Hw1-Chapter 7
What is the PPP (Point-to-Point Protocol), and how does it work?
PPP (Point-to-Point Protocol) is a Data Link layer protocol that directly connects two WAN endpoints. One example might be when a DSL or cable modem connects to a server at the ISP. PPP headers and trailers create a PPP frame that encapsulates Network layer packets. The frames total only 8 or 10 bytes, the difference depending on the size of the FCS field (recall that the FCS field ensures the data is received intact).
NAT mode
By default, what network connection type is selected when creating a VM in VMware, VirtualBox, or KVM?
True
PPP can support several types of Network layer protocols that might use the connection.
VNC is open source, allowing companies to develop their own software based on VNC.
Regarding VNC (Virtual Network Computing or Virtual Network Connection), what statement is accurate?
True
The HTTPS (HTTP Secure) protocol utilizes the same TCP port as HTTP, port 80.
FCS
The PPP headers and trailers used to create a PPP frame that encapsulates Network layer packets vary between 8 and 10 bytes in size due to what field?
True
The Virtual Network Computing (VNC) application uses the cross-platform remote frame buffer (RFB) protocol.
Key Pair
The combination of a public key and a private key are known by what term below?
SaaS
What cloud service model involves providing applications through an online user interface, providing for compatibility with a multitude of different operating systems and devices?
Virtualization software increases the complexity of backups, making creation of usable backups difficult.
What is NOT a potential disadvantage of utilizing virtualization?
OpenVPN
What open-source VPN protocol utilizes OpenSSL for encryption and has the ability to possibly cross firewalls where IPsec might be blocked?
IPsec
What security encryption protocol requires regular re-establishment of a connection and can be used with any type of TCP/IP transmission?
True
Office 365 is an example of an SaaS implementation with a subscription model.
Dynamic Multipoint VPN
What special enterprise VPN supported by Cisco devices creates VPN tunnels between branch locations as needed rather than requiring constant, static tunnels?
SSH supports port forwarding.
What statement regarding the SSH (Secure Shell) collection of protocols is accurate?
Point of Presence (POP)
What term is used to describe a space that is rented at a data center facility by a service provider?
A group of developers needs access to multiple operating systems and the runtime libraries that the OS provides.
What type of scenario would be best served by using a Platform as a Service (PaaS) cloud model?
Whenever the VM does not need to be accessed at a known address by other network nodes.
When is it appropriate to utilize the NAT network connection type?
VPN Gateway
When using a site-to-site VPN, what type of device sits at the edge of the LAN and establishes the connection between sites?
In an authorization file on the host where the SSH server is.
When using public and private keys to connect to an SSH server from a Linux device, where must your public key be placed before you can connect?
Trivial FTP (TFTP)
Which file transfer protocol has no authentication or security for transferring files, uses UDP, and requires very little memory to use?
A VPN concentrator shuts down established connections when malicious traffic occurs.
Which of the following is NOT a task that a VPN concentrator is responsible for?
PPP can support strong encryption, such as AH or ESP.
Which of the following statements regarding the Point-to-Point (PPP) protocol is NOT accurate?
Citrix XenServer
Which of the following virtualization products is an example of a bare-metal hypervisor?
IKEv2 offers fast throughput and good stability when moving between wireless hotspots.
Which statement regarding the IKEv2 tunneling protocol is accurate?
The vNIC will have its own IP address on the physical LAN.
Which statement regarding the use of a bridged mode vNIC is accurate?
IaaS (Infrastructure as a Service)
Which type of cloud service model involves hardware services that are provided virtually, including network infrastructure devices such as virtual servers?
It provides poor authentication and no encryption.
Why is the telnet utility a poor choice for remote access to a device?
False
A Type 2 hypervisor installs on a computer before any OS, and is therefore called a bare-metal hypervisor.
True
A community cloud is a service shared between multiple organizations, but not available publicly.
What is the difference between a virtual firewall and a software firewall?
A software firewall is merely an application, like Windows Firewall. It's very limited in scope and features, and only services a single client. A dedicated firewall device, such as those made by Fortinet, Cisco, or Palo Alto Networks, services an entire network (or portion of a network). It has many more features than a firewall app, and runs on its own OS. A virtual firewall emulates a hardware firewall, and is hosted in a virtualized environment. An example would be the pfSense VMware Ready Virtual Firewall Appliance by Netgate. Another example is Barracuda's NextGen Firewall F-Series, which is compatible with VMware, XenServer, KVM, and Hyper-V and also provides protection for cloud-based portions of the network. There must be a hypervisor present (usually Type 1) for a virtual firewall to exist.
Layer 2
A vSwitch (virtual switch) or bridge is a logically defined device that operates at what layer of the OSI model?
False
After L2TP establishes a VPN tunnel, GRE is used to transmit L2TP data frames through the tunnel.
Citrix Xen
Amazon and Rackspace both utilize what virtualization software below to create their cloud environments?
True
An enterprise-wide VPN can include elements of both the client-to-site and site-to-site models.
Network layer
At what layer of the OSI model does the IPsec encryption protocol operate?
What are some of the features that all cloud services usually have in common?
Cloud services usually have the following features in common:
* on-demand: Services, applications, and storage in a cloud are available to users at any time, upon the user's request.
* cross-platform: Clients of all types, including smartphones, laptops, desktops, thin clients, and tablet computers, can access services, applications, and storage in a cloud, no matter what operating system they run or where they are located, as long as they have a network connection.
* consolidated: Host computers in the cloud provide multiple virtual machines, resources such as disk space, applications, and services that are pooled, or consolidated. For example, a single cloud computing provider can host hundreds of websites for hundreds of different customers on just a few servers. This is called a multi-tenant service model.
* metered: Everything offered by a cloud computing provider, including applications, desktops, storage, and other services, is measured. A provider might limit or charge by the amount of bandwidth, processing power, storage space, or client connections available to customers.
* elastic: Services and storage capacity can be quickly and dynamically (sometimes even automatically) scaled up or down. In other words, they are elastic. The elasticity of cloud computing means that storage space can be increased or reduced, and that applications and clients can be added or removed, as needed. For example, if your database server in the cloud is running out of hard disk space, you can upgrade your subscription to expand it yourself, without having to alert the service provider. The amount of space you can add and the flexibility with which it can be added depend on your agreement with the service provider.
Why is the DTLS (Datagram Transport Layer Security) protocol used for streaming applications that need security?
DTLS is a variant of TLS that is designed specifically for streaming communications. As the name implies, DTLS relies on UDP instead of TCP, which minimizes delays. However, applications using DTLS must provide their own means of packet reordering, flow control, and reliability assurance. DTLS includes security levels that are comparable to TLS and is commonly used by delay-sensitive applications such as VoIP and tunneling applications such as VPN.
What two different types of encryption can be utilized with IPsec?
Data encrypted for use with an IPsec connection may utilize either AH (authentication header) encryption or ESP (Encapsulating Security Payload) encryption. Both types of encryption provide authentication of the IP packet's data payload through public key techniques. In addition, ESP encrypts the entire IP packet for added security.
True
Digital certificates are issued, maintained, and validated by an organization called a certificate authority (CA).
False
FTPS (FTP Security or FTP Secure) and SFTP (Secure FTP) are two names for the same protocol.
Describe the TLS/SSL handshake process as initiated by a web client accessing a secure website.
Given the scenario of a browser accessing a secure Web site, the SSL/TLS handshake works as follows:
1. The browser, representing the client computer in this scenario, sends a client_hello message to the Web server, which contains information about what level of security the browser is capable of accepting and what type of encryption the browser can decipher. The client_hello message also establishes a randomly generated number that uniquely identifies the client and another number that identifies the SSL session.
2. The server responds with a server_hello message that confirms the information it received from the browser and agrees to certain terms of encryption based on the options supplied by the browser. Depending on the Web server's preferred encryption method, the server may choose to issue to the browser a public key or a digital certificate.
3. If the server requests a certificate from the browser, the browser sends it. Any data the browser sends to the server is encrypted using the server's public key. Session keys used only for this one session are also established.
SDN controller
In a software defined network, what is responsible for controlling the flow of data?
ssh-keygen
In order to generate a public and private key for use with SSH, what command line utility should you use?
How does public key encryption work?
In public key encryption, data is encrypted with a private key known only to the user, and decrypted with a mathematically related public key that can be made available through a third-party source, such as a public key server. This ensures data integrity, as the sender's public key will only work if the data has not been tampered with. Alternatively, data can be encrypted with the public key, and then can only be decrypted with the matching private key. This ensures data confidentiality, as only the intended recipient (the owner of the keys) can decrypt the data. A public key server is a publicly accessible host (such as a server on the Internet) that freely provides a list of users' public keys, much as a telephone book provides a list of people's phone numbers. The combination of a public key and a private key is known as a key pair.
When deploying cloud services, what are some of the deployment models you might encounter?
The main deployment models you are likely to encounter are:
* public cloud: Service provided over public transmission lines, such as the Internet.
* private cloud: Service established on an organization's own servers in its own data center, or established virtually for a single organization's private use and made available to users over a WAN connection through some type of remote access. If hosted internally, this arrangement allows an organization to use existing hardware and connectivity, potentially saving money. If hosted virtually, the organization benefits from the usual advantages of virtual services, such as scalability and accessibility.
* community cloud: Service shared between multiple organizations, but not available publicly. Organizations with common interests, such as regulatory requirements, performance requirements, or data access, might share resources in this way. For example, a medical database might be made accessible to all hospitals in a geographic area. In that case, the community cloud could be hosted internally by one or more of the organizations involved, or hosted by a third-party provider. But it would not be made available to the public.
* hybrid cloud: A combination of the other service models into a single deployment, or a collection of services connected within the cloud. In the real world, the hybrid cloud infrastructure is a common result of transitory solutions. (In IT, "solution" refers to a product, service, or combination of products and services, and often includes extra features such as ongoing customer service.) An example of a hybrid cloud by design might arise when a company stores data in a private cloud, but uses a public cloud email service.
Public Key Infrastructure (PKI)
The use of certificate authorities to associate public keys with certain users is known by what term?
All types of remote access techniques connecting to a network require at least one of what two different types of remote access server?
There are two types of remote access servers:
* dedicated devices: Devices such as Cisco's AS5800 access servers are dedicated solely as an RAS to run software that, in conjunction with their operating system, performs authentication for clients. An ISP might use a dedicated device to authenticate client computers or home routers to access the ISP resources and the Internet.
* software running on a server: The remote access service might run under a network operating system to allow remote logon to a corporate network. For example, DirectAccess is a service first introduced in Windows Server 2008 R2 that can automatically authenticate remote users and computers to the Windows domain and its corporate network resources.
How is the CIA triad used to evaluate encryption methods?
To protect data at rest, in use, and in motion, encryption methods are primarily evaluated by three benchmarks:
* confidentiality: Data can only be viewed by its intended recipient or at its intended destination.
* integrity: Data is not modified in the time after the sender transmits it and before the receiver picks it up.
* availability: Data is available and accessible to the intended recipient when needed, meaning the sender is accountable for successful delivery of the data.
Together, these three principles form the standard security model called the CIA (confidentiality, integrity, and availability) triad.
Type 2 hypervisor
VMware Player and Linux KVM are both examples of what type of hypervisor?