IS 460 Chapter 7
PPTP (Point-to-Point Tunneling Protocol)
A Layer 2 protocol developed by Microsoft that encapsulates PPP data frames for transmission over VPN connections.
IPsec (Internet Protocol Security)
A Layer 3 (network) protocol that defines encryption, authentication, and key management for TCP/IP transmissions and requires the connection to be re-established regularly. It is an enhancement to IPv4 and is native to IPv6.
platform
The operating system, the runtime libraries or modules the OS provides to applications, and the hardware on which the OS runs.
control plane
The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols.
port forwarding
The process of redirecting traffic from its normally assigned port to a different port, either on the client or server.
PKI (Public key infrastructure)
The use of certificate authorities to associate public keys with certain users.
L2TP (Layer 2 Tunneling Protocol)
A VPN tunneling protocol that encapsulates PPP data for use on VPNs.
SDN (software-defined networking)
A centralized approach to networking that removes most of the decision-making power from network devices and instead handles that responsibility at a software level, with an SDN controller, or network controller.
SaaS (Software as a Service)
A cloud computing service model in which applications are provided through an online user interface and are compatible with a multitude of devices and operating systems.
PaaS (Platform as a Service)
A cloud computing service model in which various platforms are provided virtually, enabling developers to build and test applications within virtual, online environments tailored to the specific needs of a project.
community cloud
A cloud deployment model in which flexible data storage, applications, or services are shared between multiple organizations, but not available publicly.
hybrid cloud
A cloud deployment model in which shared and flexible data storage, applications, or services are made available through a combination of other service models into a single deployment, or a collection of services connected within the cloud.
public cloud
A cloud deployment model in which shared and flexible data storage, applications, or services are managed centrally by service providers and delivered over public transmission lines, such as the Internet.
private cloud
A cloud deployment model in which shared and flexible data storage, applications, or services are managed on and delivered via an organization's own network, or established virtually for a single organization's private use.
PoP (Points of Presence)
A data center facility at which a provider rents space to allow for dedicated connection services.
colocation facility
A data center facility that is shared by a variety of providers. Also called a carrier hotel.
Out-of-band management
A dedicated connection (either wired or wireless) from the network administrator's computer used to manage each critical network device, such as routers, firewalls, servers, power supplies, applications, and security cameras.
HVDs (hosted virtual desktops)
A desktop operating environment hosted virtually on a different physical computer from the one the user interacts with.
console router or console server
A device that provides centralized management of all linked devices.
public key encryption
A form of key encryption in which data is encrypted using two keys: One is a key known only to a user (that is, a private key), and the other is a key associated with the user and that can be obtained from a public source, such as a public key server. Also known as asymmetric encryption.
VPN concentrator
A specialized device that performs the following tasks: authenticates VPN clients, establishes tunnels for VPN connections, and manages encryption for VPN transmissions. Helpful for large organizations where more than a few simultaneous VPN connections must be maintained.
in-band management
A switch management option, such as Telnet, that uses the existing network and its protocols to interface with a switch. This inherently limits troubleshooting capabilities.
ISP's uptime
ISP-imposed bandwidth limitations
Cloud provider's uptime
Cloud provider's backup and security systems
Misconfiguration that exposes one client's data to another client
Unauthorized access to data by cloud provider employees or by illegitimate users
Breaches of confidentiality agreements when data is stored online
Data security regulations (such as for healthcare, financial, or government entities)
Questions over ownership of intellectual property stored in the cloud (for example, photos or comments made on social media websites, or files saved in online storage accounts)
Questions over data maintenance if a payment is not made on time
Risks to the network, proprietary data, or customer information caused by BYOC (bring your own cloud) services on users' personal devices
Reduced consumer confidence, fines, lawsuits, and possibly criminal charges when cloud breaches occur
Cloud computing risks and limitations
Devices used for remote access must be kept up to date with patches, anti-malware software, and a firewall.
Device access must be controlled by a strong password or biometric measures, such as fingerprint, retina, or face recognition. The device should lock down automatically after only a few minutes of inactivity.
Passwords must be strong and must be changed periodically. Password best practices are discussed further in later chapters. Passwords cannot be shared, even with a family member.
The device's internal and external storage devices must be encrypted. Note that some countries require that encrypted storage devices be decrypted or that encryption keys be filed with authorities. Employees who travel abroad should account for this when deciding what data to transport.
Company and customer data that is accessed, transferred, stored, or printed must be kept secure.
The loss or theft of any devices used for remote access or to process remotely accessed data (such as a printer) must be reported to the company immediately (or within a reasonable time frame, such as 72 hours).
Encrypted VPN software must be used to remotely access company network resources. Typically, these options are clearly defined in the policy.
While remotely connected to the company network, the device must not be connected to the open Internet or any other network not fully owned and controlled by the employee. This restriction is usually built into enterprise VPN solutions.
Remote sessions must be terminated when not in use. In most cases, remote sessions should be configured to time out automatically as a precaution.
Common requirements for a good remote access
Compromised performance - when multiple VMs contend for finite physical resources, one VM could monopolize those resources and impair the performance of others on the same computer
Increased complexity - even though virtualization reduces the number of computers, it increases complexity and administrative burden in other ways
Increased licensing costs - because every instance of commercial software requires its own license, every VM that uses such software comes with added cost
Single point of failure - if a host machine fails, all its guest machines will fail, too
Disadvantages of Virtualization
TCP port 80
HTTP uses which TCP port
port 443 and SSL/TLS encryption
HTTPS uses TCP port ______ and what type of encryption
at rest—Data is most secure when it's stored on a device that is protected by a firewall, anti-malware software, and physical security (such as being inside a locked room). Additional protections include storing portions of the data in separate locations so that no single portion is meaningful on its own.
in use—For data to be used, it must be accessible, which brings inherent risk. Tightly controlling access to the data and reliable authentication of users help reduce these risks.
in motion—This is when data is most vulnerable. Especially when data must leave your own, trusted network, it's exposed to a multitude of potential gaps, intrusions, and weak links. Wireless transmissions, especially, are susceptible to interception, and wired transmissions also risk exposure. The number of devices, organizations, and transmission methods involved in sending a single email across the Internet highlights the need for a layer of security that travels with the data.
Data exists in which three states?
Licensing: You'll need licenses for each of the virtualized devices as well as for the Type 1 hypervisor that will host them. Fortunately, the cost of these licenses amounts to a fraction of the cost of similarly featured hardware devices.
Latency: The interaction between physical and virtual devices introduces a small degree of latency as data passes through the hypervisor and its connections. Usually, this delay is negligible. However, it might be a relevant consideration in some cases.
Virtual firewalls: Even some of the most die-hard virtualization fans are uncomfortable using a virtual firewall to protect the entire network. The server hosting a virtual firewall occasionally needs to be restarted in the course of regular maintenance or some kind of failure, and in that event, the hosted firewall goes down with the server. Instead, many network admins believe that virtual firewalls are only appropriate for securing virtual-only portions of the network, or serving as a backup to physical firewall devices.
Disadvantages of NFV
transport mode—Connects two hosts.
tunnel mode—Runs on routers or other connectivity devices in the context of VPNs.
IPsec can be used with any type of TCP/IP transmission and operates in two modes:
1. IPsec initiation—Noteworthy traffic, as defined by a security policy, triggers the initiation of the IPsec encryption process.
2. key management—Through a key management process, two nodes agree on common parameters for the keys they will use. This phase primarily includes two services:
IKE (Internet Key Exchange)—Negotiates the exchange of keys, including authentication of the keys; the current version is IKEv2, which you'll see again in the discussion on VPNs later in this chapter.
ISAKMP (Internet Security Association and Key Management Protocol)—Works within the IKE process to establish policies for managing the keys.
3. security negotiations—IKE continues to establish security parameters and associations that will serve to protect data while in transit.
4. data transfer—After parameters and encryption techniques are agreed upon, a secure channel is created, which can be used for secure transmissions until the channel is broken. Data is encrypted and then transmitted. Either AH (authentication header) encryption or ESP (Encapsulating Security Payload) encryption may be used. Both types of encryption provide authentication of the IP packet's data payload through public key techniques. In addition, ESP encrypts the entire IP packet for added security.
5. termination—IPsec requires regular reestablishment of a connection to minimize the opportunity for interference. The connection can be renegotiated and reestablished before the current session times out in order to maintain communication.
IPsec creates secure connections in five steps, as follows:
guest
In the context of virtualization, a virtual machine operated and managed by a virtualization program.
host
In the context of virtualization, the physical computer that hosts the virtualization program.
PPP can support strong encryption, such as AH or ESP.
Which of the following statements regarding the Point-to-Point (PPP) protocol is NOT accurate?
Citrix Xen
A bare-metal hypervisor; Amazon and Rackspace both use this virtualization software to create their cloud environments.
PPP (point-to-point protocol)
A Data Link (layer 2) protocol used to establish a direct connection between two nodes; it directly connects two WAN endpoints.
VPN (Virtual Private Networks)
A network connection encrypted from end to end that creates a private connection to a remote network. VPNs avoid the expense of having to lease private point-to-point connections between each office and the national headquarters. Operates at Layers 1 - 3.
IKE (Internet Key Exchange)
One of two services in the key management phase of creating a secure IPsec connection. Negotiates the exchange of keys, including authentication of the keys.
ISAKMP (Internet Security Association and Key Management Protocol)
One of two services in the key management phase of creating a secure IPsec connection. Works within the IKE process to establish policies for managing the keys.
1. The browser, representing the client computer in this scenario, sends a client_hello message to the web server, which contains information about what level of security the browser is capable of accepting and what type of encryption the browser can decipher. The client_hello message also establishes a randomly generated number that uniquely identifies the client and another number that identifies the session.
2. The server responds with a server_hello message that confirms the information it received from the browser and agrees to certain terms of encryption based on the options supplied by the browser. Depending on the web server's preferred encryption method, the server might choose to issue to the browser a public key or a digital certificate.
3. If the server requests a certificate from the browser, the browser sends it. Any data the browser sends to the server is encrypted using the server's public key. Session keys used only for this one session are also established.
The SSL/TLS handshake works as follows:
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both methods of encrypting TCP/IP transmissions—including web pages and data entered into web forms—en route between the client and server using public key encryption technology. The two protocols can work side by side and are widely known as SSL/TLS or TLS/SSL. All browsers today (for example, Google Chrome, Mozilla Firefox, Apple's Safari, Microsoft Edge, and Internet Explorer) support SSL/TLS to create secure transmissions of HTTP sessions.
SSL/TLS or TLS/SSL
terminal emulation
Also called remote virtual computing, terminal emulation allows a user on one computer, called the client, to control another computer, called the host or server, across a network. Examples of command-line software that can provide terminal emulation include Telnet and SSH; some GUI-based examples are Remote Desktop for Windows, join.me, VNC, and TeamViewer.
SLIP (Serial Line Internet Protocol)
An older protocol that is rarely used today. It does not support encryption, can carry only IP packets, and works strictly on serial connections such as dial-up or DSL. Replaced by PPP.
traditional
Cloud computing category in which all the hardware, software, and everything else is located and managed at your location.
IaaS (Infrastructure as a Service)
Cloud computing service model in which hardware services are provided virtually, including network infrastructure devices such as virtual servers and end-user interfaces such as HVDs.
ssh-keygen
Command for generating a public and private key for SSH on the client workstation.
NIST (National Institute of Standards and Technology)
Organization that developed a standard definition for each cloud computing category; the categories vary by the division of labor implemented.
hypervisor
Creates and manages a VM, and manages resource allocation and sharing between a host and any of its guest VMs.
cross-platform
in terms of cloud computing, clients of all types, including smartphones, laptops, desktops, thin clients, and tablet computers, can access services, applications, and storage in a cloud, no matter what operating system they run or where they are located, as long as they have a network connection.
metered
in terms of cloud computing, everything offered by a cloud computing provider, including applications, desktops, storage, and other services, is measured. A provider might limit or charge by the amount of bandwidth, processing power, storage space, or client connections available to customers.
consolidated
in terms of cloud computing, host computers in the cloud provide multiple virtual machines, resources such as disk space, applications, and services that are pooled, or consolidated. For example, a single cloud computing provider can host hundreds of websites for hundreds of different customers on just a few servers. This is called a multi-tenant service model.
elastic
in terms of cloud computing, services and storage capacity can be quickly and dynamically—sometimes even automatically—scaled up or down. In other words, they are elastic. The elasticity of cloud computing means that storage space can be increased or reduced, and that applications and clients can be added or removed, as needed. For example, if your database server in the cloud is running out of hard disk space, you can upgrade your subscription to expand it yourself, without your having to alert the service provider. The amount of space you can add and the flexibility with which it can be added depend on your agreement with the service provider.
on-demand
in terms of cloud computing, services, applications, and storage in a cloud are available to users at any time, upon the user's request.
host-only mode
In this state, VMs on the host can exchange data with each other and with their host, but they cannot communicate with any nodes beyond the host. In other words, the vNICs never receive or transmit data via the host machine's physical NIC. Because this state prevents VMs from exchanging data with a physical network, this configuration cannot work for virtual servers that need to be accessed by clients across a LAN.
bridged mode
In this state, a vNIC accesses a physical network using the host machine's NIC. The vNIC will use its own IP address on the physical LAN.
TLS
Operates in the Transport layer and uses slightly different encryption algorithms than SSL, but otherwise is essentially the updated version of SSL.
SSL (Secure Sockets Layer)
Originally developed by Netscape and operates in the Application layer. It has now been deprecated and should be disabled whenever possible, leaving the more secure TLS to provide protection.
SFTP (Secure FTP)
A file transfer version of SSH that includes encryption and authentication, and is sometimes inaccurately called FTP over SSH or SSH FTP. Note that SFTP is an extension of the SSH protocol, not of FTP. Unlike FTP or FTPS, which use a control channel and one or two data channels, SFTP uses only a single connection: both inbound and outbound communications are usually configured to cross SSH's port 22. SFTP and FTPS are incompatible with each other. While SFTP uses a similar acronym to vsftpd, these two standards are also not compatible with each other. However, SFTP is supported by Linux and UNIX servers.
Software Running on a Server
This remote access service might run under a network operating system to allow remote logon to a corporate network.
Point-to-point remote access over a dedicated (usually leased) line, such as DSL or T1 access to an ISP.
Terminal emulation, also called remote virtual computing, which allows a remote client to take over and command a host computer. Examples of terminal emulation software are Telnet, SSH, Remote Desktop, and VNC (Virtual Network Computing). We'll discuss all of these in more detail soon.
VPN (virtual private network), which is a virtual connection that remotely accesses resources between a client and a network, two networks, or two hosts over the Internet or other types of networks.
Three of the most common remote access methods
Internet—Provides the simplest and cheapest option, but with high and unpredictable latency as well as significant security concerns.
remote access connections—Uses tunneling or terminal emulation technologies to increase security.
leased line—Relies on private WAN options to reserve a dedicated amount of bandwidth between the cloud provider and the customer's premises. Depending on the respective locations of provider and customer, this might require the cooperation of multiple ISPs in order to reach the cloud provider's servers. Hybrid pay-per-use models are available where the customer reserves a portion of anticipated bandwidth needs, and then is invoiced for additional bandwidth used during the pay period.
dedicated connection—Maximizes predictability and minimizes latency, and of course comes with a high price tag. Some of the larger cloud service providers maintain multiple PoPs (Points of Presence) around the world. This means the provider rents space at a data center facility, called a colocation facility or carrier hotel, that is shared by a variety of providers. In many cases, ISPs can provide dedicated access from a customer's premises to a cloud provider's PoP. This is more cost effective when an organization subscribes to multiple cloud providers who all use the same colocation. Amazon's AWS Direct Connect and Microsoft's Azure ExpressRoute both offer dedicated connection services.
Four-tiered array of options for how an organization's network connects to its cloud resources
type 2 hypervisor
A hypervisor that installs in a host OS as an application and is called a hosted hypervisor. A Type 2 hypervisor is not as powerful as a Type 1 because it is dependent on the host OS to allot its computing power.
type 1 (baremetal) hypervisor
A hypervisor that installs on a computer before any OS and is therefore called a bare-metal hypervisor.
vSwitch (virtual switch)
A logically defined device that operates at the Data Link layer to pass frames between nodes. One host can support multiple vSwitches.
vNIC (virtual network interface card)
A logically defined network interface associated with a virtual machine. Each VM can have multiple vNICs, and the maximum number depends on the hypervisor. Operates at the Data Link layer.
remote access
A method for connecting and logging on to a server, LAN, or WAN from a workstation that is in a different geographical location. After connecting, a remote client can access files, applications, and other shared resources, such as printers, like any other client on the server, LAN, or WAN.
symmetric encryption
A method of encryption that requires the same key to encode the data as is used to decode the cipher text.
NFV (Network Functions Virtualization)
A network architecture that merges physical and virtual network devices.
DMVPN (Dynamic Multipoint VPN)
A particular type of enterprise VPN using Cisco devices that dynamically creates VPN tunnels between branch locations as needed rather than requiring constant, static tunnels for site-to-site connections.
SDN controller
A product that integrates configuration and management control of all network devices, both physical and virtual, into one cohesive system that is overseen by the network administrator through a single dashboard. Instead of reconfiguring each network device individually, the SDN controller can be used to reconfigure groups of network devices all at one time. Networking devices in an SDN-controlled environment function only at layer 1 of the OSI model, while the SDN controller can manage functionality at all the other OSI layers.
Handshake protocol
A protocol within SSL that allows the client and server to authenticate (or introduce) each other and establishes terms for how they securely exchange data during an SSL session.
key
A series of characters that is combined with a block of data during that data's encryption. It is created according to a specific set of rules, or algorithms.
RAS (remote access server)
A server that runs communications services enabling remote users to log on to a network and granting them privileges to the network's resources.
subscription model
A service model in which software is provided by subscription.
TFTP (Trivial FTP)
A simple version of FTP that includes no authentication or security for transferring files and uses UDP at the Transport layer (unlike FTP, which relies on TCP at the Transport layer). TFTP requires very little memory and is most often used by machines behind the scenes to transfer boot files or configuration files. It's not safe for communication over the Internet, is not capable of giving users access to directory information, and limits file transfers to 4 GB. TFTP listens at port 69 and negotiates a data channel for each connection.
digital certificate
A small file containing verified identification information about the user and the user's public key. Digital certificates answer the need for simple and secure key management.
CIA (confidentiality, integrity, and availability triad)
A three-tenet, standard security model describing the primary ways that encryption protects data. Confidentiality ensures that data can only be viewed by its intended recipient or at its intended destination. Integrity ensures that data was not modified after the sender transmitted it and before the receiver picked it up. Availability ensures that data is available to and accessible by the intended recipient when needed.
GRE (Generic Routing Encapsulation)
A tunneling protocol developed by Cisco that is used to transmit PPP data frames through a VPN tunnel.
site-to-site VPN
A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over tunnels with other VPN gateways. Meanwhile, clients, servers, and other hosts on a site-to-site VPN communicate with the VPN gateway. Requires that each location have a static public IP address.
client-to-site VPN
A type of VPN in which clients, servers, and other hosts establish tunnels with a private network using a VPN gateway at the edge of the private network. Only the VPN gateway location needs a static public IP address.
XaaS (Anything as a Service or Everything as a Service)
A type of cloud computing service in which the cloud can provide any combination of functions depending on a client's exact needs, or assumes functions beyond networking including, for example, monitoring, storage, applications, and virtual desktops.
asymmetric encryption
A type of encryption (such as public key encryption) that uses a different key for encoding data than is used for decoding the cipher text.
private key encryption
A type of key encryption in which the sender and receiver use a key to which only they have access. Also known as symmetric encryption.
dedicated devices
A type of remote access server (RAS). Devices such as Cisco's AS5800 access servers are dedicated solely to serving as an RAS, running software that, in conjunction with their operating system, performs authentication for clients. An ISP might use a dedicated device to authenticate client computers or home routers to access the ISP resources and the Internet.
DTLS (Datagram Transport Layer Security)
A variant of TLS designed specifically for streaming communications.
FTPS (FTP Security or FTP Secure)
A version of FTP that incorporates the TLS and SSL protocols for added security. Configured at port 21 like FTP, but requires two data channels, which are ports 989 and 990. It can also be configured to negotiate its data ports within a predefined range each time it makes a connection. FTPS can be difficult to configure through a firewall.
VPN (virtual private network)
A virtual connection between a client and a remote network, two remote networks, or two remote hosts over the Internet or other types of networks, to remotely provide network resources.
Virtual devices can be quickly and sometimes automatically migrated, or moved, from one server to another in the event of a hardware failure or maintenance.
Resources, such as hardware, energy usage, and physical space, are utilized more efficiently.
Services can be easily scaled to meet the changing needs of a network.
Advantages of NFV
Efficient use of resources - virtualization allows a single powerful computer to support, for example, five services instead of buying five computers
Cost and energy savings - organizations can save money by purchasing fewer and less expensive physical machines, thus saving electricity
Fault and threat isolation - isolation of each guest system means that a problem with one guest does not affect the others; also, security attacks on a guest pose less risk to a host or the physical network to which it's connected, because a VM is granted limited access to hardware resources
Simple backups, recovery, and replication - virtualization software enables network administrators to save backup images of a guest machine; it also makes it easy to create multiple, identical copies of one VM, called clones
Advantages of Virtualization
DNS spoofing
An attack in which an outsider forges name server records to falsify his host's identity.
client-to-site and site-to-site
An enterprise-wide VPN can include elements of both _______ and ________ VPN models
virtual firewall
An installation of a firewall's operating system in a VM.
virtual router
An installation of a router's operating system in a VM.
CA (certificate authority)
An organization that issues and maintains digital certificates as part of the PKI (public-key infrastructure).
ESP (Encapsulating Security Payload)
In the context of IPsec, a type of encryption that provides authentication of the IP packet's data payload through public key techniques and encrypts the entire IP packet for added security.
AH (authentication header)
In the context of IPsec, a type of encryption that provides authentication of the IP packet's data payload through public key techniques.
client_hello
In the context of SSL encryption, a message issued from the client to the server that contains information about what level of security the client's browser is capable of accepting and what type of encryption the client's browser can decipher.
server_hello
In the context of SSL encryption, a message issued from the server to the client that confirms the information the server received in the client_hello message. It also agrees to certain terms of encryption based on the options the client supplied.
VNC (Virtual Network Computing or Virtual Network Connection)
Open source software that uses the cross-platform protocol RFB (remote frame buffer) to remotely control a workstation or server. VNC is slower than Remote Desktop and requires more network bandwidth. Because it is open source, many companies have developed their own software based on it that can:
Run OSes on client computers
Remotely access computers, tablets, and smartphones
Remotely control media equipment and surveillance systems
OpenDaylight, Beacon, and OpenShift
Open-source SDN controllers
PPPoE (PPP over Ethernet)
PPP running over an Ethernet network.
VNC is open source, allowing companies to develop their own software based on VNC.
Regarding VNC (Virtual Network Computing or Virtual Network Connection), what statement is accurate?
FCS
The PPP headers and trailers used to create a PPP frame that encapsulates Network layer packets vary between 8 and 10 bytes in size due to what field?
data plane
The actual contact made between physical devices and data transmissions as messages traverse a network.
IKEv2
The current version of IKE that offers fast throughput and good stability when moving between wireless hotspots.
Virtualization
The emulation of all or part of a computer or network.
Cloud Computing
The flexible provision of data storage, applications, or services to clients over the Internet.
key management
The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data
confidentiality—Data can only be viewed by its intended recipient or at its intended destination.
integrity—Data is not modified in the time after the sender transmits it and before the receiver picks it up.
availability—Data is available and accessible to the intended recipient when needed, meaning the sender is accountable for successful delivery of the data.
To protect data at rest, in use, and in motion, encryption methods are primarily evaluated by three benchmarks:
Data Link (layer 2) and Network (layer 3)
VPN tunneling protocols operate at which two layers?
VMware, Cisco, HP, IBM, and Juniper
Vendors that offer SDN controller software
IPsec and SSL
What are the two primary encryption techniques used by VPNs today?
Negotiate and establish a connection between the two endpoints. Use an authentication protocol, such as MS-CHAPv2 or EAP, to authenticate a client to the remote system. Support several Network layer protocols, such as IP, that might use the connection. Encrypt the transmissions, although PPP encryption is considered weak by today's standards.
What can PPP do
OpenVPN
What open-source VPN protocol utilizes OpenSSL for encryption and has the ability to possibly cross firewalls where IPsec might be blocked?
SSH supports port forwarding
What statement regarding the SSH (Secure Shell) collection of protocols is accurate?
When the VM is being created in the hypervisor. At that point you can determine the amount of memory, guest operating system, hard disk size, and processor type.
When are a VM's software and hardware characteristics assigned?
a VM appears to other nodes as just another client or server on the network
When connected using bridged mode, how does a VM appear to other nodes?
Whenever the VM does not need to be accessed at a known address by other network nodes.
When is it appropriate to utilize the NAT network connection type?
VPN gateway
When using a site-to-site VPN, what type of device sits at the edge of the LAN and establishes the connection between sites?
In an authorization file on the host where the SSH server is.
When using public and private keys to connect to an SSH server from a Linux device, where must your public key be placed before you can connect?
It provides poor authentication and no encryption.
Why is the telnet utility a poor choice for remote access to a device?
SSH (Secure Shell)
A terminal emulation that is a collection of protocols that does both authentication and encryption. With SSH, you can securely log on to a host, execute commands on that host, and copy files to or from that host. SSH encrypts data exchanged throughout the session. It guards against a number of security threats, including unauthorized access to a host, IP spoofing, interception of data in transit (even if it must be transferred via intermediate hosts), and DNS spoofing. Depending on the version, SSH may use Triple DES, AES, Blowfish, or other, less-common encryption schemes or techniques. SSH allows for password authentication or authentication using public and private keys. For authentication using keys, you first generate a public key and a private key on your client workstation by running the ssh-keygen command (or by choosing the correct menu options in a graphical SSH program). The keys are saved in two different, encrypted files on your hard disk. Next, you transfer the public key to an authorization file on the host to which you want to connect. When you connect to the host via SSH, the client and host exchange public keys, and if both can be authenticated, the connection is completed. Layer 7 (application); listens on port 22.
Telnet
A terminal emulation utility used by Telnet client/server applications that allows an administrator or other user to control a computer remotely. It provides little security for establishing a connection (poor authentication) and no security for transmitting data (no encryption). Layer 7 (application).
host-to-host VPN
a type of VPN in which two computers create a VPN tunnel directly between them. Both computers must have the appropriate software installed, and they don't serve as a gateway to other hosts on their respective networks. In a host-to-host VPN, usually the site that receives the VPN connection (such as a home network) needs a static public IP address. Another option, however, is to subscribe to a service such as Dynamic DNS by Oracle (dyn.com/dns), which automatically tracks dynamic IP address information for subscriber locations.
agreed-to protocol
Clients and remote access servers require this protocol to establish a session and exchange data.
NAT mode
The default connection type selected when creating a VM in VMware, VirtualBox, or KVM. In this mode, a vNIC relies on the host machine to act as a NAT device; in other words, the VM obtains IP addressing information from its host, rather than from a server or router on the physical network. Other nodes communicate with the host machine's IP address to reach the VM; the VM itself is invisible to nodes on the physical network.
SSH Communications Security
Developed SSH; using their implementation of it requires paying for a license.