Ch.7 - Virtualization and Cloud Computing

metered (features of cloud computing)

Everything offered by a cloud computing provider, including applications, desktops, storage, and other services, is measured. A provider might limit or charge by the amount of bandwidth, processing power, storage space, or client connections available to customers.

SDN controller

A product that integrates configuration and management control of all network devices, both physical and virtual, into one cohesive system that is overseen by the network administrator through a single dashboard. - It can even make configuration changes automatically in response to changing network conditions. - creates the potential to implement more sophisticated network functions while using less-expensive devices. - several vendors offer this software including VMware, Cisco, HP, IBM, and Juniper. Open-source controllers include OpenDaylight, Beacon, and OpenShift.

handshake protocol

A protocol within SSL that allows the client and server to authenticate (or introduce) each other and establishes terms for how they securely exchange data during an SSL session.

key

A series of characters that is combined with a block of data during that data's encryption.

increased complexity (disadvantages of virtualization)

- Although virtualization reduces the number of physical machines to manage, it increases complexity and administrative burden in other ways. For instance, a network administrator who uses virtual servers and switches must thoroughly understand virtualization software. In addition, managing addressing and switching for multiple VMs is more complex than doing so for physical machines. - Finally, because VMs are so easy to set up, they might be created capriciously or as part of experimentation, and then forgotten. As a result, extra VMs might litter a server's hard disk, consume resources, and unnecessarily complicate network management

increased licensing costs (disadvantages of virtualization)

- Because every instance of commercial software requires its own license, every VM that uses such software comes with added cost. In some cases, the added cost brings little return.

single point of failure (disadvantages of virtualization)

- If a host machine fails, all its guest machines will fail, too. As mentioned earlier, an organization that creates VMs for its email server, file server, web servers, and database server on a single physical computer would lose all those services if the computer went down. Wise network administrators implement measures such as clustering and automatic failover to prevent that from happening.

fault and threat isolation (advantages of virtualization)

- In a virtual environment, the isolation of each guest system means that a problem with one guest does not affect the others - Furthermore, because a VM is granted limited access to hardware resources, security attacks on a guest pose less risk to a host or the physical network to which it's connected.

cost and energy saving (advantages of virtualization)

- Organizations save money by purchasing fewer and less expensive physical machines. They also save electricity because there are fewer and more efficient computers drawing power and less demand for air conditioning in the computer room. - Thin clients, for example, are very small, energy-efficient computers that can be used to populate large computer labs on a college campus. Thin clients connect to a central server to perform most of their processing functions. When a user signs in to a domain account on the thin client, the thin client then contacts the server for all other functions. The server hosts the thin client's software, including the operating system and most or all applications. In other words, the thin client's entire desktop is virtualized and hosted by the server.

efficient use of resources (advantages of virtualization)

- Physical clients or servers devoted to one function typically use only a fraction of their capacity. Without virtualization, a company might purchase five computers to run five different services - With virtualization, however, a single, powerful computer can support all five services. This creates a significant single point of failure, however, if this one server goes down for any reason. Therefore, in actual practice, most of these network services are also duplicated across multiple physical servers. - Resources, such as hardware, energy usage, and physical space, are utilized more efficiently. - Services can be easily scaled to meet the changing needs of a network.

simple backups, recovery, and replication (advantages of virtualization)

- Virtualization software enables network administrators to save backup images of a guest machine. The images can later be used to recreate that machine on another host or on the same host. This feature allows for simple backups and quick recovery - It also makes it easy to create multiple, identical copies of one VM, called clones. Some virtualization programs allow you to save image files of VMs that can be imported into a competitor's virtualization program. - Virtual devices can be quickly and sometimes automatically migrated, or moved, from one server to another in the event of a hardware failure or maintenance.

compromised performance (disadvantages of virtualization)

- When multiple VMs contend for finite physical resources, one VM could monopolize those resources and impair the performance of others on the same computer. In theory, careful management and resource allocation should prevent this. In practice, however, it is unwise to force a critical application—for example, a factory's real-time control systems or a hospital's emergency medical systems—to share resources and take that risk. - In addition to multiple guest systems vying for limited physical resources, a hypervisor also requires some overhead.

PPP (Point-to-Point Protocol) (remote access protocol)

A Layer 2 (data link) communications protocol that enables a workstation to connect to a server using a serial connection such as dial-up or DSL. - directly connects two WAN endpoints. - One example might be when a DSL or cable modem connects to a server at the ISP. - PPP headers and trailers create a PPP frame that encapsulates Network layer packets. The frames total only 8 or 10 bytes, the difference depending on the size of the FCS field (recall that the FCS field ensures the data is received intact) - Negotiate and establish a connection between the two endpoints. - Use an authentication protocol, such as MS-CHAPv2 or EAP, to authenticate a client to the remote system. - Support several Network layer protocols, such as IP, that might use the connection. - Encrypt the transmissions, although PPP encryption is considered weak by today's standards.

PPTP (Point-to-Point Tunneling Protocol)

A Layer 2 protocol developed by Microsoft that encapsulates PPP data frames for transmission over VPN connections. - It uses TCP segments at the Transport layer. PPTP supports the encryption, authentication, and access services provided by the VPN server; however, PPTP itself is outdated and is no longer considered secure.

IPsec (Internet Protocol Security)

A Layer 3 protocol that defines encryption, authentication, and key management for TCP/IP transmissions. is an enhancement to IPv4 and is native to IPv6. - works at the Network layer of the OSI model—it adds security information to the headers of all IP packets and encrypts the data payload.

L2TP (Layer 2 Tunneling Protocol)

A VPN tunneling protocol that encapsulates PPP data for use on VPNs. - Unlike PPTP, is a standard accepted and used by multiple vendors, so it can connect a VPN that uses a mix of equipment types—for example, a Juniper router, a Cisco router, and a NETGEAR router. - typically implemented with IPsec for security and is considered secure and acceptable for most situations.

SDN (software-defined networking)

A centralized approach to networking that removes most of the decision-making power from network devices and instead handles that responsibility at a software level. - with a product called an SDN controller, or network controller. The SDN controller integrates configuration and management control of all network devices, both physical and virtual, into one cohesive system that is overseen by the network administrator through a single dashboard. Instead of reconfiguring each network device individually, the SDN controller can be used to reconfigure groups of network devices all at one time. - Instead of each device making its own decisions, the SDN controller manages these decisions for the devices and then tells the devices what to do with data traversing the network. What's more, the SDN controller can be programmed to change the rules for those decisions in order to adapt to changing network conditions. - The network devices essentially become "dumb" devices, without needing any particular knowledge of overarching network needs or protocols. This hardware is significantly less expensive than their more sophisticated counterparts and in the marketplace, they're often called white box switches. - networking devices essentially function at layer 1 of OSI model since SDN controller can manage all the other layers - one of the primary advantages to separating the control plane from the data plane is to provide network technicians with more centralized control of network settings and management—physical and virtual devices can all be managed from a central interface.

PoP (Point of Presence)

A data center facility at which a provider rents space to allow for dedicated connection services. - some of the larger cloud service providers maintain multiple of these (Amazon, Microsoft)

colocation facility

A data center facility that is shared by a variety of providers. Also called a carrier hotel.

out-of-band management

A dedicated connection (either wired or wireless) from the network administrator's computer used to manage each critical network device, such as routers, firewalls, servers, power supplies, applications, and security cameras. - These dedicated connections allow network administrators to remotely: - Power up a device - Change firmware settings - Reinstall operating systems - Monitor hardware sensors - Troubleshoot boot problems - Limit network users' access to management functions - Manage devices even when other parts of the network are down - A remote management card is attached to the network device's console port, or sometimes the remote management card is built into the device. A dial-in modem—either through a wired phone line or through a cellular connection—might be attached to the device to provide backup CLI access in the event of a catastrophic network shutdown. A single device, such as a console server or console router, provides centralized management of all linked devices.

community cloud

A deployment model in which flexible data storage, applications, or services are shared between multiple organizations, but not available publicly. - Organizations with common interests, such as regulatory requirements, performance requirements, or data access, might share resources in this way. For example, a medical database might be made accessible to all hospitals in a geographic area

hybrid cloud

A deployment model in which shared and flexible data storage, applications, or services are made available through a combination of other service models into a single deployment, or a collection of services connected within the cloud. -

public cloud

A deployment model in which shared and flexible data storage, applications, or services are managed centrally by service providers and delivered over public transmission lines, such as the Internet.

private cloud

A deployment model in which shared and flexible data storage, applications, or services are managed on and delivered via an organization's own network, or established virtually for a single organization's private use. - Service established on an organization's own servers in its own data center, or established virtually for a single organization's private use and made available to users over a WAN connection through some type of remote access. If hosted internally, this arrangement allows an organization to use existing hardware and connectivity, potentially saving money. If hosted virtually, the organization benefits from the usual advantages of virtual services, such as scalability and accessibility.

HVD (hosted virtual desktop)

A desktop operating environment hosted virtually on a different physical computer from the one the user interacts with.

console router

A device that provides centralized management of all linked devices. - used in out-of-band management solutions

console server

A device that provides centralized management of all linked devices. - used in out-of-band management solutions

public key encryption

A form of key encryption in which data is encrypted using two keys: One is a key known only to a user (that is, a private key), and the other is a key associated with the user and that can be obtained from a public source, such as a public key server. Public key encryption is also known as asymmetric encryption (one key encrypts while the other decrypts) - ensures data integrity, as the sender's public key will only work if the data has not been tampered with. Alternatively, data can be encrypted with the public key, and then can only be decrypted with the matching private key. This ensures data confidentiality, as only the intended recipient (the owner of the keys) can decrypt the data.

Type 2 Hypervisor (hosted)

A hypervisor that installs in a host OS as an application and is called a hosted hypervisor. - Client Hyper-V - VirtualBox - Linux KVM - not as powerful as a type 1 because it is dependent on the hot OS to allot its computing power - also not as fast or as secure as type 1

Type 1 hypervisor (bare metal)

A hypervisor that installs on a computer before any OS and is therefore called a bare-metal hypervisor. - partitions the hardware computing power to multiple VMs, each with their own OS - Xenserver by Citrix - Hyper-V by Microsoft

vSwitch (virtual switch)

A logically defined device that operates at the Data Link layer to pass frames between nodes. - it can allow VMs to communicate with each other and with nodes on a physical LAN or WAN. - one host can support multiple of these which as controlled by the hypervisor

vNIC (virtual NIC)

A logically defined network interface associated with a virtual machine. - each VM has its own - can connect the VM to other machines, both virtual and physical. - just like a physical NIC, operates at the Data Link layer and provides the computer with network access - each VM can have several of these no matter how many NICs the host machine has - max number depends on the limits imposed by the hypervisor. - upon create, each one is assigned a MAC address - as soon as this is selected, the hypervisor creates a connection between that VM and the host. Depending on the hypervisor, this connection might be called a bridge or a switch - the way it is configured determines whether the VM is joined to a virtual network or attempts to join the physical LAN that the host machine is connected to (networking mode)

remote access

A method for connecting and logging on to a server, LAN, or WAN from a workstation that is in a different geographical location. - after connecting, a remote client can access files, applications, and other shared resources, such as printers, like any other client on the server, LAN, or WAN. - to communicate, the client and host need a transmission path plus the appropriate software to complete the connection and exchange data. - all types require some type of RAS (remote access server) to accept a remote connection and grant it privileges to the network's resources. Also, software must be installed on both the remote client and the remote access server to negotiate and maintain this connection.

symmetric encryption

A method of encryption that requires the same key to encode the data as is used to decode the cipher text.

NFV (Network Functions Virtualization)

A network architecture that merges physical and virtual network devices. - provides flexible, cost-saving options for many types of network devices, including virtual servers, data storage, load balancers, and firewalls. - You'll need licenses for each of the virtualized devices as well as for the Type 1 hypervisor that will host them. Fortunately, the cost of these licenses amounts to a fraction of the cost of similarly featured hardware devices. - The interaction between physical and virtual devices introduces a small degree of latency as data passes through the hypervisor and its connections. Usually, this delay is negligible. - Even some of the most die-hard virtualization fans are uncomfortable using a virtual firewall to protect the entire network. The server hosting a virtual firewall occasionally needs to be restarted in the course of regular maintenance or some kind of failure, and in that event, the hosted firewall goes down with the server. Instead, many network admins believe that virtual firewalls are only appropriate for securing virtual-only portions of the network, or serving as a backup to physical firewall devices.

DMVPN (Dynamic Multipoint VPN)

A particular type of enterprise VPN using Cisco devices that dynamically creates VPN tunnels between branch locations as needed rather than requiring constant, static tunnels for site-to-site connections. - a hub router sits at the headquarters location, and each remote office has a spoke router. Usually, when hosting enterprise VPN connections, the involved gateways all need static IP addresses from the ISP. With this, however, only the hub router needs a static public IP address. The spoke routers can communicate with the hub router to create VPN tunnels as needed, even from a spoke router to a spoke router.

RAS (remote access server)

A server that runs communications services enabling remote users to log on to a network and grant privileges to the network's resources. - 2 types: 1. dedicated devices—Devices such as Cisco's AS5800 access servers are dedicated solely as an RAS to run software that, in conjunction with their operating system, performs authentication for clients. An ISP might use a dedicated device to authenticate client computers or home routers to access the ISP resources 2. software running on a server—The service might run under a network operating system to allow remote logon to a corporate network. For example, DirectAccess is a service first introduced in Windows Server 2008 R2 that can automatically authenticate remote users and computers to the Windows domain and its corporate network resources

SaaS (Software as a Service)

A service model in which applications are provided through an online user interface and are compatible with a multitude of devices and operating systems. - Online email services such as Gmail and Yahoo! are good examples - Except for the interface itself (the device and whatever browser software is required to access the website), the vendor provides every level of support from network infrastructure through data storage and application implementation. - Here we see the full capability of pizza provider services. The restaurant provides the crust and all the ingredients, bakes it for us, and serves it directly to the table that they also have provided. We had to get ourselves to the restaurant, but we didn't need to bring anything to make it all work (except our payment, of course), and they do the cleanup after we leave - are more immediately accessible to a wide market of end users than other categories of cloud services

IaaS (Infrastructure as a Service)

A service model in which hardware services are provided virtually, including network infrastructure devices such as virtual servers. - and end user interfaces such as HVDs (hosted virtual desktops). HVDs are desktop operating environments running on a different physical computer than the one the user interacts with. These devices rely on the network infrastructure at the vendor's site, but customers are responsible for their own application installations, data management and backup, and possibly operating systems. - In our pizza analogy, this would be like a take-and-bake restaurant. You decide the type of crust you want and the toppings; the restaurant puts it all together for you. Then you take the unbaked pizza home, bake it yourself, and eat it at your own table. - In the IT world, AWS (Amazon Web Services) is a good example - require extensive preparation by a much smaller group of more skilled network architects and administrators, who provide systems for their end users.

subscription model

A service model in which software is provided by subscription. - Another SaaS implementation that doesn't quite fit the official definition of SaaS is rentable software, or software by subscription - When you buy an annual subscription to Office 365, for example, you install the software on your own computer and you must therefore provide your own hardware with a functioning OS. However, the downloadable software is available in formats that are compatible with multiple OSes, and in many cases, the license provides for installation on multiple devices. In this specific case, the SaaS also can include data storage by connecting the licensed account with OneDrive, a virtual data storage service.

PaaS (Platform as a Service)

A service model in which various platforms are provided virtually, enabling developers to build and test applications within virtual, online environments tailored to the specific needs of a project. - A platform in this context includes the operating system, the runtime libraries or modules the OS provides to applications, and the hardware on which the OS runs. - Developers can build and test their applications within these virtual, online environments, which are tailored to the specific needs of the project. Alternatively, an organization's entire network might be built on platform services provided by a vendor. Any platform managed by a vendor resides on the vendor's hardware and relies on their uptime and accessibility to meet performance parameters. However, the customers are responsible for their own applications and/or data storage, including maintaining backups of the data. - In our pizza analogy, this is the delivery option. You decide on the crust and toppings, the restaurant bakes it for you, and then they bring it to your front door within 30 minutes. You provide your own table and do the cleanup after dinner. - typically used by application developers, both professionals and laypersons, for testing their products.

digital certificate

A small file containing verified identification information about the user and the user's public key. - is issued, maintained, and validated by an organization called a CA (certificate authority). The use of certificate authorities to associate public keys with certain users is known as PKI (Public-key Infrastructure). - provides simple and secure key management - are primarily used to certify and secure websites where financial and other sensitive information is exchanged, but they're also used for other types of websites and to secure email communications, to authenticate client devices in a domain, or to authenticate users to a network.

VPN concentrator

A specialized device that authenticates VPN clients, establishes tunnels for VPN connections, and manages encryption for VPN transmissions. - For large organizations where more than a few simultaneous VPN connections must be maintained - can be used as the VPN server

in-band management

A switch management option, such as Telnet, that uses the existing network and its protocols to interface with a switch. - Telnet, SSH, RDP, VNC, and a management URL all rely on the existing network infrastructure for a network administrator to remotely control the device. Before he or she can configure these devices, they must already be booted up, and they must already have configuration software installed. - inherently limits troubleshooting capabilities

CIA (confidentiality, integrity, and availability) triad

A three-tenet, standard security model describing the primary ways that encryption protects data. Confidentiality ensures that data can only be viewed by its intended recipient or at its intended destination. Integrity ensures that data was not modified after the sender transmitted it and before the receiver picked it up. Availability ensures that data is available to and accessible by the intended recipient when needed.

GRE (Generic Routing Encapsulation)

A tunneling protocol developed by Cisco that is used to transmit PPP data frames through a VPN tunnel. - is a Layer 3 protocol used to transmit PPP, IP, and other kinds of messages through a tunnel - Like L2TP, is used in conjunction with IPsec to increase the security of the transmissions.

site-to-site VPN

A type of VPN in which VPN gateways at multiple sites encrypt and encapsulate data to exchange over tunnels with other VPN gateways. Meanwhile, clients, servers, and other hosts on a siteto- site VPN communicate with the VPN gateway. - At each site, a VPN gateway on the edge of the LAN establishes the secure connection. Each gateway is a router or remote access server with VPN software installed and encrypts and encapsulates data to exchange over the tunnel. Meanwhile, clients, servers, and other hosts on the protected LANs communicate through the VPN gateways as if they were all on the same, private network and do not themselves need to run special VPN software - require that each location have a static public IP address.

client-to-site VPN

A type of VPN in which clients, servers, and other hosts establish tunnels with a private network using a VPN gateway at the edge of the private network. - Each remote client must run VPN software to connect to the VPN gateway. The tunnel created between them encrypts and encapsulates data. This is the type of VPN typically associated with remote access. - As with site-to-site VPNs, clients and hosts on the protected LAN communicate with remote clients by way of the VPN gateway and are not required to run VPN software. - To establish this VPN, only the VPN gateway location needs a static public IP address. - the type of VPN typically associated with remote access.

XaaS (Anything as a Service or Everything as a Service)

A type of cloud computing in which the cloud can provide any combination of functions depending on a client's exact needs, or assumes functions beyond networking including, for example, monitoring, storage, applications, and virtual desktops.

asymmetric encryption

A type of encryption (such as public key encryption) that uses a different key for encoding data than is used for decoding the cipher text.

private key encryption

A type of key encryption in which the sender and receiver use a key to which only they have access. Also known as symmetric encryption - because the same key is used during both the encryption and decryption of the data. A potential problem with private key encryption is that the sender must somehow share the key with the recipient without it being intercepted.

host-only mode

A type of network connection in which VMs on a host can exchange data with each other and with their host, but they cannot communicate with any nodes beyond the host. In this mode, VMs use the DHCP service in the host's virtualization software to obtain IP address assignments. - In other words, the vNICs never receive or transmit data via the host machine's physical NIC - VMs use the DHCP service in the host's virtualization software to obtain IP address assignments. - creates an isolated virtual network - is appropriate for test networks or if you simply need to install a different operating system on your workstation to use an application that is incompatible with your host's operating system - vNICs can only talk to other VMs running on that host - because this mode prevents VMs from exchanging data with a physical network, this configuration cannot work for virtual servers that need to be accessed by clients across a LAN. Nor can it be used for virtual workstations that need to access LAN or WAN services, such as email or web pages.

bridged mode

A type of network connection in which a vNIC accesses a physical network using the host machine's NIC. The bridged vNIC obtains its own IP address, default gateway, and subnet mask information from the physical LAN's DHCP server. - In other words, the virtual interface and the physical interface are bridged - although a vNIC communicates through the host's adapter, it obtains its own IP address, default gateway, and subnet mask from a DHCP server on the physical LAN - when connected using this networking mode, a VM appears to other nodes as just another client or server on the network. Other nodes communicate directly with the computer without realizing it is virtual. - this mode is the most common networking mode for VMs hosted by Type 1 hypervisors such as XenServer - VMs that that must be available at a specific IP address, such as mail servers or web servers, should be assigned this network connections

NAT mode

A type of network connection in which a vNIC relies on the host machine to act as a NAT device. The virtualization software acts as a DHCP server. - VMs that other nodes do not need to access directly can be configured to use this networking mode - In other words, the VM obtains IP addressing information from its host, rather than a server or router on the physical network. - To accomplish this, the hypervisor acts as a DHCP server - a vNIC can still communicate with other nodes on the network and vice versa. However, other nodes communicate with the host machine's IP address to reach the VM; the VM itself is invisible to nodes on the physical network - is the default network connection type selected when you create a VM in VMware, VirtualBox, or KVM - once you have selected this networking type, you can configure the pool of IP addresses available to the VMs on a host. - Because these addresses will never be evident beyond the host, you have flexibility in choosing their IP address range. - is appropriate for VMs that do not need to be accessed at a known address by other network nodes. For example, virtual workstations that are mainly used to run stand-alone applications, or serve as test beds to test applications

DTLS (Datagram Transport Layer Security)

A variant of TLS designed specifically for streaming communications. - relies on UDP instead of TCP, which minimizes delays. However, applications using this must provide their own means of packet reordering, flow control, and reliability assurance. - includes security levels that are comparable to TLS and is commonly used by delay-sensitive applications such as VoIP and tunneling applications such as VPN

FTPS (FTP Security or FTP Secure)

A version of FTP that incorporates the TLS and SSL protocols for added security. - type of remote file access - can encrypt both the control and data channels. - Recall that FTP listens at port 21, which is the command channel. Data is usually transferred over port 20, which is the data channel. FTPS is typically configured to listen at port 21, like FTP, but requires two data channels. By default, those data channels are at ports 989 and 990. However, FTPS can also be configured to negotiate its data ports within a predefined range each time it makes a connection.

VPN (virtual private network)

A virtual connection between a client and a remote network, two remote networks, or two remote hosts over the Internet or other types of networks, to remotely provide network resources. - can be tailored to a customer's distance, user, and bandwidth needs, so, of course, every configuration is unique. However, all share the characteristics of privacy achieved over public transmission facilities using encapsulation and, usually, encryption.

management URL

A web-based user interface where the user can make changes directly to a device. - Increasingly, networking devices are configured through a connected computer's browser that navigates to a management URL, where the user can make changes directly to the device. - Ideally, these device consoles will require an encrypted connection over HTTPS, although this is not always the case. - application layer concept

traditional computing

All the hardware, software, and everything else is located and managed at your location. This would be like making your own pizza from scratch at home. You provide all the ingredients, bake it in your own oven, and eat it at your own table - organization manages apps, data storage, OS, virtualization, servers, storage, and networking

DNS spoofing

An attack in which an outsider forges name server records to falsify his host's identity.

virtual firewall

An installation of a firewall's operating system in a VM. - a software firewall is merely an application, like Windows Firewall. It's very limited in scope and features, and only services a single client. A dedicated firewall device, such as those made by Fortinet, Cisco, or Palo Alto Networks, services an entire network (or portion of a network). It has many more features than a firewall app, and runs on its own OS. - There must be a hypervisor present (usually Type 1) for a virtual firewall to exist.

virtual router

An installation of a router's operating system in a VM.

OpenVPN

An open-source VPN software that is available for multiple platforms. - uses a custom security protocol called OpenSSL for encryption - has the ability to cross many firewalls where IPsec might be blocked. It is both highly secure and highly configurable.

CA (certificate authority)

An organization that issues and maintains digital certificates as part of the PKI (public-key infrastructure).

cross-platform (features of cloud computing)

Clients of all types, including smartphones, laptops, desktops, thin clients, and tablet computers, can access services, applications, and storage in a cloud, no matter what operating system they run or where they are located, as long as they have a network connection.

at rest (states of data)

Data is most secure when it's stored on a device that is protected by a firewall, anti-malware software, and physical security (such as being inside a locked room). However, these protections are no guarantee. Additional protections include storing portions of the data in separate locations so that no single portion is meaningful on its own.

cloud computing disadvantages

Dependence on the Internet means dependence on your network's connection to the ISP and reliance on other third parties as well. - ISP's uptime - ISP-imposed bandwidth limitations - Cloud provider's uptime - Cloud provider's backup and security systems - Misconfiguration that exposes one client's data to another client - Unauthorized access to data by cloud provider employees or by illegitimate users - Breaches of confidentiality agreements when data is stored online - Data security regulations (such as for healthcare, financial, or government entities) - Questions over ownership of intellectual property stored in the cloud (for example, photos or comments made on social media websites, or files saved in online storage accounts) - Questions over data maintenance if a payment is not made on time

encryption as a security measure

Encryption is the last means of defense against data theft. In other words, if an intruder has bypassed all other methods of security, including physical security (for instance, he has broken into the data center) and network design security (for instance, he has defied a firewall's packet-filtering techniques or removed encapsulated frames from transmissions), data may still be safe if it is encrypted. Encryption protocols use a mathematical code, called a cipher, to scramble data into a format that can be read only by reversing the cipher—that is, by deciphering, or decrypting, the data. The purpose of encryption is to keep information private

PPPoE (PPP over Ethernet)

PPP running over an Ethernet network. - might be used to connect a computer to a modem by way of an Ethernet network adapter and patch cable

in use (states of data)

For data to be used, it must be accessible, which brings inherent risk. Tightly controlling access to the data and reliable authentication of users help reduce these risks.

consolidated (features of cloud computing)

Host computers in the cloud provide multiple virtual machines, resources such as disk space, applications, and services that are pooled, or consolidated. For example, a single cloud computing provider can host hundreds of websites for hundreds of different customers on just a few servers. This is called a multi-tenant service model.

ESP (Encapsulating Security Payload)

In the context of IPsec, a type of encryption that provides authentication of the IP packet's data payload through public key techniques and encrypts the entire IP packet for added security.

AH (authentication header)

In the context of IPsec, a type of encryption that provides authentication of the IP packet's data payload through public key techniques.

client_hello

In the context of SSL encryption, a message issued from the client to the server that contains information about what level of security the client's browser is capable of accepting and what type of encryption the client's browser can decipher.

server_hello

In the context of SSL encryption, a message issued from the server to the client that confirms the information the server received in the client_hello message. It also agrees to certain terms of encryption based on the options the client supplied.

guest

In the context of virtualization, a virtual machine operated and managed by a virtualization program. - a logical computer hosted by the physical computer

dedicated connection (options for cloud computing)

Maximizes predictability and minimizes latency, and of course comes with a high price tag. Some of the larger cloud service providers maintain multiple PoP (Points of Presence) around the world. This means the provider rents space at a data center facility, called a colocation facility or carrier hotel that is shared by a variety of providers. In many cases, ISPs can provide dedicated access from a customer's premises to a cloud provider's PoP. This is more cost effective when an organization subscribes to multiple cloud providers who all use the same colocation.

IKE (Internet Key Exchange)

One of two services in the key management phase of creating a secure IPsec connection. IKE negotiates the exchange of keys, including authentication of the keys.

ISAKMP (Internet Security Association and Key Management Protocol)

One of two services in the key management phase of creating a secure IPsec connection. works within the IKE process to establish policies for managing the keys.

Internet (options for cloud computing)

Provides the simplest and cheapest option, but with high and unpredictable latency as well as significant security concerns.

leased line (options for cloud computing)

Relies on private WAN options to reserve a dedicated amount of bandwidth between the cloud provider and the customer's premises. Depending on the respective locations of provider and customer, this might require the cooperation of multiple ISPs in order to reach the cloud provider's servers. Hybrid pay-per-use models are available where the customer reserves a portion of anticipated bandwidth needs, and then is invoiced for additional bandwidth used during the pay period.

port forwarding

The process of redirecting traffic from its normally assigned port to a different port, either on the client or server. - used by SSH to redirect traffic that would normally use an insecure port (such as FTP) to a SSH-secured port. This allows you to use SSH for more than simply logging on to a host and manipulating files

elastic (features of cloud computing)

Services and storage capacity can be quickly and dynamically—sometimes even automatically—scaled up or down. In other words, they are elastic. The elasticity of cloud computing means that storage space can be increased or reduced, and that applications and clients can be added or removed, as needed. For example, if your database server in the cloud is running out of hard disk space, you can upgrade your subscription to expand it yourself, without your having to alert the service provider.

on demand (features of cloud computing)

Services, applications, and storage in a cloud are available to users at any time, upon the user's request.

VNC (Virtual Network Computing) (remote access protocol)

Software that uses the cross-platform protocol RFB (remote frame buffer) to remotely control a workstation or server. - is slower than Remote Desktop and requires more network bandwidth. However, because VNC is open source, many companies have developed their own software that can: - Run OSes on client computers - Remotely access computers, tablets, and smartphones - Remotely control media equipment and surveillance systems

PKI (Public-key Infrastructure)

The use of certificate authorities to associate public keys with certain users.

data plane

The actual contact made between physical devices and data transmissions as messages traverse a network. - The outcome of those decisions (from control plane)—actual transmissions on the network -

IKEv2

The current version of IKE that offers fast throughput and good stability when moving between wireless hotspots. - is a component of the IPsec protocol suite - It's compatible with a wide variety of devices and is often recommended by VPN providers as the most secure option among the VPN protocols they support.

hypervisor

The element of virtualization software that manages multiple guest machines and their connections to the host (and by association, to a physical network). - creates and manages VMs, and manages resource allocation and sharing between a host and any of its guest VMs

virtualization

The emulation of all or part of a computer or network. - a virtual or logical version of something rather than the actual or physical version

cloud computing

The flexible provision of data storage, applications, or services to clients over the Internet. - ex. drop box, google drive, one drive (Microsoft) - most providers use virtualization software to supply multiple platforms to multiple users. - covers a broad range of services from hosting websites and database servers to providing virtual servers for collaboration or software development.

key management

The method whereby two nodes using key encryption agree on common parameters for the keys they will use to encrypt data.

key encryption

The most popular kind of encryption encodes the original data's bits using a key, or a random string of characters—sometimes several times in different sequences—to scramble the data and from it, generate a unique and consistently sized data block called ciphertext. The key is created according to a specific set of rules, or algorithms.

platform

The operating system, the runtime libraries or modules the OS provides to applications, and the hardware on which the OS runs.

control plane

The process of decision making, such as routing, blocking, and forwarding, that is performed by protocols. - traditionally configured network infrastructure. Each physical and virtual device, whether it's a router, switch, firewall, or load balancer, makes its own decisions about where transmissions should be sent based upon the protocols and other configurations on that device

in motion (states of data)

This is when data is most vulnerable. Especially when data must leave your own, trusted network, it's exposed to a multitude of potential gaps, intrusions, and weak links. As you've seen in earlier chapters, wireless transmissions, especially, are susceptible to interception. And wired transmissions also risk exposure. The number of devices, organizations, and transmission methods involved in sending a single email across the Internet highlights the need for a layer of security that travels with the data.

remote access connections (options for cloud computing)

Uses tunneling or terminal emulation technologies to increase security.

NIST (National Institute of Standards and Technology)

developed a standard definition for each cloud computing category, which varies by the division of labor implemented.

host

int he context of virtualization, the physical computer on which virtualization software operates and manages guests

one way to reduce inherent risks of cloud computing

to use encryption - Another way is to carefully choose the method by which your network connects to your cloud resources. Business requirements, risk management, and cost all factor into this decision