CNIT 34220 Exam 2
· Caching · Security · Statistics · Filtering
4 benefits of an outbound proxy server
· Protocols · Addressing · Redundancy · Load Balancing
4 web services for inbound connections
Load balancing with DNS flagging
when multiple hosts are associated with the hostname, DNS server passes out the IP address in a "round robin" fashion, splitting the load across multiple servers, but one server can still carry the bulk of the load
Ratio
load balancing technique, adjusts the Round Robin technique based on the perceived capability of each server
Round robin
load balancing technique, sends connection requests to app servers in turn, regardless of capability or current load
Set/Pool of application servers
the ADC sends data to and receives responses from these servers, allows the load to be split up between servers
Dynamic load balancers
the load balancer has a separate control channel with the web servers (used to keep track of current utilization), the requesting node makes an official request to the load balancer and the load balancer passes the connection to the least loaded server (the load balancer may decline the connection if there is no server with available capacity to serve the connection)
Load balancing
the most basic ADC function, almost always used even if other features are also desired
Cookie-based persistence
type of persistence, only works with HTTP/HTTPS, a browser cookie is added that the ADC uses to keep connection requests going to the proper server, requires cookies to be available within the browser, resolves the client outbound NAT issue
Source address persistence
type of persistence, works with all TCP and UDP applications, the ADC keeps a table of clients and the servers to which they should be redirected
IP based HTTP site identification
type of site identification, multiple IP addresses are bound to the web server's external NIC, but it is an inefficient use of IP addresses
DNS name HTTP site identification
type of site identification, there is one IP address for the whole web server, each site has its own DNS CNAME record that points to the underlying hostname, the preferred method
Network Time Protocol (NTP)
uses UTC complete with leap seconds, Marzullo's algorithm, keeps the clock constantly correct, requires the system to adjust its internal clock to match the reference time (slew and drift)
Proxy auto configuration (PAC)
way to configure a browser to use a proxy server, JavaScript returns the proxy server to use, placed on internally accessible web server, clients configure themselves upon hitting the script
Web proxy auto discovery protocol
way to configure a browser to use a proxy server, designed to automatically find a PAC script (through DHCP, service location protocol, or DNS records)
Reverse proxy server
web server placed in a first layer DMZ, answers the incoming connection request then makes a connection back to the actual web server, retrieves the page, and presents it to the requesting node, can add HTTPS level security to a non-HTTPS enabled web application server, can increase the capacity of a dynamic web application
Default page
what is used when a request is made for the base page or a directory (www.page.com or www.page.com/support)
The 19 day month of September 1752
when Great Britain and her colonies had to skip 11 days to make up for leap years not taken in the past
· Authenticates the server · Establishes an encrypted session over which HTTP data is carried · Requires a digital certificate from a trusted authority to work transparently
3 things that HTTPS does
logically in front
An ADC must be ______________________ of the application server.
local
Windows system clock is on a ________ time zone
128
Future versions of NTP (NTP5) will have ____ bit representation
80
HTTP nominally runs on port ?
443
HTTPS nominally runs on port ?
SSL
HTTPS was previously known as ____ (which is now technically TLS)
clients
Ideally, you should load balance ________ across servers (requires a means of ensuring the client gets the same server for each connection)
PDC FSMO, PDC
In a domain, the ____________________ role is the time server; all domain members synchronize to the ________
64, 32 and 32
NTP timestamps have ____ bit time representation: ___ bits for seconds and ___ bits for fractional seconds, down to .233 nanosecond accuracy
136
NTP timestamps wrap around every ___ years, next wrap scheduled for 2036
False - The preferred method for assigning multiple web sites (DNS names) to a single server is to use CNAME DNS records to assign multiple names to a single IP address.
T/F: The preferred method for assigning multiple web sites (DNS names) to a single server is using multiple IP addresses.
True
T/F: Typically, an ADC is in line with the application server
True - SSL Acceleration requires the ADC fully proxy the web site. Otherwise SSL would not be implemented.
T/F: SSL Acceleration requires the ADC fully proxy the web site.
False - Virtual machines are poor at time keeping as their CPU clocks vary without their knowledge. This makes NTP a poor choice for them. Instead, use VMware Tools or its equivalent to automatically refer to the underlying hypervisor for time information.
T/F: Virtual machines should always use NTP because their time tends to drift.
True (there is no method of authenticating and authorizing a user)
T/F: A simple web server often does not support HTTPS
False (however, client should hit the ADC instead of the application server directly)
T/F: ADC and application controller cannot coexist in the DMZ
False - hardware, not software
T/F: ADC is often implemented in software to increase ADC capacity
True
T/F: Acceleration refers to offloading some of the server's functionality to the application delivery controller.
True (Traffic from an application must flow through the ADC)
T/F: An ADC needs to be logically in front of an application/service
True - Transparent proxying requires hijacking outbound traffic on destination port 80 and re-routing it to the proxy server, which must spoof the source address of the original web server when replying to the source browser.
T/F: Converting to a transparent outbound proxy server requires hijacking traffic and spoofing return source IP addresses.
False - Current versions of NTP use a 64 bit representation that is accurate to 0.233 nanoseconds.
T/F: Current versions of NTP use a 32 bit representation that is accurate to 0.233 nanoseconds.
False - While DNS flagging (alternating IP addresses from a pool via DNS) can help, it does not ensure that there is any effective load balancing. The caching nature of DNS is especially problematic in that one response can be used by hundreds of hosts while another response could be used by only a single host.
T/F: DNS flagging effectively balances load across multiple web servers.
True (a control session for the base HTML data that defines the web page and multiple other sessions for pictures, sound, video, etc. that are defined on the page)
T/F: HTTP establishes multiple TCP sessions
False (each site, not server)
T/F: HTTPS acquires and assigns certificates for each server
True (the security is established on an IP basis rather than a name basis)
T/F: HTTPS requires a separate IP address for each site
False - Ideally there should be at least two stratum 3 or better time servers within an organization.
T/F: Ideally there should be at least one stratum 4 or better time server within an organization.
True - A Windows PDC or PDC emulator also serves as the domain time server using SNTP (Pre Server 2003 SP1) or NTP (Server 2003 SP1 or newer).
T/F: In a Windows domain, clients receive time information from the Primary Domain Controller or PDC Emulator.
False - By default HTTPS only authenticates the server to the browser. The browser is not authenticated to the server.
T/F: In a basic HTTPS session, both the client and server are authenticated.
True - one between the client and the ADC and another between the ADC and the application server.
T/F: In full proxy load balancing there are two separate data flows.
True
T/F: It is best to block the actual application server at the firewall
True (Default is to sync to time.windows.com via SNTP)
T/F: Non-domains have no built-in synchronization
False (Multiple sites can exist on the same web server)
T/F: Only one type of the same site can exist on the same web server
True - SSL 3.0 has been re-badged TLS 1.0
T/F: SSL and TLS are the same technology.
True (The process depends on constant processor clock speeds, but is problematic if the processor is over/underclocked or when the clock slows to save power or under virtual machines)
T/F: System time is kept by a process running in the OS.
False - SNTP simply asks for the current time once. NTP consistently checks time and uses a drift file to ensure accurate time keeping.
T/F: The SNTP protocol consistently checks time and uses a drift file to ensure accurate time keeping.
data flows
The ADC balances incoming _____________ across the available application servers
static
The reverse proxy can cache __________ content so the actual web server only has to generate the dynamically generated content (multiple web servers can be placed in a second DMZ to further increase capacity)
· Normal/Standard - specified to the browsers · Transparent
Two approaches to outbound proxy server
Round robin and ratio
Two static techniques to load balancing
January 19, 2038
UNIX clock will overflow on this date
UNIX Epoch
UNIX keeps time based on seconds since the
UTC
UNIX system clock
Proxy
Web services for outgoing connections
ADC
When managing data flows through an application delivery controller the return traffic from the application server to the client must have a source address of the _____________________________.
Simple web server
any software that supports the HTTP protocol, often built into other applications as a management or control interface or added on top of existing workstations, does not support web-based applications
Cloud computing
applications, services, and data are hosted in a virtual infrastructure that allows for scalability and reliability
Standard proxy server
browser asks the proxy to retrieve pages, browser itself must be configured to use proxy
Stratum 3 servers
get time from multiple stratum 2 servers, peer with other stratum 3 servers within an organization (LAN level connectivity), typically serve clients within an organization, can serve higher level time servers (up to 16 levels)
NTP pools
group of time servers available for public use, provided by the public, geographically organized, structure starts from 0 and counts up
Single dedicated server
highly available web servers running in a secure environment, support both HTTP and HTTPS, IIS and Apache, typically placed in a DMZ (second layer), usually support server-side scripting
Marzullo's algorithm
in NTP, takes into account transmission duration for time data
Real time clock
keeps time in BIOS, keeps time when computer is turned off, notoriously inaccurate
Stratum 0 time sources
machines which have locally accurate clocks, such as atomic clocks or GPS receivers, serve as a reference for stratum 1 time servers
Persistence
problem with connection based load balancing, application state data (cookies) are lost because the cookie ends up in the wrong place for the server handling the connection
Stream processing
processing data streams (content) flowing through the ADC (delete, add, and replace content), typically uses regular expressions, an update can be made to all pages on a served site with one change
Transparent proxy server
proxy in which client is not aware of the proxy server, outbound traffic is "hijacked" at the gateway then routed to the proxy server (using redirect or port forward rule on the gateway), proxy then spoofs the address of the target server when replying to the client, all direct HTTP connections are blocked, requires no client configuration
Outbound proxy server
proxy server located in DMZ, isolates internet traffic from clients, only works with HTTP (not HTTPS)
Stratum 2 servers
reference at least 2 stratum 1 servers, peer to other stratum 2 servers, typically only service stratum 3 servers
SSL acceleration
requires the ADC fully proxy the website, the connection from client to ADC uses HTTPS and the connection from ADC to application server uses HTTP
Stratum 1 server
server typically used to service other time servers (not clients directly), as of NTPv3 will downgrade themselves if they tend to drift
Simple Network Time Protocol (SNTP)
single transaction, sets the time once, can be done repeatedly on a schedule, and time can be off between syncs, the default for "Internet time" in Windows
Application delivery controllers
sits between clients and applications/services, sometimes referred to as application layer switches
Static content acceleration
static content (images, backgrounds, sounds) is kept on and served by the ADC (the HTTP GET request is never sent to the app server)
DNS name HTTP site identification
which is preferred between IP based and DNS name HTTP site identification