3.3 Given a scenario, implement secure network designs
Collectors
Collectors are used to collect data generated from network sensors. Explanation: As network sensors in various devices generate data from the traffic that flows through them, the collectors collect these data and send them to the aggregator.
Forward
A forward proxy is a proxy server that is used to send requests from a private network to the internet through a firewall. Explanation: With a forward proxy, clients can connect from an internal network out to the internet. When a client seeks to access the internet, the request goes to the proxy and is evaluated to ensure it complies with preconfigured rules; if it does, it is forwarded out, otherwise it is blocked.
Loop prevention
A network loop occurs when there is more than one active path on a network communicating from the same source to the same destination. It could occur in Layer 2 devices, such as switches and bridges, when a cable comes from a switch and returns to it through some other port. Such loops could cause a broadcast storm that could degrade the network performance or cause an outage completely. A good way to prevent network loops is with the use of spanning tree protocol (STP). When STP is deployed to Layer 2 devices, they exchange BPDU frames among themselves in order to calculate the shortest, unique, loop-free paths for communicating with each other. STP instantly blocks ports where loops are detected, and reassigns root ports on the network.
Proxy servers
A proxy server is a system that acts as an intermediary between clients and the resources they are seeking to access. Explanation: With a proxy server, rather than the client's request going straight to the server that hosts the resources, it goes to a proxy server that evaluates the request and forwards it to the server with the resource on behalf of the client. With this arrangement, the server that holds the resources treats the request as coming from the proxy server, and does not communicate directly with the client. When the server responds, the proxy server receives the response and then sends it to the client on behalf of the server. There are several advantages of configuring proxy servers, including the fact that they could act as load balancers, distributing traffic to the various servers; they could also help protect the IPs of other servers as the responses they send to the client carries the IP address of the proxy server and not of the server from which the response came.
Reverse
A reverse proxy is a proxy server that is used to send external requests from the internet to a private network. With a reverse proxy, clients can connect from the internet to an internal network. When such communication is initiated, the request goes to the proxy and is evaluated to ensure it complies with preconfigured rules; if it does, it is sent to the server that hosts the requested resources, which in turn sends the response back to the proxy, and which then sends it to the client.
Access Control List (ACL)
Access control list (ACL) is a list of rules that allow or deny traffic based on specified conditions. Explanation: Access control lists are used to control access of users to IT resources on a network. Network access control lists filter traffic based on their origin and destination as well as port numbers. Apart from specifying which traffic gets into a network, ACLs determine what resources are going to be accessed and what actions will be permitted on them. These ACLs can be placed on network devices such as routers or firewalls.
Active/active
Active/active load balancing is when a load balancer distributes traffic across servers that are all on and running at the same time. Explanation: When more than one server is configured to handle traffic, the network administrator can choose to make them all run at the same time. This is called active/active. Here, all the servers are receiving traffic simultaneously and the load balancer distributes the traffic across them.
Agent and agentless
Agent-based assessment is the process of installing a software on a device which is responsible for checking the state of the device in order to determine whether or not to grant it access to a network. Agentless assessment is the process of conducting this check without having to install an assessment software on the device. Explanation: With agent-based assessment, a software is installed on the device that checks things like firewall configuration on the device, antivirus status, registries, files, installed applications and more, to ensure they meet the specified security benchmark before allowing the device to connect to a network. This software could either be permanently installed on the device (in this case called a persistent agent) or configured to run on the device at the point of connection and terminate after assessment without installing itself on the device (in this case called a dissolvable agent). Agentless assessment, on the other hand, does not require the installation or running of any software (whether persistent or dissolvable). Windows have integrated an assessment tool into Active Directory as an agentless NAC which runs whenever a user logs in or logs out. Access control tools such as firewalls, intrusion detection and prevention tools and more, can also be installed directly on the network to perform agentless assessment of endpoints before allowing them connect. Agent-based assessment is generally more difficult to manage, as the software will have to be installed and managed on every single device connecting to the network.
Aggregators
Aggregators are used to aggregate data from collectors in a centralized location. Explanation: As network sensors in various devices generate data from the traffic that flows through them, and collectors pick those data, they send them to the aggregator which presents them on a dashboard in such a way that they can be easily analyzed.
Always-on
Always-on VPN is a Microsoft virtual private network that is configured to stay on at all times and provide secure connections. Explanation: Always-on was designed to replace Microsoft DirectAccess. It provides secure connection to the internet as well as secure connection to corporate networks. With Always-on, a client automatically establishes VPN connection without any action by the user.
Anomaly
Anomaly-based intrusion detection is a method of detecting threats with the use of machine learning algorithms. Explanation: If an intrusion detection system uses anomaly-based detection, a baseline of what normal traffic looks like is set, and the system is trained to recognize "normal". The system then monitors traffic and flags and reports whatever is a deviation from normal.
Appliance vs. host-based vs. virtual
Appliance firewalls are firewalls on physical devices built specifically for that purpose. Host-based firewalls are firewall software that are installed on endpoints. Virtual firewalls are firewall software that are installed on networks. Explanation: In terms of performance, appliance firewalls have been proven to be most efficient; however, they could be quite expensive and might be rather superfluous for small networks. Host-based firewalls can provide very good endpoint security, and virtual firewalls could serve for small networks that don't have heavy traffic load.
Bridge Protocol Data Unit (BPDU) guard
Bridge Protocol Data Unit (BPDU) guard is a technology that prevents malicious BPDUs from entering a switch port. Explanation: A Bridge Protocol Data Unit (BPDU) is a data frame that contains information on the spanning tree protocol (STP), which is basically information necessary to configure a loop-free topology on a network (see more in Loop Prevention below). When a BPDU is sent by a switch, the spanning tree protocol determines the shortest path of communication through the switches on the network without creating a loop. However, malicious actors can send a BPDU frame from a switch to a non-switch port, causing a loop on the network. This can be prevented with a BPDU guard which recognizes such BPDUs and blocks the port immediately.
Broadcast storm prevention
Broadcast storm prevention is port security method which is put in place to prevent the flooding of a switch with broadcast traffic. Explanation: A broadcast storm occurs when an unusually high amount of broadcast packets is sent to a switch over a very short period of time causing its performance to drop significantly, or completely taking it offline. While broadcast storms could be used by malicious actors to launch a denial of service attack, there are also other non-malicious causes of broadcast storms such as a switching loop in the network, or a large amount of requests for IP addresses from a DHCP. There are various ways to prevent broadcast storms; they include using rate limiting to limit the amount of broadcast traffic the switch is allowed to forward per time, using switches and routers that implement advanced filtering, using virtual local area networks (VLANs) to segment broadcast domains and keep them from being too large, as well as configuring firewalls to block packet amplification attacks.
Content/URL filter
Content/URL filter is a tool that is used to block access to contents that are not allowed on a network. Explanation: Content/URL filter could be configured to block access to specific website, block email from specific senders, or block out specific types of file extensions.
DNS
DNS—Domain Name System—is a distributed naming system for computers, servers, services and resources that associate these entities with domain names on a network. Explanation: DNS is responsible for assigning domain names and mapping them to the associated resources through name servers. DNS resolution also helps in translating domain names to IP address. A good way to implement security in domain name system is to use DNSSEC. DNSSEC provides security by digitally signing data that is exchanged in the Domain Name System with the use of asymmetric cryptography, and providing authentication that makes it impossible to spoof or modify DNS responses; this way, attackers are unable to manipulate a DNS to resolve to a malicious destination.
Port spanning/port mirroring
Definition: Port spanning/port mirroring is the process of copying network packets on a switch port and sending it to a network monitoring port on another switch port. Explanation: It gets the name spanning from switch port analyzer (SPAN); port spanning is very useful in analyzing network traffic by copying this traffic from a specific port and sending to a monitoring port where it can be analyzed separately from the source port.
Dynamic Host Configuration Protocol (DHCP) Snooping
Dynamic Host Configuration Protocol (DHCP) snooping is a security feature integrated into many switches responsible for blocking suspicious and untrusted DHCP traffic. Explanation: Dynamic Host Configuration Protocol (DHCP) is used to provide IP addresses from the DHCP server for devices connected to a network. When clients connect to a network for the first time and do not have an IP address, they call out for one and the DHCP server makes an offer which they accept, and that becomes their IP address. A malicious actor could connect a rouge DHCP server to a network to answer to the call of devices and offer them addresses. This puts every communication with those devices on that network in the palm of the attacker. To prevent this, we use DHCP snooping. DHCP snooping works by classifying the ports on a switch into "Trusted" and "Untrusted"; DHCP server messages sent over Trusted ports are trusted, while those sent over Untrusted ports are not trusted. Thus with DHCP snooping, suspicious DHCP messages that are sent from rouge DHCP servers are dropped, because they will be coming from these untrusted ports.
East-west traffic
East-west traffic is the traffic between devices within a data center. Explanation: East-west traffic occurs when components within a data center communicate with each other. The other side of this is north-south traffic, which occurs when components in a data center communicate with external components. With increase in virtualization, the traffic among internal components will increase. Although this east-west traffic is not considered to pose as much security concern as north-south traffic, since it is internal communication within the data center, it is still important to secure east-west traffic, as insider threats could exist with capacity to compromise the whole internal network.
Extranet
Extranet is a network that is separate from an internal network that is accessible by authenticated third parties. Explanation: In order to have areas of a network where trusted third parties can securely access with proper authentication without having any form of access to other parts of a corporate network, an extranet must be put in place. The extranet is completely isolated from the rest of the corporate network and has a firewall that sits between it and the public internet.
File integrity monitors
File integrity monitors are tools used to monitor and inspect files for changes that could be indicators of compromise. Explanation: File integrity monitoring (FIM) is often applied to configuration files of operating systems and applications. Typically, these file are compared with a known baseline state.
Firewalls
Firewalls are network appliances that provide security by monitoring traffic and allowing or blocking flow based on configured rules. Explanation: Firewalls can be configured to filter traffic based on IP addresses, port numbers, applications, and other parameters. There are various types of firewalls such as web application firewall, next-generation firewall, packet filtering firewall and more.
HSM
HSM—Hardware Security Module—is a hardware that is used for the centralized management of encryption keys. Explanation: Hardware security modules provide a very secure way to manage cryptographic keys and processes. With HSMs the cryptography infrastructure is isolated from the general operational environment on the network. Hardware security modules can be used to create encryption keys, store and backup keys, as well as destroy them at the end of their lifecycle.
HTML5
HTML5 (hypertext transfer markup language 5) is a language used for structuring web content and building offline applications. Explanation: Browsers that support HTML5 are able to establish SSL VPN connections without having to install any additional plugin or software.
Hardware vs. software
Hardware-based firewalls are physical firewall devices that work with proprietary software, while software-based firewalls are virtual firewalls that can be installed to run as a software program. Explanation: Hardware-based firewalls are physical devices that are purpose-built as firewalls to be plugged into a network. They tend to provide more effective functionality and more efficient performance. Hardware-based firewalls are usually much faster, and are less prone to attacks. Software-based firewalls are usually installed and configured on the network without a dedicated purpose-built hardware. They are not as efficient as hardware firewalls, but are significantly more affordable and can be used on small networks.
Heuristic/behavior
Heuristic/behavior-based intrusion detection is a method of detecting threats by scanning for malicious commands or suspicious codes. Explanation: If an intrusion detection system uses heuristic-based detection, it scans network traffic and analyzes for malicious commands that might be contained in them.
IPSec
IPSec VPN is a VPN that uses IPSec protocol to establish secure communication over public internet. Explanation: IPSec—Internet Protocol Security—is a suite of network protocol that is used to provide secure communication among endpoints on an IP network. IPSec can be used to establish VPN connections. IPSec VPN allows secure remote connection between a client and an entire network. Data transmitted through an IPSec VPN tunnel are encapsulated in an IPSec packet and encrypted before being sent through the tunnel.
Implications of IPv6
IPv6 was designed to replace IPv4 due to the fact that IPv4 used a 32-bit address space and was fast running out of addresses as the internet expanded. IPv6 has a 128-bit address space, thus making enormous provision for future addresses. IPv6 also delivers faster speeds, and packets that are bandwidth intensive can be broadcasted to multiple destinations simultaneously with IPv6. It is also much more secure than IPv4.
Inline vs. passive
Inline and passive modes are the two modes in which the sensors of intrusion detection systems can be configured. Explanation: In in-line mode, the sensor of an IDS is placed directly in the path of network traffic, hence the traffic passes right through the sensor. In-line sensors can actively block detected malicious traffic, and so this mode is mostly used in intrusion prevention systems (IPS). In passive mode, the sensors are placed out of the traffic path, and simply receive copies of the traffic for analysis. Passive sensors cannot actively block detected malicious traffic but simply detect them, and so they are mostly used in intrusion detection systems (IDS).
Intranet
Intranet is a private network that is only accessible from the internal corporate network. Explanation: Organizations could deploy servers to an intranet where employees can access work-related resources only from within the internal network. The intranet cannot be accessed from public internet, and so is completely different from a screened subnet (DMZ) and an extranet.
Monitoring services
It is important to have a good view of everything that is taking place within a network. There are several tools and methods that make this possible; one of such is a port scanner, which can scan through ports to see which ports are open and what services are running on them. There are also tools that can help with network configuration monitoring, checking the configuration of various network appliances and comparing against a baseline. Also, there are tools to help with network performance monitoring, checking the overall health of the network in order to improve performance.
Jump servers
Jump server, also known as jump box, is a system that is used to manage communication between devices in separate security zones on a network. Explanation: Resources that are highly restricted on a network will need to be kept in a more secure area than other resources. While a firewall might suffice for other resources, something more would be needed for highly restricted resources. A jump server helps put such resources behind stricter security, such that they can only be accessed by tunneling to the jump server—which is thoroughly hardened—and authenticating with privileged credentials.
Layer 2 tunneling protocol (L2TP)
Layer 2 tunnelling protocol (L2TP) is a tunnelling protocol used to establish connection between a user and a VPN server. L2TP is an old protocol and isn't so widely in use. It only encrypts its own control messages but does not provide encryption or authentication for the data that is sent across it.
Load balancing
Load balancing is the process of distributing network traffic across available servers in order to provide high availability and fault tolerance. Explanation: A good network architecture will typically have two or more servers that are configured to handle traffic. A load balancer will be installed and configured to receive incoming traffic and distribute across the available servers in such a way that no server is overworked while another is underworked. It is good security practice to install load balancers on the public facing side of a network while the servers they interact with are in a private subnet.
Media access control (MAC) filtering
Media access control (MAC) filtering is the process of configuring switches to allow or block devices based on their MAC address. Devices have a MAC address which is more like the hardware address that is used to identify them on a network. Switches can be configured to only allow communication from a list of MAC addresses. The switch checks the MAC address of any device trying to connect, and compares it with the list of allowed MAC addresses, if the connecting MAC address is not on the list, the device is not allowed to communicate on the network. The downside of this method is that an attacker could use a simple packet analyzer to get a list of valid MAC addresses on the network and then spoofing them to connect to the network.
Network access control (NAC)
Network Access Control (NAC) is the process of protecting a network by enforcing security controls that monitor and manage access to the network. The goal of network access control is to ensure that only users, clients and entities that comply with administrative and technical access policies are permitted access to resources on a network. There are various ways to implement network access control such as the use of firewalls, IAM (Identity and Access Management), and endpoint security solutions. Access control can be configured to set a benchmark for devices seeking to access a network; this could be checking OS status, antivirus status and running other security checks. Devices failing to meet the benchmark will not be authenticated. Configurations can also be made for users trying to access the network; this could check things like user account status, access location, password expiry and other contextual conditions before granting access.
Network address translation (NAT) gateway
Network address translation (NAT) gateway firewalls are firewalls that are configured on routers to protect private networks. Explanation: A NAT gateway firewall will only allow traffic from the internet into a private network if it is coming in response to a request from within the private network. In other words, a NAT gateway firewall does not allow connection to be initiated from outside a private network.
Network appliances
Network appliances are devices that are used to setup a network infrastructure.
Network segmentation
Network segmentation is the act of dividing networks into distinct segments in order to achieve better security. Explanation: Segmentation can be used to isolate some parts of a network from others, or to connect some parts with others. There are various methods of network segmentation including DMZs, Intranet and VLANs (See VLAN, DMZ and Intranet below).
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) is a system that monitors traffic on a network to detect and block suspicious or malicious movements. Explanation: NIDS or NIPS can be installed on a network to monitor traffic in and out of the network for malicious behavior. A network-based intrusion detection system (NIDS) is designed to simply detect such malicious traffic and alert an admin, who will take the necessary action. A network-based intrusion prevention system (NIPS), on the other hand, will not only detect such malicious traffic but actively block them. When an intrusion detection or prevention system is network-based it simply means it is sitting on the network, as opposed to host-based which is installed on an endpoint.
Open-source vs. proprietary
Open-source firewalls are firewalls that are developed and distributed under open-source license, while proprietary firewalls are developed and distributed with proprietary technology. Explanation: Open-source firewalls are very flexible and can easily be customized to meet specific use cases; however, their source codes are usually available in public repositories, which is a major security concern for a firewall. Proprietary firewalls, on the other hand, might not be as customizable as open source, but provide stricter security; however, some licenses for proprietary firewalls could be quite expensive.
Out-of-band management
Out-of-band management (OOB) is the process of managing a network infrastructure of an organization without using the corporate local area network. Explanation: OOB management helps network administrators to securely manage network devices, configurations, settings and more remotely on a network that is completely separate from the corporate network itself. A major advantage of this is that, in the event of a network outage with the corporate LAN, the admin will still be able to remotely access, manage and restore the network, since the network management infrastructure is separate from the corporate LAN.
Persistence
Persistence, in load balancing, is the process of a load balancer storing information in order to preserve ongoing sessions. Explanation: If a load balancer distributes traffic from users, and a user and starts a session with Server A, the load balancer stores the information of that session such that when other requests come from that user during that session, they are not sent to another server but to the server where the active session is in progress, in this case Server A. .
Port taps
Port TAP (Test access point) is a device that is placed between network appliances in order to copy traffic for analysis. Explanation: Once a tap is installed between network appliances such as a switch and a router, traffic between those devices flows directly through and across the tap. The tap does not modify the traffic in any way but simply makes copies of it for analysis.
Port security
Port security is the process of securing the individual ports of switches by configuring them to permit or block various kinds of communications. Explanation: There are different ways of implementing port security on a network; they include MAC filtering, BPDU guard, loop prevention and more.
Quality of service (QoS)
Quality of service (QoS) is a process of prioritizing network traffic for differentiated handling. Explanation: Not all traffics have the same priority; however, if the priority information is not communicated to a network, they will all receive the same services, regardless of their priorities. Since network resources, such as bandwidth, are not infinite, the network must be configured to distribute limited resources across traffic based on priority. With QoS, a network administrator can determine the order in which packets are handled. These traffics can be classified based on port number, IP, application, or user, and then a bandwidth management tool is configured with rules on how to prioritize various classes of traffic and assign differential handling.
Remote access vs. site-to-site
Remote access VPN encrypts communication between users and a corporate network, while site-to-site VPN encrypts communication between corporate sites. Explanation: With site-to-site VPN, an organization can encrypt communication between its various sites, such as communication between HQ and some other corporate site, by installing a VPN appliance on both sides of the network. A remote access VPN, on the other hand, works quite differently; it encrypts communication between a remote user/endpoint and an internal corporate network by installing a VPN software on the remote endpoint and a VPN appliance on the corporate network.
Route security
Route security is the act of securing network routes by implementing security controls. Explanation: A good place to implement controls for proper route security is right where the routing takes place—at routers. Routers can be secured with the use of access control lists (ACLs). These lists contain rules that the router can follow to control traffic passing through it. Depending on the rules, an incoming or outgoing traffic can be dropped without being routed.
SSL/TLS
SSL/TLS VPN is a virtual private network that uses secure socket layer (transport layer security) to provide an encrypted connection over the internet. Explanation: SSL/TLS VPNs provide end-to-end encryption along with authentication. It helps ensure the confidentiality and integrity of data in transit over the internet via a web browser or other applications that are used to access the web. SSL VPNs do not require special configurations and will run right out of the box, usually through web browsers or other clients.
Scheduling
Scheduling is the process of configuring how load should be distributed across servers by a load balancer. Explanation: There are different scheduling types with load balancers. One is the Round-robin scheduling that distributes traffic equally across servers in sequence. In other words, if 3 servers are configured with Round-robin schedule, the first set of traffic goes to Server A, then the next goes to Server B and the next to Server C, and then back to Server A, going round in that order. Another type of scheduling is the Weighted scheduling; in this method, the load balancer is configured to distribute traffic across servers in proportions of varying weight. Thus, with 3 servers configured, for example, the load balancer will send 50% of traffic to Server A, 25% of traffic to Server B and 25% to Server C. Also there is Dynamic scheduling, where the load balancer intelligently distributes the traffic, constantly adjusting the volume of traffic sent to each server to ensure that none is overwhelmed while others are underworked.
Screened subnet (DMZ)}
Screened subnet (previously known as demilitarized zone—DMZ) is an isolated area of a network built to allow interaction with the public internet. Explanation: In order to have areas of a network where the public can access via the internet without having any form of access to other parts of a corporate network, a DMZ must be put in place. The DMZ is completely isolated from the rest of the corporate network and has a firewall that sits between it and the public internet. Users can thus access the DMZ, passing through the firewall, and interact with the resources in the screened subnet.
Sensors
Sensors are components of network appliances that gather diverse information about the network for analysis. Explanation: Many network appliances have sensors installed on them; these could be devices such as switches, firewalls, intrusion prevention systems and the likes. As traffic flows through these various devices across the network, these sensors gather information that can be analyzed for improved security and performance.
Signature-based
Signature-based intrusion detection is a method of detecting threats with the use of a signature database of known threats. Explanation: If an intrusion detection system uses signature-based detection, it has a database of known threats and attack signatures. As traffic goes in and out of the network, the packets are compared with these signatures and suspicious matches are flagged.
Split tunnel vs. full tunnel
Split tunnel is a VPN deployment model that allows users communicate to servers without having to reach the VPN concentrator, while full tunnel is a deployment model that enforces all communications to go through the VPN concentrator. Explanation: A VPN concentrator is a device that helps manage multiple remote VPN connections. When a VPN is set to full tunnel, every remote connection through the VPN must first be tunnelled through the concentrator, from where it will be sent to its destination. However, when split tunnel is deployed, certain connections can be configured to first be tunnelled through the concentrator, while others are configured to be tunnelled straight to their destination without having to first go through the concentrator.
Stateful
Stateful firewalls are firewalls that monitor network traffic and sessions with capacity to keep track of the state of all sessions. Explanation: Stateful firewalls monitor all traffic and network sessions and know which sessions are active or not. When a session is established, a stateful firewall detects this, and traffic that comes in response to an active session are recognized and would not have to be analyzed by the firewall. In order to use fewer ports to monitor traffic, a network administrator configures a stateful firewall, as it does not have to open as much ports as the stateless firewall.
Stateless
Stateless firewalls are firewalls that monitor network traffic without keeping track of the state of sessions. Explanation: Stateless firewalls monitor all traffic based on rules that apply to inbound and outbound traffic with no regards to whether the traffic is in response to an active session or not. Application: A network administrator configures a stateless firewall with rules for traffic in both directions at every point.
Unified threat management (UTM)
Unified threat management (UTM) is a security device that combines various security solutions in one. Explanation: A UTM could be installed to perform various security functions such as content filtering, URL filtering, malware scanning, virus scanning, intrusion detection and prevention—all in one unit.
Virtual IP
Virtual IP is an IP that does not correspond to any physical network adapter. Explanation: While networks consist of physical network adapters, they could also have logical network adapters which are not hardware devices but installed software. Virtual IPs are assigned to such virtual interfaces in order to provide identity and location for them.
Virtual private network (VPN)
Virtual Private Network (VPN) is a means of establishing secure communication over unsecure networks. Explanation: Most VPNs work by providing an encrypted channel through which data exchange can occur. There are various types of VPNs such as IPSec, SSL/TLS, L2TP and more.
Virtual local area network (VLAN)
Virtual local area network (VLAN) is a partition of a single switch network into a collection of isolated networks within a local area network. Explanation: When a VLAN is used to partition a network into segments, each segment operates distinctly and can be configured to communicate with another segment or to be completely isolated from it. With a VLAN, an organization can implement different sets of security controls on each distinct partition; thus segments that are considered to be highly sensitive can have more layers of security controls than other less sensitive segments.
Web application firewall (WAF)
Web application firewall (WAF) is used to protect web applications from various application-layer attacks. Explanation: WAFs monitor traffic that go in and out of web applications and block out malicious traffic. They analyze HTTP requests and detect any malicious content such as SQL injections or cross-site scripting. These HTTP requests could be analyzed against a whitelist of allowed requests, of which if the content of a request does not comply with the whitelist, it is immediately blocked. Requests could also be analyzed against a blacklist of prohibited requests, of which if the content of a request matches anything on the blacklist, it is immediately blocked. Web Application Firewalls could be network-based (installed on the network), host-based (installed on an endpoint), or cloud-based (installed in the cloud).
Active/passive
When more than one server is configured to handle traffic, the network administrator can choose to make some of them actively process traffic while others stay passive. In this case, a passive server will become active in the event of failure of any of the active servers.
Zero Trust
Zero Trust is a security model that treats every internal activity within a network as untrusted and implements security controls and checks that will otherwise only be implemented externally. Explanation: The traditional trust model treats external communications and traffic with high suspicion, and only allows into a network traffic which has passed rigorous security checks; after which, once in, is treated as "friendly". Zero trust adopts a different approach. With zero trust there are no "friendlies"; every communication within the network is subject to security checks, encryptions, and authentications, just like communications from outside.
NGFW
generation Firewall (NGFW) is a firewall that can be used to provide advanced protection beyond traditional firewalls. Explanation: NGFWs are able to detect and prevent more sophisticated attacks than traditional firewalls. They work by providing context-aware security, and have a broad combination of features such as identity awareness, user control, intrusion prevention systems, deep packet inspection, SSL inspection and much more.