CNIT 34220 Exam 2


· Caching · Security · Statistics · Filtering

4 benefits of an outbound proxy server

· Protocols · Addressing · Redundancy · Load Balancing

4 web services for inbound connections

Load balancing with DNS flagging

when multiple hosts are associated with the hostname, DNS server passes out the IP address in a "round robin" fashion, splitting the load across multiple servers, but one server can still carry the bulk of the load

Ratio

load balancing technique, adjusts the round robin technique based on the perceived capability of servers

Round robin

load balancing technique, sends connection requests to app servers in turn, regardless of capability or current load

Set/Pool of application servers

the ADC sends data to and receives responses from these servers, allows the load to be split up between servers

Dynamic load balancers

the load balancer has a separate control channel with the web servers (used to keep track of current utilization), the requesting node makes an official request to the load balancer and the load balancer passes the connection to the least loaded server (the load balancer may decline the connection if there is no server with available capacity to serve the connection)

Load balancing

the most basic ADC function, almost always used even if other features are also desired

Cookie-based persistence

type of persistence, only works with HTTP/HTTPS, a browser cookie is added that the ADC uses to keep connection requests going to the proper server, requires cookies be available within the browser, resolves the client outbound NAT issue

Source address persistence

type of persistence, works with all TCP and UDP applications, the ADC keeps a table of clients and the servers to which they should be redirected

IP based HTTP site identification

type of site identification, multiple IP addresses are bound to the web server's external NIC, but it is an inefficient use of IP addresses

DNS name HTTP site identification

type of site identification, there is one IP address for the whole web server, each site has its own DNS CNAME record that points to the underlying hostname, the preferred method

Network Time Protocol (NTP)

uses UTC complete with leap seconds, Marzullo's algorithm, keeps the clock constantly correct, requires the clock to adjust its internal clock to match the reference time (Slew and drift)

Proxy auto configuration (PAC)

way to configure a browser to use a proxy server, JavaScript returns the proxy server to use, placed on internally accessible web server, clients configure themselves upon hitting the script

Web proxy auto discovery protocol

way to configure a browser to use a proxy server, designed to automatically find a PAC script (through DHCP, service location protocol, or DNS records)

Reverse proxy server

web server placed in a first layer DMZ, answers the incoming connection request then makes a connection back to the actual web server, retrieves the page, and presents it to the requesting node, can add HTTPS level security to a non-HTTPS enabled web application server, can increase the capacity of a dynamic web application

Default page

what is used when a request is made for the base page or a directory (www.page.com or www.page.com/support)

The 19 day month of September 1752

when Great Britain and her colonies had to skip 11 days to make up for leap years not taken in the past

· Authenticates the server · Establishes an encrypted session over which HTTP data is carried · Requires a digital certificate from a trusted authority to work transparently

3 things that HTTPS does

logically in front

An ADC must be ______________________ of the application server.

local

Windows system clock is on a ________ time zone

128

Future versions of NTP (NTP5) will have ____ bit representation

80

HTTP nominally runs on port ?

443

HTTPS nominally runs on port ?

SSL

HTTPS was previously known as ____ (which is now technically TLS)

clients

Ideally, you should load balance ________ across servers (requires a means of ensuring the client gets the same server for each connection)

PDC FSMO, PDC

In a domain, the ____________________ role is the time server; all domain members synchronize to the ________

64, 32 and 32

NTP timestamps have ____ bit time representation: ___ bits for seconds and ___ bits for fractional seconds, down to .233 nanosecond accuracy

136

NTP timestamps wrap up every ___ years, next wrap scheduled for 2036

False - The preferred method for assigning multiple web sites (DNS names) to a single server is to use CNAME DNS records to assign multiple names to a single IP address.

T/F: The preferred method for assigning multiple web sites (DNS names) to a single server is using multiple IP addresses.

True

T/F: Typically, an ADC is in line with the application server

True - SSL Acceleration requires the ADC fully proxy the web site. Otherwise SSL would not be implemented.

T/F: SSL Acceleration requires the ADC fully proxy the web site.

False - Virtual machines are poor at time keeping as their CPU clocks vary without their knowledge. This makes NTP a poor choice for them. Instead, use VMware Tools or its equivalent to automatically refer to the underlying hypervisor for time information.

T/F: Virtual machines should always use NTP because their time tends to drift.

True (there is no method of authenticating and authorizing a user)

T/F: A simple web server often does not support HTTPS

False (however, client should hit the ADC instead of the application server directly)

T/F: ADC and application controller cannot coexist in the DMZ

False - hardware, not software

T/F: ADC is often implemented in software to increase ADC capacity

True

T/F: Acceleration refers to offloading some of the server's functionality to the application delivery controller.

True (Traffic from an application must flow through the ADC)

T/F: An ADC needs to be logically in front of an application/service

True - Transparent proxying requires hijacking outbound traffic on destination port 80 and re-routing it to the proxy server, which must spoof the source address of the original web server when replying to the source browser.

T/F: Converting to a transparent outbound proxy server requires hijacking traffic and spoofing return source IP addresses.

False - Current versions of NTP use a 64 bit representation that is accurate to 0.233 nanoseconds.

T/F: Current versions of NTP use a 32 bit representation that is accurate to 0.233 nanoseconds.

False - While DNS flagging (alternating IP addresses from a pool via DNS) can help, it does not ensure that there is any effective load balancing. The caching nature of DNS is especially problematic in that one response can be used by hundreds of hosts while another response could be used by only a single host.

T/F: DNS flagging effectively balances load across multiple web servers.

True (a control session for the base of the HTML data that defines the web page and multiple other sessions for pictures, sound, video, etc. that are defined on the page)

T/F: HTTP establishes multiple TCP sessions

False (each site, not server)

T/F: HTTPS acquires and assigns certificates for each server

True (the security is established on an IP basis rather than a name basis)

T/F: HTTPS requires a separate IP address for each site

False - Ideally there should be at least two stratum 3 or better time servers within an organization.

T/F: Ideally there should be at least one stratum 4 or better time server within an organization.

True - A Windows PDC or PDC emulator also serves as the domain time server using SNTP (Pre Server 2003 SP1) or NTP (Server 2003 SP1 or newer).

T/F: In a Windows domain, clients receive time information from the Primary Domain Controller or PDC Emulator.

False - By default HTTPS only authenticates the server to the browser. The browser is not authenticated to the server.

T/F: In a basic HTTPS session, both the client and server are authenticated.

True - one between the client and the ADC and another between the ADC and the application server.

T/F: In full proxy load balancing there are two separate data flows.

True

T/F: It is best to block the actual application server at the firewall

True (Default is to sync to time.windows.com via SNTP)

T/F: Non-domains have no built-in synchronization

False (Multiple sites can exist on the same web server)

T/F: Only one type of the same site can exist on the same web server

True - SSL 3.0 has been re-badged TLS 1.0

T/F: SSL and TLS are the same technology.

True (The process depends on constant processor clock speeds, but is problematic if the processor is over/underclocked or when the clock slows to save power or under virtual machines)

T/F: System time is kept by a process running in the OS.

False - SNTP simply asks for the current time once. NTP consistently checks time and uses a drift file to ensure accurate time keeping.

T/F: The SNTP protocol consistently checks time and uses a drift file to ensure accurate time keeping.

data flows

The ADC balances incoming _____________ across the available application servers

static

The reverse proxy can cache __________ content so the actual web server only has to generate the dynamically generated content (multiple web servers can be placed in a second DMZ to further increase capacity)

· Normal/Standard - specified to the browsers · Transparent

Two approaches to outbound proxy server

Round robin and ratio

Two static techniques for load balancing

January 19, 2038

UNIX clock will overflow on this date

UNIX Epoch

UNIX keeps time based on seconds since the

UTC

UNIX system clock

Proxy

Web services for outgoing connections

ADC

When managing data flows through an application delivery controller the return traffic from the application server to the client must have a source address of the _____________________________.

Simple web server

any software that supports the HTTP protocol, often built into other applications as a management or control interface or added on top of existing workstations, does not support web-based applications

Cloud computing

application, services, and data are hosted in a virtual infrastructure that allows for scalability and reliability

Standard proxy server

browser asks the proxy to retrieve pages, browser itself must be configured to use proxy

Stratum 3 servers

get time from multiple stratum 2 servers, peer with other stratum 3 servers within an organization (LAN level connectivity), typically serve clients within an organization, can serve higher level time servers (up to 16 levels)

NTP pools

group of time servers available for public use, provided by the public, geographically organized, structure starts from 0 and counts up

Single dedicated server

highly available web servers running in a secure environment, support both HTTP and HTTPS, IIS and Apache, typically placed in a DMZ (second layer), usually support server-side scripting

Marzullo's algorithm

in NTP, takes into account transmission duration for time data

Real time clock

keeps time in BIOS, keeps time when computer is turned off, notoriously inaccurate

Stratum 0 time sources

machines which have locally accurate clocks, such as atomic clock or GPS receivers, serve as a reference for stratum 1 time servers

Persistence

problem with connection based load balancing, application state data are lost (cookies), the cookie is in the wrong place for the server

Stream processing

processing data streams (content) flowing through the ADC (delete, add, and replace content), typically uses regular expressions, an update can be made to all pages on a served site with one change

Transparent proxy server

proxy in which client is not aware of the proxy server, outbound traffic is "hijacked" at the gateway then routed to the proxy server (using redirect or port forward rule on the gateway), proxy then spoofs the address of the target server when replying to the client, all direct HTTP connections are blocked, requires no client configuration

Outbound proxy server

proxy server located in DMZ, isolates internet traffic from clients, only works with HTTP (not HTTPS)

Stratum 2 servers

reference at least 2 stratum 1 servers, peer to other stratum 2 servers, typically only service stratum 3 servers

SSL acceleration

requires the ADC fully proxy the website, connections from client to ADC uses HTTPS and connection from ADC to application server uses HTTP

Stratum 1 server

server typically used to service other time servers (not clients directly), as of NTPv3 will downgrade themselves if they tend to drift

Simple Network Time Protocol (SNTP)

single transaction, sets the time once, can be done repeatedly on a schedule, and time can be offered between syncs, the default for "Internet time" in Windows

Application delivery controllers

sits between clients and applications/services, sometimes referred to as application layer switches

Static content acceleration

static content (images, backgrounds, sounds) is kept on and served by the ADC (the HTTP get request is never sent to the app server)

DNS name HTTP site identification

which is preferred between IP based and DNS name HTTP site identification

