Security+ (SY0-701): Lesson 5: Secure Enterprise Part 1
This deck covers key concepts from Lesson 5 of the Security+ (SY0-701) course, focusing on secure enterprise network infrastructure and security strategies.
Key Terms
Term | Definition |
---|---|
Define ‘Network infrastructure’ | Appliances, and addressing/forwarding protocols that support basic connectivity. |
Define ‘Network applications’ | Services that run on the infrastructure to support business activities. |
Define ‘Data assets’ | Information that is created, stored, and transferred as a result of business activity. |
Define a ‘workflow’ | Series of tasks that a business needs to perform. |
Define an ‘Email mailbox server’ | Stores data assets and must only be accessed by authorized clients; Must be fully available and fault tolerant. |
Define a ‘Mail transfer server’ | Connects with untrusted Internet hosts to transfer mail; Any email leaving or entering the network must be subject to policy-based controls. |
Define an ‘on-premises network’ | A private network facility that is owned and operated by an organization for use by its employees only; Enterprise local area network (LAN) |
What network topology model describes a typical on-premises network? | Star topology. |
What is the security concern with a star topology? | “Flat” in terms of security; Any host can communicate freely with any other host in the same segment. |
Define ‘logical segmentation’ | Network topology enforced by switch, router, and firewall configuration |
Define ‘attack surface’ | All the points at which a threat actor could gain access to hosts and services. |
What is the attack surface of layer 1 and layer 2 of the OSI model? | Unauthorized connections to physical ports or wireless networks to communicate within the broadcast domain. |
What is the attack surface of layer 3 of the OSI model? | Unauthorized hosts obtaining an IP address and routing traffic to other subnets; the control is to authenticate all connections and filter traffic between segments at routers and firewalls. |
What is the attack surface of layer 4 and layer 7 of the OSI model? | Unauthorized connections to TCP/UDP ports to communicate with application layer protocols and services. |
Define ‘port security’ | Preventing a device attached to a switch port from communicating on the network unless it matches a policy. |
Define ‘MAC Filtering’ | Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it. |
What is a more secure type of port security compared to MAC filtering? | 802.1X Port-based Network Access Control (PNAC) |
What is required for Port-based Network Access Control (PNAC) to function? | The switch (authenticator) relays the connecting host's (supplicant's) credentials or digital certificate to an authentication server, typically a RADIUS server; the port only forwards traffic once the server approves the host. |
What two protocols allow 802.1X Port-based Network Access Control (PNAC) to function? | Extensible Authentication Protocol (EAP) between the host and the switch, and Remote Authentication Dial-In User Service (RADIUS) between the switch and the authentication server. |
Define ‘Extensible Authentication Protocol (EAP)’ | Framework for negotiating authentication methods that enable systems to use hardware-based identifiers or digital certificates. |
Define ‘Remote Authentication Dial-In User Service (RADIUS)’ | AAA protocol used to manage remote and wireless authentication infrastructures. |
Define ‘selection of effective controls’ | The process of choosing the type and placement of security controls to ensure the goals of the CIA triad and compliance with any framework requirements. |
What is the goal of ‘selection of effective controls’? | To enforce segmentation, apply access controls, and monitor traffic for policy violations. |
Define ‘Defense in depth’ | Security strategy that layers diverse security control categories and functions rather than relying on perimeter controls alone. |
What are the 3 types of controls in a defense in depth strategy? | Preventive, detective, and corrective controls. |
How is defense in depth achieved? | Security-critical zones are protected by diverse preventive, detective, and corrective controls at each level of the OSI model. |
What is a critical component of defense in depth? | Device placement. |
Define 'Device placement' | Positioning security controls to protect security zones and individual hosts to implement a defense in depth. |
Define a 'Preventive control' | Often placed at the perimeter of a network segment or zone; examples: firewalls, load balancers. |
Define a 'Detective control' | Placed within the perimeter; Monitors traffic within a network or subnet; Provides alerting of malicious traffic that has evaded perimeter controls. |
Define a 'Corrective control' | Installed on hosts as a layer of endpoint protection in addition to the network infrastructure controls. |
Define a 'passive security control' | Does not require any sort of client or agent configuration or host data transfer to operate; Analyzes intercepted network traffic instead of sending probes to a target. |
Define an 'active security control' | Requires hosts to be explicitly configured to use the control; Detective and preventive security controls that use an agent or network configuration to monitor hosts. |
Define an 'inline' device | Placement and configuration of a network security control so that it becomes part of the cable path. |
Define the function of a 'SPAN (switched port analyzer)/mirror port' | Copying ingress and/or egress communications from one or more switch ports to another port to monitor communications. |
Define the function of a 'Test access point (TAP)' | A hardware device with ports for incoming and outgoing network cabling inserted into a cable run to copy frames to a mirror port for analysis. |
What are the two states of failure a security device could enter? | Fail-open and fail-closed. |
Define a 'Fail-open' state of failure | A security control configuration that ensures continued access to resources in the event of failure; Prioritizes availability over confidentiality and integrity. |
What is the risk of entering a fail-open state of failure? | A threat actor could engineer a failure state to defeat the control. |
Define a 'Fail-closed' state of failure | A security control configuration that blocks access to a resource in the event of failure. |
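The cards on port security, MAC filtering and 802.1X above, and the fail-open / fail-closed cards here, describe the same decision from two angles: what a switch port checks before it forwards frames, and what it does when the check itself cannot complete. The following Python model is an added example, not part of the original deck or of any vendor's switch software. It is a deliberately simplified stand-in: the `AuthServer` class plays the role of a RADIUS server, the HMAC proof stands in for an EAP exchange, and the host names, MAC address and keys are constructed sample data. It shows that MAC filtering accepts a cloned address, that 802.1X does not, and that a "server dead" action of authorize (fail-open) lets an attacker who can make the authentication server unreachable get onto the network, while the fail-closed setting blocks the attacker and the legitimate user alike.

```python
"""Model of three switch-port admission controls: MAC filtering,
802.1X with a fail-closed policy, and 802.1X with a fail-open
"server dead" action. Constructed illustration only; it is not a real
802.1X, EAP or RADIUS implementation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Host:
    """A device plugged into the port. `mac` is whatever the NIC claims."""
    mac: str
    cert_id: Optional[str] = None   # identity from a client certificate (EAP-TLS style)
    key: Optional[bytes] = None     # secret bound to that certificate


class AuthServer:
    """Stand-in for a RADIUS server that validates an EAP credential proof."""

    def __init__(self, users: Dict[str, bytes]):
        self.users = users          # cert_id -> key (constructed sample directory)
        self.reachable = True       # flip to False to simulate a dead/unreachable server

    def access_request(self, cert_id: Optional[str], proof: bytes, challenge: bytes) -> bool:
        if not self.reachable:
            raise TimeoutError("authentication server unreachable")
        key = self.users.get(cert_id) if cert_id else None
        if key is None:
            return False                               # unknown identity -> Access-Reject
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)    # constant-time compare


class SwitchPort:
    """One access port. policy is "mac_filter" or "dot1x";
    server_dead_action is "block" (fail-closed) or "authorize" (fail-open)."""

    def __init__(self, policy: str, allowed_macs=(), server: Optional[AuthServer] = None,
                 server_dead_action: str = "block"):
        self.policy = policy
        self.allowed_macs = set(allowed_macs)
        self.server = server
        self.server_dead_action = server_dead_action
        self.authorized = False

    def link_up(self, host: Host, challenge: bytes = b"constructed-nonce") -> bool:
        """Run the admission check for a host that just connected; return port state."""
        self.authorized = False
        if self.policy == "mac_filter":
            # Only the claimed source MAC is checked; nothing proves who owns it.
            self.authorized = host.mac in self.allowed_macs
        elif self.policy == "dot1x":
            # Supplicant proves possession of its key; authenticator relays to the server.
            proof = hmac.new(host.key, challenge, hashlib.sha256).digest() if host.key else b""
            try:
                self.authorized = self.server.access_request(host.cert_id, proof, challenge)
            except TimeoutError:
                # The control itself failed: apply the configured failure state.
                self.authorized = self.server_dead_action == "authorize"
        return self.authorized


def run_demo() -> Dict[str, bool]:
    """Exercise each policy with a legitimate host and a MAC-cloning attacker."""
    legit = Host(mac="00:11:22:33:44:55", cert_id="laptop-017", key=b"constructed-key-017")
    spoofer = Host(mac="00:11:22:33:44:55")          # cloned the MAC, has no credential
    server = AuthServer({"laptop-017": b"constructed-key-017"})
    results = {}

    mac_port = SwitchPort("mac_filter", allowed_macs=[legit.mac])
    results["mac_filter_legit"] = mac_port.link_up(legit)
    results["mac_filter_spoofer"] = mac_port.link_up(spoofer)      # cloned MAC gets in

    closed = SwitchPort("dot1x", server=server, server_dead_action="block")
    results["dot1x_legit"] = closed.link_up(legit)
    results["dot1x_spoofer"] = closed.link_up(spoofer)             # no key, no access

    server.reachable = False                                       # attacker knocks RADIUS over
    results["fail_closed_legit_server_down"] = closed.link_up(legit)
    results["fail_closed_spoofer_server_down"] = closed.link_up(spoofer)

    opened = SwitchPort("dot1x", server=server, server_dead_action="authorize")
    results["fail_open_spoofer_server_down"] = opened.link_up(spoofer)
    return results


if __name__ == "__main__":
    for name, state in run_demo().items():
        print(f"{name:36s} authorized={state}")
```

The last line of the demo is the flashcard's risk in code: with the fail-open action the attacker never presents a credential, only a dead authentication server, and still ends up on the network. The fail-closed variant pays for its safety with availability, which is why the cards describe the choice as confidentiality and integrity versus availability rather than as one setting being always correct.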