229 Cards in this Set

What does IP Intelligence (IPI) provide for BIG-IP

A reputation database of IP addresses grouped into categories of malicious behavior. The BIG-IP can then act on packets whose source and/or destination address falls into a malicious category.

How is the IP Intelligence list maintained

By a third-party reputation feed in the cloud; the BIG-IP contacts it for updates every 5 minutes.

How does IP Intelligence integrate with ASM

It is treated like any other ASM entity: it can be set to alarm, block or learn, or be excluded.

What are four main attacks IP Intelligence blocks at the edge

Phishing


Anonymous attackers


Botnet


Scanners

How does IP Intelligence help with DoS mitigation

By allowing blocking against IPs which originate the attacks.

Is IP Intelligence only for ingress traffic

No, it can also check egress traffic, for example blocking an infected PC's call home to a botnet C&C node whose address is known to IPI.

Besides AFM and ASM what is another way to interact with IP Intelligence

iRules

What is the command to look up an IP in IP Intelligence

iprep_lookup 1.2.3.4

What are the three things needed for IP Intelligence to work

1. IPI license


2. DNS server configured


3. Internet Connection

What are the four DDoS categories

Volumetric


Asymmetric


Computational


Vulnerability-based

What are volumetric DDoS attacks

Flood attacks at layer 3, 4 or 7 that try to overwhelm the bandwidth.

How are volumetric DDoS attacks prevented

Cloud based scrubbing (Silverline) and WAF (ASM)

What are asymmetric DDoS attacks

Requests designed to trigger timeouts or expensive state changes on the server.

How are asymmetric DDoS attacks prevented

WAF like ASM at layer 7

What are computational DDoS attacks

Designed to consume CPU or memory. Also called resource attacks.

How are computational DDoS attacks prevented

Application Delivery Controller (LTM), Network Firewall (AFM)

What is a vulnerability-based DDoS attack

Attack that exploits software weaknesses

How are vulnerability-based DDoS attacks prevented

IP reputation (IPI), IDS/IPS (ASM), Application Delivery Controller (LTM)

What is Silverline

Cloud based scrubbing service for volumetric DDoS attacks

What is the difference between Silverline Always Available or Ready Defense modes

Always Available is the primary, always-on scrubbing service; Ready Defense is an as-needed secondary service that is switched on during an attack.

What are Silverline's two main return traffic modes

Routed configuration with BGP and GRE tunnels or IP reflection with Destination NAT.

What is FPS and which module provides it

FPS is Fraud Protection Service; it is provided by the WebSafe module.

What does WebSafe FPS do

It protects the client side of an HTTP transaction from user identity theft and automated malware attacks

How does WebSafe protect users from from fraud

By injecting hidden code into the responses from the BIG-IP to the client; the code monitors the page for alteration. Any alteration is reported to the BIG-IP, which alerts F5 and the customer's security team.

What data structure and protocol does WebSafe interact with

HTML and the Document Object Model (DOM)

What does WebSafe's Anti-Fraud Profile do

Controls security processing of the data that will be sent client-side and configuration of the alert pool for any potential alerts

How are WebSafe threats monitored

Via the Alert Dashboard on the Alert Server (not BIG-IP) or Alert cloud service.

Does WebSafe protect all HTTP traffic on a virtual server or specific URLs

Specific URLs outlined in the Anti-Fraud Profile

How is WebSafe similar to ASM when it comes to protecting a page

Both have to be told specific parameters to watch to guard them

Does WebSafe have a flat rating for transactions or use an aggregate of factors

It uses an aggregate of many factors to separate human users from fraudulent activity.

What is the difference between forward and reverse proxies

Forward proxies aggregate intranet clients' requests and send them to the Internet. Reverse proxies accept Internet traffic and send it to pool members.

What is the difference between a transparent and explicit forward proxy

An explicit forward proxy is configured in the client (typically the browser), while a transparent proxy sits in-line between the client and its destination, just beyond the gateway.

What makes SWG Secure rather than a normal forward proxy

Beyond providing forward proxy functionality, SWG provides access control based on URL categorization

Does SWG have Captive Portal ability in transparent mode

Yes

Does SWG have HTTP 407 credential capture in Explicit Mode

Yes

Can SWG perform any best effort credential observation in transparent mode

Yes

What is the main reason to use SWG

Filtering of outbound traffic based on URL categorization and malware inspection

Besides filtering on URLs, can SWG do anything with malicious content

Yes, SWG can scan packets and filter against malicious content

What is the F5 DC Agent and how does it assist SWG

This Windows application identifies users from their Windows domain logons and reports the user-to-IP mappings to SWG.

What is the IF MAP server and how does it interact with the F5 DC Agent and SWG

Residing on the BIG-IP, it holds the username-to-IP-address mappings (key/value pairs) that the DC Agent reports, so SWG can apply per-user policy.

How is the Forward Proxy component of SWG achieved

With an LTM forwarding virtual server (or servers)

What is URLF and how does SWG do it

URLF is URL Filtering; SWG does it by examining the traffic (request and response) and classifying the requested URL into a category that is then allowed or blocked.

What are two ways SWG helps with Malware

It filters outbound traffic against malicious URLs and inspects packets for malicious content

How does SWG help with Employee productivity and Internet usage

By classifying traffic into categories and then policing the categories SWG can enforce user Internet usage policies.

What are AFM's two deployment modes

ADC (Application Delivery Controller) the default and Firewall mode

What type of proxy is the AFM

A layer 4 stateful full proxy

What type of attack does AFM excel at preventing

DDoS in a variety of forms: TCP, UDP, DNS, HTTP and other floods, with attack characteristics defined (similar to ASM attack signatures).

Can AFM leverage all the advanced features of the BIG-IP and LTM platforms

Yes, like advanced routing, IPSec, NAT, SSL, AVR

At a high level what sort of blocking or control does AFM provide

Policy-based access control to and from address/port pairs inside and outside the network

What is the big difference between AFM's ADC and Firewall modes

ADC is default permit and Firewall is default deny for any traffic not matching a rule

What is the match order for AFM's rules from most broad to most specific

Global, Route Domain, Virtual Server, Self IP, default action

What is AFM context

The scope a policy applies to: Global, Route Domain, Virtual Server, Self IP or Mgmt. Each context (except Mgmt) that has a policy is evaluated for a packet, so a packet may go through many evaluations before it is finally accepted.

What is the difference between Global context and Global drop or reject

The Global drop or reject context is always applied last, whereas the ordinary Global context is evaluated first.

What is the difference between AFM's Accept and Accept Decisively

Accept means to stop processing further rules in the current context while Accept Decisively means to stop processing ALL further rules in ALL further contexts.

Can rules be created on AFM for ICMP at the virtual server or Self IP contexts

Yes, but they will be ignored. To process ICMP packets, the rules must be created at the Global or Route Domain context.

What is a Redundant Rule on the AFM

A rule that overlaps with another rule with the same action

What is a Conflicting Rule on the AFM

A rule that overlaps with another rule with a different action - this requires user intervention to correct.
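The context order, the difference between Accept and Accept Decisively, the late evaluation of the Global drop/reject context and the redundant/conflicting rule check from the cards above, as a small model in Python. This is an added illustration for the deck, not F5 code: the contexts, rule names, addresses and the simplified 5-tuple matching are all constructed for the example.

```python
"""Toy model of AFM-style rule evaluation across contexts plus the redundant /
conflicting rule check. Added illustration; not F5 code, and the contexts,
rules and addresses are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Ordinary contexts are evaluated most broad to most specific.
CONTEXT_ORDER = ["global", "route_domain", "virtual_server", "self_ip"]


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port, None = any
    action: str          # accept, accept_decisively, drop, reject

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.port is None or self.port == port))


def evaluate(policies, src, dst, port, default_action, global_final=()):
    """policies: {context: [Rule, ...]}.  default_action is 'accept' in ADC mode
    and 'drop' in Firewall mode.  global_final holds the 'Global drop/reject'
    rules, which are applied after every other context."""
    trace = []
    for ctx in CONTEXT_ORDER:
        for rule in policies.get(ctx, []):
            if not rule.matches(src, dst, port):
                continue
            trace.append((ctx, rule.name))
            if rule.action in ("drop", "reject"):
                return rule.action, trace          # final in any context
            if rule.action == "accept_decisively":
                return "accept", trace             # skip all remaining contexts
            break                                  # plain accept: go on to the next context
    for rule in global_final:
        if rule.matches(src, dst, port):
            trace.append(("global_drop_reject", rule.name))
            return rule.action, trace
    trace.append(("default", default_action))
    return default_action, trace


def overlaps(a: Rule, b: Rule) -> bool:
    nets = (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst)))
    ports = a.port is None or b.port is None or a.port == b.port
    return nets and ports


def classify_overlaps(rules: List[Rule]):
    """Redundant: overlapping rules with the same action.  Conflicting: overlapping
    rules with different actions (the operator has to resolve these)."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if overlaps(a, b):
                kind = "redundant" if a.action == b.action else "conflicting"
                found.append((kind, a.name, b.name))
    return found


# Constructed sample policy (RFC 5737 documentation addresses).
GLOBAL = [
    Rule("allow-mgmt-ssh", "10.0.0.0/8", "0.0.0.0/0", 22, "accept"),
    Rule("block-bogon", "192.0.2.0/24", "0.0.0.0/0", None, "drop"),
    Rule("allow-ssh-any", "0.0.0.0/0", "0.0.0.0/0", 22, "accept"),
]
POLICIES = {
    "global": GLOBAL,
    "virtual_server": [Rule("vs-web", "0.0.0.0/0", "203.0.113.10/32", 443, "accept_decisively")],
    "self_ip": [Rule("selfip-deny", "0.0.0.0/0", "203.0.113.1/32", None, "drop")],
}
GLOBAL_FINAL = [Rule("reject-telnet", "0.0.0.0/0", "0.0.0.0/0", 23, "reject")]

if __name__ == "__main__":
    print(evaluate(POLICIES, "198.51.100.7", "203.0.113.10", 443, "drop", GLOBAL_FINAL))
    print(evaluate(POLICIES, "10.1.2.3", "203.0.113.1", 22, "drop", GLOBAL_FINAL))
    print(evaluate(POLICIES, "198.51.100.7", "203.0.113.10", 23, "accept", GLOBAL_FINAL))
    print(classify_overlaps(GLOBAL))
```

The second evaluation is the one to notice: the plain `accept` at Global only ends that context, so the packet still reaches the Self IP context and is dropped there, while the `accept_decisively` on the virtual server in the first evaluation ends processing outright.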

What is the difference between AFM's DoS detection threshold PPS and detection threshold percent

The PPS threshold is an absolute packet rate at which a warning is triggered. The percent threshold is an increase over the past hour's average packet rate; when it is exceeded, AFM rate-limits that attack type to the last hour's average, dropping everything above it.

When does the AFM stop rate limiting against an attack

When the packet rate, checked every second, finally goes down to the last hour's average before the attack started

What is the AFM's default internal rate limit

For a specific attack type identified in the packet, the upper number of packets per second allowed. Any packets matching that attack type above the limit are dropped. Set to 0 to disable.

What are the two main security benefits of AFM

Network Firewall and anti-DDoS

What are the two main benefits of SWG

URL Filtering (URLF) and anti-Malware

Does AFM rate limit against simple volume of packets or with DDoS attack signatures

DDoS signatures, breaking monitoring and action into multiple categories for different types of attacks.

What is the BIG-IP processing order for AFM, APM, ASM, FLOW_INIT (iRule event), LTM and Packet Filter

Packet Filter


FLOW_INIT


AFM


LTM


APM


ASM

When does iRule FLOW_INIT occur and what is it used for

It is triggered once per flow, after the Packet Filter and before AFM, and is used for overriding ACLs or applying traffic policy (bandwidth, QoS etc.).

How does ASM interact with LTM in terms of traffic flow

Traffic first goes to LTM and then to ASM which then tells LTM to either proceed or provide a block page

What is Memcache and what is its vulnerability

It is a general-purpose in-memory cache used to keep things in RAM. The risk is that anything in the cache can be read or written by any entity with network access to it, since memcached has no authentication by default.

What protocol is ICAP similar to

It is a lightweight protocol similar to HTTP.

What is ICAP primarily used for

Extending transparent proxy servers; it is most commonly used for virus scanning and content filtering, for example sending traffic to a third-party ICAP server to be scanned before it is allowed to pass.

What is PCI DSS and what is its goal

Payment Card Industry Data Security Standard, developed by the credit card brands to ensure cardholder data is handled securely. It has 6 goals containing 12 requirements in total (the goals hold 2, 2, 2, 3, 2 and 1 requirements respectively).

What is FIPS and what is its goal

Federal Information Processing Standards, US standards for computing security and interoperability.

What is DAST and how does it function

Dynamic Application Security Testing: a suite of tools that is given a site or URL as input and performs a series of scans, probes and attacks against the running application to determine its vulnerabilities. ASM blocks most of this activity.

What is CIA (AIC) and its goal

Confidentiality, Integrity, Availability.


Confidentiality is the set of rules that limit access to information. Integrity means the information is trustworthy and unaltered. Availability is the guarantee that the information is accessible to authorized persons when needed.

What is an Asset in security terminology

People, property or information - the things that need to be protected by some form of security

What is a Threat in security terminology

Anything that can exploit a vulnerability and gain unwanted access to an asset. These are what is being protected against.

What is a Vulnerability in security terminology

A weakness or gap in security protection which can be exploited by a threat.

What is a Risk in security terminology

The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability.

What is OWASP's Top 10 List

The Open Web Application Security Project's ten most critical web application security flaws.

What are the OWASP Top 10 (2013 list)

Injection


Broken Authentication and Session Management


Cross Site Scripting (XSS)


Insecure Direct Object References


Security Misconfiguration


Sensitive Data Exposure


Missing Function Level Access Control


Cross Site Request Forgery (CSRF)


Using Components with Known Vulnerabilities


Unvalidated Redirects and Forwards

What is a security accessibility risk and how is it mitigated

Accessibility is about customers and the business being able to reach data; the risks are DoS and DDoS, and AFM and Silverline are good defenses. The four-tier model with all the modules provides defense in depth against that.

What is a security availability risk and how is it mitigated

Availability is about resources being up and active; the risk is resources going offline. The four-tier defense model with all the modules is a good defense against that.

What is a security confidentiality risk and how is it mitigated

Confidentiality is about ensuring data isn't disclosed to unauthorized parties; the risk is exactly such disclosure. LTM (for SSL/TLS or IPsec) and APM are good defenses.

What is a security privacy risk and how is it mitigated

Privacy is about ensuring communications are not intercepted; APM and LTM (encrypted transport) are good defenses for that.

What is an integrity security risk and how is it mitigated

Integrity is about ensuring information is accurate; the risk is threats altering it. The anti-malware modules FPS and ASM can help with that, as can iRules.

What are the LTM SSL modes

LTM can do SSL offload, bridge, pass-through and can have Client and Server SSL profiles and configuration of ciphers and options.

How does SSLDump work

Given the server's private key, and only when the connection used an RSA key exchange (not DHE/ECDHE, which provide forward secrecy), ssldump can recover the pre-master secret (PMS) and decrypt a packet capture.

What happens when Server does not allow any ciphersuite in ClientHello or does not allow SSL/TLS versions in ClientHello

The server refuses the handshake and sends a fatal alert to the client (handshake_failure when there is no common cipher suite, protocol_version when the version is unsupported), optionally logging it.

Name the common DNS record types

A/AAAA - FQDN to IPv4/IPv6 address


SOA - Start of Authority, info on the zone


CNAME - FQDN to FQDN (alias for a single name)


DNAME - delegates a whole subtree to another name (alias for a domain and everything under it)


MX - Mail exchanger


NS - Nameserver


PTR - reverse lookup (IPv4 under in-addr.arpa, IPv6 under ip6.arpa)


SRV - Service

How does DNSSec Work

It adds data origin authentication and integrity to DNS. Zone records are signed with the zone's private key: RRSIG records carry the signatures, DNSKEY records publish the public keys, and DS records in the parent zone form the chain of trust up to the root, so a validating resolver can verify the signatures.

What type of client software is required to use APM's Portal Access

None, because links are rewritten by APM, so any client with a browser can access internal resources via the APM virtual server.

What security features does APM Portal Access have over Network Access

With Portal Access the content is rewritten and can therefore be policed at layer 7; with Network Access the tunnel is encrypted end to end and all reachable resources are allowed unless an ACL restricts them.

Does APM provide any sort of access control to resources

Yes via ACL and also rewrite profile parameters.

What is Network Access

An SSL VPN tunnel from the client (with client software) to the BIG-IP. This consumes a CAL.

What is Portal Access

Like a restricted Network Access: it provides access to port 80/443 services. It is a clientless VPN, although it still requires some browser components. This consumes a CAL.

What is Web Application Access

APM+LTM where APM just does identity and access management. Doesn't require client software and doesn't consume a CAL.

Why does Portal Access need Patching

Since it is acting as a reverse proxy, it has to translate all references to internal IPs and objects into references to the external BIG-IP proxy, rewriting ("patching") them.

How are ACLs used with APM

ACLs help restrict access to APM-granted resources with more granularity. Note that they apply to clientside ingress traffic only.

What APM ACL type is used for network access resources

L4

What APM ACL type is used for portal access resources

L7

What does Portal Access do to URLs

It rewrites them before presenting the page to the client, which ensures the client sends any references back to APM and so provides reverse proxy protection for the server.

What are APM ACLs and ACEs

Each Access Control List (ACL) is made up of one or more Access Control Entries (ACEs) which Allow or Block clientside ingress traffic based on criteria, like a packet filter.

What is a SAML IdP

Identity Provider - Authenticates and authorizes user and creates security assertion

What is a SAML SP

Service Provider - Receives and validates an assertion from IdP and provides access to requested application

How does APM Federation with SAML work

One APM is configured as IdP and others are SPs. User authenticates with IdP then accesses the SPs without having to re-authenticate. You can even have a single APM federate from one Access Policy to another.

What is a WAF

Web Application Firewall: a firewall that protects at layer 7 (the application layer).

What is an Injection attack

An injection attack occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

What are Broken Authentication and Session Management attacks

Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

What is Cross-Site Scripting (XSS)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

What is an Insecure Direct Object Reference attack

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

How is Security Misconfiguration exploited

Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

How is Sensitive Data Exposure exploited

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials... Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

How is Missing Function Level Access Control exploited

Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers can forge requests in order to access functionality without proper authorization.

What is a Cross-Site Request Forgery (CSRF) attack

A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

How is one attacked by Using Components with Known Vulnerabilities

Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

How are Unvalidated Redirects and Forwards exploited

Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

Can a layer 3/4 firewall protect against a Slowloris attack

No. Slowloris uses legitimate layer 3/4 information: it opens many connections and sends partial HTTP headers very slowly to hold them open, which only a device parsing layer 7 (a WAF) can recognize as an attack.

Can a layer 3/4 firewall protect against an HTTP Flood attack

No because it uses legitimate layer 3/4 information and only a WAF can detect the traffic pattern at layer 7 as an attack.

What is positive security

AKA Whitelist


Defines what is allowed and everything else is rejected ("Default Deny")

What is negative security

AKA Blacklist


Defines what isn't allowed and everything else is accepted ("Default Accept")
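The positive/negative distinction above, applied to the Unvalidated Redirects and Forwards item from the OWASP cards: the same redirect target checked against a blocklist of bad hosts (default accept) and against an allowlist of permitted hosts (default deny). Added example, not from the deck or F5; the site, host lists and payloads are constructed, and the backslash check is this example's own precaution because browsers treat `/\` like `//` while Python's URL parser does not.

```python
"""Unvalidated redirects: a blocklist (negative security) next to an allowlist
(positive security) check on the redirect target. Added example; the site,
host lists and payloads are constructed."""
from urllib.parse import urljoin, urlsplit

SITE = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}   # positive: what is allowed
BLOCKED_HOSTS = {"evil.example.net"}                           # negative: what is known bad
SAFE_DEFAULT = "/"


def redirect_negative(target: str) -> str:
    """Default accept: anything not on the blocklist goes through."""
    host = urlsplit(target).hostname or ""
    return SAFE_DEFAULT if host in BLOCKED_HOSTS else target


def redirect_positive(target: str) -> str:
    """Default deny: resolve the target against the site, then require an
    https URL whose host is in the allowlist; anything else falls back."""
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return SAFE_DEFAULT          # browsers treat "/\" like "//"; never trust it
    resolved = urljoin(SITE, target)
    parts = urlsplit(resolved)
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS and "@" not in parts.netloc:
        return resolved
    return SAFE_DEFAULT


PAYLOADS = [
    "/dashboard",
    "https://accounts.example.com/login",
    "//evil.example.net/x",
    "https://app.example.com.evil.example.net/",
    "https://app.example.com@attacker.example.org/",
    "javascript:alert(1)",
    "/\\evil.example.net",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p:48} negative -> {redirect_negative(p):48} positive -> {redirect_positive(p)}")
```

The blocklist stops only the one host it knows about; the lookalike domain, the `user@host` trick and the `javascript:` scheme all pass it, while the allowlist sends every one of them to the safe default.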

What does ASM Data Guard do

It inspects egress (response) data and replaces patterns it deems sensitive (like credit card numbers) with asterisks. User-configured patterns can be added as well.
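What Data Guard-style masking looks like in code, as an added example (not F5's implementation): candidate card numbers are located by pattern, confirmed with the Luhn checksum so that order numbers and other 16-digit values are left alone, and replaced with asterisks; a constructed "user-configured" pattern (a US SSN shape) is masked unconditionally. The sample response body is made up.

```python
"""Data Guard-style masking of sensitive patterns in a response body.
Added example, not F5 code: candidate card numbers are located by regex and
confirmed with the Luhn check before being replaced with asterisks; a
user-defined pattern (here a US SSN shape) is masked unconditionally."""
import re

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Constructed "user-configured" patterns, masked without a checksum test.
CUSTOM_PATTERNS = [re.compile(r"\b\d{3}-\d{2}-\d{4}\b")]


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_digits(text: str) -> str:
    return re.sub(r"\d", "*", text)


def _mask_card(match: re.Match) -> str:
    text = match.group(0)
    digits = re.sub(r"[ -]", "", text)
    # Keep separators so the page layout survives; leave non-Luhn numbers alone
    # (order IDs, tracking numbers) to limit false positives.
    return _mask_digits(text) if luhn_ok(digits) else text


def data_guard(body: str) -> str:
    body = CARD_CANDIDATE.sub(_mask_card, body)
    for pattern in CUSTOM_PATTERNS:
        body = pattern.sub(lambda m: _mask_digits(m.group(0)), body)
    return body


# Constructed response fragment: one order number (not Luhn-valid), one test
# card number (Luhn-valid) and one SSN-shaped value.
SAMPLE = ("Order 1234567890123456 paid with card 4111 1111 1111 1111 "
          "(exp 12/27); SSN 078-05-1120 on file.")

if __name__ == "__main__":
    print(data_guard(SAMPLE))
```

The Luhn check is the practical detail: a bare 13-19 digit pattern would also mask the order number, which is the kind of false positive that gets Data Guard switched off in production.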

What are the two types of ASM DoS protection

TPS-based and Stress-based (aka Latency-based) protection. Requests that match the attack conditions can be limited, similar to AFM's DDoS protection.

How does ASM TPS-based anomaly protection work

It looks at the transaction rate during the detection interval: requests per second to a URL or from a specific IP. The detection interval is 60 seconds and there is also a history interval of 1 hour. You configure a threshold %, and if the ratio of the interval rate to the history rate exceeds that %, protection is triggered.

How does ASM Stress-based anomaly protection work

Average latency is measured for each virtual server's DoS profile, and if the latency increases by more than the configured threshold %, protection is triggered.
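The three detection mechanisms from the cards (ASM TPS-based, ASM stress-based, and the AFM PPS threshold / percent-over-hour-average rate limit described earlier) as runnable logic over constructed sample rates. This is an added example, not F5 code: the intervals and thresholds follow the cards, the rates and latencies are made up, and training the baseline only from non-anomalous intervals is this example's own choice, not something the cards state.

```python
"""Rate and latency anomaly detection in the style of the ASM TPS-based and
stress-based DoS profiles and the AFM PPS/percent thresholds. Added example,
not F5 code; intervals and thresholds follow the cards above, the sample
rates are constructed, and learning the baseline only from non-anomalous
intervals is this example's own choice."""
from collections import defaultdict, deque


class TpsDetector:
    """TPS-based: rate in the 60 s detection interval compared with the
    average over the 1 h history interval (60 samples), per URL or source IP."""

    def __init__(self, threshold_pct: float, history_len: int = 60):
        self.threshold_pct = threshold_pct
        self.history = defaultdict(lambda: deque(maxlen=history_len))

    def check(self, key: str, interval_rate: float) -> bool:
        hist = self.history[key]
        anomalous = False
        if hist:
            avg = sum(hist) / len(hist)
            anomalous = avg > 0 and interval_rate / avg * 100 > self.threshold_pct
        if not anomalous:
            hist.append(interval_rate)   # assumption: attack intervals do not train the baseline
        return anomalous


def stress_anomaly(baseline_latency_ms: float, latency_ms: float, threshold_pct: float) -> bool:
    """Stress-based: trigger when serverside latency grows by more than threshold_pct."""
    return (latency_ms - baseline_latency_ms) / baseline_latency_ms * 100 > threshold_pct


class PpsLimiter:
    """AFM-style per-attack-type limiter: warn at the PPS threshold; when the
    rate exceeds the last hour's average by threshold_pct, forward no more than
    that pre-attack average (checked every second) until the rate falls back."""

    def __init__(self, detection_pps: int, threshold_pct: float):
        self.detection_pps = detection_pps
        self.threshold_pct = threshold_pct
        self.limit = None            # the hour average captured when mitigation began

    def observe(self, pps: int, hour_avg: float):
        events = []
        if pps >= self.detection_pps:
            events.append("warn")
        if self.limit is None and pps > hour_avg * (1 + self.threshold_pct / 100):
            self.limit = hour_avg     # keep the pre-attack average, not the inflating live one
            events.append("mitigate")
        elif self.limit is not None and pps <= self.limit:
            self.limit = None
            events.append("clear")
        forwarded = pps if self.limit is None else min(pps, self.limit)
        return forwarded, events


if __name__ == "__main__":
    tps = TpsDetector(threshold_pct=500)
    for _ in range(10):
        tps.check("/login", 20)                 # ten quiet minutes at 20 req/s
    print("login burst anomalous:", tps.check("/login", 150))
    print("latency stress:", stress_anomaly(80, 200, 100))
    lim = PpsLimiter(detection_pps=5000, threshold_pct=200)
    for pps, avg in [(1000, 1000), (6000, 1000), (8000, 1500), (900, 1500)]:
        print(pps, lim.observe(pps, avg))
```

Note why the limiter stores the hour average at the moment mitigation starts: once the attack is under way the rolling average rises with it (the third sample passes 1500), and limiting to the live average would let more and more of the flood through.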

What are the three ASM DoS Protections that can be triggered

JavaScript (Client-Side Integrity Defense) - the BIG-IP sends a JavaScript challenge; a client that executes it is slowed down, and a client that cannot (a simple bot) is not served.


CAPTCHA - CAPTCHA is issued


Request Blocking - Blocks requests when protection is active

What does the ASM XML profile provide for security

Helps prevent illegal usage of XML parameters by client by enforcing limits defined by the application.

How does ASM help with detecting and preventing Web Scraping

Bot detection


Session Opening - number of sessions opened per IP; Session Anomaly - too much traffic within a session


Fingerprinting - client browser/OS information


Suspicious Clients - additional client details

What does ASM require configured for Web Scraping to be enabled

DNS


Clients need JavaScript and cookies enabled


Response caching should be disabled (so it can't be scraped)


Search Engine exclusion to avoid it being a false positive

How do ASM and APM allow User and Session tracking

ASM can track via login pages and APM via usernames for sessions. Various alerts, limits and thresholds can be configured on them with a variety of variables like IP, number of sessions etc.

What is the difference between a resource-based and volumetric attack

Volumetric attacks are a large amount of traffic trying to fill up the bandwidth pipe, while resource-based attacks perform actions designed to consume lots of resources on the server. ASM and Silverline are good for volumetric while AFM and LTM are good for resource-based.

What is a critical vulnerability

A vulnerability exploitable without authentication that results in code execution.

What is a Severe vulnerability

A vulnerability exploitable without authentication, or one with serious service implications such as DoS.

What is a High vulnerability

May affect only authenticated users, or could escalate an attacker's privileges.

What are Low and Medium vulnerabilities

Information leaks, or vulnerabilities with mitigating circumstances.

What is the difference between LTM Routed Mode, One-Armed Mode, Bridged Mode and Reverse Proxy

Routed - Forwarding VS routes traffic to destination


One-armed - VS and Nodes in same network with SNAT


Bridged - VLAN Group on multiple VLANs one Self IP


Reverse Proxy - Nodes have BIG-IP as default GW

What is PEM

Policy Enforcement Manager, for service-provider (cellular) networks. It polices subscribers and can snoop RADIUS or use IP addresses to track them.

What is CGNAT

Carrier-Grade NAT, allowing persistent NAT and IPv4 to IPv6 and many other options.

What are the four tiers of security per F5

Cloud


Network


Application


DNS (next to Application, behind Network as well)

What is the TCP Connection Table Size for the 5 platform types

Chassis/Viprion: 12-144 million


High-End: 24-36 million


Mid-Range: 24 million


Low-Range: 6 million


Virtual Edition: 3 million

What is the SSL Connection Table Size for the 5 platforms

Viprion: 1-32 million


High-End: 2.5-7 million


Mid-Range: 4 million


Low-Range: 0.7-2.4 million


Virtual Edition: 0.7 million

What modules are in On-Premise Network Defense

AFM+LTM for Layer 3-4 with DNS behind it

What modules are in On-Premise Application Defense

ASM+LTM for Layer 7 and SSL termination

What is the throughput for Viprion, High-End, Mid-Range and Low-End

Viprion: 120 Gbps


High-End: 80 Gbps


Mid-Range: 40 Gbps


Low-End: 30 Gbps

What is the platform for an all-in-one a SMB should use for their on-premise defense

A Mid- to High-End pair with licenses for all modules

What is the platform an Enterprise should use for their on-premise application and DNS defense

Mid-Range Pairs with ASM/LTM for application and GTM for DNS

What is the platform an Enterprise should use for their on-premise network defense

High-End Pair with AFM/LTM

What is the platform an FSI (Financial) should use for their on-premise network defense

Viprion pair with AFM/LTM

What is the platform an FSI (Financial) should use for their on-premise application and DNS defense

Mid-Range Pairs with ASM/LTM for application and GTM for DNS

What are two common types of application (L7) DoS attacks the ASM can block

HTTP GET floods and page floods.


An HTTP GET flood requests every resource on a page (images, scripts, etc.), while a page flood requests specific URLs over and over.

Does ASM determine traffic is a DoS attack using transaction rate (TPS) for clientside or serverside

Clientside

Does ASM use stress (latency) to determine if traffic is DoS for clientside or serverside

Serverside since it can see the complete serverside conversation

What are the two requirements for PCI DSS goal "Build and Maintain a Secure Network"

1. Install and maintain a firewall for cardholder data


2. Do not use default passwords on devices

What are the two requirements for PCI DSS goal "Protect Cardholder Data"

1. Protect stored cardholder data


2. Encrypt transmission of cardholder data

What are the two requirements for PCI DSS goal "Maintain a Vulnerability Management Program"

1. Use and update anti-virus software


2. Develop and maintain secure systems

What are the three requirements for PCI DSS goal "Implement Strong Access Control System"

1. Restrict access to cardholder data


2. Assign a unique ID to each person


3. Restrict physical access to cardholder data

What are the two requirements for PCI DSS goal "Regularly Monitor and Test Networks"

1. Track and monitor all access to cardholder data and resources


2. Regularly test security systems/processes

What is the requirement for PCI DSS goal "Maintain an Information Security Policy"

1. Maintain a policy that addresses security for all personnel

What are the three items needed to make Google CAPTCHA work

1. DNS server to resolve FQDN


2. Public and private keys from Google


3. Input parameters for the two words

What are three common ways nmap can be used to scan one or more hosts

1. -sO: IP protocol scan (which IP protocols a host answers)


2. -sP: ping scan for host discovery (called -sn in current nmap)


3. -sV: service version detection

What does the iRule "after" command do

It pauses the iRule for X milliseconds (1000 ms = 1 second) before continuing execution, or schedules a script to run after that delay.

What is contained in /var/log/secure and /var/log/audit and how do they relate to security

/var/log/secure records login attempts, so it reveals remote logins and failed logins (e.g. brute force); /var/log/audit records successful logins and the actions taken once logged in (e.g. what a successfully authenticated attacker did).
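The brute force pattern the card describes, detected over constructed /var/log/secure-style sshd lines: a source that fails authentication repeatedly inside a short window is flagged, and the report notes whether the same source later logged in successfully (which is the case to chase in /var/log/audit). Added example; the log lines, hostname `bigip1` and addresses are made up, and the threshold and window are arbitrary choices.

```python
"""Detection logic over constructed /var/log/secure-style sshd lines: flag a
source that fails authentication repeatedly in a short window, and note
whether it later logged in successfully. Added example; the log lines,
hostname and addresses are made up for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

SAMPLE_LOG = """\
Mar  3 10:01:12 bigip1 sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 10:01:15 bigip1 sshd[2202]: Failed password for root from 198.51.100.23 port 51023 ssh2
Mar  3 10:01:18 bigip1 sshd[2203]: Failed password for admin from 198.51.100.23 port 51024 ssh2
Mar  3 10:01:21 bigip1 sshd[2204]: Failed password for invalid user oracle from 198.51.100.23 port 51025 ssh2
Mar  3 10:01:24 bigip1 sshd[2205]: Failed password for admin from 198.51.100.23 port 51026 ssh2
Mar  3 10:02:40 bigip1 sshd[2210]: Accepted password for admin from 198.51.100.23 port 51031 ssh2
Mar  3 10:03:01 bigip1 sshd[2215]: Failed password for invalid user test from 203.0.113.9 port 40001 ssh2
Mar  3 10:05:00 bigip1 sshd[2220]: Accepted publickey for admin from 10.0.0.5 port 33000 ssh2
""".splitlines()


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:   # syslog timestamps carry no year; fine for ordering within one file
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {...}} for sources with >= threshold failures inside `window`."""
    failures, successes, users = defaultdict(list), defaultdict(list), defaultdict(set)
    for ts, result, user, ip in parse(lines):
        (failures if result == "Failed" else successes)[ip].append(ts)
        if result == "Failed":
            users[ip].add(user)
    report = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):      # sliding window of `threshold` failures
            last = times[i + threshold - 1]
            if last - times[i] <= window:
                report[ip] = {
                    "failures": len(times),
                    "users_tried": sorted(users[ip]),
                    "success_after": any(t > last for t in successes.get(ip, [])),
                }
                break
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)
```

The single failure from 203.0.113.9 is below the threshold and stays out of the report; the five failures from 198.51.100.23 followed by an accepted password for `admin` are exactly the case the card's "successfully authenticated attacker" refers to.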

What does SSL Proxy do and how is it configured

It lets the client authenticate directly to the server through the BIG-IP and must be enabled on both the Client and Server SSL profiles. Note that since the communication stays encrypted end to end, the BIG-IP behaves like SSL pass-through in terms of what it can do with the traffic.

What does SSL Proxy Passthrough do to SSL Proxy functionality

Allows the TLS negotiation to proceed even if the client and server agree on a cipher suite not allowed by the Client or Server SSL profiles. Must be enabled on both profiles.

What are the nine GTM static load balancing methods

Drop packet - GTM drops packet


Fallback IP - GTM returns the IP


Global Availability - Sent to first available pool


None - skip that method


Ratio - Round Robin in pool based on the configured ratio


Return to DNS - Send to BIND


Round Robin


Static Persist - Mask-base persistence


Topology

What are the ten GTM dynamic load balancing methods

Completion Rate - VS with lowest failures


CPU - VS with lowest CPU usage


Hops - VS with lowest hops from client


Kbs - VS with lowest Kbs in responses


Least Connections - VS with least connections


Packet Rate - VS with least packet rate


Quality of Service - lowest performance metrics


Round Trip Time - from VS to client


Virtual Server Score - VS based on configured ranking


Virtual Server Capacity - Sent to pool with most free VS in it

What are the two important DNSSEC flags (two letters each)

do - DNSSEC OK: set in the query's EDNS OPT record to tell the server the client accepts DNSSEC records in the response


ad - Authenticated Data: set in the response header when the resolver validated the data

What is the difference between choosing usability over risk, over a threat or over a vulnerability

Usability over risk means proceeding while knowing that a threat may use a vulnerability to access an asset. Usability over threat means knowing a threat IS present and could use a vulnerability to access an asset. Usability over vulnerability means knowing a vulnerability IS present.

What does port translation do

Translates the destination port on serverside packet from BIG-IP to pool member to the pool member's port

What does address translation do

Translates the destination address on serverside packet from BIG-IP to pool member to the pool member's IP

What is contained in the ntp reach value

The result of the last 8 poll attempts, kept as a bit shift register and displayed as a three-digit octal number (377 means all eight succeeded).

What are in the /var/log boot, daemon and cron logs

boot - messages logged after boot


cron - messages logged when starting cronjobs


daemon - messages from various daemons

What are in the /var/log dmesg and pktfilter logs

dmesg - hardware devices detected at boot


pktfilter - messages from the packet filter or APM ACLs

What are in the /var/log/messages, user and webui logs

messages - linux system events


user - user level logged events


webui - Configuration Utility messages

How is BIG-IP configured to work with ICAP and what is the traffic flow

1. The first (external) VS has a Request Adapt profile on it


2. A second, internal VS is created with an ICAP profile to talk to the ICAP server


3. Client -> 1st VS -> 2nd VS -> ICAP server -> 2nd VS -> 1st VS -> pool members

What is dig used for

DNS requests including DNSSEC

What is nmap used for

Scanning network devices including subnets of devices

What is HTTPWatch used for

Capturing HTTP data from client to server from the client before it is encrypted and after it is decrypted like Fiddler

What is Cain and Able used for

Cain & Abel: network password sniffing and Microsoft password recovery; the volume of spoofed packets it generates can amount to a DoS attack.

What is THC Hydra used for

An online login cracker, the counterpart of John the Ripper (which works offline). It performs brute-force guessing against live services, so it generates a brute force attack.

What is John the Ripper used for

An offline password cracker, the counterpart of THC Hydra (which works online). Its cracking attempts are also a brute force attack, against captured hashes rather than a live service.

What is OWASP ZAP/Zed Attack Proxy

DAST/Web Application Security Scanner that does scanning and vulnerability testing like Burp Suite. Also able to proxy and manipulate proxied traffic.

What is Burp Suite used for

Java-based DAST/Web Application Security Scanner like Zed Attack Proxy

What is Fiddler used for

Captures HTTP/HTTPS traffic to review like HTTPWatch

What is w3af used for

Web application security scanner

What is HTTrack used for

Web crawler/web scraper

What argument do you add to dig to enable DNSSEC

+dnssec, which sets the DO flag in the query

What kind of system does ISO 27001 describe

An ISMS - Information Security Management System

What is a WSDL and what is it used with

Web Services Description Language (more precisely, a definition file written in it) provides an XML grammar for describing a web service's details. It specifies the XML parameters.

What are the two modes an AFM firewall policy can be in

Enforcement: actually processes traffic


Staging: only logs traffic


This is very much like ASM's Enforcing and Transparent modes

On the AFM does Global -> Route Domain -> Virtual Server precedence apply to Firewall policies and IP Intelligence policies

Yes; anything at Global is evaluated first, then anything at Route Domain, then anything at Virtual Server.

Can IP Intelligence Policies be applied to Self IPs

No, just Global, Route Domain and Virtual Server

What is the processing order for an AFM context which has the following: Firewall Policy, IPI Policy, DDoS Profile

IPI Policy (accept or drop)


DDoS Profile (accept or drop)


Firewall Policy (accept, drop or accept-decisively)

What does the default APM ACL deny page look like

You do not have permission to access this page. Access was denied by an access control list.

Click here to return to previous page


The session reference number: 1d15fa1c

What are two common Internet usages controlled by SWG's web application control

Social Networking and Internet communication

What are SWG URL categories, filters and schemes

Filters match URLs and are grouped into categories. Schemes are made up of filters that work together to define the allowed traffic.

How do SWG URL filters work

The request and response are examined and allowed or blocked

Can SWG police instant communications over protocols besides HTTP and HTTPS

No

Does SWG use APM session cookies

No it ignores them

What is required for SWG to police by IP

Each IP has to be unique and trusted

What does SWG need to inspect SSL traffic

It needs to bridge the traffic so it can decrypt, inspect and encrypt.

What are the two actions ASM can take on IP addresses meeting one of the IP Intelligence categories

Alarm and/or Block

Why are SWG URL category updates important and what danger occurs after updating

Without updates the categories go out of date. After a download the database is indexed, which causes high CPU usage.

What is a way a trojan could modify HTML to gather a client's information

By injecting a script which changes the HTML the client receives to have additional fields like social security number which the original form never had.

What profile is needed in addition to the Anti-Fraud profile for WebSafe FPS to work

HTTP Profile - otherwise FPS cannot parse the data it is examining and altering

Is the FPS Alerts server a service on the BIG-IP or a standalone virtual server

Standalone server

What are 5 items configured in the WebSafe FPS Anti-Fraud Profile

Alert Identifier - matches ID in Alert Dashboard


Alerts Pool - Servers to receive alerts


Log Publisher - Sends alerts to Alert Dashboard


Login Page(s) - Pages to protect


Parameters - Parameters like username to protect on Login pages

Does WebSafe FPS have cloud-based and on-premise options for its Alerts Dashboard

Yes

What option is needed in the WebSafe FPS's HTTP profile to ensure the client IP address is accurately presented to the Alerts Dashboard

Insert X-Forwarded-For is needed to store the client IP address so it can be presented to the Alerts Dashboard

What are the four sections of WebSafe FPS detection and protection

Phishing detection


Malware detection


Application layer encryption


Automated transaction protection

What is the BIG-IP Bridge mode deployment, what is its advantage and what is the big configuration component that sets it apart from other modes

Bridge mode sits transparently in-line between WAN and LAN.


It doesn't require router/network reconfiguration


It has both VLANs in a VLAN group with a single Self IP on the group and only intercepts traffic matching its virtual servers, forwarding the rest.

What is BIG-IP Reverse Proxy mode deployment, what is its advantage and what is the big configuration component that sets it apart from other modes

Reverse Proxy mode has pool members behind the BIG-IP.


It hides pool members behind the Virtual Server of the BIG-IP.


It requires pool member default gateway to point to BIG-IP and may or may not use SNAT.

What is BIG-IP One-Arm mode deployment, what is its advantage and what is the big configuration component that sets it apart from other modes

One-Arm mode has serverside and clientside in the same network.


It can be inserted into an existing network without reconfiguration.


It requires SNAT on serverside to force the pool members to respond to BIG-IP rather than directly to client.

What is BIG-IP Routed mode deployment, what is its advantage and what is the big configuration component that sets it apart from other modes

Routed mode uses Forwarding Virtual Servers to match traffic and route it using routing table to destinations.


It can be used to route traffic like a router.


It requires forwarding virtual servers and doesn't typically have pools and may use SNAT.

Why would an APM configuration want to use persistent APM cookies in a situation where persistence beyond the session is not important

Persistent cookies are written to disk and can be used by multiple applications, for example a session started by Word could generate a cookie then used by Excel. This is most commonly used with Microsoft products.

What does the HttpOnly flag restrict about the way a cookie can be used

When a cookie has the HttpOnly flag it is only sent with HTTP requests and cannot be accessed by other means such as JavaScript. This makes it harder to steal.

What does the secure flag restrict about the way a cookie can be used

The secure flag restricts the cookie to being sent only over HTTPS, so it is never transmitted in the clear.

For a DNS GSLB object, what is the address and translation address and when are they used

They are used when there is NAT between the querying big3d and the destination. The address is the external IP and the translation address is the internal IP. Packets are sent to the external address, with the understanding that the destination device knows itself by the internal address.

What are gtm_add, bigip_add and big3d_install

gtm_add - overwrite local GTM's config with Sync Group's config + device certs


bigip_add - exchange device certs between two BIG-IPs


big3d_install - update big3d version on remote BIG-IP

Are ASM Support IDs generated for matches unique per request or shared among several

They are unique

What is session tracking used for in the ASM

It allows actions to be enforced against the session once it has reached a threshold; for example, 5 requests flagged as attacks in 30 seconds results in all further requests being blocked for 60 seconds. It can also be manually overridden from the Requests screen.

What are three types of attacks blocked by Cloud defense

All are layer 3/4


Volumetric floods (layer 3/4)


Amplification


Protocol


Note that ASM covers volumetric floods at layer 7

What are five types of attacks blocked by Network tier defense

All are layer 3/4


SYN flood


ICMP flood


TCP flood


Malformed packet


Known bad actor

What are five types of attacks blocked by the Application tier defense

All are layer 7


Slowloris


Slow POST


Apache Killer


RUDY/Keep Dead


SSL attacks

What are four attacks blocked by the DNS tier defense

UDP floods


DNS floods


NXDOMAIN floods


DNSSEC attacks

What is ASM's Client Side Integrity Defense

JavaScript challenges sent to the client browser when a suspected TPS-based DoS attack is occurring (has to be configured). If the client executes the JavaScript in response, it takes about 2 seconds to complete. A human-piloted browser is unaffected but an automated attacker is disrupted.

How do ASM and APM interact with session and policy tracking

ASM can define a login page and track user sessions (with session awareness enabled) or retrieve the user names from APM.

How does ASM Session Tracking work

ASM inserts a cookie starting with "ts" called the main ASM cookie. It is used to track requests and groups them in a session. Actions can then be performed against the session's requests as a whole.

What is an OTP and when is it used

OTP means One Time Passcode, used for a single session or transaction such as signing on to a VPN. It typically needs a delivery medium like email, a phone call or an SMS/text.

What are three things ASM generates and uses cookies for?

Tracking requests as a common session


Detecting cookie tampering


Detecting flow tampering

When the AFM evaluates an ingress packet, does it look in the Connection table for an existing flow before or after evaluating against policies in contexts

The AFM first performs a lookup against the Connection table and then only passes the packet to Global context and below if there was no match.