Effective CISSP Questions

Micro-segmentation is a security technique that isolates workloads using logical or virtual perimeters, provides granular security controls, and mediates east-west traffic to reduce the network attack surface. Which of the following is least related to micro-segmentation? (Wentz QOTD)
A. Software Defined Networks (SDN)
B. Software Defined Perimeter (SDP)
C. Virtual Local Area Network (VLAN)
D. Virtual eXtensible Local Area Network (VXLAN)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Virtual Local Area Network (VLAN).

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

VLAN Groups (Source: Cisco Press)

Generally speaking, segmentation divides a whole into smaller parts; micro-segmentation emphasizes dividing it into even smaller pieces, down to the individual workload. Traditional network segmentation carves a network into segments largely along physical lines, e.g., switch ports and subnets. A Virtual Local Area Network (VLAN) groups switch ports into a single Layer 2 broadcast domain and is the conventional segmentation mechanism. It is also the option least related to micro-segmentation: a VLAN is bound to one switching domain, its 12-bit ID allows at most 4094 usable segments, and membership follows the port or MAC address rather than the identity or posture of the workload, so two hosts in the same VLAN can talk freely east-west unless a separate firewall or ACL intervenes.
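To make that difference concrete, here is an added example (not code from the original post) that evaluates the same set of east-west flows under two models: a VLAN boundary that forwards anything between hosts in the same VLAN, and a workload-level allow-list keyed on role and destination port. The inventory, VLAN IDs, roles and ports are constructed for illustration.

```python
"""Coarse VLAN segmentation versus workload-level micro-segmentation.

Added example, not from the original post. A toy policy evaluator that
shows which east-west flows a VLAN boundary alone permits and which a
workload-level allow-list permits. Workload names, VLAN IDs, roles and
ports are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    vlan: int   # 802.1Q VLAN ID the workload's switch port is assigned to
    role: str   # label used by the micro-segmentation policy


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed inventory: web, app and db tiers share VLAN 10 ("servers"),
# and so does a jump box; a guest host sits in VLAN 20.
WORKLOADS = {w.name: w for w in [
    Workload("web-1", 10, "web"),
    Workload("app-1", 10, "app"),
    Workload("db-1", 10, "db"),
    Workload("jump-1", 10, "admin"),
    Workload("guest-1", 20, "guest"),
]}

# Micro-segmentation policy: (src role, dst role, dst port) triples that
# are allowed. Anything not listed is denied, whatever the VLAN membership.
MICROSEG_ALLOW = {
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("admin", "web", 22),
}


def vlan_allows(flow: Flow) -> bool:
    """VLAN-only segmentation: frames are switched if both endpoints sit in
    the same VLAN (no inter-VLAN routing or ACL is configured here)."""
    return WORKLOADS[flow.src].vlan == WORKLOADS[flow.dst].vlan


def microseg_allows(flow: Flow) -> bool:
    """Workload-level policy: the (role, role, port) triple must be
    explicitly allowed. VLAN membership plays no part in the decision."""
    src, dst = WORKLOADS[flow.src], WORKLOADS[flow.dst]
    return (src.role, dst.role, flow.dport) in MICROSEG_ALLOW


def evaluate(flows):
    """Return {flow: (vlan_decision, microseg_decision)} for each flow."""
    return {f: (vlan_allows(f), microseg_allows(f)) for f in flows}


def lateral_movement_gaps(flows):
    """Flows the VLAN boundary lets through but micro-segmentation blocks:
    the east-west attack surface that coarse segmentation leaves open."""
    return [f for f, (v, m) in evaluate(flows).items() if v and not m]


SAMPLE_FLOWS = [
    Flow("web-1", "app-1", 8080),   # legitimate tier-to-tier
    Flow("app-1", "db-1", 5432),    # legitimate tier-to-tier
    Flow("web-1", "db-1", 5432),    # web tier bypassing the app tier
    Flow("jump-1", "db-1", 5432),   # jump box straight to the database
    Flow("guest-1", "db-1", 5432),  # cross-VLAN: both models block it
]

if __name__ == "__main__":
    for f, (v, m) in evaluate(SAMPLE_FLOWS).items():
        vd = "allow" if v else "deny"
        md = "allow" if m else "deny"
        print(f"{f.src:>8} -> {f.dst:<8} :{f.dport:<5} vlan={vd:<6} microseg={md}")
    gaps = [(g.src, g.dst, g.dport) for g in lateral_movement_gaps(SAMPLE_FLOWS)]
    print("Open under VLAN-only segmentation:", gaps)
```

Running it lists two flows (web-1 to db-1 and jump-1 to db-1) that the shared VLAN forwards without complaint but the workload policy denies; the guest host is blocked by both, which is exactly the coarse, location-based isolation a VLAN provides.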

However, the boundary or perimeter of the network has blurred. Branches and subsidiaries, remote users and road warriors, hybrid and multi-cloud, and on-site and third-party consultants and vendors tie the hands of traditional segmentation mechanisms such as firewalls, security zones and VLANs. That is where Zero Trust comes in: it relies on a virtual or software-defined perimeter drawn around the data or resources themselves rather than around a network location.

Network Security Challenges

Virtual eXtensible Local Area Network (VXLAN)

Virtual Extensible LAN (VXLAN) is a network virtualization technology that attempts to address the scalability problems associated with large cloud computing deployments. The VXLAN specification was originally created by VMware, Arista Networks and Cisco. (Wikipedia)

It is a software-defined overlay network that encapsulates OSI Layer 2 Ethernet frames within Layer 4 UDP datagrams (MAC-in-UDP), using 4789 as the default IANA-assigned destination UDP port. Each overlay segment is identified by a 24-bit VXLAN Network Identifier (VNI), which lifts the 4094-segment ceiling imposed by the 12-bit 802.1Q VLAN ID and lets a segment span Layer 3 boundaries between hosts. Note that VXLAN itself provides no authentication or encryption of the encapsulated traffic; isolation between VNIs rests on the tunnel endpoints (VTEPs) and a trusted underlay, so the overlay is typically protected with IPsec or run only over a controlled network. One of the most common applications is the overlay network that connects Docker containers across hosts.
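The header layout is small enough to parse by hand. The following added example (not code from the original post) builds a VXLAN-encapsulated, 802.1Q-tagged Ethernet frame and decodes it again, exposing the 24-bit VNI next to the 12-bit VLAN ID and rejecting a header whose I flag is clear. The MAC addresses, VNI and inner payload bytes are constructed for illustration, not taken from a capture.

```python
"""Build and parse a VXLAN UDP payload (RFC 7348 header layout).

Added example, not code from the original post. The bytes below are
constructed by hand to show the 8-byte VXLAN header followed by an inner
802.1Q-tagged Ethernet frame; nothing here comes from a real capture.
"""
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned destination port
VXLAN_FLAG_I = 0x08          # "I" bit: VNI field is valid
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
MAX_VLAN_ID = 2**12 - 1      # 12-bit VID field (0 and 4095 are reserved)
MAX_VNI = 2**24 - 1          # 24-bit VNI field


def build_inner_frame(dst_mac: str, src_mac: str, vlan_id: int,
                      ethertype: int = ETHERTYPE_IPV4, payload: bytes = b"") -> bytes:
    """Build an 802.1Q-tagged Ethernet frame: dst(6) src(6) 0x8100 TCI(2) type(2)."""
    if not 0 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("VLAN ID is a 12-bit field")
    tci = vlan_id  # PCP = 0, DEI = 0, VID in the low 12 bits
    return (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ethertype)
            + payload)


def build_vxlan_payload(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate a frame: flags(1) reserved(3) VNI(3) reserved(1) + frame."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI is a 24-bit field")
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode the VXLAN header and the inner Ethernet header.

    Raises ValueError for a truncated header or a clear I flag (RFC 7348
    requires the I flag to be set for the VNI to be valid).
    """
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for VXLAN header plus Ethernet header")
    flags = udp_payload[0]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI invalid, drop the packet")
    vni = int.from_bytes(udp_payload[4:7], "big")
    inner = udp_payload[8:]
    dst_mac = inner[0:6].hex(":")
    src_mac = inner[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", inner[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(inner) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", inner[14:18])
        vlan_id = tci & 0x0FFF   # low 12 bits of the TCI
        offset = 18
    return {"vni": vni, "dst_mac": dst_mac, "src_mac": src_mac,
            "vlan_id": vlan_id, "ethertype": ethertype, "payload": inner[offset:]}


if __name__ == "__main__":
    # Constructed sample: VNI 5001 carrying a frame tagged with VLAN 10.
    frame = build_inner_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 10,
                              payload=b"\x45" + b"\x00" * 19)
    pkt = build_vxlan_payload(5001, frame)
    print(pkt.hex())
    print(parse_vxlan(pkt))
    print(f"VLAN ID space: {MAX_VLAN_ID}  VNI space: {MAX_VNI}")
```

The parser only reads the 8-byte header and the inner Ethernet header; there is no integrity check to perform, which is the practical meaning of the caveat above that VXLAN carries no authentication of its own.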

Docker overlay networking (Source: nigelpoulton)

Software Defined Networks (SDN)

Software-defined networking (SDN) technology is an approach to network management that enables dynamic, programmatically efficient network configuration in order to improve network performance and monitoring, making it more like cloud computing than traditional network management. SDN attempts to centralize network intelligence in one network component by disassociating the forwarding process of network packets (data plane) from the routing process (control plane). The control plane consists of one or more controllers, which are considered the brain of the SDN network where the whole intelligence is incorporated.

Source: Wikipedia

SDN Architecture

Software Defined Perimeter (SDP)

Software Defined Perimeter (SDP), also called a “Black Cloud”, is an approach to computer security which evolved from the work done at the Defense Information Systems Agency (DISA) under the Global Information Grid (GIG) Black Core Network initiative around 2007.

Software-defined perimeter (SDP) framework was developed by the Cloud Security Alliance (CSA) to control access to resources based on identity. Connectivity in a Software Defined Perimeter is based on a need-to-know model, in which device posture and identity are verified before access to application infrastructure is granted.

Software-defined perimeters address the blurred network boundary by giving application owners the ability to deploy perimeters that retain the traditional model’s value of invisibility and inaccessibility to outsiders, but can be deployed anywhere: on the internet, in the cloud, at a hosting center, on the private corporate network, or across some or all of these locations.

Source: Wikipedia

SDP Architecture



1 thought on “CISSP PRACTICE QUESTIONS – 20210815

  1. Pingback: Micro-segmentation (微分段) – Choson資安大小事
