Question: Where can I find Frequently Asked Questions?
Answer: ICCT certification FAQs are here: https://ibm.biz/ICCT-Cert-FAQs

Question: What if I have questions after the event?
Answer: Post questions and find Q&As on our IBM Community Discussion board: https://ibm.biz/ICCT-SecEngJam

Question: Hello Tami, good morning. I have a question. I am from a non-technical background and have zero knowledge about Cloud, but I intend to learn Cloud and shift my career from Finance to IT. How feasible is this?
Answer: Good day to you too. With commitment to learning, you should be able to meet your goal. I recommend that you take the IBM Cloud Advocate cert, and then the IBM Cloud Technical Advocate cert. That will help you understand Cloud. Then, you can move to an appropriate role-based or specialty Cloud curriculum/cert.

Question: Is this still the official training plan for the IBM Cloud Security Engineer (for IBMers)? https://yourlearning.ibm.com/activity/PLAN-F3A012801E4A
Answer: Yes, https://yourlearning.ibm.com/activity/PLAN-F3A012801E4A is the correct link.

Question: Regarding "all rules are evaluated, regardless of order": what would happen if there are conflicting rules defined? Does the rule evaluation not stop after finding a match?
Answer: With Security Groups, the rules are allowing traffic. By default everything is blocked, so a rule can only open up access; therefore you can't have conflicts.
You can have a situation where there are multiple security groups applied to a VSI too. Again, if one OPENS access to port 80 but the others don't, then the server will be reachable on port 80.

Question: Are VMware HCX and VMware NSX-T the same?
Answer: Hi, no, they are different VMware software components. HCX provides networking that spans between locations, say on premises to cloud, and allows you to seamlessly move workloads / VMs from one location to another. VMware NSX-T is the networking component that a VMware vSphere / vCenter implementation uses between its nodes and services.

Question: Could you please explain the order of the ACL allow / deny once again, and the Diffie-Hellman group?
Answer: Sure. ACL rules are evaluated in order, and once a rule applies, no more rules are 'read'. So, if you had two rules in this order, 1. ALLOW 10.10.0.0/24 and 2. DENY 10.10.0.10, and a request came from a machine with the IP address 10.10.0.10, access would be allowed because it's part of the 10.10.0.0/24 CIDR block range.
However, flip the rules to 1. DENY 10.10.0.10 and 2. ALLOW 10.10.0.0/24, and a request from that same IP would be denied, basically because in each case the first rule applies and the second rule is then ignored. So this shows why order is important.

Question: But access would be allowed to only that IP range, right? Why would it allow the one which we have asked to block?
Answer: So, yes, access is being allowed for the block 10.10.0.0/24, and of course 10.10.0.10 is part of that block. So, if the ACL has a rule that says ALLOW 10.10.0.0/24, it will allow any IP in that block access, even if the next rule says specifically DENY 10.10.0.10, basically because that rule won't be processed.
It's only if you have the DENY 10.10.0.10 first that the address will be blocked.

Question: Does stock image mean an image managed by IBM?
Answer: Yes, the terminology 'stock image' refers to predefined OS images offered by IBM Cloud.

Question: Hi James, can you throw some more light on the Private Service Endpoint, with an example maybe?
Answer: Sure! One way that IBM Cloud can expose its services is via Service Endpoints. These are secured using access keys. A Public endpoint is one that's available via the internet, and so is exposed to anyone that wants to access it, whereas a Private endpoint is exposed only on the IBM Cloud private network, so only your services can access it, and then only through the private network, with no need to go out to the internet. Examples where these can be used: services like IBM Cloud Databases or Object Storage.

Question: Hello James, is there a plan to have a session for Cloud Advocate? If yes, when? If it's already over, can you please share the recording links with me. Thanks :)
Answer: Here is a link to the recordings from a recent Cloud Advocate jam: https://w3.ibm.com/services/lighthouse/videos/series/2084
Here is a link to the study materials and recordings from the June jam: https://community.ibm.com/community/user/cloud/discussion/study-jam-discussion-for-ibm-cloud-advocate-2022#bm108e3a23-255b-44cd-8a02-a94dfb394d7b
Yep, we've already had one and recordings are available. Check this page: https://icct-study-jam.17f48735.public.multi-containers.ibm.com/#/lessons/m99zTb1vvhZN0CBBQ84VrDbFOzkdE3_0

Question: No charge between the regions in IBM Cloud?

Question: So, if the SG disables/denies access to port 80, but then for some weird reason the local IP table rule allows access to port 80, then access to the port will in effect be allowed? (Bad practice, I would say.)
Answer: In the scenario you describe, my guess is nope, the packet would never reach the OS since the Security Group blocked it already.

Comment: Wow! That's a big differentiator for us. Thanks.
Answer: I do this with IBM Cloud Object Storage, too. I tell my developers to configure their microservices to point at the IBM COS private endpoint rather than the public endpoint. It keeps traffic off the public internet (which is more secure), and it's free since the traffic stays on the IBM Cloud private network.

Question: How does the evaluation of communication from external into a VSI go? 1. Firewall -> 2. SG -> 3. ACL -> 4. IP Tables; is that the proper way?
Answer: I would say yes, that sounds like the flow a packet would take, but I would also comment that the front-end firewall in your scenario is likely overkill. If we are talking about a VPC, then I would argue that setting up a firewall in front of your VPC is overkill. (I don't personally do that in my env.)

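The three evaluation models discussed in this session (security groups: allow-only and order-independent; network ACLs: ordered, first match wins; the inbound path: a packet dropped at one stage never reaches the next, so a permissive host firewall cannot re-admit it) as an added example. This is not code from the study jam or from IBM, and it is not how the IBM Cloud data plane is implemented; it is a small simulator of the semantics described in the answers. Everything in it is constructed: the rule sets, the addresses, the assumption that an ACL with no matching rule denies, and the stage order, which follows the order given in the last question (SG, then ACL, then host firewall). Besides reproducing the 10.10.0.10 scenario, it adds a check for rules that an earlier rule shadows, which is the usual way the ordering mistake is caught before a rule set is deployed.

```python
"""
Added example (not from the study-jam transcript, not IBM code): a simulator
for the evaluation models discussed in the session.

  - Network ACL: ordered rules, the first match decides, later rules are ignored.
  - Security group: allow-only rules; a packet is admitted if ANY rule in ANY
    attached group matches, so order cannot matter and rules cannot conflict.
    With no matching rule the packet is dropped.
  - Inbound path: stages are applied in order and evaluation stops at the first
    drop, so a permissive host firewall cannot override a security-group drop.

All rule sets, addresses and the stage order below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


def acl_decision(rules, src_ip):
    """First-match evaluation of an ordered ACL.

    rules: list of (action, cidr) in evaluation order, action in {"ALLOW", "DENY"}.
    A source that matches no rule is denied (assumed default for this example).
    """
    addr = ip_address(src_ip)
    for action, cidr in rules:
        if addr in ip_network(cidr):
            return action
    return "DENY"


def shadowed_acl_rules(rules):
    """Indices of rules that can never fire because an earlier rule already
    covers every address they would match (a DENY listed after a broader ALLOW
    is exactly the mistake discussed above)."""
    nets = [ip_network(cidr) for _, cidr in rules]
    return [i for i, net in enumerate(nets)
            if any(net.subnet_of(nets[j]) for j in range(i))]


def sg_decision(groups, src_ip, dst_port):
    """Union of allow rules across every security group attached to the VSI.

    groups: list of security groups, each a list of (cidr, port) allow rules.
    """
    addr = ip_address(src_ip)
    for rules in groups:
        for cidr, port in rules:
            if addr in ip_network(cidr) and port == dst_port:
                return "ALLOW"
    return "DENY"


def inbound_path(stages, src_ip, dst_port):
    """Walk the stages in order; return (verdict, name of the stage that dropped)."""
    for name, allows in stages:
        if not allows(src_ip, dst_port):
            return ("DROP", name)
    return ("ACCEPT", None)


def make_stages(sg_groups, acl_rules, host_allowed_ports):
    """Stage order as listed in the last question: SG, then ACL, then host firewall.
    The short-circuit property holds whatever order the stages are placed in."""
    return [
        ("security_group", lambda ip, port: sg_decision(sg_groups, ip, port) == "ALLOW"),
        ("network_acl", lambda ip, port: acl_decision(acl_rules, ip) == "ALLOW"),
        ("host_firewall", lambda ip, port: port in host_allowed_ports),
    ]


# Constructed scenario from the discussion: one /24 allowed, one host inside it denied.
ALLOW_THEN_DENY = [("ALLOW", "10.10.0.0/24"), ("DENY", "10.10.0.10")]
DENY_THEN_ALLOW = [("DENY", "10.10.0.10"), ("ALLOW", "10.10.0.0/24")]

# Two constructed groups attached to the same VSI: one opens 80 to everyone,
# the other opens 22 to 10.0.0.0/8 only.
WEB_GROUP = [("0.0.0.0/0", 80)]
ADMIN_GROUP = [("10.0.0.0/8", 22)]


def demo():
    """Collect the outcomes in a dict so they can be inspected or asserted."""
    stages = make_stages([ADMIN_GROUP], [("ALLOW", "0.0.0.0/0")], {22, 80})
    return {
        "acl_allow_first": acl_decision(ALLOW_THEN_DENY, "10.10.0.10"),            # ALLOW
        "acl_deny_first": acl_decision(DENY_THEN_ALLOW, "10.10.0.10"),             # DENY
        "acl_shadowed": shadowed_acl_rules(ALLOW_THEN_DENY),                       # [1]
        "sg_any_order": sg_decision([ADMIN_GROUP, WEB_GROUP], "203.0.113.7", 80),  # ALLOW
        "sg_no_rule": sg_decision([WEB_GROUP, ADMIN_GROUP], "203.0.113.7", 22),    # DENY
        "host_cannot_override": inbound_path(stages, "10.10.0.10", 80),            # DROP at SG
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the six outcomes; the shadow check is the piece worth keeping around, because an ordered ACL that contains a shadowed DENY looks correct when read top to bottom yet never blocks anything.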