Answer these questions before studying the material. Do not worry about getting them wrong -- the goal is to measure what you already know.
1. Your Cohesity cluster only serves VMware backup workloads. A security auditor asks why NFS is still reachable. What is the most appropriate remediation?
A) Add NFS traffic to the IP allowlist so only trusted hosts can connect
B) Disable NFS in the cluster firewall profile for user-facing interface groups
C) Upgrade NFS to NFSv4 to fix the security concern
D) Move NFS traffic to a separate VLAN to satisfy the auditor
2. A View called "HR-Records" should only be accessible from 10.5.0.0/24. The global allowlist permits 10.0.0.0/8. What must you configure to restrict access correctly?
A) Remove 10.0.0.0/8 from the global allowlist
B) Create a VLAN that only contains 10.5.0.0/24
C) Enable "Override Global IP Allowlist" on the View and add only 10.5.0.0/24
D) Set the View protocol to S3 since S3 has stricter access control
3. What distinguishes mutual TLS (mTLS) from standard TLS in Cohesity deployments?
A) mTLS uses TLS 1.3 while standard TLS uses 1.2
B) mTLS encrypts data at rest in addition to data in transit
C) Both client and server present and verify certificates, establishing mutual identity trust
D) mTLS does not require a Certificate Authority because both sides share a pre-shared key
4. Why does Cohesity use Perfect Forward Secrecy (PFS) in its TLS implementation?
A) PFS ensures backup data is deduplicated before encryption for efficiency
B) PFS generates unique ephemeral keys per session so a future key compromise cannot decrypt past traffic
C) PFS eliminates the need for certificate management by using session-only keys
D) PFS allows older TLS versions to be used safely
5. A newly deployed Cohesity cluster uses a self-signed certificate. Which statement best describes the security implication?
A) The cluster cannot encrypt traffic until a CA-signed certificate is installed
B) The encryption is functional but no external authority vouches for the cluster's identity, risking man-in-the-middle attacks
C) Self-signed certificates are more secure because they cannot be revoked by a compromised CA
D) The certificate will expire in 24 hours unless replaced
Supported Protocols and Their Risk Profiles
A Cohesity cluster exposes several data-access protocols. Each one is effectively an open door -- and every open door is an attack surface. The guiding principle is least privilege: enable only what your workloads require.
| Protocol | Purpose | Security Consideration |
| --- | --- | --- |
| SMB | Windows file sharing / NAS access | Requires proper authentication; older SMBv1 is vulnerable to exploits |
| NFS | Linux/UNIX file sharing / NAS access | Host-based trust model; must combine with IP allowlisting |
| S3 | Object storage via HTTP/HTTPS | Requires HTTPS enforcement and access key management |
| RPCSEC_GSS | Kerberos security layer for NFS | Provides mutual authentication and encryption for NFS traffic |
Deny-by-Default Posture
By default, all ports on a Cohesity cluster are disabled except a small set of known ports. Protocols like SNMP must be explicitly enabled by an administrator. This means a fresh deployment starts hardened -- you selectively open only what is required rather than closing what is not.
```mermaid
flowchart TD
A[Fresh Cohesity Cluster] --> B[All Ports Disabled by Default]
B --> C{Identify Required Protocols}
C --> D[SMB Needed?]
C --> E[NFS Needed?]
C --> F[S3 Needed?]
D -->|Yes| G[Enable SMB on specific interface group]
D -->|No| H[Leave Disabled]
E -->|Yes| I[Enable NFS on specific interface group]
E -->|No| H
F -->|Yes| J[Enable S3 with HTTPS enforcement]
F -->|No| H
G --> K[Apply IP Allowlist to permitted sources]
I --> K
J --> K
K --> L[Hardened Cluster with Least-Privilege Access]
```
VLAN Segmentation
VLAN segmentation divides a physical network into isolated virtual LANs so that a compromise or congestion event in one zone cannot cascade into another. In Cohesity's architecture:
- All MGMT IPs must reside in the same VLAN; all VIPs must reside in the same VLAN (but MGMT and VIP VLANs can differ)
- All cluster nodes require layer-2 connectivity between them
- In multi-tenant environments, Views, VLANs, and Sources are isolated per tenant
| VLAN Type | Traffic Carried | Isolation Rationale |
| --- | --- | --- |
| Management VLAN | Admin UI, API calls, cluster management | Restricts administrative access to authorized networks |
| Data VLAN | Backup/restore traffic | High-bandwidth traffic isolated from management |
| Replication VLAN | Cluster-to-cluster replication | DR traffic separated from production backups |
| Client Access VLAN | NFS/SMB/S3 end-user access | User-facing protocols isolated from cluster internals |
IP Allowlisting: Global vs Per-View
IP allowlisting explicitly specifies which IP addresses or subnets may access a resource -- everything else is denied. Cohesity provides two levels:
- Global allowlist -- applies to all Views that do not have their own individual allowlist
- Per-View allowlist -- applies only to a specific View and supersedes the global list when "Override Global IP Allowlist" is enabled
```mermaid
flowchart TD
A[Incoming Access Request to a View] --> B{View has Override Global Allowlist enabled?}
B -->|Yes| C[Check Per-View Allowlist]
B -->|No| D[Check Global Allowlist]
C --> E{Source IP in Per-View Allowlist?}
D --> F{Source IP in Global Allowlist?}
E -->|Yes| G[Access Granted]
E -->|No| H[Access Denied]
F -->|Yes| G
F -->|No| H
```
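The allowlist hierarchy above, worked through in code. This is an added example, not Cohesity code: the View names, CIDRs and the `views_inheriting_broad_global` audit helper are constructed for illustration, and an empty list is modelled as matching nothing.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class View:
    """A View and its optional per-View allowlist (names and CIDRs are constructed examples)."""
    name: str
    override_global: bool = False                   # the "Override Global IP Allowlist" toggle
    allowlist: list = field(default_factory=list)   # CIDR strings, consulted only when the toggle is on


def ip_in_list(src_ip, cidrs):
    """True when src_ip falls inside any CIDR in the list; an empty list matches nothing."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def check_access(src_ip, view, global_allowlist):
    """Walk the hierarchy from the flowchart: per-View list if the override is on, else the global list.
    Returns (granted, reason) so the decision can be logged for audit."""
    if view.override_global:
        scope, cidrs = "per-View", view.allowlist
    else:
        scope, cidrs = "global", global_allowlist
    granted = ip_in_list(src_ip, cidrs)
    verdict = "matched" if granted else "not in"
    return granted, f"{src_ip} {verdict} {scope} allowlist for View {view.name}"


def views_inheriting_broad_global(views, global_allowlist, max_prefix=16):
    """Audit helper (constructed): Views that still rely on the global list while that list
    contains a network broader than /max_prefix, e.g. 10.0.0.0/8. These are override candidates."""
    broad = [c for c in global_allowlist
             if ipaddress.ip_network(c, strict=False).prefixlen < max_prefix]
    if not broad:
        return []
    return [v.name for v in views if not v.override_global]


# Constructed scenario matching question 2: global list is 10.0.0.0/8, HR-Records overrides it.
GLOBAL_ALLOWLIST = ["10.0.0.0/8"]
HR_RECORDS = View("HR-Records", override_global=True, allowlist=["10.5.0.0/24"])
FINANCE = View("Finance")   # no override: inherits the global list

if __name__ == "__main__":
    for src in ("10.5.0.20", "10.9.1.4", "192.168.1.10"):
        for v in (HR_RECORDS, FINANCE):
            print(check_access(src, v, GLOBAL_ALLOWLIST))
    print("Views inheriting a broad global list:",
          views_inheriting_broad_global([HR_RECORDS, FINANCE], GLOBAL_ALLOWLIST))
```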
Key Points -- Section 1
- Cohesity follows a deny-by-default posture: all ports start disabled
- Only enable the specific protocols (SMB, NFS, S3) your workloads require
- Segment traffic into Management, Data, Replication, and Client Access VLANs
- Use per-View IP allowlists to enforce least-privilege access at the data layer
- Per-View allowlists override the global allowlist when the toggle is enabled
TLS Encryption for Data-in-Transit
All access methods to the Cohesity cluster require a TLS connection (TLS 1.2 or above) with only FIPS-approved cipher suites and Perfect Forward Secrecy (PFS). Cohesity's encryption module is FIPS 140-2 certified (validated by a third-party federal laboratory through NIST), not merely "compliant."
Standard TLS vs Mutual TLS (mTLS)
Standard TLS verifies only the server's identity. mTLS goes further -- both client and server present certificates and verify each other. Cohesity uses mTLS for Hybrid Extender VMs communicating with the cluster over gRPC.
```mermaid
sequenceDiagram
participant Client
participant Server
Note over Client,Server: Standard TLS (one-way)
Client->>Server: ClientHello
Server->>Client: ServerHello + Server Certificate
Client->>Client: Verify Server Certificate
%% With PFS the session key is never transmitted; each side contributes an ephemeral key share
Client->>Server: Ephemeral key-exchange share (ECDHE, PFS)
Server->>Client: Session established
Note over Client,Server: mTLS (mutual verification)
Client->>Server: ClientHello
Server->>Client: ServerHello + Server Cert + Request Client Cert
Client->>Client: Verify Server Certificate
Client->>Server: Client Certificate + ephemeral key-exchange share
Server->>Server: Verify Client Certificate
Server->>Client: Mutual trust established
```
Certificate Management
A self-signed X.509 certificate (PEM format) is auto-generated at cluster creation. For production, replace it with a CA-signed certificate to avoid browser warnings and satisfy enterprise PKI policies. Plan to rotate certificates before expiration (typically 1-2 year maximum lifetime).
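How the properties described in this section (TLS 1.2+, PFS-only ciphers, mTLS, and the self-signed and expiry checks) look when enforced with Python's standard `ssl` module. This is an added example, not Cohesity's implementation: the cipher string is one PFS-only choice (narrow it to your FIPS policy), certificate and key paths are supplied by the caller, and the certificate dict is constructed in the shape `SSLSocket.getpeercert()` returns.

```python
import ssl

# Only ephemeral (ECDHE/DHE) key exchange, i.e. PFS. TLS 1.3 suites are always ephemeral
# and remain enabled. Restrict further to the FIPS-approved suites your policy names.
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"


def hardened_context(server_side, cafile=None, certfile=None, keyfile=None, mutual=False):
    """TLS 1.2+ only, PFS ciphers only; with mutual=True a server also requires a client cert."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    if certfile:                      # own identity: cluster cert (server) or client cert (mTLS client)
        ctx.load_cert_chain(certfile, keyfile)
    if server_side and mutual:        # mTLS: the server must verify the client's certificate too
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def offers_only_pfs(ctx):
    """True when every enabled TLS 1.2 suite uses ephemeral key exchange (TLS 1.3 suites always do)."""
    return all(c["protocol"] == "TLSv1.3" or c["name"].startswith(("ECDHE-", "DHE-"))
               for c in ctx.get_ciphers())


def is_self_signed(cert):
    """Heuristic on a getpeercert() dict: issuer == subject means no external authority vouches for it."""
    return cert.get("issuer") == cert.get("subject")


def validity_status(cert, now_epoch):
    """Check the validity window against a supplied clock. A clock skewed forward (as an NTP
    attack could do) makes a still-valid certificate look expired; skewed backward, not yet valid."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        return "not_yet_valid"
    if now_epoch > not_after:
        return "expired"
    return "valid"


def days_until_expiry(cert, now_epoch):
    """Whole days left before notAfter; drive rotation alerts from this, not from browser warnings."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_epoch) // 86400


# Constructed dict resembling a fresh cluster's auto-generated self-signed certificate.
SELF_SIGNED = {
    "subject": ((("commonName", "cohesity-cluster.example.test"),),),
    "issuer": ((("commonName", "cohesity-cluster.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2029 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    srv = hardened_context(server_side=True, mutual=True)
    print("server requires client cert:", srv.verify_mode == ssl.CERT_REQUIRED)
    print("PFS-only cipher list:", offers_only_pfs(srv))
    print("self-signed:", is_self_signed(SELF_SIGNED))
    now = ssl.cert_time_to_seconds("Dec  2 00:00:00 2029 GMT")
    print(validity_status(SELF_SIGNED, now), days_until_expiry(SELF_SIGNED, now), "days left")
```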
Encryption by Connection Type
| Connection Type | Encryption Method | Notes |
| --- | --- | --- |
| Agent-based backup | TLS 1.2+ | Agent initiates encrypted connection |
| VMware VADP | HTTPS (443) / port 902 | Encrypted API and data channels |
| NAS backup (NFS/SMB) | Protocol-dependent; NFS can use RPCSEC_GSS | Consider network-level encryption if protocol lacks native encryption |
| Hybrid Extender (cloud) | mTLS over gRPC | Mutual authentication and encryption |
| Replication to DR cluster | TLS 1.2+ on port 443 | Bidirectional encrypted replication |
Key Points -- Section 2
- All Cohesity connections require TLS 1.2+ with FIPS-approved cipher suites and PFS
- Cohesity is FIPS 140-2 certified, not merely compliant -- validated by NIST
- mTLS (mutual TLS) is used for Hybrid Extender cloud connectivity via gRPC
- Replace default self-signed certificates with CA-signed certificates in production
- PFS ensures past sessions remain safe even if a private key is later compromised
6. Why should management and data backup traffic be placed on separate VLANs?
A) Backup data uses UDP which is incompatible with management TCP traffic
B) Segmentation ensures a compromise or congestion in one traffic zone cannot cascade into the other
C) Cohesity licensing requires separate VLANs for management and data
D) Management traffic must use TLS while data traffic does not, so they cannot share a VLAN
7. An attacker poisons your DNS server to redirect rt.cohesity.com to a malicious IP. Which Cohesity function is most directly compromised?
A) Local backup scheduling
B) The support channel connection and potentially cloud services
C) VLAN tagging on cluster interfaces
D) IP allowlist enforcement on Views
8. What is the recommended security posture for the Cohesity support channel?
A) Always-on to ensure fast response times during incidents
B) Enabled only when needed, with change-management approval and a time-limited window
C) Permanently disabled in production environments
D) Enabled but restricted to TLS 1.3 connections only
9. Your automation server uses a Cohesity API token stored in a plaintext config file. Which single change provides the most impactful security improvement?
A) Rotate the token more frequently
B) Move the token to a secrets manager like HashiCorp Vault
C) Add an IP allowlist entry for the automation server
D) Change the API account to use a different username
10. Port 50051 is open on the Cohesity cluster firewall. What type of traffic does this serve?
A) NFS file-sharing access
B) Cluster-to-cluster replication
C) Cohesity agent communication for physical servers, Hyper-V, and Oracle
D) Cohesity support channel SSH tunnel
Network Segmentation
Effective segmentation separates management, data, and replication traffic into distinct zones. Think of a modern airport: passengers (data traffic) move through terminals, staff (management traffic) use restricted corridors, and cargo (replication traffic) travels through a separate logistics network. A security incident in one area does not shut down the others.
```mermaid
flowchart TD
subgraph MgmtVLAN["Management VLAN 100"]
A1[Admin Workstations]
A2[API Clients]
A3[Monitoring Tools]
end
subgraph DataVLAN["Data VLAN 200"]
B1[VMware Hosts]
B2[Physical Agents]
B3[NAS Devices]
end
subgraph ReplVLAN["Replication VLAN 300"]
C1[DR Cluster]
C2[Remote Sites]
end
subgraph ClientVLAN["Client Access VLAN 400"]
D1[NFS/SMB Clients]
D2[S3 Applications]
end
subgraph Cluster["Cohesity Cluster"]
N1[Node 1]
N2[Node 2]
N3[Node 3]
end
A1 -->|HTTPS 443| Cluster
A2 -->|REST API 443| Cluster
B1 -->|VADP 902| Cluster
B2 -->|Agent 50051| Cluster
B3 -->|NFS 2049 / SMB 445| Cluster
Cluster -->|TLS 443, 11111, 11114| C1
D1 -->|NFS/SMB| Cluster
D2 -->|S3 HTTPS| Cluster
```
Firewall Port Requirements
Cohesity uses application-based firewall profiles that define whether data from specific applications, ports, protocols, and IP sets are allowed or denied through interface groups.
Core Cluster and Replication Ports
| Port | Protocol | Direction | Purpose |
| --- | --- | --- | --- |
| 443 | TCP | Bidirectional | Management, API, replication, vCenter |
| 11111 | TCP | Bidirectional | I/O Operations Service between clusters |
| 11114 | TCP | Inbound | Replication Service |
| 24444 | TCP | Inbound | Continuous Replication Management |
Workload-Specific Ports
| Port | Protocol | Purpose |
| --- | --- | --- |
| 902 | TCP | VMware VADP data transfer to ESXi |
| 50051 | TCP | Cohesity agent (physical, Hyper-V, Oracle) |
| 1433 | TCP | Microsoft SQL Server backup |
| 2049, 111 | NFS | NAS backup/recovery via NFS |
| 445 | SMB | NAS backup/recovery via SMB |
Infrastructure Services Ports
| Port | Protocol | Purpose |
| --- | --- | --- |
| 53 | TCP/UDP | DNS resolution |
| 123, 323 | UDP | NTP time sync; 323 for Chronyc monitoring |
| 22 or 443 | TCP | Support channel (SSH to rt.cohesity.com) |
DNS and NTP Security
These infrastructure services are often overlooked but their compromise can undermine everything else:
- DNS poisoning could redirect replication traffic to a malicious endpoint or block access to Cohesity cloud services
- NTP manipulation could cause certificate validation failures or corrupt backup scheduling
Best practices: use internal hardened DNS servers, configure at least two NTP sources, restrict DNS (port 53) and NTP (ports 123/323) to trusted servers only, and monitor for anomalies via SIEM.
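A port audit and a firewall-profile evaluator built from the three port tables above, as an added example (not a Cohesity tool or API). The port groups are transcribed from the tables; the workload names, the observed listening set and the trusted-source CIDRs are constructed, and the profile format (ordered rules, first match wins, explicit final deny) is this example's own model of the "default deny" key point.

```python
import ipaddress

# Port groups transcribed from the tables above.
CORE_PORTS = {443, 11111, 11114, 24444}   # management/API/replication between clusters
WORKLOAD_PORTS = {
    "vmware": {902},        # VADP data transfer to ESXi (443 is already in CORE_PORTS)
    "agent": {50051},       # Cohesity agent: physical servers, Hyper-V, Oracle
    "mssql": {1433},
    "nfs": {2049, 111},
    "smb": {445},
}
INFRA_PORTS = {53, 123, 323}              # DNS and NTP/chronyc, restricted to trusted servers only


def expected_ports(workloads):
    """Ports a cluster has a reason to expose, given the workloads it actually serves."""
    ports = set(CORE_PORTS) | INFRA_PORTS
    for w in workloads:
        ports |= WORKLOAD_PORTS[w]
    return ports


def audit_listening(observed, workloads):
    """Deny-by-default check: any listening port no enabled workload explains is a finding."""
    want = expected_ports(workloads)
    return {"unexpected": sorted(observed - want), "missing": sorted(want - observed)}


def explain_port(port):
    """Which workload(s) justify a port, so the finding can be phrased for the auditor."""
    by_workload = sorted(w for w, ps in WORKLOAD_PORTS.items() if port in ps)
    return by_workload or (["core"] if port in CORE_PORTS else [])


def build_profile(workloads, trusted_sources):
    """Ordered (ports, source CIDR, action) rules; the explicit default deny is always last."""
    rules = []
    for w in workloads:
        for cidr in trusted_sources.get(w, []):
            rules.append((WORKLOAD_PORTS[w], cidr, "allow"))
    for cidr in trusted_sources.get("core", []):
        rules.append((CORE_PORTS, cidr, "allow"))
    rules.append((None, "0.0.0.0/0", "deny"))   # default deny: anything unmatched is dropped
    return rules


def evaluate(profile, dst_port, src_ip):
    """First-match evaluation of one packet against the profile."""
    ip = ipaddress.ip_address(src_ip)
    for ports, cidr, action in profile:
        if (ports is None or dst_port in ports) and ip in ipaddress.ip_network(cidr, strict=False):
            return action
    return "deny"   # unreachable with build_profile(), kept so a hand-written profile still denies


if __name__ == "__main__":
    # Constructed: a VMware-only cluster (question 1) that is still listening on the NFS ports.
    observed = {443, 902, 2049, 111, 11111, 11114, 24444, 53, 123, 323}
    result = audit_listening(observed, ["vmware"])
    for p in result["unexpected"]:
        print(f"port {p} listening but only justified by {explain_port(p)}")
    profile = build_profile(["vmware"], {"vmware": ["10.20.0.0/24"], "core": ["10.10.0.0/24"]})
    print(evaluate(profile, 902, "10.20.0.5"), evaluate(profile, 2049, "10.20.0.5"))
```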
Key Points -- Section 3
- Segment into Management, Data, and Replication VLANs at minimum
- Port 443 is the most versatile port: management, API, replication, and vCenter all use it
- Use Cohesity firewall profiles to mirror your network firewall rules on the cluster itself
- DNS and NTP are critical security dependencies -- poisoning either can cascade into certificate, replication, and scheduling failures
- Always end firewall policies with a default deny rule
VPN and SSH Access
Remote administrators should connect via VPN before accessing the Cohesity management interface (HTTPS 443). For advanced CLI operations, SSH access to cluster nodes is available but should be treated like a master key: kept behind a jump host in the management VLAN, logged for audit, and disabled when not actively needed.
Support Channel Security
Cohesity's support channel allows remote troubleshooting via SSH or HTTPS (port 22 or 443) to rt.cohesity.com. It is not always-on and must be explicitly enabled by an administrator.
| Control | Description |
| --- | --- |
| Explicit enablement | Must be actively enabled; not always-on |
| Firewall rule | Outbound to rt.cohesity.com on port 22/443 must be explicitly permitted |
| Audit logging | All support sessions should be logged and reviewed |
| Time-limited access | Disable after the troubleshooting session concludes |
API Access Security and Token Management
The Cohesity REST API (HTTPS 443) provides programmatic access to all cluster functions. Securing it requires a layered approach:
- Least privilege -- dedicated service accounts with only the RBAC permissions needed
- Token rotation -- rotate on a regular schedule; never use long-lived tokens
- IP restriction -- combine API access with IP allowlisting
- Secure storage -- store tokens in a secrets manager (e.g., HashiCorp Vault), not plaintext config files
- Audit -- monitor API logs for anomalous patterns
```mermaid
flowchart LR
subgraph External["External Network"]
Admin[Administrator]
Script[Automation Server]
Support[Cohesity Support]
end
subgraph SecurityLayer["Security Controls"]
VPN[VPN Gateway]
JumpHost[Jump Host]
FW[Firewall / IP Allowlist]
end
subgraph Cluster["Cohesity Cluster"]
WebUI[Web UI - HTTPS 443]
CLI[CLI - SSH 22]
API[REST API - HTTPS 443]
SupportCh[Support Channel - 22/443]
end
Admin -->|Encrypted tunnel| VPN
VPN -->|Mgmt VLAN| WebUI
Admin -->|SSH via| JumpHost
JumpHost -->|Restricted access| CLI
Script -->|Token + IP allowlist| FW
FW -->|HTTPS| API
Support -->|Time-limited, admin-enabled| SupportCh
```
Key Points -- Section 4
- Always access management interfaces through VPN -- never expose them directly to the internet
- SSH is a powerful tool: restrict it to jump hosts, use key-based auth, and log all sessions
- The support channel is not always-on; treat it with change-management rigor and time-limit access
- API tokens should be stored in secrets managers, combined with IP allowlists, and rotated regularly
- Defense in depth: even if a token leaks, IP restrictions and RBAC limit the blast radius
Answer the same questions again. The reveal at the end will compare your pre and post scores by section.
1. Your Cohesity cluster only serves VMware backup workloads. A security auditor asks why NFS is still reachable. What is the most appropriate remediation?
A) Add NFS traffic to the IP allowlist so only trusted hosts can connect
B) Disable NFS in the cluster firewall profile for user-facing interface groups
C) Upgrade NFS to NFSv4 to fix the security concern
D) Move NFS traffic to a separate VLAN to satisfy the auditor
2. A View called "HR-Records" should only be accessible from 10.5.0.0/24. The global allowlist permits 10.0.0.0/8. What must you configure to restrict access correctly?
A) Remove 10.0.0.0/8 from the global allowlist
B) Create a VLAN that only contains 10.5.0.0/24
C) Enable "Override Global IP Allowlist" on the View and add only 10.5.0.0/24
D) Set the View protocol to S3 since S3 has stricter access control
3. What distinguishes mutual TLS (mTLS) from standard TLS in Cohesity deployments?
A) mTLS uses TLS 1.3 while standard TLS uses 1.2
B) mTLS encrypts data at rest in addition to data in transit
C) Both client and server present and verify certificates, establishing mutual identity trust
D) mTLS does not require a Certificate Authority because both sides share a pre-shared key
4. Why does Cohesity use Perfect Forward Secrecy (PFS) in its TLS implementation?
A) PFS ensures backup data is deduplicated before encryption for efficiency
B) PFS generates unique ephemeral keys per session so a future key compromise cannot decrypt past traffic
C) PFS eliminates the need for certificate management by using session-only keys
D) PFS allows older TLS versions to be used safely
5. A newly deployed Cohesity cluster uses a self-signed certificate. Which statement best describes the security implication?
A) The cluster cannot encrypt traffic until a CA-signed certificate is installed
B) The encryption is functional but no external authority vouches for the cluster's identity, risking man-in-the-middle attacks
C) Self-signed certificates are more secure because they cannot be revoked by a compromised CA
D) The certificate will expire in 24 hours unless replaced
6. Why should management and data backup traffic be placed on separate VLANs?
A) Backup data uses UDP which is incompatible with management TCP traffic
B) Segmentation ensures a compromise or congestion in one traffic zone cannot cascade into the other
C) Cohesity licensing requires separate VLANs for management and data
D) Management traffic must use TLS while data traffic does not, so they cannot share a VLAN
7. An attacker poisons your DNS server to redirect rt.cohesity.com to a malicious IP. Which Cohesity function is most directly compromised?
A) Local backup scheduling
B) The support channel connection and potentially cloud services
C) VLAN tagging on cluster interfaces
D) IP allowlist enforcement on Views
8. What is the recommended security posture for the Cohesity support channel?
A) Always-on to ensure fast response times during incidents
B) Enabled only when needed, with change-management approval and a time-limited window
C) Permanently disabled in production environments
D) Enabled but restricted to TLS 1.3 connections only
9. Your automation server uses a Cohesity API token stored in a plaintext config file. Which single change provides the most impactful security improvement?
A) Rotate the token more frequently
B) Move the token to a secrets manager like HashiCorp Vault
C) Add an IP allowlist entry for the automation server
D) Change the API account to use a different username
10. Port 50051 is open on the Cohesity cluster firewall. What type of traffic does this serve?
A) NFS file-sharing access
B) Cluster-to-cluster replication
C) Cohesity agent communication for physical servers, Hyper-V, and Oracle
D) Cohesity support channel SSH tunnel
11. A Cohesity cluster has all MGMT IPs on VLAN 100 and all VIPs on VLAN 200. An engineer proposes moving Node 3's MGMT IP to VLAN 101 for a pilot test. What is wrong with this plan?
A) MGMT IPs can only use VLAN IDs below 100
B) All MGMT IPs must reside in the same VLAN; splitting them breaks cluster layer-2 requirements
C) VIPs and MGMT IPs must always share the same VLAN
D) VLAN 101 is reserved for replication traffic by Cohesity
12. Which combination of controls best implements defense-in-depth for a Cohesity API integration?
A) Long-lived token + full admin RBAC role + open to all IPs
B) Rotated token + least-privilege RBAC + IP allowlist + secrets manager storage + API audit logging
C) Password authentication on each call + VPN-only access
D) mTLS client certificate + no token required + no RBAC restrictions
13. NTP servers for the Cohesity cluster are unrestricted -- any host can query them. An attacker exploits this to skew the cluster's clock forward by 48 hours. Which attack does this most directly enable?
A) The IP allowlist stops working because timestamps are embedded in subnet masks
B) TLS certificates appear expired, causing backup and replication connections to fail
C) VLAN tags become invalid when the clock exceeds the tag expiration time
D) The cluster automatically opens all firewall ports as a failsafe
14. Cohesity's encryption module is described as "FIPS 140-2 certified." Why is the distinction between "certified" and "compliant" important?
A) "Compliant" means the encryption is stronger; "certified" means it passed a basic audit
B) "Certified" means a third-party federal lab validated the module through NIST; "compliant" has no formal meaning
C) Only "compliant" products can use AES-256; "certified" is limited to AES-128
D) There is no practical difference; both terms are used interchangeably in the industry
15. You need to allow a DR cluster at a remote site to replicate with your primary Cohesity cluster. Which minimum set of ports must be open bidirectionally between the two clusters?
A) 443, 902, 50051
B) 443, 11111, 11114, 24444
C) 22, 443, 53, 123
D) 445, 2049, 111, 443