00:04
Okay. Another idea that frequently is associated with separation, trusted from untrusted, is NAT, and then its subset, which is PAT: network address translation and port address translation.
00:20
So the idea is my local area network is hidden behind a firewall or some other screening device and then is connected out to the Internet.
00:29
And like we said, the Internet really poses quite a threat to our internal environment. So we want to make sure that we have multiple layers of defense in protecting our internal network from the external network. And that's one of the things that network address translation was really designed to do.
00:47
So originally, that was what I refer to as a 1-to-1 mapping, meaning for every internal host you would have an external IP address. So I might have a host on the 10 network whose IP address is 10.1.1.1,
01:03
and then I would have an external interface on my NAT device, router, whatever, that's a public address. And if you're not familiar with the fact that there are several reserved IP address ranges for internal private use, that's one of the things that NAT relies on. Just quickly:
01:23
anything in the 10 network,
01:26
anything on the 192.168 network, and then also there's a range in the 172 network, from 172.16 through 172.31. Those ranges are set aside for internal use. And that's a security benefit as well, because that would
01:46
help us easily identify internal traffic from external traffic.
01:51
With those address ranges being set aside for internal use only, Internet routers will not route packets with that source or destination. So that gives us a security benefit. So what NAT originally did would allow me to have one
02:06
private internal IP address from those ranges, and then I would have an external address
02:12
connected to the public Internet, and that would be a means of hiding my internal IP addressing scheme.
02:17
But the problem with NAT by itself is if I have five internal hosts, I need five external interfaces. So
02:25
so NAT actually has a subset called PAT,
02:30
port address translation, and that's what allows me to have one public interface and numerous or many internal hosts, that many-to-one mapping. So ultimately what NAT does is it intercepts traffic, strips the source address from the traffic,
02:46
and replaces it with its own external
02:51
IP address as the source. So ultimately, everything looks like it's coming from the NAT device, and it doesn't reveal any information about my internal IP addressing scheme. So that's certainly a security mechanism that we would have on our connectivity devices. Many firewalls offer NAT, routers offer NAT,
03:10
proxy servers as well. Very helpful.
03:14
Now, the last thing that we'll talk about here in this section is configuration management, and configuration management is a very important part of securing the organization and creating an environment of stability,
03:29
and ultimately, with configuration management, what we're gonna do is we're gonna document our hardware and software, and we're gonna control any changes to those elements. Okay? So what that means is those main elements of a system, the processor, the BIOS,
03:50
operating system, kernel, these are things that when we get this equipment delivered, we document what it is as delivered, and then any changes we make to that baseline configuration. So ultimately, if we go through a series of steps to harden the system,
04:08
we make sure that those changes get documented,
04:12
and we make sure that no changes get made to a system without following a proper change control procedure. We do no changes on the fly. We don't just make a quick modification because it's not a big deal. We always follow the process,
04:30
and that process is change control,
04:32
which is part of our configuration management process as a whole. You know, the bottom line is, if we allow users to make changes on the fly, they will, and, you know, think about maybe
04:46
a patch to close up a vulnerability in an operating system.
04:51
You know, if we allow our users just to go out and download whatever patches they think are worth pulling down and then install those on their systems, that will wreak havoc on their systems and on our network environment. If we allow users to install applications,
05:11
you think about how many
05:13
elements of malicious code are spread by users downloading files, installing them. Right? Configuration management says
05:20
any changes to the baseline security settings of a system must go through a rigorous process for change control and must be well documented.
05:32
Configuration management is also very important in business continuity and disaster recovery,
05:39
because ultimately what we're gonna look at is restoring operations to the state that the operations were in before the disaster.
05:46
If I don't know what that state was, if I don't have the documentation, then I'm not gonna be able to do so. So the primary purpose of configuration management is system and environmental stability, very important in the security arena.