Welcome to the Cybrary video series on the CompTIA Security+ 501 certification and exam.
I'm your instructor, Ron Woerner.
In this video I review Section 3.2: Given a scenario, implement secure network architecture concepts.
This section overlaps heavily with topics covered in the second domain.
In this video, we'll cover the following concepts: zones and topologies; network segmentation and isolation; the different security devices you'll find on the network, such as sensors, collectors, filters, proxies and firewalls; intrusion detection and prevention systems; tunneling and VPNs; software-defined networks; and honeypots and honeynets.
Network design and its included components play an important role in implementing the overall security of an organization.
An overall security solution includes design elements such as zones and topologies that distinguish private networks, intranets and the Internet.
For this topic, you should understand the different types of zones and topologies seen on a standard corporate network.
Each zone on the network is separated based on organizational role or level of security. For example, you might want to separate accounting from manufacturing, and you can do that at the network layer.
For example, there are secure zones, general work zones and low-security zones. A secure zone holds the most sensitive data. With the Payment Card Industry, for example, it's the cardholder data environment (CDE), a secure zone that is normally separated on the network. A general work zone may be for your general administrative purposes. Low-security zones would be for more public-level access.
The different types of zones you'll see as standard are a DMZ, or demilitarized zone (more about that in a moment); an extranet and an intranet; and wireless, which may be guest access.
A demilitarized zone, or DMZ, is a small network between the internal network and the Internet or other external networks, and it provides a layer of security and privacy. Both internal and external users might have limited access to systems and servers within the DMZ.
For example, web or mail servers are often placed in the DMZ because these devices are exposed to the Internet, but they also need to be accessed from the inside network.
The DMZ allows external users to access information that the organization deems necessary, but will not compromise any internal organizational information.
You see an example of a DMZ on your screen, and you can see how it provides this buffer zone and defense in depth; it's usually set up using multiple firewalls.
Keep in mind that DMZ concepts are a little bit dated and not as applicable in today's cloud architectures.
In addition to a DMZ, many organizations have an intranet and an extranet.
An extranet is a private network that uses Internet technology, across the Internet and public telecom, to securely share business information and/or operations with suppliers, vendors, partners and customers.
An intranet is all internal to the company. It's like having your own private web server solely within the organizational framework.
We talked about wireless in other videos. For Section 3.2, you need to be familiar with wireless segmentation: how do you separate out WiFi? Because WiFi tends to have a higher risk associated with it.
The idea is, at the network layer, separating wireless from the internal network, creating a buffer between the wireless and wired networks, and also separating guest wireless access from internal networks.
This is controlled using 802.1X port-based access control, which I talk about in depth in another video.
Another way to segment wireless is using MAC filtering. A MAC definition is on your screen: media access control, restricting access on WiFi based on the NIC (network interface card) address.
Keep in mind there are many other ways to segment wireless networks; these are just a few to keep in mind for Security+.
Security+ also talks about security devices, but for this section, be aware of where you will place these types of security devices on a network.
Your firewalls or unified threat management systems will normally be placed on the border of your network, between the internal network and the Internet. You may also have an intrusion detection system within that border area. You could also have IDS and IPS on internal network segments.
A virtual private network allows for remote access; I'll talk more about VPNs in a while.
A proxy goes in between internal users and external websites.
A load balancer: you might have two web servers and want to balance the load between them so that one doesn't get overburdened. Sitting between the two is what a load balancer does.
A security incident and event management system is a log correlation system. It brings together logs from multiple systems into one place where they can be correlated, easily monitored and reviewed.
The last concept is DDoS (distributed denial of service) mitigation. This will also be placed within your border router; you may also have a service that does DDoS mitigation for your organization.
There are multiple roles for a firewall. The firewall functions are listed on your screen. First is your packet filter, basically IP filtering or port filtering; then a proxy firewall, mostly for applications or web access; and then stateful packet inspection, which looks into the network packets to make sure they're not malicious. You can see on your screen the typical placement for a firewall, between the Internet and the DMZ.
Some firewalls are known as dual-homed firewalls. They have two network interface cards: one to the external network, one to the internal network.
A firewall may also provide network address translation, translating an external IP address to one that is used internally.
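To make the packet-filter and DMZ placement ideas concrete, here is an added example (not from the video) of a zone-based packet filter: first-match rules with an implicit deny at the end, which is how most packet filters behave. The address ranges and rules are constructed for illustration.

```python
# Added example: zone-based packet filter that encodes the DMZ design.
# Zones and addresses are constructed for illustration, not from the video.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {
    "dmz": ip_network("192.0.2.0/24"),      # public-facing web/mail servers
    "internal": ip_network("10.0.0.0/8"),   # corporate LAN
}

def zone_of(ip: str) -> str:
    """Map an address to its security zone; anything unmatched is the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

# Order matters: the first matching rule wins.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow"),   # public HTTPS into the DMZ
    Rule("internet", "dmz", "tcp", 25, "allow"),    # inbound mail into the DMZ
    Rule("internal", "dmz", "tcp", None, "allow"),  # staff manage DMZ hosts
    Rule("dmz", "internal", "tcp", None, "deny"),   # a breached DMZ host cannot reach inside
    Rule("internet", "internal", "tcp", None, "deny"),
]

def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one packet; unmatched traffic is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src_zone == src and r.dst_zone == dst
                and r.proto == proto and r.dport in (None, dport)):
            return r.action
    return "deny"   # implicit default deny

if __name__ == "__main__":
    print(evaluate("198.51.100.7", "192.0.2.10", "tcp", 443))  # allow
    print(evaluate("192.0.2.10", "10.1.1.5", "tcp", 445))      # deny
```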
Often paired with a firewall is an intrusion detection or intrusion prevention system (IDS/IPS). These may also be referred to as NIDS or NIPS, network intrusion detection or network intrusion prevention systems.
These are sensors that collect data, detecting whether there could be a potential intrusion across the network. They react to detected events: traffic outside of normal bounds. To detect anomalies, they might be signature-based or behavior-based, or could use heuristics, basically a model for normal behavior. A typical NIDS consists of sensors to monitor packet traffic, a server for management functions and a management console.
All of these can often be included with a firewall and placed at the border of the network.
Proper network design is important to ensure that the network is stable, reliable, scalable and secure.
The network should be segmented to separate information and infrastructure based on organizational needs and requirements.
VLANs are a logical separation of a physical network. A VLAN is basically a software solution that supports creating unique tagged identifiers to be assigned to different ports on the switch.
To secure a virtualized environment, machines should be segmented by the sensitivity of the information they contain; the second method for segregation on a network is using different virtual machines.
The third is air gaps, which is a physical separation, keeping them on completely different networks; they're not attached by any network.
These are all different forms of network segmentation and segregation.
Previously, I spoke about a VLAN, a virtual local area network.
You see on your screen an example of a VLAN, and it's all done through software on a switch. The example on your screen shows a different segment for management, for voice over IP, and maybe for cameras. VLANs provide a way to limit broadcast traffic in a switched network.
This creates a boundary and, in essence, creates multiple isolated LANs on one switch.
When one host in one VLAN needs to communicate with a host in another VLAN, that traffic must be routed between them. This is called inter-VLAN routing.
When a layer 2 or data link layer switch is used, a router is required to pass the traffic from one VLAN to another.
When a layer 3 or network layer switch is used, inter-VLAN routing is done through layer 3 interfaces. The most notable benefit of using a VLAN is that it can span multiple switches, because users on the same VLAN do not have to be associated by physical location; they can be grouped logically.
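As an added example (not from the video), here is a tiny model of a VLAN-aware switch showing why broadcasts and unknown-unicast floods stay inside one VLAN, and why a layer 3 interface is needed before a host in VLAN 10 can reach one in VLAN 20. Port assignments and MAC addresses are constructed; the layer 3 part is simplified in that the destination VLAN is passed in directly instead of being resolved from an IP routing table.

```python
# Added example: minimal VLAN switch model. Ports, VLAN ids and MACs are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class VlanSwitch:
    """Layer 2 switch with access ports; each port belongs to exactly one VLAN."""
    def __init__(self, port_vlans):
        self.port_vlans = port_vlans   # port number -> VLAN id
        self.mac_table = {}            # (vlan, mac) -> port, learned from source MACs

    def ports_in(self, vlan, exclude=None):
        return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != exclude)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the egress ports for one frame; the VLAN is the boundary."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port        # source learning is per VLAN
        if dst_mac == BROADCAST:
            return self.ports_in(vlan, exclude=in_port)  # broadcast stays in its VLAN
        out = self.mac_table.get((vlan, dst_mac))
        # Unknown unicast is flooded, but only to ports in the same VLAN,
        # so a host in another VLAN never sees the frame at layer 2.
        return [out] if out is not None else self.ports_in(vlan, exclude=in_port)

class Layer3Switch(VlanSwitch):
    """Adds a routed interface (SVI) per VLAN so frames can cross VLANs."""
    def __init__(self, port_vlans, svi_macs):
        super().__init__(port_vlans)
        self.svi_macs = svi_macs       # vlan -> gateway MAC that hosts send to

    def route(self, in_port, dst_mac, dst_vlan, dst_host_mac):
        """If the frame is addressed to this VLAN's gateway, re-forward it in dst_vlan."""
        src_vlan = self.port_vlans[in_port]
        if dst_mac != self.svi_macs[src_vlan]:
            return None                # not for the router: plain layer 2 forwarding
        out = self.mac_table.get((dst_vlan, dst_host_mac))
        return [out] if out is not None else self.ports_in(dst_vlan)

if __name__ == "__main__":
    sw = VlanSwitch({1: 10, 2: 10, 3: 20})     # ports 1,2 in VLAN 10; port 3 in VLAN 20
    print(sw.forward(1, "aa:aa", BROADCAST))   # [2]  broadcast never reaches port 3
    l3 = Layer3Switch({1: 10, 2: 10, 3: 20}, {10: "gw:10", 20: "gw:20"})
    l3.forward(3, "cc:cc", BROADCAST)          # switch learns cc:cc on port 3 in VLAN 20
    print(l3.route(1, "gw:10", 20, "cc:cc"))   # [3]  routed via the SVI
```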
Another concept to be familiar with is VPNs and tunneling using virtual private networks; this is normally placed at the border of your network. It's a private network connection through unsecured public networks, and it's used to connect remote devices so that they appear as if they are local.
There are multiple methods associated with VPNs. One is site-to-site, where you're connecting maybe another business to your organization across the Internet, so connecting those LANs.
Another is remote access. This is what you might be familiar with, with either an SSL or IPsec VPN. It connects end users or devices to the corporate network.
The third type is remote access servers, allowing remote access from external to internal networks.
See Section 2.1 for more information on VPNs.
A software-defined network is an entirely virtualized network that allows for easier network segmentation, so it's all done logically across multiple physical switches or routers.
That allows administrators to place virtualized security devices anywhere: a lot more flexibility, therefore allowing a lot more security.
The SDN architecture is directly programmable. It's agile, very configurable and centrally managed: you don't need to go to separate switches; it's all done within a single interface.
It's programmatically configured, so basically easier to configure for your network or security administrator. And it's based on open standards, so it tends to be vendor neutral.
Be familiar with software-defined networks, as they're used by many organizations.
Honeypots and honeynets are systems or networks meant to be breached. They are developed and exposed to capture malicious activity.
They are left vulnerable on purpose and may be part of an investigation or used to study attack strategies.
You want to make sure that if you are using a honeypot or honeynet, it's separate from any business network.
Honeyd.org is a site I recommend to learn more about honeypots and honeynets.
Let's practice on some sample quiz questions.
Question one: Alice is a CISO for a financial institution. She wants to use a device that is intentionally broken to catch and log potential attacks.
The answer is A.
Question two: Alice hired you as her network architect. She wants a file transfer server in an area that's accessible both from the Internet and to internal users. What's your best approach?
The answer is D: place the server in a DMZ, a separate network accessible from both the Internet and your internal network.
There are many labs associated with the concepts in Section 3.2.
The first one is the firewall rule-based management lab.
The second lab is the Firewalls and Evasion lab, where you practice connecting to a Hyper-V manager; you install ZoneAlarm firewall and antivirus and configure it as a firewall.
Another lab for you to consider is the one where you're configuring an IDS and honeypots. The last lab associated with this section is implementing a network policy server, where you practice creating and managing a VPN server and client and viewing the logs.
This concludes Section 3.2: Given a scenario, implement secure network architecture concepts. We talked through numerous concepts associated with the placement of security devices within a network.
Please refer to your study material for more information on this section.