all right. Our next step, we looked at threat modeling, secure design and engineering. While those two elements apply to working with the network, we have to think about protecting our network building securely and then continuing to secure throughout the network life cycle. So
first thing that we're gonna talk about
is network protection. If you were to hire me to come out to your company and say, Kelly, I need you to give a security speech. In less than five minutes, I would walk out in front,
tell your audience segmentation is important.
Then I take my check and I would leave.
Okay. You probably don't want to hire me to come to your office for less than five minute lecture. But in all seriousness, if I had nothing but a couple of minutes to tell you how to protect your network segmentation
separate out trusted resource is thes air. The things that I want to protect from untrusted entities don't let untrusted entities access your trusted resource is Well, how do I do that? I segment my network in two different layers of trust. So for Internet and, uh,
the internet is the greatest area of untrusted. Untrustworthy, right, the Internet. We don't trust anything there while our local area network is very trusting.
And then we might have a d M. C. That is semi trust.
So the idea is, I use devices like firewalls to create the separate segments on my network.
Routers do that. Routers segment the network. They divide the network up into separate sub nets, if you will. And then villains do that. Also, vey lands stands for virtual lands.
The lanes are very quickly replacing routers because they can essentially do everything. A router used to be done,
particularly if Dylan's air implemented on a Layer three switch. Now that's more technical than we're gonna go in this class. Absolutely. But you know, when we're looking at areas of segmentation, the devices that do this force routers,
virtual lands, firewalls. Okay, now lots of different types of firewalls. The first firewalls called the packet filter, and that's a very low in, but it's very fast firewall.
What that would set his things like source and destination. I p address. It looks at port number looks a protocol usage, and it makes a decision.
Usually firewalls, we're gonna use what we refer to his white listing and white listing means everything's walked
except what I allow on the white list, so to speak. So that's kind of Ah, none shall pass. Sort of means Okay. Now, with Black listing the problem with white listing even though it's very good for devices like firewalls, think about spam filters.
I'm not gonna allow any email to come through except from these 10 known domains.
We're gonna miss out on the Thanh of email. So white listing. Where is white listing blocks? Everything Black listing allows everything except what is expressly forbidden on the blacklist.
Okay, s So that's one type of firewall. Very basic. These used to be called generation One.
Then we have state full firewalls. These were called generation three. Don't ask me what happened to I do not know.
Eso state Full firewalls are aware of the connection state between devices. So is where, with a packet filter. Very basic firewall. I could block D N s Block and D and s is gonna prevent a lot of necessary traffic
with the state Full firewall. I can block misbehaving D N s. I can block a D. N s reply when it's not the result of a query that's called unsolicited reply, and that's a problem. But because state full firewalls can view the state of the connection, we can do that with state full firewalls. So that's a step. Better
application proxies. Though those air the devices that are the smart moons, you might hear him just called proxies. You could hear him called application gateways. Colonel Firewalls You know these air your Gen five again. Jen four.
I don't know,
but generations five. These air the devices that are specific to application layer protocols so you'll have a Web proxy. You'll have an FTP proxy. You'll have a male proxy, but what they need but that means is thes prop Cesaire very specialized into a specific protocol,
so your Web proxy can look for things like malformed or
yet malformed, a cheapie headers or malicious injection, perhaps Karl site scripting. So we get a lot deeper inspection with application firewalls,
but deeper inspection is slower,
so when you look at packet filters the most basic, they're cheap and fast. When you go up the application proxies. They cost more money, but they're and they're slower, but they're more.
Okay. Ah, that other idea was segmentation. I just mentioned the d M Z is a semi trusted zone. So you're going to allow traffic from the Internet into the d M Z, but it's gonna be very restricted. What you can allow you're not gonna allow everything in there. So you've got some control over the network. But because you're allowing
because you're allowing
access from the Internet, it's not full of trust.
And then the idea of air gaps, I'll tell you what the best way to secure network computer
pull it right off the network, right? So physically segmenting your own router A. Your own router be unless you provide some means of connectivity. That's pretty good segmentation. So that's what they mean by air gaps. So segmentation in my mind
is the single most important concept
in network security.
Isolate, trusted from untrusted.
And then, if untrusted entities have to access your precious resource is
make sure that that protection or that access is guarded, that you use devices for screening like firewalls, and that you make sure front and applications do the same things AP eyes. So whether it's in a system or an application,
Web app, database, whatever,
we make sure that untrusted doesn't access trust