Time
3 hours 54 minutes
Difficulty
Advanced
CEU/CPE
4

Video Description

In this lesson we will look at data in transit; data moving from one location to another. Traditionally protocols haven't been designed with security integrated. Using IPv4 as an example; what is built in to secure IPv4? The answer is nothing. There is no built-in element of security wit IPv4. Consequently, we're using a protocol for the movement of data across the internet that has no built-in security. Conversely, IPv6 has been designed with security it is integrated with IPSEC (IP Security), a protocol that is part of the IPv6 protocol. IPv6 was designed to be secure. Important points:

  • Most protocols and software are inherently insecure
  • We need a new philosophy and support from upper management

IPv4 versus Iv6: - IPv4 was not designed to be secure

  • IPV6 was designed fully integrated with IPSEC

Unfortunately, there doesn't appear to be any rush to move over to IPv6. Most organizations are firmly rooted in IPv4 (an inherently insecure protocol). What this means is that we're going to have to find means to make IPv4 more secure. Fortunately, we can take IPSEC and make it backward compatible for IPv4.

Video Transcription

00:04
all right. And then a ce forest, The technology goes The last element that I want to discuss in this section is data in transit that in motion data across the network, for instance, Now, I've addressed the idea that traditionally, protocols have been designed
00:22
not to be secure, you know, not intentionally to be insecure, but they just haven't been designed with security integrated.
00:29
You know, you look at I p version for and you think what is built in to secure I p p. Four
00:36
and the answer to that is nothing. There's no built in element of security with I p version for And if you go back to when I p v four was created and developed, you know, we're going back to the sixties here, and we're looking at the government using I p to transmit information across secured physical lengths
00:55
and the thought of course being well, the links are physically secure. Who needs protocol? Security?
01:00
Well, I be before has certainly expect expanded beyond that use. And we know that I use the protocol of the Internet,
01:08
which is, um, you know, very, uh, wide open. It's the wild, Wild West. So to speak. So we have this protocol that we're using to transmit data that has no built in security. And as a matter of fact, that's where the real push to move toe
01:27
he is The fact that
01:30
I p version six is designed with security. It's designed integrated with I 90 except,
01:38
of course, stands for I P Security.
01:42
And, um, this is a protocol that's bound with I p. V 66 protocol and really isn't something that's easily removed for my p p six. So finally, we've designed a protocol that is actually secure and was designed to be secure.
02:02
However, as you may be aware, we don't seem to be in any real brush to move over to the I. P. V six. Most organizations, including agencies with the government, a CZ wells private sector are firmly rooted in I p V four. So we're going back to this idea of we're using an unsecure protocol.
02:23
Now.
02:23
Just because the protocol itself is not secure doesn't mean that we can achieve security. But what it does mean is we have to find some security and duct taping on top. You know, rather than working with I P p six, it has integrated security. We're using I p four.
02:39
Now we can take I p sec and make it backwards compatible. We have.
02:45
And so you could run a piece set on an I P network and I pee before network to protect it.
02:52
But again, anytime you duck, take security on top, as opposed to designing it into the protocol itself,
03:00
you're always gonna find that it doesn't work is smoothly. Words efficiently. And perhaps it doesn't work is securely as when it's in a great Okay, so I pee before unsecure I p v six is secure because of the use of I p sec.
03:16
The principle here being is we add security on unsecure protocols. I p being insecure. I p sec is one of the ways we can secure it,
03:28
but we really need a different approach to security.
03:31
Uh, we looking applications, you know, applications, air designed. Maybe we develop APS and house. You know, we really need to senior management to support the security function as faras allowing budget time support to integrate security into software.
03:50
So it really has to be a shift in philosophy
03:53
and for any of you who have taken somewhere along the line. If you've taken an introduction to program in class.
04:00
You know, I think a lot of people probably have somewhere along the way. And I'd like you to think back to that class and think about how much of that time was devoted to writing secure code,
04:12
not the writing code, not to sing of the code word, but to writing secure code. And I think most people have the answer of zero none of that time. So we really need a shift in philosophy before we're going to start seeing secure technologies on the market as opposed to technologies
04:31
that are later secured through patches or off stage or whatever that may be.
04:35
All right, So we're adding on security
04:39
I p *** I p set is one of the secure protocols SSL in T l s secure sockets layer, which is largely being replaced by transport layer security. A lot of people still refer to it is the SSL because that's what we've had for so long. Although the reality of it is, we're probably
04:58
really implementing t l s.
05:00
Ah, but any rate SSL is very much based on the need for a public key infrastructure and using public and private key pairs in orderto authenticate users and servers. Usually we think about this for security, Web traffic
05:19
and ah servers providing authentication through the use of certificates. So that's a means that we can use to secure Web traffic. Which, http of course, is unsecure.
05:31
We can also use SS H, which is secure shell.
05:36
But at any rate, secure shell is a secure alternative to many remote administration protocols. So, for instance, if you think about telling that
05:46
so tell that will allow me to remotely log into a system and make some modifications may be changed the configuration.
05:55
But the problem with Tell Nat is that credentials were transmitted across the network in plain text,
06:01
just like with the our utilities. That airport of UNIX, like our walk in
06:06
FTP, inherently unsecure credentials past the network in plain text.
06:14
So we look at using SS H as a substitute for FTP as a substitute for Tell Mette and as a substitute for some of those Argh utilities for units, because ultimately they don't provide any security.
06:27
Sshh provides the credentials in the transmission of information and encrypted format okay. And I've already mentioned the use of certificates. SSL uses certificates. We can also use certificates on our network. Primarily, we think about certificates as a means of exchanging public key information.
06:46
So certificates are
06:48
always there in a pub or always required in a public he infrastructure maybes. But I'd say that, um, I know this is kind of a high level overview, but just hitting the highlights and these ideas that we have weak protocols that we need to go back and secure with stronger protocols. And once again, I want to encourage you.
07:09
If this is information that's valuable to you.
07:12
The C I s s P course that we offer has two sections. We have a section on networking and telecommunications, and then we have a section on cryptography, both of those I teach. And I think there would be helpful for you and filling in any of these gaps from a technical perspective.
07:30
So that's going to wrap up our series on the technology
07:32
that I think is appropriate for a sizzle, you know, have that upper layer understanding. But I will encourage you to go back and review those other courses from C i. D. SSP. Because I do think they're very hopeful

Up Next

Chief Information Security Officer (CISO)

In this CISO certification training, you will learn what other CISO's are focusing their time and attention on. Among the key topics, you will learn how to implement the proven best practices that make for successful cyber security leadership.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor