Time
10 hours 28 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson talks about Secure Comprehensive Solutions and teaches about different types of networks with the understanding that every network is going to require its own technology.

  • PAN
  • LAN
  • CAN
  • MAN
  • WAN
  • Switched network
  • Routed network

This lesson also discusses the security issues that come from the following: - Remote access security

  • Critical infrastructure
  • VoIP integration and security
  • IPv6 integration
  • Organizational change
  • Data flow

Video Transcription

00:04
all right. Having talk out virtualization enterprise storage, Let's talk about some comprehensive solutions. Let's talk about the network is, ah, hold enterprises a whole kind of bringing everything together. So the first thing we talked about right off the batter, the different types of networks with, of course, the idea
00:21
that every network type is gonna require its own technology.
00:25
Now, you can really kind of go crazy with some of these, you know, personal area networks, campus area networks. I would really focus on land versus man, so land your local area network, your internal network when anything outside your local area network. So
00:44
if you have multiple branch offices across the city or state or country or world,
00:49
you're now talking about when connective ity now beyond the scope of this test would be man technology. And this would be more the telco with the telephone company's responsibility or other service providers, gathering up region from region or land traffic
01:06
across many different organizations and preparing it to travel cards to the phone company or the provider's network.
01:12
But that's not really our problem. I would focus certainly on ah local area network and a wide area network
01:19
now switch Networks versus Routed Networks. This should be a review for us because we already talked about the evolution of network devices. And it's just a quick reminder. We talk about hubs being sort of the original device to connect our networks together. A cz a matter of fact. Originally, hubs weren't even powered devices. They were simply you plugged into a rat,
01:40
and that rat provided a conduit for the signal.
01:42
So, uh, you know, hubs really didn't give us a lot of value. So we went to switch networks. And if you'll remember, there were two things a switch did force inherently. Ah, switch used Mac addresses and Mac addresses, or the address is bound to each hosts network card.
02:00
And it used those Mac addresses to determine how to direct traffic. But something else equally important that a switched it is an isolated, isolated traffic into collision domains. Ethernet networks are very collision driven and most of us Iran Ethernet networks, so we bring a switch in to eliminate,
02:19
or at least drastically reduced the number of collisions on our network. That's great,
02:23
however, as we talked about what a switch does not do, natively a switch does not isolate broadcast traffic natively. All of switch does is isolate collisions. So if I've got one system that generates a lot of broadcast, that broadcast goes everywhere on the network, and switch doesn't do anything about that.
02:43
So we bring in a router and a router separates out each network into its own broadcast to Maine.
02:50
But the downside of a routers, it's expensive.
02:53
So what do we do? We take a switch
02:55
as long as the switches capable. We install or configure a villain on that switch, and the villain takes a switch and creates different broadcast domains using the ports of a switch rather than having to have this done on a router.
03:10
Remember, if you want those feelings to communicate with each other, though, you need a layer three switch. And the reason for that is broadcast domains are isolated by using I P addresses and a switch being a device that only uses Mac addresses. It can't make those good decisions, so we need a Layer three switch where we bring in a router in order to enable
03:31
All right now, advanced network design remote access security
03:38
again. That's a three week class in and of itself. You know, when we talk about remote access, we're talking about all those ways. Someone not physically wired in or connected to our land can still access land. Resource is
03:53
now. I would be better off from a security perspective to require anybody accessing network Resource is to be in my physical building, plugged into a port on the wall. No wireless, no dial up, no VPN. That would be better. From a security standpoint,
04:12
however, business needs drive us to allow remote access.
04:15
We have people that telecommute, you know, that that worked from home. We have people that need to access files from remote locations. We have people that travel, so that's not gonna work force. But it would be something very much to think about.
04:29
So when we talk about connecting to the network from some sort of remote device, whether it's wireless or dial up or ah, VP and solution,
04:38
we've got to think about things like making sure their traffic is encrypted.
04:42
We have to think about things like making sure they provide that they are required to provide strong authentication on one of the ways that we enforce authentication for a remote access devices
04:56
is through the use of a server called a radius
04:59
server.
05:00
A radius server and radius is all about authentication, and frequently it's associated with remote clients. Or, you could say remote access as a matter of fact radius. You'll either here remote access or remote authentication. Different books call it different things doesn't really matter.
05:19
Remote authentication
05:20
dialled in user service's. That's a central server that's gonna provide authentication for these remote devices. So, for instance, let's say that I have a client that's gonna use a modem to connect.
05:35
And, of course, I realise that dial up connective ity is not our main way of connecting into the office, but four particular systems. We do still allow that dial up access also cos this is going to shock. You are not always on the cutting edge of technology, and many organizations
05:54
take what they have, what they paid for what's been working for them.
05:58
And they keep that so you cannot say dial it can. Activity is obsolete. All right, so if I have a dial up
06:03
connecting to remote access servers,
06:08
I might have a couple of Raz in my network.
06:11
I might have
06:13
a lightning bolt. That's not a very good lightning bolt, but you'll get the idea we might have. A VP and server. BP and client
06:21
connecting into VP and concentrator
06:25
might have multiple VP and servers,
06:29
you know. And usually we connect to the VP and across the Internet
06:32
or
06:34
some other network.
06:35
Ah, and then we might also have wireless clients. Well, if I allow all these different ways to connect into my network and many networks do offer all these options, what I have is I have very much a decentralized environment,
06:51
and in some cases that's good. What a decentralized environment does is it allows me great flexibility. So it will allow me to set up a single set of authentication requirements at this access point and that differ from what the configuration requirements are on this access point on this one.
07:10
Every VPN can have a different set of rules
07:13
priorities for processing. Every remote access server can have its own set of authentication requirements. When we talk about a decentralized environment, flexibility would be our goal.
07:24
However,
07:26
you know, when we're talking about allowing remote access to our land,
07:32
any time we bring in these and a lot of times we call these network access servers. Anytime we allow what's essentially a gateway from the outside into our land, we open ourselves up for risk. It's a vulnerability to let people from the outside connected to my land.
07:49
And if you think about it, just making them physically be present.
07:54
They're subject to the physical security of my location, right? Maybe they have to provide swipe card access to get in the door. They walk past a security guard who has them sign in or looks at their swipe card badge. They're under surveillance very hard
08:11
for a total stranger to walk into an office
08:13
without being detected. So
08:16
any time I allow remote access, I have a vulnerability. So I've got a lock that down as much as possible. So one of the things that will do with Radius is we're going to enforce a very strong,
08:30
very consistent set of rules and policies before somebody from the outside can access the inside.
08:37
If I did this decentralized, I would have to configure that policy here. And then here. Then here, then here. Then here, here, here, here and here,
08:46
but instead What I'm gonna do is I'm gonna bring in a remote authentication DIA Linn user service called Radius. And its job is to provide central authentication,
09:00
often for remote access. Doesn't have to be for remote access. And instead of configuring policy on those network access devices,
09:09
I'll point them to the radius server
09:13
for access.
09:15
Okay, so this is central authentication. That's a big benefit. It gives me consistency. It allows me to write one set of strong policy and know that all the systems are going to use that That policy.
09:26
Uh, you may have heard of the standard 802.1 x. That's an IEEE standard.
09:35
Ah, but the IEEE standard 8021 X is what's described here, and it is formally referred to as IV
09:45
over Ethernet. Eat is an authentication protocol, and what that means is authentication requests or forwarded across the land across the Ethernet network to a central server. So whenever you hear this idea of 8021 x,
10:01
I want you immediately in your mind to go to radius
10:05
now. Um, radius was gonna have a successor called diameter.
10:11
The name diameter, as in diameter, is twice the radius that may never really took off, but Radius has evolved throughout the years. It used to be you tp based. It used to not encrypt the initial, uh, set up of the communication
10:26
so Radius has evolved, but we're still calling it radius. A lot of times we don't Most of us don't refer to diameter.
10:33
Cisco has a comparable product that does this and a whole lot more called pack ax. Plus, um,
10:41
one of the things about Tax Plus and I have actually seen this is being a testable idea. This phrase separates the Triple A functions
10:52
Tak Acts Plus was the first of the authentication servers to separate out the Triple A functions.
11:00
The Triple A functions and those Tripoli functions are authentication,
11:05
which means prove your identity. Whether you do that with a password, a smart card, a token device, whatever that is. Authentication allows an individual to prove their claim. I claim to be Kelly Hander Hand. Here's my driver's license is proof that's authentication.
11:22
Authorization is what you can do on the network,
11:26
So based on you proving your identity, you have certain rights and permissions you can access. You can print to the printer. You can access file one. You can install applications, so authorization, your rights and permissions and then all the things sometimes referred to his accounting
11:43
because auditing is all about accountability. So in the tack ax plus server, you create your rule. Set
11:50
your requirements for authentication. You can also configure authorization based on rules based on groups and group memberships as well as auditing features, and you can enable them all to work together. Or you can isolate them and have them work separately.
12:05
So even though a lot of what you read puts diameter tak X plus and radius all in the same boat,
12:13
really, you're two main ones. Air radius in diameter. I'm sorry. Radius and Tak acts Pack Acts Plus, which comes from Cisco, is much more than just a standard authentication server. Okay, so when we think about allowing remote access security,
12:28
we have to take things up a notch. Because of the potential for misuse of these remote access devices,
12:33
we want to require stronger authentication, which is likely going to require us to bring in a radius server as a matter of fact, in relation to a wireless. If you've ever configured wireless security like W P. A or W P. A. To
12:48
when you go in and configure those access points of those devices to use w. P A. You'll choose between personal or enterprise w p A to you choose between personal and enterprise. All that means is enterprise supports. Radius Enterprise supports an 802.1 ex environment, meaning it's
13:07
able
13:09
to provide authentication per the radius server. So that's the difference between it and that's very important element of remote access security. Okay, certainly know what radius does on why we would bring it in. All right, critical infrastructure. I would think skater
13:28
as your acronym de jour.
13:30
When we talk about critical infrastructure and when we're talking about critical infrastructure, we're not just talking about your company. What we're really talking about is the country as a whole as a nation. What are those service is that are critical to the survival
13:46
of the U. S. And certainly we think about this in cyber security. We think about this from attack terrorist attack.
13:52
You know, we think about power. We think about our food sources. We think about water and other infrastructure needs and ideas, so that falls under the category of skater.
14:07
And when we talk about skate at stands for supervisory control and data acquisition
14:13
and, uh, food source, meaning agriculture has recently been added the skater but those elements that are the most critical elements to the infrastructure. So if you're in one of those fields, you have very strict requirements for the security and the protection of your network
14:31
because they're such tremendous repercussions
14:35
if power grids get compromised or the water source gets compromised, all right, Some other ideas with networking VoIP voice over I, P and VoIP is sometimes referred to as telephony.
14:50
You know, um,
14:52
we have two types of signal that we would think about. We have analog signals, and voice is a perfect example of analog signal. They're all sorts of ranges and tones of voice and elements that I can hit with analog signal. Where is digital? Which is, of course, what computer she used
15:09
on and off. Yes or No one or zero
15:13
we've always tried to do in these two different signaling types. They really have in the past required two types of media analog media or digital media. But We've always wanted to take two different signal types and running across the same wire.
15:28
So in the past, when we had analog phone lines, we needed modems that would take digital signature signal from our computers, convert to analog to go across the phone lines and then take that analog convert back to digital for the individual computer systems. Modulator de modulator is what motive stands for.
15:46
All right, so that was a way of taking
15:48
digital signal and running across analog voice lines. But of course, today everything's digital digital, including our phone lines. So now what we want to do is we want to take analog voice and put it on our digital network,
16:02
and we refer to that as telephony and one of the things to really understand. We're not gonna get real in depth and devoid here, but we're gonna just talk about this as a problem that we've already heard again and again and again.
16:15
Voight was not designed securely. VoIP was designed toe work,
16:21
so avoid provides a means for conversion of signal.
16:25
Ah, signal travels through a gateway to connect in tow, larger elements, so to speak. But there's no built in encryption. There's no built in authentication. So what we wind up doing is we wind up coming in and duct taping security on over top.
16:41
There's a protocol called secure Real time protocol
16:45
used to just be RTP, but we have Ellen added encryption elements to make it secure. This is one of the security protocols that provides encryption for voice, voice traffic and what I would also know. The greatest threat to avoid traffic is eavesdropping.
17:03
I would certainly know that's the greatest threat
17:07
wire shark. Really. Any good packet sniffer
17:11
can pick up unencrypted void traffic on the network and allow an attacker to view the contents of that other things. Other issues with VoIP told fraud
17:22
because there's no built in authentication employees or non employees making long distance calls on the company's void network. And I know we all have international calling on our phones. I mean that we all have nationwide calling on our phone today, but international phone calls
17:38
you can rack up a ton of money making international phone calls,
17:44
so why not make it on the company's time and told fraud have just been issues where hundreds of thousands of dollars off false charges or, uh, unauthorized charges have been assigned to companies based on someone misusing their VoIP system.
18:00
What we talked about a lot is the fact that we've traditionally had protocols. We've had software, we've had even hardware that wasn't designed to be secure.
18:11
So we go back in and add security on the back end, A friend of mine says He says security should be baked in, not sprayed on. And I think that's kind of a good analogy because you want to incorporate security into the design and you don't have to duct tape it later. Well, that really
18:30
eyes one of the benefits of I p Version six.
18:33
And I think we've all heard we're goingto i p v six. We're going to I P v six. I have a tail, Yeah, but in this field for over 20 years and I feel like
18:41
I've heard we're going to I P v six. Ever since I've been in the field, that's a little bit of an exaggeration, but we keep hearing it. We keep hearing it, and I have the feeling that some of us are kind of hoping I p v six goes the way of the metric system
18:56
because if you think about the metric system, how many countries in the world are on the metric system?
19:03
Pretty much everybody but us. You know, the occasional country here there, but pretty much we're one of the few nations that's not on the metric system. And honestly, the reason we didn't go to the metric system
19:15
it's hard. It looks hard. It's different than what I already know.
19:21
Um, it's a little more complex than that. Of course, we have tohave new software. We have to have new hardware that use thes new measurements, and that's true of I. P. V six is punches. It is metric. There's obviously a really analogy there. There's expense. There's training, there's reconfiguration.
19:40
So there really are legitimate reasons that we're not
19:42
hurriedly moving towards I. P V. Six. But honestly, to some degree, I think part of the reason is,
19:49
you know, it's 128 bit address. It's written in Colon Hexi decimal.
19:56
So you have this address that's not very user friendly to look at. We'll talk a little bit more about I P v six later on, and I think people kind of dread moving towards it. But one of the things with I p V six is we're gonna be shifting much more toe a dynamic configuration. So it's not like I'm gonna have to walk from host to host a host remembering
20:15
various hexi decimal addresses.
20:18
Necessarily. It's gonna be a very different environment, but I want to point out from a security perspective, I p v six was designed to be secure. I p v six was the format for which I p sec was created. An I. P. SEC was created as a part of I P version six
20:37
and cannot be separated for my p p six.
20:41
Now, I want to say that for test purposes, if you've got a crowbar, you can separate anything. So technically you can have i p v six without I p set
20:51
way beyond the scope of what we do for this examined for this exam. Why would you want to separate the built in security feature? So that's not something we would look into, but I p sec I p Security was designed to provide a framework for security. Service is like encryption, authentication,
21:10
integrity, non repudiation,
21:11
and have it built into the protocol as opposed to something we add on later. Now, because I PVC I'm sorry I p sec was pretty good. We've made it backwards compatible, so you can add I p sec to i p version four. But again, it's an ad on Where's I? P V six is integrated.
21:30
So many people say up, we're going to I p B six because we're running out of I P addresses running out of I P addresses.
21:37
That's not really the case because we have a lot of band aids. We put on the issue of running out of I P addresses. The rial concern is we continue to use a protocol that has no inherent security. So we want to move to a protocol that's more secure
21:55
that is designed to be secure
21:56
and then add security on additionally,
22:00
but to allow it to be secure from design up. So I p version six integration is something that's gonna happen. The government was gonna be i p v six fully compliant by January 1st.
22:11
Think was 2012 not there yet on some organizations are running a dual stack, so they're still running. I pee before, but also fully i p v six capable. We're going to see the shift moving along. It's just something that, because
22:29
originally one of the pushes to Goto I. P v six was we're running out of I p addresses and we really had that imminent need for a larger dressing system. There was a lot more of a rush to move toe I p v six when it was about getting additional addresses. Now that it's just about security,
22:48
we're not so pressed about it.
22:49
Okay, but I P v six really is gonna provide us greater security because it was designed to be secure. Other issues here in relation to the network organizational changes must be documented, must be controlled must be addressed from a security perspective.
23:07
So when we talk about organizational changes, we're not just talking about changes to individual systems.
23:12
We're talking about the company as a whole. What happens if I do merge with another organization? What happens if I'm acquired? What happens if we partner so the ideas as our organization, what happens if if we scale back
23:26
what happens if we grow
23:29
so all those considerations have tohave a specific process, and we have to consider security how these two elements are gonna merge together. And we still maintain the security baselines for both organizations. If we do merge and then data flow how we're gonna enforce
23:47
data flow in such a means that it follows
23:49
the organisation's security policy that we allow access to data to those that are authorized to do so and not toe others. This will be something that will continue to discuss across the next few slides.

Up Next

CompTIA CASP

In our online CompTIA CASP training, you will learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor