Enterprise Computing (part 7.2) Secure Infrastructure Design

Video Description

This lesson focuses on secure infrastructure design and where to place security devices (e.g., firewalls) within a building. This lesson also discusses advanced configuration parameters:

  • Transport Security
  • Trunking Security
  • Route protection

This lesson concludes with advanced authentication concepts and how they can keep networks secure and a review of the previous lessons.

Video Transcription
Now, within the internal portions of your building, you've got to consider where you're going to place your security devices. Firewalls, for instance. Firewalls are generally used to separate out trusted from untrusted. So the ultimate untrusted entity is the Internet. No traffic should come towards your network from the Internet without some degree of inspection. Usually, a firewall is used to isolate your DMZ, your demilitarized zone. That's where you have your web servers and those servers that you want to be publicly available. The DMZ is generally considered to be semi-trusted. You've got Internet, firewall, semi-trusted network, then you go through another firewall before access to your internal LAN environment. You may have layers of firewalls, and it certainly would be a good idea to do so.

One of the things that we talk about is a diversity of equipment, specifically vendor diversity of security devices. So, for instance, if I have an ASA firewall between me and the Internet, I would have a different vendor's firewall between the DMZ and my internal network, because if there's a compromise that's published for the ASA firewall and all the firewalls in my network use ASAs, then obviously all my defensive mechanisms, all my firewalls, really can all be thwarted instead of just one. So we like vendor diversity.

Other security devices: proxy servers. Sometimes firewalls run proxy services. As a matter of fact, a lot of times you'll hear of an application proxy, and that's really just a high-level firewall. But proxy servers are generally used, when we talk about proxies, to inspect outgoing traffic, and can also be used to inspect incoming traffic. So from an outgoing traffic perspective, all my users' web requests I want to inspect, and restrict what users do and where they go on the web. So maybe I want to prevent them from downloading software that hasn't been digitally signed by a trusted authority. Maybe I want to keep my users off the Internet after 8 p.m. Maybe I want to keep them from going to sites with violent content, whatever that might be. Proxy servers would be another device that would do that for me.

Other security devices: routers, in their very basic sense, can provide packet filtering services like firewalls. As a matter of fact, routers really were the original firewalls, because we used access control lists on our routers to restrict what traffic comes and goes. Other devices like network access control devices. I may have mentioned this the other day, but network access control devices, rather than allowing any system to join the domain just based on rights and permissions, network access control requires clients to be healthy before connecting to the network. So, for instance, do you have an antivirus program? Is it up to date? Have you patched your system? Do you have any spyware? Do you have firewalls? So there are all sorts of security devices that you would consider.

Other advanced configuration parameters: transport security. You know, when we talk about data, we think about data at rest, we think about data in process, and data in transport. So when we talk about transport security, IPsec: while data is traversing the network, is it protected? SSL and TLS: when you're making secure connections to the Internet, is your data protected? So not just protected while at rest on your system, but is it protected in transit?

I may have mentioned trunking security, and I'm pretty sure that I did earlier. Going back to the idea of VLANs, trunking is a means of connecting or spanning VLANs across multiple switches or perhaps routers. So there's a dynamic trunking protocol that learns as certain devices get added to the network. And we want to make sure, if we're allowing this dynamic trunking protocol to be implemented and to work, because it does save us time and effort, that we monitor it closely. Anytime you allow dynamic protocols, you run the risk of security issues, and then with routers as well. Routers learn the network from other routers. Well, we need to make sure that the other routers are trustworthy and that the routes are legitimate. You know, sometimes you hear ideas of route poisoning, and most routers, through their routing protocols, have security mechanisms that you can implement. Obviously, I don't want my router to learn from just any connected resource what path to go to get to the Internet or to get to my other office. So we want to just maintain close security. We want to audit. We want to limit physical access to some of these devices, just to provide that additional layer of security.

Now, the last little thing in this chapter talks about some ideas with authentication. Now, we could spend a lot of time on authentication, and we will in later chapters, and just talk about users authenticating. But this particular slide talks more about authentication protocols across the Internet, primarily with the idea of single sign-on. And to refresh your memory, single sign-on means let me provide one set of credentials and I can access resources across multiple domains, or perhaps across multiple domains across the Internet, based on that single set of authentication mechanisms. This is used when you access Pandora with your Facebook account, for instance. Pandora and Facebook really don't have anything to do with each other. They're separate entities. But the fact that authentication requests can be passed along to a backend Facebook server requires a federated trust relationship.

What it also requires is the use of standards-based formats like, for instance, XML, Extensible Markup Language, and really where these ideas of single sign-on have really blossomed comes from the development and the implementation of XML. Traditionally, different types of databases stored their information differently. Every database kind of did its own thing. We had proprietary storage formats. But with the advent of and the implementation of XML, which is a universal data storage format, data can be stored in this universal format that can be exchanged rapidly and easily from vendor to vendor. So XML is the format in which data is stored, and every database today can use XML. And again, I hate the word "every," but you get the gist of what I'm saying. And then we have additional protocols like XACML, SAML, SPML and SOAP. And these protocols provide certain services with that exchange of information.

For instance, SAML, Security Assertion Markup Language. This is what allows the exchange of authentication credentials across a federated trust. So this is the security piece, the authentication piece. Now XACML, the phrase I would have is access control. So this is kind of a hierarchical, standard way of organizing the structure to grant permission to access resources. So okay, I've logged in with my credentials. What do I have access to? That's where XACML comes in. It's based on a rule set, and the collection of rules pulled together are known as policies. But XACML, so where SAML is about authentication, this is more about access control. What can a subject do to an object? So that's what it's broken down to: subject, which is the active entity. The object is known as a resource. It's what I'm trying to read, for instance, or trying to access. And then what I do to that resource is my action: read, delete, write, whatever that would be. So that's kind of the heart and soul of XACML.

SOAP kind of goes along here as well. That allows the exchange of messages from one platform to another. It's sort of this generic sort of protocol or language that's understood across many different platforms. And then you have SPML. That's used for provisioning. It's a way of tracking what resources a subject would have access to. It's a way of controlling that access in an automated fashion. So you have all of these different protocols that come together that really are the basis for single sign-on. But of course, the predecessor to single sign-on was just simply a federated trust environment, and these were the protocols and the languages really that make that work.

So this particular chapter, Enterprise Security, is every bit as large and every bit as diverse as you would expect it to be with a name like Enterprise Security. We've looked at virtualization. We've looked at standards-based formats and elements to exchange data. We've looked at storage solutions, network-attached storage, storage area networks. We've talked about network devices like hubs, switches, routers, VLANs, layer 3 switches. We've covered a ton of material. Out of all the domains that we will cover, this is the single largest domain on the exam. So you definitely want to take your time, go back and review. And if there was any material that I moved through quickly, go back, rewind, sit through it again. Take notes based on the slides. Make sure that you're solid on this topic. Big, big, big on the exam. So I wish you well with it.
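The subject / resource / action model the transcript describes for XACML, worked through in code as an added example (this is not the instructor's material and not a real XACML engine). The policy XML is a constructed, cut-down imitation of XACML's Policy / Rule / Target layout with hypothetical attribute names (role, employment, type, name); it is not schema-conformant XACML. What the paragraph alone does not show is why the rule-combining algorithm matters: the same request can be permitted or denied depending on whether the policy is evaluated deny-overrides, permit-overrides or first-applicable.

```python
"""Subject / resource / action policy evaluation in the style of XACML.

Added example, not the instructor's material. The policy below is a
constructed, cut-down imitation of XACML's Policy / Rule / Target layout
(hypothetical attribute names, not schema-conformant XACML), kept small so
the rule-combining behaviour is easy to follow.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy: two Permit rules and one Deny rule.
POLICY_XML = """
<Policy PolicyId="employee-records" RuleCombiningAlgId="deny-overrides">
  <Rule RuleId="hr-may-read" Effect="Permit">
    <Target>
      <Subject role="hr"/>
      <Resource type="employee-record"/>
      <Action name="read"/>
    </Target>
  </Rule>
  <Rule RuleId="hr-manager-may-write" Effect="Permit">
    <Target>
      <Subject role="hr-manager"/>
      <Resource type="employee-record"/>
      <Action name="write"/>
    </Target>
  </Rule>
  <Rule RuleId="contractors-denied" Effect="Deny">
    <Target>
      <Subject employment="contractor"/>
      <Resource type="employee-record"/>
    </Target>
  </Rule>
</Policy>
"""


def _target_part_matches(part, attrs):
    """A missing Subject/Resource/Action element constrains nothing; an element
    that is present matches only if every attribute it names is present in the
    request with the same value."""
    if part is None:
        return True
    return all(attrs.get(name) == value for name, value in part.attrib.items())


def rule_applies(rule, request):
    """True when the rule's Target matches the request's subject, resource and action."""
    target = rule.find("Target")
    if target is None:
        return True
    return (
        _target_part_matches(target.find("Subject"), request["subject"])
        and _target_part_matches(target.find("Resource"), request["resource"])
        and _target_part_matches(target.find("Action"), request["action"])
    )


def applicable_rules(policy_xml, request):
    """Return [(RuleId, Effect), ...] for the rules whose Target matches, in policy order."""
    policy = ET.fromstring(policy_xml)
    return [
        (rule.get("RuleId"), rule.get("Effect"))
        for rule in policy.findall("Rule")
        if rule_applies(rule, request)
    ]


def evaluate(policy_xml, request, combining_alg=None):
    """Return 'Permit', 'Deny' or 'NotApplicable'.

    combining_alg overrides the policy's RuleCombiningAlgId so one request can
    be evaluated under several algorithms. Real XACML also yields
    'Indeterminate' on evaluation errors; that case is omitted here."""
    policy = ET.fromstring(policy_xml)
    alg = combining_alg or policy.get("RuleCombiningAlgId")
    effects = [effect for _, effect in applicable_rules(policy_xml, request)]
    if not effects:
        return "NotApplicable"
    if alg == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    if alg == "permit-overrides":
        return "Permit" if "Permit" in effects else "Deny"
    if alg == "first-applicable":
        return effects[0]
    raise ValueError(f"unknown rule-combining algorithm: {alg}")


if __name__ == "__main__":
    # Constructed requests: same role, different employment attribute.
    staff = {"subject": {"role": "hr", "employment": "staff"},
             "resource": {"type": "employee-record"},
             "action": {"name": "read"}}
    contractor = {"subject": {"role": "hr", "employment": "contractor"},
                  "resource": {"type": "employee-record"},
                  "action": {"name": "read"}}
    print(evaluate(POLICY_XML, staff))                         # Permit
    print(evaluate(POLICY_XML, contractor))                    # Deny (deny-overrides)
    print(evaluate(POLICY_XML, contractor, "first-applicable"))  # Permit (rule order wins)
```

The contractor request matches both the Permit rule for HR readers and the Deny rule for contractors; under deny-overrides the Deny wins, under permit-overrides the Permit wins, and under first-applicable whichever rule appears first in the policy decides. When reviewing a real policy set, check the combining algorithm before reading the rules, since a deny rule placed after a broad permit does nothing under first-applicable.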