Welcome to Cybrary's video series on the CompTIA Security+ 501 certification exam.
I'm your instructor, Ron Woerner.
This video is on section 2.1, covering the installation and configuration of network components, both hardware- and software-based, to support organisational security.
This is part of Domain 2 on technologies and tools.
Please see the domain Introduction video and the video on Networking Basics.
This section has a lot to cover.
We'll be talking about the different types of network components like routers and switches, proxies, load balancers,
firewalls, intrusion detection and prevention systems, VPN concentrators, security information and event management (SIEM) systems, mail and media gateways, and hardware security modules.
It's a lot to cover, so this series will be split into three parts.
Before we can dive into the world of network security, you need to understand basic components and functions on the network.
In Part one, I'll cover common network devices like routers, switches, bridges, proxies, load balancers and wireless access points.
We'll start by talking about network routers.
The primary instrument used for connectivity between two or more networks is the router.
Routers work by providing a path between networks.
A router has two connections that are used to join the networks. Each connection has its own address, sometimes more, and appears as a valid address in its respective network.
Most routers can be configured to operate as a packet-filtering firewall using access control lists. Many of the newer routers also provide advanced firewall functions.
Routers operate at layer 3, the network layer, and they store information about network destinations within routing tables.
A border router works on the outside of a corporation's network and provides the connectivity between the internal LAN and the external network.
Router security is provided through access control lists, zones, and anti-spoofing technology.
Access control lists filter packets by source address, destination address, protocol, or port.
For example, you could block a certain set of IP addresses using your router.
You can also establish zones within your router, segmenting networks based on functionality or security.
Routers can also be connected internally to other routers, effectively creating zones that operate autonomously.
Anti-spoofing means creating a set of access list entries that deny packets arriving from the Internet whose source is a private IP address or a localhost range, so that, for example, nobody can spoof an internal IP address from outside the network.
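To make the ACL and anti-spoofing discussion concrete, here is an added Python example (not code from the video or from Cybrary) that evaluates a small, constructed border-router ACL the way a packet filter does: first match wins, anti-spoofing deny entries come first, and anything unmatched falls through to an implicit deny. The interface names, rule layout and addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Router-style ACL evaluation with anti-spoofing entries (added example, constructed rules)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Source ranges that must never arrive on the outside interface: RFC 1918
# private space plus loopback and "this network". Any such packet is treated as spoofed.
ANTI_SPOOF_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp
    ingress: str          # interface the packet arrived on: "outside" or "inside" (assumed names)


# Each rule is (action, ingress, src_net, dst_net, proto, dport); "any" is a wildcard.
Rule = Tuple[str, str, object, object, object, object]


def anti_spoof_rules():
    """Deny entries placed first: private/loopback sources are never valid from outside."""
    return [("deny", "outside", net, "any", "any", "any") for net in ANTI_SPOOF_NETS]


# Constructed ACL for a border router: anti-spoofing, one blocked Internet range,
# one permitted inbound service (HTTPS to an internal host), and free egress.
ACL = anti_spoof_rules() + [
    ("deny",   "outside", ip_network("203.0.113.0/24"), "any", "any", "any"),
    ("permit", "outside", "any", ip_network("192.168.1.10/32"), "tcp", 443),
    ("permit", "inside",  "any", "any", "any", "any"),
]


def _matches(field, value) -> bool:
    if field == "any":
        return True
    if isinstance(field, IPv4Network):
        return ip_address(value) in field
    return field == value


def evaluate(pkt: Packet, acl=ACL) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index), or ('deny', None)
    for the implicit deny at the end of the list."""
    for idx, (action, ingress, src, dst, proto, dport) in enumerate(acl):
        if (ingress == pkt.ingress and _matches(src, pkt.src) and _matches(dst, pkt.dst)
                and _matches(proto, pkt.proto) and _matches(dport, pkt.dport)):
            return action, idx
    return "deny", None


def is_spoofed(pkt: Packet) -> bool:
    """True when the packet was dropped by one of the anti-spoofing entries."""
    action, idx = evaluate(pkt)
    return action == "deny" and idx is not None and idx < len(ANTI_SPOOF_NETS)


if __name__ == "__main__":
    for p in (Packet("10.1.2.3", "192.168.1.10", "tcp", 443, "outside"),
              Packet("198.51.100.5", "192.168.1.10", "tcp", 443, "outside"),
              Packet("198.51.100.5", "192.168.1.10", "tcp", 22, "outside")):
        print(p.src, "->", p.dst, evaluate(p), "spoofed" if is_spoofed(p) else "")
```

The rule index returned by `evaluate` is what you would log to see which entry fired, which is how you verify that an anti-spoofing entry, rather than the general blocklist, is catching a packet with a private source address on the outside interface.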
These are all security features you should be looking for in your routers.
Switches are the most common choice for connecting desktops to a network.
A switch connects devices within a computer network. Contrast that with routers, which connect networks together.
A network switch is a small hardware device that centralizes communications among multiple connected devices within one local area network. It does this by using packet switching to receive, process, and forward data from the source device to the destination device. Switches can work at either layer 2, the data link layer, or layer 3, the network layer.
Packet forwarding decisions are made on the switch based on media access control (MAC) addresses.
To review, the basic functions of a switch are filtering and forwarding frames, learning MAC addresses, and preventing loops.
Let's talk about some switch security.
Switches can be used to provide layers of security within a network. For example, virtual LANs, or VLANs, are designed to properly segment the network virtually rather than using separate physical switches; with VLANs you can do it within and across multiple switches.
Port security is a layer 2 traffic control feature on switches. It enables individual switch ports to be configured to allow only a specified number of source MAC addresses to come in through that port.
Its primary use is to keep two or three users from sharing a single access port.
Port security can be configured to take one of three actions on a violation: the default shutdown mode, protect mode, or restrict mode.
Port security is a deterrent, but not a reliable security feature.
MAC addresses can be spoofed, and multiple hosts can still easily be hidden behind a small router. Switches also protect against looping.
When data units can travel from a first LAN segment to a second LAN segment through multiple paths, it's considered a loop, and this can happen on switches or bridges.
The solution is using Spanning Tree Protocol (STP), which is a link management protocol that provides path redundancy while preventing undesirable loops in the network. Be familiar with looping and how Spanning Tree Protocol protects against it on switches.
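The port security behaviour described above (a MAC limit per port with shutdown, protect and restrict violation modes) is easy to misread from the mode names alone, so here is an added Python simulation of it. This is example code written for this page, not Cybrary's or any switch vendor's code; the port name, the three-frame stream and the exact bookkeeping (shutdown err-disables the port, restrict drops and counts, protect drops silently) are assumptions that follow the text.

```python
"""Switch port security simulation: MAC limit with shutdown, protect and restrict
violation modes (added example; the frame stream is constructed)."""
from typing import Dict, List


class SecurePort:
    """One access port with port security enabled."""

    def __init__(self, name: str, max_macs: int = 1, mode: str = "shutdown"):
        if mode not in ("shutdown", "protect", "restrict"):
            raise ValueError(f"unknown violation mode: {mode}")
        self.name = name
        self.max_macs = max_macs
        self.mode = mode
        self.learned: set = set()   # source MACs allowed through this port
        self.err_disabled = False   # True once shutdown mode has tripped
        self.violations = 0         # counted/logged events (restrict and shutdown only)
        self.dropped = 0

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame; return 'forward' or 'drop'."""
        if self.err_disabled:
            self.dropped += 1
            return "drop"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_macs:
            self.learned.add(src_mac)      # learn a new MAC while under the limit
            return "forward"
        # Over the limit: a violation. What happens next depends on the mode.
        self.dropped += 1
        if self.mode == "shutdown":
            self.err_disabled = True       # port goes err-disabled; even the learned host is cut off
            self.violations += 1
        elif self.mode == "restrict":
            self.violations += 1           # drop, but count and log it
        # "protect" drops silently with no counter
        return "drop"


def simulate(mode: str, frames: List[str], max_macs: int = 1) -> Dict[str, object]:
    """Run a frame stream through a port in the given mode and summarise the outcome."""
    port = SecurePort("Gi0/1", max_macs=max_macs, mode=mode)   # port name is assumed
    results = [port.receive(mac) for mac in frames]
    return {"results": results, "err_disabled": port.err_disabled,
            "violations": port.violations, "dropped": port.dropped,
            "learned": sorted(port.learned)}


# Constructed stream: the legitimate host, a second host plugged into the same
# port, then the legitimate host again.
FRAMES = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:01"]

if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        print(mode, simulate(mode, FRAMES))
```

Running the three modes over the same stream shows the operational difference: only shutdown mode also cuts off the legitimate host's third frame, which is why it is the safest default but also the one that generates help-desk tickets. The check is keyed purely on the source MAC, so, as the text warns, a second device presenting the learned address is indistinguishable from the real one; port security is a deterrent, not an authentication mechanism.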
A flood guard is an advanced firewall feature used to control network activity associated with DoS and DDoS attacks. Flood guard controls how the authentication, authorization and accounting (AAA) service handles bad login attempts that are tying up network connections.
It allows the firewall's resources to be automatically reclaimed if the authentication subsystem runs out of resources, thereby defeating DoS and DDoS attacks. For example, remember the three-way handshake: SYN, SYN-ACK, ACK. If I keep sending SYNs and never complete the handshake, that's a flood.
Flood guards protect against that.
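To show what a flood guard is actually counting, here is an added Python example (written for this page, not from the video) that replays a constructed connection log, tracks handshakes that reached SYN but never ACK per source address, flags sources over a threshold, and optionally reclaims stale half-open entries the way the text describes the firewall reclaiming resources. The log format, the threshold and the timeout are assumptions for the example.

```python
"""Flood-guard style detection: count half-open (embryonic) TCP handshakes per
source and reclaim stale ones (added example; the log lines are constructed)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed connection log: "timestamp client server flag", client/server as ip:port.
LOG: List[str] = [
    "1.000 198.51.100.7:51000 192.168.1.10:443 SYN",
    "1.010 192.168.1.10:443 198.51.100.7:51000 SYN-ACK",
    "1.020 198.51.100.7:51000 192.168.1.10:443 ACK",
]
# A burst of SYNs from one source that never completes the handshake.
LOG += [f"{2.0 + i * 0.01:.3f} 203.0.113.9:{40000 + i} 192.168.1.10:443 SYN" for i in range(20)]
LOG += [
    "9.000 198.51.100.8:52000 192.168.1.10:443 SYN",
    "9.010 192.168.1.10:443 198.51.100.8:52000 SYN-ACK",
    "9.020 198.51.100.8:52000 192.168.1.10:443 ACK",
]


def analyze(lines: List[str], threshold: int = 10,
            timeout: Optional[float] = None) -> Tuple[Dict[str, int], Dict[str, int], int]:
    """Replay the log. Returns (half-open count per source ip, offenders over the
    threshold, number of stale entries reclaimed). With a timeout, entries older
    than timeout seconds at the end of the log are reclaimed, as a flood guard would."""
    pending: Dict[Tuple[str, str], float] = {}   # (client, server) -> time of the SYN
    last_ts = 0.0
    for line in lines:
        ts_s, a, b, flag = line.split()
        ts = float(ts_s)
        last_ts = max(last_ts, ts)
        if flag == "SYN":
            pending[(a, b)] = ts              # client opened a handshake
        elif flag == "ACK":
            pending.pop((a, b), None)         # client completed it
        # SYN-ACK is the server's reply; it does not change the client's state

    reclaimed = 0
    if timeout is not None:
        stale = [k for k, t in pending.items() if last_ts - t > timeout]
        for k in stale:
            del pending[k]                    # free the embryonic connection
        reclaimed = len(stale)

    half_open: Dict[str, int] = defaultdict(int)
    for client, _server in pending:
        half_open[client.rsplit(":", 1)[0]] += 1
    offenders = {ip: n for ip, n in half_open.items() if n > threshold}
    return dict(half_open), offenders, reclaimed


if __name__ == "__main__":
    print("no timeout:", analyze(LOG))
    print("5 s timeout:", analyze(LOG, timeout=5.0))
```

Two runs make the point of the passage: without a timeout the flooding source holds twenty half-open slots and is flagged, while with a five-second embryonic timeout those slots are reclaimed and the legitimate clients, whose handshakes completed, never appear in the table at all.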
The last network device you might find on your network is a bridge, which connects two different physical networks using layer 2.
Bridges have basically been replaced by switches. Loops can also occur on bridges, just as they happen on switches.
A common challenge we found in the earlier days of the Internet was running out of IP version 4 network addresses.
This was solved partially by NAT, Network Address Translation.
It also provides a layer of security by hiding internal IP addresses from external networks.
NAT is a method of remapping one IP address space, say, coming in from the Internet, into another by modifying the network address information in the IP header of packets while they're in transit across traffic routing devices. So, as you see on your screen, the example goes from the Internet to internal.
The address is translated from the Internet address to an internal address space.
I suggest you try this yourself by using the ifconfig command or ipconfig on your local workstation to find your IP address, and you'll see it's different than your Internet address. That's a result of Network Address Translation.
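The remapping described above is easiest to see as a translation table, so here is an added Python model of port-overloaded NAT (one public address shared by many inside hosts). It is example code for this page, not Cybrary's or any vendor's implementation; the public address, the port range and the inside hosts are constructed. It also shows the security property the text mentions: an inbound packet that no inside host solicited has no table entry and is dropped.

```python
"""Port address translation table for a border device: outbound flows get a public
port, unsolicited inbound packets have no entry and are dropped
(added example; addresses are constructed documentation ranges)."""
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


class Nat:
    def __init__(self, public_ip: str, port_start: int = 40000):
        self.public_ip = public_ip
        self._next_port = port_start                       # assumed allocation: sequential
        self.outbound: Dict[Flow, int] = {}                # inside flow -> public port
        # (public port, remote ip, remote port) -> (inside ip, inside port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Flow:
        """Rewrite the source of an inside->Internet packet; allocate a port on first use."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        public_port = self.outbound.get(flow)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self.outbound[flow] = public_port
            self.inbound[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def translate_inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Flow]:
        """Rewrite the destination of an Internet->inside packet, or return None
        (drop) when no inside host opened a matching flow."""
        inside = self.inbound.get((dst_port, src_ip, src_port))
        if inside is None:
            return None
        inside_ip, inside_port = inside
        return (src_ip, src_port, inside_ip, inside_port)


if __name__ == "__main__":
    nat = Nat("198.51.100.1")
    print(nat.translate_outbound("192.168.1.20", 5000, "203.0.113.50", 443))
    print(nat.translate_outbound("192.168.1.21", 5000, "203.0.113.50", 443))
    print(nat.translate_inbound("203.0.113.50", 443, 40001))
    print(nat.translate_inbound("203.0.113.50", 443, 40005))   # None: nobody asked for this
```

The two inside hosts both use source port 5000, which is exactly the collision a single public address has to resolve; the table gives each flow its own public port and keys the reverse lookup on the remote host as well, so only the peer an inside host actually talked to can reach back through that port.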
Another type of network device that provides a layer of security at the network boundary is known as a proxy. It's a boundary device between internal and external networks.
It routes packets on behalf of something internal. A proxy is any device that acts on behalf of others. It can be done for security, logging, or caching.
For example, rather than continually going out to Google or cybrary.it and using up network resources, that site can be cached by a proxy. When someone internally goes out to that website, they might actually be going to the proxy and pulling down that cache.
A proxy server can be used to block known malicious websites based on the URL or a particular category.
A forward proxy retrieves data on behalf of the client. The example I just used is a forward proxy, where it's pulling information from well-known websites to be used by internal resources, thereby reducing network load.
A reverse proxy protects access to a server on the internal network when the request is coming from the outside looking inside. It could be a proxy along the lines of a web application firewall.
A transparent proxy, also known as an intercepting, inline, or forced proxy, is a caching server that redirects client requests without modifying them, solely to reduce bandwidth usage.
Familiarize yourself with these different forms and functions of network proxies.
A load balancer is another type of network device, and it's implemented as either software or hardware. It's usually associated with another device: a router, a switch, a network address translation appliance, and so on.
In its most common implementation, a load balancer splits the traffic intended for a website into individual requests that are then rotated to redundant servers as they become available.
If a server that should be available is busy or down, it can be taken out of the rotation.
You see on your screen different benefits of a load balancer: reducing the response time, maximizing throughput,
and allowing for better allocation of resources.
Scheduling and balancing network traffic is a key issue with load balancing. Its job is to determine how to split up the work and distribute it across multiple redundant servers.
There are multiple methods for distributing the load.
First is round robin, which just takes turns in a circular pattern: server 1, server 2, server 3, and so on.
With affinity, or sticky sessions, requests from a client are sent to a specific application server, so with affinity scheduling you're always stuck going to that one particular application server.
Least connections takes the server that's least busy and distributes your load to it.
Lastly, there is random, where the load balancer will just pick at random which server it wants to send the traffic to.
With active-active load balancing, the servers work together, so if one fails it will fail over automatically to the other.
With active-passive, all traffic goes to an active server. If that active server goes down, traffic will be automatically redistributed to the passive server.
With virtual IPs (VIPs), at least one physical server is assigned,
but more than one virtual IP address can also be assigned.
Be aware of these different functions of load balancing.
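The four scheduling methods just listed, plus taking a busy or down server out of the rotation, fit in one small scheduler, so here is an added Python example of them. It is written for this page and is not Cybrary's code or any product's algorithm; the server names, client identifiers and the choice to fall back to round robin for a sticky client's first visit are assumptions.

```python
"""Load balancer scheduling: round robin, least connections, affinity (sticky)
and random, with unhealthy servers taken out of rotation (added example;
server names and clients are constructed)."""
import random
from typing import Dict, List, Optional


class LoadBalancer:
    METHODS = ("round_robin", "least_connections", "affinity", "random")

    def __init__(self, servers: List[str], method: str = "round_robin", seed: Optional[int] = None):
        if method not in self.METHODS:
            raise ValueError(f"unknown method: {method}")
        self.servers = list(servers)
        self.method = method
        self.healthy: Dict[str, bool] = {s: True for s in servers}
        self.active: Dict[str, int] = {s: 0 for s in servers}   # open connections per server
        self.affinity: Dict[str, str] = {}                       # client -> pinned server
        self._rr = 0                                             # round-robin cursor
        self._rng = random.Random(seed)                          # seed only for reproducible demos

    def set_health(self, server: str, up: bool) -> None:
        """Health-check result: a down server leaves the rotation immediately."""
        self.healthy[server] = up

    def pool(self) -> List[str]:
        return [s for s in self.servers if self.healthy[s]]

    def _round_robin(self) -> str:
        for _ in range(len(self.servers)):
            s = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            if self.healthy[s]:
                return s
        raise RuntimeError("no healthy servers")

    def pick(self, client: Optional[str] = None) -> str:
        """Choose a server for one request and count the connection against it."""
        pool = self.pool()
        if not pool:
            raise RuntimeError("no healthy servers")
        if self.method == "round_robin":
            s = self._round_robin()
        elif self.method == "least_connections":
            # least busy wins; ties go to the lower-numbered server
            s = min(pool, key=lambda x: (self.active[x], self.servers.index(x)))
        elif self.method == "affinity":
            key = client or ""
            s = self.affinity.get(key)
            if s is None or not self.healthy[s]:      # first visit, or the pinned server is down
                s = self._round_robin()               # assumed: initial placement by round robin
                self.affinity[key] = s
        else:
            s = self._rng.choice(pool)
        self.active[s] += 1
        return s

    def release(self, server: str) -> None:
        """A connection finished; free its slot for least-connections accounting."""
        self.active[server] -= 1


if __name__ == "__main__":
    lb = LoadBalancer(["web1", "web2", "web3"])
    print([lb.pick() for _ in range(4)])   # circular: web1, web2, web3, web1
    lb.set_health("web2", False)
    print([lb.pick() for _ in range(3)])   # web2 is skipped until it passes a health check
```

Note what the affinity branch does when the pinned server fails its health check: the client is re-placed on a healthy server and the pin is moved, which is the behaviour you want from a sticky configuration but also the moment any server-side session state that was not shared is lost.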
Access points are another common network device, normally associated with WiFi. Wireless access points, or WAPs, are at layer 2, the data link layer, of the OSI model.
They can operate as a bridge, connecting a shared wired network to wireless devices, or as a router, passing data transmissions from one access point
to another. Routers connect networks.
A wireless access point consists of a transmitter and a receiver, or transceiver. It's the device used to create a wireless LAN, or WLAN.
A centralized access controller, or AC, is capable of providing management, configuration, encryption, and policy settings for all wireless LAN access points within a corporate network.
The level of control and management options an AC, or access controller, needs to provide depends on the type of access points the organization implements.
Three main types of wireless access points exist: fat, fit, and thin.
Fat wireless access points are also sometimes called intelligent access points because they're all-inclusive. They contain everything needed to manage wireless clients, such as ACLs, quality of service functions, VLAN support, and band steering.
Fat APs can be used as standalone access points and do not need an access controller.
However, this capability makes them costly because they're built on powerful hardware and require complex software.
A fit access point is a scaled-down version of a fat AP and uses an access controller for control and management functions.
A thin access point is nothing more than a radio and antenna controlled by a wireless switch. Thin access points are sometimes called intelligent antennas. A thin access point has minimal functionality, so a controller is required. Thin APs are simple, do not require complex hardware,
and can be a lot more cost effective.
Access points can be either controller-based or standalone. If they require that access controller, like fit or thin APs, then they're controller-based;
fat APs can be standalone.
There are different methods for managing wireless access points and providing for their security.
The first are SSIDs, or service set identifiers.
These are basically the name of the wireless access point. They can be common within a corporation if those wireless access points have a centralized access controller.
An SSID can be set to either broadcast, so everyone can see it, or cloaked, meaning hidden, so it's not seen. Even hidden SSIDs can be determined. Another WiFi security feature is MAC filtering. You can
allow only specific devices onto your WiFi network based on their MAC address.
Review the concept of the MAC address on NICs if you're not familiar with it.
It's the specific layer 2 address for devices, and you can use that to limit who can access a particular WiFi network. This is something you could even do at home.
Signal strength is another management and security feature of WiFi access points. You want to make sure you limit the signal strength. You don't want signal to be leaking outside of your borders, outside of your office, outside of your apartment or home, so you can limit the signal strength.
You can also determine the band or bandwidth to be used, using one of the specific channels.
Lastly, you can use different types of antennas, either omnidirectional, meaning the signal goes everywhere, or directional, meaning you focus where the signal goes.
Normal WiFi access points are omnidirectional; think of them like a sphere, which means the signal goes up, down, and sideways. You can use all these different features to better secure your wireless access point and your network.
On your screen, you see the differing WiFi standards from IEEE 802.11 and how they have different capabilities and signal strength as well as bands.
Review this as you're studying for your Security+ exam, and look at your own wireless connectivity to see what IEEE standard you use. In this video, I explained some common network components, such as routers, switches, bridges, proxies, load balancers, and wireless access points.
Let's practice on a few sample quiz questions.
This condition exists when data units can travel from a first LAN segment to a second LAN segment through more than one path, and is solved by STP.
The answer is D, looping.
STP, Spanning Tree Protocol, is used on bridges and on switches to prevent looping.
This concludes part one of section 2.1, covering the installation and configuration of network components, hardware- and software-based, to support organisational security.