Now that we know how proxies, firewalls and subnetting work, we explore in detail how the network infrastructure is designed for both internal and external purposes. In this network design elements and components lesson, you'll observe how to correctly diagram a network infrastructure, why components are strategically placed, the where and why of the placement of certain network and security components, and how this configuration impacts remote access.

We will now be looking at section 1.3 of the syllabus. This has to do with explaining network design elements and components: what the design is, the strategy for the design, and what components we use to achieve these strategic designs.

The first item we look at is the DMZ (demilitarized zone). Organizations have their internal network. This is the internal network to this organization, and this is the public network. We implement firewalls as the first line of defense. On this network, this organization has a web server. It is bad practice to put the web server on the internal network because someone coming in across the internet would have access to that server on the inside of your network. It is also possible for them to have access to all of these other servers. What you do is put that server in a zone protected by firewalls. In this scenario, a user coming across the internet can only come into this web server. This could be an online business, for example: we need your money, but we don't trust you, so we will put the server here in what is called the DMZ, the demilitarized zone. It is a zone that you allow only trusted persons into on your network without granting them access to your internal network. These firewalls will prevent traffic from the public coming into the internal network. This helps make the server available to users online, but they have no access to your internal network, and this is what we call the demilitarized zone.
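The zone rules described above can be written down and checked mechanically. The following is an added example, not part of the original lesson: the address ranges, the port numbers and the rule format are assumptions chosen for illustration.

```python
import ipaddress

# Constructed addressing plan (assumption): the zones from the lesson.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
}

def zone_of(addr):
    """Map an address to its zone; anything unlisted is the public internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# Constructed rule set, first match wins: (action, src zone, dst zone, dst port).
# None is a wildcard. The last rule is the default deny.
RULES = [
    ("allow", "internet", "dmz", 443),        # the public may reach the web server
    ("allow", "internal", "dmz", 443),        # internal staff may reach it too
    ("allow", "internal", "internet", None),  # internal users may browse out
    ("deny", None, None, None),
]

def decide(src, dst, port, rules=RULES):
    """Return the action of the first rule that matches this flow."""
    s, d = zone_of(src), zone_of(dst)
    for action, rs, rd, rp in rules:
        if rs in (None, s) and rd in (None, d) and rp in (None, port):
            return action
    return "deny"

def audit(rules):
    """Flag allow rules that let the internet or the DMZ into the internal zone."""
    findings = []
    for index, (action, rs, rd, rp) in enumerate(rules):
        if action != "allow":
            continue
        reaches_internal = rd in (None, "internal")
        from_untrusted = rs in (None, "internet", "dmz")
        if reaches_internal and from_untrusted:
            findings.append((index, rs, rd, rp))
    return findings
```

`audit` inspects each rule on its own, so it also reports an over-broad allow rule that an earlier deny happens to shadow.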
Some organizations will put their web servers in a DMZ, and their e-mail servers in a DMZ so that staff working from home can also access the e-mail server. Internal staff could also have access to such servers. This is a DMZ.

Another item we look at is remote access. Periodically, some of our staff might be required to work from home, or work from other organizations to which we offer service. These people will be connecting remotely to the internal systems on our networks, so if we must do remote access, we want to ensure that our communications are going via a VPN, a Virtual Private Network, across the internet. This guarantees confidentiality for traffic as it moves across the network, the internet. We would also want to ensure that, for people connecting remotely, we have servers in place: remote access servers that do authentication. Authentication is the process by which the system verifies that a user is who they say they are. We want to authenticate all users connecting remotely so that we can say that our users are the ones connecting to our networks. We don't want unauthorized persons connecting to our networks. So, for remote access we will implement these technologies to guarantee who has access to our networks.

Another topic we look at in this section is telephony. At some point in time, users internal to the organization might need to correspond with users or customers outside the organization, so telephones come into use. Best practice should be followed within the organization. If we have desktop phones, phones in the conference rooms, phones on the desktops of all our users, we should have secure codes such that if people are on the inside and need to make calls, they have to punch in particular codes. This way, we can monitor who has use of such resources. You don't want people coming into the network, picking up any phone and making a long distance call, so each user should have an access code that authorizes calls out of the network.
We also have VoIP, Voice over Internet Protocol. Organizations are embracing this technology these days to lower their phone bills. We digitize our voice packets and move them on the same data networks that we have in place. The reliance on regular phone networks will then reduce, lowering our overheads. However, whether we are using desktop phones or VoIP solutions, best practice is that we do voice encryption. If we can encrypt our data packets to guarantee confidentiality, it is also good practice to encrypt our voice packets. This way, malicious persons cannot eavesdrop on our voice communications.

There are all sorts of attacks. One type of attack is called war dialing. Some organizations connect to the internet via telephone lines, and they use modems to modulate the traffic coming from the systems, move it into analogue signals on the telephone lines and then demodulate it at the other end for their computers. What malicious persons could do is load banks of numbers into software on their machines and call numbers within an organization randomly. Numbers that are picked up, they know are desktop phones. Numbers that are not picked up, they know to reserve for a possible attack later; these could be the numbers of some modems. When you notice a large set of phones just starting to ring collectively, at the same time, what type of attack could be in place? It could be a war dialing attack. Malicious persons are trying to call to see what phones get picked up and what phones don't get picked up, and that is what we call a war dialing attack. They use this to identify modems on the networks so that they can possibly attack those networks.

One strategy to control access to our networks is to implement network access control. The idea behind this is that you want to monitor the state of health of all your machines.
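The war dialing symptom described above, many extensions ringing at nearly the same time, can be looked for in call detail records. The following is an added example, not part of the original lesson: the record format, the phone numbers and the thresholds are constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed call detail records (not real data):
# time, caller number, called extension, seconds the call lasted.
CDR = """\
2024-03-04T02:10:01,5550100,2001,0
2024-03-04T02:10:04,5550100,2002,3
2024-03-04T02:10:07,5550100,2003,0
2024-03-04T02:10:10,5550100,2004,0
2024-03-04T02:10:13,5550100,2005,2
2024-03-04T02:10:16,5550100,2006,0
2024-03-04T09:15:00,5550177,2003,240
2024-03-04T09:40:00,5550177,2003,95
2024-03-04T11:02:00,5550123,2001,610
2024-03-04T14:30:00,5550123,2005,45
"""

def find_war_dialing(cdr_text, window=timedelta(seconds=60), min_extensions=5):
    """Flag callers that ring many distinct extensions inside one time window.

    Returns {caller: largest number of distinct extensions seen in a window}.
    """
    recent = defaultdict(deque)  # caller -> (time, extension) pairs still in window
    alerts = {}
    rows = sorted(csv.reader(io.StringIO(cdr_text)))  # ISO timestamps sort as text
    for stamp, caller, extension, _seconds in rows:
        when = datetime.fromisoformat(stamp)
        calls = recent[caller]
        calls.append((when, extension))
        # Drop calls that have fallen out of the sliding window.
        while when - calls[0][0] > window:
            calls.popleft()
        distinct = {ext for _, ext in calls}
        if len(distinct) >= min_extensions:
            alerts[caller] = max(alerts.get(caller, 0), len(distinct))
    return alerts
```

Grouping by caller number assumes the caller ID is present in the records; where it is withheld, the same window can be applied to all inbound calls together.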
All the machines accessing your network should meet a specific baseline, so you set the baseline on a server such that any system attempting to log on will be reviewed by that server to see that it meets the baseline. Periodically, some users disconnect from the network, possibly to go work remotely, or some are on vacation for some reason or the other. When they return to the network, it could be that they have been infected, or it could be that there has been an update in the applications or drivers or other solutions in use on the network. When these systems return to connect to the network, we want to monitor them to see: do they meet the baseline? If they don't, we fix them before they connect. If they do, we allow access.

If we follow this diagram, we can illustrate a typical example where network access control is implemented. This is not a one-solution strategy; this is just an illustration to show how we could do network access control. We have over here a health check server. On this server, we dictate our baseline. Now let's put down here the user PC that is logging on. Up here we put a remediation server. We all know that on a network, authentication takes place on the domain controller. We will have specified on this health check server the baseline: what version of Explorer, what versions of all programs we are using. We name and put in there all the programs we are running, their versions, all the drivers. Everything is populated on this health check server.

So, what we see here is, if this user PC attempts to log on to the network, the user PC is directed to the health check server. The health check server will review the machine: is it lacking some updates? Is it missing some applications, or is it even missing some...? We moved from one version to another version. Possibly, the last time this machine was connected to the network, we were running Internet Explorer version 7.
Now we are running Internet Explorer version 11. Maybe some vulnerabilities have been discovered in version 7, so we've upgraded to version 11. If this person is attempting to log on, the system is redirected to a health check server that will scan that machine. If the machine does not meet the baseline, it is directed to the remediation server. As the name dictates, this is a server at which this PC will be fixed. What happens next is that the PC is routed back to the health check server: OK, check him out, he's fixed. Once the health check server deems this PC fit, the PC is then allowed connection to the domain controller. The user is able to log on and join the network. With this strategy in place, every machine gets inspected by the health check server to guarantee the state of health of all the computers connecting to the network. This is what we call network access control. You're controlling access to your network for all the devices connecting to your network.

Now we talk about virtualization. In the past, we had one operating system running on a machine. We could only run XP on this computer because only XP was installed. Later on we learned to partition machines. When you have a partition, you can install one operating system into one partition. In this system, we are said to be multi-booting. We have multiple partitions and multiple operating systems, a different operating system installed on each partition. In this scenario, when the system starts, it will advertise to you all the operating systems installed, but then you make a choice. Do you want to run Windows XP, Windows 7 or Ubuntu? Even though you have multiple operating systems installed, you can only run one at a time. Then we discovered virtualization. With virtualization you have your host PC, on which you install a hypervisor.
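Returning to the network access control flow described above (health check server, remediation server, then the domain controller), the decision logic can be sketched as follows. This is an added example, not part of the original lesson: the baseline contents and the function names are assumptions, with the Internet Explorer entry mirroring the version 7 to version 11 case from the text.

```python
# Constructed baseline held on the health check server (assumption):
# software name -> minimum acceptable version.
BASELINE = {
    "internet_explorer": "11",
    "antivirus_defs": "2024.06.01",
    "nic_driver": "3.2.1",
}

def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare as numbers, not strings."""
    return tuple(int(part) for part in text.split("."))

def health_check(inventory, baseline=BASELINE):
    """List every baseline item the machine lacks or runs below the baseline."""
    failures = []
    for name, required in baseline.items():
        installed = inventory.get(name)
        if installed is None:
            failures.append((name, "missing", required))
        elif parse_version(installed) < parse_version(required):
            failures.append((name, installed, required))
    return failures

def remediate(inventory, failures):
    """Remediation server: bring each failing item up to the baseline version."""
    fixed = dict(inventory)
    for name, _installed, required in failures:
        fixed[name] = required
    return fixed

def admit(inventory, max_remediations=1):
    """Health check, remediation, re-check; only a compliant PC reaches the DC."""
    log = []
    for attempt in range(max_remediations + 1):
        failures = health_check(inventory)
        if not failures:
            log.append("compliant: allowed through to the domain controller")
            return True, inventory, log
        log.append("non-compliant: " + ", ".join(name for name, _, _ in failures))
        if attempt < max_remediations:
            inventory = remediate(inventory, failures)
            log.append("remediated: sent back to the health check server")
    log.append("still non-compliant: access denied")
    return False, inventory, log
```

Comparing versions as strings would rank "7" above "11", which is why `parse_version` converts them to numbers before the baseline check.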
You install the hypervisor on your PC. The hypervisor is the software environment within which you can build other computers. You can build one computer within another computer using the hypervisor. The hypervisor will share resources with your host computer: resources like the processor, the memory, ports, et cetera. These are the most important. Not all systems support virtualization, but those that do will allow you to do virtualization, and you must enable virtualization in the BIOS before people can do virtualization on that system. You install the hypervisor on the host machine, it will share resources with the host machine, then you create your virtual machines. This could be Windows 7 on your host machine, and this could be XP, Windows 7, Windows Vista, Server 2003, Server 2008, Server 2012, Ubuntu, another XP; you could even have SUSE Linux on there. Provided you have enough memory and processors that are robust, it is possible to install your operating systems in each of these machines and run them all at the same time.

It is a beautiful solution: rather than having to buy one, two, three, four, five, six, seven, eight, nine of these boxes, ten boxes in all, you only buy one box, and using the hypervisor you can build these virtual machines all in one. Organizations are able to save cost this way.

We have different types of hypervisors out there, but that is not the focus of the exam. All we need to know about the hypervisor is that it is the software environment within which we build the virtual machines. Some hypervisors are Microsoft Virtual PC, Windows Virtual PC, Hyper-V, Sun VirtualBox, VMware and VM Fusion. Virtualization has come to stay. A lot of organizations have started to use virtualization for their servers, so it is good practice to learn to use all of these hypervisors.
Most of them are available online for free.

Virtualization does offer some benefits. It allows organizations to save costs: rather than having to buy 12 boxes, the organization can buy one very solid box and build the other machines within that box as virtual machines. Organizations also save cost in terms of hardware. They save cost in terms of overheads such as electricity. You don't need electricity for seven or eight boxes anymore; you only need electricity for one box.

What about saving cost in terms of licensing? You could have virtual applications. Take an application like Microsoft Office. Assume a particular application set is $500 and you have three thousand users, and all these users need portions of Microsoft Office, for example. You are not going to spend $500 in 3000 different places. You could save cost. You install these virtual applications on a server. When users need an application, they connect, use it and disconnect. This allows you to buy only a limited number of licenses yet service 3000 users. Maybe we buy for 600 users, so as people need it, they connect, use it and disconnect. Rather than install it for users who probably use it for only two minutes a day, or five minutes a day, we install virtual applications to save cost on licensing.

The use of virtualization also allows us to maximize our hardware. In many cases we buy machines that are very robust, but we are only using a fraction of their capabilities. With virtualization, we make these machines really do the work they are designed for. We maximize the use of this hardware.

Virtualization gives a lot of organizations the ability to test software. You want to test how this software will react with XP? Test it on the virtual machine. You could have a test machine, a test server that is hosting multiple operating systems.
When you get your drivers, when you get your updates, don't just deploy them straight away; test them on these different operating systems to see how they perform. Once you are satisfied, you can move them to your production networks. This is virtualization.

There are some security concerns with virtualization. When we do virtualization, all the configurations we do to protect our host machines should also be done on our virtual machines. These virtual machines are hosted on these host machines, so if we don't secure our virtual machines, malicious persons could attack the virtual machines via the internet, take over the hypervisor, and cripple other virtual machines or possibly cripple your host PC.

It is also possible that some of your staff might want to run prohibited software within a virtual machine. It is much more difficult to detect people running prohibited software within a virtual machine. Prohibited software, maybe gambling software, is run within the virtual machine to hide the fact that they are running it. How do you protect against this? Administrators will go into the BIOS and disable the use of virtualization so that the user cannot even build the virtual machine. Once you disable the use of virtualization in the BIOS, you then lock your configuration with the BIOS password. When you have locked the configuration with the BIOS password, you then lock the box with a padlock, a physical lock. So you see here, we have multiple layers of defense. This is what we call defense in depth. Otherwise, if you disable virtualization in the BIOS and do not lock the box with a padlock that has a key, then if I have access to that box I can simply remove a jumper on the motherboard, a very tiny piece of plastic. Once I remove the jumper on that motherboard, the system will forget the passwords. That way, I can then change the configuration settings to enable virtualization. We must have several layers of defense to secure our networks.
In the previous topic we talked about virtualization, and how to prevent users from setting up virtual machines. If we look at defense in depth using that example, our systems or resources can be configured in such a way that we have multiple layers of defense around them. The idea is that when you have multiple layers of defense, the malicious person will have to go through several layers to get at your resource. These layers will be protected by different types of technologies such that no one technology can compromise all the layers. Our resource is protected by the BIOS configuration, which disallows users from setting up virtual machines. We then lock the box with the padlock, another layer. Ensure that there is a door lock to that room, another layer. Ensure that we have CCTV, closed-circuit television, another layer, and possibly have guards for physical security at the perimeter. You can see how, by applying several layers, we can protect our resource. This is what we call layered security or defense in depth. You apply several layers, each with a different level of technology, that must be passed before anyone can get to your resources at the core of the strategy.