Network Security Architecture Part 1
Video Transcription
Welcome to Module 2, Lesson 1, network security architecture part 1. The learning objectives for this lesson are to demonstrate how intrusion detection and prevention aid in security, describe the types of perimeter security devices, and to utilize sensors on a network to improve security.

Let's get started. An intrusion detection system, also known as IDS, is basically an alarm system for your network. We have two broad types of intrusion detection systems, and these are host-based and network-based. The key point to remember about an intrusion detection system is that it just monitors and alerts for signs of an attack. It's not going to take any action on any of the alerts that happen other than letting you know that it happened.

All intrusion detection systems make use of the following three analysis techniques. These are signature-based, which works like antivirus where it has a database of signatures and if something matches one of those signatures, it will trigger; anomaly-based, looking for things that are out of the ordinary; and behavior-based, which is very similar: it monitors a baseline of what behavior is normal on a network or a device, and when it sees things that are outside of that normal behavior, then it will trigger an alert.

We also have wireless intrusion detection systems, or WIDS. These devices are looking for attacks on a wireless network. For example, looking for rogue access points or evil twins, looking for devices that are on the network that are not supposed to be there, any signs of a denial of service attack, or also MAC address spoofing. The device in the top right is a Hak5 WiFi Pineapple. These devices are purpose-built to perform these types of attacks for penetration testing on a network. The device in the bottom is a pocket Deauther. This device can send deauthentication frames to a wireless access point to kick off clients. When those clients re-establish, then the handshake is captured; this can be taken offline and cracked, and then you have the password for the network. It can also be used as a denial-of-service attack device, blocking all clients from connecting to a network.

Intrusion prevention systems, or IPS, take this a step further. They do the same thing as an intrusion detection system, but once something is detected, they will take action on it. For example, they can reset connections or even block traffic altogether. The key point to remember about an intrusion prevention system is that it must be placed inline on the network to monitor traffic. If it can't see all of the traffic on the network, then it can't take action when it detects something. Wireless intrusion prevention systems can go as far as to block different clients from being on the network and stopping denial of service attacks.

Traffic mirroring. This is also known as port mirroring or SPAN ports. This is where you allow another switch port to intercept all of the traffic on the switch. On switches, traffic typically goes to one port only, so if you want to see all the traffic that's going through the switch, you have to build a mirror using something like this. This allows you to sniff all the traffic on the network; you could run it through a protocol analyzer such as Wireshark or pipe it into your network intrusion detection system so that they can see everything.

Perimeter security devices. The first one, you probably all are familiar with, is a router. A router, in its most basic sense, forwards traffic from one network to another by checking IP addresses. But in doing that, it is able to determine: should this traffic be forwarded, should it be blocked, should it be sent somewhere else? We can do that with access control lists. Routers are often a first line of defense inside the network by preventing traffic from going to different places.

Load balancers inspect the incoming web traffic, and then they will redirect it to the available web servers behind them. This is usually associated with availability and fault tolerance.

Network address translation. If you're using a router at your house, maybe the one that your internet service provider gave you, or you bought a Linksys or that type of device, then you're probably using NAT. Network address translation allows you to have a private subnet behind the device. These are the IP addresses that we're all familiar with seeing, 192.168.0.0 type networks. The NAT will translate those private addresses into the WAN address and allow it to go out on the Internet. But on the Internet side, it only appears as if you have one IP address, being your WAN public IP address.

Forward and transparent proxy. The key to remember about these is that they are working from inside the network out. When a client on the inside of the network wants to go to a particular webpage, they first go to the proxy, and then the proxy will request that for the client and send it back. Everything is routed through the proxy. This allows the proxy to intercept the traffic and see if there's anything malicious in it, but it also allows it to deny clients access to sites that may not be approved for those clients to surf to. Proxies also have to understand the protocol that they're going to be handling. Multipurpose proxies can handle several protocols such as HTTP, FTP, and SMTP.

A reverse proxy is the exact opposite. This is for traffic on the outside of the network coming in. It can be used to improve performance of a website because it can cache data and send the data faster to clients. It's in line with traffic, and it has to be between the clients and the requesting server, going from the outside in. Reverse proxies are outside in; transparent proxies are inside out.

Firewalls. At its most basic level, a firewall is a device that filters traffic that passes through it. This is done by looking at the source of the traffic, the destination, the protocol, and the ports that it wants to go to. From there, the firewall will make a decision on what it needs to do with that particular traffic. For example, if we have a website that's open on port 80 behind the firewall, the firewall may allow all traffic to port 80 to be forwarded over to that IP address of the webserver behind the firewall. It's really good for doing this type of direct traffic, sending to a particular server, or blocking everything based on rules. But if you want something more complex, such as looking at the actual content of the traffic coming through, you need a more robust device.

That brings us to a unified threat management system. UTMs add additional capability to firewalls with content filtering, spam filtering, antivirus scanning, and traffic and web filtering. This is where the industry has moved to; these are the devices that we're most likely to be seeing now, as they're more capable of defending a network than a standard firewall. You also have next-generation firewalls that are able to inspect higher-level protocols such as HTTP so that they can look inside the packets and see if there's anything malicious. Once they inspect the traffic, if there is anything malicious, then they can drop it based on the content of the data itself.

We also have web application firewalls, or WAFs. These act as a shield to a website; they're very specific for protecting web servers from a wide range of attacks. But some examples would be SQL injection, cross-site scripting, cross-site request forgery, file inclusions, and directory traversal. There are quite a number of attacks that these can protect from, but these are the most common. We have three basic types of WAF devices. The first is network-based: it is a separate host, or it could be a virtual machine, that sits in front of the website that it's protecting. These are the most expensive, but they offer the most flexibility. Host-based is software that runs on the actual web server itself, and it's very inexpensive. In fact, in some cases it is free, like the example of ModSecurity, but it means it's very complicated to get configured. The last is cloud-based, and it's delivered by a cloud service provider. It's less expensive, and it offers expert implementation with low maintenance, since the cloud service provider is usually the one implementing and maintaining it for you.

Virtual Private Networks. If you watch any YouTube videos, you've seen advertisements for these. But the most basic use of a virtual private network is to connect two networks together. So if you have a remote office in one city and the main office in another, you can create a virtual private network, which is an encrypted tunnel between the two, allowing the two networks to be able to communicate with each other securely across the Internet. Another common use of a VPN is for remote workers to connect back to the main office. With the pandemic that occurred in 2020, a lot of workers were shifted home to do their work, and this was the way they were all able to connect. Again, this was using a virtual private network. Here are some common VPN protocols: OpenVPN, L2TP teamed up with IPSec, IKEv2 teamed up with IPSec, WireGuard, SSTP, IPSec, and PPTP.

Network Access Control. These devices create a baseline for what every device that's connected to the network should adhere to. So for example, patch level; it must have an anti-virus program that's on the accepted list and it must be updated; maybe you have to have a host firewall enabled. When a device is plugged into the network, if it doesn't meet the standards, it will not allow the device to connect. This way you're only allowing access to the network to trusted devices.

System Information and Event Management, or SIEM. These are devices that collect data from a multitude of sources on your network. For example, it may collect data from your firewall, your endpoints, your domain controllers, and many other types of devices, and bring them all into one source and then look at all of that data at one time to spot patterns of an attack. So for example, seeing one failed user login on one machine might not be a big deal. But if it happened across 20 machines at the same time, that might be indicative of an attack. The SIEM would be able to take all of that data in and then alert you to it so that you can take further action. SIEMs typically have the following functions: aggregation, correlation, alerting, visibility, compliance, and data retention.

Activity and traffic sensors: NetFlow and sFlow. These are network protocols for capturing network traffic for analysis. We also have file integrity monitoring. This ensures that the files on different devices or endpoints haven't changed. This is looking for signs of a malicious attack, where an attacker would come in and make changes to specific system files, such as DLL files on Windows machines. A file integrity monitoring system ensures that hasn't been done.

Simple Network Management Protocol, SNMP. This operates on UDP ports 161 and 162. This is a very common system for monitoring and managing network infrastructure. Switches, routers, firewalls, and sometimes even actual workstations will have SNMP. It consists of two parts, which are the monitors and the agents. If you're not using SNMP on your network, or if a device doesn't need it, it's highly recommended that you disable it, because a lot of information can be gleaned from querying an SNMP daemon that's running on a particular system.

Data loss prevention, or DLP. This is software that's designed to protect the data that's on a network. Once the sensitive data on a network has been defined, you can allow different levels of access on that data and who is allowed to access it, and then what they're able to do with it; for example, are they able to print? Are they able to copy it? Are they able to email it? That type of thing. We can set these rules up for all users to ensure that data is not exfiltrated from the network improperly.

Distributed Denial of Service Protection. This has become a massive problem in our industry, where different websites are under attack, and there are some things we can do about it to help prevent those attacks from causing outages of our web resources. The first one we can do is rate-limiting, which reduces the amount of throughput that goes to the server, so that way the total bandwidth is not actually being used. We can put a web application firewall in line to prevent the traffic from actually reaching the webserver. We can do black hole routing, which drops all inbound traffic that is destined to the endpoint, in this case, a web server. We can use cloud service providers like Cloudflare that route all traffic. We run all traffic through them first, and then they handle it before it ever reaches our website. We can also use DDoS mitigation software or an appliance, which is a purpose-built device to help us prevent this type of attack on our web servers.

Let's summarize what we went over in this lesson. We went over how intrusion detection and intrusion prevention systems work. We went over wireless intrusion detection and prevention systems. We discussed perimeter security devices such as firewalls, proxies, routers, and VPNs. We also went over using sensors to collect data from the network to improve network security.

Let's look at some example questions. Which technology solution would you need to implement to prevent rogue access points on a network? A wireless intrusion prevention system, or WIPS. Question 2: you have been asked to provide a solution to help a company prevent its confidential and proprietary information from being copied, printed, or used improperly. What type of technology would you recommend? A data loss prevention, or DLP, system. Example 3: what tool must be placed in line to allow a NIDS to inspect all network traffic? A sniffer. What is the purpose of a SIEM? To aggregate logs from a variety of systems and provide real-time alerting based on the collected data.

Well, that brings us to the end of Module 2, Lesson 1. I hope this was helpful for you and explained everything in enough detail that you can pass the exam. Thank you.
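The SIEM correlation idea the instructor describes (one failed login on one machine is noise, the same failure across many machines in a short window is a signal) worked through as an added Python example. This is not code from the lesson or from any SIEM product; the syslog-like log format, the field names, the 60-second window and the five-host threshold are all assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Toy SIEM-style correlation rule: failed logins for one user spread
across many hosts within a short time window raise a single alert.

Added illustration, not code from the lesson or any vendor product.
The log format, field names and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed format:
# "<ISO timestamp> <host> auth: <RESULT> user=<name> src=<ip>"
SAMPLE_LOGS = """\
2024-05-01T09:00:01 ws-01 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:02 ws-02 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:02 ws-03 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:03 ws-04 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:03 ws-02 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:04 ws-05 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:05 ws-06 auth: FAILED_LOGIN user=alice src=10.0.0.5
2024-05-01T09:00:09 ws-01 auth: LOGIN_OK user=alice src=10.0.0.5
2024-05-01T11:30:00 ws-07 auth: FAILED_LOGIN user=bob src=10.0.0.9
2024-05-01T11:42:00 ws-07 auth: FAILED_LOGIN user=bob src=10.0.0.9
"""


def parse_event(line):
    """Return a dict for a FAILED_LOGIN line, or None for anything else."""
    parts = line.split()
    if len(parts) < 5 or parts[3] != "FAILED_LOGIN":
        return None
    fields = dict(kv.split("=", 1) for kv in parts[4:] if "=" in kv)
    return {
        "ts": datetime.fromisoformat(parts[0]),
        "host": parts[1],
        "user": fields.get("user"),
        "src": fields.get("src"),
    }


def correlate_failed_logins(lines, window=timedelta(seconds=60), host_threshold=5):
    """Aggregate failed logins per user and fire one alert per window in
    which the failures touch at least `host_threshold` distinct hosts."""
    events = [e for e in (parse_event(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])  # stable: equal timestamps keep order

    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        start = 0            # left edge of the sliding time window
        fired_until = None   # suppress duplicate alerts inside one window
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {x["host"] for x in evs[start:end + 1]}
            if len(hosts) >= host_threshold and (fired_until is None or e["ts"] > fired_until):
                alerts.append({
                    "user": user,
                    "hosts": sorted(hosts),
                    "first": evs[start]["ts"],
                    "last": e["ts"],
                })
                fired_until = evs[start]["ts"] + window
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_LOGS.splitlines()):
        print(f"ALERT user={alert['user']} hosts={len(alert['hosts'])} "
              f"{alert['first'].isoformat()} .. {alert['last'].isoformat()}")
```

Run stand-alone it prints one alert for `alice` (five distinct hosts within four seconds) and nothing for `bob`, whose two failures are on the same host and twelve minutes apart. The `fired_until` guard is the part worth copying into a real rule: without it, every further failure inside the same window would re-fire the alert and flood the analyst with duplicates.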