4 hours 25 minutes
Now we move on the s S t p and S S T P stands for secure socket
um, tunneling protocol.
Now, in this situation, the big difference between this one is it operates at layer four through seven instead of layer three.
So instead of needing those gateways between the two endpoints to negotiate that tunnel and then sending traffic through it, Thean points themselves are actually negotiating the VPN tunnel.
And what that does is it gives more granular control so we can have if we've got to in points that are talking to each other. And there's a VPN between the two, we can actually create a separate VPN for every application. Maybe one application is a Web application, and the other one is, you know, some database. And then there's some other application.
Each time this in point connects to each one of these, we can create separate VPN tunnels for each one of them,
and then that further secures the environment, cause we're not passing everything through one single tunnel. It's each. Each session has its own tunnel
field on the SSL VPN model Onda. As I said, it's usually terminated behind the firewalls. It's not on those gateway devices themselves.
So what is this STP look like? Again? We've got our two endpoints, but this time the negotiation happens directly between the endpoints that negotiation compete just like with L two tp. That negotiation
can be in the form of P K I or can be in the form of pressure keys. There's a lot of different ways it can happen, usually with SS TP. It's in the form of PK I, where there's a public key encryption mechanism used
on and then the tunnel is created and data can be passed from in point in point. And it's on an application by application basis.
All right, moving on from VPN, we're gonna now start talking about multi factor authentication and multi factor authentication simply just means using more than one mechanism for authentication. So the one everybody's familiar with is user name and password. Well, user name password is just one form of authentication, right? But if someone
happens to get access to your user name and password,
then that's it. They have access to everything. The idea behind multi factor authentication is the same concept we talk about with defense in depth we're just adding more stringent controls. We're adding another layer to what has to happen before we can authenticate to a system
to make it more difficult for someone in case they, if they still one piece of information, they can't have the other
multi factor. Authentication is defined by having at least two of the following types of components when you're dealing with authentication,
so the 1st 1 is knowledge. That's something you know. That's the famous user name or password, right? Your you know your password. It's something you know. It's part of knowledge.
Possession is the 2nd 1 Something you have. This could be in the form of, say, a cellphone, your smartphone or some device like that. It's something you physically have, and in the 3rd 1 is inherent. It's something you are. And generally speaking, this is some form of biometrics. Maybe it's your retinas or your or your fingerprint,
but multi factor authentication is at least
two of those components. You need to have something you have and something you know, for example, would be one form of multi multi factor authentication. You can have all three you can. You can require somebody to have a user name, password, some application on their cell phone that spits out a code and biometrics altogether
if you're dealing with very, very sensitive information. So
using different levels of multi factor authentication for different levels of sensitive information is also a good idea.
Let's talk about one of the most common examples of multi factor authentication, and that's possession. Well, possession mixed with knowledge. So we're gonna assume that knowledge is one factor. That's your user name and password, something you know. And the next one is something you have that's possession.
And what I'm showing you here is a screenshot from Google authenticator so you can have your cell phone. You can have it. You can download an application on your cell phone. In this case, it's Google authenticator. And then when you are in an application and you've logged in with your user name and password, you want to set up multi factor authentication to make it more difficult for someone to break into your account
from within the application. A lot of them have Google authenticator built in. You can just choose it from the drop down box when you do that, Ah barcode will appear on the screen, and then you go into your Google authenticator app and you scan the barcode on the screen. And that's what links your phone something you have
to Google the Google Authenticator service that the application is tied to.
Then the next time you log in, you're gonna be prompted for user name and password. Once you type that in, you'll be prompted for your authenticator code. When you pull up your Google authenticator app, you'll see something that looks like this. It's essentially six digits, and there's a little timer in the right hand bottom right hand corner that shows how much time is left.
This six digit number in your authenticator will stay by default. It's for 60 seconds.
So for one minute this code is valid. If someone happens to still this code, if they're looking over your shoulder and they still this code, they see what's on your screen. It's only good for 60 seconds. After 60 seconds, they have to see what the next coat is, so they'll be a little timer there, and as that timer starts running out of the start, turning red and in it when it when it expires,
the six digit number will change.
So you have within that one minute timer, you have to put your usual even password in. And then when it prompts you for your code, you have to put whatever code is is you know in that 62nd window. And that's an example of something you know and something you have in an example of how it makes it much, much more difficult for someone to break in or use your credentials
to gain access to something that they shouldn't
in remote access. The reason. This is important multi factor authentication can be used anywhere. But it's extremely important when you're dealing with remote access because remote access is inherently dangerous, were allowed allowing these remote entities to connect into our environment. And it's very easy to pretend to be something you're not. When you're a remote entity,
multi factor authentication is just one more mechanism that we can authenticate that
unknown remote entity.
Last thing we'll talk about in this remote access section is mobile device management, So if you choose to allow in users to gain access to resource is on their mobile phones, you could do it a couple different ways you can. You should. You can either have a mobile device that you
that you assigned to the user and then you manage the entire device.
Or you can have a mobile device that you hand are that the user brings themselves their own personal device and you can manage a portion of that device. But in either case, mold of mobile device management is all about managing the policies that relate to how that mobile device accesses information in your internal network.
One example would be this. Let's say our end users got their personal phone. We're gonna allow them to use their personal phone to gain access to some internal resource is popular. Example is email. You can use your mobile phone to check your email,
but we don't. We still want to control that email experience where we don't want them to be able to take something that this on email and just save it off under their phone and then send it to somewhere else because that's outside of our visit building in our control, and we've now let data leak outside of our environment.
So the way we do this is with mobile device management. You can create a container on that on that mobile phone,
and that container within that encrypted container is where all of the applications live. That you're going to allow to interface with remote with the internal systems in your environment. So anything outside of that container is not allowed to interface with the with your internal environment, so you can't. For example, in this situation, you can't use
your Gmail application that you downloaded from the IOS store
to directly access your mail system, right. It has to be a new approved male application with an approved version and prove patches on it that live within that encrypted container.
Now with mobile device management, there's always some some management device that's on the edge that's on the perimeter in your environment that can communicate with these mobile devices out there in the world so you can push policy to those devices.
Like I said, if you don't want people to be able to save emails outside of that container, that's a policy that could be pushed to those devices, so it needs to be in constant communication
and then if that device gets stolen, if he gets lost or stolen, or if someone quits and just walks out, you can send commands from the mobile device management system toe wipe that container. You can kill the whole container so it's It's gone. It's removed from the phone. If you're managing the entire device, you can wipe the whole device.
So mobile device management is just a way that you can allow users to have that convenience of that mobile device but still maintain some sort of control over the data in that environment.
And that brings us to the end of our our section on remote access and to the end of our section on the perimeter layer in general. Next up, we're gonna goto lesson 2.3. We're gonna start to talk about some of the network layer components.