Hello and welcome to Cybrary's CompTIA Advanced Security Practitioner (CASP) certification preparation course.
This is a continuation of Module 8, which is titled Secure Network Configuration.
Here are the objectives which encompass this particular module.
What we're going to do now is turn our attention to discussing securing network infrastructure devices.
Let's begin by first taking a look at the pre-assessment question, which reads as follows: How can you improve the security of network infrastructure devices? Select all that apply. A: Segment and segregate networks and functions. B: Limit unnecessary lateral communication. C: Harden network devices. D: Technical requirements.
Again, select all that apply.
If you said A, B and C, you're absolutely correct. You want to segment and segregate your networks and functions, limit unnecessary lateral communication, and harden your network devices.
So let's begin by discussing what network infrastructure devices are.
Network infrastructure devices are the components of a network that transport the communications needed for data, applications, services and multimedia. These devices include routers, firewalls, switches, servers, load balancers, intrusion detection systems, domain name systems, as well as storage area networks.
So what security threats are associated with network infrastructure devices? They're often easy targets for attackers. Once installed, many network devices are not maintained at the same security level as general-purpose desktops and servers. The following factors also contribute to the vulnerability of network devices. Few network devices, especially small office/home office routers, run the antivirus, integrity-checking and other security tools that help protect general-purpose hosts.
Manufacturers build and distribute these network devices with exploitable services enabled for ease of installation, operation and maintenance. Also, owners and operators of network devices often don't change vendor default settings, harden them for operation, or perform what we call regular patching of these devices.
Internet service providers may not replace the equipment on a customer's property once that equipment is no longer supported by the manufacturer or vendor. And owners and operators often overlook network devices when they investigate, look for intruders, and restore general-purpose hosts after a cyber intrusion.
So how can you improve the security of network infrastructure devices? You can segment and segregate networks and functions. You can limit unnecessary lateral communication. You can harden your network devices. You can secure access to the infrastructure devices. You can perform out-of-band network management, and you can validate the integrity of the hardware and the software.
The first one we'll take a look at is segmenting and segregating networks and functions. Proper segmentation is an effective security mechanism to prevent an intruder from propagating exploits or moving laterally around an internal network.
If you have a poorly segmented network, intruders are able to extend their impact to control critical devices or gain access to your sensitive data and intellectual property. Segregation separates network segments based on role as well as functionality.
We can also employ what we call physical separation of sensitive information. Traditional network devices such as routers can separate local area network segments, in other words segment them, and placing routers between networks creates what we call boundaries. You increase the number of broadcast domains, and effectively what you do is filter users' broadcast traffic.
As for recommendations: you want to implement, or incorporate, the principles of least privilege and need-to-know when you're designing your various network segments. You want to separate sensitive information and security requirements into their own network segments. Also, apply security recommendations and secure configurations to all your network segments and network layers.
We can also employ virtual separation of sensitive information. This is the logical isolation of networks on the same physical network. Virtual segmentation uses the same design principles as physical segmentation but requires no additional hardware.
As for recommendations: you can use private VLANs to isolate a user from other hosts on the same VLAN, and you can configure VLANs on a switch. You can also use virtual routing and forwarding (VRF) technology to segment your network traffic on a single router. You can also use a virtual private network to securely extend a host or network by tunneling through public and private networks; in other words, you employ a VPN, which encrypts the traffic carried in the tunnel.
Another thing that we can do is limit unnecessary lateral communication. Allowing unfiltered peer-to-peer communication, including workstation-to-workstation, creates serious vulnerabilities and can allow a network intruder to spread access easily to multiple systems.
In this case, once an intruder establishes an effective beachhead within your network, unfiltered lateral communication allows the intruder to create backdoors throughout your network. Now, what we can do to mitigate it, as regards recommendations: you can restrict communication using host-based firewall rules to deny the flow of packets from other hosts. You can also implement a VLAN access control list (VACL), which is a filter that controls access to and from your VLAN. You can also logically segregate the network using physical or virtual separation, allowing the network administrator to isolate critical devices onto their own network segments.
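To make the segmentation and lateral-movement recommendations concrete, here is an added example in Python that is not part of the original lesson: a small first-match policy evaluator over constructed network segments. The segment addresses, the rules and the sample flows are all made up for illustration; the point is the shape of the policy, where anything not explicitly permitted is denied, workstation-to-workstation traffic is blocked, and the device management plane is reachable only from a single dedicated administration host.

```python
"""Added example: evaluate flows against a segmentation policy.

Addresses, segments, rules and sample flows are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source prefix (CIDR)
    dst: str               # destination prefix (CIDR)
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None means any port


# Constructed segments (hypothetical addressing).
WORKSTATIONS = "10.10.0.0/16"     # user VLANs
APP_SERVERS = "10.20.0.0/24"      # application tier
MGMT_PLANE = "10.99.0.0/24"       # router/switch management interfaces
OOB_ADMIN = "192.168.250.10/32"   # dedicated out-of-band admin host
ANY = "0.0.0.0/0"

# First match wins; rules are ordered from most specific to most general.
POLICY: List[Rule] = [
    # Management plane: SSH from the out-of-band admin host only, nothing else.
    Rule("permit", OOB_ADMIN, MGMT_PLANE, "tcp", 22),
    Rule("deny", ANY, MGMT_PLANE, "any", None),
    # Users reach the application tier on HTTPS only (least privilege).
    Rule("permit", WORKSTATIONS, APP_SERVERS, "tcp", 443),
    # No workstation-to-workstation traffic: removes the lateral-movement path.
    Rule("deny", WORKSTATIONS, WORKSTATIONS, "any", None),
]


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
    """True when the flow falls inside the rule's source, destination,
    protocol and port constraints."""
    return (
        ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and rule.proto in ("any", proto)
        and (rule.dport is None or rule.dport == dport)
    )


def evaluate(policy: List[Rule], src: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None) -> str:
    """Return "permit" or "deny" for one flow. The first matching rule decides;
    a flow that matches no rule is denied (implicit deny at the end)."""
    for rule in policy:
        if rule_matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


def audit_flows(policy: List[Rule],
                flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int]]:
    """Given observed flows (src, dst, proto, dport), for example pulled from
    flow logs, return the ones the policy would block. Useful for spotting
    lateral traffic that is currently unfiltered before you enforce the policy."""
    return [f for f in flows if evaluate(policy, *f) == "deny"]


# Constructed sample flows, as an analyst might pull from flow records.
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.20.0.15", "tcp", 443),       # user -> app over HTTPS: allowed
    ("10.10.5.7", "10.10.5.8", "tcp", 445),        # SMB between workstations: lateral
    ("10.10.5.7", "10.99.0.1", "tcp", 22),         # user -> switch management: blocked
    ("192.168.250.10", "10.99.0.1", "tcp", 22),    # OOB admin host -> switch: allowed
    ("10.10.5.7", "10.20.0.15", "tcp", 22),        # user -> app over SSH: implicit deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(evaluate(POLICY, *flow), flow)
```

Run against real flow records, the list `audit_flows` returns is the lateral traffic you would be cutting off, which is exactly what to review with application owners before the policy goes live.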
We also want to make sure we harden those devices. A fundamental way to enhance your network infrastructure security is to safeguard networking devices with secure configurations; in other words, we harden those devices. As an administrator, you should implement the following recommendations in conjunction with laws, regulations, site security policies, standards and industry best practices.
You want to disable unencrypted remote administration protocols used to manage network infrastructure, such as Telnet and also File Transfer Protocol.
Continuing on with hardening network devices. You want to disable unnecessary services, for example discovery protocols, source routing, Hypertext Transfer Protocol, Simple Network Management Protocol (SNMP), and the Bootstrap Protocol (BOOTP).
Use SNMP version 3 or a subsequent version, but do not use SNMP community strings. Secure access to your console, auxiliary and virtual terminal lines. Implement robust password policies and use the strongest password encryption available. Protect your routers and switches by controlling access lists for remote administration.
Restrict physical access to the routers and switches. Back up your configurations and also store them offline. Periodically test the security configuration against security requirements. Also protect configuration files with encryption or access controls when sending, storing or backing up those files.
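Here is an added example, not from the lesson, of the "periodically test the security configuration" step: a Python script that reads a Cisco IOS-style running configuration and reports which of the hardening items from this section are missing, such as Telnet still accepted on the VTY lines, SNMP community strings, discovery protocol, source routing and the HTTP server left enabled, clear-text passwords, and VTY lines with no access list or idle timeout. The two configurations in the block are constructed samples, the check list is my own and is not exhaustive, and the expected command syntax assumes IOS; adapt the strings to your platform.

```python
"""Added example: audit an IOS-style running-config against hardening checks.

The configurations below are constructed samples, not from any real device.
"""
from typing import Dict, List, Tuple

# Global commands that must be present, with the finding reported when absent.
REQUIRED_GLOBAL: Dict[str, str] = {
    "no cdp run": "discovery protocol (CDP) still enabled",
    "no ip source-route": "IP source routing still enabled",
    "no ip http server": "HTTP management server still enabled",
    "service password-encryption": "passwords in the config are not encrypted",
}


def parse_config(text: str) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Split a config into top-level commands and the indented sub-commands of
    each 'line ...' section (con/aux/vty). Comment lines ('!') are dropped."""
    top_level: List[str] = []
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):              # sub-command of the current section
            if current is not None:
                current[1].append(line.strip())
            continue
        current = None
        if line.startswith("line "):
            current = (line, [])
            blocks.append(current)
        else:
            top_level.append(line)
    return top_level, blocks


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    top_level, blocks = parse_config(text)
    findings: List[str] = []

    for command, problem in REQUIRED_GLOBAL.items():
        if command not in top_level:
            findings.append(f"global: {problem} (expected '{command}')")

    for command in top_level:
        if command.startswith("snmp-server community"):
            findings.append(f"global: SNMPv1/v2c community string configured ('{command}')")

    for header, cmds in blocks:
        if not header.startswith("line vty"):
            continue
        transports = [c for c in cmds if c.startswith("transport input")]
        # Anything other than exactly 'transport input ssh' (including the
        # platform default when the command is absent) may accept Telnet.
        if not transports or any(t.split()[2:] != ["ssh"] for t in transports):
            findings.append(f"{header}: remote access not restricted to SSH")
        if not any(c.startswith("access-class") for c in cmds):
            findings.append(f"{header}: no access-class limiting management sources")
        if not any(c.startswith("exec-timeout") for c in cmds):
            findings.append(f"{header}: no exec-timeout on idle sessions")
    return findings


# Constructed "before" config: vendor-style defaults left in place.
WEAK_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
!
line con 0
 login
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed "after" config with this section's recommendations applied.
HARDENED_CONFIG = """\
hostname edge-rtr-1
!
service password-encryption
no cdp run
no ip source-route
no ip http server
!
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha AUTHPASS priv aes 128 PRIVPASS
!
ip access-list standard MGMT-HOSTS
 permit 192.168.250.10
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 transport input ssh
 login local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Feed it the output of `show running-config` from each device on a schedule and diff the findings against the previous run; a check that starts failing on a device that passed last month is a configuration change somebody needs to explain.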
Next, secure access to your infrastructure devices. Administrative privileges can be granted to allow users access to resources that are not widely available. Limiting administrative privileges for infrastructure devices is crucial, or critical, to security, because intruders can exploit administrative privileges that are improperly authorized, granted widely, or not closely audited.
Adversaries can use these compromised privileges to traverse a network, expand access, and take full control of your infrastructure backbone.
Securing access to infrastructure devices, again, this is a continuation. You can implement what we call multi-factor authentication. Authentication is, in fact, the process used to validate a user's identity, and attackers commonly exploit weak authentication processes.
Multi-factor authentication, in fact, uses two or more identity components to authenticate a user's identity.
Identity components include something a person knows, like a password; an object the user possesses, like a token; and a trait unique to the user, like a fingerprint, in other words biometrics.
You can also manage privileged access. You can use a server that provides authentication, authorization and accounting (AAA) services to store access information for your network device management. An AAA server will also enable network administrators to assign different privilege levels to users based on the principle I mentioned before, least privilege. When a user tries to execute an unauthorized command, it will be rejected. If possible, implement what we call a hard-token authentication server in addition to the AAA server.
When you're using multi-factor authentication, what in essence it does is make it much more difficult for an intruder to steal and reuse credentials to gain access to your network devices.
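As an added example that is not from the lesson, here is the "something you have" factor in Python: the HOTP and TOTP algorithms from RFC 4226 and RFC 6238, which are what hardware and software tokens compute, plus a server-side verifier that tolerates one step of clock drift and refuses to accept the same time step twice. It illustrates the second factor only; it assumes the password (something you know) has already been checked by your AAA server, and the key used below is the RFCs' published test key, not a production value.

```python
"""Added example: HOTP/TOTP second factor (RFC 4226 / RFC 6238) with a
replay-safe verifier. The RFC test key below is for demonstration only.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce to the requested digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of 'step'-second
    intervals since the Unix epoch."""
    return hotp(secret, int(now // step), digits)


def provision_secret(nbytes: int = 20) -> str:
    """Generate a fresh shared secret, base32-encoded the way authenticator
    apps and many hardware tokens expect it to be entered."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


class TotpVerifier:
    """Server side of the check. Accepts the current step and 'drift' steps
    either side to absorb clock skew, and remembers the last accepted step so
    a captured code cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        current = int(now // self.step)
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_step:
                continue                      # already used (or older): reject
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False


# RFC 4226 / RFC 6238 shared test key (ASCII "12345678901234567890").
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_KEY)
    code = totp(RFC_TEST_KEY, time.time())
    print("first use accepted:", verifier.verify(code))   # True
    print("replay accepted:", verifier.verify(code))      # False
```

The replay check is the part most home-grown implementations skip: without it, a code phished or sniffed from an unencrypted management session stays valid for the rest of its 30-second window plus the drift allowance.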
Again, we also want to make sure we manage administrative credentials. You want to make sure you change the default passwords. Oftentimes these devices come with default passwords, and what we want to do is make sure we change them. Passwords should be at least eight characters long, and the system should allow passwords as long as 64 characters or greater.
We also want to check the password against a blacklist of unacceptable values, such as commonly used, expected or compromised passwords, and ensure all your stored passwords are salted and hashed. Make sure you keep your password store for emergency access in a protected off-network location such as a safe.
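To show the credential rules above in code, here is an added example in Python that is not from the lesson: a policy check for the length and blocklist rules, and salted password hashing with PBKDF2-HMAC-SHA256 from the standard library for the password store. The blocklist is a tiny constructed set (in practice you load a large list of common and breached passwords), and the iteration count is an assumption to tune to your hardware.

```python
"""Added example: password policy check and salted, hashed password storage.

The blocklist is a constructed sample; use a real breached-password list.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Set

MIN_LENGTH = 8              # at least eight characters (lesson requirement)
MAX_LENGTH = 128            # must accept at least 64; we allow up to 128
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware

# Constructed blocklist: vendor defaults plus common and breached passwords.
BLOCKLIST: Set[str] = {"password", "admin", "cisco", "123456", "letmein", "default"}


def check_password(candidate: str, blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the policy violations for a candidate password (empty = OK)."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Compare case-insensitively so 'Cisco' or 'ADMIN' do not slip through.
    if candidate.lower() in blocklist:
        problems.append("on the blocklist of common, expected or compromised passwords")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'. A fresh 16-byte
    random salt per password means identical passwords hash differently and
    precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def set_device_password(store: Dict[str, str], device: str, new_password: str) -> List[str]:
    """Change a device's admin credential: refuse anything that violates policy,
    otherwise keep only the salted hash (never the clear-text password)."""
    problems = check_password(new_password)
    if not problems:
        store[device] = hash_password(new_password)
    return problems


if __name__ == "__main__":
    credentials: Dict[str, str] = {}
    print(set_device_password(credentials, "core-sw-1", "cisco"))      # rejected
    print(set_device_password(credentials, "core-sw-1", "correct horse battery staple"))
    print(verify_password("correct horse battery staple", credentials["core-sw-1"]))
```

Note that the blocklist check is the one that catches the vendor default: "cisco" fails on length too, but "Admin123" or a manufacturer's longer default string would only be caught by the list, so keep the list current.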
In terms of performing out-of-band management: out-of-band management uses alternate communication paths to remotely manage network infrastructure devices. These dedicated communication paths can vary in configuration to include anything from virtual tunneling to physical separation.
Using out-of-band access to manage the network infrastructure will strengthen your security by limiting access and separating user traffic from your network management traffic.
Again, what we call out-of-band management can be implemented physically, virtually, or through a hybrid of the two.
As for recommendations in regard to out-of-band management: segregate your standard network traffic from your management traffic, and ensure that management traffic on devices comes only from the out-of-band path. Apply encryption to all of your management channels and encrypt all remote access to your infrastructure devices, such as your terminal or dial-in servers.
Make sure you manage all administrative functions from a dedicated, fully patched host over a secure channel, preferably out-of-band.
You want to harden your network infrastructure management devices by testing your patches, turning off unnecessary services on your routers and switches, and enforcing strong password policies. You also want to monitor the network and review your logs periodically, and implement access controls that only permit required administrative or management services, such as SNMP, Network Time Protocol, Secure Shell and so forth.
Another thing we can do is validate the integrity of the hardware and software. Illegitimate hardware and software represent a serious risk to user information and the overall integrity of your network environment.
Do you want to purchase products from secondary markets? When you purchase products from secondary markets, they carry the risk of acquiring counterfeit, stolen or second-hand devices because of supply chain breaches. Compromised hardware and software can affect your network performance and compromise the confidentiality, the integrity or the availability of your network assets.
Now, for the recommendations to mitigate this: maintain strict control of the supply chain and purchase only from authorized resellers. Require resellers to enforce integrity checks of the supply chain to validate hardware and software authenticity. Upon installation, make sure that you inspect all devices for signs of tampering.
Validate serial numbers from multiple sources, and download software, updates, patches and upgrades from validated sources.
You also want to perform hash verification and compare the values against the vendor's database to detect unauthorized modification to the firmware. You want to monitor and log devices, and verify the network configuration of the devices on a regular schedule.
You want to train your network owners, your administrators and your procurement personnel to increase awareness of gray-market devices.
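Here is an added example, not from the lesson, of the hash-verification step in Python: parse a vendor-style manifest of published SHA-256 values (the format `sha256sum` prints), hash the downloaded images, and report any that do not match or are not listed at all. The image bytes and the manifest are constructed for the demonstration; the real check compares against digests obtained from the vendor's site or database over a separate trusted channel, and a mismatch means the image does not get installed.

```python
"""Added example: verify downloaded firmware images against vendor-published
SHA-256 digests. Image contents and manifest here are constructed samples.
"""
import hashlib
import hmac
from typing import Dict

CHUNK = 1 << 20   # hash 1 MiB at a time so large images do not need one big buffer


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, computed in chunks."""
    h = hashlib.sha256()
    view = memoryview(data)
    for i in range(0, len(view), CHUNK):
        h.update(view[i:i + CHUNK])
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256sum'-style lines: '<hex digest>  <filename>'. Blank lines
    and '#' comments are ignored; digests are normalised to lower case."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        manifest[name.strip().lstrip("*")] = digest.lower()
    return manifest


def verify_images(images: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """For each local image return 'ok', 'MISMATCH' (modified or corrupt) or
    'NOT IN MANIFEST' (nothing published to compare against: treat as untrusted)."""
    results: Dict[str, str] = {}
    for name, data in images.items():
        expected = manifest.get(name)
        if expected is None:
            results[name] = "NOT IN MANIFEST"
            continue
        actual = sha256_hex(data)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def safe_to_install(results: Dict[str, str]) -> bool:
    """Only install when every image verified; one bad image blocks the batch."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed sample: two 'good' images as the vendor shipped them, the digests
# the vendor would publish for them, a bootloader copy with one bit altered in
# transit, and a build the vendor never published.
GOOD_IMAGE = b"EDGE-RTR-1 firmware 4.2.1\x00" + bytes(range(256)) * 4
GOOD_BOOTLOADER = b"BOOT 1.0\x00" + bytes(range(64))
_tampered = bytearray(GOOD_BOOTLOADER)
_tampered[20] ^= 0x01
TAMPERED_BOOTLOADER = bytes(_tampered)

VENDOR_MANIFEST = (
    "# edge-rtr-1 release 4.2.1 (constructed manifest)\n"
    f"{sha256_hex(GOOD_IMAGE)}  edge-rtr-1-4.2.1.bin\n"
    f"{sha256_hex(GOOD_BOOTLOADER)}  bootloader-1.0.bin\n"
)

DOWNLOADS = {
    "edge-rtr-1-4.2.1.bin": GOOD_IMAGE,
    "bootloader-1.0.bin": TAMPERED_BOOTLOADER,
    "edge-rtr-1-4.3.0-beta.bin": b"unreleased build",
}

if __name__ == "__main__":
    results = verify_images(DOWNLOADS, parse_manifest(VENDOR_MANIFEST))
    for name, status in results.items():
        print(f"{status:16}{name}")
    print("safe to install:", safe_to_install(results))
```

A single flipped bit in the bootloader is enough to change the digest completely, which is why a hash comparison catches tampering that a file-size or version-string check never would; the weak point is the manifest itself, so fetch it from the vendor directly rather than from the same mirror that served the image.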
That brings us to hardening your network infrastructure. You want to create a security baseline, harden your network devices, ensure the firmware is up to date, and make sure each device is securely configured; in other words, ensure that the management interfaces are secured.
Allocate network addresses carefully, and use the security features on your routers and switches. Enable port security, and enable dynamic ARP inspection to protect against ARP spoofing or poisoning attacks on switches. You want to make sure you enable DHCP snooping.
On your routers, you want to make sure you configure access control lists, and on your switches enable loop protection and flood guard features as well.
Also, employ best-of-breed network security systems such as your firewalls, your network intrusion detection systems and your network intrusion prevention systems, and use redundant security systems as well. At this point, we have a post-assessment question, which is a true or false question,
and the statement is: a fundamental way to ensure network infrastructure security is to safeguard networking devices with secure configurations. True or false?
If you said true, you're absolutely correct, because a fundamental way for you to ensure your network infrastructure security is to safeguard your network devices with secure configurations.
During this particular presentation, we highlighted network infrastructure devices, and we learned that they are the components of a network that transport the communications needed for data, applications, services and multimedia. We learned these devices include your routers, your firewalls, switches, servers, load balancers, intrusion detection systems, domain name systems and your storage area networks.
We also learned that we need to make sure we employ redundant security systems as well. In our upcoming presentation, we'll be moving on to a discussion of securing communications. I look forward to seeing you in the very next video.