1
00:00:00,090 --> 00:00:00,930
In this lesson,

2
00:00:00,930 --> 00:00:03,330
we're going to discuss segmentation zones.

3
00:00:03,330 --> 00:00:05,250
Using our firewalls, boundary devices,

4
00:00:05,250 --> 00:00:06,660
and access control lists,

5
00:00:06,660 --> 00:00:08,280
we can create segmentation zones

6
00:00:08,280 --> 00:00:10,410
and we can set up rules based on these zones

7
00:00:10,410 --> 00:00:12,690
so that all the inside rules apply to these interfaces

8
00:00:12,690 --> 00:00:13,830
and all the outside rules apply

9
00:00:13,830 --> 00:00:15,720
to those interfaces over there.

10
00:00:15,720 --> 00:00:17,550
Now, when it comes to segmentation zones,

11
00:00:17,550 --> 00:00:19,860
we're going to have three main zones that we talk about.

12
00:00:19,860 --> 00:00:23,460
These are the trusted, untrusted and screened subnet zones.

13
00:00:23,460 --> 00:00:25,140
Now, the first zone we have is what's known

14
00:00:25,140 --> 00:00:27,690
as the trusted zone or the inside zone.

15
00:00:27,690 --> 00:00:30,180
When you think about this, this is your local area network,

16
00:00:30,180 --> 00:00:31,860
and it really is your intranet.

17
00:00:31,860 --> 00:00:32,692
Anytime you're connecting

18
00:00:32,692 --> 00:00:34,170
to your corporate local area network,

19
00:00:34,170 --> 00:00:35,790
you're really talking about being inside

20
00:00:35,790 --> 00:00:37,470
of this trusted zone.

21
00:00:37,470 --> 00:00:39,570
And anytime you start talking about things outside of that,

22
00:00:39,570 --> 00:00:41,100
you start going into the next zone,

23
00:00:41,100 --> 00:00:43,890
which is called the untrusted or outside zone.

24
00:00:43,890 --> 00:00:45,330
This is going to be things like the internet

25
00:00:45,330 --> 00:00:47,550
or other networks that you may connect to.

26
00:00:47,550 --> 00:00:50,100
Now there's a third zone that we have that's kind of trusted

27
00:00:50,100 --> 00:00:51,510
and kind of untrusted,

28
00:00:51,510 --> 00:00:53,820
and so we call this a screened subnet.

29
00:00:53,820 --> 00:00:56,010
In the screened subnet, we're going to connect devices

30
00:00:56,010 --> 00:00:58,410
that should have some restricted access from the untrusted

31
00:00:58,410 --> 00:01:01,380
or outside zone, like our web servers and email servers,

32
00:01:01,380 --> 00:01:03,120
but they still aren't necessarily trusted

33
00:01:03,120 --> 00:01:04,650
by our internal networks either,

34
00:01:04,650 --> 00:01:06,720
and so they're not part of our trusted zones.

35
00:01:06,720 --> 00:01:08,520
This is kind of this in-between land,

36
00:01:08,520 --> 00:01:11,340
between the trusted inside and the untrusted outside,

37
00:01:11,340 --> 00:01:12,930
and it really is the part of your network

38
00:01:12,930 --> 00:01:15,000
where we're going to segment off this screened subnet

39
00:01:15,000 --> 00:01:17,400
so we can apply various boundary defenses to protect things

40
00:01:17,400 --> 00:01:20,310
that we need inside of the screened subnet like web servers,

41
00:01:20,310 --> 00:01:22,980
email servers, and other publicly accessible servers

42
00:01:22,980 --> 00:01:24,780
that people need to access from the internet

43
00:01:24,780 --> 00:01:26,790
and from your internal network.

44
00:01:26,790 --> 00:01:28,680
That's the idea of this screened subnet,

45
00:01:28,680 --> 00:01:30,720
is this semi-trusted area.

46
00:01:30,720 --> 00:01:32,430
Now what does this really look like?

47
00:01:32,430 --> 00:01:35,760
Well, here's an example where I have three PCs and a switch.

48
00:01:35,760 --> 00:01:37,500
Now here we're going to see that we can tie this all

49
00:01:37,500 --> 00:01:39,030
into a firewall and allow traffic

50
00:01:39,030 --> 00:01:40,830
to go between certain zones.

51
00:01:40,830 --> 00:01:43,140
Then we have the screened subnet where my email

52
00:01:43,140 --> 00:01:45,930
and web servers are going to be located up there at the top.

53
00:01:45,930 --> 00:01:47,250
Then I have this untrusted

54
00:01:47,250 --> 00:01:49,680
or outside internet zone over there.

55
00:01:49,680 --> 00:01:51,750
Now, if I have this untrusted internet,

56
00:01:51,750 --> 00:01:53,100
am I going to allow traffic to go

57
00:01:53,100 --> 00:01:56,100
to my trusted internal network or my inside network?

58
00:01:56,100 --> 00:01:57,900
Well, no, because I don't trust it.

59
00:01:57,900 --> 00:01:59,490
I don't trust things on the internet.

60
00:01:59,490 --> 00:02:02,010
So the only reason I'd let traffic come in from the internet

61
00:02:02,010 --> 00:02:04,530
to my internal zone or that trusted zone,

62
00:02:04,530 --> 00:02:07,770
is if somebody from inside that zone asked for a resource.

63
00:02:07,770 --> 00:02:09,060
For example, if you're sitting

64
00:02:09,060 --> 00:02:11,400
on your corporate network right now watching this video,

65
00:02:11,400 --> 00:02:14,610
you went and accessed our website to request this video.

66
00:02:14,610 --> 00:02:16,950
You made a request out from the internal zone

67
00:02:16,950 --> 00:02:18,840
to the internet, and that opened up

68
00:02:18,840 --> 00:02:20,700
in your stateful firewall, a port,

69
00:02:20,700 --> 00:02:23,280
that allowed the return traffic to come back in.

70
00:02:23,280 --> 00:02:25,500
So in general, we're going to block most things coming

71
00:02:25,500 --> 00:02:27,360
from the internet to your internal zone,

72
00:02:27,360 --> 00:02:30,030
unless it's specifically asked for by a user

73
00:02:30,030 --> 00:02:32,100
by doing something like visiting a website

74
00:02:32,100 --> 00:02:33,810
or downloading a file.

75
00:02:33,810 --> 00:02:36,840
Now, from my internal zone to my screened subnet, again,

76
00:02:36,840 --> 00:02:39,120
I really don't fully trust that screened subnet.

77
00:02:39,120 --> 00:02:40,620
So I'm going to treat it like the internet

78
00:02:40,620 --> 00:02:42,150
from our internal network.

79
00:02:42,150 --> 00:02:44,340
Here, if we request information from the email

80
00:02:44,340 --> 00:02:46,620
or web server inside of that screened subnet,

81
00:02:46,620 --> 00:02:48,120
we'll get the return traffic

82
00:02:48,120 --> 00:02:49,740
and that's good for us because we want to be able

83
00:02:49,740 --> 00:02:50,850
to get those things.

84
00:02:50,850 --> 00:02:53,250
But in general, we're going to block a lot of traffic

85
00:02:53,250 --> 00:02:55,200
between our internal or trusted zone

86
00:02:55,200 --> 00:02:57,480
and the semi-trusted or screened subnet

87
00:02:57,480 --> 00:02:58,980
that we're talking about.

88
00:02:58,980 --> 00:03:00,780
Then let's talk about the screened subnet

89
00:03:00,780 --> 00:03:03,930
and as it goes over to the untrusted or outside zone.

90
00:03:03,930 --> 00:03:05,550
This screened subnet should always be able

91
00:03:05,550 --> 00:03:06,630
to go out to the internet

92
00:03:06,630 --> 00:03:09,000
and request whatever it wants from the outside.

93
00:03:09,000 --> 00:03:09,990
That's okay.

94
00:03:09,990 --> 00:03:11,070
And then in addition to that,

95
00:03:11,070 --> 00:03:12,660
we're going to have certain things that can come back

96
00:03:12,660 --> 00:03:14,220
into the screened subnet.

97
00:03:14,220 --> 00:03:16,290
For example, if I'm hosting an email server

98
00:03:16,290 --> 00:03:18,180
inside the screened subnet, I'm going to have

99
00:03:18,180 --> 00:03:21,030
to have some ports open like port 25 if I want to be able

100
00:03:21,030 --> 00:03:23,790
to send emails or port 110 if I want to be able

101
00:03:23,790 --> 00:03:25,650
to receive mail using POP3

102
00:03:25,650 --> 00:03:29,370
or port 143 if I want to receive email using IMAP.

103
00:03:29,370 --> 00:03:31,230
These types of email services need to be able

104
00:03:31,230 --> 00:03:33,150
to have inbound traffic from the internet

105
00:03:33,150 --> 00:03:35,910
because that's what an email server is designed to do,

106
00:03:35,910 --> 00:03:38,640
to serve those emails up to those users.

107
00:03:38,640 --> 00:03:40,380
The same thing would hold true for a web server

108
00:03:40,380 --> 00:03:42,000
inside of the screened subnet.

109
00:03:42,000 --> 00:03:43,500
We would have to open up ports 80

110
00:03:43,500 --> 00:03:45,840
and port 443 to allow for unsecure

111
00:03:45,840 --> 00:03:48,930
and secure web browsing from the internet to that web server

112
00:03:48,930 --> 00:03:51,600
that we're hosting inside of our screened subnet.

113
00:03:51,600 --> 00:03:54,240
Now, if we're running a web server, people from outside

114
00:03:54,240 --> 00:03:56,610
of our network will also want to get to those web servers,

115
00:03:56,610 --> 00:03:59,310
but so do people from inside of our network too.

116
00:03:59,310 --> 00:04:01,140
And that's why the screened subnet is considered

117
00:04:01,140 --> 00:04:02,850
to be this semi-trusted zone

118
00:04:02,850 --> 00:04:04,770
because people from outside of our network,

119
00:04:04,770 --> 00:04:06,480
those on the internet, can actually reach in

120
00:04:06,480 --> 00:04:08,488
and touch the devices that are being hosted inside

121
00:04:08,488 --> 00:04:11,100
that screened subnet if those ports are open.

122
00:04:11,100 --> 00:04:12,570
And we don't want people reaching in

123
00:04:12,570 --> 00:04:14,070
and touching our internal network,

124
00:04:14,070 --> 00:04:16,649
so we keep these servers in this semi-trusted zone

125
00:04:16,649 --> 00:04:18,660
called a screened subnet.

126
00:04:18,660 --> 00:04:20,130
Now we can really lock it down

127
00:04:20,130 --> 00:04:21,779
and put a lot of protections in place

128
00:04:21,779 --> 00:04:23,610
because we now have this screened subnet

129
00:04:23,610 --> 00:04:25,500
and we have a choke point in our networks.

130
00:04:25,500 --> 00:04:27,720
So we could put things like intrusion detection systems,

131
00:04:27,720 --> 00:04:29,280
intrusion prevention systems.

132
00:04:29,280 --> 00:04:30,840
We could put things like firewalls

133
00:04:30,840 --> 00:04:32,340
and unified threat management systems

134
00:04:32,340 --> 00:04:34,140
and other things like that to make sure

135
00:04:34,140 --> 00:04:35,700
that we're checking data as it's coming

136
00:04:35,700 --> 00:04:37,320
into those screened subnets

137
00:04:37,320 --> 00:04:38,970
so we can better protect those web servers

138
00:04:38,970 --> 00:04:41,280
and email servers that we're hosting there.

139
00:04:41,280 --> 00:04:43,860
But if we didn't have any access to the outside world,

140
00:04:43,860 --> 00:04:46,380
this email server and web server wouldn't be very useful,

141
00:04:46,380 --> 00:04:48,240
and it wouldn't provide any kind of functionality

142
00:04:48,240 --> 00:04:51,060
to our users who are located outside of the network.

143
00:04:51,060 --> 00:04:53,430
And that's the idea of using a screened subnet.

144
00:04:53,430 --> 00:04:55,140
It really is this semi-trusted zone

145
00:04:55,140 --> 00:04:56,850
between our inside or trusted zone

146
00:04:56,850 --> 00:04:58,830
and the outside or untrusted zone.

147
00:04:58,830 --> 00:05:00,000
And it's important to understand

148
00:05:00,000 --> 00:05:02,400
how you can use this when you're hosting different servers

149
00:05:02,400 --> 00:05:04,653
and services inside of your networks.