1
00:00:00,000 --> 00:00:02,190
In the last lesson, I introduced the concepts

2
00:00:02,190 --> 00:00:04,710
of zones and I started talking about screened subnets.

3
00:00:04,710 --> 00:00:07,140
In this lesson, I want to dig a little bit further into that,

4
00:00:07,140 --> 00:00:09,090
and then talk about how we can manage them.

5
00:00:09,090 --> 00:00:10,410
So the first thing I had mentioned

6
00:00:10,410 --> 00:00:12,840
was if you have an internet-facing host.

7
00:00:12,840 --> 00:00:14,220
Now, I didn't really go into what that was,

8
00:00:14,220 --> 00:00:15,300
so let me take a step here

9
00:00:15,300 --> 00:00:17,100
and go ahead and define it for you.

10
00:00:17,100 --> 00:00:18,870
When I'm talking about something that's internet-facing,

11
00:00:18,870 --> 00:00:21,690
like an internet-facing host or an internet-facing server,

12
00:00:21,690 --> 00:00:23,790
I'm talking about a host or server that accepts

13
00:00:23,790 --> 00:00:25,770
inbound connections from the internet.

14
00:00:25,770 --> 00:00:27,990
So if I have a web server in my screened subnet,

15
00:00:27,990 --> 00:00:30,090
that is an internet-facing host.

16
00:00:30,090 --> 00:00:31,920
So you can see here, again, if I bring up my diagram,

17
00:00:31,920 --> 00:00:33,840
I have my inside zone, my screened subnet,

18
00:00:33,840 --> 00:00:35,190
and my outside zone.

19
00:00:35,190 --> 00:00:38,490
In that screened subnet, I have two internet-facing hosts,

20
00:00:38,490 --> 00:00:40,980
I have an email server and a web server.

21
00:00:40,980 --> 00:00:42,600
Now, only the email and web servers

22
00:00:42,600 --> 00:00:44,370
that are in the screened subnet are going to be able

23
00:00:44,370 --> 00:00:46,530
to get traffic from the outside,

24
00:00:46,530 --> 00:00:48,570
even though they haven't requested it.
25
00:00:48,570 --> 00:00:50,760
So if you want to connect to my web server,

26
00:00:50,760 --> 00:00:52,650
you're going to go to diontraining.com,

27
00:00:52,650 --> 00:00:54,510
and it's going to go through my screened subnet

28
00:00:54,510 --> 00:00:57,480
into my web server, and then give you back your response.

29
00:00:57,480 --> 00:00:59,790
Now, if you wanted to get to PC2 or PC3

30
00:00:59,790 --> 00:01:01,950
in my inside network, you couldn't do that

31
00:01:01,950 --> 00:01:03,270
because the firewall would block you.

32
00:01:03,270 --> 00:01:05,250
Those are not internet-facing.

33
00:01:05,250 --> 00:01:06,810
They have access to the internet,

34
00:01:06,810 --> 00:01:08,250
but they're not facing the internet,

35
00:01:08,250 --> 00:01:10,830
meaning they are not open and waiting for a connection.

36
00:01:10,830 --> 00:01:11,663
And that's the difference

37
00:01:11,663 --> 00:01:13,590
when you're dealing with internet-facing hosts.

38
00:01:13,590 --> 00:01:15,240
Now, anytime you have internet-facing hosts,

39
00:01:15,240 --> 00:01:17,100
you want to place them into someplace secure,

40
00:01:17,100 --> 00:01:18,540
like your screened subnet.

41
00:01:18,540 --> 00:01:20,760
Now, your screened subnet is actually a segment

42
00:01:20,760 --> 00:01:23,250
that is isolated from the rest of the private network

43
00:01:23,250 --> 00:01:25,710
by one or more firewalls, and it's set up to accept

44
00:01:25,710 --> 00:01:28,620
connections from the internet over designated ports.

45
00:01:28,620 --> 00:01:30,390
Now, the reason we do this is we want to keep

46
00:01:30,390 --> 00:01:31,980
all those forward-facing servers

47
00:01:31,980 --> 00:01:34,320
out of our internal network.
48
00:01:34,320 --> 00:01:35,550
We don't want people from the internet

49
00:01:35,550 --> 00:01:36,630
touching our internal network,

50
00:01:36,630 --> 00:01:38,550
we only want them in our screened subnet,

51
00:01:38,550 --> 00:01:40,920
this place that is kind of this semi-trusted zone.

52
00:01:40,920 --> 00:01:43,320
And we know that anything that's behind the screened subnet,

53
00:01:43,320 --> 00:01:44,910
such as my inside zone,

54
00:01:44,910 --> 00:01:47,070
is actually invisible to the outside network.

55
00:01:47,070 --> 00:01:49,860
So if you start scanning my network from the outside,

56
00:01:49,860 --> 00:01:51,420
you're not going to see all those PCs

57
00:01:51,420 --> 00:01:53,340
inside of the inside zone.

58
00:01:53,340 --> 00:01:54,960
Instead, you're only going to see the web server

59
00:01:54,960 --> 00:01:57,390
and the email server, 'cause those are forward-facing

60
00:01:57,390 --> 00:01:59,040
and they're internet-facing.

61
00:01:59,040 --> 00:02:00,270
Now, the next thing we need to talk about

62
00:02:00,270 --> 00:02:01,710
in terms of the screened subnet is,

63
00:02:01,710 --> 00:02:04,260
what kind of stuff should you put in the screened subnet?

64
00:02:04,260 --> 00:02:06,540
You can see here that I have my email and my web server

65
00:02:06,540 --> 00:02:08,250
in the screened subnet, but any other kind

66
00:02:08,250 --> 00:02:10,350
of communication servers, proxy servers,

67
00:02:10,350 --> 00:02:11,520
or remote access servers

68
00:02:11,520 --> 00:02:13,260
should also be in the screened subnet.

69
00:02:13,260 --> 00:02:14,580
Anything that somebody from the internet

70
00:02:14,580 --> 00:02:17,520
needs access to should be placed in your screened subnet.

71
00:02:17,520 --> 00:02:19,590
This is essentially anything that provides public services,

72
00:02:19,590 --> 00:02:21,810
or even extranet capabilities.
73
00:02:21,810 --> 00:02:24,000
Any of your hosts that are in the screened subnet,

74
00:02:24,000 --> 00:02:26,820
we don't fully trust those, even though they're our devices.

75
00:02:26,820 --> 00:02:29,520
So we want to make sure that we harden them as best as we can.

76
00:02:29,520 --> 00:02:30,960
And we have to remember that those devices,

77
00:02:30,960 --> 00:02:32,250
because they're forward-facing,

78
00:02:32,250 --> 00:02:33,870
they could be touched by an attacker,

79
00:02:33,870 --> 00:02:35,670
they could be compromised by an attacker.

80
00:02:35,670 --> 00:02:37,200
So that's why they're not fully trusted

81
00:02:37,200 --> 00:02:38,460
to our internal network.

82
00:02:38,460 --> 00:02:41,040
And that's why we actually have it go through the firewall,

83
00:02:41,040 --> 00:02:42,810
anything that's going from the screened subnet

84
00:02:42,810 --> 00:02:44,490
to the inside, and from the inside

85
00:02:44,490 --> 00:02:45,840
back to the screened subnet.

86
00:02:45,840 --> 00:02:46,680
That's another good place

87
00:02:46,680 --> 00:02:49,020
to put intrusion detection systems, to make sure

88
00:02:49,020 --> 00:02:50,880
that you're catching anything that may be going

89
00:02:50,880 --> 00:02:53,160
from your screened subnet, because a common technique

90
00:02:53,160 --> 00:02:54,780
for an attacker is to compromise something

91
00:02:54,780 --> 00:02:56,580
in the screened subnet and then use that

92
00:02:56,580 --> 00:02:58,230
to pivot into your network.

93
00:02:58,230 --> 00:03:00,240
So you want to protect yourself against that.

94
00:03:00,240 --> 00:03:02,580
Now, any kind of host you put in the screened subnet

95
00:03:02,580 --> 00:03:05,370
should really be what we consider a bastion host.
96
00:03:05,370 --> 00:03:06,720
This is a host or server

97
00:03:06,720 --> 00:03:08,280
that we put into the screened subnet,

98
00:03:08,280 --> 00:03:10,650
which is not configured with any services

99
00:03:10,650 --> 00:03:12,300
that run on the local network.

100
00:03:12,300 --> 00:03:14,490
So I don't want to run something like Active Directory

101
00:03:14,490 --> 00:03:15,960
inside the screened subnet,

102
00:03:15,960 --> 00:03:18,270
that's an internal network service.

103
00:03:18,270 --> 00:03:19,560
Instead, I only want to run things

104
00:03:19,560 --> 00:03:20,760
that should be in the internet.

105
00:03:20,760 --> 00:03:23,160
Things like email, things like web,

106
00:03:23,160 --> 00:03:25,950
things like remote access, those things can be hardened

107
00:03:25,950 --> 00:03:27,870
and put into the screened subnet, because we know

108
00:03:27,870 --> 00:03:30,150
that they're going to be more vulnerable to attack.

109
00:03:30,150 --> 00:03:31,890
Now, when we want to configure our devices

110
00:03:31,890 --> 00:03:34,170
inside the screened subnet, what are we going to do?

111
00:03:34,170 --> 00:03:36,960
Well, we're going to use something known as a jumpbox.

112
00:03:36,960 --> 00:03:39,900
Now, a jumpbox is a hardened server that provides access

113
00:03:39,900 --> 00:03:41,940
to other hosts within the screened subnet.

114
00:03:41,940 --> 00:03:43,980
So essentially, we have this one server,

115
00:03:43,980 --> 00:03:46,350
and it is what can talk to the screened subnet.

116
00:03:46,350 --> 00:03:48,960
And we configure all the access control to make sure

117
00:03:48,960 --> 00:03:50,730
that only the jumpbox can communicate

118
00:03:50,730 --> 00:03:53,010
from the internal network to the screened subnet.

119
00:03:53,010 --> 00:03:54,780
Now, because of that, that jumpbox

120
00:03:54,780 --> 00:03:57,540
has to be heavily hardened, it needs to be protected.
121
00:03:57,540 --> 00:03:59,730
And what ends up happening is the administrator will connect

122
00:03:59,730 --> 00:04:02,010
to the jumpbox and then the jumpbox will connect

123
00:04:02,010 --> 00:04:03,273
to the host and the screened subnet.

124
00:04:03,273 --> 00:04:04,530
Then I call a jumpbox,

125
00:04:04,530 --> 00:04:06,360
'cause we're almost pivoting off of it.

126
00:04:06,360 --> 00:04:08,040
We're going to connect from me to the jumpbox,

127
00:04:08,040 --> 00:04:10,290
and the jumpbox to the server I want to configure,

128
00:04:10,290 --> 00:04:12,180
and that's why we call it a jumpbox.

129
00:04:12,180 --> 00:04:14,310
Now, this jumpbox can be a physical PC

130
00:04:14,310 --> 00:04:17,010
or it can be a virtual machine, either one is fine.

131
00:04:17,010 --> 00:04:19,500
A lot of people use virtual machines as a jumpbox

132
00:04:19,500 --> 00:04:22,290
because you can have it hardened and secured.

133
00:04:22,290 --> 00:04:23,790
You can use it for the time you need,

134
00:04:23,790 --> 00:04:25,800
and then destroy it and rebuild a new one,

135
00:04:25,800 --> 00:04:27,780
because it's very quick to rebuild an image

136
00:04:27,780 --> 00:04:29,490
from a virtual machine if you already have

137
00:04:29,490 --> 00:04:30,720
a known good image.

138
00:04:30,720 --> 00:04:32,760
And so, a lot of people will do it that way.

139
00:04:32,760 --> 00:04:34,890
Now, the jumpbox and the management workstation

140
00:04:34,890 --> 00:04:36,840
that you're using to connect to that jumpbox

141
00:04:36,840 --> 00:04:39,300
should have only the minimum required software

142
00:04:39,300 --> 00:04:42,240
to perform their job, and they should be well hardened.

143
00:04:42,240 --> 00:04:45,000
Again, this is the one box that has the permissions

144
00:04:45,000 --> 00:04:47,490
to go through the firewall and touch the screened subnet

145
00:04:47,490 --> 00:04:48,930
from your internal network.
146
00:04:48,930 --> 00:04:51,780
So you want to make sure it is well protected.

147
00:04:51,780 --> 00:04:53,730
This is why you want to make sure that management workstation

148
00:04:53,730 --> 00:04:55,710
and the jumpbox are fully hardened,

149
00:04:55,710 --> 00:04:57,960
and they have the least amount of software on them

150
00:04:57,960 --> 00:05:00,660
to make sure they're fully hardened and fully secured.