[00:00:00] In this lesson, we're going to discuss a lot of the different types of remote access options that you may be supporting as a network technician or network administrator. These different methods will allow a client to access a server or a network device remotely over your network. Now, as an administrator, you're going to be using some of these methods to reach into the command line interface of your routers, your switches, and your firewalls as well, in order for you to be able to modify their settings and configurations as part of your job functions. Now, there are many ways to access this data remotely, and you can also control these devices remotely as well. So in this lesson, we're going to discuss Telnet, SSH, RDP, RDG, VNC, VDI, In-Band versus Out-of-Band Management, and APIs.

Now, the first thing we need to talk about with remote access technology is Telnet. Now, Telnet operates on Port 23, and Telnet is used to send text-based commands to remote devices and is considered a very old networking protocol.
[00:00:57] Everything you do in Telnet is going to be text-based, and here you can see that I'm connecting over Telnet to rainmaker.wunderground.com. By doing this, I can then look up the daily weather for my area. Now, one of the biggest drawbacks of using Telnet is that it sends everything over the network in plain text or unencrypted formats. Now, in this case, I really don't care that I'm sending things in plain text, because the only information I have to send to the server is the three-digit airport code for the city that I want to check the weather within. But if I'm going to send something private like my social security number or my password, or my credit card number, then I would never ever want to use Telnet for that. Remember, Telnet should never, never, not ever be used for anything when you're connecting to one of your secure devices, anything like a router or a switch or a firewall, because when you're configuring them, everything will be sent in plain text, including your commands, your username, your passwords, your access control lists, all of that stuff.
[00:01:52] Instead, we always want to use an encrypted text-based remote access technology, something like Secure Shell. This brings us to our second remote access technology, which is Secure Shell. Now, Secure Shell or SSH is going to operate over Port 22. Secure Shell is also known as SSH, and it works just like Telnet, but it's going to encrypt everything that's being sent and received between the client and the server, the router, or the switch that you're communicating with. Therefore, you're going to have much better security when you're using SSH than when you're using Telnet. Remember, anytime you need to connect to a networking device to configure it in the command line interface, you should always be doing this over SSH using Secure Shell. This will ensure you have an encrypted connection to that device.

The third remote access technology we need to discuss is known as RDP or the Remote Desktop Protocol. Now, the Remote Desktop Protocol operates over port 3389, and it's a proprietary protocol developed by Microsoft, which provides users with a graphical interface to connect to another computer over a network connection.
[00:02:54] While RDP is not really useful if you're trying to talk to a router, a switch, or a firewall, it is really useful when you're trying to remotely access and control a Windows server or client machine. For example, if your SIEM or network management system operates on a Windows machine, you can RDP into it as a way to connect to it over your local area network. RDP is going to provide you with a graphical user interface, known as a GUI. This allows you to access a server or desktop and control it using your mouse and keyboard. Now, when you're remotely connected to this machine, it's going to act just as if you were sitting in front of it, but you could do it from across the network or across the world. For example, here you can see there are three devices, and they're all connecting to a Windows 7 machine. You have a Macintosh laptop, you have an iPad or an Android tablet, and you have a cell phone, and all of these are able to reach in and do the communication using RDP, just as if I had a mouse and keyboard sitting right in front of that workstation.
[00:03:47] RDP is going to allow you to connect to these devices from across your network or across the world, depending on how you have it configured. Now, the Remote Desktop Protocol itself is not considered to be a secure protocol. Instead, you need to secure that connection by using something else to tunnel it over. For example, you can use a Remote Desktop Gateway or RDG to create a secure connection between you and that gateway and then tunnel into the RDP session. Or you can use a VPN, a virtual private network.

Now, our fourth remote access technology we need to discuss is the RDG or the Remote Desktop Gateway. Now, a Remote Desktop Gateway is a Windows server that's going to have the role of creating a secure connection using either SSL or TLS protocols to a server via RDP. So if you're using an RDG to secure your RDP client, this will allow you to create those secure server connections. This way, you wouldn't have to run a VPN to create an encrypted tunnel, because RDG is already going to create that encrypted tunnel using SSL or TLS protocols.
[00:04:46] A Remote Desktop Gateway provides several security features for you in terms of securing RDP connections. This includes things like creating encrypted tunnels like a VPN would, controlling access to network resources based on permissions and group roles, maintaining and enforcing authorization policies, and monitoring the status of the gateway and any RDP connections passing through that gateway. If you're running Windows Server 2008 or newer, you definitely should be using this RDG or Remote Desktop Gateway to better protect your RDP connections.

Now, the fifth remote access technology we need to discuss is VNC or Virtual Network Computing. VNC operates over port 5900 and was originally designed for thin client architectures and things like Virtual Desktop Infrastructure or VDI. VNC operates a lot like RDP, but unlike RDP, which only operates on Windows clients and servers, VNC is truly cross-platform, and it can be used on Linux, OS X, or Windows clients and servers.
[00:05:42] The sixth remote access technology to discuss is Virtual Desktop Infrastructure or VDI, which I just mentioned we use with VNC a lot of the time. Now, Virtual Desktop Infrastructure is used to host a desktop environment on a centralized server. VDI is a form of desktop virtualization and allows a specific desktop image to be run within a virtual machine and delivered to an end user over a network. In cloud computing, we call this Desktop as a Service or DaaS. Now, when you're using VDI, you can access it through a virtual desktop, either by using a web browser on a regular desktop or laptop, or you can use a specialized thin client device that uses a PXE network boot image to load up a specialized client that can connect to that centralized server and provide access to the virtual desktop.

Our seventh remote access technology or concept that we need to talk about is known as In-Band versus Out-of-Band Management. Now, In-Band management refers to managing devices through the use of Telnet or SSH protocols over the network.
[00:06:39] For example, if you're going to be using a workstation on your local area network to configure your LAN routers, you can connect to those using SSH by simply connecting to the gateway over Port 22. This would be considered In-Band management, because you're using the same network that you're configuring. Now, Out-of-Band Management, on the other hand, is used when you have an alternate path or alternate management network to connect to the different network devices for configuring them. This is considered a best practice in security. For example, in the last large-scale enterprise network I worked on, we had a production network where the users were connected; everyone's workstations were there to be able to do their work on a daily basis, and they could access our servers and the internet. From this network, you couldn't connect to the routers and switches in order to configure them, though. Instead, we had a separate network called a management network, which was an Out-of-Band Network.
[00:07:26] This was a more secure network, and it was limited in its functions. If I needed to configure the routers or switches, I would connect to the Out-of-Band Network, and then I could talk to those routers and switches and configure them. Another Out-of-Band Management connection would be if you had a laptop and you directly connected to the switch or router using a serial connection or a console port. Now, this direct connection is going to be established when you need to configure the router or switch, and when you're done doing that configuration, you'd unplug it and disconnect it. This is a truly Out-of-Band solution. Now, the goal with using an Out-of-Band solution is to prevent a regular user's machine from being able to connect to the management interfaces of your devices. This way, if a user's computer is taken over by an attacker, they would then be unable to cause large-scale havoc across your network.
[00:08:08] Now, by using an Out-of-Band network, you can provide separation of data between your production networks and your management networks, which gives you additional layers of security. Now, Out-of-Band networks do require additional configuration and equipment to implement, though. If you want to be able to have a management network and a user network, you're going to need two sets of routers and two sets of switches, and all that starts to get very expensive over time. Now, it is considered a best practice, especially in large-scale networks where you can't physically walk to every single switch or router that you want to reconfigure, so in those cases, you definitely need to have a management network.

Our eighth remote access technology we need to talk about is known as APIs. An API or Application Programming Interface is a set of protocols and routines for building and interacting with software applications. Essentially, it serves as an intermediary between different systems, allowing them to communicate and exchange data with each other.
[00:08:59] This is a key concept when discussing the use of service-oriented architectures to be able to include different systems and piece them all together. APIs allow for automated administration, management, and monitoring of cloud services, as well as many other different types of applications. They're typically built using either Representational State Transfer, known as REST, or the Simple Object Access Protocol, known as SOAP. When considering APIs, it's always important to think about their role in the integration that you're going to create, because APIs allow for direct integration of different third-party applications into your own web applications, and they provide a means for integrating different cloud services by configuring, provisioning, and automating a bunch of different business functions for us.

Remember, there are different types of remote access options that you may be supporting as a network technician or network administrator. These different methods will allow a client to access a server or a network device remotely over your network.
[00:09:52] Now, as an administrator, you're going to be using some of these methods to reach into the command line interface of your routers, your switches, and your firewalls as well, in order for you to be able to modify their settings and configurations using Telnet, SSH, RDP, RDG, VNC, VDI, In-Band versus Out-of-Band Management, and APIs.