WEBVTT

00:00:00.970 --> 00:00:05.400
A lot of network security starts with network security design.

00:00:06.340 --> 00:00:10.070
We have a very busy diagram here that tries to show some

00:00:10.070 --> 00:00:13.820
different network segments and so on, and we can see here a

00:00:13.820 --> 00:00:15.990
number of things that we want to look at.

00:00:16.260 --> 00:00:22.660
We have, for example, off on the left, internet access with customers,

00:00:22.660 --> 00:00:25.710
remote users, and the Internet of Things trying to get

00:00:25.710 --> 00:00:29.650
access. That traffic reaches a firewall.

00:00:30.020 --> 00:00:33.740
That firewall provides network segmentation to an

00:00:33.750 --> 00:00:36.210
extranet down below where we may have,

00:00:36.210 --> 00:00:40.710
for example, a VPN concentrator, a network access controller,

00:00:40.760 --> 00:00:45.350
we could have our wireless access points out there, or even

00:00:45.360 --> 00:00:48.020
Internet of Things connecting there as well.

00:00:48.840 --> 00:00:53.320
At the top, we see that firewall leads to a demilitarized zone,

00:00:53.400 --> 00:00:56.320
where we'll often have something like a web server.

00:00:56.770 --> 00:01:01.340
The difference between a demilitarized zone and an extranet is that a

00:01:01.340 --> 00:01:07.130
demilitarized zone is there for anybody. A customer who wants to come and

00:01:07.130 --> 00:01:12.120
access our systems from over the internet would be routed up into the

00:01:12.120 --> 00:01:16.890
demilitarized zone where they could then go and take a look at the data on our

00:01:16.890 --> 00:01:20.740
website, and that is really open for everybody.

00:01:21.220 --> 00:01:24.540
But if I have, for example, an employee who is working

00:01:24.540 --> 00:01:28.110
remotely and they want to gain access,

00:01:28.350 --> 00:01:31.100
then they'll be directed down into the extranet.

00:01:31.580 --> 00:01:36.590
The purpose of this is that the extranet is only there for people that

00:01:36.600 --> 00:01:42.050
are trusted or where we have set up some type of additional controls,

00:01:42.060 --> 00:01:45.090
much more than in a demilitarized zone.

00:01:45.830 --> 00:01:50.350
So that remote user may even have an encrypted communication using,

00:01:50.350 --> 00:01:54.710
say, for example, a virtual private network, and that virtual

00:01:54.710 --> 00:01:58.620
private network will terminate there in the extranet.

00:01:59.270 --> 00:02:03.600
That allows the traffic now to be in clear text to go back

00:02:03.600 --> 00:02:06.480
through the firewall towards the internal network.

00:02:06.650 --> 00:02:10.610
Now the firewall is able to examine that traffic, because when the

00:02:10.610 --> 00:02:14.360
traffic was encrypted, there's a good chance the firewall was very

00:02:14.360 --> 00:02:19.390
limited and unable to really see very much. When I deal with

00:02:19.400 --> 00:02:21.020
Internet of Things devices,

00:02:21.020 --> 00:02:25.520
maybe we have some types of sensors or controls that are communicating

00:02:25.520 --> 00:02:29.770
back to us about water level in a river, for example,

00:02:30.390 --> 00:02:34.810
those are using internet connections and those also are being routed

00:02:34.810 --> 00:02:38.840
down into an extranet because it is a trusted device.

00:02:39.420 --> 00:02:44.570
Now the advantage of the extranet is that it doesn't allow those devices or

00:02:44.570 --> 00:02:48.760
those remote users direct access to the internal network.

00:02:48.780 --> 00:02:55.080
It's a segment out there, and it allows us to do more analysis and

00:02:55.080 --> 00:02:58.640
checking to make sure that traffic is certainly appropriate.

00:02:59.140 --> 00:03:04.980
Now, we also see here the use of IDS, intrusion detection systems.

00:03:05.150 --> 00:03:09.600
We have one up towards the web server and the demilitarized zone.

00:03:09.830 --> 00:03:13.140
We have another one after the firewall into the internal

00:03:13.140 --> 00:03:17.610
network, and it is watching the traffic so it can see what

00:03:17.610 --> 00:03:19.040
made it through the firewall.

00:03:19.290 --> 00:03:23.070
Maybe things got through the firewall that we didn't really want, but we now

00:03:23.070 --> 00:03:28.100
have a record of that. Behind that, we have an intrusion prevention system,

00:03:28.100 --> 00:03:34.120
IPS. That works together with a firewall so that we have what we would call

00:03:34.120 --> 00:03:39.530
defense in depth or layered defense. If some type of malicious traffic did

00:03:39.530 --> 00:03:44.540
get through the firewall, hopefully the IPS, being a prevention system,

00:03:44.570 --> 00:03:50.890
would be able to stop that, the second layer of control we have. Then

00:03:50.890 --> 00:03:56.990
we have maybe servers and into our internal network, but we also have now

00:03:57.000 --> 00:04:03.490
another firewall that separates off other subdomains, and there we can also

00:04:03.490 --> 00:04:06.830
have intrusion detection and intrusion prevention systems,

00:04:06.930 --> 00:04:09.920
both on hosts and on networks.

00:04:10.710 --> 00:04:16.519
We see here that this internal network is then protected behind the firewall,

00:04:16.769 --> 00:04:22.630
but it's also segmented from other more internal networks, where we have now

00:04:22.780 --> 00:04:28.840
various virtual local area networks coming off of the switch. Each one of those

00:04:28.840 --> 00:04:34.110
VLANs would operate as if it's its own independent network. Even though they

00:04:34.110 --> 00:04:36.290
are the same physical network,

00:04:36.300 --> 00:04:41.900
they would operate as completely different logical segments.

00:04:43.100 --> 00:04:47.940
We know that it's important we protect the endpoints on the network.

00:04:48.060 --> 00:04:53.910
We deploy concepts like zero trust and firewalls to protect even a laptop,

00:04:53.910 --> 00:04:57.920
for example. But we know that one of the problems of the firewall is it can

00:04:57.920 --> 00:05:01.100
be a little bit blinded by encrypted traffic.

00:05:01.260 --> 00:05:06.560
That's, of course, the vulnerability of using a VPN, or virtual private

00:05:06.560 --> 00:05:11.760
network. Our laptops that we connect as part of our endpoints should have

00:05:11.760 --> 00:05:15.430
antivirus on them so they're able to pick up if there's some type of

00:05:15.440 --> 00:05:20.060
malicious or unwanted traffic. But there, of course, we need to make sure

00:05:20.060 --> 00:05:25.100
that those antivirus signatures are kept up to date, so as new malware is

00:05:25.100 --> 00:05:25.920
discovered,

00:05:26.200 --> 00:05:32.160
the signature is registered so our antivirus system knows to watch for it.

00:05:34.000 --> 00:05:38.650
We can also go to other types of network models such as the cloud.

00:05:38.650 --> 00:05:44.330
Maybe we use something like a cloud Software as a Service or Platform

00:05:44.330 --> 00:05:47.120
as a Service or Infrastructure as a Service.

00:05:47.650 --> 00:05:51.140
The difference is that in the case of Software as a Service,

00:05:51.300 --> 00:05:54.990
I'm buying a service where the application is then

00:05:54.990 --> 00:05:57.540
managed by the cloud service provider.

00:05:57.850 --> 00:06:00.140
Many of us do this if we watch,

00:06:00.150 --> 00:06:06.760
say, for example, some type of entertainment shows at home on our television,

00:06:06.770 --> 00:06:10.640
we actually subscribe to a service that then loads those

00:06:10.640 --> 00:06:14.420
movies or TV shows for us, and that would be a Software as

00:06:14.420 --> 00:06:15.960
a Service type of deployment.

00:06:16.990 --> 00:06:23.820
But that company that is then selling us the, should we say, streaming

00:06:23.820 --> 00:06:28.790
services, quite often they are also a cloud consumer.

00:06:28.800 --> 00:06:33.510
They are, for example, using one of the major cloud providers such as,

00:06:33.510 --> 00:06:41.120
say, Amazon or Microsoft, and we have, of course, Google as well, as some

00:06:41.120 --> 00:06:43.870
of the major ones to host their application.

00:06:44.580 --> 00:06:50.570
One of the most common, best-known streaming services actually is both

00:06:50.570 --> 00:06:55.580
a cloud provider themselves and Software as a Service selling us TV

00:06:55.580 --> 00:07:01.560
shows, and they are a cloud consumer, in that they are hosting their

00:07:01.560 --> 00:07:08.170
data and TV shows on an Amazon cloud, and that is called Platform as

00:07:08.170 --> 00:07:12.180
a Service, because they're using the cloud platform to run their

00:07:12.180 --> 00:07:12.970
application.

00:07:13.860 --> 00:07:18.690
We can also use something known as Infrastructure as a Service, and

00:07:18.690 --> 00:07:22.880
Infrastructure as a Service is where we have a cloud service provider

00:07:22.880 --> 00:07:25.250
that's providing the basic infrastructure,

00:07:25.250 --> 00:07:29.030
power, network, the building, heating, ventilation,

00:07:29.030 --> 00:07:32.130
air conditioning, but we are maybe even running our own

00:07:32.130 --> 00:07:34.830
equipment in that cloud provider's facility.

00:07:35.270 --> 00:07:39.410
And so these are different deployment models that we could look at

00:07:39.410 --> 00:07:42.490
depending on what our needs and what suits, say,

00:07:42.490 --> 00:07:43.160
for example,

00:07:43.170 --> 00:07:49.330
our business model best. One of the things that's helped many companies

00:07:49.340 --> 00:07:54.420
is to outsource a lot of their security, going to a managed security

00:07:54.420 --> 00:07:59.150
service, because it's hard for us to develop our own trained and

00:07:59.150 --> 00:08:05.500
competent staff often in order to make sure that we are able to manage

00:08:05.500 --> 00:08:08.020
our security program well ourselves.

00:08:08.580 --> 00:08:10.140
So we'll have a contract,

00:08:10.140 --> 00:08:14.340
for example, with a third party for certain services being provided.

00:08:14.960 --> 00:08:16.960
Do they monitor our networks?

00:08:16.960 --> 00:08:21.130
In some cases, even, we've seen that they

00:08:21.130 --> 00:08:23.320
will look after all of our hardware,

00:08:23.320 --> 00:08:28.120
our laptops, and so on as well, so when we have equipment,

00:08:28.120 --> 00:08:28.970
for example,

00:08:28.980 --> 00:08:32.450
we know that that is being managed by someone who probably

00:08:32.450 --> 00:08:35.159
gets a better price on it than we do as well.

00:08:35.919 --> 00:08:41.980
But it's good to have clear contracts. A memorandum of understanding,

00:08:41.990 --> 00:08:46.250
a memorandum of agreement, a service-level agreement,

00:08:46.260 --> 00:08:51.560
all of these help us to make sure that we have clear understanding of what

00:08:51.560 --> 00:08:56.370
services are provided and which ones aren't, because we don't want to have a

00:08:56.370 --> 00:08:59.580
situation where there is distrust and maybe,

00:08:59.580 --> 00:09:00.260
for example,

00:09:00.270 --> 00:09:04.160
allegations that one party or the other is not living

00:09:04.160 --> 00:09:06.430
up to their side of that agreement.

00:09:07.790 --> 00:09:11.710
Using a managed security service provider has a lot of benefits.

00:09:11.780 --> 00:09:19.090
They have a team of trained staff that looks after services for many companies,

00:09:19.130 --> 00:09:23.490
so therefore, there's economies of scale and very often they have a

00:09:23.490 --> 00:09:29.170
level of competence I can't develop with my own staff, so this has

00:09:29.170 --> 00:09:32.630
been a real advantage for many organizations.

00:09:33.920 --> 00:09:38.370
The Key Points Review. Network security is challenging.

00:09:38.370 --> 00:09:41.940
Why? Because networks are always changing,

00:09:42.240 --> 00:09:48.390
attacks are always evolving, and experienced staff can be very hard to find.

00:09:49.190 --> 00:09:55.820
We know that in the end security is the result of design, not just by chance.
