WEBVTT

00:00.109 --> 00:02.820
>> Welcome to Module 2,

00:02.820 --> 00:06.510
Lesson 1, network security
architecture part 1.

00:06.510 --> 00:08.340
The learning objectives for

00:08.340 --> 00:09.870
this lesson are to demonstrate

00:09.870 --> 00:11.160
how intrusion detection and

00:11.160 --> 00:12.974
prevention aid in security,

00:12.974 --> 00:16.335
describe the types of
perimeter security devices,

00:16.335 --> 00:17.880
and utilize sensors on

00:17.880 --> 00:19.839
a network to
improve security.

00:19.839 --> 00:24.270
>> Let's get started. An
intrusion detection system

00:24.270 --> 00:25.560
also known as IDS,

00:25.560 --> 00:28.080
is basically an alarm
system for your network.

00:28.080 --> 00:29.970
We have two broad types of

00:29.970 --> 00:31.560
intrusion detection
systems and these

00:31.560 --> 00:34.045
are host-based and
network-based.

00:34.045 --> 00:36.080
The key point to remember about

00:36.080 --> 00:37.850
an intrusion detection
system is that

00:37.850 --> 00:41.495
it just monitors and alerts
for signs of an attack.

00:41.495 --> 00:44.390
It's not going to take any
action on any of the alerts

00:44.390 --> 00:46.400
that happen other than letting

00:46.400 --> 00:48.019
you know that it happened.

00:48.019 --> 00:50.930
>> All intrusion detection
systems make use of

00:50.930 --> 00:53.344
the following three
analysis techniques.

00:53.344 --> 00:55.040
These are signature-based which

00:55.040 --> 00:56.930
works like antivirus
where it has

00:56.930 --> 00:58.700
a database of signatures
and if something

00:58.700 --> 01:00.995
matches one of those
signatures, it will trigger.

01:00.995 --> 01:02.390
Anomaly-based,

01:02.390 --> 01:05.015
looking for things that
are out of the ordinary,

01:05.015 --> 01:07.130
and behavior-based
which is very similar,

01:07.130 --> 01:08.600
it monitors a baseline of

01:08.600 --> 01:11.630
what behavior is normal
on a network or a device,

01:11.630 --> 01:13.610
and when it sees things
that are outside of

01:13.610 --> 01:17.160
that normal behavior then
it will trigger an alert.

01:18.430 --> 01:20.990
We also have wireless intrusion

01:20.990 --> 01:22.975
detection systems or WIDS.

01:22.975 --> 01:24.710
These devices are looking

01:24.710 --> 01:27.065
for attacks on a
wireless network.

01:27.065 --> 01:28.280
For example, looking for

01:28.280 --> 01:30.740
rogue access points
or evil twins,

01:30.740 --> 01:32.510
looking for devices that are on

01:32.510 --> 01:34.615
the network that are not
supposed to be there,

01:34.615 --> 01:36.680
any signs of a denial of service

01:36.680 --> 01:39.620
attack or also MAC
address spoofing.

01:39.620 --> 01:43.505
The device in the top right
is a Hak5 WiFi Pineapple.

01:43.505 --> 01:46.070
These devices are
purpose-built to perform these

01:46.070 --> 01:49.040
types of attacks for penetration
testing on a network.

01:49.040 --> 01:52.130
The device in the bottom
is a pocket Deauther.

01:52.130 --> 01:53.195
This device can send

01:53.195 --> 01:56.255
deauthorization frames to

01:56.255 --> 01:58.805
a wireless access point
to kick off clients.

01:58.805 --> 02:00.910
When those clients re-establish

02:00.910 --> 02:02.585
then the handshake is captured,

02:02.585 --> 02:04.310
this can be taken
offline and cracked,

02:04.310 --> 02:05.960
and then you have the
password for the network.

02:05.960 --> 02:07.520
It can also be used as

02:07.520 --> 02:09.470
a denial-of-service
attack device

02:09.470 --> 02:13.470
blocking all clients from
connecting to a network.

02:14.020 --> 02:16.585
Intrusion prevention systems or

02:16.585 --> 02:18.405
IPS take this a step further.

02:18.405 --> 02:21.110
They do the same thing as an
intrusion detection system,

02:21.110 --> 02:23.060
but once something is detected,

02:23.060 --> 02:24.590
they will take action on it.

02:24.590 --> 02:25.910
For example, they can reset

02:25.910 --> 02:28.415
connections or even block
traffic altogether.

02:28.415 --> 02:29.930
The key point to remember about

02:29.930 --> 02:31.910
an intrusion
prevention system is

02:31.910 --> 02:32.990
that it must be placed

02:32.990 --> 02:35.555
inline on the network
to monitor traffic.

02:35.555 --> 02:38.150
If it can't see all of the
traffic on the network,

02:38.150 --> 02:41.610
then it can't take action
when it detects something.

02:41.610 --> 02:44.440
Wireless intrusion
prevention systems can

02:44.440 --> 02:46.540
go as far as to block
different clients from

02:46.540 --> 02:48.640
being on the network and

02:48.640 --> 02:51.860
stopping denial of
service attacks.

02:53.270 --> 02:56.230
Traffic mirroring, this is also

02:56.230 --> 02:58.990
known as port mirroring
or SPAN ports.

02:58.990 --> 03:00.805
This is where you allow

03:00.805 --> 03:02.050
another switch port to

03:02.050 --> 03:04.810
intercept all of the
traffic on the switch.

03:04.810 --> 03:08.455
On switches, traffic
typically goes to one port

03:08.455 --> 03:09.940
only so if you want to

03:09.940 --> 03:11.935
see all the traffic that's
going through the switch,

03:11.935 --> 03:14.525
you have to build a mirror
using something like this.

03:14.525 --> 03:17.040
This allows you to sniff all
the traffic on the network,

03:17.040 --> 03:18.910
you could run it through
a protocol analyzer

03:18.910 --> 03:20.440
such as Wireshark or

03:20.440 --> 03:22.735
pipe it into your network
intrusion detection system

03:22.735 --> 03:24.980
so that they can see everything.

03:27.770 --> 03:31.705
Perimeter security
devices. The first one,

03:31.705 --> 03:34.075
you probably all are
familiar with is a router.

03:34.075 --> 03:36.265
A router in its
most basic sense,

03:36.265 --> 03:38.050
forwards traffic from
one network to

03:38.050 --> 03:40.360
another by checking
IP addresses.

03:40.360 --> 03:41.935
But in doing that,

03:41.935 --> 03:43.450
it is able to determine

03:43.450 --> 03:45.100
should this traffic
be forwarded,

03:45.100 --> 03:47.980
should it be blocked, should
it be sent somewhere else?

03:47.980 --> 03:50.515
We can do that with
access control lists.

03:50.515 --> 03:54.475
Routers are often a
first-line inside the network

03:54.475 --> 03:56.680
of defense by preventing

03:56.680 --> 03:58.945
traffic from going
to different places.

03:58.945 --> 04:02.110
Load balancers inspect
the incoming web traffic,

04:02.110 --> 04:03.460
and then it will redirect it to

04:03.460 --> 04:05.320
the available web
servers behind it.

04:05.320 --> 04:06.910
This is usually associated with

04:06.910 --> 04:09.560
availability and
fault tolerance.

04:11.000 --> 04:13.605
Network address translation.

04:13.605 --> 04:15.640
If you're using a
router at your house,

04:15.640 --> 04:16.960
maybe the one that your internet

04:16.960 --> 04:18.520
service provider gave you,

04:18.520 --> 04:20.740
or you bought a Linksys
or that type of device,

04:20.740 --> 04:22.470
then you're probably using NAT.

04:22.470 --> 04:25.930
Network address
translation allows

04:25.930 --> 04:29.155
you to have a private
subnet behind the device.

04:29.155 --> 04:30.760
These are the IP addresses that

04:30.760 --> 04:32.500
we're all familiar with seeing

04:32.500 --> 04:36.580
192.168.0.0 type networks.

04:36.580 --> 04:39.880
The NAT will translate those
private addresses into

04:39.880 --> 04:43.090
the WAN address and allow it
to go out on the Internet.

04:43.090 --> 04:44.440
But on the Internet side,

04:44.440 --> 04:46.180
it only appears as
if you have one IP

04:46.180 --> 04:49.570
address being your WAN
public IP address.

04:50.420 --> 04:53.850
Forward and transparent proxy.

04:53.850 --> 04:56.620
The key to remember
about these is that

04:56.620 --> 04:59.605
they are working from
inside the network out.

04:59.605 --> 05:01.330
When a client on the inside of

05:01.330 --> 05:03.730
the network wants to go
to a particular webpage,

05:03.730 --> 05:05.380
they first go to the proxy,

05:05.380 --> 05:06.910
and then the proxy will request

05:06.910 --> 05:09.320
that for the client
and send it back.

05:09.320 --> 05:12.300
Everything is routed
through the proxy.

05:12.300 --> 05:14.380
This allows the
proxy to intercept

05:14.380 --> 05:16.810
the traffic and see if there's
anything malicious in it,

05:16.810 --> 05:19.780
but it also allows it to
deny clients access to

05:19.780 --> 05:20.800
sites that may not be

05:20.800 --> 05:23.660
approved for those
clients to surf to.

05:23.660 --> 05:25.600
Proxies also have to

05:25.600 --> 05:27.580
understand the protocol that

05:27.580 --> 05:29.380
they're going to be handling.

05:29.380 --> 05:32.065
Multipurpose proxies can handle

05:32.065 --> 05:36.650
several protocols such
as HTTP, FTP, and SMTP.

05:37.860 --> 05:41.050
A reverse proxy is
the exact opposite.

05:41.050 --> 05:42.700
This is for traffic
on the outside

05:42.700 --> 05:44.620
of the network coming in.

05:44.620 --> 05:48.400
It can be used to
improve performance of

05:48.400 --> 05:50.350
a website because
it can cache data

05:50.350 --> 05:52.690
and send the data
faster to clients.

05:52.690 --> 05:54.355
It's in line with traffic,

05:54.355 --> 05:56.170
and it has to be
between the clients,

05:56.170 --> 06:00.135
the requesting server
going from the outside in.

06:00.135 --> 06:02.225
Reverse proxies are outside in,

06:02.225 --> 06:05.450
transparent proxies
are inside out.

06:06.680 --> 06:10.650
Firewalls. At its
most basic level,

06:10.650 --> 06:12.280
a firewall is a device that

06:12.280 --> 06:14.605
filters traffic that
passes through it.

06:14.605 --> 06:17.950
This is done by looking at
the source of the traffic,

06:17.950 --> 06:20.055
the destination, the protocol,

06:20.055 --> 06:22.085
and the ports that
it wants to go to.

06:22.085 --> 06:24.515
From there, the firewall
will make a decision

06:24.515 --> 06:27.620
on what it needs to do with
that particular traffic.

06:27.620 --> 06:29.945
For example, if we
have a website that's

06:29.945 --> 06:32.120
open on port 80
behind the firewall,

06:32.120 --> 06:35.300
the firewall may allow all
traffic to port 80 to be

06:35.300 --> 06:37.340
forwarded over to
that IP address

06:37.340 --> 06:39.215
of the webserver
behind the firewall.

06:39.215 --> 06:44.230
It's really good for doing
this type of direct traffic,

06:44.540 --> 06:47.305
sending to a particular server,

06:47.305 --> 06:49.895
or blocking everything
based on rules.

06:49.895 --> 06:52.820
But if you want something
more complex such as looking

06:52.820 --> 06:55.700
at the actual content of
the traffic coming through,

06:55.700 --> 06:58.885
you need a more robust device.

06:58.885 --> 07:02.370
That brings us to a unified
threat management system.

07:02.370 --> 07:05.290
UTMs add additional capability

07:05.290 --> 07:07.404
to firewalls with
content filtering,

07:07.404 --> 07:09.520
spam filtering,
antivirus scanning,

07:09.520 --> 07:10.990
and traffic and web filtering.

07:10.990 --> 07:12.830
This is where the
industry has moved to,

07:12.830 --> 07:16.210
these are the devices that
we're most likely to be seeing

07:16.210 --> 07:17.770
now as they're more capable of

07:17.770 --> 07:20.215
defending a network than
a standard firewall.

07:20.215 --> 07:22.840
You also have next-generation
firewalls that are

07:22.840 --> 07:25.300
able to inspect
higher-level protocols

07:25.300 --> 07:27.715
such as HTTP so
that they can look

07:27.715 --> 07:30.654
inside the packets and see if
there's anything malicious.

07:30.654 --> 07:32.755
Once they inspect the traffic,

07:32.755 --> 07:34.030
if there is anything malicious,

07:34.030 --> 07:35.170
then they can drop it based

07:35.170 --> 07:38.480
on the content of
the data itself.

07:38.480 --> 07:43.005
We also have web application
firewalls or WAFs.

07:43.005 --> 07:46.185
These act as a
shield to a website;

07:46.185 --> 07:49.850
they're very specific for
protecting web servers

07:49.850 --> 07:53.285
from a wide range of attacks.

07:53.285 --> 07:56.495
But some examples would
be SQL injection,

07:56.495 --> 07:59.930
cross-site scripting,
cross-site request forgery,

07:59.930 --> 08:02.345
file inclusions, and
directory transversal.

08:02.345 --> 08:04.610
There are quite a
number of attacks that

08:04.610 --> 08:07.090
these can protect from but
these are the most common.

08:07.090 --> 08:10.845
We have three basic
types of WAF devices.

08:10.845 --> 08:12.255
The first is network-based,

08:12.255 --> 08:15.020
is a separate host or it
could be a virtual machine

08:15.020 --> 08:18.935
that sits in front of the
website that it's protecting.

08:18.935 --> 08:20.595
These are the most expensive,

08:20.595 --> 08:22.750
but they offer the
most flexibility.

08:22.750 --> 08:24.890
Host-based is software that

08:24.890 --> 08:27.275
runs on the actual
web server itself,

08:27.275 --> 08:29.335
and it's very inexpensive.

08:29.335 --> 08:31.540
In fact, in some cases
free like the example of

08:31.540 --> 08:33.280
ModSecurity but it means it's

08:33.280 --> 08:35.530
very complicated
to get configured.

08:35.530 --> 08:37.420
The last is Cloud-based,

08:37.420 --> 08:39.685
and it's delivered by a
Cloud service provider.

08:39.685 --> 08:41.185
It's less expensive,

08:41.185 --> 08:43.300
and it offers expert
implementation

08:43.300 --> 08:44.380
with low maintenance since

08:44.380 --> 08:45.820
the Cloud service
provider is usually

08:45.820 --> 08:49.520
the one implementing and
maintaining it for you.

08:50.389 --> 08:52.905
>> Virtual Private Networks.

08:52.905 --> 08:54.600
If you watch any YouTube videos,

08:54.600 --> 08:56.415
you've seen
advertisements for these.

08:56.415 --> 08:58.470
But the most basic use of

08:58.470 --> 09:00.060
a virtual private network is to

09:00.060 --> 09:02.160
connect two networks together.

09:02.160 --> 09:03.870
So if you have a
remote office in

09:03.870 --> 09:05.895
one city and the main
office in another,

09:05.895 --> 09:08.100
you can create a virtual
private network,

09:08.100 --> 09:10.770
which is an encrypted
tunnel between the two,

09:10.770 --> 09:12.630
allowing the two
networks to be able to

09:12.630 --> 09:15.540
communicate with each other
securely across the Internet.

09:15.540 --> 09:18.255
Another common use of a VPN

09:18.255 --> 09:21.750
is for remote workers to connect
back to the main office.

09:21.750 --> 09:24.840
With a pandemic that
occurred in 2020,

09:24.840 --> 09:27.240
a lot of workers were
shifted home to do

09:27.240 --> 09:28.500
their work and this

09:28.500 --> 09:29.925
was the way they were
all able to connect.

09:29.925 --> 09:32.655
Again, was using a
virtual private network.

09:32.655 --> 09:35.640
Here are some common
VPN protocols.

09:35.640 --> 09:39.675
OpenVPN, L2TP teamed
up with IPSec,

09:39.675 --> 09:42.180
IKEv2 teamed up with IPSec,

09:42.180 --> 09:47.829
WireGuard, SSTP,
IPSec, and PPTP.

09:49.640 --> 09:52.725
Network Access Control.

09:52.725 --> 09:56.220
These devices create
a baseline for

09:56.220 --> 09:57.930
what every device
that's connected

09:57.930 --> 09:59.790
to the network should adhere to.

09:59.790 --> 10:02.760
So for example, patch
level must have

10:02.760 --> 10:04.650
an anti-virus program that's on

10:04.650 --> 10:07.065
the accepted list and
it must be updated.

10:07.065 --> 10:09.885
Maybe you have to have a
host firewall enabled.

10:09.885 --> 10:12.075
When a device is plugged
into the network,

10:12.075 --> 10:13.860
if it doesn't meet
the standards,

10:13.860 --> 10:16.200
it will not allow the
device to connect.

10:16.200 --> 10:18.225
This way you're only allowing

10:18.225 --> 10:21.700
access to the network,
to trusted devices.

10:25.430 --> 10:29.550
System Information and
Event Management, or SIEM.

10:29.550 --> 10:32.085
These are devices that collect

10:32.085 --> 10:35.940
data from multitude of
sources on your network.

10:35.940 --> 10:39.090
For example, it may collect
data from your firewall,

10:39.090 --> 10:42.179
your endpoints, your
domain controllers,

10:42.179 --> 10:44.340
and many other types of
devices and bring them

10:44.340 --> 10:46.410
all into one source
and then look

10:46.410 --> 10:47.745
at all of that data at

10:47.745 --> 10:50.805
one time to spot
patterns of an attack.

10:50.805 --> 10:52.590
So for example, seeing

10:52.590 --> 10:55.440
one failed user login

10:55.440 --> 10:57.600
on one machine might
not be a big deal.

10:57.600 --> 11:00.615
But if it happened across 20
machines at the same time,

11:00.615 --> 11:02.965
that might be
indicative of an attack.

11:02.965 --> 11:06.020
The SIEM would be able to
take all of that data in

11:06.020 --> 11:07.310
and then alert you to it

11:07.310 --> 11:09.050
so that you can take
further action.

11:09.050 --> 11:11.390
SIEMs typically have the
following functions:

11:11.390 --> 11:14.675
data aggregation,
correlation, alerting,

11:14.675 --> 11:18.630
visibility, compliance,
and data retention.

11:19.840 --> 11:22.730
Activity and traffic sensors,

11:22.730 --> 11:24.695
NetFlow, and sFlow.

11:24.695 --> 11:26.210
These are network protocols for

11:26.210 --> 11:28.674
capturing network
traffic for analysis.

11:28.674 --> 11:31.785
We also have file
integrity monitoring.

11:31.785 --> 11:33.780
This ensures that the files on

11:33.780 --> 11:36.615
different devices or
endpoints haven't changed.

11:36.615 --> 11:39.720
This is looking for signs
of a malicious attack,

11:39.720 --> 11:41.730
where an attacker
would come in and

11:41.730 --> 11:43.995
make changes to
specific system files,

11:43.995 --> 11:46.890
such as DLL files on
Windows machines.

11:46.890 --> 11:49.770
A file integrity
monitoring system

11:49.770 --> 11:52.240
ensures that hasn't been done.

11:55.370 --> 11:59.580
Simple Network Management
Protocol, SNMP.

11:59.580 --> 12:03.405
This operates on UDP
ports 161 and 162.

12:03.405 --> 12:05.760
This is a very common system for

12:05.760 --> 12:08.145
monitoring and managing
network infrastructure.

12:08.145 --> 12:10.410
Switches, routers, firewalls,

12:10.410 --> 12:14.985
and sometimes even actual
workstations will have SNMP.

12:14.985 --> 12:16.920
It consists of two parts,

12:16.920 --> 12:18.810
which are the monitors
and the agents.

12:18.810 --> 12:20.760
If you're not using SNMP on

12:20.760 --> 12:22.830
your network or if a
device doesn't need it,

12:22.830 --> 12:24.270
it's highly recommended that you

12:24.270 --> 12:26.580
disable it because a lot
of information can be

12:26.580 --> 12:30.300
gleaned from querying
an SNMP daemon

12:30.300 --> 12:32.980
that's running on a
particular system.

12:34.580 --> 12:38.265
Data loss prevention or DLP.

12:38.265 --> 12:40.170
This is software
that's designed to

12:40.170 --> 12:42.810
protect the data
that's on a network.

12:42.810 --> 12:46.725
Once the sensitive data on
a network has been defined,

12:46.725 --> 12:48.990
you can allow
different levels of

12:48.990 --> 12:53.160
access on that data and who
is allowed to access it,

12:53.160 --> 12:54.465
and then what they're
able to do with it,

12:54.465 --> 12:56.340
for example, are
they able to print?

12:56.340 --> 12:57.915
Are they able to copy it?

12:57.915 --> 13:00.450
Are they able to email
it? That type of thing.

13:00.450 --> 13:03.810
We can set these rules up
for all users to ensure

13:03.810 --> 13:07.690
that data is not exfiltrated
from the network improperly.

13:09.830 --> 13:13.950
Distributed Denial of
Service Protection.

13:13.950 --> 13:17.040
This has become a
massive problem in

13:17.040 --> 13:20.490
our industry where different
websites are under attack,

13:20.490 --> 13:22.380
and there are some
things we can do about

13:22.380 --> 13:24.060
it to help prevent
those attacks from

13:24.060 --> 13:27.840
causing outages of
our web resources.

13:27.840 --> 13:29.790
The first one we can
do is rate-limiting,

13:29.790 --> 13:30.990
which reduces the amount of

13:30.990 --> 13:33.330
throughput that
goes to the server.

13:33.330 --> 13:34.740
So that way the total

13:34.740 --> 13:37.095
bandwidth is not
actually being used.

13:37.095 --> 13:39.870
We can put a web
application firewall in

13:39.870 --> 13:41.670
line to prevent the traffic

13:41.670 --> 13:43.725
from actually reaching
the webserver.

13:43.725 --> 13:45.960
We can do black hole routing,

13:45.960 --> 13:47.610
which drops all inbound traffic

13:47.610 --> 13:49.035
that is destined
to the endpoint,

13:49.035 --> 13:50.580
in this case, a web server.

13:50.580 --> 13:52.980
We can use cloud
service providers like

13:52.980 --> 13:55.710
Cloudflare that
route all traffic.

13:55.710 --> 13:57.510
We run all traffic through
them first and then

13:57.510 --> 14:00.450
they handle it before it
ever reaches our website.

14:00.450 --> 14:02.715
We can also use

14:02.715 --> 14:06.465
a DDoS mitigation
software or an appliance,

14:06.465 --> 14:08.670
which is a purpose-built
device to help

14:08.670 --> 14:11.920
us prevent this type of
attack on our web servers.

14:13.190 --> 14:16.530
Let's summarize what we
went over in this lesson.

14:16.530 --> 14:18.030
We went over how intrusion

14:18.030 --> 14:20.280
detection and intrusion
prevention systems work.

14:20.280 --> 14:21.810
We went over
wireless intrusion

14:21.810 --> 14:23.715
detection and
prevention systems.

14:23.715 --> 14:25.830
We discussed perimeter security

14:25.830 --> 14:27.510
devices such as firewalls,

14:27.510 --> 14:29.595
proxies, routers, and VPNs.

14:29.595 --> 14:32.010
We also went over using
sensors to collect

14:32.010 --> 14:35.115
data from the network to
improve network security.

14:35.115 --> 14:38.250
Let's look at some
example questions.

14:38.250 --> 14:41.160
Which technology solution
would you need to

14:41.160 --> 14:43.380
implement to prevent
rogue access points on

14:43.380 --> 14:47.370
a network? A

14:47.370 --> 14:50.650
wireless intrusion
prevention system or a WIPS.

14:50.960 --> 14:53.730
Question 2, you

14:53.730 --> 14:55.320
have been asked to provide
a solution to help

14:55.320 --> 14:57.000
a company prevent
its confidential and

14:57.000 --> 14:59.505
proprietary information
from being copied,

14:59.505 --> 15:01.590
printed, or used improperly.

15:01.590 --> 15:04.690
What type of technology
would you recommend?

15:05.840 --> 15:09.550
A data loss or DLP system.

15:11.300 --> 15:15.540
Example 3, what tool
must be placed in

15:15.540 --> 15:18.900
line to allow a NIDS to
inspect all network traffic?

15:18.900 --> 15:24.310
A sniffer.

15:26.420 --> 15:29.920
What is the purpose of a SIEM?

15:31.580 --> 15:35.160
To aggregate logs from a
variety of systems and

15:35.160 --> 15:38.940
provide real-time alerting
based on the collected data.

15:38.940 --> 15:43.260
Well, that brings us to the
end of Module 2, Lesson 1.

15:43.260 --> 15:45.750
I hope this was helpful
for you and explained

15:45.750 --> 15:47.730
everything in enough detail that

15:47.730 --> 15:50.830
you can pass the
exam. Thank you.

