WEBVTT

00:00.019 --> 00:02.400
>> Continuing on with network

00:02.400 --> 00:05.069
>> security architecture Part 2.

00:05.069 --> 00:08.010
>> The learning objectives
for this lesson are to

00:08.010 --> 00:11.085
show how network segmentation
improves security,

00:11.085 --> 00:13.410
to explain
deperimeterization and

00:13.410 --> 00:15.255
how it relates to zero trust,

00:15.255 --> 00:16.800
and to demonstrate the use of

00:16.800 --> 00:19.470
Software Defined Networks
in secure architecture.

00:19.470 --> 00:25.000
Let's get started.
Network segmentation.

00:25.000 --> 00:27.630
Network segmentation
simply means

00:27.630 --> 00:30.135
breaking a network up
into smaller parts.

00:30.135 --> 00:32.610
But for security, the
reason we might want to do

00:32.610 --> 00:35.010
this is that some
parts of our network

00:35.010 --> 00:36.810
may contain data
that we don't

00:36.810 --> 00:38.340
necessarily want everyone on

00:38.340 --> 00:39.930
the network having access to,

00:39.930 --> 00:41.900
so for example, a corporation's

00:41.900 --> 00:43.430
HR department may need to

00:43.430 --> 00:45.110
be on its own
separate segment of

00:45.110 --> 00:48.860
the network so that it's
separated from everyone else.

00:48.860 --> 00:50.480
Another reason for security

00:50.480 --> 00:51.800
that you might want to segment

00:51.800 --> 00:53.330
your network is that if

00:53.330 --> 00:55.445
one part of the network were
to become compromised,

00:55.445 --> 00:57.785
it wouldn't bring down
the rest of the network.

00:57.785 --> 01:01.115
We can accomplish this through
a variety of technologies.

01:01.115 --> 01:02.555
The first is subnetting,

01:02.555 --> 01:05.420
simply breaking the network
into smaller pieces.

01:05.420 --> 01:08.750
The next is virtual
LANs or VLANs.

01:08.750 --> 01:11.360
These are software-defined
and they're usually

01:11.360 --> 01:14.300
performed by your managed
network switches.

01:14.300 --> 01:16.790
This allows for one device

01:16.790 --> 01:18.775
to separate your
network traffic.

01:18.775 --> 01:21.140
We can also use a
screened subnet.

01:21.140 --> 01:25.279
This is placing two firewalls
on either side of the DMZ.

01:25.279 --> 01:26.630
The firewall that faces the

01:26.630 --> 01:28.700
outside is known as
a screening firewall

01:28.700 --> 01:30.050
and the one that faces the

01:30.050 --> 01:33.030
inside is known as
a choke firewall.

01:34.420 --> 01:36.770
We can also use environments

01:36.770 --> 01:38.615
to help us segment our network.

01:38.615 --> 01:40.520
A staging environment
is where we

01:40.520 --> 01:42.380
create an exact duplicate of

01:42.380 --> 01:44.660
our production environment for

01:44.660 --> 01:47.090
the purposes of
testing new software,

01:47.090 --> 01:50.450
security patches, hardware,
or setting changes that we

01:50.450 --> 01:52.250
might want to use before

01:52.250 --> 01:54.440
pushing it out to our
production environment.

01:54.440 --> 01:56.360
We could also use a
guest environment

01:56.360 --> 01:58.055
which is an isolated network,

01:58.055 --> 02:00.995
completely removed from
our production network

02:00.995 --> 02:03.510
to allow guest access.

02:04.330 --> 02:06.650
We can use access control lists

02:06.650 --> 02:08.285
to help us with segmentation.

02:08.285 --> 02:12.245
An access control list
simply allows data to flow

02:12.245 --> 02:14.450
or to be denied based on

02:14.450 --> 02:17.000
the rules that are set up
in the control list itself.

02:17.000 --> 02:19.490
In networking, this
is usually handled by

02:19.490 --> 02:21.740
switches and routers which may or

02:21.740 --> 02:23.750
may not allow access to

02:23.750 --> 02:27.210
data based on their
own individual ACLs.

02:29.240 --> 02:31.550
We can also use a jump box

02:31.550 --> 02:33.155
to help us segment our network.

02:33.155 --> 02:36.395
A jump box is a hardened
and monitored system

02:36.395 --> 02:38.990
that is used to perform
administrative functions.

02:38.990 --> 02:42.260
The reason this
is a really smart

02:42.260 --> 02:43.580
>> thing to do is that in

02:43.580 --> 02:45.860
>> larger environments
you may have many devices

02:45.860 --> 02:48.170
that need to be configured,
such as firewalls,

02:48.170 --> 02:49.535
switches, routers,

02:49.535 --> 02:51.590
and you don't want to

02:51.590 --> 02:53.640
perform those from
your own workstation,

02:53.640 --> 02:55.400
the one that you're
checking email on

02:55.400 --> 02:57.530
or browsing the
web or that thing.

02:57.530 --> 03:01.249
A jump box is one that you
would log into remotely,

03:01.249 --> 03:03.215
perform all the
functions from there,

03:03.215 --> 03:04.700
and then when you're
done, you come

03:04.700 --> 03:06.485
back to your regular
workstation.

03:06.485 --> 03:08.315
What this does is it allows

03:08.315 --> 03:10.775
one device to have
all the credentials,

03:10.775 --> 03:12.800
rather than having it
on a workstation that

03:12.800 --> 03:15.260
has a higher chance
of being compromised.

03:15.260 --> 03:16.940
We can also air gap,

03:16.940 --> 03:18.770
which is when we
physically remove

03:18.770 --> 03:21.050
and disconnect a host
from any network.

03:21.050 --> 03:22.520
If it's not connected to a network,

03:22.520 --> 03:24.075
it's a lot harder to get to.

03:24.075 --> 03:26.745
We also have a
peer-to-peer environment.

03:26.745 --> 03:29.180
These are decentralized
networks that provide

03:29.180 --> 03:31.595
services only when you're
connected to them.

03:31.595 --> 03:33.170
An example of that today would be

03:33.170 --> 03:35.510
the Tor network, but if
you're old school like me,

03:35.510 --> 03:37.530
you might remember Napster.

03:38.260 --> 03:41.380
Cloud-based network
segmentation.

03:41.380 --> 03:44.210
The first thing we can use
is micro-segmentation,

03:44.210 --> 03:46.510
which is isolating
workloads from each other

03:46.510 --> 03:49.555
and then we protect those
workloads individually.

03:49.555 --> 03:53.884
We can use virtual private
Clouds or virtual networks.

03:53.884 --> 03:55.310
This allows for creating

03:55.310 --> 03:58.435
Cloud resources within
a private network.

03:58.435 --> 04:00.915
The last part is NACLs,

04:00.915 --> 04:02.510
pronounced nackles, but it

04:02.510 --> 04:04.700
stands for network
access control.

04:04.700 --> 04:06.170
These are used to control

04:06.170 --> 04:09.805
inbound and outbound
traffic between VPCs.

04:09.805 --> 04:12.229
Think of these as
just simply ACLs

04:12.229 --> 04:15.330
for your Cloud segmentation.

04:16.120 --> 04:19.025
We can also use security groups.

04:19.025 --> 04:20.885
It's a virtual
firewall that limits

04:20.885 --> 04:22.280
inbound and outbound traffic

04:22.280 --> 04:24.305
to a particular Cloud instance.

04:24.305 --> 04:26.600
Regions are the
physical location of

04:26.600 --> 04:30.450
our data centers in a
globally distributed Cloud.

04:32.450 --> 04:36.050
With Cloud-based
network segmentation,

04:36.050 --> 04:37.445
we have data zones.

04:37.445 --> 04:40.580
A data zone simply
describes the state and

04:40.580 --> 04:41.930
the location of the data

04:41.930 --> 04:44.045
and how to isolate
and protect it.

04:44.045 --> 04:46.265
The first is our raw zone.

04:46.265 --> 04:49.744
This is where data is collected
from multiple sources.

04:49.744 --> 04:52.925
Then we go to our
structured or curated zone.

04:52.925 --> 04:54.950
In this zone, the data
that was collected in

04:54.950 --> 04:56.720
the raw zone is checked for

04:56.720 --> 04:58.519
quality and then
it's reformatted

04:58.519 --> 05:01.865
for users to make use of later.

05:01.865 --> 05:04.320
Then we have our analytical zone

05:04.320 --> 05:06.890
and this zone is
where the data is ready

05:06.890 --> 05:07.940
to be used by

05:07.940 --> 05:09.410
the different users for

05:09.410 --> 05:12.480
their particular purposes,
such as reporting.

05:13.630 --> 05:16.775
Software defined networking.

05:16.775 --> 05:18.770
The first thing you
have to understand with

05:18.770 --> 05:20.240
software defined networking is

05:20.240 --> 05:21.620
to understand what a plane is.

05:21.620 --> 05:22.880
Well, a plane is

05:22.880 --> 05:25.610
just an abstract model
that was created to help

05:25.610 --> 05:30.035
us understand software defined
networking and in SDN,

05:30.035 --> 05:31.595
we have three different planes.

05:31.595 --> 05:34.070
The first plane is
our control plane.

05:34.070 --> 05:36.860
The control plane decides
on the traffic priority and

05:36.860 --> 05:40.250
its security and where the
data should be switched.

05:40.250 --> 05:42.500
The data plane is
the one that handles

05:42.500 --> 05:46.040
the actual switching of the
data and routing of traffic,

05:46.040 --> 05:48.835
but it also controls ACLs.

05:48.835 --> 05:51.200
Finally, we have our
management plane,

05:51.200 --> 05:52.490
which monitors traffic and

05:52.490 --> 05:54.575
conditions of the
overall network.

05:54.575 --> 05:56.150
Think of this as making sure

05:56.150 --> 05:58.620
everything is working
well together.

05:59.740 --> 06:03.110
We have three different
approaches to SDN.

06:03.110 --> 06:05.615
The first is open SDN,

06:05.615 --> 06:07.880
which makes use of
open source and open

06:07.880 --> 06:08.960
standards so that we're not

06:08.960 --> 06:10.985
locked into one
particular vendor.

06:10.985 --> 06:14.075
We can also make use
of a hybrid SDN,

06:14.075 --> 06:16.250
which uses SDN along

06:16.250 --> 06:18.835
with traditional networks,
and they work together.

06:18.835 --> 06:21.330
Finally, we have
our SDN overlay.

06:21.330 --> 06:25.039
This uses our existing
hardware with the software,

06:25.039 --> 06:26.900
and it allows us to create and

06:26.900 --> 06:29.180
manage new virtual networks.

06:29.180 --> 06:31.790
The overlay is what's
responsible for

06:31.790 --> 06:34.685
moving data across physical
network infrastructure,

06:34.685 --> 06:37.310
but the SDN is the
one managing it all.

06:37.310 --> 06:40.190
The network hardware
is moving the data,

06:40.190 --> 06:42.665
but it is controlled by the SDN.

06:42.665 --> 06:45.670
No longer are the switches or
routers in control,

06:45.670 --> 06:47.390
the software is the
one moving everything

06:47.390 --> 06:50.310
around or controlling
the moving.

06:50.600 --> 06:53.525
Deperimeterization.

06:53.525 --> 06:55.285
Up until recently,

06:55.285 --> 06:58.600
you could think of our
networks as a castle.

06:58.600 --> 07:00.655
Castles have high walls.

07:00.655 --> 07:03.325
They have towers to
watch over everything.

07:03.325 --> 07:05.470
They have gates to
control access so

07:05.470 --> 07:07.970
that you can know who's coming
in and who's going out.

07:07.970 --> 07:09.780
This is how our networks were.

07:09.780 --> 07:12.595
We had firewalls, intrusion
detection systems,

07:12.595 --> 07:16.945
and we were very focused
on users and assets.

07:16.945 --> 07:20.880
However, the world is

07:20.880 --> 07:24.820
changing and with that change
and that access to data,

07:24.820 --> 07:27.470
we've had to come up
with a new system.

07:28.760 --> 07:30.870
Some of the trends
that are helping

07:30.870 --> 07:32.005
push us towards that,

07:32.005 --> 07:36.010
are remote work, mobile
usage, and Cloud adoption.

07:36.010 --> 07:37.720
With mobile usage, now we

07:37.720 --> 07:39.250
have devices that are outside of

07:39.250 --> 07:43.010
our network that need access
to our data at all times,

07:43.010 --> 07:44.905
and with Cloud adoption,

07:44.905 --> 07:46.960
it's a similar thing where
our data is no longer

07:46.960 --> 07:49.750
behind our closed
walls or castle walls,

07:49.750 --> 07:52.115
it is now on a server
somewhere else.

07:52.115 --> 07:54.100
Our data being scattered across

07:54.100 --> 07:56.950
the world and then
also having need of it

07:56.950 --> 08:01.090
24/7 has changed our
approach to controlling

08:01.090 --> 08:05.370
access to our data and that
leads us to zero trust.

08:05.370 --> 08:08.425
You can think of zero
trust as never trust,

08:08.425 --> 08:11.765
always verify, and
always assume breach.

08:11.765 --> 08:14.474
Every connection and request

08:14.474 --> 08:20.035
is individually evaluated,
and then validated.

08:20.035 --> 08:24.035
It focuses on resources
rather than users and assets,

08:24.035 --> 08:26.420
and if you'd like to read
more about zero trust,

08:26.420 --> 08:28.700
you can read the NIST
special publication,

08:28.700 --> 08:33.240
800-207: Zero
Trust Architecture.

08:34.100 --> 08:36.760
Network Integration.

08:36.760 --> 08:39.125
There are a lot of
different things that

08:39.125 --> 08:41.690
impact how our networks
are integrated together,

08:41.690 --> 08:43.355
so for example, with peering,

08:43.355 --> 08:45.140
we're connecting
virtual private Clouds

08:45.140 --> 08:48.515
together with a VPC
peering connection,

08:48.515 --> 08:50.150
but we also have mergers and

08:50.150 --> 08:51.890
acquisitions to think about when

08:51.890 --> 08:53.585
a company buys out another one

08:53.585 --> 08:54.995
or it merges with another one,

08:54.995 --> 08:56.030
we have to find a way to

08:56.030 --> 08:58.040
integrate those
networks together.

08:58.040 --> 09:00.575
We also have directory services.

09:00.575 --> 09:02.750
This is similar to
a database that

09:02.750 --> 09:05.285
contains attributes for users,

09:05.285 --> 09:06.710
security groups,

09:06.710 --> 09:10.760
and devices for the purposes
of privilege management.

09:10.760 --> 09:12.230
The Active Directory for

09:12.230 --> 09:14.750
Microsoft is a
directory service.

09:14.750 --> 09:16.730
We also have federation.

09:16.730 --> 09:18.680
This is simply
trusting the accounts

09:18.680 --> 09:22.050
created and managed by
another organization.

09:24.470 --> 09:27.420
Identity providers and attestation.

09:27.420 --> 09:29.720
This is a four-step process.

09:29.720 --> 09:31.160
I'm going to break
it down to make

09:31.160 --> 09:33.455
it in its most basic form.

09:33.455 --> 09:35.375
If a user wants to access

09:35.375 --> 09:38.045
a service or data at
a service provider,

09:38.045 --> 09:41.210
they will be redirected
to an identity provider.

09:41.210 --> 09:43.340
The user authenticates with

09:43.340 --> 09:45.050
the identity provider
and they will

09:45.050 --> 09:47.210
receive an attestation
of identity.

09:47.210 --> 09:49.330
This is usually in
the form of a token.

09:49.330 --> 09:51.515
The user then takes that token

09:51.515 --> 09:53.900
or attestation and presents it

09:53.900 --> 09:55.865
back to the service provider

09:55.865 --> 09:58.355
and then based on that token,

09:58.355 --> 10:01.650
the service provider will
allow access to the user.

10:03.100 --> 10:05.600
Let's summarize what we did.

10:05.600 --> 10:08.120
We discussed various ways we can

10:08.120 --> 10:10.760
segment networks,
including Cloud networks.

10:10.760 --> 10:14.750
We discussed software-defined
networks and their parts.

10:14.750 --> 10:17.390
We went over deperimeterization
and how that is

10:17.390 --> 10:20.090
shifting us towards
zero trust and finally,

10:20.090 --> 10:22.655
we went over the different
types of network integration.

10:22.655 --> 10:25.405
Let's do some example questions.

10:25.405 --> 10:28.250
Example 1. What type

10:28.250 --> 10:30.185
of device would be
described as being

10:30.185 --> 10:32.300
a hardened and closely
monitored system

10:32.300 --> 10:35.130
for performing
administrative tasks?

10:35.450 --> 10:38.240
Jump box. We use these

10:38.240 --> 10:40.100
so we can configure
routers, firewalls,

10:40.100 --> 10:42.305
and switches from
a hardened system,

10:42.305 --> 10:45.270
rather than doing it from
our own workstations.

10:45.800 --> 10:49.070
Number 2. What type
of environment

10:49.070 --> 10:51.650
is a mirror of the production
environment and is used

10:51.650 --> 10:53.960
to test the changes to
hardware and software

10:53.960 --> 10:55.685
before implementing
those changes

10:55.685 --> 10:57.750
on the production network?

10:58.730 --> 11:04.530
Staging environment. Example 3.

11:04.530 --> 11:07.910
What process is described
as isolating the workloads

11:07.910 --> 11:09.605
themselves from each other

11:09.605 --> 11:12.120
and protecting
them individually?

11:12.590 --> 11:15.600
Microsegmentation.

11:15.600 --> 11:18.045
Finally, Question 4.

11:18.045 --> 11:21.050
What type of architecture
considers everything to be

11:21.050 --> 11:24.155
external and follows
the never trust,

11:24.155 --> 11:27.120
always verify and assume breach?

11:28.400 --> 11:31.110
Zero trust architecture.

11:31.110 --> 11:33.365
I hope this lesson
was helpful to you,

11:33.365 --> 11:35.880
and I'll see you
in the next one.

