WEBVTT

00:00.510 --> 00:06.680
Any network is going to be chopped up into individualized zones.

00:06.690 --> 00:11.580
Now, if you've been watching other episodes, you know we talk about things like LANs and WANs and such,

00:11.850 --> 00:15.180
but we're actually going to make it a little bit more granular than that.

00:15.180 --> 00:19.980
So what we're going to be doing is really talking about, more than anything else, an individual local

00:19.980 --> 00:23.020
area network, or at most a small WAN,

00:23.190 --> 00:29.550
and some of the different divisions and pieces and chunks that we divide that LAN into.

00:29.760 --> 00:34.410
So the best way to get started with understanding the different types of zones that you're going to

00:34.410 --> 00:40.550
be seeing on Security+ is to start with a good old basic local area network.

00:40.570 --> 00:47.410
Now, when you look at a local area network, you've always got some number of computers that are all connecting

00:47.440 --> 00:53.440
into one or more switches, generating their own broadcast domain.

00:53.440 --> 00:59.110
The important thing I want to stress in terms of a zone, though, is that this type of local area network

00:59.110 --> 01:06.460
is going to be wired. It actually will have physical Ethernet connections, using physical switches to do

01:06.460 --> 01:07.570
whatever it needs to do.

01:07.570 --> 01:12.710
So this is the core zone of just about any network.

01:12.730 --> 01:15.390
So what we want to do is we want to build from that zone.

01:15.580 --> 01:19.510
And there's a lot of different things. You're going to see every one of these on the Security+. I

01:19.510 --> 01:24.520
also might add that all of these are covered in other episodes with a lot more depth.

01:24.520 --> 01:28.850
All I'm trying to do at this point is to make sure that you're thinking in terms of zones.

01:28.900 --> 01:33.370
There are a number of questions on the Security+ where you're asked to think about how this is all

01:33.370 --> 01:34.050
put together.

01:34.050 --> 01:36.670
So for right now we're going to keep it a light touch.

01:36.790 --> 01:42.820
And if you want more detail on DMZ or virtualization, I've got whole other episodes for it, so let's

01:42.820 --> 01:46.980
go and get started with the first one, which is going to be the VLAN.

01:47.200 --> 01:56.020
So a VLAN simply means that we can take one or more physical switches and chop it up into separate

01:56.020 --> 01:57.790
broadcast domains.

01:57.820 --> 02:04.420
So let's imagine our local area network. In this case I've got one switch, but what I'm going to do instead

02:04.750 --> 02:12.160
is, let me just change some colors here, so all of the different computers that are on the same color

02:12.340 --> 02:14.780
are on their own broadcast domain.

02:14.980 --> 02:19.500
And if they're in a different color than their color, they're not even getting to hear each other.

02:19.600 --> 02:25.930
They can't broadcast to each other. Anything like that would actually have to have a router to interconnect

02:26.290 --> 02:32.630
these different virtual local area networks. So VLANs are not only common,

02:32.740 --> 02:37.180
They're pretty much standard in all but the smallest of networks out there.

02:37.180 --> 02:42.250
Even my little company, Total Seminars, runs a number of different VLANs to allow us to have different

02:42.250 --> 02:47.780
zones. So I've got one zone that's really more for the front office and the accounting folks.

02:47.800 --> 02:50.590
We've got another zone that's for our video production.

02:50.590 --> 02:57.210
And it just makes it a little bit easier for us to provide good security by setting up the VLANs.

02:57.390 --> 03:04.200
The next type of zone I want to talk about is pretty much unique for people who are serving stuff out on

03:04.200 --> 03:08.660
the Internet, and this is called a DMZ, or demilitarized zone.

03:08.730 --> 03:12.260
So if we start off with our little local area network.

03:12.390 --> 03:18.270
Now, traditionally you're going to have some kind of router that protects your local area network from

03:18.330 --> 03:24.190
the big bad evil Internet while still providing new connections through that router so that we get to Google

03:24.190 --> 03:25.770
and whatever it might be.

03:26.010 --> 03:31.300
But a DMZ is actually a usage of two different routers.

03:31.350 --> 03:37.050
So what we do is we can have our local area network have a router connection, and then we're going

03:37.050 --> 03:44.750
to connect that router to another router and then out to the Internet. By doing this, what we can now

03:44.750 --> 03:54.020
do is we can insert servers: web servers, file servers, VPN servers, whatever type of actual servers. Public-

03:54.020 --> 03:59.620
facing servers with public IP addresses can be placed between these two routers.

03:59.690 --> 04:06.770
So the IP addresses between the two routers are public IP addresses. Usually the IP addresses that are

04:06.830 --> 04:10.410
inside the local area network are private IP addresses.

04:10.460 --> 04:13.360
You can't get to those computers from the Internet itself.

04:13.700 --> 04:20.180
The DMZ is a perfect tool for supporting servers. With that, what we call the front router, the gateway

04:20.180 --> 04:23.530
router, the one that's between our servers and the Internet,

04:23.660 --> 04:30.320
we can provide strong firewall services there while at the same time allowing the public Internet to come

04:30.320 --> 04:34.250
in and be able to talk to the servers. If we've got a web server,

04:34.250 --> 04:38.570
we don't want to block the firewall to the point where they can't even speak to it. Right? That next

04:38.570 --> 04:42.890
firewall in, now that's the one that really is going to protect our individual systems.

04:42.890 --> 04:49.640
So it will block all incoming public internet stuff unless somebody on the inside starts the conversation.

04:49.640 --> 04:56.660
So, by the way, on the inside here they can go ahead and open up a web browser and type www.youtube.com.

04:56.870 --> 05:02.660
And then, because they've started the conversation, when it comes back in, in that particular case, then

05:02.810 --> 05:06.330
public IPs can come into your interior network.

05:06.620 --> 05:10.490
But within the DMZ anybody can query any of those servers.

05:10.640 --> 05:12.700
And we want them to do exactly that.

05:13.950 --> 05:20.150
DMZs are, I'm not going to say they're gone, but there's a lot of new opportunities out there.

05:20.150 --> 05:26.120
With cloud-based tools, a traditional old-school DMZ with two routers is more rare than it used to

05:26.120 --> 05:28.920
be, but it's certainly on the exam.

05:28.980 --> 05:32.160
The next thing I want to talk about are wireless networks.

05:32.160 --> 05:38.280
So if we start with our little local area network, we can do things like, for example, just plug a wireless

05:38.340 --> 05:45.750
access point into our switch and then provide another zone of network called a wireless network.

05:45.750 --> 05:51.360
This is based on the 802.11 standard. That little wireless access point broadcasts out what we call

05:51.660 --> 05:59.220
SSIDs, service set identifiers, and that's when you get on your phone or on your laptop and you're looking

05:59.220 --> 06:01.020
at all those wacky names.

06:01.230 --> 06:04.120
That's really what those are: individual SSIDs.

06:04.200 --> 06:07.710
So that gives us another set of connectivity.

06:07.710 --> 06:14.970
Now keep in mind that unless you do something special, a wireless connection is just as good as plugging

06:14.970 --> 06:17.110
a piece of Ethernet into a switch.

06:17.400 --> 06:22.210
So a lot of times that's where we'll see people do things like, for example, set up a separate VLAN,

06:22.210 --> 06:24.540
and that's just for wireless clients.

06:24.600 --> 06:30.810
So make a little separation, maybe put a firewall between the wireless clients and your actual LAN itself.

06:32.050 --> 06:37.910
Now after that we have what the exam calls a guest network.

06:37.920 --> 06:43.320
Guest is an interesting name because guest has so many different meanings to it.

06:43.330 --> 06:48.640
For example, a guest network could be at a coffee shop where you're just providing public Wi-Fi to your

06:48.640 --> 06:49.720
patrons.

06:49.720 --> 06:55.780
A guest network could be something... I've done a lot of work with the United States Department of Justice,

06:56.260 --> 07:03.460
and they need to be able to give defense attorneys a way to get to look at any type of evidence that's

07:03.460 --> 07:08.320
being used against their client, so they have to set up a little guest network, which manifests as nothing

07:08.320 --> 07:11.440
more than a piece of Ethernet that they can plug into.

07:11.440 --> 07:17.140
The important thing is that a guest network is pretty much always going to be a separate VLAN, and

07:17.140 --> 07:24.370
one way or another it is designed and protected because you're assuming that guests are not people who

07:24.370 --> 07:26.520
can log into your actual network.

07:26.680 --> 07:33.910
So it's very much a segmented, almost isolated zone that really is used for one specific

07:33.910 --> 07:35.050
job.

07:35.050 --> 07:41.980
It can be wired, it could be wireless, but there's always going to be certainly a VLAN and almost

07:41.980 --> 07:47.860
certainly some big firewall between the guest network and your real network, because we don't want those

07:47.860 --> 07:50.020
defense attorneys looking at anything else.

07:51.900 --> 07:54.410
So you have all of these different types of zones.

07:54.420 --> 08:02.130
But today probably one of the most common zones that we get into are virtualization zones. In virtualization,

08:02.140 --> 08:05.770
and again we have whole episodes that cover this in more detail,

08:05.880 --> 08:12.720
We can take one computer and make it look like a gazillion individual computers.

08:12.720 --> 08:14.580
So here's my one computer.

08:14.760 --> 08:19.520
And what we do is just put a bunch of virtual machines on top of that.

08:19.590 --> 08:23.480
Actually, all of these machines are running within this one physical computer.

08:23.520 --> 08:29.820
In fact, with virtualization, whereas each system can be connected to your actual network, it's actually

08:29.820 --> 08:34.410
very common where you have your own virtualized network.

08:34.410 --> 08:39.410
So all of these computers can be their own little LAN running together by themselves.

08:39.570 --> 08:42.830
And it just depends on what your application requirements are.

08:43.020 --> 08:47.460
So virtualization is used a lot in terms of when we think about the zones.

08:47.460 --> 08:51.940
Now the last kind of zone and this is an important one is called air gap.

08:52.320 --> 08:58.020
So let's imagine I've got two local area networks. Now it's nothing for me to run a cable between two

08:58.020 --> 09:04.680
switches, and I can make these two local area networks become one larger local area network. An air gap

09:04.680 --> 09:06.960
simply means a disconnect.

09:06.960 --> 09:15.660
We unplug different networks from each other to provide real isolation. When a system is not connected

09:15.660 --> 09:17.020
to any other systems,

09:17.070 --> 09:20.220
it is completely isolated, and this is actually very common.

09:20.220 --> 09:25.260
Did you know, here in the United States we have the Internet, which everybody uses.

09:25.350 --> 09:30.810
But there's another Internet. In fact, arguably there's three other Internets, and they're completely air

09:30.810 --> 09:34.260
gapped from each other. They're used by the United States Department of Defense.

09:34.320 --> 09:39.570
They're used by university research departments, and they're a completely separate Internet from the

09:39.570 --> 09:46.630
one that you get on Google with. So it's very, very common to see these types of air-gapped networks.

09:46.630 --> 09:47.170
All right.

09:47.220 --> 09:48.560
Now for the exam.

09:48.570 --> 09:52.580
Just make sure you're comfortable conceptually with the idea of zones.

09:52.650 --> 09:57.210
Hopefully most of these terms you're familiar with; if not, don't worry about it.

09:57.210 --> 10:02.980
We've got plenty of other episodes that will talk in detail about virtualization and VLANs and DMZ.

10:03.160 --> 10:05.120
You're just going to have to poke around a little bit and find them.

10:05.130 --> 10:05.750
But they're there

10:09.910 --> 10:11.600
for

10:16.620 --> 10:26.060
an.
