WEBVTT

00:00.390 --> 00:05.350
If you've got some kind of server that's facing the Internet you need to protect it.

00:05.370 --> 00:11.610
Now we cover things like firewalls in other episodes and firewalls are critical if not the first thing

00:11.610 --> 00:13.610
we need to do to protect our servers.

00:13.680 --> 00:18.480
But since that's well covered in other episodes I want to talk about some of the other denizens that

00:18.480 --> 00:22.280
we install within our DMZ to protect our servers.

00:22.290 --> 00:27.270
Now to start this process up let's go ahead and take a look at a typical network.

00:27.300 --> 00:33.990
So what we have here is a DMZ, so we have the router that's connected to the Internet and then between that

00:34.050 --> 00:37.740
and our second router This is our public facing servers.

00:37.740 --> 00:39.300
So we've got a little switch here.

00:39.300 --> 00:41.080
These guys are all connected to it.

00:41.100 --> 00:46.740
This is going to be on its own network ID and that's very, very separate from the rest of the network

00:46.920 --> 00:48.670
which is behind that second router in fact.

00:48.750 --> 00:53.450
Let's just fade that out and concentrate on the DMZ itself.

00:53.460 --> 00:58.410
So these are the machines we're protecting these could be file servers they could be web servers they

00:58.410 --> 01:01.650
could be VPN and they could be all kinds of stuff.

01:01.650 --> 01:07.520
The bottom line is these are boxes that have a public presence on the Internet itself.

01:07.530 --> 01:10.260
Now you'll see I've got the router here between that and the Internet.

01:10.260 --> 01:13.190
So there's certainly going to be a good firewall on there.

01:13.200 --> 01:15.720
But let's go ahead and take it a step further.

01:15.750 --> 01:19.980
Starting with something called an SSL accelerator.

01:20.020 --> 01:27.670
If you're using a lot of asymmetric encryption you're going to be doing a lot of SSL/TLS and

01:27.700 --> 01:31.660
asymmetric encryption can really burden CPUs.

01:31.660 --> 01:33.950
So what is a very common thing to do.

01:34.150 --> 01:36.800
Let's go back to our diagram now here.

01:36.820 --> 01:40.270
We're going to have all four these are going to be web servers in this case.

01:40.510 --> 01:45.380
And what we're going to do is install a special card into each one of these boxes.

01:45.430 --> 01:52.630
These cards only have one real job and that is to encrypt and decrypt asymmetric encryption on the fly.

01:52.630 --> 01:56.430
Now putting in individual cards is a great idea.

01:56.480 --> 02:02.680
However for larger more enterprise type situations where you have a lot of these systems having individual

02:02.680 --> 02:05.710
cards in each one of your web servers can become onerous.

02:05.710 --> 02:13.270
So what we often see instead is an appliance that sits directly behind our gateway router and is between

02:13.510 --> 02:21.190
the Internet and our switches so this box right here is a dedicated SSL accelerator it only has one

02:21.190 --> 02:28.160
job and that is to handle all the SSL/TLS encryption and decryption going across the network.

02:28.210 --> 02:33.730
Now an SSL accelerator isn't going to protect your network so much as it's going to make it run more

02:33.730 --> 02:34.600
efficiently.

02:34.720 --> 02:37.900
But in a way running more efficient is a protection too.

02:37.900 --> 02:42.210
So let's go and take a look at the next one called a load balancer.

02:42.250 --> 02:46.210
Now let's say I've got four different web servers.

02:46.220 --> 02:52.300
Now the problem with these web servers is that they can all be working on the same web site.

02:52.340 --> 02:59.240
So what we'd like to do is we put a box between our web servers and the Internet called a load balancer.

02:59.240 --> 03:04.970
Now this load balancer is actually a proxy because he takes all the incoming requests for the Web site

03:05.300 --> 03:10.710
and then distributes them around to the four different basically identical web servers.

03:10.730 --> 03:13.130
Now a load balancer works in a lot of different ways.

03:13.160 --> 03:16.060
He can do this by DNS names.

03:16.130 --> 03:21.200
He can go by the workload, if there is one web server that's a lot more busy then will put it to another

03:21.200 --> 03:24.260
web server and he can also keep track of sessions.

03:24.350 --> 03:29.180
A lot of times somebody will connect to a particular web server and they're in the middle of buying

03:29.180 --> 03:33.560
something or something like that and maybe they walk away they disconnected they need to re-establish

03:33.560 --> 03:39.900
a session load balancer will remember those things and always get us right back to the correct web server.

03:40.850 --> 03:45.470
Now the last one is kind of an interesting beast and it's called a distributed denial of service mitigator

03:45.500 --> 03:47.390
or a DDoS mitigator.

03:47.960 --> 03:52.130
Distributed Denial of Service is the biggest problem that we have on the Internet today there is no

03:52.130 --> 03:53.690
question mark about that.

03:53.690 --> 03:59.280
So there have been a number of interesting tool sets to help us.

03:59.480 --> 04:05.350
Well, we can't stop denial of service, but we can hopefully mitigate it, reduce its effect.

04:05.360 --> 04:09.220
So a DDoS mitigator works kind of like this.

04:09.260 --> 04:14.900
So if we take a look at this diagram what we've done is we put a box here again between the router and

04:14.900 --> 04:15.710
our servers.

04:15.890 --> 04:17.710
And this is a DDoS mitigator.

04:17.840 --> 04:23.570
Now this box can detect when denial of service attacks are coming through.

04:23.570 --> 04:30.230
So it's well updated, it knows about denial of service attacks, and what it will do is, if it detects one,

04:30.320 --> 04:32.360
it will basically go, "Help!"

04:32.750 --> 04:39.560
And we have companies with names like CloudFlare for example who then have servers all over the Internet.

04:39.680 --> 04:46.820
Now what these servers will do once this kicks in, once our mitigator yells help, is that these different

04:46.820 --> 04:53.960
boxes will act as proxies for a particular Web site and what will happen is that these boxes.

04:53.970 --> 04:57.640
I've only got a few drawn here but there are hundreds and hundreds and hundreds of these.

04:57.650 --> 05:04.910
So anytime anybody tries to get to www dot whatever is in trouble dot com they can.

05:05.050 --> 05:07.470
Instead they're actually going through these proxy servers.

05:07.570 --> 05:13.780
And so there's so many of them they can filter out bad data they can filter out denial of service attacks.

05:13.870 --> 05:19.330
And at the same time letting the good people who want to get to that particular URL

05:19.540 --> 05:26.420
all the way back to the site, and that's pretty much how a distributed denial of service mitigator works.

05:26.430 --> 05:33.730
Now keep in mind that when we talk about protecting our servers there are all kinds of boxes that we

05:33.730 --> 05:34.840
can put in.

05:35.080 --> 05:41.050
Now it sounds expensive but what's interesting for many people today since we use virtualization and

05:41.050 --> 05:46.280
cloud based services, all of the devices I talked to you about, you don't have to actually buy hardware.

05:46.360 --> 05:52.800
They can manifest as software and sit in the cloud along with all of your virtual servers.
