CompTIA Security+ SY0-601 – 3.3 Implement secure network designs. Part 4

  1. Jump and Proxy servers

In this video I’m going to be talking about a jump server and a proxy server. Let’s get started. Quick video, nothing complex. The first thing I will talk about is something called a jump server. Now all you need to know for your exam is a jump server is basically a server that connects dissimilar security zones. So take for example this diagram I have here. I have my LAN and I have my DMZ. So if I want to have administrators in the LAN go out and administer these devices in the DMZ, I would set up a jump server. So I would get another machine here, make it a jump server, and I would set up the jump server. The jump server is like that bridge between two different security zones, which is going to be my DMZ and my LAN. Just remember that for your exam.

Remember that for your exam. The next term I want to talk about is going to be the term proxy server. So if you have ever been at a university, or you’ve been at a job, where you try to access your personal email or Facebook or something and it redirects you to another place, like, “hey, you can’t go here,” you’ve got a particular web blocker; that’s generally a proxy server. So that’s known as a forward proxy because your data is trying to go out of the network. So it’s leaving the network; it’s considered a forward proxy. So basically this is a very popular thing to do, because when an organization uses these types of forward proxies, what it does is that they’re able to limit the content that the users are consuming.

So we could deny them access to personal email sites, to Facebook, to Twitter, to shopping sites, and just give them access to the sites that we want them to have access to. Very popular option. So the way this would work is, let’s say there is a Google web server and you want your users just to have access to that. So the proxies are generally on the firewalls. The proxies are basically firewalls. So this user wants to go out through the proxy. Remember, “proxy” means to do on behalf of. So the proxy would be like, okay, you’re allowed to go to Google’s web server, but what if you have a Facebook web server? So the user is like, okay, I’m going there, and the proxy is like, hold up. The proxy takes your traffic and redirects you here even though you had asked for Facebook. So this traffic, note, this traffic is all moving in one direction.

This is generally called a forward proxy. Now the other type of proxy that’s mentioned is going to be something called a reverse proxy. Reverse proxies are generally, let’s put an R here, reverse proxy. So a reverse proxy is basically a middleman between your web server, your hosted web server, and the clients coming off the Internet. So here’s a client coming off the Internet wanting to get traffic to this web server. But the reverse proxy is the middle computer that sits in between that web server and the users. And this can do different types of caching and protection for your machine. So remember, a forward proxy will stop traffic from the internal network going out, can filter traffic from going out, from going, I should say, from the internal network, your LAN, to your WAN. And then the reverse proxy will stop traffic coming from your WAN into your DMZ or into your LAN. Okay, make sure to know these terms for your exam. They’re not too complex, but they just may show up on your test.
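The forward-proxy decision described above (allow the one web server, redirect everything else), as an added example that is not part of the video and not any real proxy’s code. It assumes the proxy sees the HTTP proxy request line (a `CONNECT host:port` for TLS or an absolute-form `GET http://host/...`), an allow-list of hostnames, and an internal block page; all of those are constructed here. The point a practitioner should take from it is the host-matching rule: an allow-list must match the exact host or a proper subdomain, because the obvious substring check lets `google.com.evil.example` through.

```python
"""Forward-proxy allow-list policy (added example, constructed inputs)."""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list and block page; not from the video.
ALLOWED_HOSTS = {"google.com", "www.google.com"}
BLOCK_PAGE = "http://proxy.internal/blocked"   # hypothetical internal block page


def host_from_request(request_line: str) -> Optional[str]:
    """Extract the destination host from a proxy request line.

    Handles 'CONNECT host:443 HTTP/1.1' (TLS tunnelling) and
    'GET http://host/path HTTP/1.1' (plain HTTP, absolute-form target).
    Returns None when the line does not parse.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    if method.upper() == "CONNECT":
        host = target.rsplit(":", 1)[0]        # strip the port
    else:
        host = urlsplit(target).hostname
    return host.lower().rstrip(".") if host else None


def host_allowed(host: str) -> bool:
    """Exact match or proper subdomain of an allowed host.

    'mail.google.com' passes; 'notgoogle.com' and
    'google.com.evil.example' do not.
    """
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def naive_allowed(host: str) -> bool:
    """The substring check a quick implementation tends to use (for contrast)."""
    return any(a in host for a in ALLOWED_HOSTS)


def decide(request_line: str) -> Tuple[str, str]:
    """Return ('forward', host) or ('redirect', BLOCK_PAGE).

    Unparseable requests are redirected too: a filtering proxy fails closed.
    """
    host = host_from_request(request_line)
    if host is not None and host_allowed(host):
        return ("forward", host)
    return ("redirect", BLOCK_PAGE)


if __name__ == "__main__":
    for line in ("CONNECT www.google.com:443 HTTP/1.1",
                 "GET http://www.facebook.com/ HTTP/1.1",
                 "GET http://google.com.evil.example/ HTTP/1.1"):
        print(line, "->", decide(line))
```

`decide` only looks at the proxy request line; a production forward proxy also has to make sure the `Host` header and the TLS SNI agree with it, otherwise a client can ask the proxy for an allowed host and tunnel to another.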

  1. IDS and IPS

In this video I’m going to be talking about network intrusion detection and network intrusion prevention. So basically IDSs and IPSs is really what I’m talking about. So let’s get into this. So first of all, you have to understand what these types of things do, and you have to understand what the purpose of them is, because they’re very useful and you should have them in your network. So let me give you a scenario. Let’s say you’re managing a network with 100-plus computers, let’s say 150 computers on it, and everything is going fine. And then one day people start complaining that the network is really slow. So you go to your firewall and you look at it and you see the traffic has gone up. That means something in your network is downloading or consuming a lot of the bandwidth.

Now you figure out that it’s some kind of virus, right? You figure out that it’s some kind of worm on somebody’s machine, probably downloading something. How do you find that, though? Do you go to every single computer? You can see the traffic going, but you can’t tell where it’s coming from, what device is doing it. How do you figure this out? Like, do you go to every single computer and basically analyze it yourself? You’re going to be there for a long, long time. And if you have 500 machines, then what do you do? So this is where an IDS comes in. An intrusion detection system is basically a computer that sits off your network, that absorbs all of the network traffic, analyzes it for you, and then gives you back an output that says, oh, that computer over there, that’s the guy with the virus on it.

This is an intrusion detection system. And I’ll show you guys a famous one. One of the most famous intrusion detection systems is Snort. Snort is probably the most famous intrusion detection system. I know they call it an intrusion prevention system, but we’ll talk a little about what this is in a minute. But it really is an IDS. So this here is, and I’m going to explain to you guys how this works. And it’s free, by the way. You guys can download this for free. Basically this is maintained by Cisco, so it’s kept up to date very well. So let me explain to you guys how to set this thing up and basically how it works. So in a network you’re always going to have a main switch, the main switch that all traffic goes through, the switch that the router connects to.

So what you’re going to do in that main switch is you’re going to take a computer, basically just a normal computer, maybe you want to boost up its memory or its processor depending on how many hosts you have, and you’re going to connect it to the switch. And then what you’re going to do is you’re going to configure something called port spanning or port mirroring. Remember those terms: port spanning and port mirroring mean the same thing. What that means is that this particular port on the switch is going to get all the traffic from the network. So every time the switch receives a frame, it’s going to copy it to this particular port, and you’re going to connect this Snort box to it, this computer. And then you take this computer, you download Snort, you install it, you configure it. Now you’re going to have to make sure that, and here’s another term for your exam.

You have to make sure that you put the NIC card in promiscuous mode. Remember that? Put the NIC card in promiscuous mode. What that means is that it’s going to allow the NIC card to take in all traffic. You see, by default, your NIC card, if you send traffic to, if you send a frame to somebody’s NIC card and the destination MAC address is not its own, it discards it; it doesn’t even process it. So what you want to do is you want to tell the NIC card, hey, don’t do that, let everything in, because a lot of frames aren’t going to be destined for it, because it’s just copying them. So now the, quote unquote, software Snort snorts up all of the traffic. And what it does is that it has rules. So it has rules that it processes the traffic against. And what this does is that if there’s any type of, now the rules are like the virus definitions, by the way.

So you’d have to get the rules, and the rules are updated fairly often. So you would get the rules and you would keep your device updated. And if there are any viruses in the network, it would basically tell you that. So here’s the diagram of that. So you take your firewall, right? So the firewall is protecting the network. This router here, this network router, would come from your ISP. Now you have a host. Let’s say this host comes under attack, or the host wants to get out of the network. Now remember, the IDS on this section here is basically observing all the traffic. That IDS would tell the network administrator, hey, this guy is getting intruded on, this guy has been infected. So an IDS is a really useful, I should say, piece of software on your network.

The question is, how does the IDS learn? The IDS learns who’s on there by signature or by some kind of behavior- or anomaly-based thing. So what that means is, generally, signature detection is that it has a definition within the software that knows, hey, that type of attack, that’s this virus or that’s this worm. An anomaly- or behavior-based IDS creates what’s known as a traffic pattern in your network. And when the traffic meets that pattern, it basically knows, okay, that’s normal traffic. But anything abnormal from the pattern that it created, it’s going to prompt you. Now the bad thing with behavior-based IDS is they could throw a lot of false positives. In other words, it’s telling you it is an intrusion, but really it’s just a user trying to download a big file. Signature-based:

the bad thing here is if there’s any type of zero-day exploit or any type of intrusion that it doesn’t have a signature for, it’s not going to tell you. So you have to weigh your pros and cons. Some people turn off the anomaly- or behavior-based detection because of the amount of false positives. But it’s probably good to keep it on because it could detect the zero-day exploit. Now I do want to point out that an IDS doesn’t just have to be on the actual network as a device. It could be something that is on your hosts. So we have host-based IDS: the IDS is installed on individual computers. Those would generally be included in endpoint security packages like Symantec Endpoint Security. If you have one of those, it will probably be included in that. Okay, the other thing I want to mention is something called an IPS, intrusion prevention system. IPSs are not passive, they’re more inline.

So you notice on the exam objective they mention something called inline versus passive. An IDS is just a device that sits off the network, and it just gets traffic and then it alerts. It doesn’t touch or manipulate anything. IPSs are different. An IPS is a piece of software or device that basically, if it detects an intrusion in your network, what it does is it can shut the Internet off for that particular device on the network or that particular segment. For that, it has to be inline, which means it must be controlling the traffic. It has to be able to shut down the Internet. This SonicWall has the ability to be an IPS. So right now the LAN port is plugged in. I don’t have anything in the WAN port, but let’s say I plugged the WAN into here. So all computers in this entire network would be using the SonicWall to go out on the Internet. If the SonicWall determines that, you know what, oh, that host over there, he has a virus,

okay, I’m shutting the Internet off. For that to happen, it has to control the flow of the traffic. So the traffic coming through here has to come through the WAN. The LAN side is going to leave through the WAN side. The SonicWall is like, yeah, you’re not leaving, though. So this is known as an IPS system. So IPSs are more inline, the more active devices, versus IDSs, which are just passive. They just alert you. Okay, so you guys can go out if you want. You can go and try the Snort software. I thought I was going to do a lab, but it’s not that difficult to set up. But then it takes a lot of time, and it was just going to waste a lot of time, and I think this course is getting too long as it is. But you guys can try it out. It’s not too difficult to set up, so go have some fun setting it up if you want. It is one of the world’s most used IDSs. If not, I’ll see you in the next video.
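The signature-versus-anomaly trade-off from this video, as an added example that is not Snort and not from the course: a tiny detector run over constructed flow records. The signatures are made-up Snort-style content matches, the baseline is just mean and standard deviation of bytes per flow on some made-up “normal” flows, and the observed flows are constructed so that the known worm is caught by signature only, the large legitimate download trips the anomaly detector (the false positive the video warns about), and the unknown payload on an odd port is caught by the anomaly detector only (the zero-day case). The last function shows the passive/inline difference: the same alerts either get reported or turned into a block list.

```python
"""Signature- vs anomaly-based detection over constructed flows (added example)."""
import re
import statistics
from typing import List, Set, Tuple

# Flow record: (src_ip, dst_port, bytes_out, payload_snippet). All constructed.
Flow = Tuple[str, int, int, bytes]

BASELINE_FLOWS: List[Flow] = [
    ("10.0.0.5", 443, 12_000, b""),
    ("10.0.0.6", 443, 15_000, b""),
    ("10.0.0.7", 80, 9_000, b"GET /index.html HTTP/1.1"),
    ("10.0.0.8", 443, 11_000, b""),
    ("10.0.0.9", 53, 400, b""),
    ("10.0.0.10", 443, 13_000, b""),
]

OBSERVED_FLOWS: List[Flow] = [
    ("10.0.0.7", 80, 10_000, b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.1"),   # known bad string
    ("10.0.0.20", 8080, 2_000, b"WORM-BEACON-v1 id=20"),                 # known worm, small flow
    ("10.0.0.21", 443, 900_000_000, b""),                                # user pulling a big ISO
    ("10.0.0.22", 4444, 250_000_000, b"\x90\x90\x90\x90"),               # unknown: no signature yet
]

# Snort-style "content" rules: (sid, description, pattern). Made up for the example.
SIGNATURES = [
    (1000001, "known worm beacon", re.compile(rb"WORM-BEACON-v1")),
    (1000002, "shell command in HTTP request", re.compile(rb"/bin/sh")),
]

Alert = Tuple[str, str, str]   # (src_ip, detector, detail)


def signature_alerts(flows: List[Flow]) -> List[Alert]:
    """Fire on any payload that matches a known pattern; silent on anything else."""
    alerts = []
    for src, _port, _nbytes, payload in flows:
        for sid, desc, pat in SIGNATURES:
            if pat.search(payload):
                alerts.append((src, "signature", f"sid:{sid} {desc}"))
    return alerts


def build_baseline(flows: List[Flow]) -> Tuple[float, float]:
    """Learn 'normal' as mean and population stdev of bytes per flow."""
    sizes = [f[2] for f in flows]
    return statistics.mean(sizes), statistics.pstdev(sizes)


def anomaly_alerts(flows: List[Flow], baseline: Tuple[float, float], k: float = 3.0) -> List[Alert]:
    """Fire on any flow more than k standard deviations above the baseline mean."""
    mean, sd = baseline
    return [(src, "anomaly", f"{nbytes} bytes vs baseline {mean:.0f}+/-{sd:.0f}")
            for src, _port, nbytes, _payload in flows if nbytes > mean + k * sd]


def analyze(flows: List[Flow], baseline: Tuple[float, float]) -> List[Alert]:
    return signature_alerts(flows) + anomaly_alerts(flows, baseline)


def enforce(alerts: List[Alert], inline: bool) -> Set[str]:
    """Passive (IDS): report only. Inline (IPS): return the sources to cut off."""
    return {src for src, _detector, _detail in alerts} if inline else set()


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for a in analyze(OBSERVED_FLOWS, base):
        print(a)
    print("IPS would block:", enforce(analyze(OBSERVED_FLOWS, base), inline=True))
```

Note that the anomaly detector here, like the one in the video’s description, cannot tell the ISO download from the exfiltration on port 4444; both are just “too many bytes”. That is exactly why an inline IPS is usually fed signature hits and only high-confidence anomalies, while the noisier anomaly alerts go to a human.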

  1. Other network secure concepts

In this video we’re going to be going through a variety of different terms that you should know about when securing your network. Now some of these things we have already gone through and some of them are just third-party things. In fact, a good set of them we have already gone through. Let’s knock it out so we know it for our test. So the first thing up is ACL, the access control list. Now access control lists are generally implemented on routers or firewalls. Firewalls are where you’re going to find these types of things. Now you can also find them on a folder. An access control list, or an ACL, basically says whether to allow something or not. When you’re configuring a firewall or a router, basically when you’re configuring a firewall, you saw when I did the configuration video, I was like, allow this, but don’t allow this. That’s an ACL you’re configuring. The next topic here is route security.

Now route security is basically routing security. Now the way to do this, if you’re routing data across the network, is you’re going to want to make sure that you have encryption. The encryption could be things we talked about in this course, IPsec or SSL, to encrypt your data there. Now comes this topic of QoS that I want to spend a few minutes on. Quality of service, QoS. What is this? For your exam, I want you just to know QoS is associated with VoIP, Voice over IP. Here’s why. So when you actually go out and install VoIP in your network, what starts to happen is you’re going to have contention between data and voice data. Sounds bad, right? Sounds weird, voice data. I just made this up, by the way. It’s not an official term, but let’s just say you’re going to have contention in the lines between voice and data coming through the lines at the same time.

Now remember how VoIP works, right? So VoIP is based on UDP and it plays the voices you’re receiving on it. So what you want to do is you want to go into your network and you want to prioritize the voice traffic over the data traffic coming into your phone systems and your network devices. To do this, you’re going to use QoS. So QoS is a way to prioritize the bandwidth on our network so we can get that voice traffic faster and more efficiently. Next, what’s going to happen when we start implementing IP version 6? I’m not sure how many of you guys studied in your Network+ or your CCNA. There are some things to consider when we’re going to be talking about implementation of IPv6. You see, as the world moves towards IPv6, there are some things to think about. First of all, does the device support IPv6? Now, most devices made in the last ten, I would even go back to 15 years,

no, not 15 years. Windows XP, 15 years ago, is too long. Actually, about ten years. I would say starting around the time of Windows Vista. I can’t remember what year that was. Around that time, the devices around the world started to have IPv6 in them. Even XP had it, but it wasn’t there by default; but by Windows Vista it came installed and it was usable. So one of the things is, does the device support it? And if it doesn’t, you might have to find ways of installing it, or the device can’t communicate. IP version 6, though, does have more efficient routing native in IPv6. It’s faster, it’s more secure than IP version 4. But a lot of legacy and old networks may not support it. In fact, a large part of the mobile network here in the United States already supports it.

Pick up your phone, connect to your mobile network, go to Google and search “show my IP address”. When I do it, I see an IPv6 address online. Does everybody else? I don’t know. And I’m in New York City. So you guys, maybe where you are, maybe you’re getting an IPv6 address. Check it out. I have IPv6 coming to my home as well as IPv4. So as IPv6 is becoming more and more common, we are going to be starting to use it more. Eventually, our internal networks will. In fact, one of our instructors here at TIA, Juan Astronaut, the other great security instructor, Cisco guy, his whole house is IPv6. And here at TIA Networks, we will be upgrading our networks to IPv6 very soon. Okay, the other term we want to talk about is port span. And port mirror is something I talked about

when we talked about IDS. So what this does, basically, is it allows you to tap a port, to allow you to forward traffic out, to copy traffic or frames coming in from that port onto another. Basically remember what port spanning is. So port spanning basically takes a copy and sends it to a particular computer to analyze the traffic. That’s what we did with the IDS. But I did want to show you guys, now, I’m not sure what CompTIA was mentioning in here when they talked about port taps, if they actually meant network taps. Network taps. And I got a diagram here for you. A network tap is basically a device. So this is a port spanner. Let me zoom in here for you. So this is a network spanner, right? So you take a switch with port mirror, and basically you could mirror a port and basically you send all the traffic to one device.

But a tap is different. A network tap is a physical device that you connect between the switch and its network and the routers or the servers. And this here will physically capture. So the switch sends data in here before it gets to the server. And this thing is analyzing all the traffic coming through before it hits the server. So it’s like this intermediary device. And if you were to put this device between the switch and the firewall, it will capture all the traffic trying to get out and get to the firewall to get to the Internet. Network taps are better, even though they’re an additional hardware device you have to purchase. They capture all the layer one routing, physical errors and problems that happen at layer one.

Remember, a switch can’t see layer one problems, so the network tap could. So I’m not too sure what they meant, but there’s such a thing as the network tap. Okay, monitoring services. So monitoring services we have here is basically these could be remote third-party monitoring services that gather data from your network and can alert you of any intrusions. So what these are, are basically software that MSPs, managed service providers, put into your network, and they can remotely monitor your system. So if you’re a small to mid-sized business and you have an MSP, they probably have one of these monitoring services installed on your network and they’re monitoring your network traffic. If there are any kind of problems and errors, you have thresholds set up, so if there’s any type of issue, they’ll be able to tell and see it. So here’s one of them. The other thing here that we mentioned is going to be file integrity monitors.

Now, file integrity monitors, the most famous of these is Tripwire. Many businesses use this, Tripwire. Many large businesses use this file integrity monitoring. So Tripwire, what it is: so you have a lot of files on your operating system; viruses, malware get into these things. They could change the structure. To find that, remember how integrity works. Integrity means modification. Tripwire is able to scan your systems and detect changes, unauthorized changes to the files within your systems, basically detecting if there’s any type of malware in there or any type of unauthorized changes, even if it’s not malware, just done by users. Okay, a lot of different terms here that we went over, make sure to review them. Now we went over a lot of them, like ACL, port security, QoS, port span, we went over. So most of these here we have gone over. Okay, that concludes this. Let’s keep going.
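The ACL idea from the start of this video (“allow this, but don’t allow this”), as an added example that is not the video’s and not any vendor’s syntax. It models what router and firewall ACLs actually do: rules are evaluated top to bottom, the first match wins, and anything that matches nothing hits the implicit deny at the end. The rules, addresses and ports are constructed; the jump-server rule ties back to the earlier video (one LAN host allowed to SSH into the DMZ, nothing else).

```python
"""Ordered ACL with first-match semantics and implicit deny (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# Rule: (action, src_cidr, dst_cidr, proto, dst_port or None for any port). Constructed.
Rule = Tuple[str, str, str, str, Optional[int]]

ACL: List[Rule] = [
    ("deny",   "10.0.5.0/24", "0.0.0.0/0",     "any", None),  # quarantined VLAN: nothing out
    ("permit", "10.0.0.0/16", "192.0.2.10/32", "tcp", 443),   # LAN -> DMZ web server
    ("permit", "10.0.0.0/16", "192.0.2.53/32", "udp", 53),    # LAN -> DMZ DNS
    ("permit", "10.0.1.7/32", "192.0.2.0/24",  "tcp", 22),    # jump server only -> DMZ SSH
    # implicit "deny any any": anything that falls off the end is dropped
]


def rule_matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    _action, s_net, d_net, r_proto, r_port = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(s_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(d_net)
            and r_proto in ("any", proto)
            and (r_port is None or r_port == dport))


def evaluate(acl: List[Rule], src: str, dst: str, proto: str, dport: int) -> Tuple[str, int]:
    """Return (action, index of the rule that matched); index -1 is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule_matches(rule, src, dst, proto, dport):
            return rule[0], i
    return "deny", -1


if __name__ == "__main__":
    for pkt in (("10.0.1.7", "192.0.2.20", "tcp", 22),    # jump server SSH to DMZ
                ("10.0.1.8", "192.0.2.20", "tcp", 22),    # any other LAN host: dropped
                ("10.0.5.9", "192.0.2.10", "tcp", 443)):  # quarantined host: deny rule first
        print(pkt, "->", evaluate(ACL, *pkt))
```

Order is the whole point: move the quarantine rule below the permits and the quarantined host reaches the web server, because the permit matches first. Keep specific denies above broad permits, and remember there is no “allow” at the bottom to catch what you forgot.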
