You've learned about security domains in previous courses. Now we will explore one of those domains further, networks. It's important to secure networks because network-based attacks are growing in both frequency and complexity. Hi there. My name is Chris, and I'm the Chief Information Security Officer for Google Fiber.
I'm excited to be your instructor for this course. I've been working in network security and engineering for over 20 years, and I'm looking forward to sharing some of my knowledge and experience with you. This course will help you understand the basic structure of a network, also referred to as a network architecture, and commonly used network tools. You'll also learn about network operations and explore some basic network protocols.
Next, you'll learn about common network attacks and how network intrusion tactics can present a threat to a network. Finally, the course will provide an overview of security hardening practices and how you might use them to help secure a network. There's a lot to learn in securing networks, and I'm excited to go on this journey with you. Ready to get started?
Let's go! Before securing a network, you need to understand the basic design of a network and how it functions. In this section of the course, you will learn about the structure of a network, standard networking tools, cloud networks, and the basic framework for organizing communications across a network, called the TCP/IP model. Securing networks is a big part of a security analyst's responsibilities, so I'm excited to help you understand how to secure your organization's network from threats, risks, and vulnerabilities. Let's get going.
Welcome. Before you can understand the importance of securing a network, you need to know what a network is. A network is a group of connected devices. At home, the devices connected to your network might be your laptop, cell phones, and smart devices like your refrigerator or air conditioner. In an office, devices like workstations, printers, and servers all connect to the network.
The devices on a network can communicate with each other over network cables or wireless connections. Networks in your home and office can communicate with networks in other locations and the devices on them. Devices need to find each other on a network to establish communications.
These devices will use unique addresses or identifiers to locate each other. The addresses ensure that communication happens with the right device. These are called the IP and MAC addresses. Devices can communicate on two types of network: a local area network, also known as a LAN, and a wide area network, also known as a WAN.
A local area network, or LAN, spans a small area, like an office building, a school, or a home. For example, when a personal device like your cell phone or tablet connects to the Wi-Fi in your house, it forms a LAN. The LAN then connects to the internet. A wide area network, or WAN, spans a large geographical area like a city, state, or country. You can think of the internet as one big WAN.
An employee of a company in San Francisco can communicate and share resources with another employee in Dublin, Ireland over the WAN. Now that you've learned about the structure and types of networks, meet me in an upcoming video to learn about the devices that connect to them. In this video, you'll learn about the common devices that make up a network. Let's get started.
A hub is a network device that broadcasts information to every device on the network. Think of a hub like a radio tower that broadcasts a signal to any radio tuned to the correct frequency. Another network device is a switch. A switch makes connections between specific devices on a network by sending and receiving data between them.
A switch is more intelligent than a hub. It only passes data to the intended destination. This makes switches more secure than hubs and enables them to control the flow of traffic and improve network performance.
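To make the hub-versus-switch point concrete, here is an added simulation (not code from the course) of both devices handling the same constructed frames. The ports, MAC addresses and frames are invented for the example; host S on port 4 stands in for a device that should only see traffic addressed to it, and the exposure count shows how much other traffic each device hands it. The switch's table of MAC addresses and ports is the same idea the course returns to later under MAC address tables.

```python
"""Compare a hub with a learning switch on the same constructed frames.

Added example, not code from the course. Ports, MAC addresses and frames
are all constructed; host S on port 4 shows how much traffic not meant for
it each device hands over.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every other port; every device sees everything."""

    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, frame):
        return [p for p in self.ports if p != in_port]


class LearningSwitch:
    """Learns which MAC lives behind which port and forwards only to that port."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port, the switch's "address book"

    def forward(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port      # learn (or refresh) the sender's port
        dst = frame["dst"]
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.ports if p != in_port]   # unknown destination: flood like a hub
        out = self.mac_table[dst]
        return [] if out == in_port else [out]      # known destination: one port only


def run(device, frames):
    """Feed frames through the device; return {port: [frames delivered]}."""
    delivered = {p: [] for p in device.ports}
    for frame in frames:
        for port in device.forward(frame["in_port"], frame):
            delivered[port].append(frame)
    return delivered


def exposure(delivered, port, own_mac):
    """Count unicast frames that reached `port` although they were addressed to someone else."""
    return sum(1 for f in delivered[port] if f["dst"] not in (own_mac, BROADCAST))


# Constructed topology: hosts A, B, C on ports 1-3, a listening host S on port 4.
A, B, C, S = ("aa:bb:cc:00:00:0%d" % i for i in range(1, 5))
FRAMES = [
    {"in_port": 1, "src": A, "dst": B},          # A -> B: switch has not seen B yet, so it floods
    {"in_port": 2, "src": B, "dst": A},          # B -> A: A was already learned on port 1
    {"in_port": 1, "src": A, "dst": B},          # A -> B again: now delivered to port 2 only
    {"in_port": 3, "src": C, "dst": BROADCAST},  # broadcast: everyone gets it on either device
]

if __name__ == "__main__":
    for name, dev in (("hub", Hub(range(1, 5))), ("switch", LearningSwitch(range(1, 5)))):
        d = run(dev, FRAMES)
        print(name, "frames seen by S on port 4:", len(d[4]), "not meant for S:", exposure(d, 4, S))
```

On the hub, S receives every unicast frame between A and B; on the switch it receives only the first one, sent before the switch had learned where B was. That one flooded frame is why the switch is described as more secure rather than as a guarantee of privacy on the LAN.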
Another device that we'll discuss is a router. A router is a network device that connects multiple networks together. For example, if a computer in one network wants to send information to a tablet on another network, then the information will be transferred as follows.
First, the information travels from the computer to the router. Then the router reads the destination address and forwards the data to the intended network's router. Finally, the receiving router directs that information to the tablet.
Finally, let's discuss modems. A modem is a device that connects your router to the internet and brings internet access to the LAN. For example, if a computer from one network wants to send information to a device on a network in a different geographic location, it would be transferred as follows.
The computer would send information to the router. The router would then transfer the information through the modem to the internet. The intended recipient's modem receives the information and transfers it to the router.
Finally, the recipient's router forwards that information to the destination device. Network tools such as hubs, switches, routers, and modems are physical devices. However, many functions performed by these physical devices can be completed by virtualization tools. Virtualization tools are pieces of software that perform network operations. Virtualization tools carry out operations that would normally be completed by a hub, switch, router or modem, and they are offered by cloud service providers.
These tools provide opportunities for cost savings and scalability. You'll learn more about them later in the certificate program. Now you've explored some common devices that make up a network.
Coming up, you're going to learn more about cloud computing and how networks can be designed using cloud services. Companies have traditionally owned their network devices and kept them in their own office buildings. But now, a lot of companies are using third-party providers to manage their networks.
Why? Well, this model helps companies save money while giving them access to more network resources. The growth of cloud computing is helping many companies reduce costs and streamline their network operations. Cloud computing is the practice of using remote servers, applications, and network services that are hosted on the internet instead of on local physical devices.
Today, the number of businesses that use cloud computing is increasing every year, so it's important to understand how cloud networks function and how to secure them. Cloud providers offer an alternative to traditional on-premise networks and allow organizations to have the benefit of a traditional network without storing the devices and managing the network on their own. A cloud network is a collection of servers or computers that stores resources and data in a remote data center and can be accessed via the internet.
Because companies don't house the servers at their physical location, these servers are referred to as being in the cloud. A traditional network hosts web servers from a business in its physical location. However, cloud networks are different from traditional networks because they use remote servers, which allow online services and web applications to be used from any geographic location.
Cloud security will become increasingly relevant to many security professionals as more organizations migrate to cloud services. Cloud service providers offer cloud computing to maintain applications. For example, they provide on-demand storage and processing power that their customers pay for only as needed. They also provide business and web analytics that organizations can use to monitor their web traffic and sales.
With the transition to cloud networking, I have witnessed an overlap of identity-based security on top of the more traditional network-based solutions. This meant that my focus needed to be on verifying both where the traffic is coming from and the identity that is coming with it. More organizations are moving their network services to the cloud to save money and simplify their operations.
As this trend has grown, cloud security has become a significant aspect of network security. Networks help organizations communicate and connect. But communication makes network attacks more likely, because it gives a malicious actor an opportunity to take advantage of vulnerable devices and unprotected networks. Communication over a network happens when data is transferred from one point to another.
Pieces of data are typically referred to as data packets. A data packet is a basic unit of information that travels from one device to another within a network. When data is sent from one device to another across a network, it is sent as a packet. It contains information about where the packet is going, where it's coming from, and the content of the message.
Think about data packets like a piece of physical mail. Imagine you want to send a letter to a friend. The envelope will need to have the address where you want the letter to go and your return address.
Inside the envelope is a letter that contains the message that you want your friend to read. A data packet is very similar to a physical letter. It contains a header that includes the Internet Protocol address, the IP address, and the Media Access Control, or MAC address, of the destination device.
It also includes a protocol number that tells the receiving device what to do with the information in the packet. Then there's the body of the packet, which contains the message that needs to be transmitted to the receiving device. Finally, at the end of the packet, there's a footer.
Similar to a signature on a letter, the footer signals to the receiving device that the packet is finished. The movement of data packets across a network can provide an indication of how well the network is performing. Network performance can be measured by bandwidth. Bandwidth refers to the amount of data a device receives every second. You can calculate bandwidth by dividing the quantity of data by the time in seconds.
Speed refers to the rate at which data packets are received or downloaded. Security personnel are interested in network bandwidth and speed because if either are irregular, it can be an indication of an attack. Packet sniffing is the practice of capturing and inspecting data packets across the network.
Communication on a network is important for sharing resources and data because it allows organizations to function effectively. Coming up, you'll learn more about the protocols that support network communication. Hello again! In this video, you'll learn more about a communication protocol that devices use to communicate with each other across the Internet. This is called the TCP/IP model.
TCP/IP stands for Transmission Control Protocol and Internet Protocol. TCP/IP is the standard model used for network communication. Let's take a closer look at this model by defining TCP and IP separately.
First, TCP, or Transmission Control Protocol, is an internet communication protocol that allows two devices to form a connection and stream data. The protocol includes a set of instructions to organize data so it can be sent across a network. It also establishes a connection between two devices and makes sure the packet reaches the appropriate destination. The IP in TCP/IP stands for Internet Protocol.
IP is a set of standards used for routing and addressing data packets as they travel between devices on a network. Included in the Internet Protocol is the IP address that functions as an address for each private network. You'll learn more about IP addresses a bit later. When data packets are sent and received across a network, they are assigned a port.
Within the operating system of a network device, a port is a software-based location that organizes the sending and receiving of data between devices on a network. Ports divide network traffic into segments based on the service they will perform between two devices. The computer sending and receiving these data segments knows how to prioritize and process these segments based on their port number.
This is like sending a letter to a friend who lives in an apartment building. The mail delivery person not only knows how to find the building, but they also know exactly where to go in the building to find the apartment number where your friend lives. Data packets include instructions that tell the receiving device what to do with the information.
These instructions come in the form of a port number. Port numbers allow computers to split the network traffic and prioritize the operations they will perform with the data. Some common port numbers are port 25, which is used for email, port 443, which is used for secure internet communications, and port 20 for large file transfers. As you've learned in this video, a lot of information and instructions are contained in data packets as they travel across the network. Coming up, you'll learn more about the TCP/IP model.
Now that we've discussed the structure of a network and how communication takes place, it's important for you to know how security professionals identify problems that might arise. The TCP/IP model is a framework that is used to visualize how data is organized and transmitted across the network. The TCP/IP model has four layers. The four layers are the Network Access Layer, the Internet Layer, the Transport Layer, and the Application Layer.
Knowing how the TCP/IP model organizes network activity allows security professionals to monitor and secure against risks. Let's examine these layers one at a time. Layer 1 is the Network Access Layer.
The Network Access Layer deals with creation of data packets and their transmission across a network. This includes hardware devices connected to physical cables, and switches that direct the data to its destination. Layer 2 is the Internet layer.
The Internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The Internet layer also focuses on how networks connect to each other. For example, data packets contain information that determines whether they will stay on the LAN or be sent to a remote network, like the Internet. The Transport layer includes protocols to control the flow of traffic across a network. These protocols permit or deny communication with other devices and include information about the status of the connection.
Activities of this layer include error control, which ensures data is flowing smoothly across the network. Finally, at the application layer, protocols determine how the data packets will interact with receiving devices.
Functions that are organized at the application layer include file transfers and email services. Now you have an understanding of the TCP/IP model and its four layers. Meet you in the next video.
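The three previous videos describe what a data packet carries (MAC and IP addresses, a protocol number, a port number, a body and a footer) and how the four TCP/IP layers organize it. The following added example, which is not code from the course, builds one frame from constructed values and then decodes it the way a packet sniffer does, one layer at a time. The addresses, ports and payload are all invented; the 4-byte CRC-32 trailer stands in for the Ethernet frame check sequence, which a network card checks and normally strips before software sees the packet.

```python
"""Decode a constructed Ethernet/IPv4/TCP frame one layer at a time.

Added example, not code from the course. The frame bytes are constructed
below so the script runs offline. The 4-byte trailer is a CRC-32 over the
frame, standing in for the Ethernet frame check sequence that a NIC checks
(and usually strips) before the packet reaches a sniffer.
"""
import struct
import zlib

# Protocol numbers in the IPv4 header tell the receiver which transport protocol gets the payload.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Port numbers named in the course (a small subset of the IANA registry).
WELL_KNOWN_PORTS = {20: "FTP data (file transfer)", 25: "SMTP (email)", 443: "HTTPS"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as specified for the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Assemble a frame from the inside out: TCP segment, then IPv4 packet, then Ethernet frame."""
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum (0 here), urgent.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"   # EtherType 0x0800 = IPv4
    body = eth + ip_hdr + tcp + payload
    return body + struct.pack("!I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Walk the four TCP/IP layers and return what each header says."""
    body, trailer = frame[:-4], frame[-4:]
    if struct.unpack("!I", trailer)[0] != zlib.crc32(body):
        raise ValueError("trailer check failed: frame damaged or truncated")
    # Layer 1, network access: the Ethernet header carries the MAC addresses.
    dst_mac, src_mac, ethertype = body[:6], body[6:12], struct.unpack("!H", body[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are decoded here")
    # Layer 2, internet: the IPv4 header carries the IP addresses and the protocol number.
    ihl = (body[14] & 0x0F) * 4
    ip_hdr = body[14:14 + ihl]
    _, _, total_len, _, _, ttl, proto, chk, src_ip, dst_ip = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if ipv4_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) != chk:
        raise ValueError("IPv4 header checksum mismatch")
    # Layer 3, transport: the TCP header carries the port numbers.
    tcp_start = 14 + ihl
    src_port, dst_port = struct.unpack("!HH", body[tcp_start:tcp_start + 4])
    data_offset = (body[tcp_start + 12] >> 4) * 4
    # Layer 4, application: whatever is left is the message body.
    payload = body[tcp_start + data_offset:14 + total_len]

    def fmt_mac(m):
        return ":".join("%02x" % b for b in m)

    return {
        "network_access": {"src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac)},
        "internet": {"src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
                     "ttl": ttl, "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "other")},
        "transport": {"src_port": src_port, "dst_port": dst_port,
                      "service": WELL_KNOWN_PORTS.get(dst_port, "unregistered/other")},
        "application": payload,
    }


# Constructed sample: a host on a LAN sending an SMTP greeting to a mail server.
SAMPLE_FRAME = build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
                           "192.168.1.10", "203.0.113.5", 51234, 25, b"EHLO mail.example.test\r\n")

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

The parser refuses a frame whose trailer or IPv4 checksum does not match, which is the "footer signals the packet is finished" idea from the letter analogy made concrete: a truncated or corrupted packet is rejected rather than half-interpreted.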
Let's learn about how IP addresses are used to communicate over a network. IP stands for Internet Protocol. An Internet Protocol Address, or IP address, is a unique string of characters that identifies the location of a device on the Internet.
Each device on the Internet has a unique IP address, just like every house on a street has its own mailing address. There are two types of IP addresses: IP version 4, or IPv4, and IP version 6, or IPv6. Let's look at an example of an IPv4 address.
IPv4 addresses are written as four one-, two-, or three-digit numbers separated by periods. In the early days of the Internet, IP addresses were all IPv4. But as the use of the Internet grew, the IPv4 addresses started to get used up, so IPv6 was developed. IPv6 addresses are made up of 32 characters. The length of the IPv6 address allows more devices to be connected to the Internet without running out of addresses as quickly as IPv4.
IP addresses can be either public or private. Your internet service provider assigns a public IP address that is connected to your geographic location. When network communications go out from your device on the internet, they all have the same public-facing address. Just like all the roommates in one home share the same mailing address, all the devices on a network share the same public-facing IP address.
Private IP addresses are only seen by other devices on the same local network. This means that all the devices on your home network communicate with each other using unique IP addresses that the rest of the internet can't see. Another kind of address used in network communications is called a MAC address.
A MAC address is a unique alphanumeric identifier that is assigned to each physical device on a network. When a switch receives a data packet, it reads the MAC address of the destination device and maps it to a port. It then keeps this information in a MAC address table.
Think of the MAC address table like an address book that the switch uses to direct data packets to the appropriate device. In this video, you learned about IP version 4 and IP version 6 addresses. You learned how IP and MAC addresses are used in network communication and the difference between a public and a private IP address.
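Telling public from private addresses, and IPv4 from IPv6, is something an analyst does constantly when reading logs. The added example below is not code from the course; it uses Python's standard `ipaddress` module to classify addresses the way the video describes (four numbers separated by periods, 32 hex characters for IPv6, private ranges the rest of the internet never sees) and then applies that to a few constructed log lines to pick out connections into private space from outside. The log format and all addresses are invented for the example.

```python
"""Classify IP addresses the way an analyst triaging logs would.

Added example, not code from the course. It uses Python's standard
`ipaddress` module; the log lines at the bottom are constructed.
"""
import ipaddress
import re

# RFC 1918 private IPv4 ranges: the addresses the rest of the internet never sees.
PRIVATE_V4 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 unique local addresses play the same role as RFC 1918 space.
PRIVATE_V6 = ipaddress.ip_network("fc00::/7")


def describe_address(text: str) -> dict:
    """Return the version, canonical notation and scope of one address.

    Raises ValueError for malformed input, e.g. an IPv4 octet above 255.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        if any(addr in net for net in PRIVATE_V4):
            scope = "private (RFC 1918)"
        elif addr.is_global:
            scope = "public"
        else:
            scope = "special-use"  # loopback, link-local, documentation ranges, etc.
        return {"version": 4, "notation": str(addr), "groups": 4, "scope": scope}
    if addr in PRIVATE_V6:
        scope = "private (unique local)"
    elif addr.is_link_local:
        scope = "link-local"
    elif addr.is_global:
        scope = "public"
    else:
        scope = "special-use"
    exploded = addr.exploded            # eight 4-hex-digit groups: 32 hex digits in all
    return {"version": 6, "notation": exploded, "groups": 8,
            "hex_digits": len(exploded.replace(":", "")), "scope": scope}


ADDR_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def external_sources(log_lines) -> list:
    """Pick out connections whose source is not on a private network.

    A private destination reached from a non-private source is the kind of
    line worth a second look on an internal segment; malformed addresses are
    flagged too, since they should never appear in a well-formed log.
    """
    flagged = []
    for line in log_lines:
        m = ADDR_RE.search(line)
        if not m:
            continue
        try:
            src, dst = describe_address(m.group(1)), describe_address(m.group(2))
        except ValueError:
            flagged.append(("malformed", line))
            continue
        if not src["scope"].startswith("private") and dst["scope"].startswith("private"):
            flagged.append((src["notation"], line))
    return flagged


# Constructed log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z src=192.168.1.10 dst=192.168.1.20 proto=tcp dport=445",
    "2024-01-01T10:00:01Z src=203.0.113.9 dst=192.168.1.20 proto=tcp dport=3389",
    "2024-01-01T10:00:02Z src=fd12:3456:789a::1 dst=fd12:3456:789a::2 proto=tcp dport=22",
    "2024-01-01T10:00:03Z src=192.168.1.300 dst=192.168.1.1 proto=udp dport=53",
]

if __name__ == "__main__":
    for ip in ("192.168.1.10", "8.8.8.8", "2001:4860:4860::8888", "fe80::1"):
        print(ip, describe_address(ip))
    for src, line in external_sources(SAMPLE_LOG):
        print("flagged", src, "->", line)
```

Note that `203.0.113.9` comes back as "special-use" rather than "public": it belongs to a documentation range, which is exactly why it is safe to use in a constructed log. The filter treats anything not private as external, so it is flagged all the same.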
Hey, you made it! Well done. Let's wrap up what you've learned in this section of the course.
We explored the structure of a network, including WANs and LANs. We also discussed standard networking tools like hubs, switches, routers, and modems.
We briefly introduced cloud networks and discussed their benefits. We also spent some time on the TCP/IP model. As a reminder, technicians and security analysts often use this framework when communicating where network problems have occurred.
That wraps up this section. Next you'll learn more about network operations and how data is transmitted over wireless networks. Congratulations on the progress you've made so far.
In this section, you'll learn about how networks operate using tools and protocols. These are the concepts that you'll use every day in your work as a security analyst. The tools and protocols you'll learn in this section of the program will help you protect your organization's network from attack. Did you know that malicious actors can take advantage of data moving from one device to another on a network? Thankfully, there are tools and protocols to ensure the network stays protected against this type of threat.
As an example, I once identified an attack based solely on the fact that they were using the wrong protocol. The network traffic volumes were right. It was coming from a trusted IP, but it was on the wrong protocol, which tipped us off enough to shut down the attack before they caused real damage.
First, we'll discuss some common network protocols. Then we'll discuss virtual private networks or VPNs. And finally, we'll learn about firewalls, security zones, and proxy servers. Now that you have an idea of where we're headed, let's get started.
Networks benefit from having rules. Rules ensure the data sent over the network gets to the right place. These rules are known as network protocols.
Network protocols are a set of rules used by two or more devices on a network to describe the order of delivery and the structure of the data. Let's use a scenario to demonstrate a few different types of network protocols and how they work together on a network. Say you want to access your favorite recipe website. You go to the address bar at the top of your browser and type in the website's address. For example, www.yummyrecipesforme.org.
Before you gain access to the website, your device will establish communications with a web server. That communication uses a protocol called the Transmission Control Protocol, or TCP. TCP is an internet communications protocol that allows two devices to form a connection and stream data. TCP also verifies both devices before allowing any further communications to take place.
This is often referred to as a handshake. Once communication is established using a TCP handshake, a request is made to the network. Using our example, we have requested data from the Yummy Recipes for Me server. Their servers will respond to that request and send data packets back to your device so that you can view the web page. As data packets move across the network, they move between network devices such as routers.
The Address Resolution Protocol, or ARP, is used to determine the MAC address of the next router or device in the path. This ensures that the data gets to the right place. Now that communication has been established and the destination device is known, it's time to access the Yummy Recipes for Me website.
The Hypertext Transfer Protocol Secure, or HTTPS, is a network protocol that provides a secure method of communication between client and website servers. It allows your web browser to securely send a request for a web page to the Yummy Recipes for Me server and receive a web page as a response. Next comes a protocol called the Domain Name System, or DNS, which is a network protocol that translates internet domain names into IP addresses.
The DNS protocol sends the domain name and the web address to a DNS server that retrieves the IP address of the website you are trying to access, in this case Yummy Recipes for Me. The IP address is included as a destination address for the data packets traveling to the Yummy Recipes for Me web server. So just by visiting one website, the devices on your network are using four different protocols:
TCP, ARP, HTTPS, and DNS. These are just some of the protocols used in network communications. To help you learn more about the different protocols, we'll discuss them further in upcoming course material.
But how do these protocols relate to security? Well, in the Yummy Recipes for Me website example, we used HTTPS, which is a secure protocol that requests a web page from a web server.
HTTPS encrypts data using Secure Sockets Layer and Transport Layer Security, otherwise known as SSL/TLS. This helps keep the information secure from malicious actors who want to steal valuable information. That's a lot of information and a lot of protocols to remember. Throughout your career as a security analyst, you'll become more familiar with network protocols and use them in your daily activities. So far you've learned about a variety of network protocols, including communications protocols like TCP/IP.
Now we're going to go more in-depth into a class of communications protocols called IEEE 802.11. IEEE 802.11, commonly known as Wi-Fi, is a set of standards that define communications for wireless LANs. IEEE stands for the Institute of Electrical and Electronics Engineers, which is an organization that maintains Wi-Fi standards.
And 802.11 is a suite of protocols used in wireless communications. Wi-Fi protocols have adapted over the years to become more secure and reliable to provide the same level of security as a wired connection. In 2004, a secure protocol called the Wi-Fi Protected Access, or WPA, was introduced. WPA is a wireless security protocol for devices to connect to the Internet. Since then, WPA has evolved into newer versions like WPA2 and WPA3, which include further security improvements like more advanced encryption.
As a security analyst, you might be responsible for making sure that the wireless connections in your organization are secure. Let's learn more about security measures. In this video, you'll learn about different types of firewalls. These include hardware, software, and cloud-based firewalls. You'll also learn the difference between a stateless and stateful firewall, and cover some of the basic operations that a firewall performs.
Finally, you'll explore how proxy servers are used to add a layer of security to the network. A firewall is a network security device that monitors traffic to and from your network. It either allows traffic, or it blocks it based on a defined set of security rules. A firewall can use port filtering, which blocks or allows certain port numbers to limit unwanted communication.
For example, it could have a rule that only allows communications on port 443 for HTTPS, or port 25 for email, and blocks everything else. These firewall settings would be determined by the organization's security policy. Let's talk about a few different kinds of firewalls.
A hardware firewall is considered the most basic way to defend against threats to a network. A hardware firewall inspects each data packet before it's allowed to enter the network. A software firewall performs the same functions as a hardware firewall, but it's not a physical device.
Instead, it's a software program installed on a computer or on a server. If the software firewall is installed on a computer, it will analyze all the traffic received by that computer. If the software firewall is installed on a server, it will protect all the devices connected to the server. A software firewall typically costs less than purchasing a separate physical device. And it doesn't take up any extra space.
But because it is a software program, it will add some processing burden to the individual devices. Organizations may choose to use a cloud-based firewall. Cloud service providers offer Firewalls as a Service, or FaaS, for organizations.
Cloud-based firewalls are software firewalls hosted by a cloud service provider. Organizations can configure the firewall rules on the cloud service provider's interface, and the firewall will perform security operations on all incoming traffic before it reaches the organization's on-site network. Cloud-based firewalls also protect any assets or processes that an organization might be using in the cloud.
All the firewalls we have discussed can be either stateful or stateless. The terms stateful and stateless refer to how the firewall operates. Stateful refers to a class of firewall that keeps track of information passing through it and proactively filters out threats.
A stateful firewall analyzes network traffic for characteristics and behavior that appear to be suspicious and stops them from entering the network. Stateless refers to a class of firewall that operates based on predefined rules and does not keep track of information from data packets. A stateless firewall only acts according to pre-configured rules set by the firewall administrator. The rules programmed by the firewall administrator tell the device what to accept and what to reject.
A stateless firewall doesn't store analyzed information. It also doesn't discover suspicious trends like a stateful firewall does. For this reason, stateless firewalls are considered less secure than stateful firewalls.
A next-generation firewall, or NGFW, provides even more security than a stateful firewall. Not only does an NGFW provide stateful inspection of incoming and outgoing traffic, but it also performs more in-depth security functions like deep packet inspection and intrusion protection. Some NGFWs connect to cloud-based threat intelligence services so they can quickly update to protect against emerging cyber threats.
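The difference between port filtering on its own and stateful inspection is easiest to see on actual packets. The following added example is not code from the course: it runs the same constructed packets through a stateless rule list (allow outbound, allow inbound to ports 443 and 25, deny the rest) and through a firewall that also remembers the connections it has allowed. The internal network, server addresses and traffic are all invented for the example.

```python
"""Stateless versus stateful filtering on the same constructed packets.

Added example, not code from the course. Addresses, ports and the policy are
constructed: the internal network is 10.0.0.0/8, 10.0.0.20 is a web server
and 10.0.0.21 a mail server.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" = arriving from the internet, "out" = leaving the LAN
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags, e.g. {"SYN"}


# Pre-configured rules, checked top to bottom; anything unmatched is denied.
# Fields: direction, destination port (None = any), action.
RULES = [
    ("out", None, "allow"),    # let inside hosts start connections to the internet
    ("in", 443, "allow"),      # HTTPS to the web server
    ("in", 25, "allow"),       # email to the mail server
]


def match_rules(pkt: Packet) -> str:
    for direction, dst_port, action in RULES:
        if direction == pkt.direction and dst_port in (None, pkt.dst_port):
            return action
    return "deny"


class StatelessFirewall:
    """Looks at each packet on its own; keeps nothing between packets."""

    def filter(self, pkt: Packet) -> str:
        return match_rules(pkt)


class StatefulFirewall:
    """Remembers connections it has allowed, so replies can be matched to them."""

    def __init__(self):
        self.connections = set()   # unordered endpoint pairs of allowed connections

    @staticmethod
    def key(pkt: Packet):
        return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})

    def filter(self, pkt: Packet) -> str:
        if self.key(pkt) in self.connections:
            return "allow"                    # belongs to a connection we already vetted
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:   # a new connection attempt
            decision = match_rules(pkt)
            if decision == "allow":
                self.connections.add(self.key(pkt))
            return decision
        return "deny"                         # mid-stream packet for no known connection


# Constructed traffic (not captured data).
SAMPLE = [
    Packet("out", "10.0.0.5", 51000, "203.0.113.9", 443, frozenset({"SYN"})),        # browser opens HTTPS
    Packet("in", "203.0.113.9", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),  # the server's reply
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 51001, frozenset({"ACK"})),        # unsolicited, no connection
    Packet("in", "198.51.100.7", 40000, "10.0.0.20", 443, frozenset({"SYN"})),       # visitor to the web server
    Packet("in", "198.51.100.7", 40001, "10.0.0.21", 23, frozenset({"SYN"})),        # telnet: not in policy
]


def compare(packets):
    """Return the two firewalls' decisions side by side, in packet order."""
    stateless, stateful = StatelessFirewall(), StatefulFirewall()
    return [(stateless.filter(p), stateful.filter(p)) for p in packets]


if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
              f"  stateless={a} stateful={b}")
```

The second packet is the one that matters: it is the web server's legitimate reply to a connection the inside host opened, yet the stateless firewall drops it because port 51000 is not on its allow list. The only way to let such replies through without state is to open the whole range of client ports inbound, which is the weakness the video is pointing at; the stateful firewall admits the reply because it remembers the connection, and still drops the third packet, which matches no connection it ever allowed.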
Now you have a basic understanding of firewalls and how they work. Firewalls can be hardware or software. We also discussed the difference between a stateless and stateful firewall and the security benefits of a stateful firewall. Finally, we discussed next generation firewalls and the security benefits they provide. Coming up, we'll learn more about virtual networks.
In this video, we're going to discuss how virtual private networks, or VPNs, add security to your network. When you connect to the Internet, your Internet service provider receives your network's requests and forwards them to the correct destination server. But your Internet requests include your private information.
That means if the traffic gets intercepted, someone could potentially connect your internet activity with your physical location and your personal information. This includes some information that you want to keep private, like bank accounts and credit card numbers. A virtual private network, also known as a VPN, is a network security service that changes your public IP address and hides your virtual location so that you can keep your data private when you're using a public network, like the Internet.
VPNs also encrypt your data as it travels across the Internet to preserve confidentiality. A VPN service performs encapsulation on your data in transit. Encapsulation is a process performed by a VPN service that protects your data by wrapping sensitive data in other data packets.
Previously, you learned how the MAC and IP address of the destination device is contained in the header and footer of a data packet. This is a security threat because it shows the IP and virtual location of your private network. You could secure a data packet by encrypting it to make sure your information can't be deciphered, but then network routers won't be able to read the IP and MAC address to know where to send it to. This means you won't be able to connect to the internet site or the service that you want.
Encapsulation solves this problem while still maintaining your privacy. VPN services encrypt your data packets and encapsulate them in other data packets that the routers can read.
This allows your network requests to reach their destination but still encrypts your personal data so it's unreadable while in transit. A VPN also uses an encrypted tunnel between your device and the VPN server. The encryption cannot be broken without the cryptographic key, so no one else can access your data. VPN services are simple and offer significant protection while you're on the Internet. With a VPN, you have the added assurance that your data is encrypted and your IP address and virtual location are unreadable to malicious actors.
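To show encapsulation rather than just describe it, here is an added example that is not code from the course. The private packet (with the real destination) is encrypted and authenticated, then wrapped in an outer packet whose header names only the client's public address and the VPN server, so that is all a router on the path can read; the VPN server unwraps it and forwards the original. Packets are plain dicts, and the cipher is HMAC-SHA256 run in counter mode plus an HMAC tag, chosen so the example needs only the standard library; real VPN protocols use AES or ChaCha20 with an authentication tag and a key agreed during the tunnel handshake. The session key and addresses are constructed.

```python
"""Encapsulation as a VPN does it: encrypt the private packet, wrap it in a
routable outer packet.

Added example, not code from the course. Packets are plain dicts. The cipher
is HMAC-SHA256 in counter mode as a keystream generator, with an HMAC tag over
the ciphertext (encrypt-then-MAC); that keeps the example to the standard
library. Real VPN protocols use AES or ChaCha20 with an authentication tag and
a key agreed during the tunnel handshake.
"""
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) for as many blocks as needed."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the session key."""
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _subkeys(key)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on tampering or a wrong key."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tunnel packet failed integrity check")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def encapsulate(key: bytes, inner: dict, client_ip: str, vpn_server_ip: str) -> dict:
    """Wrap the private packet: only the outer header is readable on the path."""
    return {"src_ip": client_ip, "dst_ip": vpn_server_ip, "protocol": "tunnel",
            "payload": seal(key, json.dumps(inner, sort_keys=True).encode())}


def decapsulate(key: bytes, outer: dict) -> dict:
    """At the VPN server: unwrap and recover the original packet to forward onward."""
    return json.loads(unseal(key, outer["payload"]))


def router_view(outer: dict) -> dict:
    """What an intermediate router needs and gets: addresses to route on, nothing else."""
    return {"src_ip": outer["src_ip"], "dst_ip": outer["dst_ip"], "protocol": outer["protocol"]}


# Constructed example values (not a real key or real traffic).
SESSION_KEY = hashlib.sha256(b"constructed demo key, not a real tunnel secret").digest()
INNER = {"src_ip": "192.168.1.10", "dst_ip": "203.0.113.5", "dst_port": 443, "data": "account page request"}

if __name__ == "__main__":
    outer = encapsulate(SESSION_KEY, INNER, "198.51.100.23", "192.0.2.1")
    print("router sees:", router_view(outer))
    print("VPN server recovers:", decapsulate(SESSION_KEY, outer))
```

The tag check comes before decryption on purpose: a packet altered in transit, or one sealed under a different key, is rejected outright instead of being decrypted into garbage and forwarded.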
In this section, we'll discuss a type of network security feature called a security zone. Security zones are a segment of a network that protects the internal network from the internet. They are part of the security technique called network segmentation.
It divides the network into segments. Each network segment has its own access permissions and security rules. Security zones control who can access different segments of a network. Security zones act as a barrier to internal networks, maintain privacy within corporate groups, and prevent issues from spreading to the whole network. One example of network segmentation is a hotel that offers free public Wi-Fi.
The unsecured guest network is kept separate from another encrypted network used by the hotel staff. Additionally, an organization's network can be divided into subnetworks, or subnets, to maintain privacy for each department in an organization. For instance, at a university, there may be a faculty subnet and a separate student subnet. If there is contamination on the student subnet, network administrators can isolate it and keep the rest of the network free from contamination.
An organization's network is classified into two types of security zones. First, there's the uncontrolled zone, which is any network outside the organization's control, like the Internet.
Then there's the controlled zone, which is a subnet that protects the internal network from the uncontrolled zone. There are several types of network within the controlled zone. On the outer layer is the demilitarized zone, or DMZ, which contains public-facing services that can access the Internet.
This includes web servers, proxy servers that host websites for the public, and DNS servers that provide IP addresses for Internet users. It also includes email and file servers that handle external communications. The DMZ acts as a network perimeter to the internal network.
The internal network contains private servers and data that the organization needs to protect. Inside the internal network is another zone called the restricted zone. The restricted zone protects highly confidential information that is only accessible to employees with certain privileges. Now let's try to picture these security zones. Ideally, the DMZ is situated between two firewalls.
One of them filters traffic entering the DMZ from the outside, and one of them filters traffic entering the internal network from the DMZ. This protects the internal network with several lines of defense. If there's a restricted zone, that too would be protected with another firewall. This way, attacks that penetrate the DMZ cannot spread to the internal network, and attacks that penetrate the internal network cannot access the restricted zone. As a security analyst, you may be responsible for regulating access control policies on these firewalls. Security teams can control traffic reaching the DMZ and the internal network by restricting IP addresses and ports. For example, an analyst may ensure that only HTTPS traffic is allowed to reach web servers in the DMZ. Security zones are an important part of securing networks, especially at large organizations.
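To make the rule-setting described above concrete, here is a small model of the zone firewalls in Python. It is an added example, not course material: the address prefixes for each zone and the rule set are hypothetical, and it ignores stateful matching and interface details. What it shows is default deny: a flow between zones is allowed only if a rule names that zone pair, protocol and port, so traffic from the uncontrolled zone can reach the DMZ web servers on port 443 and nothing else, and the DMZ cannot reach the restricted zone at all.

```python
"""Zone-based firewall policy for the DMZ / internal / restricted layout.

Added example, not course material: zone prefixes and rules are hypothetical.
Any flow between two zones is denied unless a rule explicitly allows it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical address plan: the prefix each controlled zone uses.
ZONES = {
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "internal": ipaddress.ip_network("10.20.0.0/16"),
    "restricted": ipaddress.ip_network("10.30.0.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything we do not own is the uncontrolled zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None  # None means any destination port


# The allow list. Note what is absent: nothing from the Internet reaches the
# internal or restricted zone directly, and the DMZ cannot reach restricted.
RULES = [
    Rule("internet", "dmz", "tcp", 443),        # public HTTPS to DMZ web servers
    Rule("internet", "dmz", "udp", 53),         # public DNS queries to DMZ resolvers
    Rule("internet", "dmz", "tcp", 25),         # inbound mail to the DMZ relay
    Rule("dmz", "internal", "tcp", 5432),       # DMZ application tier to internal database
    Rule("internal", "dmz", "tcp", 443),        # staff to DMZ web servers
    Rule("internal", "internet", "tcp", 443),   # staff web browsing
    Rule("internal", "restricted", "tcp", 22),  # administration of the restricted zone
]


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow crossing the zone firewalls."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # same zone: the flow never crosses a zone firewall
    for rule in RULES:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, proto) \
                and rule.dport in (None, dport):
            return "allow"
    return "deny"  # default deny: no rule matched


if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.10.0.5", "tcp", 443),   # allow
                 ("203.0.113.7", "10.10.0.5", "tcp", 22),    # deny
                 ("203.0.113.7", "10.20.1.4", "tcp", 443),   # deny
                 ("10.10.0.5", "10.30.0.2", "tcp", 22)]:     # deny
        print(flow, "->", decide(*flow))
```

The rule list is the whole policy: to let a new service through, a rule has to be added for exactly that zone pair and port, which is what keeps the attack surface of each zone small.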
Understanding how they are used is essential for all security analysts. Coming up, we'll learn about securing internal networks. Previously, we discussed how firewalls, VPNs, and security zones help to secure networks.
Next, we'll cover how to secure internal networks with proxy servers. Proxy servers are another system that helps secure networks. A proxy server is a server that fulfills the requests of clients by forwarding them on to other servers.
The proxy server is a dedicated server that sits between the Internet and the rest of the network. When a request to connect to the network comes in from the Internet, the proxy server determines whether the connection request is safe. The proxy server uses a public IP address that is different from the rest of the private network. This hides the private network's IP addresses from malicious actors on the Internet and adds a layer of security. Let's examine how this works with an example. When a client receives an HTTPS response, it sees the proxy's public address, or no address at all, rather than the real IP address of the organization's web server. A proxy server can also be used to block unsafe websites that users aren't allowed to access on an organization's network. A proxy server also uses temporary memory to cache data that's regularly requested by external clients.
This way, it doesn't have to fetch data from an organization's internal servers every time. This enhances security by reducing contact with the internal server. There are different types of proxy servers that support network security.
This is important for security analysts who monitor traffic from various proxy servers and may need to know what purpose they serve. Let's explore some different types of proxy servers. A forward proxy server regulates and restricts a person with access to the internet. The goal is to hide a user's IP address and approve all outgoing requests. In the context of an organization, a forward proxy server receives outgoing traffic from an employee, approves it, and then forwards it on to the destination on the internet.
A reverse proxy server regulates and restricts the internet's access to an internal server. The goal is to accept traffic from external parties, approve it, and forward it to the internal servers. This setup is useful for protecting internal web servers containing confidential data from exposing their IP address to external parties.
An email proxy server is another valuable security tool. It filters spam email by verifying whether a sender's address was forged. This reduces the risk of phishing attacks that impersonate people known to the organization.
Let's talk about a real world example of an email proxy. Several years ago, when I was working at a large US broadband ISP, we used a proxy server to implement multiple layers of anti-spam filtering before the message was allowed in for delivery. It ended up tagging around 95% of messages as spam. The proxy server is what allowed us to filter and then scale those filters without impacting the underlying email platform. Proxy servers play an important part in network security. By filtering incoming and outgoing traffic and staying alert to network attacks, these devices add a layer of protection from the unsecured public network that we call the Internet.
You've learned a lot about some complex topics. I want to congratulate you for coming this far in the program. Let's recap what we've covered in this section.
First, we discussed common network protocols like TCP, ARP, HTTPS, and DNS. And then we covered how virtual private networks, or VPNs, can be used to maintain privacy on a public network. Finally, we explored how firewalls, security zones, and proxy servers help to secure network infrastructure. Overall, network operations is a vast topic involving various tools, protocols, and techniques that help networks run smoothly and securely. Feel free to come back and review these videos at any time.
You'll use this information in any type of role as a security analyst. Hey there! Welcome to this video about securing networks from attacks. You've come a long way already in your understanding of networks and network security.
Now you'll learn how to secure networks so that the valuable information they contain doesn't get into the wrong hands. We're going to discuss how network intrusion tactics can present a threat to networks and how a security analyst can protect against network attacks. Let's get started. Let's start by answering the question, why do we need to secure networks?
As you've learned, networks are constantly at risk of attack from malicious actors. Attackers can infiltrate networks via malware, spoofing, or packet sniffing. Network operations can also be disrupted by attacks such as packet flooding.
As we go along, you're going to learn about these and other common network intrusion attacks in more detail. Protecting a network from these types of attacks is important. If even one of them happens, it could have a catastrophic impact on an organization. Attacks can harm an organization by leaking valuable or confidential information. They can also be damaging to an organization's reputation and impact customer retention. Mitigating attacks may also cost the organization money and time. Over the last few years, there have been a number of examples of the damage that cyber attacks can cause.
One notorious example was an attack against the American home improvement chain Home Depot in 2014. A group of hackers compromised and infected Home Depot's servers with malware. By the time network administrators shut down the attack, the hackers had already taken the credit and debit card information for over 56 million customers. Now you know why it's so important to secure a network.
But to keep a network secure, you need to know what kinds of attacks to protect it from. Coming up, you'll learn about some common network attacks. Welcome back. In this video, we are going to discuss denial of service attacks. A denial of service attack is an attack that targets a network or server and floods it with network traffic. The objective of a denial of service attack, or DoS attack, is to disrupt normal business operations by overloading an organization's network. The goal of the attack is to send so much information to a networked device that it crashes or is unable to respond to legitimate users.
This means that the organization won't be able to conduct their normal business operations, which can cost them money and time. A network crash can also leave them vulnerable to other security threats and attacks. A distributed denial of service attack, or DDoS, is a kind of DoS attack that uses multiple devices or servers in different locations to flood the target network with unwanted traffic.
The use of numerous devices makes it more likely that the total amount of traffic sent will overwhelm the target server. Remember, DoS stands for denial of service, so it doesn't matter what part of the network the attacker overloads; if they overload anything, they win. An unfortunate example I've seen is an attacker who crafted a very careful packet that caused a router to spend extra time processing the request. The overall traffic volume didn't overload the router.
The specifics within the packet did. Now we'll discuss network level DoS attacks that target network bandwidth to slow traffic. Let's learn about three common network level DoS attacks. The first is called a SYN flood attack. A SYN flood attack is a type of DoS attack that starts the TCP connection handshake over and over without ever completing it, flooding a server with SYN packets. So let's break this definition down a bit more by taking a closer look at the handshake process that is used to establish a TCP connection between a device and a server. The first step in the handshake is for the device to send a SYN, or synchronize, request to the server. Then the server responds with a SYN-ACK packet to acknowledge receipt of the device's request, and keeps a half-open connection waiting for the final step of the handshake. Once the server receives the final ACK packet from the device, the TCP connection is established. Malicious actors can take advantage of the protocol by flooding a server with SYN packets for the first part of the handshake and never sending the final ACK. If the number of outstanding SYN requests exceeds the number of half-open connections the server can hold, the server will be overwhelmed and become unable to accept connections from legitimate users. Let's discuss two other common DoS attacks that use another protocol called ICMP.
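Here is the handshake accounting above turned into detection logic, as an added example that is not part of the course. It runs over a constructed packet summary in the style a sniffer prints (time, source, destination, port, flags, with "S" for a SYN and "." for a bare ACK), tracks each client SYN until that client's ACK completes the handshake, and reports any server whose count of waiting half-open connections exceeds a backlog limit. The timeout and limit are hypothetical values for the model server.

```python
"""SYN flood detector over a packet summary.

Added example, not course material. A client SYN with no following ACK from
the same client is a half-open connection; the model server holds each one for
HALF_OPEN_TIMEOUT seconds and has room for HALF_OPEN_LIMIT of them. A SYN
flood is the condition where that backlog overflows, which is what we report.
"""
from collections import defaultdict

HALF_OPEN_TIMEOUT = 5.0  # seconds a half-open entry lives (hypothetical)
HALF_OPEN_LIMIT = 8      # backlog size of the model server (hypothetical)


def peak_half_open(packets):
    """Return {server: highest number of concurrent half-open connections seen}."""
    half_open = {}            # (client, server, port) -> time the SYN arrived
    peak = defaultdict(int)
    for ts, src, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        stale = [k for k, t0 in half_open.items() if ts - t0 > HALF_OPEN_TIMEOUT]
        for k in stale:
            del half_open[k]  # server gave up waiting; the slot is freed
        key = (src, dst, dport)
        if flags == "S":
            half_open[key] = ts
        elif flags == "." and key in half_open:
            del half_open[key]  # third handshake packet: connection established
        per_server = defaultdict(int)
        for (_, server, _) in half_open:
            per_server[server] += 1
        for server, n in per_server.items():
            peak[server] = max(peak[server], n)
    return dict(peak)


def detect_syn_flood(packets):
    """Return the servers whose backlog overflowed, with the peak observed."""
    return {s: n for s, n in peak_half_open(packets).items() if n > HALF_OPEN_LIMIT}


# Constructed sample: one legitimate client completes its handshake, then
# twelve spoofed sources each send a SYN and never answer the SYN-ACK.
SAMPLE = [
    (0.00, "198.51.100.2", "10.10.0.5", 443, "S"),
    (0.05, "198.51.100.2", "10.10.0.5", 443, "."),
] + [(1.0 + i * 0.01, f"203.0.113.{i + 1}", "10.10.0.5", 443, "S") for i in range(12)]

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))  # {'10.10.0.5': 12}
```

The same twelve SYNs spread six seconds apart never overflow the backlog, because each entry expires before the next arrives; a flood is about concurrency, not just volume.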
ICMP stands for Internet Control Message Protocol. ICMP is an internet protocol used by devices to tell each other about data transmission errors across the network. Think of ICMP like a request for a status update from a device. The device will return error messages if there is a network concern.
You can think of this like the ICMP request checking in with the device to make sure that all is well. An ICMP flood attack is a type of DoS attack performed by an attacker repeatedly sending ICMP packets to a network server. This forces the server to reply to each one with an ICMP packet. This eventually uses up all the bandwidth for incoming and outgoing traffic and causes the server to crash. Both of the attacks we've discussed so far, SYN flood and ICMP flood, take advantage of communication protocols by sending an overwhelming number of requests. There are also attacks that can overwhelm a server with one big request. One example that we'll discuss is called the ping of death. A ping of death attack is a type of DoS attack that is caused when a hacker pings a system by sending an oversized ICMP packet, one larger than 65,535 bytes, the maximum size of a correctly formed IP packet. Because a packet that large has to be broken into fragments to cross the network, the target only discovers the problem when it reassembles them, and on a vulnerable system the reassembled packet overflows the buffer set aside for it. Pinging a vulnerable network server with an oversized ICMP packet will overload the system and cause it to crash. Think of this like dropping a rock on a small anthill. Each individual ant can carry a certain amount of weight while transporting food to and from the anthill.
But if a large rock is dropped on the anthill, then many ants will be crushed, and the colony is unable to function until it rebuilds its operations elsewhere. That's it for DoS and DDoS attacks. Coming up, we'll continue to discuss common network attacks. In this video, we'll discuss packet sniffing, with a focus on how threat actors may use this technique to gain unauthorized access to information. Previously, you learned about the information and data packets that travel across the network.
Packets include a header, which contains the sender's and receiver's IP addresses. Packets also contain a body, which may contain valuable information like names, dates of birth, personal messages, financial information, and credit card numbers. Packet sniffing is the practice of using software tools to observe data as it moves across a network.
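The header and body just described, decoded the way a sniffer does, together with the fragment reassembly check that defeats the ping of death discussed earlier. This is an added example, not course material: the packets are constructed by the two build helpers with checksums left at zero, and the addresses are hypothetical. Note what the parser exposes from an unencrypted HTTP packet, and that the reassembler rejects a fragment whose offset plus length describes a datagram larger than IPv4 allows before it copies anything.

```python
"""Decode IPv4/TCP packets like a sniffer; reassemble fragments safely.

Added example, not course material. build_ipv4/build_tcp construct demo
packets (checksums zero); parse_ipv4 reads the fields a sniffer shows;
reassemble applies the bounds check an unpatched ping-of-death victim lacked.
"""
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_HDR = "!HHIIBBHHH"        # 20-byte TCP header, no options
MAX_DATAGRAM = 65535          # largest IPv4 datagram, header included
MAX_PAYLOAD = MAX_DATAGRAM - 20


def build_tcp(sport, dport, flags, body):
    """Construct a TCP segment: seq 1, data offset 5 words, given flags."""
    return struct.pack(TCP_HDR, sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + body


def build_ipv4(src, dst, proto, payload, ident=1, frag_offset=0, more=False):
    """Construct one IPv4 packet; frag_offset is in bytes, a multiple of 8."""
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(raw):
    """Return header fields plus payload; for an unfragmented TCP packet, the body too."""
    (ver_ihl, _tos, total, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    pkt = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ttl": ttl, "ident": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "payload": raw[ihl:total],
    }
    if proto == 6 and pkt["frag_offset"] == 0:
        (sport, dport, _seq, _ack, off, flags,
         _win, _csum2, _urg) = struct.unpack(TCP_HDR, pkt["payload"][:20])
        data_offset = (off >> 4) * 4
        pkt.update(sport=sport, dport=dport, tcp_flags=flags,
                   body=pkt["payload"][data_offset:])
    return pkt


class BadFragment(ValueError):
    pass


def reassemble(fragments):
    """Rebuild a datagram's payload from parsed fragments, or raise BadFragment.

    Offsets count payload bytes, and the 20-byte header is part of the 65,535
    byte limit, so a fragment ending past MAX_PAYLOAD describes an impossible
    datagram. Copying it into a fixed buffer anyway is the ping-of-death bug.
    """
    buf = bytearray(MAX_PAYLOAD)
    covered = set()
    total = None
    for f in fragments:
        start, end = f["frag_offset"], f["frag_offset"] + len(f["payload"])
        if end > MAX_PAYLOAD:  # the check that prevents the overflow
            raise BadFragment(f"fragment {start}-{end} exceeds {MAX_PAYLOAD} bytes of payload")
        if not f["more_fragments"]:
            if total not in (None, end):
                raise BadFragment("conflicting last fragment")
            total = end
        buf[start:end] = f["payload"]
        covered.update(range(start, end))
    if total is None or covered != set(range(total)):
        raise BadFragment("missing or overlapping fragments")
    return bytes(buf[:total])


def safe_reassemble(fragments):
    """Return (payload, None) on success or (None, reason) on rejection."""
    try:
        return reassemble(fragments), None
    except BadFragment as exc:
        return None, str(exc)
```

A passive sniffer on the path sees every field parse_ipv4 returns; for plaintext HTTP that includes the request body, which is why the VPN and HTTPS advice later in this section matters.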
As a security analyst, you may use packet sniffing to analyze and capture packets when investigating ongoing incidents or debugging network issues. Later in this certificate program, you'll gain hands-on practice with some packet sniffing software. However, malicious actors may also use packet sniffing to look at data that has not been sent to them. This is a little bit like opening somebody else's mail.
It's important for you to learn about how threat actors use packet sniffing with harmful intent, so you can be prepared to protect against these malicious acts. Malicious actors may insert themselves in the middle of an authorized connection between two devices. Then they can use packet sniffing to spy on every data packet as it comes across their device.
The goal is to find valuable information in the data packets that they can then use to their advantage. Attackers can use software applications or a hardware device to look into data packets.
Malicious actors can access a network packet with a packet sniffer and make changes to the data. They may change the information in the body of the packet, like altering a recipient's bank account number. Packet sniffing can be passive or active.
Passive packet sniffing is a type of attack where data packets are read in transit. Since all the traffic on a network is visible to any host on the hub, malicious actors can view all the information going in and out of the device they are targeting. Thinking back to the example of a letter being delivered, we can compare a passive packet sniffing attack to a postal delivery person maliciously reading somebody's mail. The postal worker has the right to deliver the mail, but not the right to read the information inside. Active packet sniffing is a type of attack where data packets are manipulated in transit.
This may include injecting packets to redirect traffic to an unintended port, or changing the information the packet contains. An active packet sniffing attack would be like a neighbor telling the delivery person, I'll deliver that mail for you, and then reading the mail or changing the letter before putting it in your mailbox. Even though your neighbor knows you, and even if they deliver it to the correct house, they are actively going out of their way to engage in malicious behavior. The good news is that malicious packet sniffing can be prevented. Let's look at a few ways a network security professional can prevent these attacks. One way to protect against malicious packet sniffing is to use a VPN to encrypt and protect data as it travels across the network. If you don't remember how VPNs work, you can revisit the video about this topic in the previous section of the program. When you use a VPN, hackers might intercept your traffic, but they won't be able to decrypt it to read your private information. Another way to add a layer of protection against packet sniffing is to make sure the websites you visit are protected: look for HTTPS at the beginning of the address. Previously we discussed how HTTPS uses SSL/TLS to encrypt data and prevent eavesdropping when malicious actors spy on network transmissions. One final way to help protect yourself against malicious packet sniffing is to avoid using unprotected Wi-Fi. You usually find unprotected Wi-Fi in public places like coffee shops, restaurants, or airports.
These networks don't use encryption. This means that anyone on the network can access all of the data traveling to and from your device. One precaution you can take is avoiding free public Wi-Fi unless you have a VPN service already installed on your device.
Okay, now you know how threat actors may use packet sniffing and how to protect a network from these attacks. Let's move on to discuss other network intrusions. Next, let's learn about another kind of network attack called IP spoofing. IP spoofing is a network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network. In this kind of attack, the hacker is pretending to be someone they are not so they can communicate over the network with the target computer and get past firewall rules that may prevent outside traffic.
Some common IP spoofing attacks are on-path attacks, replay attacks, and smurf attacks. Let's discuss these one at a time. An on-path attack is an attack where the malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit. On-path attackers gain access to the network and put themselves between two devices, like a web browser and a web server.
Then they sniff the packet information to learn the IP and MAC addresses of the two devices that are communicating with each other. After they have this information, they can pretend to be either of these devices. Another type of attack is a replay attack. A replay attack is a network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time.
A delayed packet can cause connection issues between target computers. Or a malicious actor may take a network transmission that was sent by an authorized user and repeat it at a later time to impersonate the authorized user. A smurf attack is a combination of a DDoS attack and an IP spoofing attack. The attacker learns an authorized user's IP address, then sends ICMP echo requests to a network's broadcast address with that address forged as the source, so every host on that network replies to the victim at once and floods it with packets. This overwhelms the target computer and can bring down a server or the entire network. Now that you've learned about different kinds of IP spoofing, let's talk about how you can protect a network from this kind of attack.
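One way to defend against the replay attack described above, as an added example that is not course material: each message carries a counter and an HMAC over the counter and body under a shared key (a constructed key here), and the receiver rejects any message whose counter is not higher than the last one it accepted. A captured message played back later has a valid tag but a stale counter, and a message whose body was edited in transit fails the tag check.

```python
"""Message authentication that rejects replays and tampering.

Added example, not course material; the key and messages are constructed.
Wire format: counter (8 bytes, big-endian) || body || HMAC-SHA256(key, counter || body).
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-do-not-reuse"  # hypothetical shared secret
TAG_LEN = 32


def make_message(counter: int, body: bytes, key: bytes = KEY) -> bytes:
    """Build an authenticated message with the given counter."""
    header = struct.pack("!Q", counter)
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """Verifies tags and enforces strictly increasing counters."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_counter = -1

    def accept(self, msg: bytes):
        """Return the body if the message is authentic and fresh, otherwise None."""
        if len(msg) < 8 + TAG_LEN:
            return None
        header, body, tag = msg[:8], msg[8:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # forged or tampered: the tag no longer matches
        (counter,) = struct.unpack("!Q", header)
        if counter <= self.last_counter:
            return None  # replayed (or out-of-order old) message
        self.last_counter = counter
        return body


if __name__ == "__main__":
    rx = Receiver()
    m1 = make_message(1, b"transfer 10 to acct 42")
    print(rx.accept(m1))  # b'transfer 10 to acct 42'
    print(rx.accept(m1))  # None: same message played back
```

Strictly increasing counters suit an ordered channel such as TCP; for datagrams that may arrive out of order, a sliding window of recently seen counters, as IPsec uses, is the usual substitute.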
As you previously learned, encryption should always be implemented so that the data in your network transfers can't be read by malicious actors. Firewalls can be configured to protect against IP spoofing. IP spoofing makes it seem like the malicious actor is an authorized user by changing the source address of the data packet to match an address on the target network. So if a firewall receives a data packet from the Internet whose source IP address belongs to the private network, the firewall should deny the transmission, since all the devices with that address should already be on the local network. You can make sure that your firewall is configured correctly by creating a rule to reject all incoming traffic on the external interface whose source address belongs to the local network. That's it for IP spoofing. You've learned how IP spoofing is used in some common attacks like on-path attacks, replay attacks, and smurf attacks. Nice job finishing this section.
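The anti-spoofing rule just described, with its outbound counterpart, as an added Python example that is not course material; the prefixes and sample packets are hypothetical. Inbound packets whose source claims to be inside the network are dropped, as are sources that can never legitimately appear on the Internet and packets addressed to one of the network's subnet broadcast addresses (the amplification step of a smurf attack). Outbound packets whose source is not the network's own are dropped so its hosts cannot be used to spoof other networks.

```python
"""Ingress and egress anti-spoofing filter for the Internet-facing link.

Added example, not course material: prefixes and packets are hypothetical.
"""
import ipaddress

# Our own address space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Our subnets; their broadcast addresses are never valid destinations from outside.
SUBNETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.20.0.0/16", "10.30.0.0/24")]
# Sources that never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL)


def filter_packet(direction: str, src_ip: str, dst_ip: str) -> str:
    """Return 'accept' or 'drop: <reason>' for a packet on the external interface."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if direction == "inbound":
        if is_internal(src):
            return "drop: spoofed internal source"     # the rule from the video
        if any(src in net for net in BOGONS):
            return "drop: bogon source"
        if any(dst == net.broadcast_address for net in SUBNETS):
            return "drop: directed broadcast"          # smurf amplification
        return "accept"
    if direction == "outbound":
        if not is_internal(src):
            return "drop: source not ours (egress filtering)"
        return "accept"
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    for pkt in [("inbound", "10.20.1.4", "10.10.0.5"),
                ("inbound", "203.0.113.9", "10.10.0.5"),
                ("inbound", "203.0.113.9", "10.10.0.255"),
                ("outbound", "203.0.113.9", "198.51.100.1")]:
        print(pkt, "->", filter_packet(*pkt))
```

The egress rule is the one organizations most often forget; it costs them nothing directly but stops their hosts from lending their addresses to attacks on everyone else.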
Let's review what you've learned so far. We discussed how to secure networks. We also learned about network intrusion tactics, like malicious packet sniffing and IP spoofing. Finally, we discussed how a security analyst can protect against these kinds of attacks. You've learned about DoS and DDoS attacks, like ICMP floods, SYN floods, and the ping of death, which try to overwhelm a network by flooding it with unwanted data packets.
Well, just think about everything you know already about network attacks. What you've learned in these videos will be essential in your work as a security analyst. Coming up, you'll learn about how security analysts can protect a network using various security hardening techniques. I wanna take a moment to congratulate you on your progress so far. First, you learned about network operations.
Then, you learned about the tools and protocols that help network systems function. Next, you learned how vulnerabilities in networks expose them to various security intrusions. Now we'll discuss security hardening.
Then we'll learn about OS hardening, explore network hardening practices, and discuss cloud hardening practices. Security hardening can be implemented in devices, networks, applications, and cloud infrastructure. Security analysts may perform tasks such as patch updates and backups as part of security hardening.
We'll discuss these tasks as you progress through the course. As a security analyst, hardening will play a major role in your day-to-day tasks, which is why it's important for you to understand how it works. I'm excited to accompany you in this journey.
Meet you in the next video. Security analysts and the organizations they work with have to be proactive about protecting systems from attack. This is where security hardening comes in.
Security hardening is the process of strengthening a system to reduce its vulnerability and attack surface. All the potential vulnerabilities that a threat actor could exploit are referred to as a system's attack surface. Let's use an example that compares a network to a house. The attack surface would be all the doors and windows that a robber could use to gain access to that house. Just like putting locks on all the doors and windows in a house, security hardening involves minimizing the attack surface or potential vulnerabilities and keeping a network as secure as possible.
As part of security hardening, security analysts perform regular maintenance procedures to keep network devices and systems functioning securely and optimally. Security hardening can be conducted on any device or system that can be compromised, such as hardware, operating systems, applications, computer networks, and databases. Physical security is also a part of security hardening. This may include securing a physical space with security cameras and security guards.
Some common types of hardening procedures include software updates, also called patches, and device or application configuration changes. These updates and changes are done to increase security and fix security vulnerabilities on a network. An example of a security configuration change would be requiring longer passwords or more frequent password changes.
This makes it harder for a malicious actor to gain login credentials. Another example of a configuration change is updating the encryption standards for data that is stored in a database. Keeping encryption up to date makes it harder for malicious actors to access the database. Other examples of security hardening include removing or disabling unused applications and services, disabling unused ports, and reducing access permissions across devices and the network. Minimizing the number of applications, devices, ports, and access permissions makes network and device monitoring more efficient and reduces the overall attack surface, which is one of the best ways to secure an organization. Another important strategy for security hardening is to conduct regular penetration testing. A penetration test, also called a pen test, is a simulated attack that helps identify vulnerabilities in a system, network, website, application, or process. Penetration testers document their findings in a report. Depending on where the test finds weaknesses, security teams can determine the type of security vulnerabilities that require fixing. Organizations can then review these vulnerabilities and come up with a plan to fix them. Coming up, you'll learn more about how security hardening is an essential aspect of securing networks. It's a foundational part of network security that strengthens a network in order to reduce the number of successful attacks. Hi there!
In this video, we'll discuss operating system, or OS, hardening, and why it's essential to keep the entire network secure. The operating system is the interface between computer hardware and the user. The OS is the first program loaded when a computer turns on.
The OS acts as an intermediary between software applications and the computer hardware. It's important to secure the OS on each system because a single insecure OS can lead to the whole network being compromised. There are many types of operating systems, and they all share similar security hardening practices.
Let's talk about some of those security hardening practices that are recommended to secure an OS. Some OS hardening tasks are performed at regular intervals, like updates, backups, and keeping an up-to-date list of devices and authorized users. Other tasks are performed only once, as part of preliminary safety measures. One example would be configuring a device setting to fit a secure encryption standard. Let's begin with OS hardening tasks that are performed at a regular interval.
One such task is patch installation, also known as a patch update. A patch update is a software and operating system, or OS, update that addresses security vulnerabilities within a program or product. Now we'll discuss patch updates provided to the company by the OS software vendor.
With patch updates, the OS should be upgraded to its latest software version. Sometimes, patches are released to fix a security vulnerability in the software. As soon as OS vendors publish a patch and describe the vulnerability it fixes, malicious actors know exactly where the vulnerability is in any system still running the out-of-date OS.
This is why it's important for organizations to run patch updates as soon as they are released. For example, my team had to perform an emergency patch to address a recent vulnerability found in a commonly used programming library. The library is used almost everywhere, so we had to quickly patch most of our servers and applications to fix the vulnerability. The newly updated OS should be added to the baseline configuration, also called the baseline image. A baseline configuration is a documented set of specifications within a system that is used as a basis for future builds, releases, and updates. For example, a baseline may contain a firewall rule with a list of allowed and disallowed network ports. If a security team suspects unusual activity affecting the OS, they can compare the current configuration to the baseline and make sure that nothing has been changed.
Another hardening task performed regularly is hardware and software disposal. This ensures that all old hardware is properly wiped and disposed of. It's also a good idea to delete any unused software applications, since unused programs, and the libraries and language runtimes they depend on, may carry known vulnerabilities that nobody is watching. Removing unused software makes sure that there aren't any unnecessary vulnerabilities connected with those programs and the components they rely on.
The final OS hardening technique that we'll discuss is implementing a strong password policy. Strong password policies require that passwords follow specific rules. For example, an organization may set a password policy that requires a minimum of eight characters, a capital letter, a number, and a symbol. To discourage malicious actors, a password policy usually states that a user will lose access to the network after entering the wrong password a certain number of times in a row. Some systems also require multi-factor authentication, or MFA.
MFA is a security measure which requires a user to verify their identity in two or more ways to access a system or network. Ways of identifying yourself include something you know, like a password, something you have, like an ID card, or something unique about you, like your fingerprint. To review, OS hardening is a set of procedures that maintains OS security and improves it. Security measures like access privileges and password policies frequently undergo regular security checks as part of OS hardening. Coming up, we'll discuss network hardening practices.
Earlier, you learned that OS hardening focuses on device safety and uses patch updates, secure configuration, and account access policies. Now we'll focus on network hardening. Network hardening focuses on network-related security hardening, like port filtering, network access privileges, and encryption over networks.
Certain network hardening tasks are performed regularly. while others are performed once and then updated as needed. Some tasks that are regularly performed are firewall rule maintenance, network log analysis, patch updates, and server backups.
Earlier, you learned that a log is a record of events that occur within an organization's systems. Network log analysis is the process of examining network logs to identify events of interest. Security teams use a log analyzer tool or a Security Information and Event Management tool, also known as a SIEM (pronounced "sim"), to conduct network log analysis. A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. It gathers security data from a network and presents that data on a single dashboard. The dashboard interface is sometimes called a single pane of glass. A SIEM helps analysts to inspect, analyze, and react to security events across the network based on their priority. Reports from the SIEM provide a list of new or ongoing network vulnerabilities and rank them on a scale of priority from high to low, where high priority vulnerabilities have a much shorter deadline for mitigation.
Now that we've covered tasks that are performed regularly, let's examine tasks that are performed once. These tasks include port filtering on firewalls, network access privileges, and encryption for communication, among many others. Let's start with port filtering. Port filtering can be performed across the network. Port filtering is a firewall function that blocks or allows certain port numbers to limit unwanted communication. A basic principle is that only the ports that are needed should be allowed. Any port that isn't being used by normal network operations should be disallowed. This protects against port vulnerabilities. Networks should be set up with the most up-to-date wireless protocols available, and older wireless protocols should be disabled.
Security analysts also use network segmentation to create isolated subnets for different departments in an organization. For example, they might make one for the marketing department and one for the finance department. This is done so that issues in each subnet don't spread across the whole company, and only specified users are given access to the part of the network that they require for their role. Network segmentation may also be used to separate different security zones.
Any restricted zone on a network containing highly classified or confidential data should be separate from the rest of the network. Lastly, all network communication should be encrypted using the latest encryption standards. Encryption standards are rules or methods used to conceal outgoing data and uncover or decrypt incoming data. Data in restricted zones should have much higher encryption standards, which makes them more difficult to access. You've learned about the most common hardening practices.
This knowledge will be useful as you complete the certificate program, and it's essential to your career as a security analyst. In recent years, many organizations are using network services in the cloud. So in addition to securing on-premises networks, a security analyst will need to secure cloud networks.
In a previous video, you learned that a cloud network is a collection of servers or computers that stores resources and data in a remote data center that can be accessed via the Internet. They can host company data and applications using cloud computing to provide on-demand storage, processing power, and data analytics. Just like regular web servers, cloud servers also require proper maintenance done through various security hardening procedures. Although cloud servers are hosted by a cloud service provider, these providers cannot prevent every intrusion in the cloud, especially intrusions by malicious actors both internal and external to an organization. One distinction between cloud network hardening and traditional network hardening is the use of a server baseline image for all server instances stored in the cloud. This allows you to compare data in the cloud servers to the baseline image to make sure there haven't been any unverified changes. An unverified change could come from an intrusion in the cloud network.
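A baseline comparison of the kind described for OS hardening earlier and for the cloud baseline image here, as an added example that is not course material. The baseline and the running snapshot are constructed dictionaries of the sort a configuration inventory would export; the comparison walks both recursively, treats lists as sets so an extra open port appears as one added item, and reports every difference as an unverified change to investigate.

```python
"""Compare a running system's configuration against its baseline.

Added example, not course material. Both snapshots below are constructed.
Dicts are compared key by key (recursively), lists as sets, other values
for equality; every difference is an unverified change.
"""


def diff_config(baseline, current, path=""):
    """Return a list of (kind, path, baseline_value, current_value) findings."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        p = f"{path}/{key}"
        if key not in current:
            findings.append(("removed", p, baseline[key], None))
        elif key not in baseline:
            findings.append(("added", p, None, current[key]))
        elif isinstance(baseline[key], dict) and isinstance(current[key], dict):
            findings.extend(diff_config(baseline[key], current[key], p))
        elif isinstance(baseline[key], list) and isinstance(current[key], list):
            for item in sorted(set(current[key]) - set(baseline[key]), key=str):
                findings.append(("added", p, None, item))
            for item in sorted(set(baseline[key]) - set(current[key]), key=str):
                findings.append(("removed", p, item, None))
        elif baseline[key] != current[key]:
            findings.append(("changed", p, baseline[key], current[key]))
    return findings


# Constructed baseline image for a web server instance.
BASELINE = {
    "packages": {"openssl": "3.0.13", "nginx": "1.24.0"},
    "services": ["nginx", "sshd", "chronyd"],
    "firewall": {"allowed_tcp_ports": [22, 443]},
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
    "users": ["deploy"],
}

# Constructed snapshot of the running instance: a tool was installed, a
# listener and a port were added, time sync was stopped, root login enabled,
# and an account appeared. Every one of these is worth a ticket.
CURRENT = {
    "packages": {"openssl": "3.0.13", "nginx": "1.24.0", "netcat": "1.219"},
    "services": ["nginx", "sshd", "nc-listener"],
    "firewall": {"allowed_tcp_ports": [22, 443, 4444]},
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    "users": ["deploy", "support"],
}


def unverified_changes(baseline=BASELINE, current=CURRENT):
    """Findings for the constructed snapshot by default; pass your own to compare others."""
    return diff_config(baseline, current)


if __name__ == "__main__":
    for kind, path, was, now in unverified_changes():
        print(f"{kind:8} {path:32} {was!r} -> {now!r}")
```

In practice the snapshot comes from the same inventory that built the baseline image, and an empty result is the expected state; anything else is either an approved change that should be folded into the baseline or an intrusion to investigate.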
Just as on-premises networks are segmented, data and applications on a cloud network are kept separate depending on their service category. For example, older applications should be kept separate from newer applications, and software that deals with internal functions should be kept separate from front-end applications seen by users. Even though the cloud service provider has a shared responsibility with the organization using their services, there are still security measures that need to be taken by the organization to make sure their cloud network is safe. Just like traditional networks, operations in the cloud need to be secured.
You're doing great. Meet you in the next video. Great work on learning about security hardening. Let's take a few minutes to wrap up what you've learned. You learned about security hardening and its importance to an organization's infrastructure.
First, we discussed how security hardening strengthens systems and networks to reduce the likelihood of an attack. Next, we covered the importance of OS hardening, including patch updates, baseline configurations, and hardware and software disposal. Then we explored network hardening practices, such as network log analysis and firewall rule maintenance.
Finally, we examined cloud network hardening and the responsibilities of both organizations and cloud service providers in maintaining security. As a security analyst, you'll be working with operating systems, on-premises networks, and cloud networks. You'll be using all the knowledge that we learned in this section in your career as a security analyst. Wow, we have covered a lot in this course.
Let's review everything we've discussed. You learned about networks, network architecture, and the best practices used by security professionals to secure a network against security breaches. As we bring this course to a close, let's review what you've learned about securing networks so far. First, we explored the structure of a network. A security analyst must understand how a network is designed to be able to identify parts of a network that present vulnerabilities and need to be secured.
Next, we learned about network operations and how they affect the communication of data. Network protocols determine how the data is transmitted over the network. As communication takes place over the network, malicious actors may use tactics such as denial of service attacks, packet sniffing, and IP spoofing.
Security analysts employ tools and measures, such as firewall rules, to protect against these attacks. We also discussed security hardening. Security hardening is used to protect against attacks and to reduce the attack surface of a network, so that a single attack does not disable an entire network. Security hardening can be done at the hardware level, the software level, or the network level. Securing networks is an essential part of a security analyst's duties. Knowledge of a network and its operations and security practices will ensure that you are successful in your career as a security analyst.
And that brings us to the topic of our next course, which will cover computing basics for security analysts. In that course, you'll learn how to use the Linux command line to authenticate and authorize users on a network, and to use SQL, otherwise known as Structured Query Language, to communicate with databases. Great work getting here. All the concepts you've learned in this section will be essential for success in your role as a security analyst. Now you can move on to the next course.
Enjoy.