WEBVTT

1
00:00:00.000 --> 00:00:01.680
In this section of the course,

2
00:00:01.680 --> 00:00:04.740
we are going to discuss Resilient System Design.

3
00:00:04.740 --> 00:00:07.260
The Resilient System Design section of the course

4
00:00:07.260 --> 00:00:10.260
focuses on Domain 2: Security Architecture,

5
00:00:10.260 --> 00:00:13.380
specifically objective 2.1,

6
00:00:13.380 --> 00:00:15.540
which states that given a scenario,

7
00:00:15.540 --> 00:00:17.820
you must be able to analyze requirements

8
00:00:17.820 --> 00:00:20.040
to design resilient systems.

9
00:00:20.040 --> 00:00:23.010
Designing resilient systems requires the deployment

10
00:00:23.010 --> 00:00:26.010
and integration of advanced security measures,

11
00:00:26.010 --> 00:00:27.960
proactive threat detection,

12
00:00:27.960 --> 00:00:29.700
and efficient traffic management

13
00:00:29.700 --> 00:00:32.250
to protect and optimize operation.

14
00:00:32.250 --> 00:00:35.400
By focusing on ensuring application security,

15
00:00:35.400 --> 00:00:36.990
maintaining availability,

16
00:00:36.990 --> 00:00:40.380
and implementing adaptive scaling and recovery techniques,

17
00:00:40.380 --> 00:00:42.870
enterprise network systems can withstand

18
00:00:42.870 --> 00:00:45.180
and quickly recover from disruption.

19
00:00:45.180 --> 00:00:46.770
As we go through this section,

20
00:00:46.770 --> 00:00:48.450
we will cover many topics

21
00:00:48.450 --> 00:00:50.760
related to Resilient System Design,

22
00:00:50.760 --> 00:00:53.130
including Security Devices,

23
00:00:53.130 --> 00:00:56.520
Monitoring and Detection, Network Traffic Management,

24
00:00:56.520 --> 00:00:58.470
Application Layer Security,

25
00:00:58.470 --> 00:01:01.080
Availability and Scaling Considerations,

26
00:01:01.080 --> 00:01:04.440
as well as Deployment and Recovery Strategies.

27
00:01:04.440 --> 00:01:07.500
First, we will look at Security Devices.

28
00:01:07.500 --> 00:01:10.950
Security devices are hardware or software tools

29
00:01:10.950 --> 00:01:15.450
designed to protect networks and data by enforcing policies

30
00:01:15.450 --> 00:01:17.850
while monitoring for malicious activity.

31
00:01:17.850 --> 00:01:20.460
Security devices include Firewalls,

32
00:01:20.460 --> 00:01:24.540
Intrusion Detection Systems, Intrusion Prevention Systems,

33
00:01:24.540 --> 00:01:26.430
Virtual Private Networks,

34
00:01:26.430 --> 00:01:29.040
and Network Access Control systems.

35
00:01:29.040 --> 00:01:32.520
Let's take a moment to further understand each of these.

36
00:01:32.520 --> 00:01:35.970
Firewalls filter incoming and outgoing traffic

37
00:01:35.970 --> 00:01:38.430
based on predefined security rules

38
00:01:38.430 --> 00:01:40.590
called Access Control Lists.

39
00:01:40.590 --> 00:01:43.800
Access Control Lists applied by firewalls

40
00:01:43.800 --> 00:01:47.610
establish a perimeter that controls access to the network.

41
00:01:47.610 --> 00:01:49.500
Intrusion Detection Systems

42
00:01:49.500 --> 00:01:51.510
and Intrusion Prevention Systems

43
00:01:51.510 --> 00:01:54.240
may be employed to complement firewalls

44
00:01:54.240 --> 00:01:57.180
by monitoring traffic for malicious activities.

45
00:01:57.180 --> 00:01:59.040
An Intrusion Detection System

46
00:01:59.040 --> 00:02:02.370
passively detects and alerts on malicious activity,

47
00:02:02.370 --> 00:02:04.350
while an Intrusion Prevention System

48
00:02:04.350 --> 00:02:07.800
detects, alerts, and actively blocks

49
00:02:07.800 --> 00:02:10.590
or mitigates detected malicious activity.

50
00:02:10.590 --> 00:02:14.040
Another security device is a Virtual Private Network.

51
00:02:14.040 --> 00:02:16.740
Virtual Private Networks secure communication

52
00:02:16.740 --> 00:02:20.370
by encrypting data across untrusted networks.

53
00:02:20.370 --> 00:02:24.630
Finally, Network Access Control appliances enforce policies

54
00:02:24.630 --> 00:02:28.350
to ensure devices meet security and health requirements

55
00:02:28.350 --> 00:02:30.930
before they are granted network access.

56
00:02:30.930 --> 00:02:34.470
The combination and implementation of security devices

57
00:02:34.470 --> 00:02:38.640
creates a layered defense that integrates traffic filtering,

58
00:02:38.640 --> 00:02:42.570
threat detection and prevention, encrypted communication,

59
00:02:42.570 --> 00:02:44.280
and controlled access.

60
00:02:44.280 --> 00:02:47.820
Next, we will explore monitoring and detection.

61
00:02:47.820 --> 00:02:49.980
Overall, monitoring and detection

62
00:02:49.980 --> 00:02:53.130
involves continuously observing network activities

63
00:02:53.130 --> 00:02:54.990
to identify and respond

64
00:02:54.990 --> 00:02:58.770
to security incidents, anomalies, and vulnerabilities.

65
00:02:58.770 --> 00:03:00.630
Monitoring and detection devices

66
00:03:00.630 --> 00:03:04.140
include Test Access Points or TAPs,

67
00:03:04.140 --> 00:03:06.960
Collectors, and Vulnerability Scanners.

68
00:03:06.960 --> 00:03:10.770
Test Access Points are hardware or software devices

69
00:03:10.770 --> 00:03:14.400
used to capture all network traffic in real-time

70
00:03:14.400 --> 00:03:16.860
without interfering with operations.

71
00:03:16.860 --> 00:03:20.580
Next, Collectors aggregate and process captured data,

72
00:03:20.580 --> 00:03:23.070
centralizing it for further analysis,

73
00:03:23.070 --> 00:03:26.040
such as the identification of patterns or anomalies

74
00:03:26.040 --> 00:03:27.990
indicative of security threats.

75
00:03:27.990 --> 00:03:30.180
Finally, Vulnerability Scanners

76
00:03:30.180 --> 00:03:32.100
are used to identify technical

77
00:03:32.100 --> 00:03:35.370
and known weaknesses in systems and applications,

78
00:03:35.370 --> 00:03:36.990
enabling an organization

79
00:03:36.990 --> 00:03:39.900
to proactively address security gaps.

80
00:03:39.900 --> 00:03:43.140
After that, we will look at Network Traffic Management.

81
00:03:43.140 --> 00:03:46.740
Network Traffic Management involves the control, direction,

82
00:03:46.740 --> 00:03:50.400
and optimization of data flow across a network.

83
00:03:50.400 --> 00:03:52.110
Network traffic management tools

84
00:03:52.110 --> 00:03:54.900
include Forward and Reverse Proxies,

85
00:03:54.900 --> 00:03:57.630
as well as Content Delivery Networks.

86
00:03:57.630 --> 00:04:01.830
In these lessons, we will discuss each tool in more detail.

87
00:04:01.830 --> 00:04:04.770
In general, a proxy acts as an intermediary

88
00:04:04.770 --> 00:04:06.690
between two devices or networks,

89
00:04:06.690 --> 00:04:08.880
such as a client and a server.

90
00:04:08.880 --> 00:04:11.340
Both forward and reverse proxies can be used

91
00:04:11.340 --> 00:04:14.940
to mediate incoming and outgoing network traffic.

92
00:04:14.940 --> 00:04:18.390
However, a forward proxy sits on the internal gateway

93
00:04:18.390 --> 00:04:19.890
of the local area network,

94
00:04:19.890 --> 00:04:21.900
where it applies control policies

95
00:04:21.900 --> 00:04:24.510
before forwarding internal client requests

96
00:04:24.510 --> 00:04:26.730
to external destination servers.

97
00:04:26.730 --> 00:04:29.100
In contrast, a reverse proxy

98
00:04:29.100 --> 00:04:32.280
is positioned on the public interface of the network.

99
00:04:32.280 --> 00:04:35.700
It receives incoming requests from external clients,

100
00:04:35.700 --> 00:04:37.260
applies control policies,

101
00:04:37.260 --> 00:04:38.940
and then forwards these requests

102
00:04:38.940 --> 00:04:41.640
to the appropriate internal resources.

103
00:04:41.640 --> 00:04:43.830
Neither forward nor reverse proxies

104
00:04:43.830 --> 00:04:46.080
solve the problem of ensuring content

105
00:04:46.080 --> 00:04:49.710
is quickly and efficiently available on a global scale.

106
00:04:49.710 --> 00:04:53.940
This is done by Content Delivery Networks or CDNs.

107
00:04:53.940 --> 00:04:55.380
Content Delivery Networks

108
00:04:55.380 --> 00:04:58.380
utilize globally distributed reverse proxies

109
00:04:58.380 --> 00:05:01.680
to cache content closer to end-users,

110
00:05:01.680 --> 00:05:04.170
reducing latency and improving load times

111
00:05:04.170 --> 00:05:07.980
to optimize the delivery of content over the globe.

112
00:05:07.980 --> 00:05:11.940
Next, we will explore Application Layer Security.

113
00:05:11.940 --> 00:05:13.440
Application layer security

114
00:05:13.440 --> 00:05:15.270
involves protecting applications

115
00:05:15.270 --> 00:05:19.230
and their data from unauthorized access and attacks.

116
00:05:19.230 --> 00:05:21.720
Furthermore, application layer security

117
00:05:21.720 --> 00:05:24.720
occurs at the highest layer of the OSI model,

118
00:05:24.720 --> 00:05:26.310
the application layer.

119
00:05:26.310 --> 00:05:29.070
Application layer security involves the implementation

120
00:05:29.070 --> 00:05:32.490
of both application programming interface gateways,

121
00:05:32.490 --> 00:05:37.490
or API gateways, and web application firewalls or WAFs.

122
00:05:37.500 --> 00:05:39.870
An Application Programming Interface Gateway

123
00:05:39.870 --> 00:05:41.460
manages and secures

124
00:05:41.460 --> 00:05:43.830
application programming interface requests,

125
00:05:43.830 --> 00:05:47.550
handling tasks such as authentication, rate limiting,

126
00:05:47.550 --> 00:05:50.040
and data delivery to network services.

127
00:05:50.040 --> 00:05:52.050
A Web Application Firewall

128
00:05:52.050 --> 00:05:55.080
filters and monitors web application traffic

129
00:05:55.080 --> 00:05:57.990
to protect against common web application attacks

130
00:05:57.990 --> 00:06:01.710
such as SQL injection and cross-site scripting.

131
00:06:01.710 --> 00:06:03.720
Because a Web Application Framework

132
00:06:03.720 --> 00:06:06.480
is implemented at the application itself,

133
00:06:06.480 --> 00:06:10.710
it can use a very specific and detailed rule set.

134
00:06:10.710 --> 00:06:14.460
Together, Application Programming Interface Gateways

135
00:06:14.460 --> 00:06:16.680
and Web Application Firewalls

136
00:06:16.680 --> 00:06:20.160
create a layered defense for application security.

137
00:06:20.160 --> 00:06:24.570
Following that, we will look at Availability Considerations.

138
00:06:24.570 --> 00:06:26.280
Availability considerations

139
00:06:26.280 --> 00:06:29.640
ensure that systems, applications, and services

140
00:06:29.640 --> 00:06:32.820
remain operational and accessible to users

141
00:06:32.820 --> 00:06:35.730
even in the face of failures, high demand,

142
00:06:35.730 --> 00:06:37.170
or other disruption.

143
00:06:37.170 --> 00:06:39.420
Availability considerations result

144
00:06:39.420 --> 00:06:42.000
in the implementation of load balancing,

145
00:06:42.000 --> 00:06:45.120
using persistent and non-persistent affinity,

146
00:06:45.120 --> 00:06:47.490
as well as interoperability.

147
00:06:47.490 --> 00:06:51.570
Affinity is the practice of redirecting client requests

148
00:06:51.570 --> 00:06:55.530
to the same server to maintain session consistency.

149
00:06:55.530 --> 00:06:57.600
In this topic, we will explore

150
00:06:57.600 --> 00:07:00.870
each availability consideration in greater detail.

151
00:07:00.870 --> 00:07:03.150
Load balancing is used to distribute

152
00:07:03.150 --> 00:07:06.450
incoming network traffic across multiple servers,

153
00:07:06.450 --> 00:07:09.360
ensuring no single server becomes a bottleneck.

154
00:07:09.360 --> 00:07:10.710
At the same time,

155
00:07:10.710 --> 00:07:14.910
load balancers also enhance reliability and performance.

156
00:07:14.910 --> 00:07:17.250
Persistence through session affinity

157
00:07:17.250 --> 00:07:18.870
ensures that user sessions

158
00:07:18.870 --> 00:07:21.930
are consistently routed to the same server

159
00:07:21.930 --> 00:07:23.760
to maintain a session state,

160
00:07:23.760 --> 00:07:25.020
while non-persistence

161
00:07:25.020 --> 00:07:27.960
allows sessions to be handled by any server,

162
00:07:27.960 --> 00:07:30.030
promoting better load distribution,

163
00:07:30.030 --> 00:07:32.580
but potentially complicating state management.

164
00:07:32.580 --> 00:07:36.090
Interoperability, in general, refers to the ability

165
00:07:36.090 --> 00:07:37.950
of different systems or components

166
00:07:37.950 --> 00:07:39.600
to work together seamlessly.

167
00:07:39.600 --> 00:07:42.690
In the context of load balancing and session management,

168
00:07:42.690 --> 00:07:46.860
interoperability means that diverse systems and applications

169
00:07:46.860 --> 00:07:49.710
effectively communicate and function together,

170
00:07:49.710 --> 00:07:53.490
maintaining high availability and efficient performance.

171
00:07:53.490 --> 00:07:57.150
Then, we will explore Scaling Considerations.

172
00:07:57.150 --> 00:07:59.340
Scaling considerations ensure systems

173
00:07:59.340 --> 00:08:03.570
can efficiently handle increased loads or real-time demands.

174
00:08:03.570 --> 00:08:05.850
This can be done through vertical scaling

175
00:08:05.850 --> 00:08:07.740
or horizontal scaling.

176
00:08:07.740 --> 00:08:11.760
Vertical scaling, which can be referred to as scaling up,

177
00:08:11.760 --> 00:08:14.190
expands existing resources.

178
00:08:14.190 --> 00:08:17.190
In the context of availability considerations,

179
00:08:17.190 --> 00:08:18.870
vertical scaling involves

180
00:08:18.870 --> 00:08:21.690
increasing the capacity of a machine

181
00:08:21.690 --> 00:08:23.280
by adding more resources,

182
00:08:23.280 --> 00:08:27.030
such as central processing units or CPUs,

183
00:08:27.030 --> 00:08:30.570
random access memory or RAM, or storage.

184
00:08:30.570 --> 00:08:32.970
This addition improves performance

185
00:08:32.970 --> 00:08:36.240
in response to an increase in real-time demand.

186
00:08:36.240 --> 00:08:37.620
Horizontal scaling,

187
00:08:37.620 --> 00:08:40.680
which can also be referred to as scaling out,

188
00:08:40.680 --> 00:08:42.810
entails adding new resources.

189
00:08:42.810 --> 00:08:45.660
In the context of availability considerations,

190
00:08:45.660 --> 00:08:49.110
horizontal scaling involves adding additional machines

191
00:08:49.110 --> 00:08:51.900
to distribute increased real-time load.

192
00:08:51.900 --> 00:08:55.110
After that, we will look at Recovery Strategies.

193
00:08:55.110 --> 00:08:57.090
Recovery strategies involve planning

194
00:08:57.090 --> 00:08:58.560
and implementing methods

195
00:08:58.560 --> 00:09:02.550
to restore systems and services to operational status

196
00:09:02.550 --> 00:09:04.710
after disruptions or failures.

197
00:09:04.710 --> 00:09:07.260
Recoverability methods include backups

198
00:09:07.260 --> 00:09:08.910
and failover mechanisms

199
00:09:08.910 --> 00:09:10.080
to ensure that systems

200
00:09:10.080 --> 00:09:12.570
can be quickly restored after disruption.

201
00:09:12.570 --> 00:09:15.000
For example, regular backups ensure

202
00:09:15.000 --> 00:09:18.690
that data can be restored in case of corruption or loss,

203
00:09:18.690 --> 00:09:20.070
while failover systems

204
00:09:20.070 --> 00:09:23.520
automatically switch operations to a standby device

205
00:09:23.520 --> 00:09:25.470
if the primary device fails.

206
00:09:25.470 --> 00:09:29.010
Finally, we will explore Deployment Strategies.

207
00:09:29.010 --> 00:09:31.230
Deployment strategies involve planning

208
00:09:31.230 --> 00:09:34.860
and carrying out the process of installing, configuring,

209
00:09:34.860 --> 00:09:36.990
and running software and systems.

210
00:09:36.990 --> 00:09:40.350
Geographical considerations play an important role

211
00:09:40.350 --> 00:09:42.810
in the planning of deployment strategies

212
00:09:42.810 --> 00:09:45.810
and involve strategically placing infrastructure

213
00:09:45.810 --> 00:09:48.000
in dispersed physical locations.

214
00:09:48.000 --> 00:09:49.590
Depending upon the company,

215
00:09:49.590 --> 00:09:52.530
this may mean having locations throughout a country

216
00:09:52.530 --> 00:09:54.180
or even throughout the world.

217
00:09:54.180 --> 00:09:55.590
By placing the infrastructure

218
00:09:55.590 --> 00:09:57.960
in a variety of physical locations,

219
00:09:57.960 --> 00:10:01.410
we can optimize performance, reduce latency,

220
00:10:01.410 --> 00:10:03.480
and enhance network redundancy.

221
00:10:03.480 --> 00:10:07.890
However, placing services or servers in different locations

222
00:10:07.890 --> 00:10:10.230
can lead to compliance issues.

223
00:10:10.230 --> 00:10:12.150
The infrastructure will be subject

224
00:10:12.150 --> 00:10:14.370
to local laws and regulations

225
00:10:14.370 --> 00:10:17.790
which dictate how data can be stored and processed,

226
00:10:17.790 --> 00:10:19.980
which may complicate operations.

227
00:10:19.980 --> 00:10:22.830
To finish things off, we'll take a short quiz

228
00:10:22.830 --> 00:10:25.740
to see what you learned during this section of the course,

229
00:10:25.740 --> 00:10:28.860
and we will review each of those quiz questions fully

230
00:10:28.860 --> 00:10:31.890
to ensure you can explain why the right answers were right

231
00:10:31.890 --> 00:10:33.690
and the wrong answers were wrong.

232
00:10:33.690 --> 00:10:37.890
So, let's get ready to dive into resilient system design

233
00:10:37.890 --> 00:10:40.023
in this section of the course!

