WEBVTT

1
00:00:00.000 --> 00:00:01.260
In this lesson,

2
00:00:01.260 --> 00:00:04.170
we will learn about security devices.

3
00:00:04.170 --> 00:00:06.180
Security devices are hardware

4
00:00:06.180 --> 00:00:10.380
or software tools designed to protect networks and data

5
00:00:10.380 --> 00:00:11.970
by enforcing policies

6
00:00:11.970 --> 00:00:14.550
while monitoring for malicious activity.

7
00:00:14.550 --> 00:00:17.700
Security devices include firewalls,

8
00:00:17.700 --> 00:00:20.820
intrusion detection systems or IDS,

9
00:00:20.820 --> 00:00:24.030
intrusion prevention systems or IPS,

10
00:00:24.030 --> 00:00:26.910
virtual private networks or VPNs,

11
00:00:26.910 --> 00:00:30.600
and network access control or NAC systems.

12
00:00:30.600 --> 00:00:33.900
Let's explore each of these tools in more detail.

13
00:00:33.900 --> 00:00:36.240
First, we have firewalls.

14
00:00:36.240 --> 00:00:41.130
Firewalls utilize access control lists or ACLs to manage

15
00:00:41.130 --> 00:00:43.920
and filter traffic based on rules.

16
00:00:43.920 --> 00:00:47.430
While routers can implement basic ACLs directly,

17
00:00:47.430 --> 00:00:49.530
hardware and software-based firewalls

18
00:00:49.530 --> 00:00:53.100
are much more effective at managing access control lists

19
00:00:53.100 --> 00:00:55.200
to permit or block traffic.

20
00:00:55.200 --> 00:00:58.410
Access control lists define the type of traffic,

21
00:00:58.410 --> 00:01:00.690
its source, destination,

22
00:01:00.690 --> 00:01:03.420
and the action the firewall should take.

23
00:01:03.420 --> 00:01:06.900
Firewall types include packet-filtering firewalls,

24
00:01:06.900 --> 00:01:10.110
stateful firewalls, proxy firewalls,

25
00:01:10.110 --> 00:01:15.060
next generation firewalls, and web application firewalls.

26
00:01:15.060 --> 00:01:16.920
Packet filtering firewalls

27
00:01:16.920 --> 00:01:19.770
are the most basic type of firewall.

28
00:01:19.770 --> 00:01:22.890
They inspect only the header of the packet,

29
00:01:22.890 --> 00:01:26.100
identifying IP addresses and port numbers

30
00:01:26.100 --> 00:01:30.030
to determine whether to allow or deny traffic.

31
00:01:30.030 --> 00:01:31.980
While efficient and quick,

32
00:01:31.980 --> 00:01:33.480
packet filtering firewalls

33
00:01:33.480 --> 00:01:37.710
can't prevent more advanced attacks like IP spoofing

34
00:01:37.710 --> 00:01:39.270
or session hijacking

35
00:01:39.270 --> 00:01:42.600
since they don't look beyond the packet header.

36
00:01:42.600 --> 00:01:45.090
Stateful firewalls, on the other hand,

37
00:01:45.090 --> 00:01:47.850
track the state of active connections.

38
00:01:47.850 --> 00:01:50.340
They monitor outgoing requests

39
00:01:50.340 --> 00:01:53.880
and only allow corresponding incoming traffic,

40
00:01:53.880 --> 00:01:56.070
making them more secure.

41
00:01:56.070 --> 00:01:59.130
For instance, if you request a webpage,

42
00:01:59.130 --> 00:02:02.250
a stateful firewall will allow the return traffic

43
00:02:02.250 --> 00:02:03.450
from that page,

44
00:02:03.450 --> 00:02:06.060
but block unsolicited traffic.

45
00:02:06.060 --> 00:02:08.760
In this way, stateful firewalls ensure

46
00:02:08.760 --> 00:02:12.300
that only expected responses enter the network

47
00:02:12.300 --> 00:02:14.730
while rejecting potential threats.

48
00:02:14.730 --> 00:02:17.820
Proxy firewalls act as intermediaries

49
00:02:17.820 --> 00:02:20.820
between internal and external connections,

50
00:02:20.820 --> 00:02:24.000
making requests on behalf of a user.

51
00:02:24.000 --> 00:02:27.600
There are two common types of proxy firewalls:

52
00:02:27.600 --> 00:02:31.560
circuit-level proxies, which operate at the session layer,

53
00:02:31.560 --> 00:02:33.900
and application-level proxies,

54
00:02:33.900 --> 00:02:37.170
which inspect traffic at the application layer.

55
00:02:37.170 --> 00:02:40.020
This deeper application layer inspection

56
00:02:40.020 --> 00:02:42.570
allows application level proxies

57
00:02:42.570 --> 00:02:45.120
to filter traffic more precisely,

58
00:02:45.120 --> 00:02:47.640
though they come with a performance cost

59
00:02:47.640 --> 00:02:50.160
due to their in-depth analysis.

60
00:02:50.160 --> 00:02:53.820
Kernel proxy firewalls are a third type of proxy,

61
00:02:53.820 --> 00:02:56.970
which are not used as frequently as circuit-level

62
00:02:56.970 --> 00:02:59.190
and application-level firewalls.

63
00:02:59.190 --> 00:03:02.160
Kernel proxy firewalls enhance performance

64
00:03:02.160 --> 00:03:06.720
by filtering traffic across multiple OSI model layers

65
00:03:06.720 --> 00:03:08.250
with minimal delay,

66
00:03:08.250 --> 00:03:12.180
providing a balance between security and efficiency.

67
00:03:12.180 --> 00:03:15.030
Next generation firewalls take security

68
00:03:15.030 --> 00:03:18.930
to the next level by being application aware.

69
00:03:18.930 --> 00:03:22.230
This means they do not only inspect traffic,

70
00:03:22.230 --> 00:03:25.290
but can differentiate between types of traffic,

71
00:03:25.290 --> 00:03:26.772
providing greater control

72
00:03:26.772 --> 00:03:30.840
and blocking specific application-based threats.

73
00:03:30.840 --> 00:03:32.850
Next generation firewalls

74
00:03:32.850 --> 00:03:35.400
can work with intrusion prevention systems

75
00:03:35.400 --> 00:03:38.010
and conduct deep packet inspection

76
00:03:38.010 --> 00:03:40.410
while maintaining high throughput.

77
00:03:40.410 --> 00:03:45.060
Our last type of firewall is a web application firewall.

78
00:03:45.060 --> 00:03:49.350
Web application firewalls specifically target web traffic

79
00:03:49.350 --> 00:03:53.340
protecting against common attacks like SQL injection

80
00:03:53.340 --> 00:03:55.140
and cross-site scripting.

81
00:03:55.140 --> 00:03:57.960
They inspect HTTP traffic

82
00:03:57.960 --> 00:04:01.230
and can be placed in line or out of band,

83
00:04:01.230 --> 00:04:05.100
depending upon whether the goal is to actively block threats

84
00:04:05.100 --> 00:04:08.790
or detect them without interfering with live traffic.

85
00:04:08.790 --> 00:04:11.220
Our second set of security devices

86
00:04:11.220 --> 00:04:14.880
are the intrusion detection systems or IDSs

87
00:04:14.880 --> 00:04:18.360
and intrusion prevention systems or IPSs.

88
00:04:18.360 --> 00:04:23.360
Both IDS and IPS monitor traffic for suspicious activity,

89
00:04:23.730 --> 00:04:25.380
but their key difference lies

90
00:04:25.380 --> 00:04:28.140
in how they respond to intrusions.

91
00:04:28.140 --> 00:04:33.140
IDSs detect, log, and alert on malicious activity,

92
00:04:33.300 --> 00:04:37.590
but they do not take action to stop that malicious activity.

93
00:04:37.590 --> 00:04:41.400
IPSs, on the other hand, not only detect threats,

94
00:04:41.400 --> 00:04:43.590
but they also react by blocking

95
00:04:43.590 --> 00:04:47.490
or preventing the threat from continuing its activities.

96
00:04:47.490 --> 00:04:50.400
Where an IDS is placed in the network

97
00:04:50.400 --> 00:04:53.910
affects what it is called and how it's configured.

98
00:04:53.910 --> 00:04:57.930
For example, a network IDS monitors traffic

99
00:04:57.930 --> 00:04:59.340
through a mirrored port,

100
00:04:59.340 --> 00:05:03.120
analyzing data for threats like network port scans

101
00:05:03.120 --> 00:05:05.010
or malicious payloads.

102
00:05:05.010 --> 00:05:09.660
As an IDS, it only alerts and records activity.

103
00:05:09.660 --> 00:05:12.750
A host-based IDS or HIDS

104
00:05:12.750 --> 00:05:16.320
runs on individual servers or endpoints,

105
00:05:16.320 --> 00:05:20.040
detecting suspicious traffic or file access

106
00:05:20.040 --> 00:05:23.490
on the specific system it's installed on only.

107
00:05:23.490 --> 00:05:25.770
Similarly, a wireless IDS

108
00:05:25.770 --> 00:05:30.210
or WIDS focuses on wireless network threats,

109
00:05:30.210 --> 00:05:32.520
such as denial-of-service attacks

110
00:05:32.520 --> 00:05:34.830
or deauthentication attempts.

111
00:05:34.830 --> 00:05:37.050
IDS systems, in general,

112
00:05:37.050 --> 00:05:39.600
typically use signature-based detection,

113
00:05:39.600 --> 00:05:42.120
which recognizes known attack patterns

114
00:05:42.120 --> 00:05:44.610
or anomaly-based detection.

115
00:05:44.610 --> 00:05:48.000
Signature-based detection is highly accurate,

116
00:05:48.000 --> 00:05:50.400
but limited to known threats.

117
00:05:50.400 --> 00:05:53.040
Anomaly-based detection can catch new threats

118
00:05:53.040 --> 00:05:55.290
based on anomalous behavior,

119
00:05:55.290 --> 00:05:58.290
but may result in false positives.

120
00:05:58.290 --> 00:06:02.010
As discussed, IPS systems detect, log,

121
00:06:02.010 --> 00:06:05.820
and alert on malicious activity just like an IDS,

122
00:06:05.820 --> 00:06:09.240
but they also have the ability to block threats.

123
00:06:09.240 --> 00:06:10.890
A network IPS,

124
00:06:10.890 --> 00:06:14.010
which is placed directly in line with traffic,

125
00:06:14.010 --> 00:06:16.380
usually near the network's perimeter,

126
00:06:16.380 --> 00:06:18.720
can stop attacks in real time.

127
00:06:18.720 --> 00:06:22.890
Host-based and wireless IPSs work similarly,

128
00:06:22.890 --> 00:06:24.930
responding to suspicious activity

129
00:06:24.930 --> 00:06:29.160
by blocking threats like unauthorized application changes

130
00:06:29.160 --> 00:06:31.080
or wireless attacks.

131
00:06:31.080 --> 00:06:33.300
Our third security device type

132
00:06:33.300 --> 00:06:36.450
is a virtual private network or VPN.

133
00:06:36.450 --> 00:06:40.410
A VPN allows users to create an encrypted tunnel

134
00:06:40.410 --> 00:06:43.680
over an untrusted network, like the internet,

135
00:06:43.680 --> 00:06:46.770
to securely connect to enterprise networks.

136
00:06:46.770 --> 00:06:48.330
Security can be enhanced

137
00:06:48.330 --> 00:06:51.180
not only with a username and password,

138
00:06:51.180 --> 00:06:54.570
but also with additional authentication factors.

139
00:06:54.570 --> 00:06:59.250
The VPN tunnel itself uses strong encryption technologies

140
00:06:59.250 --> 00:07:03.150
such as the advanced encryption standard or AES

141
00:07:03.150 --> 00:07:06.480
with a 256-bit encryption key.

142
00:07:06.480 --> 00:07:10.470
This encryption forms a virtual and secure circuit

143
00:07:10.470 --> 00:07:12.510
between the user's device

144
00:07:12.510 --> 00:07:16.110
and the VPN concentrator receiving the connection,

145
00:07:16.110 --> 00:07:18.570
making it ideal for remote workers

146
00:07:18.570 --> 00:07:22.980
or traveling employees who need access to company resources

147
00:07:22.980 --> 00:07:25.920
like file servers from remote locations.

148
00:07:25.920 --> 00:07:29.340
This setup is called a remote access VPN

149
00:07:29.340 --> 00:07:32.042
or client-to-site VPN.

150
00:07:32.042 --> 00:07:35.550
VPNs can also connect to office locations.

151
00:07:35.550 --> 00:07:38.310
These are known as site-to-site VPNs,

152
00:07:38.310 --> 00:07:41.340
and they offer a more cost-effective solution

153
00:07:41.340 --> 00:07:45.870
than purchasing dedicated leased lines between office sites.

154
00:07:45.870 --> 00:07:49.080
For example, if a company has a satellite office

155
00:07:49.080 --> 00:07:50.790
in Washington D.C.

156
00:07:50.790 --> 00:07:51.930
and wants to connect it

157
00:07:51.930 --> 00:07:54.210
to its headquarters in San Francisco,

158
00:07:54.210 --> 00:07:57.030
they can implement a site-to-site VPN.

159
00:07:57.030 --> 00:08:01.230
In this setup, routers on both ends use encryption keys

160
00:08:01.230 --> 00:08:03.060
to keep all data secured

161
00:08:03.060 --> 00:08:06.270
as it travels across the untrusted internet.

162
00:08:06.270 --> 00:08:09.720
Our fourth and last security device type

163
00:08:09.720 --> 00:08:13.830
are the network access control or NAC systems.

164
00:08:13.830 --> 00:08:18.330
NAC protects networks from unauthorized or unknown devices.

165
00:08:18.330 --> 00:08:21.450
NAC is used to prevent unauthorized users

166
00:08:21.450 --> 00:08:24.630
or devices from accessing a private network.

167
00:08:24.630 --> 00:08:28.470
So when a device attempts to connect to the network,

168
00:08:28.470 --> 00:08:30.930
the NAC system scans the device

169
00:08:30.930 --> 00:08:33.420
to ensure it meets security requirements,

170
00:08:33.420 --> 00:08:37.020
such as having updated antivirus software

171
00:08:37.020 --> 00:08:39.330
and proper security patches.

172
00:08:39.330 --> 00:08:43.470
This applies to both devices physically on the network

173
00:08:43.470 --> 00:08:47.100
and those connecting remotely via a VPN.

174
00:08:47.100 --> 00:08:50.400
If the device passes this health verification,

175
00:08:50.400 --> 00:08:52.680
it is granted full access.

176
00:08:52.680 --> 00:08:57.030
If it fails, it's likely quarantined into a remediation area

177
00:08:57.030 --> 00:08:58.650
where it can receive updates,

178
00:08:58.650 --> 00:09:01.110
but not access the production network

179
00:09:01.110 --> 00:09:04.200
until it meets the required health standards.

180
00:09:04.200 --> 00:09:06.960
Many organizations combine VPNs

181
00:09:06.960 --> 00:09:09.750
with network access control solutions,

182
00:09:09.750 --> 00:09:11.730
allowing the VPN connection

183
00:09:11.730 --> 00:09:14.550
to check the compliance of a remote device

184
00:09:14.550 --> 00:09:17.670
before granting full access to the network.

185
00:09:17.670 --> 00:09:20.130
NAC solutions come in three types:

186
00:09:20.130 --> 00:09:24.000
persistent, non-persistent, and agentless.

187
00:09:24.000 --> 00:09:28.290
Persistent agents are installed directly on devices,

188
00:09:28.290 --> 00:09:31.530
making them ideal for corporate environments

189
00:09:31.530 --> 00:09:33.930
where the company controls the hardware.

190
00:09:33.930 --> 00:09:35.670
Non-persistent agents,

191
00:09:35.670 --> 00:09:38.280
common in places like college campuses,

192
00:09:38.280 --> 00:09:42.660
are temporarily installed and scan devices upon connection.

193
00:09:42.660 --> 00:09:45.060
Non-persistent agents delete themselves

194
00:09:45.060 --> 00:09:47.070
when the scanning is complete.

195
00:09:47.070 --> 00:09:50.460
Agentless solutions don't require software installation

196
00:09:50.460 --> 00:09:52.380
on individual devices;

197
00:09:52.380 --> 00:09:55.380
instead, they run from a domain controller,

198
00:09:55.380 --> 00:09:57.690
making them ideal for environments

199
00:09:57.690 --> 00:10:00.000
where devices aren't company-owned.

200
00:10:00.000 --> 00:10:03.120
While agent-based solutions provide deeper scans,

201
00:10:03.120 --> 00:10:06.060
agentless systems are continually improving

202
00:10:06.060 --> 00:10:08.670
and are commonly used in bring your own device

203
00:10:08.670 --> 00:10:10.920
or BYOD scenarios.

204
00:10:10.920 --> 00:10:14.970
So remember, security devices are tools

205
00:10:14.970 --> 00:10:18.450
that protect networks and data by enforcing policies

206
00:10:18.450 --> 00:10:20.940
and monitoring for malicious activity.

207
00:10:20.940 --> 00:10:24.360
Key security devices include firewalls,

208
00:10:24.360 --> 00:10:28.440
intrusion detection systems, intrusion prevention systems,

209
00:10:28.440 --> 00:10:30.420
virtual private networks,

210
00:10:30.420 --> 00:10:33.210
and network access control systems.

211
00:10:33.210 --> 00:10:36.900
Furthermore, firewalls use access control lists

212
00:10:36.900 --> 00:10:38.520
to filter traffic.

213
00:10:38.520 --> 00:10:42.660
IDSs or intrusion detection systems detect threats

214
00:10:42.660 --> 00:10:44.250
without blocking them,

215
00:10:44.250 --> 00:10:47.460
while IPS or intrusion prevention systems

216
00:10:47.460 --> 00:10:50.820
take positive action to mitigate those threats.

217
00:10:50.820 --> 00:10:52.260
Virtual private networks

218
00:10:52.260 --> 00:10:55.620
or VPNs create secure encrypted tunnels

219
00:10:55.620 --> 00:10:57.180
for remote connections,

220
00:10:57.180 --> 00:11:01.140
making them ideal for accessing company resources securely

221
00:11:01.140 --> 00:11:02.370
over the internet.

222
00:11:02.370 --> 00:11:06.510
And finally, network access control or NAC solutions

223
00:11:06.510 --> 00:11:08.070
ensure only authorized

224
00:11:08.070 --> 00:11:10.980
and compliant devices can access the network,

225
00:11:10.980 --> 00:11:15.363
scanning devices before allowing network access.

