Cisco NETACAD Routing and Switching v6.0 – Chapter 11, Part 1 of 2

Welcome to the Cisco NETACAD CCNA Introduction to Networks video series by Jason Johnson. This video is Chapter 11, Build a Small Network, part 1 of 2; the links to part 2 will be in the description below. The material in this video covers the 6.0 version of the Cisco NETACAD CCNA Introduction to Networks course. Thank you for watching my videos; your time is appreciated, and if you find the material helpful you can subscribe to my channel, and remember to click the notification button if you want to see when I post new content. If you have any questions you can leave a comment below, and if you watch to the end of the video I'll have links to the next chapter, which will be part 2, and I'll also have a link back to Chapter 10.

So let's take a look here at Chapter 11, part 1 of 2. In part 1 we're going to be looking at network design: identifying the devices used in a small network, identifying the protocols used in a small network, and explaining how a network serves as the basis of larger networks. Then in 11.2 we're going to look at network security, and then we'll have a part 2, so make sure that you check the description below for the links to that, or watch to the end of the video to get the links to part 2.

Now, with 11.1, network design: small network topologies. When we have devices in a small network they usually comprise, and this is just a generalization here, one type of router, maybe a couple of switches, and then the user PCs. In really small networks you're not going to have the switches. I know at my house we have a router; it's actually the modem and router. When it comes down the cable it's a cable modem/router, and then I have two other routers in the house because I want to segment out my networks. One goes to my son, who does his gaming on his Xbox, and then I have another one set up for the regular network and Wi-Fi, and I also segment out the Wi-Fi so that I have a guest Wi-Fi and a regular Wi-Fi, and that's segmented out as well. So you can do different things like that. You can have multiple routers; usually you're only going to see maybe one or two routers in a small network, depending on the size of it. You might see a switch if, in the small office or small network we're talking about, you're running to two different rooms or two different areas of a building; you might put a switch in to be able to segment those local area networks off where you wouldn't necessarily need a router.

Also with small network topologies, access to the Internet is usually through a single LAN link, a cable or a DSL link, and management is usually by a third party. Small companies, small businesses, usually hire some contractor, which is probably what you may be training to do. You may be working for a company that hires you out, or you may be doing contracting work yourself. I've done some contracting myself where I'll go out and help small companies out; they do not have the money to go out and hire a full-time IT person, nor should they, because it's not cost-effective. They may only need IT support maybe one, two, or three hours a week on a regular basis, and for setup they may only need that person to come in for maybe one or two weeks. I've helped set up a small company, and I worked for them for about six months getting everything set up: the server, making sure the server was connected to the databases, working with the database person. They didn't need a full-time IT person after that; they needed some training and things like that, but they only needed the initial setup and then somebody to contract with them from time to time to work on computers and things like that. So management is usually by a third-party company or a contractor.

Now, the device selection for a small network. You're going to be looking at some different issues: you want security, you want quality of service if you're going to do Voice over IP, and that's going to dictate the type of equipment that you're going to use. Do you need to do network address translation, and do you have to have DHCP services set up? Those are some things that you might have on a small network.

Now, on a small network with IP addressing, address space is a crucial component of a network design. All devices connected to a network do require an address; however, they don't have to have an Internet-enabled IP address. When we're talking about IPv4 you can use network address translation to do that. But the address scheme must be planned out, documented, and maintained, and documented is the big one right here. When you plan something out, that's fine, but you want to document, document, document. You want to have it written down, especially if you are a third-party person coming in, because you may not be the follow-up person who comes in and works on that network. Somebody comes in behind you, and I've done it before, where you come in and you're like, well, where does this wire go, why was this switch put here, and why are they using this IP addressing scheme? So if you document that, you put your thoughts to paper. It may just be a Google Doc, it may just be an electronic document, but it needs to be documented. Address space documentation can be very useful for troubleshooting and control, and the reason you document, especially on a small network (I mean, you need to do it for large networks too, but especially for a small network), is just like I said: you may not be the person that comes in and fixes it down the road, it may be somebody else, or you may be coming in behind somebody else trying to fix it, and you would really appreciate some documentation there. Address documentation is also important when controlling resource access: you want to be able to know who's got access, who's in what LAN areas, and things like that.

So, redundancy in a small network. You probably can't put a whole bunch of redundancy in, depending upon costs, because usually small networks are limited on resources; they're limited in the money that they're able to spend. A network should be reliable by design; however, the more reliable you make it, the more expensive it gets, so there's a trade-off there. What you have to do when you are working with the company is understand that cost trade-off and what the return on investment is for extra equipment. For example, let's look at this redundancy over here. Let's say that a company says, oh, we don't need that extra router and switch, we don't need this over here. But let's say that this switch goes down; then they're down, that company can't operate, they cannot get out to the Internet. But if they have two routers and two switches and let's say this one goes down, then this one can still reroute. Or let's just say that this server goes down; it can still reroute to this switch and go this way. You've got redundancy built in, and let's say that you build redundancy in maybe even between your routers, so you're going to have redundancy built in there. There's a cost to it, and you just have to work that out with the company to be able to say network failures are costly.

I've worked for a company that was a penny-pinching company, and they just did not want to spend money. I had a server that went down all the time, and so what I had to do was document the downtime, and I did it over a three-month period. Then I showed them: here's how much it's costing you in downtime, and if you would just go spend an extra five thousand dollars, let's just get five thousand dollars put in a new server, here's what your uptime is going to be over the next year, and here's what you're going to save over the next year. In just one year they saved money on their return on investment just by spending that five thousand dollars, because with the downtime on the old server they had people just sitting there not working for large amounts of time. It was very easy to be able to say, here's your downtime, here's what it's costing you, here's your per-hour cost of not being able to work, here's what you're going to spend on new equipment, and here's what the payback is going to be. So you just have to make that sale; you have to be kind of a salesperson when you do that. You have to make it logical and say, here's what you're getting back for your money.

So redundancy increases reliability by eliminating single points of failure; that's basically what we're talking about when we're talking about redundancy in networks. Redundancy can be achieved by duplicating network equipment and links; however, that's costly, so you have a trade-off there. A good example is a network's link to the Internet or to a server farm. A lot of companies will only have one link out to the Internet. The company that I was consulting for, the one I said I worked for about six months, had backup Internet even though it was costly for them. We had a regular DSL line, and this was about ten years ago, it's been a while, actually it's been more than ten years, wow, okay. So we had a regular DSL line coming in, and then we also set up a wireless connection. There was a company in that town that had point-to-point wireless, where we could put up an antenna on our building, and we had that as a backup, so that if our main DSL line went down, which could tend to happen every now and then, they could still send orders through, because they were very time-sensitive. I don't want to say exactly what they did, because it gives away what company I worked for, but the type of work that they did was very time-sensitive. When they would have orders placed with them they had a small window of time to get those orders turned back around and back out the door, and so they could not be down; they just could not afford to be down, they lost too much money. So they spent the extra money. Well, one, we had two DSL lines coming in, so we had a duplicate, but when DSL went down, both of them went down, and so we put the backup of point-to-point wireless in.

Now with traffic management, traffic type and patterns should also be considered when designing a network, and by traffic patterns I mean bandwidth and how much data is going to be going through. If you have database traffic going through, that's going to be heavier than maybe somebody that's just going out to a web portal and putting in orders for a company. So a good network design categorizes traffic according to priority, and by that we mean what has the most priority. Well, voice is going to have the highest priority if you're doing Voice over IP, because it has to get through; your phones have to be up and running. FTP has a lower priority, because sending files, if you watched the other chapters, you know we learned about TCP, reliability, and connection-oriented protocols, and FTP will make sure that those files go through. Those files are going to be sure to go through, but it's a lower priority, because they can get resent back and forth; if they can't upload the file at that particular minute, it can queue up and send it on through. So you have higher priority and lower priority based on services.

Now, common applications in a small network. Those are usually network applications used to communicate over the network. You might have a DNS server, maybe; on a small network you usually don't have a DNS server, but you could set one up. You might have a Telnet server; you might or might not have an email server, depending upon the size of the company; you most likely are going to have a DHCP server set up to be able to pass out IP addresses; you may or may not have a web server, again depending on the size of the company and its focus, since they may choose to put that out on the cloud; and they may have an FTP server, and that might be where clients could drop files off and things like that. Email clients and web browsers are examples of types of applications. Application layer services are programs that interface with the network and prepare the data for transfer, and then each service uses protocols, which define the standards and data formats to be used. So those are the application layer services.

Now, common protocols: processes on either end of the communication session, let me restate that, processes on either end of the communication session; how messages are sent and the expected response; the types and the syntax of messages; the meaning of the informational fields in the packets that are going through; and then interaction with the next lower layer. That's what the common protocols do for you, and we learned about that in earlier chapters; this is just a follow-up to that.

Now, on voice and video applications, you have your infrastructure that needs to be set up. You might be using Voice over IP, IP telephony; you might also have real-time applications; you might be doing video chat. Those are the real-time applications that you might have on a small network as well.

Now, small network growth. One thing that is for certain is you're probably going to grow a small network at some point, so we call that scaling, or you'll hear the term scalability: how easy is a network to scale, or what is the scalability of a network? So first you have to document your network to make sure that you can see where everything is, and then you can plan for some scalability. Now, how do you do that? Well, that's where you get with the business side and you ask about the business plans six months down the road, 12 months, 18 months, 24 months down the road, and you ask those types of questions: how many people are you planning to add to your network over the next six months to a year? Then you can plan for that. Device inventory: make sure that you have a good device inventory so that you can say, okay, here's where we need to grow if we need to add more endpoints. If we have a 24-port switch in place and I have 20 end computers connected to that, and the company says, well, we know we're going to grow by 10 over the next year, well, you're going to need another switch, because on that 24-port switch you've only got four more ports, and so you're going to need another switch in place. That's what we're talking about with making sure that you can scale. Budget comes into play, and then traffic analysis also comes into play. Let's say that you have a switch in place here, and you're sending all your traffic through that switch and it's getting bogged down; your bandwidth is just not able to handle it. You might put another switch in place, and let's say that you segment off your engineers, and I'm just using an example: you have an engineering department, two or three engineers, and they are sending large files out to the cloud because they are updating engineering files, maybe they're doing CAD drawings or something like that, and they're sending those large files out to the cloud. Well, you might put them on a separate switch so that their bandwidth isn't taking up as much of the traffic as maybe the rest of the company. So that's just one example of how you might analyze traffic.

Now with protocol analysis, you need to understand the protocols in use in the network, and protocol analyzers are tools designed to help in that task. I really have not used a protocol analyzer on small networks; you're usually going to see those in larger networks, but those are available. They capture traffic at high utilization times and in different locations of the network, so that you can do some problem solving: okay, when is our high traffic point, and why is it at this point? Is it 2:00 to 3:00 o'clock, or 2:00 to 4:00 in the afternoon, or let's say that it's from 3:00 to 4:00 in the afternoon; why is it so high during that time? Well, let's go back up here to our example of the engineers. At 3 o'clock in the afternoon there's a deadline for those engineers to get their files up to the company or up to the salespeople, so at 3 o'clock they start uploading, and so you're going to see a huge spike at 3 o'clock. That might be a business decision, to be able to say, hey, could we get with the engineering department, and can we have them upload earlier or do something different, because we're having high traffic utilization during that time. So analysis results allow for a more efficient way to manage traffic.

Now, employee network utilization: be aware of how network use is changing based upon users. I just gave an example of time of day, and that's not always something that's going to be known; you have to talk to the business side to figure that out, because you may be sitting there going, man, I don't understand why at 3 o'clock every day there's traffic. Well, if you go talk to the business people and your customers and say, okay, we're getting high traffic at 3 o'clock, what's going on, what are you doing in your day-to-day work that's causing that, then you can find that information out. So a network administrator can create IT snapshots of employee application utilization. By person, you could say, okay, this endpoint is sending up this amount, this endpoint is sending up this amount, and then you can find that out. I have had an example where we had a user that was doing a side business using the company network, and so we used some network utilization tools and we figured out that there was a large amount of traffic going to a particular endpoint. We went and looked at files and things like that and we were like, you know, they shouldn't have this much network traffic, and we found out that they were storing personal business files; it had nothing related to our business. They were doing work outside that company, but they were using our company's network and storage to put their files on. So we used the network analysis to be able to figure that out.

All right, well, let's switch over to 11.2, network security. When you get into security you have to figure out what the types of threats to a company are, and let me say, I also teach security courses for the community college I work for and some other places, and what I will tell you is no network is 100% secure, and anybody on the security side is going to tell you that you're never going to get 100% secure. What you have to do on the security side is an ongoing, comprehensive task; it's really never-ending. So what you have to start with is figuring out your types of threats. Digital intrusion can be costly, but is it always coming from intrusion? Could it be from the inside? I just gave an example of an employee that was doing something internally that was not necessarily a security threat, but it was impacting the business. So intruders can gain access to software through vulnerabilities, hardware attacks, and stolen credentials. Common types of digital threats include those listed on the graphic over here; well, those are physical ones over there, the graphic's not digital, okay, so not the ones listed in the graphic over there. You can come in through digital attacks; I'll just list off a few here. Digital threats can come in through malware that may come into your company; you might get emails that come in and say, hey, you need to update your password, click here to do that, and so it's about training and it's about layering your security.

When we talk about physical security, though, it's not always just digital security; it's also physical security. Is your hardware physically secured? We have our servers here; are they behind a locked door, or can just anybody get in? Do you have a card reader in place? Do you have somebody close to the door that can see people coming in and out? At another company I worked for, the door to the IT room had a card reader on it, but we also had the main receptionist up front where the IT door was, so if anybody tried to go in that IT door that person could see them. So we knew that even if you had a key card you still had to get past the receptionist, and they knew who was supposed to be up in the IT area, so we had layers of security. You have environmental security: is your AC backed up, do you have enough AC, is your AC in a backup situation so if your main AC goes down you have a backup for it? Those are things you need to think about, too. Electrical and maintenance: what is your backup plan for when you lose electricity, and maintaining your system as well.

So when we talk about types of vulnerabilities, there are three primary vulnerabilities: you have technological, configuration, and security policy. Let's talk about technological first. Technological is what type of technology you are using: do you have the right equipment, do you have the software? Is it configured properly? That's the second part: do you have everything properly set up, is your router properly and securely configured? Do you have passwords, did you encrypt your passwords, did you put banners and messages of the day on there? And then do you have a comprehensive security policy in place? That is the policy that goes down through everything, and the lecture on this goes beyond the scope of this presentation, but when you put a security policy in place, and you can find all kinds of them out on the Internet, it needs to be comprehensive, it needs to be updated, and it needs to be reviewed regularly. What I mean by regularly is maybe every six months you pull together a team, and maybe not just IT people; I've been involved where we have the IT people, the maintenance people, the facilities people, and you might have the HR people, Human Resources, involved, because all of those different areas come into it. You pull a team of people together to review this security policy in the broader scope of the security of the company.

Okay, so endpoints; we're going to switch gears to endpoints here. They can be under attack as well, such as servers and desktop computers, somebody walking into the facility. Any of those three vulnerabilities can be exploited and used in an attack, so you just have to be watching all of those different areas. So you have different types of malware that can come in, and this presentation is not going to cover all security threats, so you may be saying to yourself, well, he didn't cover this in there; well, right, this is not going to cover everything. This is not a security class; this is just an overview of security for the Routing and Switching Introduction to Networks course. But some of the types of malware: you might have a virus or a worm or a Trojan horse that comes in. It may not be somebody from the outside trying to get in; it may be an employee over here. You may have this employee over here sitting at a computer, and they opened up a file they weren't supposed to; they brought in a USB drive from home that they had downloaded this on. I'll give you an example. This was years and years ago, back with Windows 4.1, which tells you how long ago it was. We had some users that were playing solitaire, so management decided, hey, we want to remove solitaire from the computers. Well, some enterprising employees figured out how to put solitaire on a floppy disk, put it back in the computer, and play on their break or when nobody was around. The way we found that out was we went to boot a computer and it wouldn't boot up properly, because that person had left the floppy disk in the drive and so it was trying to boot to the A drive, which was the floppy drive. So that was an internal threat. I mean, it's an old example, but it's an internal threat.

You can have reconnaissance attacks. Those are users from the outside that try to ping your network; they try to get into the router, they try to discover and map your systems and services to figure out what's there, to figure out what vulnerabilities you have. They try to acquire enough information to target the system or network, to facilitate the search for vulnerabilities, so they try to break in so that they can search. It's really a probing attack, and good hackers, the good ones, I don't mean that they're good people, I just mean the ones that know what they're doing, will leave as small a footprint as possible. They won't necessarily try to break in and do anything wrong at first; they're probing for vulnerabilities, because they're trying to discover how deep they can get into the network, how much information they can get access to, what is available to them. So they're going to keep acquiring information until they get full access, and then they can pull information out, or maybe they're saying, okay, well, I've got this information over here, but wait a minute, there might be something even better, I might be able to get all kinds of personal information, credit card information, database information. So they keep probing.

Some common tools that they rely on are usually free or public Internet services such as DNS and Whois. You would be amazed; I've done it when I teach security classes: we sit and we do DNS searches, or we do a Whois, and we say, okay, who's the administrator on this account, and we find out that it's John Smith. It's a small company, and we call up and we say, hey, I'm working with John Smith to update your website, I just need to get this information from you, can you tell me your IP address? And they walk you through it and give you the IP address, the internal IP address. So you're trying to ping in, and now if I've got the internal IP address and I've got the external IP address on the router, I can start doing some things where I can try to break through the router at that point. So just things like that: looking up a company to see who works there and getting the IT information or the CIO information, things like that, searching to see if documents are available through the public network. I've done that before with my security classes, where we scan a company, or we scan a place, and we say, do they have any documents, do they have any Excel documents open? I've seen it before where a company just had an Excel document with all kinds of employee information, and it was available on the Internet; it was forward-facing to the Internet. You could see that Excel document on the Internet; it wasn't on a web page or anything like that, but if you just searched their network, somebody had left it on a web server and you could pull that Excel file up. They had shared it with somebody else at some point and had just left it there, and so it was exposed.

All right, you also use port scanners and packet sniffers; those are commonly used in reconnaissance. So you might tie in to a Wi-Fi, especially a public Wi-Fi, and start packet sniffing, or they find physical access to a network jack that's in your building, and they plug in to that jack and they can sit there and start wire sniffing. That's why physical security is so important.

You have access attacks: those are password attacks, trust exploitation, port redirection, and man-in-the-middle attacks, where they try to make you think that they're somebody else. So a victim here thinks they're going to a website, but they're actually going through this web server first, and then it's going down here, and they're parsing all that information and reading it. So it's unencrypted here; even if it's encrypted, they unencrypt it here, read it, and then forward it to the server and then back. So this person thinks they're on the server, but they're not; somebody's reading it.

Denial of service attacks are also a very real thing, a DoS, or you'll hear the term "DoS". A simple DoS attack: you would think that they're simple, but they're still dangerous. That's where an attacker will have a botnet, maybe, or what they call a directed denial of service, and what they'll do is they'll have their bot system start flooding that web server. For an example, let's say, we're not going to say we have a man-in-the-middle here; let's say this person here sends information to all these bots and says, okay, start pinging this web server. They might have 5,000 different endpoints, victims, start pinging this web server. Well, if they start hitting that, depending upon what level of traffic you're paying for, you may have that web server shut down and you may not be able to get to it. Now, they didn't actually hack the web server, but what they've done is effectively shut the road down to that web server, so they've shut your business down. So you prevent denial of service attacks by applying the latest security updates; there are also IT services that you can employ to fix that. Some common DoS attacks are the ping of death, the SYN flood, directed denial of service, maybe a smurf attack. There are different ways, and there are solutions to all of those, not always right away, but usually you can fix those, and there are services that will help you with that.

So how do we mitigate network attacks? You back up, you make sure that you're upgrading your equipment to the newest that's secure, you make sure that you're always updating and that you're patched. A lot of times a company gets hacked because there's some kind of vulnerability out there and they didn't patch the system, so you want to keep up to date with the latest developments. Your enterprise needs to keep current with the latest versions of antivirus software; patches for all known vulnerabilities must be applied; a central patch server is good for managing large numbers of servers; and patches should be installed without user intervention, in other words, updates need to go out to the endpoints without the users overriding them or stopping them.

So, authentication, authorization, and accounting, AAA here. Those are services that provide access control on a network device. You want to identify access to resources: authentication, who the person is; authorization, what can that person do once that person is known, or what we call a need-to-know basis; and then accounting, tracking actions performed while accessing the resource. So we know who the person is, we know what they have access to, and we know where they're going; I call it WWW: who they are, what they have access to, and where they are going. The AAA framework can be helpful in mitigating network attacks and setting up your security policy.

Firewalls are another way to secure the network, and you're going to be working with firewall systems in this course and future Cisco courses, but the firewall controls the traffic and helps prevent unauthorized access. It doesn't stop 100% of it, but it does help prevent it. Techniques for determining what is permitted or denied: you might packet filter, you might application filter, you might filter by URL, and you might do stateful packet inspection, and you're going to learn about that later on in other classes. Where you do stateful packet inspection or just packet filtering, you're saying only certain types of packets come in; only packets get returned that we know and have verified came from internal to begin with. So if that goes out of the server, if it comes back in, it's got to have originated from inside the system, inside the LAN.

You also have endpoint security. Those common endpoints are laptops, desktops, servers, smartphones, tablets; all of those are a risk, so securing endpoint devices is challenging, especially when you have bring your own device, where you allow your employees or other people to bring a device and put it on the network; that's also challenging. Employees need to be trained on proper use of the network: training, training, training. I can't tell you; I mean, you want to train, and I'll give you a quick example here. I had a manager, and I'm going to reiterate that it was a manager; we had trained our employees not to open emails if they didn't know who they were from. The manager calls me up and says, I got this email from a sales rep, but I don't know what it is, it's got an attachment to it. And I said, well, don't open it; I'll be down in about 15 minutes or so, I'm working on a project, but don't open it, we'll take a look at it in a few minutes. I get down to the desk, ask the manager, hey, what about that, and the person said, oh, I opened that up and it was nothing; they go, it was something that they had sent me, I
think effect I think itwas like a it was like a music file or some stupid something like that itwasn’t it wasn’t anything business-related it was just somethingfunny that the person said but I just had to do a facepalm because it was likeit was like did I not train you you’re supposed to be the manager here and didI not tell you don’t open stuff unless we take a look at it first let’s we scanit and you know this was a few years agobefore things got automatically scanned and it was just a point of you knowtraining just failed at that point and and they were like oh no well it’s finebecause nothing happened well yeah that case but it could have happened and thatwas the point I was trying to get across it could have happenedso policies often include the use of antivirus software intrusion preventionand comprehensive endpoint security solutions rely on network access controlyou know logins you know who’s in checking your security logs things likethat data security overview or I’m sorry device security overview defaultsettings are dangerous because they’re well-known Cisco routers have the Ciscoauto secure feature you want to make sure that you always change passwordsthat you update passwords that you encrypt passwords things like that soyou want to change default usernames and passwords immediately about before youput before you put the device on the network or what I call into productionyou want to make sure that you do all these things first don’t put it outthere and then start changing it get it updated get it working and then put itinto the system you want to restrict access to the system’s resources toauthorized individuals only turn off unnecessary services if you’re not usingFTP services turn them off there’s no reason for those ports to be open ifyou’re not using FTP services update any software and install security patchesprior to production operation prior to production operation you always want toget everything up and running and that’s why I’ve had that had 
that questionbefore as I told you earlier with the company that I worked for for about sixmonths it took me a couple of weeks to get the one server up and running and Ikept you know a couple of people were like well how come it’s taking so longand I’m like because I want to make sure everything is working right on this andsecure before we put it in place they had never had that concept before theprevious IT person just didn’t do that they just do things into production andhad no thought for security whatsoever and then when they had somebody comealong that was actually applying the policies and things like that theycouldn’t understand why I was taking extra time and I’m just you know havingto tell them if you want it done right it’s gonna take a little bit extra timeyou know if you want it done the proper way make sure that you have goodpassword policies in place you know use strong passwords and for strongpasswords make sure it’s at least eight characters I always go with 12says preferably 10 or more I always go with 12 or more you want to make surethat you have a mix of uppercase and lowercase numbers symbols and spaces Idon’t really go with spaces because that can really mess you up sometimes butlowercase numbers and symbols no repetition no common dictionary wordsexcept for I would I will go I will tell you I’m IMing the camp from the securityside where you could use let’s say that you have five different words that youput together and you put you know horse and I’m not gonna spell it out but youknow horse eats or let’s say say you should do horse first boat duck buggyhorse duck horse horse duck boat buggy and you can spell that out and that’sthat’s a fairly good password because it’s long and if you put uppercase andlowercase in there it’s gonna take a little bit of time for a passwordcracker to get that but you want to do know user names should be you be using arelative or pet names no other easily identified pieces of information justrecently Equifax if you 
if you go back and search the news if you’re watchingthis video later on but this is in September of 2017Equifax the credit reporting company was hacked and in that hack process it cameout that the CIO and some of the top people in the company were using justcommon names they were using pet names or relative names birthdates things likethat that the top people that are supposed to be the most aware the CIOthe chief information officer was using insecure passwords it’s just uh you knowit’s inconceivable that that’s happening and today you know in 2017 but it stillis misspelled words were can still be cracked because data dictionary an BOEdictionaries got cracking dictionaries put misspelled words at commonmisspelled words on there and you want to make sure that you change them oftennow there’s a lot of debate on how often should you change it should it be 90days should it be 30 should it be 60 that’s that’s really where you need tocome up with your security policy and come up with a plan on that and and andresearch what common is and you know how often do you think you need to change itthings like that well in Cisco routers they do support the use of Pat afraiduse of a phrase made of many words like I just said you know horsehorse duck buggy boat would be an example of that and that’s which iscalled a passphrase and it is supported in there however I would say you wouldstill probably want to put a some uppercase and lowercase in there andmaybe do some what I call hay stacking or maybe you put some symbols on thefront the back maybe you put five stars on the front and five hashtags on theend into point so you kind of make it longer and you could do what they callhay stacking with the password now some basic security practices strongpasswords are only as useful as they are secret so if you lose your password itdoesn’t matter it doesn’t matter if it’s twenty characters long doesn’t matter if100 characters a lot of my my Google password is over 100 characters long 
Ithink it’s 102 characters long upper case lower case number symbols I don’tremember I use a password manager to do that if I lost that password it’s nolonger secure except for the fact I use two-factor authentication you have tohave a USB key to log into unknown devices on my gmail account so you knowyou put those things in place now on the Cisco side the service passwordencryption command encrypts the passwords and configuration always dothat always do it the security passwords minimum length always do that thatensures all configured passwords have a minimum specified length you can forcepassword links do that blocking several consecutive loginattempts helps minimize password brute-force attacks you want to do thatand then you want to log in blocks for 120 attempts tamps 3 within 60 thatlittle block login attempts for 120 seconds if there are 3 failed loginattempts within 60 seconds now you may say to yourself why would you do thatwell that’s way if you’ve got somebody to just constantly pinging the thedevice trying to get in if it gets it wrong three times within 60 seconds itlocks it down for 120 seconds and it makes it that much longer for them tokeep trying to put passwords in because then it’s gonna have to wait 120 second120 seconds before it can try again and if it tries wrong again then it’s doit again and that’s where my password manager that I use does that so ifsomebody was trying to crack my password using a dictionary attack or somethingalong those lines after so many failed attempts it will lock it down for acertain amount of time and it gets increasingly the one I use getsincreasingly longer so it does it may do it for 106 you know you may do it for 60seconds the first time then one 20 the next time and then maybe threeyou know 300 – the next time so but with your Cisco devices you want to put thatin place and then you also want to do the exact time out that automaticallydisconnects idle users on a line always make sure you have that in place as 
wellall right you want to make sure that you enable SSH telnet is not secure is notsecure so enable SSH it’s highly recommended to use SSH for all remoteshell protocols just do it you know when I says highly recommended just do itdon’t don’t use telnet to configure a Cisco device to support SSH you need totake these 4 steps you need to ensure the router has a unique hostname and anIP domain name you need to generate the SSH keys you need to generate a localusername and then you need to enable vty inbound SSH sessions sessions and therouter can then mail be remotely accessed only by using SSH only by yesSH note no telnet just don’t use telnet they’re not good you’ll have a bad dayall right so this has been chapter 11 part 1 I know it’s a little bit longerand oh I have that’s I have chapter summary part 2 on there this is part 1we looked at how to how small networks can scale into a not larger network andwe also looked at how configuring switches and routers and devicehardening features to enhance security and we looked at security kind of in ageneral face so this has been a little bit longer video in this series and Iapologize for that for the length but there’s just so much material here inchapter 11 and we have a second part part two so if you hold on for a fewseconds you’ll see the links to that or check in the description below and Ihope this video was helpful for you and I hope you have a great day
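The device hardening commands (service password-encryption, security passwords min-length, login block-for, exec-timeout) and the four SSH steps described above, put together as one Cisco IOS configuration. This is an added example, not configuration from the video or the course; the hostname, domain name, username, secrets, timeout values and the one disabled service are placeholders chosen for illustration.

```cisco
! Added example, not from the video. Replace placeholder values before use.
!
! Step 1 of the SSH setup: unique hostname and IP domain name
hostname R1
ip domain-name example.com
!
! Encrypt plaintext passwords stored in the configuration
service password-encryption
! Enforce a minimum length on passwords configured from now on
! (12 chosen here to match the "12 or more" advice above)
security passwords min-length 12
! Lock out logins for 120 s after 3 failed attempts within 60 s,
! and log each failure so the lockouts show up in the security logs
login block-for 120 attempts 3 within 60
login on-failure log
!
! Step 3: local username for SSH logins (secret is stored hashed)
username admin privilege 15 secret ChangeMe-Before-Production
enable secret ChangeMe-Enable-Secret
!
! Step 2: generate the RSA key pair that SSH needs (depends on the
! hostname and domain name configured above); 2048 is an assumed size
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Console line: local login and idle disconnect after 5 minutes
line console 0
 login local
 exec-timeout 5 0
!
! Step 4: VTY lines accept inbound SSH only (Telnet is not allowed)
line vty 0 4
 login local
 exec-timeout 5 0
 transport input ssh
!
! Turn off an unnecessary service (illustration: the HTTP server)
no ip http server
```

After applying it, check `show login`, `show ip ssh` and `show running-config | include transport input` to confirm the lockout policy, SSH version and SSH-only VTY access took effect.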
As found on YouTube