Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career. Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity.
In this episode, Shon will talk about the following items that are included within Domain 4 (Communication and Network Security) of the CISSP Exam.
BTW - Get access to all my CISSP Training Courses here at: https://shongerber.com/
CISSP Exam Questions
Serves as a gateway between a trusted and untrusted network that gives limited, authorized access to untrusted hosts.
CORRECT ANSWER - Bastion hosts
A basic network mapping technique that helps narrow the scope of an attack:
CORRECT ANSWER - Ping scanning
Layering model structured into four layers (link layer, network layer, transport layer and application layer).
CORRECT ANSWER - TCP/IP or Department of Defense (DoD) model
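The third question asks about the four-layer TCP/IP (DoD) model. The following is an added example, not part of the show notes or of Shon's training material: it constructs a sample Ethernet frame carrying an IPv4/TCP/HTTP request (addresses from the RFC 5737 documentation ranges; the MAC addresses, ports and sequence numbers are made up) and walks it down the four layers, verifying the IPv4 header checksum on the way. The `Frame` container and its field names are this example's own.

```python
"""Walk a constructed Ethernet frame down the four layers of the TCP/IP (DoD) model.

link layer        -> Ethernet II header (MAC addresses, EtherType)
network layer     -> IPv4 header (addresses, protocol, header checksum)
transport layer   -> TCP header (ports, sequence numbers, flags)
application layer -> whatever the TCP payload carries (here an HTTP request)
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
# TCP flag bits, least significant first (RFC 793 / RFC 3168)
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Frame:
    """One decoded field set per TCP/IP layer (names are this example's own)."""
    link: dict = field(default_factory=dict)
    network: dict = field(default_factory=dict)
    transport: dict = field(default_factory=dict)
    application: bytes = b""


def parse_frame(raw: bytes) -> Frame:
    f = Frame()
    # Link layer: fixed 14-byte Ethernet II header
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    f.link = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return f  # not IPv4: stop at the link layer
    # Network layer: IPv4; IHL is the header length in 32-bit words
    ip = raw[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum, s, d = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    hdr = ip[:ihl]
    # Verify the checksum over the header with the checksum field zeroed
    f.network = {
        "version": ver_ihl >> 4,
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, s)),
        "dst": ".".join(map(str, d)),
        "checksum_ok": ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) == csum,
    }
    if proto != IPPROTO_TCP:
        return f
    # Transport layer: TCP; data offset is the header length in 32-bit words
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    doff = (off_flags >> 12) * 4
    flags = [name for i, name in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    f.transport = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                   "flags": flags, "window": window}
    # Application layer: everything after the TCP header belongs to the application
    f.application = tcp[doff:]
    return f


def build_sample_frame() -> bytes:
    """Constructed sample (not a capture): HTTP GET from 192.0.2.10:40000 to 198.51.100.7:80."""
    payload = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
    # TCP: data offset 5 words, flags PSH|ACK (0x18), TCP checksum left at 0 for the demo
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                      ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


if __name__ == "__main__":
    frame = parse_frame(build_sample_frame())
    for layer in ("link", "network", "transport"):
        print(f"{layer:11} {getattr(frame, layer)}")
    print(f"application {frame.application!r}")
```

Each layer only reads its own header and hands the rest down, which is the point of the model: the Ethernet code never looks at IP addresses, and the TCP code never looks at the HTTP text. The checksum check shows why header integrity is a network-layer concern; flipping a single TTL byte makes `checksum_ok` false without the transport or application layers noticing anything.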
Want to find Shon Gerber elsewhere on the internet?
LinkedIn – www.linkedin.com/in/shongerber
Facebook - https://www.facebook.com/CyberRiskReduced/
Welcome to the Reduce Cyber Risk podcast, where we provide you the training and tools you need to pass the CISSP exam while enhancing your cybersecurity career. Hi, my name is Shon Gerber and I'm your host of this action-packed, informative podcast. Join me each week as I provide the information you need to grow your knowledge so that you're better prepared to pass the CISSP exam.

All right, Shon Gerber again with the Reduce Cyber Risk podcast and ShonGerber.com. Hope you all are having a wonderful, blessed day this great week, and I hope the things that are happening in your lives are making everything wonderful. As far as the home front here in Wichita, Kansas, that is where I'm based out of, it is a great day. It's kind of cold today; the winds picked up out of the north at about 50 miles an hour and I believe snow is blowing into the area. By the time I'm recording this podcast it's November and it's a little bit chilly. It's not too bad, but as we get further into the winter months it's going to be quite a bit cooler, at least from what they're saying. So this is the time that everything kind of hunkers down here in the Midwest United States and you start thinking of warmer places that would be nice to go to. My wife and I talked before about the Kona Ice business that does shaved ice, and it's interesting how that part of the business has slowed down now, and then it will be very, very busy once again. So life is good, cannot complain at all, other than I have too many children at home and sometimes they drive me nuts. If any of you out there have children, you know exactly what I'm talking about. Of those, three are girls, so if you're a female out there, I apologize, but the bottom line is they're driving me nuts. Yeah, I'd be happy to live wherever you are right now at this point.

All right, so let's get started into the training for today. In this training we're going to be focused on Domain 4, Communication and Network Security, and we'll be focused around the CISSP: taking the CISSP and passing the test the first time, so that you don't have to do what I did and take it multiple times. The goal of this training that we provide on ShonGerber.com and at the Reduce Cyber Risk podcast is to help you with your CISSP training. There's an online blog, and you can check them out at secure ops.com; the links will be in the show notes that you can get at ShonGerber.com.

Now, there are some key aspects as we get into secure network design, things you need to consider. As you're taking the CISSP, in the future you potentially might be a security architect, or let's say a chief information security officer within a company, and so understanding network design is an extremely important task and something that you must do. When you're going through network design, it's important that you understand the design well enough that you can actually secure the environment, and especially as we go into the cloud and get moving in that direction, it's extremely important that you understand how to adequately secure your environment.

Now, when you're dealing with network security design and architecture, you've kind of figured out the role that you need to fill, and the security architecture utilizes the organization's current resources. So when you're looking at the architecture of your environment: what do you currently have in place, and how would you utilize it? As an example, say you have firewalls deployed; how are you utilizing those, how are you positioning those, are they set up in a good spot to best protect your information and your data? There's also secure design, and that might be how you have communication with, let's just say, the facility that you're working at, where you have your business, and how it is communicating to, say, cloud servers or anything that's in the cloud. You need to understand those concepts, and it just comes down to this: you really must have a broad-brush understanding of, one, networking, and then, two, how things network within these various environments as well.

Now, each has a role, but other factors can influence the effectiveness of it, and so when you're looking at security you must have leadership buy-in. Who could that leadership be? Well, depending upon the size of your company and who you work for, it could be anywhere from the president to the CFO to the CIO, or it could potentially be just you, but ideally you'd want to have multiple people involved in how you are architecting the security within your environment. You also need to have the technical capability to be able to do it. Finding those resources can be expensive; if you don't have them internally they can cost a lot of money, and so you need to consider that as well: do you have the technical capability in house, or do you have to go to a third party to get it? What is your budget? Most organizations have a budget that they have to stay within, and that budget is a certain percentage of their overall spend for the year; it could be as little as 1% or 2%, or as high as 10%. A lot of it comes down to where your business sees the risk and how they value security to help them mitigate that risk.

Now, there are four core tenets of a secure network design, and I agree with them on this. One: understand the value of the systems and the assets. You need to understand what the value of these systems is, what they are worth, and whether they are something that you want to protect. So for example, let's say you are Kentucky Fried Chicken; Kentucky Fried Chicken is in the United States and all over the world. Let's just say you're going after their chicken. Well, they have the 11 herbs and spices that make the KFC chicken finger-lickin' good, and so you need to understand what the systems are and what the value is of the systems that are storing this data. Is it your HR data for Kentucky Fried Chicken? Is it how you keep your 11 herbs and spices protected? What are the systems, what are the assets, and how much are they worth to you?

Two: network segmentation. You need to make sure that it's segregated. Do you have process networks that need to be segregated from the actual business network? Like recently, there was an explosion down in Orange, Texas, where a chemical plant blew up, or part of it did. Are those networks segregated, so that in the event something bad happens, how do you keep hackers out? Three: monitoring and prevention. How do you deal with that? From your monitoring, you're watching what's going on within that organization to make sure that nobody is stealing your information, and then alerting: do you have an alerting capability in place so that in the event somebody does get in or something bad happens on your network, you can prevent it, or you at least can see what's going on? And then lastly, four: least privilege access control. We talked about role-based access and how it's set up based on the individual. With those controls, you want to have people with the least amount of privilege they possibly can. You don't want people to be able to get access within an organization when they don't need the access or don't have the rights to the access, so understanding least privilege is really important as you're trying to define the network design for your environment.

Value: that's a key piece of this, actually asset identification. Understanding where the assets are and how they play into this can be as simple as doing a Lansweeper run or some sort of scanning to tell you specifically what is in your environment. Asset identification is a key piece of this, it really is, and this is where people fall down quite a bit as it relates to their environment. Things get put in, nobody annotates it, nobody knows about it, and then after about one year, two years, three years you have all this different equipment that has sprawled through your environment, and now you must deal with it. So those are key pieces around assets. One of the most critical things that you do is finding out what is in your environment, what the different assets are there. What are some examples of assets? You have databases, data files, archived data, software applications, operating systems, voice over IP systems if you have them, physical, actual computer equipment, communication equipment, storage media, et cetera. These different assets are what you need to start annotating. Now here's the rub: it ain't sexy. Nobody likes doing it because it's so hard to keep current, and what happens is, as soon as you create it, it's stale. So it really is important, but again, that's why most people don't do it.

What would I think is important? Say there's a router that's hooked to, I don't know, a masher-upper thing, right? A computer is hooked to the chicken masher, and the chicken masher is pretty much low-risk. There's no way it can jump out and chop anybody's head off; it is just a really little masher and you really can't get your fingers in it. So the risk of somebody taking over the chicken masher is pretty low, and therefore I wouldn't put a whole lot of protections around the chicken masher. What I would put a lot more protections around is where you keep your 11 herbs and spices. So that's an example of that. I have an example on the slides that is basically a demilitarized zone, a DMZ. That would be an area where you'd want to have a higher level of protection because it's transitioning between zones. But at the end of the day, you've got to value what that equipment is and what it's worth to you.

Now you're doing your logical and your physical access. The Purdue model basically deals with process control networks. So, networks: as we talked about on the Reduce Cyber Risk podcast, there are various networks, and these networks are segregated based on your process control environment and your business environment. Your process control environment is what makes things happen; your business environment is where leadership goes and sends emails back and forth to each other saying how great you are and how great I am. I'm just joking, of course, but that's the difference, right? So a VLAN is something you can also use to help provide logical and physical separation; a VLAN would be a logical separation, a virtual LAN or virtual local area network. This is where, with older operating systems that you can't put protections on, you can put them on a VLAN and then watch what goes in and what goes out, so that other systems cannot touch this network. It's a great way to segregate your network. There are a lot of pros in doing this, as far as it can keep the bad guys out and it can also keep you in control of what's there. The downside is it adds a lot more to manage and maintain, and so it will take some work to do something like that.

Next is monitoring and prevention. There are various tools that can help you with this: there are intrusion detection systems, intrusion prevention systems, data loss prevention, and then various logging and monitoring types of tools. So your intrusion detection we call IDS, or India Delta Sierra; intrusion prevention is IPS, India Papa Sierra; and data loss prevention is DLP. Yes, there we go, get your military acronyms in for the day, the phonetic... what is that? I can't remember what they call that again. So anyway, you've got to do your Hooked on Phonics.

Security event, incident event monitor, your SIEM: this is what watches; well, it doesn't watch anything, it's the equipment that watches what goes on in your environment and it creates an alerting environment for you. Your SIEM can be something very small if you have a small environment, or it can be something quite large and extremely expensive depending upon what capability you have. Now, this can also be outsourced to other parties. For small businesses I actually recommend this, because you won't be able to afford the skill set to manage it properly, and you're just kind of wasting your money if you put it in your environment without the people to manage it. Security operations center, your SOC: those are the people that manage the SIEM and the protection tools that are in your environment; that is an operations center.

Logging and alerting: there's a collection of various system logs, and these system event logs create a logging and alerting environment that allows for quick identification, correlation and mitigation of malicious activities. It basically looks for anything bad going on. The logs will be generated from whatever might be in your environment; this can be on premises or in the cloud, and the logs will vary between on-prem and cloud environments, so don't just assume that if you've got an on-prem situation you've got all your logs. That is not necessarily the case. Because they get so large and unwieldy, they can become very expensive if you want to store them for significant amounts of time, so keep that in mind. But they can be a great resource to help you find out what's going on in your environment, whether there are any good guys or bad guys; we assume everybody's good, but are there bad guys in your environment?

The other thing that you need to consider is how you manage all of those resources, because that can get overwhelming. I highly recommend that you get your compliance folks involved with whatever you do in this space. Least privilege access control is an extremely important piece of the overall puzzle, and again this comes down to restricting access for people who do not need it. Least privilege: if they don't need it, they shouldn't have it. Those are important pieces, and this is going to be applied to almost everything you deal with in security. There are things you can put in process, and that's where least privilege comes in as well, so it's important that you consider this when you build out the security for your environment. As an example, it could be database controls, applications; all of those things can be considered and could have least privilege added to them. Or if you totally don't care, you can just throw it all out there and see what happens; it's up to you, buddy. Bottom line is you need solid processes or an automated application to help you with this. So that is what we looked at online as it relates to secure network design; again, a plug and shout-out for secure ops and a good job with that blog post, and that's kind of the synopsis of it.

Before we roll on to our next CISSP training, which will be Domain 4, go to ShonGerber.com. You can get all of my CISSP training to help you pass the CISSP the first time; go to ShonGerber.com and pick out whatever you would like, because we have a plethora of training for you. I've got Domains 1 through 8 that you can study for your CISSP exam, and I'm in the process of putting together a study guide to help walk you through what you should study, how you should study it, what the format is and what you should do. So again, go to ShonGerber.com, that's S-H-O-N Gerber, like the baby food, the toilet or the knife, whichever you find it under, because there ain't many other Shon Gerbers out there. I don't think there are any, so it's unique. I'm awesome; just tell me I'm awesome. Thank you. All right, come and get your CISSP training on.

Okay, so we're going to roll into the next piece of this, which is Domain 4.2, secure network components. Now, this is right out of the CISSP training manuals that I've been going over in my video training as well, and a lot of the stuff, you will notice, comes out of what we just talked about above. This is all meant to blend together and to reaffirm what we just talked about; if you go over it again and again, things tend to sink in after a little while, so that's the purpose of this. With this audio training, as you're driving to and from work you will listen to this and go, okay, I need to go to bed because his voice is putting me to sleep, or you may decide this is crazy and I will go listen to some guy talking about how he uses the chicken masher on his chickens. All right, on to secure network components; operation of hardware is the topic.

Now, we talked about before that security is something you need to consider from a network and component level. There are different types of internal and external networks: there's an intranet and an extranet. The intranet is a private internal network; the extranet is a blend of intranet and internet. The internet is the World Wide Web, the intranet is your internal network, and the extranet is a blend of both. Okay. We talked earlier as well about the DMZ, or demilitarized zone: this is where the internet and the business network meet. Now, you can also put a DMZ between the business network and the process network, where they meet, and that's a DMZ as well. So really look at multiple locations: one is from the internet to the business, and then from the business to the process.

We talked about them and how important it is to segment your data and segregate your network using VLANs. Network access controls: when you have network access control in place, these are strong security policies that you need to have that will help you with your access control. I highly recommend that you put these in place. This is probably the one area that people fall out on, and I will admit even I do: having good, solid security policies in place. I need to get better at that. When you have the policies, you have something to go by; without the policies you're kind of making it up as you go every time, and that's always a good thing to do. Anyway, these network access controls do control the access to your environment, and they also have automated security controls or device agents which can do filtering, detection, response, all of those things. These are just to restrict who can get access to the network itself.

Next thing is a firewall. Now, you've probably heard of these; there's a movie out there called Firewall, the movie... when did... Land Before Time? No, that's not it. So that's another one that you could go check out, probably not that good; it's okay, it's all right, it's just a lot of hype over a firewall. Essentially, they are the gates that allow traffic in and out. Now, when you're dealing with clouds, the firewalls, in air quotes, are the security groups. These are essential for managing and filtering traffic coming in and out, and the rules are configured to allow only specific traffic. Data packet inspection is available, so the data going in and out is being looked at by the Eye of Sauron, and it is looking for anything that is malformed or is not right, and it's going to say, hey, there's a problem, you need to fix it. Or it won't, because in many cases that level of inspection can cause a significant resource drain on your firewalls. They can also look at heuristics and signatures. A signature is something like: you have your virus and they take a fingerprint of it; that is a signature. Heuristics would be: this virus is a new combination, the signature plus it's doing really funky stuff that it shouldn't be doing; that would be heuristics. It's based on what that thing is doing and what it's not doing. Firewalls are typically the backbone of the security appliances that you will see out there, and you'll see a lot of these, but as we go into the cloud the name and the nomenclature are changing. I will say that firewalls are still used in the cloud, but the main thing that restricts and manages access in and out of an environment is what we call a security group.

There are a few options. Static packet filtering: this analyzes the message header, so as the message is coming in, as the data is coming in, it's looking at the message header to understand that, and it's also looking at specific rules around the traffic. Static packet filtering is basically focused on one packet and what it does. Application-level firewalls: these are commonly called a proxy firewall, and it copies packets from one location to another. This is typically at layer 7 of the OSI model, or the 7-Layer Burrito, the application layer of the OSI model. It's called a proxy firewall. Stateful inspection firewalls: these are a dynamic inspection. This is where you have to have some really beefy firewalls, and when I say beefy ones, I mean a lot of computing power, because they will be doing a dynamic inspection. They typically fall within layers 3 and 4, which are your network and transport layers of your OSI model, or the 7-Layer Burrito again. Stateful inspection firewalls.

And then we roll into the next-generation firewall, which is multi-purpose. I will say these are kind of the multi-purpose ones: they have intrusion detection, they have packet inspection, they basically have the Ginsu knife, the Swiss Army knife; they can do pretty much everything for you. They are okay, I mean, you have to have a really strong system, but they can be very effective in small environments. They do provide VPN capability, quality of service, which basically will help if your traffic is not meeting standards and it's got packets failing, network address translation; I'm forgetting that acronym right now, off the top of my head, but basically if you have your different IP addresses in place it will NAT out a certain subset of IP addresses. That's NAT. And then, like I said before, it has to be very heavy in the horsepower aspect. I will say, when you're using the firewall for packet inspection and VPN and QoS, it's pretty good, but when you get into the IDS and IPS capabilities, there are plenty out there that have just worked well, but my experience hasn't been as positive in that space as it possibly could be. So that's my two cents on the next-generation firewall. I do use them and I have used them in many places, and they work very, very well in certain and most use cases, but there are times when they may not be the best tool for what you're trying to accomplish. So that is the CISSP training for Domain 4.2, secure network components and operation of hardware.

All right, so let's finish this up, guys and gals, and we're going to roll into the CISSP exam questions. Now, these questions came from target.com; I pulled some questions directly from ISC², which is the body that provides you the CISSP. All right, so question numero uno: serves as a gateway between a trusted and untrusted network that gives limited, authorized access to untrusted hosts. Okay: serves as a gateway between trusted and untrusted networks that gives limited, authorized access to untrusted hosts. A, layer 6; what does that really mean? Just layer 6. B, traceroute. C, bridges. D, bastion host. Well, if you don't know what that means... B, traceroute, I'll give you; a gateway? Bridges, okay, with a bridge you can bridge a network, that may be it. Bastion host, if you don't know what that means, well then, okay, maybe that's probably it, and you're right, it is bastion host. Okay, so it's the bastion host, and if you don't know, guess, and it would be bastion host.

Basic network mapping technique that helps narrow the scope of an attack. A, firewall. B, voice over IP. C, ping scanning. D, bridges. All right, basic network mapping technique: I think that voice over IP ain't it. Scanning: you can map a network with ping scanning, but it's very inefficient and very ineffective, so then the answer would be bridges. Yes. Narrow down these questions so that you have a good shot at least.

Layering model structured into four layers: link layer, network layer, transport layer and application layer. A, remote procedure calls. B, TCP/IP or Department of Defense model. C, screen scraper. D, traceroute. Layering model structured into four layers: link layer, network layer, transport layer and application layer. So now you're layering this; this is a model that somebody came up with. A, RPC, which is remote procedure call; B, TCP/IP or Department of Defense, DoD, model; C, screen scraper; D, traceroute. TCP/IP or Department of Defense, DoD. Again, I feel like it's stump the dummy in many cases. You have to break down these questions, and if you think about it and do it logically, you'll be able to. Go through the training that I've got on ShonGerber.com and you're going to be able to narrow this down quite a bit, even if it is a little confusing. So those are the things you're going to have to do with the CISSP exam.

All right, hope you guys enjoyed the training today on this podcast and everything's going well in your world. Hope you have a wonderful, wonderful week, and head over to ShonGerber.com and check out the training. I've got a bunch of free stuff as well for Domains 1 through 4, some free training. It's available if you just sign up for my email list; you will get that free training and you will also get on my email list, so I will send you when new training is put out, available to you only. All right, hope you guys have a wonderful, wonderful day and we'll catch you on the flip side. For my podcast, I would greatly appreciate the feedback. Also check out my CISSP videos that you can find on YouTube; just search for Shon, S-H-O-N, Gerber, like the baby food, toilet or whatever you choose, and you will find a plethora of content to help you pass the CISSP exam the first time. Lastly, head over to ShonGerber.com and look at the cornucopia of free CISSP content for all my email subscribers. Thanks again for listening.
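Shon's rundown of firewall types in the transcript (static packet filtering that looks only at the one packet's header, versus stateful inspection that tracks connections at layers 3 and 4) is easier to see in code. The following is an added example, not from the podcast or from any firewall product: a toy stateless filter and a toy stateful filter applied to the same constructed packet sequence. The policy (internal hosts may open TCP connections to port 443 and replies must be allowed back in), the 10.0.0.x internal range and the addresses and ports are all assumptions made for the demonstration. The crafted ACK probe shows the hole a stateless "established" rule leaves open and the stateful connection table closes.

```python
"""Static (stateless) packet filtering versus stateful inspection on one packet sequence.

Policy assumed for the demo: internal hosts may open TCP connections to port 443
anywhere, and reply traffic must be allowed back in. Everything else is denied.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed internal range for the demo


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = leaving the internal network, "in" = arriving from outside
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


def stateless_filter(pkt: Packet) -> str:
    """Looks at this packet's header only; has no memory of earlier packets."""
    # Rule 1: internal host opening a connection to HTTPS
    if pkt.direction == "out" and pkt.dst_port == 443:
        return "ALLOW"
    # Rule 2: the classic stateless approximation of "established" traffic:
    # anything from port 443 with the ACK bit set is assumed to be a reply.
    if pkt.direction == "in" and pkt.src_port == 443 and "ACK" in pkt.flags:
        return "ALLOW"
    return "DENY"


class StatefulFirewall:
    """Tracks connections initiated from inside; only matching replies get in."""

    def __init__(self) -> None:
        # key: (internal_ip, internal_port, external_ip, external_port) -> state
        self.table: dict[tuple, str] = {}

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if pkt.dst_port != 443:
                return "DENY"
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"   # new connection attempt: remember it
                return "ALLOW"
            if key in self.table:
                if pkt.flags & {"FIN", "RST"}:
                    del self.table[key]        # connection closing: forget it
                return "ALLOW"
            return "DENY"
        # Inbound: look up the connection this packet claims to belong to
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        state = self.table.get(key)
        if state is None:
            return "DENY"                      # nobody inside asked for this
        if state == "SYN_SENT" and pkt.flags == frozenset({"SYN", "ACK"}):
            self.table[key] = "ESTABLISHED"
            return "ALLOW"
        if state == "ESTABLISHED" and "ACK" in pkt.flags:
            if pkt.flags & {"FIN", "RST"}:
                del self.table[key]
            return "ALLOW"
        return "DENY"


def compare_filters() -> list[tuple[str, str, str]]:
    """Run both filters over a constructed sequence; returns (label, stateless, stateful)."""
    ext, probe, inside = "203.0.113.9", "198.51.100.66", INTERNAL_PREFIX + "5"
    sequence = [
        ("legit SYN out",      Packet("out", inside, 51000, ext, 443, frozenset({"SYN"}))),
        ("legit SYN/ACK back", Packet("in", ext, 443, inside, 51000, frozenset({"SYN", "ACK"}))),
        ("legit data back",    Packet("in", ext, 443, inside, 51000, frozenset({"ACK", "PSH"}))),
        # Attacker spoofs source port 443 and sets ACK to slip past rule 2 of the stateless filter
        ("crafted ACK probe",  Packet("in", probe, 443, inside, 3389, frozenset({"ACK"}))),
        ("unsolicited SYN in", Packet("in", probe, 443, inside, 22, frozenset({"SYN"}))),
    ]
    fw = StatefulFirewall()
    return [(label, stateless_filter(p), fw.filter(p)) for label, p in sequence]


if __name__ == "__main__":
    for label, stateless, stateful in compare_filters():
        print(f"{label:20} stateless={stateless:5} stateful={stateful}")
```

The stateless filter cannot distinguish a genuine reply from a packet that merely looks like one, because it never remembers that a connection was opened; the stateful filter does, which is where the extra horsepower Shon mentions goes. Real stateful firewalls also check sequence numbers and windows, and expire table entries after a timeout; both are left out here to keep the comparison readable.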