CompTIA Security+ SY0-601 – 3.3 Implement secure network designs. Part 1

  1. Load Balancing

In this video we’re going to be talking about load balancing, or load balancers. So what exactly is this? Well, let’s just take a look at one really quickly. Here is a load balancer device for $60,000. This is a Citrix load balancer, a hardware load balancer. What it does is distribute load across web servers when you are managing a big web server farm. So to really understand what this really expensive device does, you have to understand what load balancers are. Here I have a diagram of that. So let’s take a look at this. Here you have a load balancer, and this here is the load balancing cluster. Here you have the Internet. Maybe you are hosting websites, and you have several web servers that all have the same website on them.

You see, what happens in the world of IT is you can’t have one single web server serving up 20, 30, 50, 100 thousand users. You have to distribute that load among different web servers, and to do that you’re going to need a load balancer. This here is that Citrix device that we just saw. So basically a load balancer does exactly what it says: it balances the load. The way this would work is, let’s say you have many requests coming through the firewall. It would send one request here, then it’ll send another one here, then another one here. How it’s distributing the load among the different computers in its cluster is known as scheduling. Basically there are two good ways of doing scheduling.

One is what’s known as round robin and the other one is least connection. So round robin is: when this request comes in, I send you here. When another one comes in, I’ll send you here. When another one comes in, I’ll send you here. When another one comes in, I go back to the first one and send you there, and so on. It just keeps doing this over and over. That is round robin. The other one is the least connection method. Let’s say right now we’ve got connections coming in. Notice how this server has two connections, this one has two connections, and this one only has one. So the next connection coming in, it’s going to send it here, to the one with only one connection.

Now this one has two. The next one coming in, let’s say this one now goes up to three, so the next one coming in might be sent here. So what it’s doing is the server with the least connections gets the next one. Maybe this one has three and people are not leaving. Maybe this one has ten and this one still has two. Remember, when a connection comes in, it stays there. So the next one would go to the one with two, that would make three, and this keeps on happening. Now, there is a variety of different scheduling methods you can use. This is the load balancing algorithm, how it’s distributing the load among the systems.

Now, if you don’t want the load balancer to be a piece of hardware, there are software load balancers, in which case you install software across your web servers. There is none of this hardware load balancer; it’s just a piece of software with a virtual IP address. The firewall sends all traffic to that virtual IP address, and the software will then distribute the load among the servers. So that’s one way of doing it. Generally, if you’re going to be using a software load balancer, which is something you would install across your web servers, you’ll have a virtual IP address. The other term I want to mention is persistence, or stickiness, as we call it. What this means is, let’s say you have Bob here and then you have Mary. When Mary connects through the cloud, she goes to Server A. Bob comes in, he goes to Server B.

But what happens if Mary disconnects, leaves, and then comes back later? What happens when she comes back in through the cloud? If you configure persistence or stickiness, it will send her right back to Server A. In other words, it always uses that particular server to serve Mary instead of just sending her to the next available server as it would with round robin or least connection. Now, the way load balancing clusters are going to be set up is you could use either what is known as active/active or active/passive clusters. Most load balancers are active/active, which means all of the nodes are active, so it’s sending requests to all of them. The other way to do it is active/passive.

As its name implies, active/passive would be, let’s say you’re doing this with this three-node cluster here. You would put these two in a passive state and this one in an active state. So it’s always sending requests here. When this one dies, then it starts to send requests to the next one, and that one becomes the active node. If that dies, it goes to the other one. So active/passive basically means only if a server dies does the other one kick in. You’re not utilizing the full power of the cluster. So load balancing clusters, very important to know for your exam. Load balancers are pretty much something that’s common to see in networks, especially serving web servers.

Do you actually think that the whole of Amazon is powered by one single box in a data center? Amazon has thousands and thousands of machines that power it, but then you need to have all of those servers storing the same information and a load balancer distributing the load across all of these servers. So for your exam, you don’t need to know how to set these things up or configure them, but you do need to understand what a load balancer is, and as you can see, they’re really expensive. But in today’s networking you really need it in order to achieve good connections and keep those connections going in case machines are going down. So you have this availability problem you’re solving, and then you don’t want to have slow websites, because a load balancer basically does exactly what it says it does: you’re balancing that load.
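The scheduling methods from this lesson, as an added worked example that is not part of the course material or of any Citrix product: a small simulated scheduler that implements round robin and least connection, the persistence (stickiness) behaviour described for Mary and Bob, and the difference between an active/active and an active/passive cluster. The server names A, B and C, the client names and the connection counts are constructed for the demo; a real load balancer would also run health checks and handle the virtual IP address, which this toy does not.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Backend:
    """One web server in the cluster (constructed example)."""
    name: str
    healthy: bool = True      # result of the last health check
    connections: int = 0      # connections currently open on this node


class LoadBalancer:
    """Toy scheduler for the two methods in the lesson.

    method: "round_robin" or "least_connection"
    sticky: send a returning client back to the server it used before
    mode:   "active_active" (every healthy node serves requests) or
            "active_passive" (one node serves, the others only stand by)
    """

    def __init__(self, backends: List[Backend], method: str = "round_robin",
                 sticky: bool = False, mode: str = "active_active") -> None:
        self.backends = backends
        self.method = method
        self.sticky = sticky
        self.mode = mode
        self._rr_next = 0                       # round-robin pointer
        self._sessions: Dict[str, str] = {}     # client id -> backend name

    def _pool(self) -> List[Backend]:
        healthy = [b for b in self.backends if b.healthy]
        if self.mode == "active_passive":
            return healthy[:1]   # only the first healthy node is active
        return healthy

    def _schedule(self, pool: List[Backend]) -> Backend:
        if self.method == "least_connection":
            # fewest open connections wins; ties go to the earliest node
            return min(pool, key=lambda b: b.connections)
        chosen = pool[self._rr_next % len(pool)]   # rotate through the pool
        self._rr_next += 1
        return chosen

    def connect(self, client: str) -> str:
        """Assign a new connection from `client`; return the chosen server name."""
        pool = self._pool()
        if not pool:
            raise RuntimeError("no healthy backend available")
        chosen: Optional[Backend] = None
        if self.sticky and client in self._sessions:
            wanted = self._sessions[client]
            chosen = next((b for b in pool if b.name == wanted), None)
        if chosen is None:                 # no sticky entry, or that node is down
            chosen = self._schedule(pool)
        chosen.connections += 1            # the connection stays open on that node
        if self.sticky:
            self._sessions[client] = chosen.name
        return chosen.name

    def disconnect(self, server: str) -> None:
        """Release one connection on the named server."""
        for b in self.backends:
            if b.name == server and b.connections > 0:
                b.connections -= 1
                return


def _cluster() -> List[Backend]:
    return [Backend("A"), Backend("B"), Backend("C")]


def demo_round_robin() -> List[str]:
    lb = LoadBalancer(_cluster())
    return [lb.connect(f"client{i}") for i in range(5)]     # A B C A B


def demo_least_connection() -> List[str]:
    nodes = _cluster()
    nodes[0].connections, nodes[1].connections, nodes[2].connections = 2, 2, 1
    lb = LoadBalancer(nodes, method="least_connection")
    return [lb.connect(f"client{i}") for i in range(3)]     # C, then A, then B


def demo_sticky() -> List[str]:
    lb = LoadBalancer(_cluster(), sticky=True)
    first = lb.connect("Mary")           # Mary lands on A
    lb.connect("Bob")                    # Bob lands on B
    lb.disconnect(first)                 # Mary leaves
    return [first, lb.connect("Mary")]   # she comes back to A, not to C


def demo_active_passive() -> List[str]:
    nodes = _cluster()
    lb = LoadBalancer(nodes, mode="active_passive")
    before = [lb.connect("c1"), lb.connect("c2")]   # everything goes to A
    nodes[0].healthy = False                        # A dies
    return before + [lb.connect("c3")]              # B takes over


if __name__ == "__main__":
    print("round robin      :", demo_round_robin())
    print("least connection :", demo_least_connection())
    print("sticky           :", demo_sticky())
    print("active/passive   :", demo_active_passive())
```

The sticky lookup only honours a saved session if that server is still in the healthy pool, which is what you want: persistence should never pin a returning user to a dead node.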

  2. Network segmentation

In this video I’m going to be talking about network segmentation. First of all, you never want a network that’s considered flat. Flat networks are networks that have absolutely no segments, no VLANs to break up the network. All the traffic is in one giant LAN. This is bad because now you’re sharing. Now you have data shared among different departments. People could sniff the traffic, they could do man-in-the-middle against each other and get at it. You have public servers internally, such as a web server that you’re allowing outside traffic to access. If that server is compromised, the attacker is right there in your network. So you want to be able to segment your network.

Now our exam has given us some very specific terms when it comes to segmentation. Let’s take a look at them. The first thing we want to mention is VLANs. Remember, VLANs are done in switches and they are logical segmentation of a LAN. VLANs are normal and you should have them within your LAN to separate departments, such as having departments separated by sales, accounting or finance. We’ll do a video later on where I actually explain more about VLANs. But remember, a VLAN is in the LAN itself, and it separates the computers in the LAN, generally by department. That way traffic from computers in the accounting department can’t hit traffic in the sales department.

So I want you guys to understand VLANs well. Let’s take a look at my network that I have here, and then we’re really going to get into it and explain all of it. So here I have a network. Here is the internal LAN itself. I’ve got a few computers: a desktop, a storage server, and a few other desktops there. Here is the firewall. The firewall is connected to an Internet router, which then connects to the Internet, and then computers on the Internet are probably trying to access what I have here. This is known as a DMZ. The DMZ is where you would put your computers that are Internet accessible, and this would generally be hung off of the firewall. So here’s how basically this would be set up. Let me just unplug my SonicWall here.

I want to show you the physical segmentation of this. So basically, if this SonicWall was the device that we were setting up, there is the WAN port. I know it’s hard for you guys to focus on it, but this port here says WAN. This is what I would connect to the Internet, so this port would connect to the Internet router. This one says LAN on it, so we can connect this one to a LAN switch, right? Out of this here would go into a switch that we would connect all of our LAN devices to. That’s our internal computers. And then we have another one. We actually have a few more here: X1, X2, X3.

These here we can connect into another switch, into what’s known as the DMZ. So the DMZ is where we would connect a switch to; we would designate this port as a DMZ. And then when traffic is coming from the WAN to get to, maybe, a web server we’re hosting, it would come to this port here on the DMZ. So hopefully that helps to really identify what it is that we’re doing. I know these logical diagrams: any book you read has diagrams that look like this, but now you’re actually seeing what it means. So basically the firewall has three ports, one here, one here and one here. As traffic is coming off the Internet and it wants the web server, it goes into the DMZ. The DMZ is where you store publicly accessible servers. These are servers that are going to be public.

Traffic is going to flow that way. God forbid somebody injects data into the server and takes it over; they’re not in your LAN, right? So things in your DMZ generally should be public information. That is what is known as the DMZ, the demilitarized zone. Now a couple of other terms I want to mention: one is east-west traffic, and the other one is north-south. East-west traffic occurs when you have traffic that is going to be within a data center. That’s all that means: east-west traffic is traffic moving within the data center. Then you have north-south, or let me say south-north. This is basically traffic coming in and out of the data center, not just within the data center.
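The three-port firewall from the diagram, as an added example that is not part of the course and not SonicWall configuration: a small zone-based policy evaluator with WAN, LAN and DMZ zones that allows the Internet to reach only the DMZ web server, lets the LAN out, and denies the DMZ from reaching the LAN so a compromised public server is not a foothold into the internal network. It also classifies each flow as east-west (between internal segments) or north-south (crossing the Internet edge). The address ranges, the choice of port 443 and the first-match rule ordering are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the firewall's internal interfaces.
# Anything not on an internal segment is treated as the outside (WAN).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to the firewall zone it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    src_zone: str              # zone name, or "*" for any zone
    dst_zone: str
    dst_port: Optional[int]    # None matches any port
    action: str                # "allow" or "deny"


# Ordered rule base: first match wins, and the final rule is the default deny.
POLICY: List[Rule] = [
    Rule("WAN", "DMZ", 443, "allow"),   # the public web server is reachable from outside
    Rule("LAN", "DMZ", 443, "allow"),   # staff use the same service from inside
    Rule("LAN", "WAN", None, "allow"),  # outbound access from the internal LAN
    Rule("DMZ", "LAN", None, "deny"),   # a compromised DMZ host must not reach the LAN
    Rule("WAN", "LAN", None, "deny"),   # nothing from the Internet reaches the LAN directly
    Rule("*", "*", None, "deny"),       # explicit default deny
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int,
             policy: List[Rule] = POLICY) -> str:
    """Return 'allow' or 'deny' for one flow presented to the firewall."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "WAN":
        # same segment: the traffic stays on the switch and never crosses the firewall
        return "allow"
    for rule in policy:
        if (rule.src_zone in ("*", src) and rule.dst_zone in ("*", dst)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"


def direction(src_ip: str, dst_ip: str) -> str:
    """East-west stays between internal segments; north-south crosses the edge."""
    internal = {"LAN", "DMZ"}
    if zone_of(src_ip) in internal and zone_of(dst_ip) in internal:
        return "east-west"
    return "north-south"


if __name__ == "__main__":
    # Constructed sample flows: an outside client, the DMZ web server, a LAN desktop.
    flows = [
        ("203.0.113.5", "192.168.100.10", 443),   # Internet -> DMZ web server
        ("203.0.113.5", "192.168.100.10", 22),    # Internet -> DMZ, wrong port
        ("203.0.113.5", "192.168.10.20", 445),    # Internet -> LAN desktop
        ("192.168.100.10", "192.168.10.20", 445), # DMZ server -> LAN desktop
        ("192.168.10.20", "203.0.113.5", 80),     # LAN desktop -> Internet
    ]
    for src, dst, port in flows:
        print(f"{src:>15} -> {dst:<15}:{port:<4} {direction(src, dst):<11} {evaluate(src, dst, port)}")
```

Keeping the default deny as the last explicit rule rather than relying on the implicit one makes the policy reviewable: every flow that is allowed is allowed because someone wrote a line for it.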

The other terms I have here are extranet and intranet. So this here is the intranet. All the computers within your LAN are considered part of your intranet. The intranet is the part of your network that everybody in your organization generally has access to. So the intranet, remember for your exam, is within the company. The other term you’re going to have is something called an extranet. What if you allow certain customers to access the storage device to update it or to place orders? Maybe this is an ordering system stored here to order information. The extranet is a part of your network that you’re going to allow certain customers or certain traffic to come in to. So technically it’s in, but it’s still out.

The extranet, of course, has to be super secure, and you have to configure this well on your firewall. Now the other term here that we want to mention, which you guys should become very familiar with, is something called Zero Trust. Zero trust is a mentality in network design. It’s not just a mentality, it’s also implementation; you have to follow up with your implementation. It’s an implementation design that basically specifies zero trust, which means no trust; zero means none. Have no trust in anything: not in the people, not in the network, not in the data routing, not in where the data is going. Basically, you have zero trust, but you verify everything. And this is a mentality now in networking. You see, by default, when we connect devices to a network, we may have had a trust factor.

Humans themselves have trust factors within them. But zero trust is a mentality where we’re saying we don’t trust any humans. We have to train them, we have to secure their data. We don’t trust where they’re going; we have to secure that. So imagine network systems where there’s no trust and everything has to be verified. You’re basically creating a network that is highly, highly secure, because you don’t trust anything, so you have to secure everything. That’s really what it means. Okay, so these were the different network segmentations. Hopefully you guys had some fun seeing this diagram, and let’s keep on going until we get to the good stuff of configuring these firewalls.

  3. How to download and install Packet Tracer

In this video, I’m going to be showing you how to download and install Packet Tracer on your computer. Packet Tracer is a Cisco utility that a lot of students use when studying simpler certifications like Network+ and Security+, and then of course Cisco’s own certifications, CCNA, CCNP, and the many variants of those types of certification. This is almost a mandatory piece of software when it comes to studying Cisco certifications. It allows you to do a lot of the practice in the lab, such as working on the switches and the routers, testing your connections, and getting a good feel for what it’s like to manage Cisco networks. So if you’re studying the Cisco area of your Network+ or Security+, it’s a great utility to have. The best part about this utility is that it’s free to download.

Now, we do need to have a valid email address that we can verify, and we’re going to have to enroll in one of Cisco’s courses to get the actual software. It’s not as easy as just going to Cisco’s website and downloading it; you actually have to enroll in one of their courses in order to get it. So let’s get started. Here I am at Google, and I’m just going to type “download Cisco Packet Tracer”. And here we are, Cisco Packet Tracer, the first link. So it’s NetAcad, netacad.com. NetAcad is Cisco’s Networking Academy. This is the learning part of their site, the learning part of their business that teaches Cisco. Now, you notice it says you have to enroll, then download, in order to get started. So we’re going to have to enroll in one of their courses.

I’m just going to choose the first course they have on the site here because, hey, it’s free and it’s going to be quick. So I’m going to say Intro to Packet Tracer. Once again, it’s a free course. So we’re going to say sign up today. In English, my first name, I’m just going to put in my name there and an email to receive the communications on. Make sure you have a valid email, because they’re going to ask us to verify that email in a few minutes. I am 13 years old. I don’t need them to send me anything to my email; I have enough junk. Two plus seven is nine, and I’m going to say submit. Okay? So hopefully I got two plus seven correct. Okay, here we go. You have to fill out some more information. United States. This is where I am going to put in a password.

You have to create that eight-digit password, right? So you want to put a nice complex password in there. This password is important, because when you’re logging into the tool you’re going to have to use your login credentials, at least I think that’s right. No, that was in red; 524315. Yes, that was correct. Would you like to receive promotions? No, I am okay. All right, register. So we’re creating a Cisco identity account; here is what this is. Okay, so registration is now complete. It’s going to take us here. We’re going to have to log in, then we have to verify our email address. No, we don’t want Edge to remember this. You never want your browser to remember your password; that’s good security. Put in my email and I have to put in the password. I think I missed a letter there that first time. Never mind. Okay, so it wants me to verify my email.

Now you only have to do this once. All right, so hopefully they send me this email quickly, or I have to keep this video rolling for a while. Yes, I got it already. Okay, so I’m just going to put in the number that they sent me. Let’s see if that’s correct. Okay, so we’re good. Now it’s going to enroll me in the class. So now that I have the Cisco account, it says, hey, we want to find out some things about you. Send me some news on Cisco Academy? No, I’m okay. My state: New York is where I am. More than five years of experience I have, and you should try to be as honest on this form as you can. Do you have a disability? No. I’m not going to tell you how old I am, guys. I’m going to say August 1, but put 2000; we have to be more than, I think it was 13, it said there. Race? I’m not going to disclose that to you. Military? Nope. Let’s create an account.

All right, so we’re ready. We are enrolled in their class now. If you want, you can actually go through the class and learn how to use it. I’ll show you guys; we have a lot of videos on how to use it in another section of our classes, but in this course we’re seeing how to download it. So here we are. The course is ready to go. I could launch this course here, but I need to download Packet Tracer. So I’m going to scroll down here, and here I am at Packet Tracer. In here you have the download. We don’t need to upgrade or anything like that, but you notice the download. Right now, as I’m making this video, you have the Windows version 7.3.1, you have the Mac, you have Linux. So there are different versions if you run it on macOS or if you’re running Linux.

For Windows you have a Windows 64-bit edition, and so it starts to download. If you have Linux or macOS, you do have those versions in there to download. Okay, so guys, we’re going to pause this video. When we come back, hopefully it will be finished downloading and then we’ll install it. I’ll see you in a few seconds. Okay, guys, it seems like my Packet Tracer is finished downloading. So let’s go ahead and install Packet Tracer. Packet Tracer is here. We’re going to click on open file. Okay, yes, we’re going to let this install. It says I have to agree to the agreement; we’re going to click on next. Cisco Packet Tracer. It’s telling me where it’s going to install it. The start menu is going to say Cisco Packet Tracer. I’ll just put a link on my desktop, that’s fine. And I’m just going to say install.

That’s not a very large piece of software and it installs pretty quickly. But remember, hopefully you have verified your email, because it’s going to need that when we start to log into it. Okay, so it’s installed. I think the installation might be a little different if you run it on Mac or Linux, and if you have Mac or Linux you should at least know how to install a program, so it’s not going to be very different. Okay, so launch Cisco Packet Tracer. First thing up, we’re going to click on Finish. Would you like to run in multiuser mode? No, that’s fine. And here it is. That’s basically all there is to it. We’re going to say Allow Access so it can get out to the Internet. So we’re going to say allow access. And you notice you could continue as a guest.

You can only save files up to three times that way, so you want to make sure you have that Cisco Academy account; first of all, you couldn’t even get here if you didn’t have it, and by logging in with it you’re not really limited. So I put in the email that I used, put in my password, and it’s going to check everything. That’s why you want to make sure that’s right. Before it starts it says, hey, do you want to give this program access? Yes. And that is Cisco Packet Tracer. I’m not going to get into how to use it; we’ll keep that for another video. But in here you can drag in and add different kinds of routers and switches, configure them, and have a whole lot of fun studying your Cisco certification. So this is the basis of studying for your Cisco certification. Now that we have Packet Tracer, we’re ready to start studying, and hopefully we can pass all of our certifications.
