CompTIA exam study guide presentations by instructor Brian Ferrill, PACE-IT (Progressive, Accelerated Certifications for Employment in Information Technology)
"Funded by the Department of Labor, Employment and Training Administration, Grant #TC-23745-12-60-A-53"
Learn more about the PACE-IT Online program: www.edcc.edu/pace-it
2. Page 2
Instructor, PACE-IT Program – Edmonds Community College

Areas of Expertise: PC Hardware; Network Administration; IT Project Management; Network Design; User Training; IT Troubleshooting.

Industry Certifications

Qualifications Summary

Education: M.B.A., IT Management, Western Governor’s University; B.S., IT Security, Western Governor’s University.

Entrepreneur, executive leader, and proven manager with 10+ years of experience turning complex issues into efficient and effective solutions. Strengths include developing and mentoring diverse workforces, improving processes, analyzing business needs and creating the solutions required, with a focus on technology.
3. Page 3
– Defense in depth.
– Elements and components of network design.
PACE-IT.
5. Page 5
Due to the complexity of modern networks, malicious attackers have multiple avenues that they can use to breach network security. This same complexity also allows for security to be placed in multiple areas using different methods.

By placing security at different levels and in different places, network administrators can increase the overall security posture of a network. This concept is known as defense in depth.

Security should not just be placed in a single spot, as this creates a single point of failure. Security should be emplaced at multiple layers of the network, using a diversity of methods, in order to create an effectively hardened network.

Secure network design elements and components.

Just as when peeling an onion, once one layer of security is stripped away, the attacker should find another layer waiting underneath.
7. Page 7
– Demilitarized zone (DMZ).
» The DMZ is a specific area (zone) created—usually between two firewalls—that allows outside access to network resources (e.g., a Web server), while the internal network remains protected from outside traffic.
• The external-facing router allows specific outside traffic into the DMZ, while the internal router prevents that same outside traffic from entering the internal network.
– Network address translation (NAT).
» NAT is a technique that allows devices using private IP addresses to communicate across, or through, an untrusted public network.
• The NAT device—usually a router—assigns a public, routable IP address to a device that is requesting outside access.
» NAT has the added benefit of protecting the internal private network.
• The private network’s IP addressing scheme is hidden from untrusted networks by the NAT-enabled router.
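The two-router DMZ described above, modelled as an added example (not part of the PACE-IT material): the external-facing router admits only HTTP/HTTPS to the DMZ Web server, and the internal router independently refuses outside traffic bound for the internal network. The addresses, ports and rule sets are constructed for the illustration; the final check shows why the second layer matters when the first one is misconfigured.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (an assumption for this example, not from the slides):
# TEST-NET-3 stands in for the public DMZ block, 10.0.0.0/8 for the internal net.
ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("203.0.113.0/24")
INTERNAL = ip_network("10.0.0.0/8")
WEB = ip_network("203.0.113.10/32")   # public-facing Web server in the DMZ
DB = ip_network("10.1.1.20/32")       # database server on the internal network

@dataclass(frozen=True)
class Rule:
    src: object            # ip_network the source must belong to
    dst: object            # ip_network the destination must belong to
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

# External-facing router: only HTTP/HTTPS from outside, and only to the DMZ Web server.
EXTERNAL_RULES = [
    Rule(ANY, WEB, 80, "allow"),
    Rule(ANY, WEB, 443, "allow"),
    Rule(ANY, ANY, None, "deny"),   # default deny
]
# Internal router: the Web server may reach the database on its service port only;
# nothing else is allowed to enter the internal network.
INTERNAL_RULES = [
    Rule(WEB, DB, 5432, "allow"),
    Rule(ANY, INTERNAL, None, "deny"),
]

def evaluate(rules, src, dst, dport):
    """First-match evaluation; a packet matching no rule is denied."""
    for r in rules:
        if src in r.src and dst in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

def traverse(src, dst, dport, external=EXTERNAL_RULES, internal=INTERNAL_RULES):
    """Walk one packet through both layers; return (verdict, router that decided)."""
    s, d = ip_address(src), ip_address(dst)
    if s not in DMZ and s not in INTERNAL:     # arrives from the outside
        if evaluate(external, s, d, dport) == "deny":
            return ("deny", "external")
    if d in INTERNAL:                          # tries to cross into the internal network
        if evaluate(internal, s, d, dport) == "deny":
            return ("deny", "internal")
    return ("allow", "passed")

# A deliberately over-permissive outer layer, used to show the inner layer still holds.
LOOSE_EXTERNAL = [Rule(ANY, ANY, None, "allow")]
```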
8. Page 8
– Network access control (NAC).
» NAC is a method of controlling who and what gains access to a wired or wireless network.
• In most cases, NAC uses a combination of credential-based security (e.g., 802.1X) and some form of posture assessment for a device attempting to log on to the network.
» A posture assessment considers the state of the requesting device. The device must meet a set of minimum standards before it is allowed access to the network.
• Common device assessments include the type of device, the operating system, the patch level of the operating system, and the presence of anti-malware software and how up to date it is.
– Virtualization.
» Virtualization is the process of creating virtual resources instead of actual resources.
• Hardware, operating systems, and complete networks can be virtualized.
» A security advantage of virtualization is that, if the virtual resource is compromised, it can easily be taken down, recovered, fixed, and then brought back online.
9. Page 9
– Subnetting.
» Subnetting is the logical division of a network—a single block of IP addresses—into discrete, separate networks.
• Subnetting can be done to match the physical structure of the network (e.g., the network only requires enough addresses for 100 nodes, not 254).
• Subnetting can be done to increase the security of the network by segmenting resources by needs and security level.
– Segmentation of resources.
» Security can be increased by segmenting a network based on resources and security needs through the implementation of virtual local area networks (VLANs).
• The segmentation can be done based on user groups (e.g., a VLAN for the sales department and another one for human resources).
• The segmentation can be done based on resource type (e.g., a VLAN for file servers and another one for Web servers).
• Commonly, segmentation is accomplished with a combination of the two.
» The use of VLANs supports a more secure, layered approach in the network design.
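To make both ideas on this slide concrete (right-sizing a subnet to its host count, and carving one address block into per-VLAN subnets by department and resource type), here is an added example in Python using the standard ipaddress module. It is not part of the PACE-IT material; the address block, segment names and host counts are constructed, and the allocation order (largest segment first) is the example's own choice.

```python
import ipaddress
import math

def prefix_for_hosts(hosts):
    """Smallest IPv4 prefix length that leaves at least `hosts` usable addresses.

    A /p subnet has 2**(32-p) - 2 usable hosts (network and broadcast addresses
    are reserved), so 100 nodes fit in a /25 (126 usable) instead of a /24 (254).
    """
    if hosts < 1:
        raise ValueError("a subnet needs at least one host")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - host_bits

def usable_hosts(net):
    """Usable host addresses in a subnet (excludes network and broadcast)."""
    return net.num_addresses - 2

def segment(block, needs):
    """Carve `block` into one subnet per segment, each sized to its host count.

    `needs` maps a segment name (e.g. a VLAN) to the number of hosts it must
    hold. Larger segments are placed first so every subnet lands on an aligned
    boundary; raises ValueError if the block cannot hold them all.
    """
    pool = [ipaddress.ip_network(block)]       # free space, kept in address order
    plan = {}
    for name, hosts in sorted(needs.items(), key=lambda kv: -kv[1]):
        plen = prefix_for_hosts(hosts)
        for i, free in enumerate(pool):
            if free.prefixlen <= plen:         # this free piece can hold a /plen
                chosen = next(free.subnets(new_prefix=plen))
                plan[name] = chosen
                # hand the unused remainder of this piece back to the pool, still ordered
                pool[i:i + 1] = sorted(free.address_exclude(chosen))
                break
        else:
            raise ValueError(f"no room left for {name!r} ({hosts} hosts)")
    return plan
```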
10. Page 10
In modern networks, it is not uncommon to need to allow remote access to local network resources.

Remote workers often need to access resources that are located on the main business network. This requires the use of remote access technology in order for it to happen in a secure manner.

Remote access can occur using telephony technology (e.g., dial-up) or through the use of a virtual private network (VPN). In all cases, secure protocols and methods should be used in order to ensure the security of the local network. For example, one of the forms of Extensible Authentication Protocol (EAP) should be used when allowing remote access.
11. Page 11
Topic: Defense in depth.
Summary: The complexity of modern networks means that there are different avenues that attackers can use to breach a network’s security. Defense in depth involves placing security at many different layers of a network. By placing security at different layers and by using different security methods, even if the outer security is breached, the inner security remains in place.

Topic: Elements and components of network design.
Summary: Defense in depth can be implemented in multiple ways, including adding a DMZ, using NAT, implementing NAC, using virtualization, employing subnetting and segmentation, and requiring remote access technology.