
October 30, 2025 24 mins

professorjrod@gmail.com

Security that actually holds under pressure starts long before passwords and antivirus. We pull back the rack door and walk through the parts that make a network resilient: switches that enforce port security, routers that block spoofed traffic, servers that stay patched and locked down, and load balancers that keep services steady when a node falls over. From a small bookstore’s POS to a global bank’s data center, the patterns repeat with higher stakes and tighter controls.

We break down the real tools of infrastructure defense and why they matter. Policy‑based firewalls translate intent like “block social media for guests” into action, while next‑gen engines add deep inspection and URL filtering. Forward proxies protect outbound browsing and reverse proxies hide internal services. Deception tech—honeypots, honeynets, and sinkholes—turns attackers into sources of intel. IDS alerts, IPS blocks, and together they feed visibility into an XDR layer that correlates endpoint, server, cloud, and email signals to stop ransomware chains before they detonate.

Good design contains failure. VLANs limit blast radius when a laptop is compromised. DMZs and jump servers separate public‑facing apps from sensitive systems. Zero trust reframes access with “never trust, always verify,” enforcing MFA, continuous checks, and least privilege across users and APIs. VPNs connect people and sites with SSL and IPsec, while NAC verifies device health and quarantines noncompliant endpoints—a must for any BYOD policy. We tie it all together with practical case studies, a quick quiz to test your instincts, and clear takeaways you can apply to classrooms, clinics, nonprofits, and clouds.
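The port-security control described above (a switch limiting how many MAC addresses may appear on one port) is easy to see in a small simulation. The following is an added example, not code from the episode or from any switch vendor: it models a hypothetical learning switch whose per-port MAC limit keeps a burst of unknown addresses from pushing known devices out of its forwarding table. Port names, limits and MAC addresses are all constructed for the demo.

```python
"""Switch port-security simulation.

Added example, not code from the episode. It models how a hardened access
switch caps the number of source MAC addresses it will learn on a port, so a
burst of unknown addresses cannot push legitimate entries out of its
forwarding (CAM) table. Port names, limits and MAC addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    max_macs: int = 1                   # source MACs the port is allowed to learn
    violation_mode: str = "shutdown"    # "shutdown" | "restrict" | "protect"
    learned: set = field(default_factory=set)
    err_disabled: bool = False          # True once a shutdown-mode violation occurs
    violations: int = 0


class SecureSwitch:
    """A minimal learning switch with per-port MAC limits (hypothetical model)."""

    def __init__(self, ports: dict):
        self.ports = {name: PortSecurity(**cfg) for name, cfg in ports.items()}
        self.cam: dict = {}             # forwarding table: MAC -> port

    def ingress(self, port: str, src_mac: str) -> str:
        """Handle one frame's source MAC arriving on a port; return the action taken."""
        p = self.ports[port]
        if p.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in p.learned:
            return "forwarded"
        if len(p.learned) < p.max_macs:
            p.learned.add(src_mac)
            self.cam[src_mac] = port
            return "learned"
        # Limit reached: every further unknown MAC is a port-security violation.
        p.violations += 1
        if p.violation_mode == "shutdown":
            p.err_disabled = True       # stays down until an admin re-enables it
            return "violation: port shut down"
        if p.violation_mode == "restrict":
            return "violation: dropped, alert raised"
        return "violation: dropped silently"   # "protect" mode


def bookstore_demo(mode: str = "shutdown") -> dict:
    """POS and printer on Gi0/1; a visitor's laptop on Gi0/2 emits 200 bogus MACs."""
    sw = SecureSwitch({
        "Gi0/1": {"max_macs": 2, "violation_mode": mode},   # POS + receipt printer
        "Gi0/2": {"max_macs": 1, "violation_mode": mode},   # spare port for one device
    })
    pos, printer = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"   # constructed MACs
    sw.ingress("Gi0/1", pos)
    sw.ingress("Gi0/1", printer)
    outcomes = []
    for i in range(200):
        bogus = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)   # constructed flood
        outcomes.append(sw.ingress("Gi0/2", bogus))
    return {
        "cam_size": len(sw.cam),                 # bounded at 3, not 202
        "pos_still_mapped": sw.cam.get(pos) == "Gi0/1",
        "violations_on_gi0_2": sw.ports["Gi0/2"].violations,
        "gi0_2_err_disabled": sw.ports["Gi0/2"].err_disabled,
        "second_frame": outcomes[1],
    }


if __name__ == "__main__":
    for mode in ("shutdown", "restrict"):
        print(mode, bookstore_demo(mode))
```

The point to notice is the bounded table: whatever the visitor's laptop sends, the forwarding table never grows past the configured limits, so the POS and printer keep their port mappings. In "shutdown" mode the first extra address takes the port down, which is the loudest signal; in "restrict" mode the port stays up but every extra address is counted, and that violation counter is what a monitoring system should alert on.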

If this deep dive helps you think more clearly about your network’s weak points and how to shrink them, tap follow, share with a teammate, and leave a review so more builders can find it. What’s the first segment you’ll harden this week?



Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:28):
And welcome to Technology Tap. I'm Professor J-Rod. In this episode of Building the Defense, Infrastructure Security for the Real World. Let's tap in. Welcome back to Technology Tap, the show where

(01:10):
technology meets storytelling and security beats common sense. Today we're talking infrastructure security, the locks, gates, and guards of the digital world. When people think cybersecurity, they picture passwords, antivirus, and firewalls. But true protection begins deep inside the infrastructure, the

(01:30):
switches, the routers, servers, and devices that make up the nervous system of your network. Let's start by walking into two places: a small local bookstore and a global bank's data center. Both rely on infrastructure security, but they fight very different battles. Switches. The network traffic directors.

(01:51):
A network switch connects devices on a local network and learns which device sits on which port by examining MAC addresses. When hardened properly, it enforces port security, limiting how many MAC addresses can appear on a single port. Real world example. At a small bookstore, the point of sale systems and the receipt printers share one switch.

(02:12):
A visiting technician plugs in a laptop, unknowingly flooding the switch with fake MAC addresses, a MAC flooding attack. The fix: enable port security. Only known devices can connect. At the enterprise level, switches segment entire departments into VLANs, separating accounts from HR and research from guest.

(02:34):
If one segment is compromised, others remain untouched. Routers, the gatekeepers between networks. A router forwards packets between networks and also acts as a filter using access control lists. Routers prevent IP spoofing, when a malicious device pretends to have another computer's IP address.

Example (02:56):
a home-based freelancer's router logs attempts from strange IPs claiming to be local. That's anti-spoofing in action. In a corporate environment, routers enforce routing policies, VPN tunnels, and DDoS protections, ensuring that internal traffic never leaks out where it shouldn't. Servers, the workhorses.

(03:18):
A server delivers resources and services. Hardening a server means applying patches regularly, monitoring for anomalies, controlling permissions, removing unnecessary software, and securing the location physically. At a community college, a file server sits in an unlocked office. A student accidentally disconnects it.

(03:39):
Lesson learned: infrastructure security starts with a locked door. Load balancers, distributing the load. A load balancer evenly distributes requests across multiple servers. It can detect and stop protocol attacks, hide error pages, and mask real server IPs. For a regional hospital, load balancers keep electronic health

(04:01):
record servers running even if one node fails. Infrastructure security hardware. Firewalls, digital gatekeepers. A firewall inspects traffic and decides what to allow or what to block. There are two main philosophies. Rule-based firewalls rely on an explicit allow/deny list, and policy-based firewalls use higher-level statements like

(04:23):
block all social media sites for guest users. Example, a local high school district blocks TikTok from students' Wi-Fi. That's policy-based filtering in action. Enterprise networks deploy next generation firewalls capable of deep packet inspection, content URL filtering, and application awareness.

(04:45):
Proxy servers. A proxy acts as a middleman. A forward proxy intercepts outbound requests from the user. A reverse proxy handles inbound requests from the internet and routes them to internal servers. Example. A city library uses a forward proxy to block gambling sites. An e-commerce company uses a reverse proxy to hide its

(05:09):
internal web servers behind a single secure gateway. Deception Technologies. Enter honeypots, honeynets, and sinkholes. Systems designed to attract attackers. A honeypot might mimic a login portal. A sinkhole redirects malicious traffic to a safe void. A small ISP sets up a honeypot that catches repeated SSH brute

(05:32):
force attempts. Analysts study these IPs to block future attacks. A large defense contractor uses a honeynet, multiple decoy systems to gather intelligence on attacker behavior. IDS and IPS. An intrusion detection system monitors traffic and raises alerts. An intrusion prevention system actively blocks attacks.

(05:55):
Network versions are called NIDS and NIPS. Inline systems act in real time. Passive systems analyze copies of traffic. Small firm example, a bakery's IDS sends message alerts about port scans. Enterprise example, NIPS at a bank's perimeter automatically drops packets for unknown malicious addresses.

(06:19):
The thing is about IDS and IPS, IDS will tell you, will let you know something's going on, but they won't do anything about it. And IPS will. IPS does something about it. Hardware defenses are like layers of a medieval castle, walls, gates, and watchtowers, but without smart software and good design, even a castle can fail.

(06:43):
Web and DNS filtering. Web filtering monitors what websites users visit and blocks unsafe or inappropriate ones. Methods include browser scanning, agent-based, proxy, and cloud scanning. Filtering uses content categorization, URL scanning, and reputational scores.

(07:03):
DNS filtering blocks malicious domains entirely by refusing to resolve them. A small clinic uses DNS filtering to block known phishing domains. A Fortune 500 company uses global DNS reputation feeds. File integrity monitoring, or FIM. FIM watches files for unauthorized changes. Problem, too much noise.

(07:24):
The trick is tuning, monitoring only critical system files. Example, a payroll service configuration changes trigger alerts to the system on a chip. Extended detection and response. While endpoint detection and response focuses on endpoints, XDR correlates data across endpoint servers.

(07:46):
Across endpoint servers, cloud storage, and emails. A manufacturing firm uses XDR to link a suspicious email attachment with later PowerShell activity, stopping a ransomware chain. Segmentation. Networks are divided physically and logically. Logical segmentation creates subnets, often through virtual

(08:09):
LANs or VLANs. If marketing laptops catch malware, VLANs can keep it from reaching financial servers. At a small business, VLANs separate guest Wi-Fi from internal printers. At a global bank, segmentation enforces compliance. Credit card systems are isolated under PCI DSS.

(08:30):
One thing about VLANs, I'll give you a short example of a VLAN. So for example, when I was a high school teacher, we had computers in a classroom. And when we first got them, they wanted, you know, of course we wanted internet access, right? To teach the kids, you know, how to use the internet, how to get on, how to fix it, you know, using all the tools that we had

(08:53):
online. But my boss was like, hey, why don't you just get Verizon, put a router in the back of the classroom, and then that's your internet. But I was worried, because it's a high school, and you know, in the class was mostly boys, that they were going to inappropriate websites, and I would be responsible for that. So I said, let's do a VLAN, let's get the company who's in

(09:14):
charge of the infrastructure come in and create a VLAN for that room. We were different IP addresses from the rest of the school. The school was using private IP addresses in the tens, and we were in that classroom 192.168. So anything that we did in that classroom would not affect anybody else. We could crash the system in that classroom, and nothing will

(09:39):
happen to everybody else. So that actually worked out good. And it was like a one-time payment, I think it was 600 bucks for them to come and do it, rather than paying Verizon every month. And because all the traffic went out of the same router, the router is where all the restrictions were at. So you know, it was still going out of the same router. So I had no issues trying to configure security because it

(10:02):
was just the same security as before. That's what a VLAN does. Physically, you're in the same location, but logically, you're on separate networks. Demilitarized zone. A DMZ is a semi-trusted zone between the internet and secure networks. Web servers live here. Accessible to outsiders but separated by firewalls.

(10:23):
A jump server inside the DMZ allows admins controlled access into the secure zone. Example, a university hosts public websites and email in a DMZ. Internal grade databases stay behind another firewall. Zero trust architecture. Zero trust flips the old mindset.

(10:43):
It assumes compromise has already happened. Model: never trust, always verify. Core components: policy engines decide if access is allowed. Policy enforcement points execute that decision. Policy automation applies consistent rules. Control plane/data plane separates decision logic from

(11:03):
data transfer. A small MSP adopts zero trust by requiring MFA for every login, even internal. A multinational company uses a full ZTA platform verifying every IPA, API call and user token. Zero trust isn't about paranoia, it's about precision.

(11:25):
It treats access like oxygen. You can only breathe what you need.

(11:56):
VPN. A VPN lets remote users connect securely over the internet, as if they were inside the private network. Two types: remote access VPN for individual users and site-to-site VPN connecting offices. The protocols they use are IPsec, SSL, and L2TP/IPsec, since L2TP

(12:18):
alone lacks encryption. For example, a traveling salesman logs into HQ using SSL VPN through a browser portal. An enterprise uses site-to-site IPsec tunnels linking New York, London, and Tokyo. NAC, Network Access Control. NAC checks a device's health before letting it on the

(12:40):
network. If it fails, i.e. no antivirus, it gets quarantined. Some NAC agents, some NACs use agents, others integrate with Active Directory. Small example, a high school's Wi-Fi NAC blocks unpatched students' laptops. Enterprise, a hospital's NAC enforces HIPAA compliance before devices access patient data.

(13:00):
So if you have, you know, they do this a lot if you work from home and you're using your own device to log into your company. And usually it's a clientless, what they call a clientless VPN, where you just go in through the browser. It checks your computer to see if your computer meets the minimal requirements that the NAC sets up.

(13:23):
And if it doesn't, then it'll quarantine you, or in this case, it will, since you're not in there in person, it will put you on another web page and it will tell you, hey, you're missing this, this, and this. Like download these things in order to be compliant. That's another form of NAC. Access control isn't about distrust, it's about

(13:45):
stewardship. You protect the network the way a librarian protects rare books. Not everyone gets the same key. Layered defense and real-world integration. Small businesses, a local accounting firm implements a UTM appliance, firewall plus IDS plus content filtering. Staff use VPN and NAC to ensure every laptop has endpoint

(14:08):
protection. Enterprise. A cloud provider uses VLAN segmentation, load balancers, redundant firewalls, XDR telemetry, and zero trust policies tied to Azure AD. Case study, the nonprofit network. A community nonprofit runs donations through a web portal.

(14:29):
Initially hosted on a single server in the office, one power surge away from disaster. After a ransomware scare, they move to a cloud-based load balanced environment, add weekly vulnerability scans, implement DNS filtering, and train volunteers on phishing awareness. Result: uptime 99.9%.

(14:52):
Stress down 100%. Here's another case study. Enterprise Data Center. A multinational bank builds redundant DMZs with jump servers segmenting SWIFT transactions from retail apps. Honeynets capture early probes. IDS, IPS feed data into an XDR dashboard, and zero trust

(15:14):
ensures even admins must re-authenticate for privileged tasks. Key takeaways: hardware, software, and design must work together. Segmentation limits blast radius. Zero trust plus NAC equals context aware access. Monitoring and response closes the loop.

(15:36):
Infrastructure security isn't one product, it's an ecosystem of decisions made every day by techs, admins, and leaders. Alright, here are the four questions. The way I do it is I read you four questions, I give you the four choices, I read them again, I give you five seconds, and

(15:59):
then you try to give me the right answer. Alright, question one. A small retailer wants a firewall that can block entire categories like social media without writing individual rules. Which type fits best? A, rule-based firewall, B, policy-based firewall, C, stateless firewall, or D, proxy firewall.

(16:21):
I'll read it again. A small retailer wants a firewall that can block entire categories like social media without writing individual rules. Which type fits best? A, rule-based firewall, B, policy-based firewall, C, stateless firewall, or D, proxy firewall. Alright, give you five seconds to think about it.

(16:43):
Five, four, three, two, one. The answer is B, policy-based firewalls. Policy-based firewalls use high-level policies instead of manual rule lists. So you can block social media sites. You can block gambling sites, you can block adult sites, right? All right, question two.

(17:05):
Which device acts as the intermediary to route requests from internal users to external websites, hiding internal IPs? A, a forward proxy, B, a reverse proxy, C, load balancer, or D, NAC server. Which device acts as the intermediary to route requests from internal users to external websites, hiding internal IPs?

(17:30):
A, forward proxy, B, reverse proxy, C, load balancers, or D, NAC server. Alright, give me five seconds to answer. Five, four, three, two, one. And the answer is A. Forward proxy. A forward proxy handles outbound requests on behalf of internal users.

(17:51):
Alright. We're halfway there. Are you two for two? Are you ready to go four for four? Let's do question three. Zero trust architecture is built on which guiding principle? A, trust but verify. B, never trust, always verify. C, block everything by default. Or D, authenticate once and assume safe.

(18:14):
I'll read it again. A zero trust architecture is built on which guiding principle? A, trust but verify. B, never trust, always verify. C, block everything by default. Or D, authenticate once and assume safe. Give you five seconds to think about it. Five, four, three, two, one.

(18:36):
And the answer is B. Never trust, always verify. Zero trust assumes compromise and requires continuous verification for every request. That's what makes it zero trust. You don't trust anybody at any time. Alright, last question. Hopefully you have three for three and you're gonna go four

(18:57):
for four. Let's do this. Before allowing a device to join a corporate network, the system checks antivirus status and OS patch level. Which technology performs this function? A, VPN, B, DMZ, C, network access control, or D, IDS. Before allowing, let me read again.

(19:17):
Before allowing a device to join a corporate network, the system checks antivirus status and OS patch level. Which technology performs this function? A, VPN, B, DMZ, C, network access control, or D, IDS. I'll give you five seconds to think about it. Five, four, three, two, one.

(19:42):
The answer is C, network access control, or NAC. NAC enforces posture assessments, granting or restricting network access based on the device level. So one thing about this is this is why I don't like bring your own devices, right? When a company allows bring your own devices to be brought into

(20:02):
the company network, either virtually or on site, you have to build a NAC, right? Because you don't know what they have and what they don't have. So really it's actually work for you, right? That's one of the reasons I'm not a big fan of bring your own device. Because if you had your own device, you know, if you had the

(20:22):
company's devices, you already set up, they already set up, so you don't need a NAC, but it's this bring your own device stuff that you open up this potential, you know, risk, I guess, and unless you don't, you know, and or you have to build a NAC, right?

(20:43):
And the companies do this. Even companies, I've seen companies where you work from home and they don't send you the device. They tell you, oh no, no, use your device because you're logging into their system. But your device has to have these minimal requirements. And those minimal requirements are set up by the company, but if you don't have them, then you have to install them, you know,

(21:03):
OS patches or just different, whatever version of software that they use. You know, it might be a different level of Citrix that they might use, right? They might, you know, you may have one level of Citrix and they want you to have another, so it checks your, and it continuously checks, right? Every time you log in, it's continually checking your stuff,

(21:24):
right? And you know, so you might have a version of Citrix that they used to use, and now they want you to upgrade to a newer version or a newer version of Chrome, right? They used to use one version of Chrome and Chrome updated, so they updated their NAC, right? So now you got to go in there and download the new version of

(21:44):
Chrome. So, you know, it's a lot of, you know, it's some work for the user, you know, and it kind of forces you, like after a while. I think some companies give you a deadline, like you have until like the end of the week to upgrade. If you don't upgrade, then it kind of locks you out of the system. So it kind of forces you to update. But again, what do you do with these people who work from

(22:06):
home, they're not really computer savvy, right? I mean, that's a problem, or potentially be a problem, right? Then you gotta call IT, they gotta go on your machine and install the software yourself or walk you through the process. That's just a lot of time wasting. Where if you, you know, if you just send them, I don't know,

(22:27):
send them your computer or I don't know. I think I guess sending the computer to the person's house, you're still gonna have to do the updates anyway. So because you're not in full control of it. But still, it's just, you know, that's why I don't like bring your own device. I'm not a big fan of it. I never have been. I think companies, you know, stop being cheap, buy your

(22:49):
own, right? And send it to the person. Right? You know, this is not cell phones. This is, you know. Back in the day, they used to have to buy your cell phone, and then people would carry two cell phones, especially the Blackberry days where people had two phones, but nowadays, you know, everything's integrated into your phone.

(23:10):
So, and that's another thing, that's another chapter for another time about checking your email from home and all that stuff. That's a totally different topic. So, all right. Infrastructure security is about more than routers and firewalls, it's about people making smart choices every day, from the

(23:30):
smallest classroom network to the biggest data center. Thanks for tuning in to Technology Tap. Until next time, I'm Professor J-Rod, reminding you to keep tapping into technology.

(24:03):
This has been a presentation of Little Chacha Productions, art by Sarah, music by Joakim. We're now part of the Pod Match Network. You can follow me at TikTok at Professor Jrod, at J R O D, or you can email me at professorjrod at gmail.com,

(24:36):
you can jump in.