Network Hardening Flashcards
Hardening
Securing a system by reducing its attack surface: the vulnerabilities, services and interfaces an attacker can reach
Healthy balance between operations and security
Patch Management
Involves planning, testing, implementing, and auditing of software patches
Provides security
Increases uptime
Ensures compliance
Improves features
Ensure patches don’t create new problems once installed
Planning
Tracks available patches and updates and determines how to test
and deploy each patch
Testing
Tests any patch received from a manufacturer prior to automating
its deployment through the network
Have a small test network, lab, or machine for testing new
patches before deployment
Implementing/ Implementation
Deploys the patch to all of the workstations and servers that
require it
Disable automatic Windows Update on the workstation so that patches are
deployed centrally on the tested schedule rather than pulled straight from the vendor
Also implement patching through a mobile device manager
(MDM), if needed
Auditing
Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
Also conduct firmware management for your network devices
Password Policy
Specifies minimum password length, complexity, periodic changes, and
limits on password reuse
Strong Password
Sufficiently long and complex that the number of possible combinations is too
large for a brute force attack to complete in a useful amount of time
Long vs Complex
Length matters more than complexity; systems should accept passwords of at least 64 ASCII characters (current NIST SP 800-63B guidance) rather than forcing short, hard-to-remember strings
Forced periodic password changes (password aging) should not be enforced; require a change only when there is evidence of compromise
Change default passwords
Unneeded Services
A service is an application that runs in the background of an operating system or
device to perform a specific function
Disable any services that are not needed for business operations
Least Functionality
Process of configuring a device, a server, or a workstation to only provide
essential services required by the user
AutoSecure CLI command can be used on Cisco devices
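Taken together, the password policy, unneeded-service and least-functionality cards translate into a management-plane baseline like the one below for a Cisco IOS device. This is an added example, not configuration from the original flashcards or from Cisco; the hostname, the example.net domain, the 10.0.0.0/24 management subnet, the username and the bracketed passphrase placeholders are assumptions.

```cisco
! Added example (assumed hostname, domain, subnet and username; replace <...>)
hostname edge-sw1
ip domain-name example.net
!
! Password policy: enforce a minimum length and store local credentials with a
! strong one-way hash (type 9, scrypt) instead of the reversible type 7
security passwords min-length 14
enable algorithm-type scrypt secret <strong-enable-passphrase>
username netadmin privilege 15 algorithm-type scrypt secret <strong-user-passphrase>
! Slow down online guessing: 120 s quiet period after 3 failures within 60 s
login block-for 120 attempts 3 within 60
login on-failure log
!
! Unneeded services: remove what the business does not use
no ip http server
no ip http secure-server
no cdp run
no service finger
no service pad
no ip bootp server
no ip source-route
no ip domain-lookup
!
! Least functionality for management: SSHv2 only, from the management subnet only
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
 login local
!
! Alternatively, run "auto secure" from privileged EXEC mode (it is not a
! configuration command) to apply Cisco's AutoSecure baseline interactively,
! then review what it changed before saving
```

Check the result with `show running-config | include secret` (every secret should be type 9, none type 7) and `show ip ssh`. Disabling CDP breaks IP phone and some monitoring discovery; keep `cdp enable` on those specific ports if the business needs it rather than leaving it on globally.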
Port Security
Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed
Static Configuration
Allows an administrator to define the static MAC addresses to use on a
given switchport
Dynamic Learning
Sets a maximum number of MAC addresses a port may learn and blocks any further
devices that are not on the learned list (sticky learning writes the learned
addresses into the running configuration so they survive a save and reload)
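The two port security modes on one Cisco IOS access port, as an added example that is not part of the original flashcards or of any vendor documentation. The interface name, VLAN 10 and the MAC address 0011.2233.4455 are assumptions.

```cisco
! Added example: Gi0/1 is a user access port on VLAN 10; the MAC address is made up
interface GigabitEthernet0/1
 description user access port
 ! port security is only accepted on a statically configured access (or trunk)
 ! port, not on a port left in dynamic/DTP mode
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! at most two MAC addresses may use this port
 switchport port-security maximum 2
 ! static configuration: pin one known host
 switchport port-security mac-address 0011.2233.4455
 ! dynamic learning with sticky: the remaining slot is learned from the first
 ! frame seen and written into the running configuration
 switchport port-security mac-address sticky
 ! a third address is dropped, counted and logged; "shutdown" would instead
 ! err-disable the whole port until it is re-enabled
 switchport port-security violation restrict
!
! if violation shutdown is preferred, let the port recover by itself after 5 min
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! verify from privileged EXEC:
! show port-security interface GigabitEthernet0/1
! show port-security address
```

The `restrict` mode keeps the legitimate hosts online while the violation counter in `show port-security interface` tells you someone plugged in an extra device; `shutdown` is the stricter choice on ports where a violation should take the whole port offline. Remember to `write memory` after sticky addresses are learned, otherwise they are lost on reload.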
Private VLAN (Port Isolation)
A technique where a VLAN contains switchports that are restricted to using a single uplink
Consists of a Primary VLAN and Secondary VLANs (Isolated or Community)
Primary VLAN
Forwards frames downstream to all of the secondary VLANs
Isolated VLAN
Includes switchports that can reach the primary VLAN but no other
secondary VLANs
Community VLAN
Includes switchports that can communicate with each other and the
primary VLAN but not other secondary VLANs
Default VLAN is known as VLAN 1
Promiscuous Port (P-Port)
Can communicate with anything connected to the primary or secondary VLANs
Host Ports
Either Isolated Ports (I-Port) or Community Ports (C-Port)
Isolated Port (I-Port)
Can communicate upwards to a P-Port and cannot talk
with other I-Ports
Community Port (C-Port)
Can communicate with P-Ports and other C-Ports on the
same community VLAN
Native VLAN
VLAN where untagged traffic is put once it is received on a trunk port
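The private VLAN port roles above (P-Port, I-Port, C-Port) and the native VLAN / VLAN 1 hardening of the trunk, configured on one Cisco IOS switch. This is an added example, not configuration from the original flashcards; the VLAN numbers, interface roles and the choice of VLAN 999 as the unused native VLAN are assumptions.

```cisco
! Added example: VLAN numbers and interface roles are assumptions
! PVLANs require VTP transparent (or VTP version 3) on older IOS switches
vtp mode transparent
!
! primary VLAN 100 carries the uplink; 101 is the isolated secondary,
! 102 a community secondary
vlan 100
 private-vlan primary
 private-vlan association 101,102
vlan 101
 private-vlan isolated
vlan 102
 private-vlan community
!
! I-Port: talks to the P-Port only, never to another I-Port
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! C-Ports: talk to each other and to the P-Port, not to hosts in VLAN 101
interface range GigabitEthernet0/2 - 3
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! P-Port: the single uplink toward the gateway; mapped to every secondary VLAN
interface GigabitEthernet0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Native VLAN and VLAN 1 hardening on the trunk to the next switch:
! untagged frames land in an unused VLAN instead of VLAN 1, only the VLANs
! that must cross the trunk are allowed, and DTP negotiation is turned off
vlan 999
 name NATIVE-UNUSED
interface GigabitEthernet0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100-102
 switchport nonegotiate
!
! verify: show vlan private-vlan ; show interfaces trunk
```

Private VLAN isolation is a Layer 2 control only: the gateway sitting on the P-Port can still route traffic between two isolated hosts if asked to, so pair it with a filter on the gateway (for example a VLAN ACL) when isolated hosts must not reach each other at Layer 3 either. Platforms that support both ISL and 802.1Q also need `switchport trunk encapsulation dot1q` before `switchport mode trunk`.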
Dynamic ARP Inspection (DAI)
Validates the Address Resolution Protocol (ARP) packets in your network
Ensures only valid ARP requests and responses are relayed across the
network device
Invalid ARP packets are dropped and not forwarded
DHCP Snooping
Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table
Untrusted Interface
Any interface not known to lead to a legitimate DHCP server, typically a
client-facing access port; DHCP server messages (OFFER, ACK, NAK) arriving
here are dropped as coming from a rogue server
Trusted Interface
Any interface that leads toward the legitimate DHCP server or relay, such as the
uplink; server messages received here are forwarded
Enable DHCP snooping globally and on each VLAN that should be protected
IPv6 Router Advertisement Guard (RA-Guard)
Mitigates attack vectors based on forged ICMPv6 router advertisement
messages
Operates at Layer 2 of the OSI model on IPv6 networks, specifying which
interfaces are not allowed to receive router advertisements (only ports facing
legitimate routers are trusted)
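DHCP snooping, Dynamic ARP Inspection and RA Guard are normally configured together, because DAI validates ARP against the binding table that DHCP snooping builds and RA Guard is the IPv6 counterpart of trusting only the uplink. Below is an added example for one Cisco IOS access switch; it is not configuration from the original flashcards. VLAN 10 as the user VLAN, Gi0/24 as the uplink toward the DHCP server and router, and the rate limits are assumptions.

```cisco
! Added example: VLAN 10 is the user VLAN, Gi0/24 the uplink; rates are illustrative
ip dhcp snooping
ip dhcp snooping vlan 10
! do not insert option 82 unless the upstream relay expects it
no ip dhcp snooping information option
!
! DAI checks every ARP packet on VLAN 10 against the snooping binding table
! and additionally sanity-checks the MAC and IP fields
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! IPv6 first-hop security: two RA Guard roles, router-facing and host-facing
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! the uplink is the only place DHCP server replies, ARP from the gateway
! and Router Advertisements are accepted without inspection
interface GigabitEthernet0/24
 description uplink to distribution / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
 ipv6 nd raguard attach-policy ROUTER-UPLINK
!
! access ports stay untrusted; rate limits blunt DHCP starvation and ARP floods
! (a port that exceeds the DAI rate is err-disabled)
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ipv6 nd raguard attach-policy HOST-PORTS
!
! verify from privileged EXEC:
! show ip dhcp snooping binding
! show ip arp inspection statistics vlan 10
! show ipv6 nd raguard policy HOST-PORTS
```

The practical caveat is hosts with static IP addresses: they never appear in the snooping binding table, so DAI drops their ARP traffic. Either add them with `ip source binding` entries or an ARP ACL (`arp access-list`) applied with `ip arp inspection filter`, or they will be cut off the moment DAI is enabled.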
Control Plane Policing (CPP)
Configures a QoS policy (classification plus rate limits) that controls the traffic
flow to the device's control plane, so that floods aimed at the CPU or route
processor cannot starve routing protocols and management access
SNMP
Allows us to easily gather information from our various network devices
back to a centralized management server
Community strings grant access to portions of the device management
planes
Ensure you are NOT using SNMP v1 or SNMP v2c, which send community strings in clear
text; use SNMPv3 with authentication and encryption (auth/priv)
Combine with an SNMP view that exposes only the needed parts of the Management
Information Base (MIB) and an access list that limits which hosts may poll the device
Segregate SNMP traffic onto a separate management network
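The SNMP cards above as a Cisco IOS configuration: community strings removed, an SNMPv3 user with auth and priv, a restricted MIB view and an ACL so only the management station can poll. This is an added example, not configuration from the original flashcards; the NMS address 10.0.0.5, the management SVI Vlan900, the user name and the bracketed passphrases are assumptions.

```cisco
! Added example: NMS address, management interface, user and passphrases are assumptions
! remove the clear-text v1/v2c community strings
no snmp-server community public
no snmp-server community private
!
! MIB view: the poller only needs the system and interfaces groups
snmp-server view NMS-VIEW system included
snmp-server view NMS-VIEW interfaces included
!
! only the NMS may talk SNMP to this device
ip access-list standard NMS-ONLY
 permit host 10.0.0.5
!
! v3 group: authentication and encryption required (priv), read-only,
! bound to the restricted view and the ACL
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access NMS-ONLY
!
! v3 user: SHA for authentication, AES-128 for privacy
snmp-server user nms-poller NMS-GROUP v3 auth sha <auth-passphrase> priv aes 128 <priv-passphrase>
!
! traps leave via the management interface and are sent with v3 priv as well
snmp-server trap-source Vlan900
snmp-server enable traps snmp authentication linkdown linkup
snmp-server host 10.0.0.5 version 3 priv nms-poller
!
! verify: show snmp user ; show snmp group ; show snmp view
```

Note that `snmp-server user` lines do not appear in `show running-config` (the credentials are stored separately), so `show snmp user` is the way to confirm the user exists with the expected auth and priv protocols. Keep the management SVI in its own VLAN or VRF so SNMP never crosses user segments.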
Access Control List (ACL)
A list of permissions associated with a given system or network resource
Block SSH for a single computer based on its IP address
Block any IP using port 110
Block any IP and any port from outside the LAN
Most specific first: rules are evaluated top down and the first match wins, so a
broad permit placed above a narrow deny would make the deny unreachable
Explicit Deny
Blocks matching traffic
Implicit Deny
Blocks traffic to anything not explicitly specified
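The three example rules from the ACL card, written as Cisco IOS extended access lists and applied to the interfaces where they belong. This is an added example, not configuration from the original flashcards; the LAN 192.168.1.0/24, the blocked host 192.168.1.50 and the interface roles (Gi0/1 facing the LAN, Gi0/0 facing the Internet) are assumptions.

```cisco
! Added example: LAN subnet, blocked host and interface roles are assumptions
!
! rules 1 and 2 apply to traffic leaving the LAN, so they go inbound on the LAN port
ip access-list extended LAN-IN
 remark 1. most specific first: block SSH from one computer
 deny   tcp host 192.168.1.50 any eq 22
 remark 2. block any IP using port 110 (POP3)
 deny   tcp any any eq 110
 remark the implicit deny would block everything else, so permit the rest explicitly
 permit ip 192.168.1.0 0.0.0.255 any
!
! rule 3 applies to traffic arriving from outside, inbound on the Internet port
ip access-list extended OUTSIDE-IN
 remark 3. block any IP and any port from outside the LAN, but let replies to
 remark    sessions the LAN opened come back (established = ACK or RST bit set)
 permit tcp any 192.168.1.0 0.0.0.255 established
 remark explicit deny: same effect as the implicit deny, but it logs the hits
 deny   ip any any log
!
interface GigabitEthernet0/1
 description LAN
 ip access-group LAN-IN in
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
!
! verify hit counts: show ip access-lists
```

Swap the order of the `deny` and `permit` lines in LAN-IN and the SSH block silently stops working, which is why the card says most specific first. The `log` keyword on the final deny is what makes an explicit deny worth more than the implicit one: `show ip access-lists` then shows a hit counter and the log records the sources being blocked.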
MAC Filtering
Defines a list of devices by MAC address and only allows those on your Wi-Fi network
Explicit allow: only listed MAC addresses may join; all others are refused
Implicit allow: any MAC address may join except those explicitly listed (a deny list)
Always use explicit allow, and treat it as a weak control: MAC addresses are sent in the clear and are trivially spoofed
Wireless Client Isolation
Prevents wireless clients from communicating with one another
The access point then behaves like a switch whose client ports are isolated private VLAN ports: each client reaches only the uplink, not its neighbors
Guest Network Isolation
Keeps guests away from your internal network communications
Pre-Shared Key (PSK)
Secures wireless networks that use WEP, WPA, WPA2 or WPA3 in their personal
modes; WEP and WPA are broken and should not be used, and WPA3-Personal
replaces the raw PSK handshake with SAE (Simultaneous Authentication of
Equals), which resists offline dictionary attacks on a captured handshake
Ensure you choose a long and strong passphrase, since with WPA2-PSK a captured four-way handshake can be brute forced offline