Network Hardening

Question 1

Hardening

Answer 1

Securing a system by reducing its surface of vulnerabilities

Healthy balance between operations and security

Question 2

Patch Management

Answer 2

Involves planning, testing, implementing, and auditing of software patches
Provides security
Increases uptime
Ensures compliance
Improves features
Ensure patches don’t create new problems once installed

Question 3

Planning

Answer 3

Tracks available patches and updates and determines how to test
and deploy each patch

Question 4

Testing

Answer 4

Tests any patch received from a manufacturer prior to automating
its deployment through the network
Have a small test network, lab, or machine for testing new
patches before deployment

Question 5

Implementing/ Implementation

Answer 5

Deploys the patch to all of the workstations and servers that
require it
Disable the Windows Update service from running automatically
on the workstation
Also implement patching through a mobile device manager
(MDM), if needed

Question 6

Auditing

Answer 6

Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
Also conduct firmware management for your network devices

Question 7

Password Policy

Answer 7

Specifies minimum password length, complexity, periodic changes, and
limits on password reuse

Question 8

Strong Password

Answer 8

Sufficiently long and complex which creates lots of possible combinations
for brute force attacks to be completed in time
Long vs Complex
Passwords should be up to 64 ASCII characters long
Password aging policies should not be enforced
Change default passwords

Question 9

Unneeded Services

Answer 9

A service is an application that runs in the background of an operating system or
device to perform a specific function
Disable any services that are not needed for business operations

Question 10

Least Functionality

Answer 10

Process of configuring a device, a server, or a workstation to only provide
essential services required by the user
AutoSecure CLI command can be used on Cisco devices

Question 11

Port Security

Answer 11

Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed

Question 12

Static Configuration Switch

Answer 12

Allows an administrator to define the static MAC addresses to use on a
given switchport

Question 13

Dynamic Learning

Answer 13

Defines a maximum number of MAC addresses for a port and blocks new
devices that are not on the learned list

Question 14

Private VLAN (Port Isolation)

Answer 14

A technique where a VLAN contains switchports that are restricted to
using a single uplink
Primary
Secondary isolated
Secondary community

Question 15

Primary VLAN

Answer 15

Forwards frames downstream to all of the secondary VLANs

Question 16

Isolated VLAN

Answer 16

Includes switchports that can reach the primary VLAN but no other
secondary VLANs

Question 17

Community VLAN

Answer 17

Includes switchports that can communicate with each other and the
primary VLAN but not other secondary VLANs
Default VLAN is known as VLAN 1

Question 18

Promiscuous Port (P-Port)

Answer 18

Can communicate with anything connected to the primary
or secondary VLANs
Host Ports
Isolated Ports (I-Port)
Community Ports (C-Port)

Question 19

Isolated Port (I-Port)

Answer 19

Can communicate upwards to a P-Port and cannot talk

with other I-Ports

Question 20

Community Port (C-Port)

Answer 20

Can communicate with P-Ports and other C-Ports on the

same community VLAN

Question 21

Native VLAN

Answer 21

VLAN where untagged traffic is put once it is received on a trunk port

Question 22

(DAI)

Answer 22

Dynamic ARP Inspection (DAI)
Validates the Address Resolution Protocol (ARP) packets in your network
Ensures only valid ARP requests and responses are relayed across the
network device
Invalid ARP packets are dropped and not forwarded

Question 23

DHCP Snooping

Answer 23

Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table

Question 24

Untrusted Interface

Answer 24

Any interface that is configured to receive messages from outside the
network or firewall

Question 25

Trusted Interface

Answer 25

Any interface that is configured to receive messages only from within the
network
Configure switches and VLANs to allow DHCP snooping

Question 26

(RA-Guard)

Answer 26

IPv6 Router Advertisement Guard (RA-Guard)
Mitigates attack vectors based on forged ICMPv6 router advertisement
messages
Operates at Layer 2 of the OSI model for IPv6 networks to specify which
interfaces are not allows to have router advertisements on

Question 27

(CPP)

Answer 27

Control Plane Policing (CPP)

Configures a QoS filter that manages the traffic flow of control plane

Question 28

SNMP

Answer 28

Allows us to easily gather information from our various network devices
back to a centralized management server
Community strings grant access to portions of the device management
planes
Ensure you are NOT using SNMP v1 or SNMP v2
Combine with whitelisting of the Management Information Base (MIB)
Segregate SNMP traffic onto a separate management network

Question 29

(ACL)

Answer 29

Access Control List (ACL)
A list of permissions associated with a given system or network resource
Block SSH for a single computer based on its IP address
Block any IP using port 110
Block any IP and any port from outside the LAN
Most specific first

Question 30

Explicit Deny

Answer 30

Blocks matching traffic

Question 31

Implicit Deny

Answer 31

Blocks traffic to anything not explicitly specified

Question 32

MAC Filtering

Answer 32

Defines a list of devices and only allows those on your Wi-Fi network
Explicit allow
Implicit allow
Always use explicit allow

Question 33

Wireless Client Isolation

Answer 33

Prevents wireless clients from communicating with one another
Wireless access points begin to operate like a switch using private VLANs

Question 34

Guest Network Isolation

Answer 34

Keeps guests away from your internal network communications

Question 35

Pre-Shared Key (PSK)

Answer 35

Secures wireless networks, including those protected with WEP, WPA,
WPA2, and WPA3
Ensure you choose a long and strong password