Network Hardening Flashcards
Patch Management
Planning, testing, implementing, & auditing of software patches
(Security, increases uptime, ensures compliance, improves features)
Planning - Track available patches to determine how to test/deploy
Testing - Test patches prior to deployment (use a test network/lab)
Implementing - Deploy the tested patches; disable Windows Update from running automatically before deployment
Auditing - Scan the network to determine whether the patch was installed (also covers firmware management)
Least Functionality
Process of configuring a device/server/workstation to provide only the essential services required by the user
Cisco devices = AutoSecure CLI command
Port Security
Prevents unauthorized access to a switchport by identifying/limiting the MAC addresses of the hosts that are allowed to use it
Port Security: Dynamic Learning
Defines a maximum number of MAC addresses for a port & blocks new devices not on the learned list
Private VLAN (Port Isolation)
A technique where a VLAN contains switchports that are restricted to a single uplink
(Primary, secondary isolated, secondary community)
Primary VLAN
Forwards frames downstream to all of the secondary VLANs
Isolated VLAN
Includes switchports that can reach the primary VLAN but not other secondary VLANs
Community VLAN
Includes switchports that can communicate with each other & the primary VLAN but not other secondary VLANs
Default VLAN = VLAN1
Community VLAN: P-Port
Promiscuous Port:
Can communicate with anything connected to the primary/secondary VLANs
Host ports, isolated ports, community ports
Community VLAN: I-Port
Isolated Port:
Can communicate upward to a P-Port; cannot talk to other I-Ports
Community VLAN: C-Port
Community Port:
Can communicate with P-Ports & other C-Ports on the same community VLAN
Native VLAN
VLAN where untagged traffic is put once it is received on a trunk port
DAI
Dynamic ARP Inspection:
Validates the ARP packets in your network
Ensures only valid ARP requests/responses are relayed across the network device
Invalid ARP packets = dropped
DHCP Snooping
Provides security by inspecting DHCP traffic, filtering untrusted DHCP messages, & building/maintaining a DHCP snooping binding table
Untrusted Interface
Any interface that is configured to receive messages from outside the network/firewall
Trusted Interface
Any interface configured to receive messages only from within the network
Configure switches/VLANs to allow DHCP snooping
RA-Guard
IPv6 Router Advertisement Guard:
Mitigates attack vectors based on forged ICMPv6 router advertisements
(Layer 2) - Specifies the interfaces on which RAs are not allowed
CPP
Control Plane Policing:
Configures a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers/switches
Data plane, management plane, control plane, service plane
ACL: Explicit Deny
Blocks matching traffic
ACL: Implicit Deny
Blocks traffic to anything not explicitly specified
ACL: Role-Based Access
Defines the privileges & responsibilities of administrative users who control firewalls & their ACLs
Wireless Client Isolation
Prevents wireless clients from communicating with one another
WAPs begin to operate like a switch using private VLANs
Guest Network Isolation
Keeps guests away from your internal network communications