Network Hardening Flashcards
Hardening
Securing a system by reducing its attack surface: the services, open ports,
protocols, accounts, and code paths that an attacker can reach
o Strike a workable balance between operations and security; a device
hardened until it can no longer do its job is not a useful outcome
Patch Management
o Involves planning, testing, implementing, and auditing of software patches
▪ Provides security
▪ Increases uptime
▪ Ensures compliance
▪ Improves features
o Ensure patches don’t create new problems once installed
▪ Planning
● Tracks available patches and updates and determines how to test
and deploy each patch
▪ Testing
● Tests any patch received from a manufacturer prior to automating
its deployment through the network
● Have a small test network, lab, or machine for testing new
patches before deployment
▪ Implementing
● Deploys the patch to all of the workstations and servers that
require it
● Disable automatic Windows Update on workstations so that only patches
that passed testing are pushed from the central patch management server
● Also implement patching through a mobile device manager
(MDM) for phones and tablets, if needed
▪ Auditing
● Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
● Also conduct firmware management for your network devices (switches,
routers, firewalls, access points), which the workstation patching tool
usually does not cover and which are therefore easy to forget
Unneeded Services
A service is an application that runs in the background of an operating system or
device to perform a specific function; every listening service is a potential
entry point, whether or not anyone uses it
▪ Disable any services that are not needed for business operations
o Least Functionality
Process of configuring a device, a server, or a workstation to provide only the
essential services required by the user
● The auto secure CLI command on Cisco IOS devices walks through disabling
unneeded global and interface services (finger, small servers, HTTP server,
BOOTP, CDP, proxy ARP, ICMP redirects) and tightening login and logging
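As an added example (not part of the original notes), this is the manual equivalent of the service-stripping part of auto secure on a Cisco IOS router. The interface name GigabitEthernet0/0, the 10.0.99.0/24 management network, and the assumption that an RSA key pair for SSH already exists are all illustrative:

```cisco
! Global services with no business need on a typical edge router
no service tcp-small-servers
no service udp-small-servers
no service finger
no service pad
no ip bootp server
no ip http server
no ip http secure-server
no ip source-route
no cdp run
!
! Routed interfaces: drop ICMP helpers that leak topology or assist spoofing
! (GigabitEthernet0/0 is an assumed interface name)
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
!
! Keep remote management, but only SSHv2 and only from the management subnet
ip ssh version 2
access-list 10 remark management hosts (assumed range)
access-list 10 permit 10.0.99.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Verify (exec mode): nothing unexpected should be listening on the device
show control-plane host open-ports
```

Run auto secure interactively rather than with no-interact the first time and read the configuration it proposes before saving it; it also enables features such as a login block and uRPF that can lock you out or blackhole asymmetric traffic if applied blindly.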
Port Security
Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed
Static Configuration
Allows an administrator to define the static MAC addresses to use on a
given switchport; a frame from any other source MAC is a violation
Dynamic Learning
Defines a maximum number of MAC addresses for a port; the switch learns
addresses from incoming frames until the limit is reached, then treats any
further new MAC as a violation (protect drops silently, restrict drops and
logs, shutdown err-disables the port). Sticky learning writes the learned
addresses into the running configuration so they survive link flaps
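An added Cisco IOS example (not from the original notes) showing both modes side by side: a static entry on a printer port and sticky dynamic learning on user ports that carry a phone plus a PC. Interface numbers, VLAN IDs, and the MAC address 0011.2233.4455 are assumptions:

```cisco
! Static: one known device, anything else shuts the port down
interface GigabitEthernet0/5
 description Printer (assumed fixed MAC)
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Dynamic/sticky: learn up to two MACs (IP phone + PC), log and drop extras
interface range GigabitEthernet0/6 - 23
 description User ports
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 50
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Let err-disabled ports (violation shutdown) recover on their own after 5 min
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verify (exec mode)
show port-security interface GigabitEthernet0/6
show port-security address
```

Port security only works on access ports (switchport mode access must be set first), sticky addresses are lost on reload unless the running configuration is saved, and a MAC address is trivially spoofed: the control stops accidental hubs and CAM-table flooding, not a deliberate attacker, so pair it with 802.1X where that is possible.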
Private VLAN (Port Isolation)
A technique that splits one VLAN (and one IP subnet) into a primary VLAN and
secondary VLANs so that hosts on the same subnet cannot talk to each other
directly; host ports can only send to the promiscuous port, normally the
single uplink to the router or firewall
● Primary: carries traffic from the promiscuous port down to every host
● Secondary isolated: hosts cannot reach each other, only the promiscuous port
● Secondary community: hosts in the same community reach each other and the
promiscuous port, but not other communities or isolated hosts
Dynamic ARP Inspection (DAI)
Validates the Address Resolution Protocol (ARP) packets in your network
against the DHCP snooping binding table (or a static ARP ACL) to defeat
ARP spoofing and cache poisoning
▪ Ensures only ARP requests and responses whose sender IP/MAC pair matches a
known binding are relayed across the network device
▪ Invalid ARP packets arriving on untrusted ports are dropped and not
forwarded; ARP on trusted ports (uplinks to other switches) is not inspected
DHCP Snooping
Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table
(MAC address, IP address, lease time, VLAN, and port for each client)
Untrusted Interface
The default for every port; any DHCP server message (OFFER, ACK, NAK)
arriving on an untrusted port is dropped, which defeats a rogue DHCP server
plugged into a host port
Trusted Interface
▪ A port facing the legitimate DHCP server, a DHCP relay, or the uplink
toward them; server messages are allowed through and the leases they
hand out populate the binding table
▪ Enable DHCP snooping globally and on each VLAN, and mark the uplinks as
trusted before turning it on, or legitimate leases will be dropped
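An added Cisco IOS example (not from the original notes) that covers both of the preceding sections: DHCP snooping builds the binding table and Dynamic ARP Inspection then checks ARP against it. VLANs 10 and 20, the uplink GigabitEthernet0/24, the static host 10.0.10.5 / 0011.2233.4455, and the flash: filename are assumptions:

```cisco
! DHCP snooping: block rogue servers, build the binding table
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion breaks some DHCP servers; leave it off unless it is used
no ip dhcp snooping information option
! Persist bindings across a reload, otherwise DAI drops all ARP until
! every host has renewed its lease
ip dhcp snooping database flash:dhcp-snoop.db
!
! Trust the uplink toward the real DHCP server BEFORE the feature bites
interface GigabitEthernet0/24
 description Uplink toward the legitimate DHCP server
 ip dhcp snooping trust
!
! Host ports stay untrusted (default); throttle DHCP to blunt starvation DoS
interface range GigabitEthernet0/1 - 23
 ip dhcp snooping limit rate 15
!
! Dynamic ARP Inspection: check ARP sender IP/MAC against the bindings
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/24
 ip arp inspection trust
!
! Static-address hosts never appear in the binding table; whitelist them
arp access-list STATIC-HOSTS
 permit ip host 10.0.10.5 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Verify (exec mode)
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
```

DAI also rate-limits ARP on untrusted ports (15 packets per second by default) and err-disables a port that exceeds it, so servers or scanners that legitimately generate bursts of ARP need either a higher ip arp inspection limit rate or a trusted port.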
IPv6 Router Advertisement Guard (RA-Guard)
Mitigates attack vectors based on forged ICMPv6 router advertisement
messages (a rogue IPv6 router, or a fake default gateway used for
man-in-the-middle)
▪ Operates at Layer 2 of the OSI model on IPv6 networks: host-facing
interfaces are marked as not allowed to carry router advertisements, and
any RA received on them is dropped before it reaches other hosts
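An added Cisco IOS example (not from the original notes) using the policy form of RA Guard: host ports reject every RA, the uplink to the real router accepts them. Interface numbers and policy names are assumptions:

```cisco
! Policy for host-facing ports: router advertisements are never accepted
ipv6 nd raguard policy HOST-PORTS
 device-role host
!
! Policy for the uplink: this is where the legitimate router lives
ipv6 nd raguard policy ROUTER-UPLINK
 device-role router
!
interface range GigabitEthernet0/1 - 23
 ipv6 nd raguard attach-policy HOST-PORTS
!
interface GigabitEthernet0/24
 ipv6 nd raguard attach-policy ROUTER-UPLINK
!
! Verify (exec mode)
show ipv6 nd raguard policy HOST-PORTS
```

Older Catalyst releases only offer the bare interface command ipv6 nd raguard, which is equivalent to the host role. Note that RA Guard implementations that inspect only the first fragment can be bypassed by RAs hidden behind extension headers or fragmentation (RFC 6980 and RFC 7113 describe the problem), so confirm that the platform drops fragmented Neighbor Discovery packets.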
Control Plane Policing (CPP, more commonly written CoPP)
▪ Configures a QoS policy that rate-limits packets destined to the device's
own CPU, protecting the control plane of Cisco IOS routers and switches
from floods of routing, ICMP, or management traffic
● Data plane: transit traffic forwarded through the device
● Management plane: SSH, SNMP, syslog, and other sessions to the device
● Control plane: routing protocols, ARP, STP, and other traffic the CPU must
process to keep the network running
● Service plane: value-added services such as tunneling, NAT, and encryption
SNMP
▪ Allows us to easily gather information from our various network devices
back to a centralized management server
▪ Community strings grant access to portions of the device management
plane; in SNMP v1 and v2c they travel in cleartext and are the only credential
● Ensure you are NOT using SNMP v1 or SNMP v2c
o SNMP v3 adds the User-based Security Model: per-user authentication
(HMAC with MD5 or SHA) and privacy (DES or AES encryption) are part
of the SNMP architecture instead of a shared community string
● Combine with whitelisting of the Management Information Base
(MIB): define SNMP views so each user can only read the OIDs it needs
● Use authPriv (authentication plus encryption) on your devices
● Ensure all SNMP administrative credentials have strong passphrases
● Follow the principle of least privilege
o Separate roles: one identity for polling and one for receiving traps
(both read-only)
o A separate user or group with write access only where SNMP SET is
actually needed, restricted to the management hosts by ACL
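An added Cisco IOS example (not from the original notes) that replaces a v2c community string with SNMPv3 authPriv users, a MIB view that whitelists only system and interface objects, an ACL restricting pollers, and a separate write identity. The NMS address 10.0.99.10, the user and view names, and the placeholder passphrases are assumptions:

```cisco
! Weak configuration this replaces (cleartext community, readable by anyone
! on the path):   snmp-server community public RO
no snmp-server community public
no snmp-server community private
!
! Only the NMS (assumed address) may speak SNMP to this device
access-list 10 remark SNMP pollers
access-list 10 permit host 10.0.99.10
access-list 10 deny any log
!
! MIB whitelist: expose only the system and interface subtrees
snmp-server view MON-VIEW system included
snmp-server view MON-VIEW interfaces included
snmp-server view MON-VIEW ifMIB included
!
! Read-only group: v3, authPriv required, limited to the view and the ACL
snmp-server group NMS-RO v3 priv read MON-VIEW access 10
!
! Polling user: SHA authentication + AES-128 privacy
! (prefer sha-256 / aes 256 where the IOS release supports them)
snmp-server user nms-poller NMS-RO v3 auth sha AuthPassphrase-CHANGE-ME priv aes 128 PrivPassphrase-CHANGE-ME
!
! Write access only as a separate identity, only if SNMP SET is really needed
snmp-server group NMS-RW v3 priv read MON-VIEW write MON-VIEW access 10
snmp-server user nms-writer NMS-RW v3 auth sha OtherAuth-CHANGE-ME priv aes 128 OtherPriv-CHANGE-ME
!
! Traps to the NMS, also v3 authPriv
snmp-server enable traps
snmp-server host 10.0.99.10 version 3 priv nms-poller
!
! Verify (exec mode); snmp-server user lines are deliberately absent from
! show running-config, so this is the only place to see them
show snmp user
show snmp group
```

MD5 and DES remain in the v3 specification for compatibility only; pick SHA and AES, and keep the authentication and privacy passphrases distinct so that compromise of one does not yield the other.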