Network Hardening Flashcards

1
Q

Hardening

A

Securing a system by reducing its surface of vulnerabilities
o Healthy balance between operations and security

2
Q

Patch Management

A

o Involves planning, testing, implementing, and auditing of software patches
▪ Provides security
▪ Increases uptime
▪ Ensures compliance
▪ Improves features
o Ensure patches don’t create new problems once installed
▪ Planning
● Tracks available patches and updates and determines how to test
and deploy each patch
▪ Testing
● Tests any patch received from a manufacturer prior to automating
its deployment through the network
● Have a small test network, lab, or machine for testing new
patches before deployment
▪ Implementing/Implementation
● Deploys the patch to all of the workstations and servers that
require it
● Disable the Windows Update service from running automatically
on the workstation
● Also implement patching through a mobile device manager
(MDM), if needed
▪ Auditing
● Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
● Also conduct firmware management for your network devices

3
Q

Unneeded Services

A

A service is an application that runs in the background of an operating system or
device to perform a specific function
▪ Disable any services that are not needed for business operations

4
Q

Least Functionality

A

Process of configuring a device, a server, or a workstation to only provide
essential services required by the user
● AutoSecure CLI command can be used on Cisco devices

5
Q

Port Security

A

Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed

6
Q

Static Configuration

A

Allows an administrator to define the static MAC addresses to use on a
given switchport

7
Q

Dynamic Learning

A

Defines a maximum number of MAC addresses for a port and blocks new
devices that are not on the learned list

8
Q

Private VLAN (Port Isolation)

A

A technique where a VLAN contains switchports that are restricted to
using a single uplink
● Primary
● Secondary isolated
● Secondary community

9
Q

Dynamic ARP Inspection (DAI)

A

Validates the Address Resolution Protocol (ARP) packets in your network
▪ Ensures only valid ARP requests and responses are relayed across the
network device
▪ Invalid ARP packets are dropped and not forwarded

10
Q

DHCP Snooping

A

Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table

11
Q

Untrusted Interface

A

Any interface that is configured to receive messages from outside the
network or firewall

12
Q

Trusted Interface

A

▪ Any interface that is configured to receive messages only from within the
network
▪ Configure switches and VLANs to allow DHCP snooping

13
Q

IPv6 Router Advertisement Guard (RA-Guard)

A

Mitigates attack vectors based on forged ICMPv6 router advertisement
messages
▪ Operates at Layer 2 of the OSI model for IPv6 networks to specify which
interfaces are not allowed to have router advertisements on

14
Q

Control Plane Policing (CPP)

A

▪ Configures a QoS filter that manages the traffic flow of control plane
packets to protect the control plane of Cisco IOS routers and switches
● Data plane
● Management plane
● Control plane
● Service plane

15
Q

SNMP

A

▪ Allows us to easily gather information from our various network devices
back to a centralized management server
▪ Community strings grant access to portions of the device management
planes
● Ensure you are NOT using SNMP v1 or SNMP v2
o SNMP v3 uses encoded parameters to provide its
authentication as a part of the SNMP architecture
● Combine with whitelisting of the Management Information Base
(MIB)
● Use authPriv on your devices
● Ensure all SNMP administrative credentials have strong passwords
● Follow the principles of least privilege
o Role separation between polling/receiving traps (for
reading) and configuring users or groups (for writing)

16
Q

Access Control List (ACL)

A

A list of permissions associated with a given system or network resource
▪ Block SSH for a single computer based on its IP address
▪ Block any IP using port 110
▪ Block any IP and any port from outside the LAN
▪ Block incoming requests from private, loopback, and multicast IP ranges
▪ Block incoming requests from protocols that should only be used locally
▪ Block all IPv6 traffic or allow it to only authorized hosts and ports
o Explicit Deny
▪ Blocks matching traffic
o Implicit Deny
▪ Blocks traffic to anything not explicitly specified
o Role-Based Access
▪ Defines the privileges and responsibilities of administrative users who
control firewalls and their ACLs

17
Q

Wireless Security
o MAC Filtering

A

Defines a list of devices and only allows those on your Wi-Fi network
● Explicit allow
● Implicit allow
● Always use explicit allow
● Don’t rely on it as your only wireless network protection

18
Q

Wireless Client Isolation

A

Prevents wireless clients from communicating with one another
▪ Wireless access points begin to operate like a switch using private VLANs

19
Q

Guest Network Isolation

A

Keeps guests away from your internal network communications

20
Q

Pre-Shared Key (PSK)

A

Secures wireless networks, including those protected with WEP, WPA,
WPA2, and WPA3
▪ Ensure you choose a long and strong password

21
Q

Extensible Authentication Protocol (EAP)

A

Acts as a framework and transport for other authentication protocols

22
Q

IoT Considerations

A

o Understand your endpoints
o Track and manage your devices
o Patch vulnerabilities
o Conduct test and evaluation
o Change default credentials
o Use encryption protocols
o Segment IoT devices
