Network Hardening (4.3) Flashcards
Hardening
o Securing a system by reducing its surface of vulnerabilities
o Healthy balance between operations and security
Patch Management
o Involves planning, testing, implementing, and auditing of software patches
▪ Provides security
▪ Increases uptime
▪ Ensures compliance
▪ Improves features
o Ensure patches don’t create new problems once installed
Planning
● Tracks available patches and updates and determines how to test and deploy each patch
Testing
● Tests any patch received from a manufacturer prior to automating its deployment through the network
● Have a small test network, lab, or machine for testing new patches before deployment
Implementing / Implementation
● Deploys the patch to all of the workstations and servers that require it
● Disable the Windows Update service from running automatically on the workstation
● Also implement patching through a mobile device manager (MDM), if needed
Auditing
● Scans the network and determines if the patch was installed properly and if there are any unexpected failures that may have occurred
● Also conduct firmware management for your network devices
Password Policy
▪ Specifies minimum password length, complexity, periodic changes, and limits on password reuse
Strong Password
▪ Sufficiently long and complex that the number of possible combinations is too large for a brute-force attack to complete in a reasonable time
● Long vs Complex
● Passwords should be up to 64 ASCII characters long
● Password aging policies should not be enforced
● Change default passwords
Unneeded Services
o A service is an application that runs in the background of an operating system or device to perform a specific function
▪ Disable any services that are not needed for business operations
Least Functionality
▪ Process of configuring a device, a server, or a workstation to only provide the essential services required by the user
● AutoSecure CLI command can be used on Cisco devices
Port Security
▪ Prevents unauthorized access to a switchport by identifying and limiting the MAC addresses of the hosts that are allowed
Static Configuration
▪ Allows an administrator to define the static MAC addresses to use on a given switchport
Dynamic Learning
▪ Defines a maximum number of MAC addresses for a port and blocks new devices that are not on the learned list
Private VLAN (Port Isolation)
▪ A technique where a VLAN contains switchports that are restricted to using a single uplink
● Primary
● Secondary isolated
● Secondary community
Primary VLAN
▪ Forwards frames downstream to all of the secondary VLANs
Isolated VLAN
▪ Includes switchports that can reach the primary VLAN but not other secondary VLANs
Community VLAN
▪ Includes switchports that can communicate with each other and the primary VLAN but not other secondary VLANs
Promiscuous Port (P-Port)
o Can communicate with anything connected to the primary or secondary VLANs
▪ Host Ports
● Isolated Ports (I-Port)
● Community Ports (C-Port)
Isolated Port (I-Port)
o Can communicate upwards to a P-Port and cannot talk with other I-Ports
Community Port (C-Port)
o Can communicate with P-Ports and other C-Ports on the same community VLAN
Default VLAN
▪ Default VLAN is known as VLAN 1
Native VLAN
▪ VLAN where untagged traffic is put once it is received on a trunk port
Dynamic ARP Inspection (DAI)
▪ Validates the Address Resolution Protocol (ARP) packets in your network
▪ Ensures only valid ARP requests and responses are relayed across the network device
▪ Invalid ARP packets are dropped and not forwarded
DHCP Snooping
▪ Provides security by inspecting DHCP traffic, filtering untrusted DHCP messages, and building and maintaining a DHCP snooping binding table
Untrusted Interface
▪ Any interface that is configured to receive messages from outside the network or firewall
Trusted Interface
▪ Any interface that is configured to receive messages only from within the network
▪ Configure switches and VLANs to allow DHCP snooping
IPv6 Router Advertisement Guard (RA-Guard)
▪ Mitigates attack vectors based on forged ICMPv6 router advertisement messages
▪ Operates at Layer 2 of the OSI model for IPv6 networks to specify which interfaces are not allowed to receive router advertisements
Control Plane Policing (CPP)
▪ Configures a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches
● Data plane
● Management plane
● Control plane
● Service plane
SNMP
▪ Allows us to easily gather information from our various network devices back to a centralized management server
▪ Community strings grant access to portions of the device management planes
● Ensure you are NOT using SNMP v1 or SNMP v2
o SNMP v3 uses encoded parameters to provide its authentication as a part of the SNMP architecture
● Combine with whitelisting of the Management Information Base (MIB)
● Use authPriv on your devices
● Ensure all SNMP administrative credentials have strong passwords
● Follow the principles of least privilege
o Role separation between polling/receiving traps (for reading)
o Configuring users or groups (for writing)
● Apply and extend access control lists to block unauthorized access
● Keep system images and software up-to-date
● Segregate SNMP traffic onto a separate management network
Access Control List (ACL)
o A list of permissions associated with a given system or network resource
▪ Block SSH for a single computer based on its IP address
▪ Block any IP using port 110
▪ Block any IP and any port from outside the LAN
▪ Block incoming requests from private loopback and multicast IP ranges
▪ Block incoming requests from protocols that should only be used locally
▪ Block all IPv6 traffic or allow it to only authorized hosts and ports
Explicit Deny
▪ Blocks matching traffic
Implicit Deny
▪ Blocks traffic to anything not explicitly specified
Role-Based Access
▪ Defines the privileges and responsibilities of administrative users who control firewalls and their ACLs
MAC Filtering
▪ Defines a list of devices and only allows those on your Wi-Fi network
● Explicit allow
● Implicit allow
● Always use explicit allow
● Don’t rely on it as your only wireless network protection
Wireless Client Isolation
▪ Prevents wireless clients from communicating with one another
▪ Wireless access points begin to operate like a switch using private VLANs
Guest Network Isolation
▪ Keeps guests away from your internal network communications
Pre-Shared Key (PSK)
▪ Secures wireless networks, including those protected with WEP, WPA, WPA2, and WPA3
▪ Ensure you choose a long and strong password
Extensible Authentication Protocol (EAP)
▪ Acts as a framework and transport for other authentication protocols
Geofencing
▪ A virtual fence created within a certain location
Captive Portal
▪ A web page displayed to newly connected Wi-Fi users before they are granted broader access to network resources
IoT Considerations
o Understand your endpoints
o Track and manage your devices
o Patch vulnerabilities
o Conduct test and evaluation
o Change default credentials
o Use encryption protocols
o Segment IoT devices