Network Hardening (4.3)

Question 1

Hardening

Answer 1

o Securing a system by reducing its surface of vulnerabilities
o Healthy balance between operations and security

Question 2

Patch Management

Answer 2

o Involves planning, testing, implementing, and auditing of software patches
▪ Provides security
▪ Increases uptime
▪ Ensures compliance
▪ Improves features
o Ensure patches don’t create new problems once installed

Question 3

Planning

Answer 3

● Tracks available patches and updates and determines how to test
and deploy each patch

Question 4

Testing

Answer 4

● Tests any patch received from a manufacturer prior to automating
its deployment through the network
● Have a small test network, lab, or machine for testing new patches before deployment

Question 5

Implementing/ Implementation

Answer 5

● Deploys the patch to all of the workstations and servers that
require it
● Disable the Windows Update service from running automatically
on the workstation
● Also implement patching through a mobile device manager
(MDM), if needed

Question 6

Auditing

Answer 6

● Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
● Also conduct firmware management for your network devices

Question 7

Password Policy

Answer 7

▪ Specifies minimum password length, complexity, periodic changes, and
limits on password reuse

Question 8

Strong Password

Answer 8

▪ Sufficiently long and complex which creates lots of possible combinations
for brute force attacks to be completed in time
● Long vs Complex
● Passwords should be up to 64 ASCII characters long
● Password aging policies should not be enforced
● Change default passwords

Question 9

Unneeded Services

Answer 9

o A service is an application that runs in the background of an operating system or
device to perform a specific function
▪ Disable any services that are not needed for business operations

Question 10

Least Functionality

Answer 10

▪ Process of configuring a device, a server, or a workstation to only provide
essential services required by the user
● AutoSecure CLI command can be used on Cisco devices

Question 11

Port Security

Answer 11

▪ Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed

Question 12

Static Configuration

Answer 12

▪ Allows an administrator to define the static MAC addresses to use on a
given switchport

Question 13

Dynamic Learning

Answer 13

▪ Defines a maximum number of MAC addresses for a port and blocks new
devices that are not on the learned list

Question 14

Private VLAN (Port Isolation)

Answer 14

▪ A technique where a VLAN contains switchports that are restricted to
using a single uplink
● Primary
● Secondary isolated
● Secondary community

Question 15

Primary VLAN

Answer 15

▪ Forwards frames downstream to all of the secondary VLANs

Question 16

Isolated VLAN

Answer 16

▪ Includes switchports that can reach the primary VLAN but not other
secondary VLANs

Question 17

Community VLAN

Answer 17

▪ Includes switchports that can communicate with each other and the
primary VLAN but not other secondary VLANs

Question 18

Promiscuous Port (P-Port)

Answer 18

o Can communicate with anything connected to the primary
or secondary VLANs
▪ Host Ports
▪ Isolated Ports (I-Port)
▪ Community Ports (C-Port) df

Question 19

Isolated Port (I-Port)

Answer 19

o Can communicate upwards to a P-Port and cannot talk

with other I-Ports

Question 20

Community Port (C-Port)

Answer 20

o Can communicate with P-Ports and other C-Ports on the
same community VLAN
▪ Default VLAN is known as VLAN 1

Question 21

Native VLAN

Answer 21

▪ VLAN where untagged traffic is put once it is received on a trunk port

Question 22

Dynamic ARP Inspection (DAI)

Answer 22

▪ Validates the Address Resolution Protocol (ARP) packets in your network
▪ Ensures only valid ARP requests and responses are relayed across the
network device
▪ Invalid ARP packets are dropped and not forwarded

Question 23

DHCP Snooping

Answer 23

▪ Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table

Question 24

Untrusted Interface

Answer 24

▪ Any interface that is configured to receive messages from outside the
network or firewall

Question 25

Trusted Interface

Answer 25

▪ Any interface that is configured to receive messages only from within the
network
▪ Configure switches and VLANs to allow DHCP snooping

Question 26

IPv6 Router Advertisement Guard (RA-Guard)

Answer 26

▪ Mitigates attack vectors based on forged ICMPv6 router advertisement
messages
▪ Operates at Layer 2 of the OSI model for IPv6 networks to specify which
interfaces are not allows to have router advertisements on

Question 27

Control Plane Policing (CPP)

Answer 27

▪ Configures a QoS filter that manages the traffic flow of control plane
packets to protect the control plane of Cisco IOS routers and switches
● Data plane
● Management plane
● Control plane
● Service plane

Question 28

Control Plane Policing (CPP)

Answer 28

▪ Configures a QoS filter that manages the traffic flow of control plane
packets to protect the control plane of Cisco IOS routers and switches

Question 29

SNMP

Answer 29

▪ Allows us to easily gather information from our various network devices
back to a centralized management server
▪ Community strings grant access to portions of the device management
planes
● Ensure you are NOT using SNMP v1 or SNMP v2
o SNMP v3 uses encoded parameters to provide its
authentication as a part of the SNMP architecture
● Combine with whitelisting of the Management Information Base
(MIB)
● Use authPriv on your devices
● Ensure all SNMP administrative credentials have strong passwords
● Follow the principles of least privilege
o Role separation between polling/receiving traps (for
reading)
● Configuring users or groups (for writing)
● Apply and extend access control lists to block unauthorized access
● Keep system images and software up-to-date
● Segregate SNMP traffic onto a separate management network

Question 30

Access Control List (ACL)

Answer 30

o A list of permissions associated with a given system or network resource
▪ Block SSH for a single computer based on its IP address
▪ Block any IP using port 110
▪ Block any IP and any port from outside the LAN
▪ Block incoming requests from private loopback and multicast IP ranges
▪ Block incoming requests from protocols that should only be used locally
▪ Block all IPv6 traffic or allow it to only authorized hosts and ports

Question 31

Explicit Deny

Answer 31

▪ Blocks matching traffic

Question 32

Implicit Deny

Answer 32

▪ Blocks traffic to anything not explicitly specified

Question 33

Role-Based Access

Answer 33

▪ Defines the privileges and responsibilities of administrative users who
control firewalls and their ACLs

Question 34

MAC Filtering

Answer 34

▪ Defines a list of devices and only allows those on your Wi-Fi network
● Explicit allow
● Implicit allow
● Always use explicit allow
● Don’t rely on it as your only wireless network protection

Question 35

Wireless Client Isolation

Answer 35

▪ Prevents wireless clients from communicating with one another
▪ Wireless access points begin to operate like a switch using private VLANs

Question 36

Guest Network Isolation

Answer 36

▪ Keeps guests away from your internal network communications

Question 37

Pre-Shared Key (PSK)

Answer 37

▪ Secures wireless networks, including those protected with WEP, WPA,
WPA2, and WPA3
▪ Ensure you choose a long and strong password

Question 38

Extensible Authentication Protocol (EAP)

Answer 38

▪ Acts as a framework and transport for other authentication protocols

Question 39

Geofencing

Answer 39

▪ A virtual fence created within a certain location

Question 40

Captive Portal

Answer 40

▪ A web page displayed to newly connected Wi-Fi users before being
granted broader access to network resources

Question 41

IoT Considerations

Answer 41

o Understand your endpoints
o Track and manage your devices
o Patch vulnerabilities
o Conduct test and evaluation
o Change defaults credentials
o Use encryption protocols
o Segment IoT devices