4.3 Given a scenario, apply network hardening techniques

0.0(0)
studied byStudied by 0 people
learnLearn
examPractice Test
spaced repetitionSpaced Repetition
heart puzzleMatch
flashcardsFlashcards
Card Sorting

1/28

encourage image

There's no tags or description

Looks like no tags are added yet.

Study Analytics
Name
Mastery
Learn
Test
Matching
Spaced

No study sessions yet.

29 Terms

1
New cards

Secure SNMP

Simple Network Management Protocol
- monitor and control servers, switches, routers, firewalls, and other devices
Different versions through the years.
- SNMPv1 and SNMPv2 do not encrypt network traffic
SNMPv3
- version 3 added encrypted communication
- not all devices support SNMPv3
- use it everywhere you can

2
New cards

Router Advertisement (RA) guard

The ICMP Router Solicitation message is sent from a computer host to any routers on the local area network to request that they advertise their presence on the network

In response, the router sends back a Router Advertisement (RA) back to the computer

Sometimes, hackers could set up a rogue device pretending to be a router and deliver a DDoS, on-path attack, etc

Router Advertisement guard validates every advertisement to make sure it's legit

<p>The ICMP Router Solicitation message is sent from a computer host to any routers on the local area network to request that they advertise their presence on the network<br><br>In response, the router sends back a Router Advertisement (RA) back to the computer<br><br>Sometimes, hackers could set up a rogue device pretending to be a router and deliver a DDoS, on-path attack, etc<br><br>Router Advertisement guard validates every advertisement to make sure it's legit</p>
3
New cards

Port security

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

4
New cards

Dynamic ARP inspection

A security feature on a switch that monitors ARP messages in order to detect faked ARP messages.

It does this by using DHCP snooping to figure out every device's IP addresses on the network and their corresponding MAC addresses

Invalid IP-to-MAC address bindings are dropped

5
New cards

Control plane policing

On networking devices, there is a control plane and a data plane

Data plane handles forwarding of traffic + operational processes

Control plane controls configuration and management of the device

Control Plane
-very important to secure against DoS

-need to define a QoS filter to protect the control plane
-block all unnecessary control plane traffic types that is not used
-rate limit control plane traffic flow

6
New cards

Private VLANs

• Port isolation
- Restrict access between interfaces
- Even when they're in the same VLAN

• You might already be using private VLANs
- Your home Internet can't directly connect to
another home
- Hotel room access is limited to Internet connectivity

7
New cards

Disable unneeded switchports

A good way to make sure that no one can plug unauthorized cables and devices into
switches, and in turn inject or capture traffic, is to disable unneeded switch ports by
issuing the shutdown command or each individual interface.

• Administratively disable unused ports
- More to maintain, but more secure

• Network Access Control (NAC)
- 802.1X controls
- You can't communicate unless you are authenticated

8
New cards

Disable unneeded network services

• Every open port is a possible entry point
- Close everything except required ports
• Control access with a firewall
- NGFW would be ideal
• Unused or unknown services
- Installed with the OS or from other applications
• Applications with broad port ranges
- Open port 0 through 65,535
• Use Nmap or similar port scanner to verify
- Ongoing monitoring is important

9
New cards

Change default passwords

• Most devices have default usernames and passwords
- Change yours!

• The right credentials provide full control
- Administrator access

10
New cards

Password complexity/length

• Increase password entropy
- No single words, no obvious passwords
- Mix upper and lower case and use special characters
- Don't replace a o with a 0, t with a 7

• Stronger passwords are at least 8 characters
- Consider a phrase or set of words

11
New cards

Enable DHCP snooping

• a security feature that is used to validate DHCP (Dynamic Host Configuration Protocol) messages and prevent unauthorized DHCP servers from providing IP addresses to devices on a network.

• Switch watches for DHCP conversations
- Adds a list of untrusted devices to a table

• Filters invalid IP and DHCP information
- Static IP addresses
- Devices acting as DHCP servers

12
New cards

Change default VLAN

• All access ports (non-trunk ports) are assigned to a VLAN
- Without any additional security (i.e., 802.1X), anyone
connecting will be part of the default VLAN

• The default VLAN might also be used by default for
control plane access/management
- Don't put users on the management VLAN
- Change the management VLAN to something exclusive

• Assign unused interfaces to a specific non-routable, nonforwarding
VLAN
- A "dead-end" or "impasse" VLAN

13
New cards

Patch and firmware management

• Many network devices do not use a traditional
operating system
- All updates are made to firmware

• The potential exists for security vulnerabilities
- Upgrade the firmware to a non-vulnerable version

• Plan for the unexpected
- Always have a rollback plan
- Save those firmware binaries

14
New cards

Access control list

A list of permissions associated with a given system or network resource

▪ Block SSH for a single computer based on its IP address
▪ Block any IP using port 110
▪ Block any IP and any port from outside the LAN
▪ Block incoming requests from private loopback and multicast IP ranges
▪ Block incoming requests from protocols that should only be used locally
▪ Block all IPv6 traffic or allow it to only authorized hosts and ports

15
New cards

Role-based access

• Not everyone connecting to a switch or router needs
the same level of access
- Administrators, help desk, management, API access

• Many devices allow the configuration of specific roles
- Rights and permissions are based on the role
- Administrators can configure and reboot the device
- Help desk can view statistics
- API access can't interactively login/SSH

16
New cards

Firewall rules

• Manage access from the firewall
- Additional security options - Username, VPN, MFA

• Most firewall rules include an implicit deny
- If there's no explicit rule, then traffic is blocked
- These implicit deny rules aren't usually logged

• Some firewall administrators will add explicit deny rules
- Anything denied by a rule is logged by default
- Can be useful for identifying reconnaissance
or access attempts

17
New cards

Explicit deny

When an administrator sets a rule that denies a specific type of traffic access through a firewall, often within an ACL (access control list)

An explicit deny statement drops packets meeting certain criteria, including source
IP address, destination IP address, protocol, and port

18
New cards

Implicit deny

A rule in an ACL that blocks all traffic that hasn't been explicitly allowed. The implicit deny rule is the last rule in an ACL.

19
New cards

Wireless security

Any method of securing your WLAN network to prevent unauthorized network access and network data theft while ensuring that authorized users can connect to the network.

20
New cards

MAC filtering

• Limit access through the physical hardware address
- Keeps the neighbors out
- Additional administration with visitors

• Easy to find working MAC addresses through
wireless LAN analysis
- MAC addresses can be spoofed. For example, you can scan all the MAC addresses on a network, and when one disconnects, you can copy their MAC address and re-join

-Not a foolproof method; not really a true security measure

21
New cards

Antenna placement

Place antennas so it covers only inside your building

Helps prevent people outside your area to try to access the network

22
New cards

Power levels

To measure power levels, manuacturers use scales called received signal strength
indication (RSSI) to show the signal between a WAP and a receiver.

23
New cards

Wireless client isolation

• Wireless client isolation
- Wireless devices on an access point can't
communicate with each other
- Useful in a hotel or public area
- May not be useful at work with peer-to-peer
applications

24
New cards

Guest network isolation

- The guest network does not have access to the
internal private network

- This is almost always the right configuration

25
New cards

Preshared keys (PSKs)

• Configure the authentication on your
access point / wireless router

• Open System - No authentication
password is required

• WPA2/3-Personal / WPA-PSK
- WPA2 or WPA3 with a pre-shared key
- Everyone uses the same 256-bit key

• WPA2/3-Enterprise / WPA2/3-802.1X
- Authenticates users individually with an
authentication server (i.e., RADIUS, LDAP)

26
New cards

EAP

▪ Allows for numerous different mechanisms of authentication

● EAP-MD5
o Utilizes simple passwords and the challenge handshake authentication process to provide remote access authentication

● EAP-TLS
o Uses public key infrastructure with a digital certificate being installed on both the client and the server
● EAP-TTLS
o Requires a digital certificate on the server and a password on the client for its authentication

● EAP Flexible Authentication via Secure Tunneling (EAP-FAST)
o Uses a protected access credential to establish mutual authentication between devices

● Protected EAP (PEAP)
o Uses server certificates and Microsoft's Active Directory databases to authenticate a client's password

● Lightweight EAP (LEAP)
o A proprietary protocol that only works on Cisco-based devices

27
New cards

Geofencing

The use of GPS or RFID technology to create a virtual geographic boundary, enabling software to trigger a response when a mobile device enters or leaves a particular area.

-restrict or allow features when the device is in a particular area

-only allow logins when the device is in a particular area

28
New cards

Captive portal

A technical solution that forces wireless clients using web browsers to complete a process before accessing a network. It is often used to ensure users agree to an acceptable use policy or pay for access.

29
New cards

IoT Security

IoT security
• Internet of Things devices
- Smart devices, appliances, garage doors, door locks,
lights, etc.
• Security is probably not the primary focus
- In some cases, it's not a consideration at all
• IoT devices should be segmented from the private network
- Keep your personal devices and storage systems away
from IoT devices
- If an IoT device is breached, your personal data is
not accessible
• Use a separate VLAN
- Many home access points provide a "guest" network
- This is different than the DMZ or screened-subnet