Chapter 4 - section 4.3 - Given a scenario, apply network security features, defense techniques, and solutions


17 Terms

1
Objective – Network Security Hardening
• Device hardening
▸ Disable unused ports and services
▸ Change default passwords
• Network access control (NAC)
▸ Port security
▸ 802.1X
▸ MAC filtering
• Key management
• Security rules
▸ Access control list (ACL)
▸ Uniform Resource Locator (URL) filtering
▸ Content filtering
• Zones
▸ Trusted vs. untrusted
▸ Screened subnet
2
Device Hardening
• Process of securing network devices
• Reduces attack surface
• Applies to routers, switches, servers, firewalls
• Core security best practice (exam critical)
3
Disable Unused Ports and Services
• Shuts down unnecessary interfaces
• Prevents unauthorized access
• Reduces vulnerabilities
• Common switch hardening step
4
Change Default Passwords
• Default credentials are publicly known
• High risk if unchanged
• Applies to all network devices
• Exam tip: first hardening step
5
Network Access Control (NAC)
• Controls who can access the network
• Enforces security policies
• Can restrict devices and users
• Often integrated with authentication systems
6
Port Security
• Switch feature limiting MAC addresses per port
• Prevents unauthorized devices
• Protects against MAC flooding
• Layer 2 security control
7
802.1X
• Port-based network access control
• Requires authentication before access
• Uses RADIUS server
• Common in enterprise networks (exam critical)
8
MAC Filtering
• Allows or blocks devices by MAC address
• Simple but not very secure
• MAC addresses can be spoofed
• Often used in small networks
9
Key Management
• Secure handling of encryption keys
• Includes generation, storage, rotation
• Prevents unauthorized decryption
• Important for encrypted communications
10
Security Rules
• Define what traffic is allowed or denied
• Implemented on firewalls and routers
• Enforce organizational security policies
11
Access Control List (ACL)
• Rule set controlling network traffic
• Based on IP, protocol, port
• Can be permit or deny
• Stateless filtering method
12
URL Filtering
• Blocks access to specific websites
• Based on URL or domain
• Used for security and productivity
• Common on firewalls and proxies
13
Content Filtering
• Controls types of content allowed
• Blocks malware, adult, or unsafe content
• Often used with URL filtering
• Policy-based control
14
Security Zones
• Logical separation of network areas
• Controls trust levels
• Limits attack spread
• Exam critical concept
15
Trusted vs. Untrusted Zones
• Trusted: internal, secure network
• Untrusted: external networks (internet)
• Traffic between zones is filtered
• Firewall-enforced separation
16
Screened Subnet
• Also known as DMZ
• Isolated network segment
• Hosts public-facing services
• Protects internal trusted network
17

Sample questions

• Q: Which security practice reduces the attack surface of a network device?

▸ A: Device hardening

• Q: What switch feature limits the number of MAC addresses per port?

▸ A: Port security

• Q: Which protocol provides port-based authentication using a RADIUS server?

▸ A: 802.1X

• Q: Why is MAC filtering considered weak security?

▸ A: MAC addresses can be spoofed

• Q: Which security control filters traffic based on IP address and port?

▸ A: Access Control List (ACL)

• Q: What security zone is also known as a DMZ?

▸ A: Screened subnet

• Q: What is the first recommended step when securing a new network device?

▸ A: Change default passwords