Network Hardening

Description: CompTIA+ Network Learning


57 Terms

1

Network hardening

The process of securing a system by reducing its attack surface or vulnerabilities.

2

Patch management

The planning, testing, implementing, and auditing of software patches to fix bugs and improve security in network devices, servers, and clients.

3

Attack surface

The areas or points in a network that can be exploited by attackers to gain unauthorized access or cause harm.

4

Vulnerabilities

Weaknesses or flaws in a system that can be exploited by attackers to compromise its security.

5

Port security

A switch feature that restricts which source MAC addresses may send frames through a given switchport and drops the traffic or shuts the port down on a violation. Not to be confused with blocking TCP/UDP ports, which is done with ACLs or a firewall.

6

VLANs

Virtual Local Area Networks that separate and isolate network traffic to enhance security and network performance.

7

Access control lists (ACLs)

Rules or filters that determine what network traffic is allowed or denied based on specific criteria, such as source IP address or port number.

8

SNMP

Simple Network Management Protocol, a protocol used to manage and monitor network devices.

9

Internet of Things (IoT)

A network of interconnected devices that can communicate and exchange data with each other.

10

Compliance

The adherence to rules, regulations, and standards set by regulatory bodies or industry best practices to ensure the security and privacy of data.

11

Firmware Management

Tracking which firmware version each network device, server, and network interface runs and applying the vendor's firmware updates, ideally from a central management platform. Firmware flaws are fixed only by firmware updates, so this is patch management for the layer below the operating system.

12

Password Policy

A policy document that promotes strong passwords by specifying a minimum password length, requiring complex passwords, requiring periodic password changes, and placing limits on password reuse.

13

Two-Factor Authentication

A security measure that requires two different types of authentication factor before granting access to a system: typically a password (something you know) plus a fingerprint (something you are) or a one-time code from a mobile device (something you have). Two passwords are not two factors.

14

Brute Force Attack

An attack that tries every possible combination of characters until it guesses the password. Long, complex passwords make the search space impractically large, and account lockout or rate limiting slows the attacker further.

15

Default Password

The initial username and password set by the manufacturer for a device or system, which should be changed to enhance security.

16

Least Functionality

The process of configuring a device, server, or workstation to only provide essential services required by the user, reducing the attack surface and potential vulnerabilities.

17

Auto Secure

A Cisco IOS CLI command (auto secure) that disables unnecessary services on a router or switch while enabling recommended security settings such as password encryption and logging. Review the configuration it generates before committing it, since it can disable services a network still depends on.

18

Switch Port

A physical interface on a switch or router that connects networking devices, which should be disabled if nothing is connected to it to enhance security.

19

Port Security

A feature that restricts access to a switchport by limiting the MAC addresses of authorized hosts that can connect to it.

20

Dynamic Learning

A method of creating a list of authorized MAC addresses on a switchport by allowing the switch to learn and add MAC addresses dynamically.
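Worked example (added here; not part of the flashcard set or any vendor's code): a Python model of cards 18 to 20, a switchport with a maximum number of secure MAC addresses, statically configured and dynamically learned entries, an administratively shut-down spare port, and the three violation modes as Cisco IOS names them. The port names, MAC addresses and frames are constructed for illustration.

```python
# Added example (not from the flashcards): a small model of switchport port
# security. Assumptions, mine not the page's: one object per port, a per-port
# maximum of secure MACs, static entries plus dynamic learning, and violation
# modes named as Cisco IOS names them (shutdown, restrict, protect).
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    name: str
    max_macs: int = 1                 # switchport port-security maximum N
    violation_mode: str = "shutdown"  # shutdown | restrict | protect
    enabled: bool = True              # False models an unused port left shut down
    allowed: set = field(default_factory=set)  # static + learned secure MACs
    err_disabled: bool = False
    violations: int = 0

    def add_static(self, mac: str) -> None:
        """Configure a MAC statically (switchport port-security mac-address)."""
        if len(self.allowed) >= self.max_macs:
            raise ValueError(f"{self.name}: maximum secure MACs already reached")
        self.allowed.add(mac.lower())

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame with this source MAC: 'forward' or 'drop'."""
        mac = src_mac.lower()
        if not self.enabled or self.err_disabled:
            return "drop"
        if mac in self.allowed:
            return "forward"
        if len(self.allowed) < self.max_macs:
            self.allowed.add(mac)     # dynamic learning: first-seen MACs fill the table
            return "forward"
        # Table is full and this MAC is not in it: a security violation.
        if self.violation_mode == "protect":
            return "drop"             # silent drop, no counter, no log
        self.violations += 1          # restrict and shutdown both count the event
        if self.violation_mode == "shutdown":
            self.err_disabled = True  # port stays err-disabled until an admin clears it
        return "drop"


def demo() -> dict:
    """Constructed frames (not captured traffic) driven through three ports."""
    results = {}
    # A desk port: one device allowed, shutdown on violation (the IOS default).
    desk = SecuredPort("Gi0/1")
    results["desk_first"] = desk.receive("aa:bb:cc:00:00:01")    # learned
    results["desk_same"] = desk.receive("AA:BB:CC:00:00:01")     # case-insensitive match
    results["desk_rogue"] = desk.receive("aa:bb:cc:00:00:02")    # violation -> err-disabled
    results["desk_after"] = desk.receive("aa:bb:cc:00:00:01")    # even the good host is cut off
    results["desk_errdisabled"] = desk.err_disabled
    # A phone-plus-PC port: two MACs, one static, restrict mode keeps the port up.
    phone = SecuredPort("Gi0/2", max_macs=2, violation_mode="restrict")
    phone.add_static("00:11:22:33:44:55")
    results["phone_pc"] = phone.receive("00:11:22:33:44:66")     # second MAC learned
    results["phone_rogue"] = phone.receive("00:11:22:33:44:77")  # dropped and counted
    results["phone_still_up"] = not phone.err_disabled and phone.violations == 1
    # An unused port that was administratively shut down forwards nothing.
    spare = SecuredPort("Gi0/3", enabled=False)
    results["spare"] = spare.receive("de:ad:be:ef:00:01")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The shutdown case is the one that surprises people: after the rogue MAC appears, the legitimate host on the same port loses connectivity too, which is why restrict mode is often preferred on ports shared by a phone and a PC.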

21

Private VLANs

A technique that divides a primary VLAN into secondary VLANs, restricting communication between hosts in different secondary VLANs.

22

Promiscuous Ports (P-Ports)

Switchports that connect to routers, firewalls, or other gateway devices and can communicate with every port in the private VLAN, including isolated and community ports.

23

Isolated Ports (I-Ports)

Switchports used to connect regular hosts in an isolated VLAN, which can only communicate with Promiscuous Ports.

24

Community Ports (C-Ports)

Switchports used to connect regular hosts in a community VLAN, which can communicate with other Community Ports and Promiscuous Ports.

25

Default VLAN

The VLAN to which unassigned switchports are assigned by default, often VLAN 1.

26

Native VLAN

The VLAN to which untagged frames arriving on an 802.1Q trunk port are assigned; by default this is VLAN 1, the same as the default VLAN. Hardening practice is to change the native VLAN to an otherwise unused VLAN and keep user ports out of it, which blunts VLAN-hopping (double-tagging) attacks.

27

Dynamic ARP Inspection (DAI)

A switch security feature that validates ARP packets arriving on untrusted ports against a trusted source of MAC-to-IP bindings (the DHCP snooping binding table or static ARP ACLs) and drops packets whose sender MAC/IP pair does not match, defeating ARP spoofing and the man-in-the-middle attacks built on it.

28

DHCP Snooping

A switch security feature that inspects DHCP traffic, drops DHCP server messages (OFFER, ACK, NAK) that arrive on untrusted ports, and builds a binding table recording the MAC address, IP address, lease time, VLAN, and switchport of every client that obtained a lease. That binding table is what DAI later checks ARP packets against.

29

DHCP Snooping

The same feature distinguishes trusted interfaces (uplinks toward the legitimate DHCP server or toward other switches) from untrusted interfaces (ports facing end hosts); only trusted interfaces may carry DHCP server responses, which blocks rogue DHCP servers plugged into access ports.
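Worked example (added here; not from the flashcard set or any vendor): a Python model of how DHCP snooping (cards 28 and 29) builds its binding table from DHCP exchanges seen on trusted and untrusted ports, and how Dynamic ARP Inspection (card 27) consults that table to drop spoofed ARP. Port names, MAC and IP addresses are constructed; a single VLAN and a reduced set of DHCP and ARP fields are assumed.

```python
# Added example (not from the flashcards): DHCP snooping feeding Dynamic ARP
# Inspection. Assumptions, mine not the page's: one VLAN, trusted ports given
# as a set, and simplified DHCP/ARP records holding only the checked fields.
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # only a DHCP server should send these


@dataclass(frozen=True)
class Dhcp:
    port: str         # ingress switchport
    msg: str          # DISCOVER, REQUEST, OFFER, ACK, NAK
    src_mac: str      # Ethernet source address
    chaddr: str       # client hardware address inside the DHCP payload
    yiaddr: str = ""  # address assigned, present in OFFER/ACK


@dataclass(frozen=True)
class Arp:
    port: str
    sender_mac: str
    sender_ip: str


class SnoopingSwitch:
    def __init__(self, trusted_ports, vlan=10):
        self.trusted = set(trusted_ports)  # uplinks toward the real DHCP server
        self.vlan = vlan
        self.pending = {}    # chaddr -> client port, learned from DISCOVER/REQUEST
        self.bindings = {}   # chaddr -> (ip, vlan, port), filled from ACKs on trusted ports
        self.log = []

    def dhcp(self, p: Dhcp) -> str:
        trusted = p.port in self.trusted
        mac, chaddr = p.src_mac.lower(), p.chaddr.lower()
        if p.msg in SERVER_MSGS and not trusted:
            self.log.append(f"drop rogue DHCP {p.msg} on untrusted {p.port}")
            return "drop"
        if p.msg not in SERVER_MSGS and not trusted and mac != chaddr:
            # MAC verify: a client forging chaddr to exhaust the pool is dropped
            self.log.append(f"drop DHCP {p.msg} on {p.port}: chaddr != source MAC")
            return "drop"
        if p.msg in ("DISCOVER", "REQUEST") and not trusted:
            self.pending[chaddr] = p.port      # remember which port the client is on
        if p.msg == "ACK":
            client_port = self.pending.pop(chaddr, None)
            if client_port is not None:
                self.bindings[chaddr] = (p.yiaddr, self.vlan, client_port)
        return "forward"

    def arp(self, a: Arp) -> str:
        """DAI: on untrusted ports the sender MAC/IP/port must match a snooping binding."""
        if a.port in self.trusted:
            return "forward"
        b = self.bindings.get(a.sender_mac.lower())
        if b is None or b[0] != a.sender_ip or b[2] != a.port:
            self.log.append(f"drop ARP on {a.port}: {a.sender_mac} -> {a.sender_ip} not bound")
            return "drop"
        return "forward"


def run_scenario() -> dict:
    """Constructed packets (not a capture): one real client, one rogue host, one uplink."""
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"})
    client, rogue, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02", "cc:cc:cc:00:00:03"
    v = {}
    v["discover"] = sw.dhcp(Dhcp("Gi0/2", "DISCOVER", client, client))
    v["rogue_offer"] = sw.dhcp(Dhcp("Gi0/3", "OFFER", rogue, client, "10.0.10.200"))
    v["spoofed_discover"] = sw.dhcp(Dhcp("Gi0/3", "DISCOVER", rogue, "dd:dd:dd:00:00:04"))
    v["request"] = sw.dhcp(Dhcp("Gi0/2", "REQUEST", client, client))
    v["real_ack"] = sw.dhcp(Dhcp("Gi0/24", "ACK", server, client, "10.0.10.50"))
    v["binding"] = sw.bindings.get(client)
    v["arp_ok"] = sw.arp(Arp("Gi0/2", client, "10.0.10.50"))
    v["arp_gateway_spoof"] = sw.arp(Arp("Gi0/3", rogue, "10.0.10.1"))  # rogue claims the gateway
    v["arp_ip_spoof"] = sw.arp(Arp("Gi0/2", client, "10.0.10.1"))      # bound MAC, wrong IP
    v["arp_uplink"] = sw.arp(Arp("Gi0/24", server, "10.0.10.1"))       # trusted, not inspected
    return v


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two things the model makes visible: the ACK arrives on the trusted uplink, so the switch has to remember which access port the client's REQUEST came from to record the right port in the binding; and DAI without snooping has nothing to check against, which is why a host with a static IP on an untrusted port will have its ARP dropped unless a static ARP ACL is added.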

30

Router Advertisement Guard (RA-Guard)

A mechanism used to mitigate attack vectors based on forged ICMPv6 router advertisement messages in IPv6 networks.

31

Control Plane Policing (CPP)

A feature (Cisco also writes it CoPP) that applies a quality-of-service policy to traffic destined for the device's own control plane, rate-limiting or dropping excess packets so that Cisco IOS routers and switches keep routing and stay manageable under denial-of-service and reconnaissance traffic.

32

Simple Network Management Protocol (SNMP)

A protocol used for gathering information from network devices back to a centralized management server.

33

Access Control List (ACL)

A list of permissions associated with a system or network resource that can be applied to packet filtering devices, such as routers, switches, or firewalls.

34

Access Control List (ACL)

A list of rules that determines what network traffic is allowed or denied on a firewall or router.

35

Device Agnostic

Refers to the ability of a system or exam to work with different types of devices, regardless of the manufacturer or brand.

36

Permit Statement

A rule in an ACL that allows specific network traffic to pass through based on defined criteria.

37

Implicit Deny

A default rule in an ACL that denies any network traffic that is not explicitly permitted by previous rules.

38

Wildcard Mask

A 32-bit mask used in ACLs to state which bits of an address must match: a 0 bit means the corresponding address bit must match exactly, a 1 bit means it is ignored. So 10.0.0.0 0.0.0.255 matches a whole /24, 0.0.0.0 matches a single host, and 255.255.255.255 matches any address. It is written in dotted-decimal like a subnet mask but is not one.

39

Equal (eq)

An operator used in ACLs to specify a specific value or condition that must be met for the traffic to be allowed.

40

Reverse Wildcard Mask

The relationship between Cisco wildcard masks and subnet masks: the wildcard is the bitwise inverse of the subnet mask, so each 255 octet becomes 0 and each 0 becomes 255 (255.255.255.0 becomes 0.0.0.255; 255.255.252.0 becomes 0.0.3.255).

41

White List

A type of access control mechanism that only allows specific items or actions that are explicitly permitted.

42

Explicit Allow

A rule in an ACL that explicitly allows specific network traffic to pass through based on defined criteria.

43

Implicit Allow

A default rule in an ACL that allows any network traffic that is not explicitly denied by previous rules.
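Worked example (added here; not from the flashcard set or from Cisco): a Python parser and first-match evaluator for a Cisco-style extended ACL, covering cards 36 to 43 together: wildcard-mask matching, the wildcard as the inverse of a subnet mask, the eq operator, permit and deny statements, first-match ordering, and the implicit deny at the end of the list (or an implicit allow when the default is switched). The grammar is deliberately reduced (one entry per line, an optional eq on the destination port only) and the ACL and packets are constructed for illustration.

```python
# Added example (not from the flashcards): parse and evaluate a Cisco-style
# extended ACL. Assumptions, mine not the page's: a reduced grammar
#   [access-list N] <permit|deny> <proto> <src> <dst> [eq <dst-port>]
# where an address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'. Not a full
# IOS implementation; it exists to show the matching and ordering rules.
import socket
import struct
from dataclasses import dataclass
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def int_to_ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", n))


def wildcard_from_mask(subnet_mask: str) -> str:
    """Cisco wildcard = bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    return int_to_ip(~ip_to_int(subnet_mask) & ALL_ONES)


def wildcard_matches(addr: str, network: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard means 'must match', a 1 bit means 'don't care'."""
    care = ~ip_to_int(wildcard) & ALL_ONES
    return (ip_to_int(addr) ^ ip_to_int(network)) & care == 0


@dataclass(frozen=True)
class Rule:
    action: str           # permit | deny
    proto: str            # ip | tcp | udp | icmp
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int]  # from 'eq N'; None when absent


def _parse_addr(tokens):
    """Consume one address spec and return (network, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text: str):
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]                       # drop 'access-list <number>'
        action, proto, t = t[0], t[1], t[2:]
        src, src_wild, t = _parse_addr(t)
        dst, dst_wild, t = _parse_addr(t)
        dport = int(t[1]) if t[:1] == ["eq"] else None
        rules.append(Rule(action, proto, src, src_wild, dst, dst_wild, dport))
    return rules


def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None,
             default: str = "deny"):
    """First matching rule wins and its index is returned. No match falls through to
    the default: 'deny' is the implicit deny of a real ACL, 'permit' models a blocklist."""
    for i, r in enumerate(rules):
        if r.proto not in ("ip", proto):
            continue
        if not wildcard_matches(src, r.src, r.src_wild):
            continue
        if not wildcard_matches(dst, r.dst, r.dst_wild):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, i
    return default, None


# Constructed ACL: one admin host is blocked from SSH first (order matters), the
# rest of 10.0.0.0/24 may SSH anywhere and reach one web server over HTTPS.
ACL_TEXT = """
access-list 101 deny tcp host 10.0.0.13 any eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
"""

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print("wildcard for /24:", wildcard_from_mask("255.255.255.0"))
    for pkt in [("tcp", "10.0.0.13", "198.51.100.7", 22),
                ("tcp", "10.0.0.5", "198.51.100.7", 22),
                ("udp", "10.0.0.5", "192.0.2.10", 53)]:
        print(pkt, "->", evaluate(rules, *pkt))
```

Note that swapping the first two lines of the constructed ACL would silently let 10.0.0.13 through, because the broader permit would match first; and the UDP packet is denied by no rule at all, only by the implicit deny, which is why many operators add an explicit deny ip any any log as the last line so those drops show up in the logs.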

44

Role-Based Access

A method of granting permissions and privileges to users based on their roles or job functions.

45

MAC Filtering

A feature that allows or blocks devices from joining a wireless network based on their MAC addresses. Because MAC addresses are transmitted in the clear and are trivial to spoof, it is a weak control that should complement, not replace, proper authentication such as WPA2 or WPA3.

46

Explicit Allow List

A list of MAC addresses that are allowed to connect to a wireless network.

47

Implicit Allow List

The opposite approach to an explicit allow list: every MAC address may connect except those explicitly listed as blocked, so the list itself is a deny (block) list.

48

Antenna Placement

The strategic positioning of wireless access points to ensure optimal coverage and security within a given area.

49

Signal Strength

The received power of the wireless signal, measured in dBm (around -30 dBm is excellent, -67 dBm is the usual floor for reliable voice and video, -80 dBm is unusable); site-survey heat maps show it with colors such as green, yellow, and red. Too strong a signal outside the building extends coverage to attackers; too weak a signal inside pushes users toward rogue or neighboring networks.

50

Antenna Placement

The strategic positioning of antennas and wireless access points to ensure proper coverage and prevent unauthorized access.

51

Wireless Client Isolation

A security feature that prevents wireless clients from communicating with each other, ensuring network privacy and security.

52

Guest Network Isolation

A type of isolation that keeps guest devices separate from the internal network, protecting sensitive data.

53

Pre-Shared Keys (PSKs)

Shared secrets that must be distributed to every user ahead of time and are used to authenticate clients to a wireless network (WEP, and WPA, WPA2, and WPA3 in Personal mode). Because everyone holds the same key, revoking one user means re-keying every device, so PSKs suit small networks only; WEP itself is broken and should not be used.

54

Extensible Authentication Protocol (EAP)

An authentication framework that carries other authentication methods (such as EAP-TLS with certificates, or PEAP with a username and password) inside 802.1X. In WPA2/WPA3-Enterprise each user or device is authenticated individually against a RADIUS server and receives its own session keys, which is why it provides higher security than a shared pre-shared key.

55

Geofencing

Creating a virtual fence within a physical location to restrict wireless network access to specific geographic areas.

56

Captive Portals

Webpages displayed to newly-connected users of a wireless network before granting them broader access, often used for authentication or consent.

57

IoT Device Security

Measures to secure Internet of Things (IoT) devices, including understanding vulnerabilities, tracking and managing devices, patching vulnerabilities, conducting testing and evaluation, changing default credentials, using encryption protocols, and segmenting IoT devices.