Network Hardening

Question 1

Patch Management

Answer 1

Planning, testing, implementing, & auditing of software patches
(Security, increases uptime, ensures compliance, improves features)

Planning - Track available patches to determine how to test/deploy

Testing - Test patches prior to deployment (use a test network/lab)

Implementing - Disable Windows Update from running automatically before deployment

Auditing - Scans the network to determine if patch was installed (also firmware management)

Question 2

Least Functionality

Answer 2

Process of configuring a device/server/workstation to only provide essential services required by user

Cisco devices = AutoSecure CLI command

Question 3

Port Security

Answer 3

Prevents unauthorized access to a switchport by identifying/limiting the MAC addresses of hosts that are allowed

Question 4

Port Security: Dynamic Learning

Answer 4

Defines a max number of MACs for a port & blocks new devices not on learned list

Question 5

Private VLAN (Port Isolation)

Answer 5

A technique where a VLAN contains switchports that are restricted to a single uplink
(Primary, secondary isolated, secondary community)

Question 6

Primary VLAN

Answer 6

Forwards frames downstream to all of the secondary VLANs

Question 7

Isolated VLAN

Answer 7

Includes switchports that can reach the primary VLAN but not other secondary VLANs

Question 8

Community VLAN

Answer 8

Includes switchports that can communicate with each other & the primary VLAN but not other secondary VLANs

Default VLAN = VLAN1

Question 9

Community VLAN: P-Port

Answer 9

Promiscuous Port:
Can communicate with anything connected to the primary/secondary VLANs

Host ports, isolated ports, community ports

Question 10

Community VLAN: I-Port

Answer 10

Isolated Port:

Can communicate upwards to a P-Port, cannot talk with other I-Ports

Question 11

Community VLAN: C-Port

Answer 11

Community Port:

Can communicate with P-Ports & other C-Ports on the same community VLAN

Question 12

Native VLAN

Answer 12

VLAN where untagged traffic is put once it is received on a trunk port

Question 13

DAI

Answer 13

Dynamic ARP Inspection:
Validates the ARP packets in your network
Ensures only valid ARP requests/responses are relayed across network device
Invalid ARP packets = dropped

Question 14

DHCP Snooping

Answer 14

Provides security by inspecting DHCP traffic, filtering untrusted DHCP messages, & building/maintaining a DHCP snooping binding table

Question 15

Untrusted Interface

Answer 15

Any interface that is configured to receive messages from outside the network/firewall

Question 16

Trusted Interface

Answer 16

Any interface configured to receive messages only from within the network

Configure switches/VLANs to allow DHCP snooping

Question 17

RA-Guard

Answer 17

IPv6 Router Advertisement Guard:
Mitigates attack vectors based on forged ICMPv6 router advertisements

(Layer 2) - To specify which interfaces are not allowed to have RAs

Question 18

CPP

Answer 18

Control Plane Policing:
Configures a QoS filter that manages the traffic flow of control plane packets to protect the control plane of Cisco IOS routers/switches

Data plane, management plane, control plane, service plane

Question 19

ACL: Explicit Deny

Answer 19

Blocks matching traffic

Question 20

ACL: Implicit Deny

Answer 20

Blocks traffic to anything not explicitly specified

Question 21

ACL: Role-Based Access

Answer 21

Defines the privileges & responsibilities of administrative users who control firewalls & their ACLs

Question 22

Wireless Client Isolation

Answer 22

Prevents wireless clients from communicating with one another
WAPs begin to operate like a switch using private VLANs

Question 23

Guest Network Isolation

Answer 23

Keeps guests away from your internal network communications