Network Hardening Flashcards
(35 cards)
Hardening
Securing a system by reducing its surface of vulnerabilities
Healthy balance between operations and security
Patch Management
Involves planning, testing, implementing, and auditing of software patches
Provides security
Increases uptime
Ensures compliance
Improves features
Ensure patches don’t create new problems once installed
Planning
Tracks available patches and updates and determines how to test
and deploy each patch
Testing
Tests any patch received from a manufacturer prior to automating
its deployment through the network
Have a small test network, lab, or machine for testing new
patches before deployment
Implementing/ Implementation
Deploys the patch to all of the workstations and servers that
require it
Disable the Windows Update service from running automatically
on the workstation
Also implement patching through a mobile device manager
(MDM), if needed
Auditing
Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
Also conduct firmware management for your network devices
Password Policy
Specifies minimum password length, complexity, periodic changes, and
limits on password reuse
Strong Password
Sufficiently long and complex which creates lots of possible combinations
for brute force attacks to be completed in time
Long vs Complex
Passwords should be up to 64 ASCII characters long
Password aging policies should not be enforced
Change default passwords
Unneeded Services
A service is an application that runs in the background of an operating system or
device to perform a specific function
Disable any services that are not needed for business operations
Least Functionality
Process of configuring a device, a server, or a workstation to only provide
essential services required by the user
AutoSecure CLI command can be used on Cisco devices
Port Security
Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed
Static Configuration Switch
Allows an administrator to define the static MAC addresses to use on a
given switchport
Dynamic Learning
Defines a maximum number of MAC addresses for a port and blocks new
devices that are not on the learned list
Private VLAN (Port Isolation)
A technique where a VLAN contains switchports that are restricted to using a single uplink Primary Secondary isolated Secondary community
Primary VLAN
Forwards frames downstream to all of the secondary VLANs
Isolated VLAN
Includes switchports that can reach the primary VLAN but no other
secondary VLANs
Community VLAN
Includes switchports that can communicate with each other and the
primary VLAN but not other secondary VLANs
Default VLAN is known as VLAN 1
Promiscuous Port (P-Port)
Can communicate with anything connected to the primary or secondary VLANs Host Ports Isolated Ports (I-Port) Community Ports (C-Port)
Isolated Port (I-Port)
Can communicate upwards to a P-Port and cannot talk
with other I-Ports
Community Port (C-Port)
Can communicate with P-Ports and other C-Ports on the
same community VLAN
Native VLAN
VLAN where untagged traffic is put once it is received on a trunk port
(DAI)
Dynamic ARP Inspection (DAI)
Validates the Address Resolution Protocol (ARP) packets in your network
Ensures only valid ARP requests and responses are relayed across the
network device
Invalid ARP packets are dropped and not forwarded
DHCP Snooping
Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table
Untrusted Interface
Any interface that is configured to receive messages from outside the
network or firewall
