Network Hardening (4.3) Flashcards
(41 cards)
Hardening
o Securing a system by reducing its surface of vulnerabilities
o Healthy balance between operations and security
Patch Management
o Involves planning, testing, implementing, and auditing of software patches
▪ Provides security
▪ Increases uptime
▪ Ensures compliance
▪ Improves features
o Ensure patches don’t create new problems once installed
Planning
● Tracks available patches and updates and determines how to test
and deploy each patch
Testing
● Tests any patch received from a manufacturer prior to automating
its deployment through the network
● Have a small test network, lab, or machine for testing new patches before deployment
Implementing/ Implementation
● Deploys the patch to all of the workstations and servers that
require it
● Disable the Windows Update service from running automatically
on the workstation
● Also implement patching through a mobile device manager
(MDM), if needed
Auditing
● Scans the network and determines if the patch was installed
properly and if there are any unexpected failures that may have
occurred
● Also conduct firmware management for your network devices
Password Policy
▪ Specifies minimum password length, complexity, periodic changes, and
limits on password reuse
Strong Password
▪ Sufficiently long and complex which creates lots of possible combinations
for brute force attacks to be completed in time
● Long vs Complex
● Passwords should be up to 64 ASCII characters long
● Password aging policies should not be enforced
● Change default passwords
Unneeded Services
o A service is an application that runs in the background of an operating system or
device to perform a specific function
▪ Disable any services that are not needed for business operations
Least Functionality
▪ Process of configuring a device, a server, or a workstation to only provide
essential services required by the user
● AutoSecure CLI command can be used on Cisco devices
Port Security
▪ Prevents unauthorized access to a switchport by identifying and limiting
the MAC addresses of the hosts that are allowed
Static Configuration
▪ Allows an administrator to define the static MAC addresses to use on a
given switchport
Dynamic Learning
▪ Defines a maximum number of MAC addresses for a port and blocks new
devices that are not on the learned list
Private VLAN (Port Isolation)
▪ A technique where a VLAN contains switchports that are restricted to using a single uplink ● Primary ● Secondary isolated ● Secondary community
Primary VLAN
▪ Forwards frames downstream to all of the secondary VLANs
Isolated VLAN
▪ Includes switchports that can reach the primary VLAN but not other
secondary VLANs
Community VLAN
▪ Includes switchports that can communicate with each other and the
primary VLAN but not other secondary VLANs
Promiscuous Port (P-Port)
o Can communicate with anything connected to the primary or secondary VLANs ▪ Host Ports ▪ Isolated Ports (I-Port) ▪ Community Ports (C-Port) df
Isolated Port (I-Port)
o Can communicate upwards to a P-Port and cannot talk
with other I-Ports
Community Port (C-Port)
o Can communicate with P-Ports and other C-Ports on the
same community VLAN
▪ Default VLAN is known as VLAN 1
Native VLAN
▪ VLAN where untagged traffic is put once it is received on a trunk port
Dynamic ARP Inspection (DAI)
▪ Validates the Address Resolution Protocol (ARP) packets in your network
▪ Ensures only valid ARP requests and responses are relayed across the
network device
▪ Invalid ARP packets are dropped and not forwarded
DHCP Snooping
▪ Provides security by inspecting DHCP traffic, filtering untrusted DHCP
messages, and building and maintaining a DHCP snooping binding table
Untrusted Interface
▪ Any interface that is configured to receive messages from outside the
network or firewall
