Domain 4 of 5 · Chapter 8 of 8

Security Hardening and Defense

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing CompTIA Network+ premium course — no separate purchase.

Included in this chapter:

  • Device hardening: shrink the attack surface
  • Network Access Control: admission and posture
  • ACLs, filtering, and trusted zones
  • Exam-pattern recognition

Switch-port hardening controls and the attack each stops

ControlAttack it stopsHow it worksWhere it acts
DHCP snoopingRogue DHCP server / DHCP starvationOnly trusted uplink ports may send DHCP server replies; builds a binding table of IP-to-MAC-to-portAccess switch, per VLAN
Dynamic ARP inspection (DAI)ARP poisoning / on-path spoofingValidates ARP packets against the DHCP snooping binding table and drops forged onesAccess switch, requires DHCP snooping
Port security (sticky MAC)MAC flooding / unauthorized deviceLimits the number of MAC addresses per port and learns/pins allowed MACs; violation disables or restricts the portIndividual access port
Disable unused portsUnauthorized physical connectionAdministratively shuts down every port not in active useEvery unused access port

Decision tree

What is the hardening goal?Secure one device?router/switch/APAdmit only healthy?at connect timeFilter traffic?by addr or by sitePublicserver?Disable ports/services,SSH/HTTPS, patchchange default credsNAC posture check802.1X + quarantine VLANACL (IP/port)URL/content filterby addressby websiteScreenedsubnet (DMZ)Always on access ports: DHCP snooping, dynamic ARP inspection,port security (sticky MAC), and disable unused ports

Cheat sheet

  • Hardening means subtracting: change defaults, disable the unused, patch
  • Change default credentials before a device ever goes live
  • Disable unused ports and services so they can't be a way in
  • Patch firmware to close known vulnerabilities
  • Replace Telnet with SSH; the swap, not the toggle, is the answer
  • Use HTTPS for the device GUI, SFTP for file transfer
  • Prefer SNMPv3 because v1/v2c send community strings in cleartext
  • NAC makes an admission decision the moment a device connects
  • A NAC posture check admits only healthy, compliant devices
  • Non-compliant devices are quarantined to a remediation VLAN, not just blocked
  • Agent-based NAC inspects deeply; agentless covers unmanaged devices
  • An ACL is read top-down and stops at the first match
  • Every ACL ends in an implicit deny-all
  • Write ACLs most-specific first and place them near the source
  • Block websites with URL/content filtering, not an IP ACL
  • Trusted and untrusted zones express trust as topology
  • Host public servers in a screened subnet (DMZ) between the zones
  • DHCP snooping blocks rogue DHCP servers and builds the binding table
  • Dynamic ARP inspection stops ARP poisoning using the snooping table
  • Port security limits MACs per port to stop MAC flooding
  • Key management protects the keys the rest of security depends on
  • An IDS only detects and alerts; an IPS sits inline and blocks in real time
  • An inline IPS signature is the compensating control when you cannot patch yet
  • A vulnerability scanner proactively finds known CVE weaknesses, it does not block attacks
  • A firewall enforces access policy by permitting or denying traffic on IP, protocol, and port
  • An inbound ACL on the border router is the fastest way to block a known malicious source range

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST National Vulnerability Database — CVE vulnerability search
  2. RFC 3411 — An Architecture for SNMP Management Frameworks (SNMPv3 security subsystem) Whitepaper
  3. IEEE 802.1X-2020 — Port-Based Network Access Control Whitepaper
  4. NIST Glossary — Network Access Control (NAC) Whitepaper
  5. NIST SP 800-41 Rev. 1 — Guidelines on Firewalls and Firewall Policy (deny-by-default, screened subnet/DMZ) Whitepaper