Security Hardening and Defense
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing CompTIA Network+ premium course — no separate purchase.
Included in this chapter:
- Device hardening: shrink the attack surface
- Network Access Control: admission and posture
- ACLs, filtering, and trusted zones
- Exam-pattern recognition
Switch-port hardening controls and the attack each stops
| Control | Attack it stops | How it works | Where it acts |
|---|---|---|---|
| DHCP snooping | Rogue DHCP server / DHCP starvation | Only trusted uplink ports may send DHCP server replies; builds a binding table of IP-to-MAC-to-port | Access switch, per VLAN |
| Dynamic ARP inspection (DAI) | ARP poisoning / on-path spoofing | Validates ARP packets against the DHCP snooping binding table and drops forged ones | Access switch, requires DHCP snooping |
| Port security (sticky MAC) | MAC flooding / unauthorized device | Limits the number of MAC addresses per port and learns/pins allowed MACs; violation disables or restricts the port | Individual access port |
| Disable unused ports | Unauthorized physical connection | Administratively shuts down every port not in active use | Every unused access port |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- NIST National Vulnerability Database — CVE vulnerability search
- RFC 3411 — An Architecture for SNMP Management Frameworks (SNMPv3 security subsystem) Whitepaper
- IEEE 802.1X-2020 — Port-Based Network Access Control Whitepaper
- NIST Glossary — Network Access Control (NAC) Whitepaper
- NIST SP 800-41 Rev. 1 — Guidelines on Firewalls and Firewall Policy (deny-by-default, screened subnet/DMZ) Whitepaper