CompTIA® Network+ Exam Notes : Common Mitigation Techniques And Their Purpose

4. Network Security

4.6 Common mitigation techniques and their purpose

Network Segmentation:

The following are the advantages of network segmentation:

Extending the network - When the maximum physical limits of a network have been reached, routers may be added to create new segments that allow additional hosts onto the LAN.

Reduce congestion - As the number of hosts on a single network increases, so does the bandwidth required. By segmenting the LAN, you reduce the number of hosts per network. If traffic consists of communications between hosts on the same segment, bandwidth usage is substantially reduced.

Isolate network problems - By dividing the network into smaller segments, you limit the spread of problems from one segment to the next. Hardware and software failures are examples of problems that can then be contained to smaller portions of the network.

Improve security - By using segments, a network administrator can ensure that the internal structure of the network is not visible from an outside source. Privileged packets will only be broadcast on the subnet they originated from, not throughout the network.

VLANs - LAN switches can group individual ports into logical switched workgroups called VLANs, thereby restricting the broadcast domain to designated VLAN member ports.


A broadcast storm means that your network is overwhelmed with constant broadcast or multicast traffic. Segmenting the network may not help in the event of a broadcast storm.

DMZ: DMZ stands for DeMilitarized Zone. Normally, resources that are intended to be accessible over the Internet are prone to hacking or abuse. By separating the resources that are intended to be accessed over the Internet, it is possible to improve the security of the internal private network. In a DMZ, you place all the resources accessible over the Internet behind a firewall. The firewall separates the DMZ from the internal network.

Your network has 100 nodes on a single broadcast domain. You have implemented VLANs and segmented the network to have 2 VLANs of 50 nodes each. The resulting broadcast traffic effectively decreases by half.

By implementing VLANs

1. The effective broadcast traffic decreases, since VLANs do not forward the broadcast traffic from one VLAN to another.

2. Security can be improved by implementing a router (a Layer 3 device) to route packets among VLANs.

Honeypot: Honeypots are designed so that they appear to be real targets to hackers; that is, a hacker cannot distinguish between a real system and a decoy. This enables lawful action to be taken against the hacker while securing the systems at the same time.

Penetration testing: Penetration testing, also called pen testing, is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit.

Switch port protection:

Spanning Tree Protocol (STP) is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network.

During execution of the Spanning-Tree Algorithm, some redundant ports need to be blocked to avoid bridging loops. To choose which port forwards frames and which port is blocked, the Spanning-Tree Protocol uses the following three components:

1. Path cost: The port with the lowest path cost is placed in forwarding mode. Other ports are placed in blocking mode.

2. Bridge ID: If the path costs are equal, the bridge ID is used to determine which port should forward. The port with the lowest bridge ID is elected to forward, and all other ports are blocked.

3. Port ID: If the path cost and bridge ID are equal, the port ID is used to elect the forwarding port. The lowest port ID is chosen to forward. This situation may arise when there are parallel links used for redundancy.

BPDU guard: If any BPDU (superior or not) is received on a port configured with BPDU guard, the port is immediately put into the errdisable state. The port is effectively shut down and must be re-enabled either manually or by a timeout function. By default, it is disabled on all ports.

Root guard: When configured at the interface level, root guard shuts the port down as soon as the port receives a superior BPDU. By default, it is disabled on all switch ports.
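As an added example (not from these notes), the three STP tie-breakers and the BPDU guard rule worked out in Python: each port holds the BPDU it received, a guarded port that receives any BPDU goes to errdisable, and the remaining ports compete on (path cost, bridge ID, port ID). Port names and BPDU values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Bpdu:
    """The BPDU fields the three tie-breakers look at (lower always wins)."""
    path_cost: int   # root path cost advertised on this port
    bridge_id: int   # sending bridge ID (priority + MAC)
    port_id: int     # sending port ID, decides between parallel links

@dataclass
class Port:
    name: str
    bpdu: Optional[Bpdu] = None   # last BPDU received, None if nothing arrived
    bpdu_guard: bool = False      # access port that should never see a BPDU
    state: str = "listening"

def apply_bpdu_guard(ports: List[Port]) -> None:
    """BPDU guard: any BPDU, superior or not, on a guarded port puts it into
    errdisable, where it stays until re-enabled manually or by a recovery timer."""
    for p in ports:
        if p.bpdu_guard and p.bpdu is not None:
            p.state = "errdisable"

def select_forwarding_port(ports: List[Port]) -> Dict[str, str]:
    """Among redundant ports still participating, forward on the one whose BPDU
    is lowest on (path cost, bridge ID, port ID) and block all the others."""
    apply_bpdu_guard(ports)
    candidates = [p for p in ports if p.bpdu is not None and p.state != "errdisable"]
    if candidates:
        best = min(candidates,
                   key=lambda p: (p.bpdu.path_cost, p.bpdu.bridge_id, p.bpdu.port_id))
        for p in candidates:
            p.state = "forwarding" if p is best else "blocking"
    return {p.name: p.state for p in ports}

if __name__ == "__main__":
    # Constructed scenario: two parallel uplinks from the same neighbour with equal
    # path cost, so the port ID breaks the tie, plus a BPDU-guarded access port
    # that unexpectedly receives a BPDU.
    switch = [
        Port("Gi0/1", Bpdu(path_cost=19, bridge_id=0x1000, port_id=0x8002)),
        Port("Gi0/2", Bpdu(path_cost=19, bridge_id=0x1000, port_id=0x8001)),
        Port("Fa0/10", Bpdu(0, 0x0001, 0x8001), bpdu_guard=True),
    ]
    print(select_forwarding_port(switch))
    # {'Gi0/1': 'blocking', 'Gi0/2': 'forwarding', 'Fa0/10': 'errdisable'}
```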

Flood guard: A flood guard protects against Denial of Service (DoS) flooding attacks. A SYN attack, or SYN flood, is one example of a DoS flooding attack. ARP spoofing is falsifying ARP responses, typically used to perform a localized man-in-the-middle attack, not a flood. DNS poisoning is used to falsify the IP address received when a fully qualified domain name (FQDN) is resolved; Domain Name System (DNS) poisoning is used in pharming attacks as well as man-in-the-middle attacks, not flooding. MAC hijacking occurs when an attacker spoofs their MAC address as that of someone else; this is not a flooding attack.

DHCP snooping: DHCP snooping is a Layer 2 security technology built into the operating system of a capable network switch that drops DHCP traffic determined to be unacceptable. Its fundamental use case is to prevent unauthorized (rogue) DHCP servers from offering IP addresses to DHCP clients.
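As an added example (not from these notes), the rule DHCP snooping enforces, written out in Python over constructed sample traffic: server messages arriving on an untrusted access port are dropped, and leases accepted from the trusted uplink build a binding table. The source-MAC check on client frames is a further check many snooping implementations perform; port names, MACs and addresses are made up.

```python
from typing import Dict, List, Tuple

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}

# Constructed sample traffic. Gi0/24 is the uplink to the legitimate DHCP server;
# a rogue server on access port Gi0/7 answers the same client.
PACKETS = [
    {"port": "Gi0/1",  "type": "DHCPDISCOVER", "src_mac": "aa:aa:aa:aa:aa:01", "chaddr": "aa:aa:aa:aa:aa:01"},
    {"port": "Gi0/24", "type": "DHCPOFFER",    "src_mac": "00:11:22:33:44:55", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "10.0.0.50"},
    {"port": "Gi0/7",  "type": "DHCPOFFER",    "src_mac": "de:ad:be:ef:00:01", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "192.168.66.50"},
    {"port": "Gi0/1",  "type": "DHCPREQUEST",  "src_mac": "aa:aa:aa:aa:aa:01", "chaddr": "aa:aa:aa:aa:aa:01"},
    {"port": "Gi0/24", "type": "DHCPACK",      "src_mac": "00:11:22:33:44:55", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "10.0.0.50"},
    {"port": "Gi0/7",  "type": "DHCPACK",      "src_mac": "de:ad:be:ef:00:01", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "192.168.66.50"},
    # client frame whose Ethernet source does not match the DHCP client address field
    {"port": "Gi0/9",  "type": "DHCPDISCOVER", "src_mac": "bb:bb:bb:bb:bb:09", "chaddr": "aa:aa:aa:aa:aa:01"},
]

def snoop(packets: List[dict], trusted_ports: set) -> Dict[str, object]:
    """Apply the snooping rules and return what was forwarded, what was dropped
    (with a reason), and the binding table built from accepted ACKs."""
    forwarded, dropped = [], []
    client_port: Dict[str, str] = {}           # chaddr -> access port it came from
    bindings: Dict[str, Tuple[str, str]] = {}  # chaddr -> (leased IP, port)
    for p in packets:
        port, kind = p["port"], p["type"]
        if port in trusted_ports:
            forwarded.append((port, kind))      # trusted uplink: forward everything
            if kind == "DHCPACK":               # a completed lease becomes a binding
                bindings[p["chaddr"]] = (p["yiaddr"], client_port.get(p["chaddr"], "?"))
            continue
        if kind in SERVER_MSGS:                 # rogue server on an access port
            dropped.append((port, kind, "server message on untrusted port"))
        elif p["src_mac"] != p["chaddr"]:       # MAC verification of client frames
            dropped.append((port, kind, "source MAC does not match chaddr"))
        else:
            client_port[p["chaddr"]] = port
            forwarded.append((port, kind))
    return {"forwarded": forwarded, "dropped": dropped, "bindings": bindings}

if __name__ == "__main__":
    result = snoop(PACKETS, trusted_ports={"Gi0/24"})
    for port, kind, reason in result["dropped"]:
        print(f"dropped {kind} on {port}: {reason}")
    print("bindings:", result["bindings"])
```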


Shortest Path Bridging (SPB) is specified by the IEEE 802.1aq standard and is intended to simplify the creation of robust networks by enabling multipath routing.

Rapid Spanning Tree handles the addition or removal of Layer 2 links in the network.
