CompTIA® Network+ Exam Notes : Network Device Hardening

4. Network Security

4.5 Network device hardening

There are three basic ways of hardening.

1. Operating system hardening: Here the operating system is hardened (making tough to intrude). Few points that would help in hardening an operating system:

  • Changing default administrator account names, and passwords
  • Using file access and user access permissions
  • Applying any OS hot fixes as and when they are available

2. Network hardening: This involve the following

  • Restricting access to network shares
  • Disabling/removing protocols and services that are not required.
  • Applying Firewalls such as CheckPoint FireWall or NAT (Network Address Translation)
  • Restricting wireless access where it may lead to vulnerability

3. Application Hardening: Applications such as DNS servers, Web server, Mail servers, File and print servers can be hardened by the following means:

  • Applying latest patches and hotfixes
  • Installing anti-virus software where applicable, such as mail server
  • Changing the default user names and passwords that the applications use.

All Microsoft Windows operating systems Windows 95 and above contain built in support for File and Printer Sharing. This networking feature is useful on home networks but can be a security concern on public networks. It is preferred to disable this feature if connected to the Internet.

Disabling Unused ports: Disable Unused Ports. A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports.

Network hardening techniques:

Captive Portal: A captive portal is a Web page that the user of a public-access network is obligated to view and interact with before access is granted. Another way of describing a captive portal, is that a captive portal turns a Web browser into an authentication device. Schools, hospitals, and many different types of business enterprises use captive portal as a means for authenticating individual users on a wireless network. When a user connects to a wireless network and then opens their web browser, a specific page will appear asking the user for specific login information. When this is originally set up, usually there is an option to allow almost any user to instantly register with their own personal information (such as name, phone number, and email) or they must enter a specific login name and password

Port security: The purpose of port security is to prevent access to the LAN from un-authorized hosts. You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port.

Dynamic routing, also called adaptive routing, is a process where a router can forward data via a different route for a given destination based on the current conditions of the communication circuits within a system.

MAC Filtering: In computer networking, Media Access Control MAC Filtering (or EUI filtering, or layer 2 address filtering) refers to a security access control method whereby the 48-bit address assigned to each network card is used to determine access to the network.

Network scan allows you to determine all active devices on your network.

Active vs Passive scanning: Active scanners directly interact with endpoints by querying them with test traffic packets and reviewing each response to find vulnerabilities. Active scanning is when the tool sends a ping to each device on the network and awaits a response. The scanner then looks at the responses it gets to see if there are inconsistencies or vulnerabilities. Passive scanners "silently" glean network data to detect weaknesses without actively interacting with endpoints.

Penetration testing: Penetration Testing also called pen testing is the practice of testing a computer system, network or Web application to find vulnerabilities that an attacker could exploit.

Examples of Penetration Testing Tools: There is a wide variety of tools that are used in penetration testing and the important tools are

1. NMap- This tool is used to do port scanning, OS identification, Trace the route and for Vulnerability scanning.

2. Nessus- This is traditional network-based vulnerabilities tool.

3. Pass-The-Hash - This tool is mainly used for password cracking.

4. Traceroute can be used in conjunction with nMap to find open ports.

DHCP snooping mitigates the security risks posed by denial-of-service from rogue DHCP servers, which disrupt networks as they compete with legitimate DHCP servers that configure hosts on the network for communication.

Network hardening: This involve the following

  • Restricting access to network shares:
  • Disabling/removing protocols and services that are not required.
  • Applying Firewalls such as CheckPoint FireWall or NAT (Network Address Translation)
  • Restricting wireless access where it may lead to vulnerability

Spanning Tree Protocol (STP): STP is a Layer 2 protocol that runs on bridges and switches. The specification for STP is IEEE 802.1D. The main purpose of STP is to ensure that you do not create loops when you have redundant paths in your network. Loops are deadly to a network. During the process of Spanning-Tree Algorithm execution, some redundant ports need to be blocked. This is required to avoid bridging loops.

VLAN hopping: VLAN hopping is a computer security exploit. Here the attacker is able to send traffic from one VLAN into another.

Port Mirroring: Port mirroring also known as SPAN (Switched Port Analyzer), is a method of monitoring network traffic. With port mirroring enabled, the switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packet can be analyzed.

Previous   Contents   Next

Network+ Cram Notes Contents
certexams ad

simulationexams ad