Network+ 10-009 Objective 4.3: Apply Network Security Features, Defense Techniques, and Solutions


Network+ Exam Focus: This objective covers essential network security features including device hardening, network access control (NAC), key management, security rules, and network zones. Understanding these security concepts is crucial for protecting network infrastructure and implementing defense-in-depth strategies. Master these topics for both exam success and real-world network security implementation.

Introduction to Network Security Features and Defense Techniques

Network security is a critical aspect of modern network infrastructure, requiring a comprehensive approach that combines multiple defense layers. This objective covers the fundamental security features, techniques, and solutions that network administrators must understand to protect organizational networks from threats and vulnerabilities.

Key Network Security Concepts:

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Minimum necessary access rights
  • Zero Trust: Never trust, always verify approach
  • Security by Design: Security built into network architecture
  • Continuous Monitoring: Ongoing security assessment
  • Incident Response: Prepared response to security events

Device Hardening

Device hardening involves securing network devices by removing unnecessary services, changing default configurations, and implementing security best practices. This reduces the attack surface and makes devices more resistant to compromise.

Disable Unused Ports and Services

Port Security Benefits:

  • Attack Surface Reduction: Fewer entry points for attackers
  • Resource Conservation: Reduced CPU and memory usage
  • Performance Improvement: Better device performance
  • Compliance Requirements: Meets security compliance standards
  • Vulnerability Mitigation: Reduces potential vulnerabilities
  • Maintenance Simplification: Fewer services to maintain

Common Unused Services to Disable:

  • Telnet (Port 23): Unencrypted remote access
  • HTTP (Port 80): Unencrypted web services
  • FTP (Port 21): Unencrypted file transfer
  • SNMP v1/v2c: Insecure network management
  • CDP/LLDP: Network discovery protocols
  • Unused Routing Protocols: RIP, OSPF if not needed
  • DHCP Server: If not providing DHCP services
  • DNS Server: If not providing DNS services

Service Disablement Process:

  • Audit Current Services: Identify running services
  • Assess Necessity: Determine which services are needed
  • Document Dependencies: Check for service dependencies
  • Test in Lab: Test changes in non-production environment
  • Implement Gradually: Disable services incrementally
  • Monitor Impact: Watch for any negative effects
  • Document Changes: Record all modifications
  • Regular Review: Periodically review service requirements

Change Default Passwords

Default Password Risks:

  • Public Knowledge: Default passwords are widely known
  • Automated Attacks: Bots scan for default credentials
  • Easy Compromise: Simple to gain unauthorized access
  • Compliance Violations: Violates security standards
  • Insider Threats: Former employees may know defaults
  • Supply Chain Attacks: Compromised during manufacturing

Password Security Best Practices:

  • Complex Passwords: Use strong, complex passwords
  • Unique Passwords: Different passwords for each device
  • Regular Rotation: Change passwords periodically
  • Password Managers: Use secure password management
  • Multi-Factor Authentication: Implement MFA where possible
  • Account Lockout: Implement account lockout policies
  • Password History: Prevent password reuse
  • Secure Storage: Store passwords securely

Device-Specific Hardening:

  • Routers: Disable unnecessary routing protocols
  • Switches: Disable unused VLANs and ports
  • Firewalls: Remove default allow rules
  • Wireless APs: Disable WPS and guest networks if unused
  • Servers: Disable unnecessary Windows services
  • Network Appliances: Review and disable unused features
  • IoT Devices: Disable unnecessary connectivity features
  • Printers: Disable unused network services

Network Access Control (NAC)

Network Access Control (NAC) is a security approach that restricts network access based on device compliance, user identity, and security policies. NAC ensures that only authorized and compliant devices can access network resources.

Port Security

Port Security Features:

  • MAC Address Binding: Bind specific MAC addresses to ports
  • Maximum MAC Addresses: Limit number of MAC addresses per port
  • Violation Actions: Actions when security is violated
  • Sticky Learning: Automatically learn and bind MAC addresses
  • Aging: Remove old MAC address bindings
  • Secure MAC Addresses: Manually configured secure addresses

Port Security Violation Actions:

  • Protect: Drop packets from unauthorized MAC addresses
  • Restrict: Drop packets and increment violation counter
  • Shutdown: Disable port when violation occurs
  • Errdisable: The shutdown action leaves the port in the error-disabled state, where it stays until an administrator re-enables it or errdisable recovery brings it back up
  • Logging: Log security violations
  • SNMP Traps: Send SNMP notifications

Port Security Configuration:

  • Enable Port Security: Activate port security on interface
  • Set Maximum MACs: Configure maximum allowed MAC addresses
  • Configure Violation Action: Set response to violations
  • Sticky Learning: Enable automatic MAC learning
  • Aging Configuration: Set aging time and type
  • Manual Binding: Manually configure secure MAC addresses
  • Verification: Verify port security configuration
  • Monitoring: Monitor port security status
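The features and violation actions listed above, as an added simulation that is not from the page or any vendor: it models a secure MAC limit, sticky and static bindings, inactivity aging, and the protect, restrict and shutdown responses. Port names, MAC addresses and the minute-based clock are constructed, and treating sticky and static entries as exempt from inactivity aging is an assumption of this model.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of one switch port with port security enabled."""
    name: str
    maximum: int = 1              # maximum secure MAC addresses on the port
    violation: str = "shutdown"   # protect | restrict | shutdown
    sticky: bool = False          # sticky-learned MACs are saved to the config
    aging_time: int = 0           # inactivity aging in minutes (0 = aging off)
    secure_macs: dict = field(default_factory=dict)  # mac -> last-seen minute
    sticky_macs: set = field(default_factory=set)    # what would hit the config
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def add_static(self, mac):
        """Manually configured secure MAC; it counts against the maximum."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: secure MAC table is full")
        self.secure_macs[mac.lower()] = None        # static entries never age

    def ingress(self, src_mac, now=0):
        """Handle a frame from src_mac at minute now; return 'forward' or 'drop'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                           # port is shut down
        if src_mac in self.secure_macs:
            if self.secure_macs[src_mac] is not None:
                self.secure_macs[src_mac] = now     # refresh inactivity timer
            return "forward"
        if len(self.secure_macs) < self.maximum:    # room left: learn it
            if self.sticky:
                self.sticky_macs.add(src_mac)       # bound and written to config
                self.secure_macs[src_mac] = None    # sticky entries do not age
            else:
                self.secure_macs[src_mac] = now     # dynamic entry, ages if idle
            return "forward"
        # Table is full and this MAC is not bound: a port-security violation.
        if self.violation == "protect":
            return "drop"                           # silent drop, no counter
        self.violation_count += 1                   # restrict and shutdown count it
        self.log.append(f"{self.name}: violation from {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True                # port goes err-disabled
        return "drop"

    def age_out(self, now):
        """Inactivity aging: remove dynamic bindings idle for aging_time minutes."""
        if not self.aging_time:
            return []
        expired = [m for m, t in self.secure_macs.items()
                   if t is not None and now - t >= self.aging_time]
        for m in expired:
            del self.secure_macs[m]
        return expired
```

Note that in protect mode nothing is counted or logged, which is why the page's later advice to monitor port security status pairs better with restrict or shutdown.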

802.1X

802.1X Components:

  • Supplicant: Client device requesting network access
  • Authenticator: Network device (switch/AP) controlling access
  • Authentication Server: RADIUS server performing authentication
  • EAP: Extensible Authentication Protocol
  • RADIUS: Remote Authentication Dial-In User Service
  • VLAN Assignment: Dynamic VLAN assignment based on user

802.1X Authentication Process:

  • Port Initialization: Port starts in unauthorized state
  • EAPOL Start: Supplicant sends EAPOL-Start frame
  • Identity Request: Authenticator requests identity
  • Identity Response: Supplicant provides identity
  • RADIUS Access Request: Authenticator forwards to server
  • Authentication Challenge: Server challenges supplicant
  • Authentication Response: Supplicant responds to challenge
  • Access Decision: Server grants or denies access
  • Port Authorization: Port becomes authorized if granted

EAP Methods:

  • EAP-TLS: Certificate-based authentication
  • EAP-TTLS: Tunneled TLS authentication
  • PEAP: Protected EAP; commonly deployed as PEAP-MSCHAPv2, with MS-CHAPv2 running inside a TLS tunnel
  • EAP-FAST: Flexible Authentication via Secure Tunneling
  • EAP-MD5: Message Digest 5 (insecure)
  • EAP-SIM: GSM SIM card authentication

802.1X Benefits:

  • User Authentication: Authenticate users, not just devices
  • Dynamic VLAN Assignment: Assign VLANs based on user role
  • Centralized Management: Centralized authentication policy
  • Audit Trail: Complete authentication logging
  • Guest Access Control: Controlled guest network access
  • Compliance: Meets regulatory compliance requirements
  • Scalability: Scales to large enterprise networks
  • Integration: Integrates with existing directory services

MAC Filtering

MAC Filtering Types:

  • Allow List: Only specified MAC addresses allowed
  • Deny List: Specified MAC addresses blocked
  • Static Filtering: Manually configured MAC addresses
  • Dynamic Filtering: Automatically learned MAC addresses
  • Time-Based Filtering: MAC filtering with time restrictions
  • Role-Based Filtering: MAC filtering based on user roles

MAC Filtering Limitations:

  • MAC Spoofing: MAC addresses can be easily spoofed
  • Administrative Overhead: High maintenance requirements
  • Scalability Issues: Difficult to manage in large networks
  • Device Replacement: New devices require manual configuration
  • Guest Access: Difficult to provide temporary access
  • Mobile Devices: Challenging with frequently changing devices
  • No User Authentication: Doesn't authenticate actual users
  • Bypass Methods: Can be bypassed with MAC address changes

MAC Filtering Best Practices:

  • Combine with Other Controls: Use with 802.1X or other methods
  • Regular Updates: Keep MAC address lists current
  • Documentation: Document all MAC address assignments
  • Monitoring: Monitor for MAC address changes
  • Backup Lists: Maintain backup of MAC address lists
  • Testing: Test MAC filtering effectiveness
  • Exception Handling: Have process for temporary access
  • Security Awareness: Educate users about MAC filtering

Key Management

Key management is the process of generating, distributing, storing, and revoking cryptographic keys used for network security. Proper key management is essential for maintaining the security of encrypted communications and authentication systems.

Key Management Lifecycle:

  • Key Generation: Create cryptographically strong keys
  • Key Distribution: Securely distribute keys to authorized parties
  • Key Storage: Store keys securely with appropriate protection
  • Key Usage: Use keys according to security policies
  • Key Rotation: Regularly replace keys with new ones
  • Key Revocation: Invalidate compromised or expired keys
  • Key Destruction: Securely destroy keys when no longer needed
  • Key Recovery: Recover keys when necessary and authorized

Key Management Best Practices:

  • Strong Key Generation: Use cryptographically secure random number generators
  • Appropriate Key Length: Use keys of sufficient length for security
  • Secure Distribution: Use secure channels for key distribution
  • Hardware Security Modules: Use HSMs for key storage
  • Key Separation: Use different keys for different purposes
  • Regular Rotation: Implement regular key rotation policies
  • Backup and Recovery: Implement key backup and recovery procedures
  • Audit and Monitoring: Monitor key usage and access

Key Management Systems:

  • PKI (Public Key Infrastructure): Manages public/private key pairs
  • KMS (Key Management Service): Cloud-based key management
  • HSM (Hardware Security Module): Hardware-based key storage
  • Key Escrow: Third-party key storage for recovery
  • Key Derivation: Generate keys from master keys
  • Key Wrapping: Encrypt keys for secure storage
  • Key Splitting: Split keys across multiple parties
  • Threshold Cryptography: Require multiple parties for key operations
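An added illustration, not from the page, of key separation, rotation and revocation from a single master key: purpose keys are derived with HKDF (RFC 5869) over HMAC-SHA256 from Python's standard library, with a distinct label per purpose and version. The master key, realm name and purpose labels are constructed.

```python
import hashlib
import hmac
import secrets


def new_master_key(length=32):
    """Key generation: draw the master key from the OS CSPRNG, never random()."""
    return secrets.token_bytes(length)


def hkdf_sha256(ikm, salt, info, length):
    """HKDF extract-then-expand (RFC 5869) built from HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):                    # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


class KeyRing:
    """Versioned purpose keys derived from one master key (constructed model).

    Key separation: each purpose gets its own label, so the authentication key
    and the encryption key are unrelated even though both come from one master.
    Rotation bumps the version in the label; revocation blocks an old version.
    """

    def __init__(self, master_key, realm):
        self.master = master_key
        self.realm = realm                 # site or tenant name, used as HKDF salt
        self.current = {}                  # purpose -> current version number
        self.revoked = set()               # (purpose, version) pairs

    def derive(self, purpose, version=None, length=32):
        """Return the key for a purpose; the current version unless one is given."""
        if version is None:
            version = self.current.setdefault(purpose, 1)
        if (purpose, version) in self.revoked:
            raise PermissionError(f"{purpose} v{version} has been revoked")
        label = f"{purpose}|v{version}".encode()   # distinct per purpose+version
        return hkdf_sha256(self.master, self.realm, label, length)

    def rotate(self, purpose):
        """Key rotation: the next derive() for this purpose yields a new key."""
        self.current[purpose] = self.current.get(purpose, 1) + 1
        return self.current[purpose]

    def revoke(self, purpose, version):
        """Key revocation: mark a version that must never be derived again."""
        self.revoked.add((purpose, version))
```

Older versions stay derivable until revoked so that data protected under them can still be read during a rotation window; revoking a version is the explicit end of that window.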

Security Rules

Security rules define the policies and controls that govern network access, traffic flow, and security enforcement. These rules form the foundation of network security policies and are implemented through various security mechanisms.

Access Control List (ACL)

ACL Types:

  • Standard ACLs: Filter based on source IP address only
  • Extended ACLs: Filter based on multiple criteria
  • Named ACLs: ACLs identified by descriptive names
  • Numbered ACLs: ACLs identified by numbers
  • Time-Based ACLs: ACLs with time restrictions
  • Reflexive ACLs: Dynamic ACLs for return traffic
  • Dynamic ACLs: ACLs that change based on authentication
  • Context-Based ACLs: ACLs based on application context

ACL Components:

  • Sequence Numbers: Order of ACL entries
  • Action: Permit or deny traffic
  • Protocol: IP, TCP, UDP, ICMP, etc.
  • Source Address: Source IP address or network
  • Destination Address: Destination IP address or network
  • Source Port: Source port number or range
  • Destination Port: Destination port number or range
  • Options: Additional filtering criteria

ACL Best Practices:

  • Implicit Deny: Remember implicit deny at end of ACL
  • Order Matters: Place specific rules before general rules
  • Documentation: Document purpose of each ACL entry
  • Testing: Test ACLs in lab environment first
  • Regular Review: Periodically review and update ACLs
  • Monitoring: Monitor ACL hit counts and performance
  • Backup: Backup ACL configurations
  • Change Management: Use change management for ACL updates
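An added example, not from the page, that evaluates a Cisco-style extended ACL with wildcard masks, first-match semantics, per-entry hit counters and the implicit deny, and shows how a specific deny placed after a general permit is shadowed. The addresses, entry names and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def parse_spec(text):
    """'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'  ->  (network, wildcard)."""
    parts = text.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1]


@dataclass
class Ace:
    """One access control entry; dst_port is the 'eq' form for tcp/udp."""
    seq: int
    action: str                    # permit | deny
    protocol: str                  # ip | tcp | udp | icmp ('ip' matches all)
    src: str
    dst: str
    dst_port: Optional[int] = None
    hits: int = 0

    def matches(self, pkt):
        if self.protocol != "ip" and self.protocol != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], *parse_spec(self.src)):
            return False
        if not wildcard_match(pkt["dst"], *parse_spec(self.dst)):
            return False
        return self.dst_port is None or self.dst_port == pkt.get("dport")


class Acl:
    def __init__(self, name, entries):
        self.name = name
        self.entries = sorted(entries, key=lambda e: e.seq)   # sequence order
        self.implicit_denies = 0                              # the unseen last line

    def evaluate(self, pkt):
        """First matching entry wins; no match falls through to the implicit deny."""
        for ace in self.entries:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.action
        self.implicit_denies += 1
        return "deny"


def order_matters():
    """Same two entries in two orders, tested with a Telnet attempt from 10.1.1.20.
    With the general permit first the specific deny is shadowed: it never matches,
    which a hit count of 0 on that entry would reveal during monitoring."""
    telnet = {"proto": "tcp", "src": "10.1.1.20", "dst": "10.9.9.9", "dport": 23}
    specific_deny = lambda seq: Ace(seq, "deny", "tcp", "host 10.1.1.20", "any", 23)
    general_permit = lambda seq: Ace(seq, "permit", "ip", "10.0.0.0 0.255.255.255", "any")
    shadowed = Acl("BAD-ORDER", [general_permit(10), specific_deny(20)])
    correct = Acl("GOOD-ORDER", [specific_deny(10), general_permit(20)])
    return {"bad": (shadowed.evaluate(telnet), shadowed.entries[1].hits),
            "good": (correct.evaluate(telnet), correct.entries[0].hits)}
```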

Uniform Resource Locator (URL) Filtering

URL Filtering Methods:

  • Category-Based Filtering: Filter by website categories
  • Keyword Filtering: Filter based on URL keywords
  • Domain Filtering: Allow or block specific domains
  • IP Address Filtering: Filter based on destination IP
  • Pattern Matching: Use regex patterns for filtering
  • Reputation-Based: Filter based on site reputation
  • Time-Based Filtering: Apply filters during specific times
  • User-Based Filtering: Different filters for different users

URL Filtering Categories:

  • Malware Sites: Block known malicious websites
  • Phishing Sites: Block phishing and fraud sites
  • Adult Content: Block adult and inappropriate content
  • Social Media: Control access to social media sites
  • Streaming Media: Control video and audio streaming
  • Gaming: Control access to gaming websites
  • File Sharing: Block peer-to-peer file sharing
  • Proxy Sites: Block proxy and anonymizer sites

URL Filtering Implementation:

  • Proxy Servers: Implement URL filtering on proxy servers
  • Firewalls: Use next-generation firewalls with URL filtering
  • DNS Filtering: Filter at DNS level
  • Cloud Services: Use cloud-based URL filtering services
  • Endpoint Agents: Deploy filtering agents on endpoints
  • Network Appliances: Dedicated URL filtering appliances
  • Router Integration: URL filtering on routers
  • SD-WAN Integration: URL filtering in SD-WAN solutions

Content Filtering

Content Filtering Types:

  • Web Content Filtering: Filter web page content
  • Email Content Filtering: Filter email content and attachments
  • File Content Filtering: Filter file content and types
  • Application Content Filtering: Filter application data
  • Deep Packet Inspection: Inspect packet payload content
  • Data Loss Prevention: Prevent sensitive data exfiltration
  • Malware Scanning: Scan content for malware
  • Spam Filtering: Filter spam and unwanted messages

Content Filtering Techniques:

  • Signature-Based: Match against known patterns
  • Heuristic Analysis: Analyze behavior and characteristics
  • Machine Learning: Use AI for content classification
  • Sandboxing: Execute content in isolated environment
  • Reputation Analysis: Check content source reputation
  • Behavioral Analysis: Analyze content behavior
  • Statistical Analysis: Use statistical methods for detection
  • Hybrid Approaches: Combine multiple techniques

Content Filtering Benefits:

  • Malware Protection: Block malicious content
  • Productivity Improvement: Reduce non-work related browsing
  • Bandwidth Optimization: Reduce unnecessary bandwidth usage
  • Compliance: Meet regulatory compliance requirements
  • Legal Protection: Protect against legal liability
  • Security Enhancement: Improve overall security posture
  • Policy Enforcement: Enforce organizational policies
  • Audit Trail: Provide detailed access logs

Zones

Network zones are logical or physical segments of a network that have different security requirements and trust levels. Proper zone design and implementation are essential for network segmentation and defense-in-depth strategies.

Trusted vs. Untrusted Zones

Trusted Zone Characteristics:

  • Internal Networks: Corporate internal networks
  • High Trust Level: Assumed to be secure and trusted
  • Minimal Restrictions: Fewer security controls
  • Authenticated Users: Known and authenticated users
  • Managed Devices: Corporate-managed devices
  • Encryption: Internal traffic is often less strictly encrypted than traffic crossing untrusted zones
  • Direct Access: Direct access to internal resources
  • Monitoring: Less intensive monitoring

Untrusted Zone Characteristics:

  • Internet: Public internet connections
  • Low Trust Level: Assumed to be insecure
  • High Restrictions: Strict security controls
  • Unknown Users: Unauthenticated or unknown users
  • Unmanaged Devices: Personal or unmanaged devices
  • Strong Encryption: Strong encryption required
  • Limited Access: Restricted access to internal resources
  • Intensive Monitoring: Heavy monitoring and logging

Zone Security Controls:

  • Firewalls: Control traffic between zones
  • Intrusion Detection: Monitor for suspicious activity
  • Access Control: Restrict access based on zone trust
  • Encryption: Encrypt traffic between zones
  • Authentication: Strong authentication for zone access
  • Monitoring: Continuous monitoring of zone activity
  • Logging: Comprehensive logging of zone interactions
  • Incident Response: Rapid response to zone security events

Screened Subnet (DMZ)

DMZ Characteristics:

  • Intermediate Zone: Between trusted and untrusted zones
  • Public Services: Hosts public-facing services
  • Limited Trust: Moderate trust level
  • Controlled Access: Controlled access to internal networks
  • Isolation: Isolated from internal networks
  • Monitoring: Heavily monitored for security
  • Hardening: Hardened against attacks
  • Backup Systems: Separate backup and recovery systems

DMZ Services:

  • Web Servers: Public web applications
  • Email Servers: Public email services
  • DNS Servers: Public DNS services
  • FTP Servers: File transfer services
  • Proxy Servers: Web proxy services
  • VPN Gateways: Remote access services
  • Application Servers: Public application services
  • Media Servers: Streaming and media services

DMZ Security Considerations:

  • Firewall Rules: Strict firewall rules for DMZ access
  • Network Segmentation: Separate DMZ from internal networks
  • Access Control: Limited access to internal resources
  • Monitoring: Continuous monitoring of DMZ activity
  • Patch Management: Regular patching of DMZ systems
  • Backup and Recovery: Separate backup procedures
  • Incident Response: Specialized incident response procedures
  • Compliance: Meet compliance requirements for public services

Network Security Implementation Best Practices

Security Implementation Guidelines:

  • Defense in Depth: Implement multiple layers of security
  • Least Privilege: Grant minimum necessary access
  • Regular Updates: Keep security systems updated
  • Monitoring: Continuous monitoring and logging
  • Testing: Regular security testing and assessment
  • Documentation: Document all security configurations
  • Training: Train staff on security procedures
  • Incident Response: Prepare incident response procedures

Common Security Scenarios

Network+ exam questions often test your understanding of network security in practical scenarios. Here are common security scenarios:

Scenario-Based Questions:

  • Device Hardening: Securing network devices and services
  • NAC Implementation: Implementing network access control
  • ACL Configuration: Creating and managing access control lists
  • Zone Design: Designing secure network zones
  • Content Filtering: Implementing content and URL filtering
  • Key Management: Managing cryptographic keys
  • Security Policies: Implementing security policies
  • Incident Response: Responding to security incidents

Study Tips for Network+ Objective 4.3

Key Study Points:

  • Device Hardening: Understand port security and password management
  • NAC Technologies: Know 802.1X, port security, and MAC filtering
  • Security Rules: Understand ACLs, URL filtering, and content filtering
  • Network Zones: Know trusted vs. untrusted zones and DMZ concepts
  • Key Management: Understand cryptographic key lifecycle
  • Security Policies: Know how to implement security policies
  • Best Practices: Understand security implementation best practices
  • Troubleshooting: Practice troubleshooting security issues

Conclusion

Network security features, defense techniques, and solutions form the foundation of secure network infrastructure. Understanding device hardening, network access control, key management, security rules, and network zones is essential for implementing effective network security.

From basic device hardening to advanced network access control with 802.1X, these security concepts work together to create a comprehensive defense-in-depth strategy. Proper implementation of these security features ensures that network infrastructure is protected against threats while maintaining operational efficiency.

Next Steps: Practice implementing device hardening, configuring NAC solutions, and designing secure network zones in lab environments. Focus on hands-on experience with security technologies and understanding how different security controls work together. Mastering these network security concepts will help you design and implement secure network infrastructure effectively.