1. Secure SNMP: Simple Network Management Protocol (SNMP) is a widely used protocol for managing and monitoring network devices. However, if not properly secured, SNMP can also be a security risk. To harden SNMP, best practices include:
Restricting SNMP access to only authorized systems and devices
Changing the default SNMP community strings to complex, secure strings
Implementing encryption for SNMP messages
Disabling SNMPv1 and using only SNMPv3, which adds authentication and encryption that the earlier versions lack
2. Router Advertisement (RA) Guard: Router Advertisement (RA) Guard is a security measure that helps prevent rogue routers from advertising themselves as default gateways on a network. It works by only allowing authorized routers to send RA messages and blocking rogue RA messages from other devices. This helps prevent network misconfiguration, which can cause network downtime or security breaches.
3. Port security: Port security is a security measure that protects a switch from unauthorized devices. It restricts a switch port to a specific set of MAC addresses that are allowed to use the network. If a device with an unauthorized MAC address tries to send traffic through the port, the switch disables the port, blocking the device. This helps prevent unauthorized access and potential security breaches.
4. Dynamic ARP inspection: Dynamic ARP inspection (DAI) is a security feature that helps prevent ARP spoofing attacks by examining ARP packets on a network. Each ARP request and response is compared against a trusted table of IP-to-MAC address bindings, and packets that do not match are discarded. This prevents an attacker from mapping another host's IP address to the attacker's own MAC address and carrying out an ARP spoofing attack.
5. Control Plane Policing: Control Plane Policing (CoPP) is a security feature that protects the control plane of a network device by defining and enforcing policies for incoming control plane traffic. The control plane is responsible for managing the device's forwarding and routing tables, and if it becomes overwhelmed or compromised, the result can be network instability or service interruption. With CoPP, network administrators define which types of control plane traffic are allowed and how their processing is prioritized, which helps prevent DoS attacks and other malicious traffic from affecting the control plane.
6. Private VLANs: Private VLANs (PVLANs) are a security feature that allows isolated segments to be created within a single VLAN. Hosts in different segments of the same VLAN cannot communicate with each other, which increases security and reduces the risk of broadcast-based attacks. PVLANs can also be used to isolate different types of network traffic, such as guest or management traffic, from the main network.
7. Disable Unneeded Switchports: Disabling unneeded switchports reduces the attack surface of a network by limiting the number of active interfaces that an attacker can target. By disabling switchports that are not in use, network administrators help prevent unauthorized access and reduce the risk of rogue devices being attached to the network.
8. Disable Unneeded Network Services: Disabling unneeded network services reduces the attack surface of a network by reducing the number of services that an attacker can target. Common network services that can be disabled include Telnet, FTP, and HTTP; these are often used for remote management and send credentials in cleartext, which makes them attractive targets. By disabling these services, network administrators help prevent unauthorized access and reduce the risk of compromise.
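The practices above are easiest to verify against the device's running configuration. The following is an added example, not part of the original notes: a small Python audit that reads an IOS-style configuration text and flags default or v1/v2c SNMP community strings, communities with no ACL, SNMPv3 groups configured without privacy, Telnet and HTTP management left enabled, and access ports that are up with no description (used here only as a heuristic for "possibly unused"). Both configurations, the hostnames, the interface names and the `EXAMPLE-*` passphrases are constructed for the example.

```python
"""Audit an IOS-style running-config for the hardening items above.

Added example, not from the original notes. The two configs below are
constructed here; the checks encode the practices the notes describe:
default or v1/v2c SNMP community strings, communities not restricted by an
ACL, SNMPv3 groups without privacy, cleartext management services (Telnet,
HTTP) left on, and access ports that are up but carry no description, which
is used here as a heuristic for "possibly unused".
"""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
ACCESS_PORT_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet", "TenGigabitEthernet")


def parse_interfaces(config):
    """Return {interface name: [stanza body lines]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces


def audit(config):
    """Return a list of (category, message) findings; an empty list means clean."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)(?: (?:RO|RW))?(?: (\S+))?$", line)
        if m:
            name, acl = m.group(1), m.group(2)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(("snmp-default", f"default community string '{name}' in use"))
            findings.append(("snmp-v1v2c", f"community '{name}' enables SNMPv1/v2c; use SNMPv3 only"))
            if acl is None:
                findings.append(("snmp-no-acl", f"community '{name}' is not restricted by an ACL"))
        m = re.match(r"snmp-server group \S+ v3 (noauth|auth)\b", line)
        if m:
            findings.append(("snmpv3-no-priv", f"SNMPv3 group uses '{m.group(1)}'; use 'priv' for encryption"))
        if line == "ip http server":
            findings.append(("http", "cleartext HTTP management server enabled"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(("telnet", "Telnet accepted on VTY lines; allow SSH only"))
    for name, body in parse_interfaces(config).items():
        if not name.startswith(ACCESS_PORT_PREFIXES):
            continue
        if "shutdown" not in body and not any(l.startswith("description") for l in body):
            findings.append(("unused-port-up", f"{name} is up with no description; confirm it is needed or shut it down"))
    return findings


# Constructed sample: a switch left close to its defaults.
WEAK_CONFIG = """\
hostname sw-weak
snmp-server community public RO
snmp-server community private RW
ip http server
!
interface GigabitEthernet0/1
 description uplink-to-core
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode access
!
line vty 0 4
 transport input telnet ssh
!
"""

# Constructed sample: the same switch after applying the practices above
# (EXAMPLE-AUTH-PASS / EXAMPLE-PRIV-PASS are placeholders, not real secrets).
HARDENED_CONFIG = """\
hostname sw-hardened
snmp-server group NMS-GROUP v3 priv access 10
snmp-server user nms-poller NMS-GROUP v3 auth sha EXAMPLE-AUTH-PASS priv aes 128 EXAMPLE-PRIV-PASS
no ip http server
!
interface GigabitEthernet0/1
 description uplink-to-core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description unused
 shutdown
!
line vty 0 4
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for category, message in audit(cfg):
            print(f"  [{category}] {message}")
```

The parser deliberately treats any non-indented line as the end of an interface stanza, which is how IOS-style configs separate blocks; the "no description" check is a heuristic that needs a human to confirm which ports are really unused before shutting them down.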
Explain the following network hardening practices
1. Change default passwords: Changing the default passwords on all devices in a network, including switches, routers, firewalls, etc., is a critical step in hardening a network. It prevents unauthorized access by attackers who know the vendors' default passwords.
2. Password complexity/length: To further strengthen network security, use strong passwords that contain a mix of upper-case and lower-case letters, numbers, and symbols, and that are at least 8 characters long.
3. Enable DHCP snooping: DHCP snooping is a feature enabled on switches that validates DHCP messages received on the network. It protects against DHCP spoofing by preventing unauthorized DHCP servers from assigning IP addresses to devices on the network.
4. Change default VLAN: Changing the default VLAN for a network helps prevent unauthorized access to the network by attackers who are familiar with the default VLAN. By changing the default VLAN, network administrators can ensure that devices on the network are only able to communicate with authorized devices and are not exposed to threats from other devices on the same VLAN.
5. Patch and firmware management: This involves regularly updating software and firmware on network devices to address known vulnerabilities and improve the security posture. It is important to keep the software and firmware up to date, as vendors often release patches for known security vulnerabilities.
6. Access control list: Access control lists (ACLs) are used to define the type of traffic that is permitted or denied on a network. These lists can be configured on routers, switches, firewalls, and other network devices to control the flow of traffic based on source and destination IP addresses, protocols, and port numbers.
7. Role-based access: This type of access control is based on the role of the user within an organization. Access is granted based on the user's role and job responsibilities, rather than their individual identity. This helps to enforce the principle of least privilege and reduces the risk of unauthorized access to sensitive information.
Firewall rules can be divided into two types:
1. Explicit Deny: This type of firewall rule is set by the administrator with the intention of explicitly denying access for a user or group. This type of rule takes precedence over all other settings that allow access.
2. Implicit Deny: This type of firewall rule states that any traffic that does not match a specified rule will be denied access by default. This acts as a security measure in case there is no specific rule defined to allow or deny traffic.
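Both rule types are easiest to understand by running a rule set against sample traffic. The following is an added example, not part of the original notes: a Python evaluator for a first-match ACL with an implicit deny, plus a check for rules that an earlier, broader rule prevents from ever matching. That check matters because on a first-match device an explicit deny only takes precedence when it is ordered before the permits that would otherwise cover the same traffic. The rules, addresses and packets are constructed for the example.

```python
"""Evaluate a first-match firewall/ACL rule set with an implicit deny.
Added example, not from the original notes; the rules, addresses and
packets are constructed here. evaluate() returns the action and which rule
decided it (or "implicit deny" when nothing matched); shadowed() flags
rules that an earlier, broader rule prevents from ever matching, which is
how an explicit deny placed after a permit silently stops taking effect.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    dst_port: Optional[int] = None   # None = any port
    name: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None


def _net(cidr):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def matches(rule, pkt):
    """True if the packet's protocol, addresses and port all fall within the rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    for cidr, ip in ((rule.src, pkt.src_ip), (rule.dst, pkt.dst_ip)):
        net = _net(cidr)
        if net is not None and ipaddress.ip_address(ip) not in net:
            return False
    return rule.dst_port is None or rule.dst_port == pkt.dst_port


def evaluate(rules, pkt):
    """First matching rule decides; anything unmatched hits the implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, f"rule {i} ({rule.name})"
    return "deny", "implicit deny"


def _covers(broad, narrow):
    """True if every packet matching `narrow` also matches `broad`."""
    if broad.proto not in ("any", narrow.proto):
        return False
    for b, n in ((broad.src, narrow.src), (broad.dst, narrow.dst)):
        if b == "any":
            continue
        if n == "any" or not _net(n).subnet_of(_net(b)):
            return False
    return broad.dst_port is None or broad.dst_port == narrow.dst_port


def shadowed(rules):
    """Return (index, shadowing index) pairs for rules that can never match."""
    return [(i, j) for i, r in enumerate(rules) for j in range(i) if _covers(rules[j], r)]


# Constructed rule set protecting one intranet server (192.168.100.10).
QUARANTINE_DENY = Rule("deny", "tcp", "10.20.30.0/24", "192.168.100.10/32", 443, "deny-quarantined-hosts")
INTRANET_PERMIT = Rule("permit", "tcp", "10.0.0.0/8", "192.168.100.10/32", 443, "intranet-https")
ADMIN_PERMIT = Rule("permit", "tcp", "10.0.0.0/8", "192.168.100.10/32", 22, "admin-ssh")

RULES = [QUARANTINE_DENY, INTRANET_PERMIT, ADMIN_PERMIT]        # explicit deny ordered first
MISORDERED = [INTRANET_PERMIT, ADMIN_PERMIT, QUARANTINE_DENY]   # same rules, deny now shadowed

SAMPLE_PACKETS = [  # constructed traffic
    Packet("tcp", "10.1.1.5", "192.168.100.10", 443),      # normal intranet user
    Packet("tcp", "10.20.30.7", "192.168.100.10", 443),    # host in the quarantined subnet
    Packet("tcp", "10.1.1.5", "192.168.100.10", 23),       # Telnet: no rule, implicit deny
    Packet("udp", "172.16.0.1", "192.168.100.10", 53),     # wrong protocol and source
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "->", evaluate(RULES, pkt), "| misordered:", evaluate(MISORDERED, pkt))
    print("shadowed in MISORDERED:", shadowed(MISORDERED))
```

Running `shadowed()` over a rule set before deployment catches the common mistake this illustrates: the quarantine deny is present in both lists, but in `MISORDERED` the broader `intranet-https` permit matches first, so the quarantined host is let through.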