Free Study Guide for Network Plus 4.6

4.6 Explain common mitigation techniques and their purposes.

Welcome to Exam Notes by CertBlaster! This Free Study Guide for Network Plus 4.6 addresses the topics covered in CompTIA’s Network+ Exam Objective 4.6 “Explain common mitigation techniques and their purposes.”

Signature management

An IDS (Intrusion Detection System) is a software program or device that detects network anomalies and sends an alert. The IDS detects statistical anomalies by comparing a network sample to a stored baseline. The IDS can also use identifiable code signatures to detect patterns from known malicious code and send an alert. These signatures must be checked and updated regularly, because the effectiveness of the device depends on having its signatures up to date. Keeping them current is known as signature management.

Generally, a network will also have an IPS (Intrusion Prevention System) which follows the same principles of detection as the IDS. The IPS also has the added capability of blocking suspicious traffic.

A HIDS (host-based intrusion detection system) is also available; it checks all the traffic to a specific host. The HIDS may include FIM (file integrity monitoring), in which case an alert is triggered when unexpected changes are made to a file. Lastly, a NIDS (network-based intrusion detection system) can be used to protect the entire network. Often, a SIEM (Security Information and Event Management) console helps manage possible intrusions or intrusion attempts.

Restricting access via ACLs

ACLs (Access Control Lists) are used to permit or deny inbound and outbound traffic. The data is examined and if it passes all the parameters from the list, the data will pass through. An ACL can have many rules and the packet must pass them all or otherwise be denied.
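As an added example (not part of the CertBlaster guide), here is a small ACL evaluator in Python. It assumes the convention used by most router ACLs: rules are checked top down, the first rule whose every parameter matches the packet decides, and a packet matching no rule hits an implicit deny at the end of the list; the addresses and rules are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional
from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any port

    def matches(self, pkt: dict) -> bool:
        """The rule applies only if every parameter it lists matches the packet."""
        if self.proto != "any" and pkt["proto"] != self.proto:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


def evaluate(acl: List[Rule], pkt: dict) -> str:
    """Return 'permit' or 'deny' for a packet: the first matching rule wins."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # implicit deny: nothing matched, so the packet is dropped


# Constructed inbound ACL for an Internet-facing interface
INBOUND_ACL = [
    Rule("deny",   "any", "192.168.0.0/16", "0.0.0.0/0",       None),  # spoofed private source
    Rule("permit", "tcp", "0.0.0.0/0",      "203.0.113.10/32", 443),   # HTTPS to the web server
    Rule("permit", "tcp", "0.0.0.0/0",      "203.0.113.10/32", 80),    # HTTP to the web server
    # everything else falls through to the implicit deny
]


def check(proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Evaluate one constructed packet against INBOUND_ACL."""
    return evaluate(INBOUND_ACL, {"proto": proto, "src": src, "dst": dst, "dport": dport})
```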

Device hardening

All network devices come configured with default settings. Be sure that none of the network devices are using the default settings. The items covered in the test objectives are presented here.

Change native VLAN

Each switch has a default VLAN, to which any port not assigned to a specific VLAN belongs. Separately, each trunk has its own native (not default) VLAN that carries the trunk's untagged traffic, typically VLAN 1. Some management protocols are also configured to use VLAN 1, which mixes management data with other untagged traffic on the link. In this case, move the native VLAN to another, unused VLAN number. The management protocols will then still use VLAN 1 while other untagged traffic uses the new native VLAN number.

Switch port protection

The STP (Spanning Tree Protocol) prevents traffic loops on switched networks by discovering the best path for the traffic and blocking any redundant paths until they are needed. The switches exchange STP data using BPDUs (Bridge Protocol Data Units). The integrity of the STP data requires some additional safeguards. BPDU guard prevents ports connected to servers and host devices from being treated as valid STP paths by the switch.

Root guard prevents any switch beyond the protected port from becoming the root bridge.

DHCP snooping is a security feature built into switches that allows the switch to drop unacceptable DHCP traffic. This is needed when a rogue DHCP server offers addresses on the network: with snooping enabled, the switch will only accept DHCP server packets from trusted DHCP servers.
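As an added example (not part of the CertBlaster guide), the Python model below shows what a switch running DHCP snooping does with each DHCP message. It assumes the usual implementation, in which trust is configured per switch port: server messages (OFFER, ACK, NAK) are only accepted from trusted ports, client messages whose source MAC does not match the DHCP client hardware address are dropped, and legitimate leases are recorded in a binding table. Port names, MAC addresses and IP addresses are constructed.

```python
from typing import Dict, List, Tuple

# DHCP message types only a server should send; an untrusted (client-facing)
# port must never be the source of these.
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    """Minimal model of a switch with DHCP snooping enabled."""

    def __init__(self, trusted_ports: List[str]) -> None:
        self.trusted = set(trusted_ports)               # uplinks toward real DHCP servers
        self.client_ports: Dict[str, str] = {}          # client MAC -> port it was heard on
        self.bindings: Dict[str, Tuple[str, str]] = {}  # client MAC -> (leased IP, port)
        self.dropped: List[dict] = []

    def handle(self, frame: dict) -> str:
        port, msg = frame["port"], frame["type"]
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:
                self.dropped.append(frame)              # rogue DHCP server on an access port
                return "drop"
            if msg == "ACK" and frame["chaddr"] in self.client_ports:
                # A lease from a trusted server goes into the snooping binding table
                self.bindings[frame["chaddr"]] = (frame["yiaddr"], self.client_ports[frame["chaddr"]])
            return "forward"
        # Client message: the frame's source MAC must match the DHCP client hardware address
        if frame["src_mac"] != frame["chaddr"]:
            self.dropped.append(frame)
            return "drop"
        self.client_ports[frame["chaddr"]] = port
        return "forward"


# Constructed sample traffic: Gi0/1 is the trusted uplink, Gi0/5 and Gi0/7 are access ports
SAMPLE_FRAMES = [
    {"port": "Gi0/5", "type": "DISCOVER", "src_mac": "aa:aa:aa:aa:aa:01", "chaddr": "aa:aa:aa:aa:aa:01"},
    {"port": "Gi0/7", "type": "OFFER", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "10.0.0.99"},  # rogue server
    {"port": "Gi0/1", "type": "OFFER", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "10.0.0.20"},  # real server
    {"port": "Gi0/5", "type": "REQUEST", "src_mac": "aa:aa:aa:aa:aa:01", "chaddr": "aa:aa:aa:aa:aa:01"},
    {"port": "Gi0/1", "type": "ACK", "chaddr": "aa:aa:aa:aa:aa:01", "yiaddr": "10.0.0.20"},
    {"port": "Gi0/7", "type": "DISCOVER", "src_mac": "bb:bb:bb:bb:bb:02", "chaddr": "cc:cc:cc:cc:cc:03"},  # spoofed
]


def run(frames: List[dict], trusted_ports: List[str]) -> Tuple[SnoopingSwitch, List[str]]:
    """Feed frames through a snooping switch and return it with the per-frame verdicts."""
    switch = SnoopingSwitch(trusted_ports)
    return switch, [switch.handle(f) for f in frames]
```

Running `run(SAMPLE_FRAMES, ["Gi0/1"])` drops the rogue OFFER on Gi0/7 and the spoofed DISCOVER, while the real server's OFFER and ACK are forwarded and the resulting lease is recorded against the client's port.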

Figure: screenshot of a DHCP configuration panel

Network segmentation

Network segmentation is used to improve network performance and enhance security. One common implementation of network segmentation is the DMZ, a network segment between the Internet and the firewall where externally available hosts are placed. These hosts are reachable by external users, while the firewall blocks unwanted traffic from entering the internal network, allowing it to operate normally. The DMZ can also contain an intentionally vulnerable honeypot or honeynet intended to attract hackers and capture their intrusion methods.

Privileged user account

By default, privileged user accounts have the highest level of permission. These accounts have specific guidelines for use. The privileged user account should only be used when necessary and should be protected by complex passwords.

A lower-level user account should be used for regular tasks. These lower-level accounts can be created and modified to suit the user’s tasks. It is possible to configure the privileged user account to only be available from a certain location or for a specific duration. Since these privileged user accounts are so powerful, they receive a high level of monitoring and scrutiny.

Figure: screenshot of the Control Panel User Account window

Role separation

When an account is created, it should only give the user the minimum privileges and permissions necessary to perform their duties. RBAC (role-based access control) can be used to create user groups with specific capabilities. A user can be assigned to one or more groups as needed unless role separation is enforced. Role separation restricts users to only one group. If a user belongs to more than one group, they will not be able to perform the tasks of any of their groups.
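As an added example (not part of the CertBlaster guide), the Python snippet below implements the RBAC rule just described: permissions come from group membership, and when role separation is enforced a user in more than one group gets the permissions of none of them. The roles, permissions and user names are constructed.

```python
from typing import Dict, Set

# Constructed role definitions: role (group) -> permissions it grants
ROLES: Dict[str, Set[str]] = {
    "helpdesk": {"reset_password", "view_ticket"},
    "net_admin": {"change_acl", "change_vlan", "view_ticket"},
    "auditor": {"read_logs"},
}

# Constructed assignments: user -> groups they belong to
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"helpdesk"},
    "bob": {"net_admin", "auditor"},   # two groups: blocked once role separation is enforced
}


def effective_permissions(user: str, role_separation: bool) -> Set[str]:
    """Permissions a user actually holds under RBAC.

    With role separation on, membership in more than one group yields no
    permissions from any of them; otherwise the groups' permissions are merged.
    """
    roles = ASSIGNMENTS.get(user, set())
    if role_separation and len(roles) > 1:
        return set()
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLES.get(role, set())
    return perms


def can(user: str, action: str, role_separation: bool = True) -> bool:
    """Authorization check used before performing an action."""
    return action in effective_permissions(user, role_separation)


def separation_violations() -> Dict[str, Set[str]]:
    """Audit helper: users whose multiple group memberships violate role separation."""
    return {user: roles for user, roles in ASSIGNMENTS.items() if len(roles) > 1}
```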

Penetration testing

Since network security is the primary concern, it is important to know the network’s weaknesses. Hacker tools are available to anyone and it’s a good idea to examine the network regularly. First, simulate an attack on yourself. A port scanner is a good start. Next, a vulnerability assessment will look for weaknesses and report them. The vulnerability assessment does not exploit any weaknesses found.

Penetration testing works like a vulnerability assessment; however, the test then attempts to exploit the discovered weaknesses. Penetration testing can be performed in-house or by an outside consultant.


That’s all for objective 4.6 and with that, we are concluding the whole Main Domain 4.0! Congratulations! See you in Main Domain 5.0! You will be glad to learn (if you didn’t already know) that 5.0 is the last of the Network+ domains.

We hope you enjoyed our free study guide for Network Plus 4.6. If you did, please let us know (you can use “contacts”).
