
Network Hardening Basics for CompTIA Network+ N10-009

Network hardening involves securing network devices and infrastructure against attack. CompTIA Network+ N10-009 includes basic hardening concepts in the Implementation domain as part of deploying secure networks. You must understand port security, disabling unused services, securing management interfaces, and fundamental switch/router security practices that reduce attack surface without requiring deep security expertise.


Switch Security Hardening

Port security: limits which MAC addresses can connect to a switch port. Configure the maximum number of MAC addresses allowed, and specify the action when a violation occurs: Shutdown (most common — port goes err-disabled), Restrict (log and discard violating frames), or Protect (silently discard). Use sticky learning to automatically add current MAC addresses to the secure list without manual entry.
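The following Python model of a port-security-enabled access port is an added example, not code from the original page or from any vendor; it assumes a simplified single-port state machine with a maximum MAC count, sticky learning, and the three violation actions described above (shutdown, restrict, protect).

```python
from dataclasses import dataclass, field

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class SecurePort:
    """Simplified model of one access port with port security enabled."""
    max_macs: int = 1
    violation: str = SHUTDOWN
    sticky: bool = False
    secure_macs: set = field(default_factory=set)   # learned secure addresses
    sticky_macs: set = field(default_factory=set)   # learned AND saved to config
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process an ingress frame; True = forwarded, False = discarded."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                      # port is down for every device
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_macs:
            self.secure_macs.add(mac)         # dynamically learned address
            if self.sticky:
                self.sticky_macs.add(mac)     # sticky: also written to config
            return True
        # Secure list is full and this MAC is not on it: a violation.
        if self.violation == SHUTDOWN:
            self.violations += 1
            self.err_disabled = True
            self.log.append(f"{mac}: violation, port err-disabled")
        elif self.violation == RESTRICT:
            self.violations += 1
            self.log.append(f"{mac}: violation, frame dropped")
        # PROTECT discards silently: no log entry and no counter increment.
        return False

    def running_config(self) -> list:
        """Persistent config lines; only sticky-learned MACs are saved."""
        lines = [f"switchport port-security maximum {self.max_macs}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for m in sorted(self.sticky_macs):
            lines.append(f"switchport port-security mac-address sticky {m}")
        return lines
```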

Disable unused ports: configure unused switch ports in a 'parking' VLAN (unused VLAN not routed anywhere) and administratively shut them down. This prevents unauthorized devices from plugging into empty ports and gaining network access.

BPDU Guard and Root Guard: BPDU Guard disables ports that receive unexpected STP BPDUs (protects against rogue switches). Root Guard prevents external switches from becoming the STP root bridge. Both are hardening controls for the spanning tree process.

Disable DTP (Dynamic Trunking Protocol): DTP automatically negotiates trunk ports, which an attacker can exploit to create unauthorized trunks. Disable DTP on all access ports by setting them explicitly to access mode and disabling negotiation.

Router and Device Hardening

Change default credentials: all network devices ship with default usernames and passwords — always change them on first deployment. Weak or default credentials are responsible for a large percentage of unauthorized access incidents.

Disable unused services and protocols: Telnet (use SSH instead), HTTP management (use HTTPS), CDP/LLDP (disable on external-facing interfaces), unnecessary routing protocols (disable RIP if using OSPF), and unused physical interfaces.

Secure management interfaces: configure management access through a dedicated out-of-band (OOB) management network or a management VLAN. Restrict management access by source IP using ACLs — only allow SSH/HTTPS from the management workstation subnet. Use SNMPv3 (with authentication and encryption) instead of SNMPv1/v2 (no encryption).

Firmware/IOS updates: keep network device firmware and OS current. Manufacturers regularly release security patches for vulnerabilities. Establish a patch management process for network infrastructure.
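As an added example (not from the original page or any vendor tool), this Python checker reads a constructed Cisco-style running-config and flags the hardening gaps listed in the last two sections: Telnet on the VTY lines, HTTP management without HTTPS, SNMPv1/v2c community strings, and access ports that are up but lack DTP disable or BPDU Guard. The config text and the CLI keywords it matches are assumptions for illustration.

```python
# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-sw1
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
interface GigabitEthernet0/1
 switchport mode access
 switchport nonegotiate
 spanning-tree bpduguard enable
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/3
 shutdown
"""


def parse_config(text: str):
    """Split a config into global lines and a per-interface line list."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # back to global config (incl. line vty)
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text: str) -> list:
    """Return hardening findings as (scope, description) tuples."""
    g, ifs = parse_config(text)
    findings = []
    if "ip http server" in g and "ip http secure-server" not in g:
        findings.append(("global", "HTTP management enabled; use HTTPS"))
    if any(l.startswith("snmp-server community") for l in g):
        findings.append(("global", "SNMPv1/v2c community string; use SNMPv3"))
    if any(l.startswith("transport input") and "telnet" in l for l in g):
        findings.append(("global", "Telnet allowed on VTY lines; use SSH only"))
    for name, lines in ifs.items():
        if "shutdown" in lines or "switchport mode access" not in lines:
            continue                # already disabled, or not an access port
        if "switchport nonegotiate" not in lines:
            findings.append((name, "DTP not disabled on access port"))
        if "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "BPDU Guard not enabled"))
    return findings
```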

Network Access Control (NAC)

NAC (Network Access Control) evaluates endpoints before allowing network access. Policy enforcement: check that the connecting device has current AV signatures and OS patches and complies with security policy before granting access. Non-compliant devices are quarantined to a remediation VLAN. 802.1X port-based authentication integrates with NAC — authenticate users and devices before granting switch port or wireless access.

802.1X components: Supplicant (the client device with 802.1X software), Authenticator (the switch or WAP that controls access), Authentication Server (RADIUS server that validates credentials). The authenticator acts as a proxy between the supplicant and RADIUS server.

Key exam facts — Network+

  • Port security: limits MAC addresses per port; violation actions: shutdown, restrict, protect
  • Disable unused switch ports — place in unused VLAN and shut down
  • Replace Telnet with SSH; HTTP management with HTTPS
  • SNMPv3 adds authentication and encryption (v1/v2 have no encryption)
  • 802.1X: Supplicant (client) + Authenticator (switch/AP) + RADIUS server
  • BPDU Guard disables ports receiving unexpected STP BPDUs
  • Change all default credentials on first deployment

Common exam traps

Disabling unused switch ports is unnecessary

Unused active switch ports allow unauthorized devices to plug in and gain network access. Disabling them and placing them in an isolated VLAN prevents this — it is a fundamental hardening step.

SNMPv2c is secure enough for monitoring

SNMPv1 and v2c use community strings (essentially plain-text passwords) transmitted unencrypted. SNMPv3 adds user authentication (MD5/SHA) and encryption (DES/AES) — always use SNMPv3 for network monitoring.

Practice questions — Network Hardening Basics

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator wants to ensure that only a single MAC address can connect to each office switch port and that the port automatically shuts down if another device is plugged in. Which feature should be configured?

A. BPDU Guard
B. Port security with violation mode shutdown
C. 802.1X with RADIUS
D. Dynamic ARP Inspection

Correct answer: B. Explanation: Port security with a maximum of 1 MAC address and violation mode 'shutdown' places the port into err-disabled state if a second MAC address is detected. This prevents unauthorized device swaps. BPDU Guard protects against rogue switches. 802.1X authenticates users but doesn't directly limit MAC addresses. Dynamic ARP Inspection prevents ARP spoofing.

Frequently asked questions — Network Hardening Basics

What is 802.1X and how does it work?

802.1X is a port-based network access control standard that authenticates devices before allowing network access. The supplicant (client) connects to an authenticator (switch/AP port). The authenticator blocks all traffic except EAP (authentication) messages. EAP is forwarded to a RADIUS authentication server. If authentication succeeds, the RADIUS server tells the authenticator to open the port. The client can now access the network. This prevents unauthorized devices from connecting to switch ports.
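The exchange described above, as an added Python simulation that is not part of the original page: an authenticator port that relays EAP credentials to a stub RADIUS server and drops every non-EAP frame until it receives Access-Accept. The user database, frame dictionaries and message names are constructed for illustration; real EAP methods carry far more than a user/password pair.

```python
from dataclasses import dataclass, field

# Constructed RADIUS user database for the stub server (not real credentials).
RADIUS_USERS = {"alice": "correct-horse-battery"}


@dataclass
class RadiusServer:
    """Authentication server: validates credentials relayed by the switch."""
    users: dict

    def authenticate(self, user: str, password: str) -> str:
        return "Access-Accept" if self.users.get(user) == password else "Access-Reject"


@dataclass
class Authenticator:
    """Switch port that proxies EAP to RADIUS and gates all other traffic."""
    radius: RadiusServer
    authorized: bool = False
    forwarded: list = field(default_factory=list)

    def handle(self, frame: dict) -> str:
        """Return what the port did with one frame from the supplicant."""
        if frame["type"] == "EAPOL":
            # EAP is the only traffic allowed through an unauthorized port;
            # the authenticator relays it and acts on the RADIUS verdict.
            verdict = self.radius.authenticate(frame["user"], frame["password"])
            self.authorized = verdict == "Access-Accept"
            return "EAP-Success" if self.authorized else "EAP-Failure"
        if not self.authorized:
            return "dropped"                  # port still in unauthorized state
        self.forwarded.append(frame)          # port open: normal traffic passes
        return "forwarded"

    def link_down(self) -> None:
        """Cable unplugged: the port returns to the unauthorized state."""
        self.authorized = False
```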
