
Network Hardening for CompTIA Network+ N10-009

Network hardening reduces attack surface by eliminating vulnerabilities and unnecessary services from network infrastructure. CompTIA Network+ N10-009 tests hardening concepts in the Security domain at a deeper level than the Implementation domain basics. This includes disabling legacy protocols, securing management planes, implementing data plane controls, and applying CIS Benchmarks or DISA STIGs.


Protocol Security

Replace insecure protocols: Telnet → SSH. SNMPv1/v2c → SNMPv3. HTTP management → HTTPS. FTP → SFTP or SCP. TFTP → SCP for sensitive transfers. Rlogin/RSH → SSH. NTP: use authenticated NTP (NTPv4 with keys or NTS) to prevent NTP spoofing (which can manipulate timestamps and affect certificate validation and log correlation).

Disable unused protocols and features:

  • CDP (Cisco Discovery Protocol): advertises device type and IOS version to neighbors; disable it on external-facing ports.
  • LLDP: similar to CDP; disable on external-facing interfaces.
  • Unused routing protocols (for example RIP when OSPF is the deployed IGP).
  • IP source routing: lets a packet specify its own route through the network; exploited in attacks.
  • Proxy ARP: can enable unauthorized traffic forwarding.
  • Directed broadcasts: used in Smurf DDoS amplification attacks.

Management Plane Hardening

Control plane policing (CoPP): rate-limits traffic sent to the router/switch CPU, protecting against CPU exhaustion attacks. Without CoPP, a flood of routing protocol packets or management traffic can overwhelm the CPU and cause the device to stop forwarding. CoPP is implemented as QoS policies on the control plane interface.

Secure management access: use SSH v2 with strong key algorithms (RSA 4096 or ECDSA). Configure login retry limits and lockout. Use privilege levels and role-based access control (RBAC) — not all administrators need full access. Time out idle sessions. Use an out-of-band (OOB) management network. Use AAA with TACACS+ so that administrator commands are logged.

Login banners: configure legal warning banners on all devices. Banners state that unauthorized access is prohibited and may be logged. Without a legal warning banner, prosecution of unauthorized access may be more difficult in some jurisdictions.

Data Plane Hardening

Port security: limits MAC addresses per switch port — prevents MAC flooding and unauthorized device connection. BPDU Guard: protects STP from rogue switches on access ports. Root Guard: prevents unauthorized root bridge election. Loop Guard: prevents forwarding loops if a port stops receiving BPDUs. Storm control: limits broadcast, multicast, or unicast flooding to a defined threshold — prevents broadcast storms from overwhelming links.

Private VLANs (PVLANs): prevent communication between ports in the same VLAN. Community ports can communicate with each other and the promiscuous port (uplink). Isolated ports can only communicate with the promiscuous port. Used in hosting environments where customer VMs in the same VLAN shouldn't communicate with each other.

Key exam facts — Network+

  • Disable CDP/LLDP on external-facing interfaces — prevent information disclosure
  • CoPP protects router/switch CPU from being overwhelmed
  • SSH v2 replaces Telnet; SNMPv3 replaces v1/v2c; HTTPS replaces HTTP
  • Disable IP-directed broadcasts (prevents Smurf attacks)
  • Disable IP source routing — attackers use it to bypass ACLs
  • Storm control: limits flooding rate — prevents broadcast storms
  • Private VLANs: isolate hosts in same VLAN from communicating

Common exam traps

CDP is only a security risk on internet-facing interfaces

CDP should be disabled on any interface that connects to untrusted devices — not just internet connections. Access ports connecting to untrusted user devices and conference-room connections should also have CDP disabled to prevent information disclosure.

Practice questions — Network Hardening

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. Which feature limits the rate of packets sent to the router's CPU to prevent CPU exhaustion from flooding attacks?

A. Storm control
B. Control Plane Policing (CoPP)
C. Port security
D. BPDU Guard

Explanation: Control Plane Policing (CoPP) rate-limits traffic destined for the router/switch CPU (the control plane). Without CoPP, attacks that flood the device with management traffic, routing protocol packets, or specially crafted packets can exhaust CPU resources and cause the device to stop forwarding traffic. Storm control limits flooding on data-plane interfaces. Port security limits MAC addresses. BPDU Guard protects STP.

Frequently asked questions — Network Hardening

What are CIS Benchmarks and DISA STIGs?

CIS (Center for Internet Security) Benchmarks: community-developed configuration hardening guides for specific devices and OS types (Cisco IOS, Windows Server, Linux). They provide step-by-step hardening recommendations. DISA STIGs (Security Technical Implementation Guides): US Department of Defense hardening standards for government systems — mandatory for DoD, and used as a rigorous baseline by other organizations. Both provide prescriptive checklists for securing network devices.
