WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Like this CertiGuide? Get it in PDF format!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Google
Web CertiGuide






Table Of Contents  CertiGuide to Security+
 9  Chapter 3:  Infrastructure Security (Domain 3.0; 20%)
      9  3.5  Security Baselines
           9  3.5.2  Network Hardening
                9  3.5.2.2  Configuration

Previous Topic/Section
3.5.2.2  Configuration
Previous Page
Pages in Current Topic/Section
1
Next Page
 3.5.2.2.2  Access Control Lists
Next Topic/Section

3.5.2.2.1  Enabling and Disabling Services and Protocols

As stated above when discussing OS hardening, TURN OFF anything you’re not using. This can take the form of turning off services at the server (as discussed in the previous section), or establishing filtering rules (on your routers or the servers themselves) to completely allow or disallow inbound or outbound connections to certain ports. IE, in effect, this “turns the port off.”

We’ve said it a few times already and we’ll say it again: if you don’t absolutely require SNMP access to a network device, disable it. SNMP has a variety of security issues. If you absolutely must have it, SNMP v3 includes enhancements to authentication that make it a better network resident, so look for support for it on your devices and servers, and use it rather than v1 or v2, if possible.

Do you have a whiz-bang multi-protocol router? And do you have a network that only uses TCP/IP (as many do, these days)? If you don’t need to pass IPX and AppleTalk packets through a router, turn off its ability to do so.

Not using the IMAP protocol outside your internal network? Don’t allow traffic on port 143 through your firewalls and routers. Someone installed a UNIX IRC server “just for test purposes” to see if it enhanced internal communication, and left it running, forgotten, after the test was complete? Get rid of it. Don’t need the ability for outside machines to “ping” your inside machines? Disable ICMP protocol packets inbound from the Internet to your internal network.

Network/Hardware Hardening

One step to take when hardening network devices is to turn off any services and protocols you’re not using.


The next step in hardening a network device is to exert a finer-grained degree of control over what traffic you allow through the router. Instead of just allowing or disallowing based on type of network-layer protocol or service, you can examine a packet’s specific origins. That is discussed in the next section on Access Control Lists.


Previous Topic/Section
3.5.2.2  Configuration
Previous Page
Pages in Current Topic/Section
1
Next Page
 3.5.2.2.2  Access Control Lists
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.