2.4 Configure and verify network infrastructure security methods
📘CompTIA Security+ (SY0-701)
1. What Is Device Hardening?
Device hardening means reducing a network device's attack surface and locking down access to it, so that an attacker cannot easily misuse the device or the traffic it carries.
Network infrastructure devices include:
- Routers
- Switches
- Firewalls
- Wireless controllers
- VPN devices
These devices are critical because a compromised device can see, redirect or disrupt every flow that passes through it, so the whole network becomes insecure.
Device hardening focuses on:
- Reducing unnecessary features
- Securing access
- Protecting device resources
- Preventing misuse and attacks
2. Why Device Hardening Is Important (Exam Point)
Without proper hardening:
- Attackers can control traffic
- Configuration can be changed
- Sensitive data can be leaked
- Network availability can be disrupted
The Cisco exam expects you to understand:
- Why hardening is required
- How it is applied to different device planes
- Common security controls for each plane
3. Three Planes of a Network Device
Cisco divides device operations into three logical planes:
| Plane | Purpose |
|---|---|
| Control Plane | Makes traffic decisions |
| Data Plane | Forwards actual traffic |
| Management Plane | Used to configure and monitor devices |
Each plane carries different traffic, faces different threats and has its own controls, so each must be secured separately.
4. Control Plane Hardening
4.1 What Is the Control Plane?
The control plane is responsible for:
- Routing decisions
- Network intelligence
- Exchange of control information
Examples of control plane traffic:
- Routing protocols (OSPF, EIGRP, BGP)
- ARP
- ICMP
- STP
- Keepalives
If the control plane is attacked, the device may:
- Stop routing
- Lose network topology
- Become unstable
4.2 Control Plane Attacks (Exam Focus)
Common attacks targeting the control plane:
- Routing protocol flooding
- CPU exhaustion attacks
- Malformed packets
- DoS attacks targeting routing processes
4.3 Control Plane Hardening Techniques
1. Control Plane Policing (CoPP)
CoPP applies a QoS policy to the traffic punted to the device CPU: packets are classified, each class is policed with its own rate limit, and anything that matches no class falls into class-default, which is usually policed very hard.
- Only trusted traffic is allowed at full rate
- Unwanted traffic is dropped or rate-limited
- Protects CPU and memory
Example uses:
- Allow OSPF packets only from known routers
- Drop excessive ICMP requests
Exam keyword: Protects control plane from DoS attacks
2. Routing Protocol Authentication
Used to prevent fake routing updates from being accepted.
- Uses a shared key; modern deployments use a keyed hash (MD5 or SHA) rather than a plaintext password, so the key itself never appears on the wire
- Ensures routing updates come from trusted devices and were not altered in transit
Example:
- OSPF authentication
- BGP authentication
3. Disable Unused Protocols
- Turn off routing protocols not in use
- Disable legacy or unused services (for example CDP on untrusted ports, proxy ARP and ICMP redirects)
Why:
- Reduces attack surface
- Prevents unnecessary CPU usage
4. Rate Limiting Control Traffic
- Limits the number of control packets processed
- Prevents CPU overload
5. Secure Neighbor Relationships
- Define trusted neighbors explicitly (BGP neighbors are always configured by address; for OSPF and EIGRP, make user-facing ports passive so that no adjacency can form there)
- Prevent unauthorized devices from participating in routing, for example with TTL security (GTSM), which rejects BGP packets that did not originate on a directly connected neighbor
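The following Python model shows what the CoPP mechanism from technique 1 actually does to punted traffic. It is an added example for these notes, not code from Cisco or from the original page: trusted OSPF from known neighbors is classified into a generously policed class, ICMP gets a tight policer, and everything else (including OSPF from an address that is not a configured neighbor) lands in class-default. The neighbor addresses, rates and the packet stream are constructed for the demonstration.

```python
"""Toy model of Control Plane Policing (CoPP).

Added example, not code from Cisco or the original notes. Punted packets are
matched against classes in order, each class has its own token-bucket
policer, and anything unmatched lands in class-default. Addresses, rates and
the traffic stream below are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed: the only routers allowed to send us OSPF on the transit link.
TRUSTED_OSPF_NEIGHBORS = {"10.0.0.2", "10.0.0.3"}


@dataclass
class Packet:
    src: str
    proto: str          # "ospf", "icmp", "bgp", ...
    size: int = 100     # bytes


@dataclass
class Policer:
    """Single-rate token bucket, like 'police <rate> <burst>' in IOS.

    rate is bytes per second, burst is the bucket depth in bytes. Time is
    kept in integer milliseconds so the arithmetic is exact.
    """
    rate: int
    burst: int
    exceed_action: str = "drop"          # conform-action is always transmit
    tokens: int = field(init=False, default=0)
    last_ms: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def police(self, now_ms: int, size: int) -> str:
        # Refill in proportion to elapsed time, capped at the burst depth.
        refill = (now_ms - self.last_ms) * self.rate // 1000
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= size:
            self.tokens -= size
            return "transmit"
        return self.exceed_action


@dataclass
class CoppClass:
    name: str
    match: Callable[[Packet], bool]
    policer: Policer


def build_copp_policy() -> List[CoppClass]:
    """Mirrors a policy-map with one 'police' statement per class, applied
    with 'service-policy input' under 'control-plane'."""
    return [
        # Routing protocol from known peers: generous rate, never dropped.
        CoppClass("COPP-OSPF",
                  lambda p: p.proto == "ospf" and p.src in TRUSTED_OSPF_NEIGHBORS,
                  Policer(rate=64_000, burst=8_000, exceed_action="transmit")),
        # ICMP is useful but must not be allowed to exhaust the CPU.
        CoppClass("COPP-ICMP", lambda p: p.proto == "icmp",
                  Policer(rate=8_000, burst=1_000)),
        # Everything else, including OSPF from an unknown source, is squeezed hard.
        CoppClass("class-default", lambda p: True, Policer(rate=40, burst=100)),
    ]


def apply_copp(policy: List[CoppClass],
               stream: List[Tuple[int, Packet]]) -> Dict[Tuple[str, str], int]:
    """Run a (time_ms, packet) stream through the policy; count (class, action)."""
    counts: Dict[Tuple[str, str], int] = {}
    for now_ms, pkt in sorted(stream, key=lambda item: item[0]):
        for cls in policy:                       # first matching class wins
            if cls.match(pkt):
                action = cls.policer.police(now_ms, pkt.size)
                counts[(cls.name, action)] = counts.get((cls.name, action), 0) + 1
                break
    return counts


def demo() -> Dict[Tuple[str, str], int]:
    """Constructed traffic: legitimate hellos, rogue hellos, and a ping flood."""
    stream: List[Tuple[int, Packet]] = []
    # 10 s of OSPF hellos from a trusted neighbor, one per second.
    stream += [(t * 1000, Packet("10.0.0.2", "ospf")) for t in range(10)]
    # 5 hellos from an address that is not a configured neighbor.
    stream += [(t * 1000, Packet("192.0.2.9", "ospf")) for t in range(5)]
    # 100 pings of 100 bytes arriving within the same millisecond at t = 10 s.
    stream += [(10_000, Packet("198.51.100.7", "icmp")) for _ in range(100)]
    return apply_copp(build_copp_policy(), stream)


if __name__ == "__main__":
    for (cls, action), n in sorted(demo().items()):
        print(f"{cls:14s} {action:9s} {n}")
```

The trusted hellos all reach the CPU, the ping flood is cut to the 1000-byte burst (10 packets) and the rest is dropped, and the rogue hellos are squeezed by class-default rather than dropped outright. Note that CoPP only protects the CPU; it is routing protocol authentication (technique 2) that stops the rogue hellos from ever forming an adjacency.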
Control Plane – Exam Summary
✔ Protect routing and control processes
✔ Use CoPP
✔ Authenticate routing protocols
✔ Limit and filter control traffic
5. Data Plane Hardening
5.1 What Is the Data Plane?
The data plane handles:
- Actual user traffic
- Packet forwarding
- Switching and routing of data
Examples:
- User browsing traffic
- Application traffic
- File transfers
5.2 Data Plane Threats
Common data plane attacks:
- Packet flooding
- IP spoofing
- MAC spoofing
- Malicious traffic forwarding
- Unauthorized traffic flows
5.3 Data Plane Hardening Techniques
1. Access Control Lists (ACLs)
ACLs control which traffic is allowed or denied.
Uses:
- Block unauthorized IP addresses
- Restrict unnecessary protocols
- Limit traffic between network segments
Example:
- Allow internal traffic
- Block unknown external traffic
2. Anti-Spoofing Protection
Prevents attackers from using fake IP or MAC addresses.
Methods:
- Ingress ACLs that drop packets arriving from outside with an internal or loopback source address (BCP 38 style filtering)
- Source address validation with unicast Reverse Path Forwarding (uRPF), which drops a packet if the best route back to its source does not point at the interface it arrived on
- Port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard on access switches, which tie a port to the MAC and IP addresses allowed to use it
3. Disable Unnecessary Forwarding Features
- Disable unused switching and forwarding features (for example IP source routing and directed broadcasts)
- Shut down unused ports and assign them to an unused VLAN; remove VLANs that carry no traffic
Why:
- Prevents misuse
- Reduces attack points
4. Traffic Rate Limiting and Storm Control
- Limits broadcast, multicast, and unknown unicast traffic
- Prevents network congestion and crashes
5. Secure Packet Forwarding Path
- Ensure traffic follows the paths the routing table defines
- Prevent unauthorized redirection, for example by disabling IP source routing (which lets the sender dictate the path) and ICMP redirects (which let a neighbor change a host's next hop)
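The Python model below puts techniques 1 and 2 together: a Cisco-style extended ACL evaluated top-down with first match and the implicit deny at the end, and a strict-mode uRPF check against a small routing table. It is an added example for these notes, not Cisco code or code from the original page; the addresses, the ACL, the routing table and the test packets are constructed for the demonstration, and only contiguous wildcard masks are handled.

```python
"""Data-plane filtering model: Cisco-style extended ACL (first match, implicit
'deny ip any any') plus a strict-mode uRPF check.

Added example, not code from Cisco or the original notes. Addresses, ACL and
routing table are constructed for the demo; wildcard masks must be contiguous.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" | "deny"
    proto: str                 # "ip" matches every protocol
    src: Net
    dst: Net
    dport: Optional[int] = None


def _addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return Net("0.0.0.0/0"), i + 1
    if t == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    wildcard = tokens[i + 1]
    if wildcard == "0.0.0.0":                 # same as 'host'
        return Net(t + "/32"), i + 2
    if wildcard == "255.255.255.255":         # same as 'any'
        return Net("0.0.0.0/0"), i + 2
    # IPv4Network accepts a hostmask; strict=False masks off host bits like IOS.
    return Net((t, wildcard), strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one ACE, e.g. 'permit tcp any host 203.0.113.10 eq 443'."""
    t = line.split()
    src, i = _addr(t, 2)
    dst, i = _addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(t[0], t[1], src, dst, dport)


def evaluate_acl(acl: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action
    return "deny"


def urpf_strict(routes: Dict[Net, str], src: str, ingress: str) -> bool:
    """Strict uRPF: the longest-match route back to the source must point at
    the ingress interface. (This toy model counts the default route; IOS
    ignores it unless 'allow-default' is configured.)"""
    a = ipaddress.IPv4Address(src)
    best = max((n for n in routes if a in n), key=lambda n: n.prefixlen, default=None)
    return best is not None and routes[best] == ingress


# Constructed: inbound ACL on the internet-facing interface Gi0/0. The first
# two lines are anti-spoofing: nobody outside may claim an internal or
# loopback source address. Only HTTPS to the public server is then allowed.
OUTSIDE_IN = [parse_ace(line) for line in (
    "deny ip 10.0.0.0 0.255.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    "permit tcp any host 203.0.113.10 eq 443",
)]

# Constructed routing table: inside, DMZ with the public server, default route.
ROUTES: Dict[Net, str] = {
    Net("10.0.0.0/8"): "Gi0/1",
    Net("203.0.113.0/24"): "Gi0/2",
    Net("0.0.0.0/0"): "Gi0/0",
}


def demo() -> Dict[str, Tuple[bool, str]]:
    """For each packet arriving on Gi0/0: (uRPF passed?, ACL verdict)."""
    cases = {
        "client https":   Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        "client ssh":     Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
        "client ping":    Packet("198.51.100.7", "203.0.113.10", "icmp"),
        "spoofed inside": Packet("10.0.0.5", "203.0.113.10", "tcp", 443),
        "spoofed dmz":    Packet("203.0.113.20", "203.0.113.10", "tcp", 443),
    }
    return {name: (urpf_strict(ROUTES, p.src, "Gi0/0"), evaluate_acl(OUTSIDE_IN, p))
            for name, p in cases.items()}


if __name__ == "__main__":
    for name, (urpf_ok, verdict) in demo().items():
        print(f"{name:15s} uRPF={'pass' if urpf_ok else 'FAIL'}  acl={verdict}")
```

The two spoofed packets show why both controls are used: the ACL catches the packet claiming an internal 10.x source, but it says nothing about our own DMZ range, so the packet claiming 203.0.113.20 sails through the ACL and is only caught by uRPF, because the route to that source points at Gi0/2, not at the interface the packet arrived on.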
Data Plane – Exam Summary
✔ Protect traffic forwarding
✔ Use ACLs and filtering
✔ Prevent spoofing
✔ Limit traffic rates
6. Management Plane Hardening
6.1 What Is the Management Plane?
The management plane allows administrators to:
- Configure devices
- Monitor status
- Collect logs
- Perform updates
Examples:
- SSH access
- Web-based management
- SNMP
- Syslog
- NetFlow
6.2 Management Plane Threats
If compromised, attackers can:
- Change configurations
- Disable security features
- Steal credentials
- Take full control of devices
6.3 Management Plane Hardening Techniques
1. Secure Management Access
Use secure protocols only:
- SSH instead of Telnet
- HTTPS instead of HTTP
- SNMPv3 with authentication and privacy instead of SNMPv1/v2c community strings
Why:
- Encrypts login credentials
- Prevents eavesdropping
2. Role-Based Access Control (RBAC)
- Assign roles with limited permissions
- Prevent full access for all users
Example:
- Read-only users (monitoring and show commands)
- Operators limited to a subset of configuration commands (an intermediate privilege level or per-command authorization)
- Full admin users (privilege level 15)
3. Authentication, Authorization, and Accounting (AAA)
AAA ensures:
- Authentication – who you are
- Authorization – what you can do
- Accounting – what you did
Often integrated with:
- RADIUS
- TACACS+ (generally preferred for device administration because it separates authorization from authentication and can account for every command entered)
4. Management Access Restrictions
- Allow management access only from trusted IPs
- Use management VLANs or dedicated interfaces
5. Logging and Monitoring
Enable:
- Syslog
- SNMP traps
- NetFlow
Purpose:
- Detect attacks
- Track configuration changes
- Monitor device health
6. Disable Unused Management Services
- Disable HTTP, Telnet, FTP, TFTP and SNMPv1/v2c if not required
- Remove default accounts and default SNMP community strings such as public and private
7. Secure Device Credentials
- Strong passwords
- Store passwords as hashes (enable secret) rather than with reversible type 7 encryption, which only hides them from a casual glance
- Regular password updates and rotation of shared keys
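Techniques 1 to 7 are easiest to see side by side as a weak configuration and a hardened one. The Python script below is an added example for these notes, not a Cisco tool or code from the original page: it parses two constructed IOS-style running-configs (the hash in the hardened one is a placeholder, not a real secret) and reports which of the management-plane controls above are missing.

```python
"""Management-plane configuration audit.

Added example, not a Cisco tool or code from the original notes. Parses an
IOS-style running-config into top-level lines and indented child blocks and
reports management-plane hardening gaps. Both configs are constructed.
"""
from typing import Dict, List, Tuple

WEAK_CONFIG = """\
hostname edge-rtr
enable password cisco123
ip http server
snmp-server community public RO
line vty 0 4
 password cisco
 login
 exec-timeout 0 0
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$constructed.placeholder.hash
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
ip ssh version 2
no ip http server
ip http secure-server
logging host 10.0.0.50
snmp-server group NETMON v3 priv
ip access-list standard MGMT-IN
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 10 0
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into top-level lines and their indented children."""
    top: List[str] = []
    children: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            children[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            children[current] = []
    return top, children


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    top, children = parse_config(text)

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    findings: List[str] = []
    if not has("service password-encryption"):
        findings.append("service password-encryption is off: line passwords stored in clear text")
    if has("enable password"):
        findings.append("enable password is reversible; replace it with enable secret")
    if not has("enable secret"):
        findings.append("no enable secret configured")
    if not has("aaa new-model"):
        findings.append("AAA not enabled: no central authentication or command accounting")
    if not has("ip ssh version 2"):
        findings.append("SSH not pinned to version 2")
    if has("ip http server"):
        findings.append("plaintext HTTP management enabled; use 'no ip http server' and HTTPS")
    if not has("logging host"):
        findings.append("no syslog destination configured")
    findings += [f"SNMPv1/v2c community configured: '{line}'"
                 for line in top if line.startswith("snmp-server community")]
    for name, lines in children.items():
        if not name.startswith("line vty"):
            continue
        transport = [ln for ln in lines if ln.startswith("transport input")]
        if not transport or any("telnet" in ln or ln.endswith(" all") for ln in transport):
            findings.append(f"{name}: Telnet permitted or transport unrestricted; use 'transport input ssh'")
        if not any(ln.startswith("access-class") and ln.endswith(" in") for ln in lines):
            findings.append(f"{name}: no inbound access-class restricting management sources")
        if any(ln.startswith("exec-timeout 0 0") for ln in lines):
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit(cfg)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

The checks are deliberately simple prefix matches on the parsed config, which is enough to catch the classic gaps (Telnet on the vty lines, a reversible enable password, an SNMP community string, HTTP management, no AAA, no syslog) before a device goes into production.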
Management Plane – Exam Summary
✔ Secure management protocols
✔ Use AAA and RBAC
✔ Restrict management access
✔ Enable logging and monitoring
7. General Device Hardening Best Practices (Exam Relevant)
These apply to all planes:
- Use latest firmware and patches
- Disable unused ports and services
- Back up configurations securely
- Use secure boot and image verification
- Apply least privilege principle
- Monitor continuously
8. Comparison of the Three Planes (Important for Exam)
| Plane | Focus | Main Protection Goal |
|---|---|---|
| Control Plane | Routing & control | Protect CPU and routing processes |
| Data Plane | Traffic forwarding | Secure user and application traffic |
| Management Plane | Device access | Prevent unauthorized configuration |
9. Key Exam Takeaways (Must Remember)
✔ Device hardening is critical for infrastructure security
✔ Cisco devices have three planes
✔ Each plane has different threats and protections
✔ CoPP is used for control plane protection
✔ ACLs protect the data plane
✔ SSH, AAA, and RBAC protect the management plane
Final Exam Tip
If a question mentions:
- Routing attacks or CPU protection → Control Plane
- Traffic filtering or forwarding → Data Plane
- Device login or configuration → Management Plane
