ACLs, Filtering, NAC, Hardening, and Key Management
Key Takeaways
- ACLs define permitted and denied traffic by source, destination, protocol, and port, usually with first-match logic.
- URL and content filtering reduce exposure by controlling where users and systems can browse or download content.
- NAC uses identity, device posture, and policy to decide network access or assign a VLAN.
- Device hardening removes unnecessary services, changes defaults, secures management, and keeps firmware current.
- Key management protects certificates, private keys, shared secrets, rotation, storage, and revocation.
Policy Enforcement and Hardening
Security controls are strongest when they are specific, documented, and maintained. A router ACL, switch port policy, wireless access rule, NAC policy, or URL filter should describe an intentional business path, not just a collection of inherited exceptions.
ACL Decision Points
An access control list filters traffic by attributes such as source IP, destination IP, protocol, port, interface, and direction. Many ACLs use top-down first-match logic. Rule order matters.
| ACL design item | Practical guidance |
|---|---|
| Source | Use the narrowest realistic source network or host |
| Destination | Match the exact server, subnet, or service zone needed |
| Service | Permit required protocols and ports only |
| Direction | Apply where the platform can enforce the intended path clearly |
| Order | Put specific permits and denies before broad rules |
| Default action | End with an explicit or implicit deny according to platform behavior |
| Logging | Log important denies or high-risk permits without flooding storage |
Example policy: users in the accounting VLAN can reach the accounting application on TCP 443, but they cannot connect directly to the database subnet. The application servers can reach the database on the required database port. Guest devices are denied internal destinations and allowed only Internet-bound traffic through the edge firewall.
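The example policy above can be expressed as an ordered rule list and evaluated with top-down first-match logic. The block below is an added illustration, not code from the study guide: the subnet addresses, the application host, and the database port (5432) are assumed values chosen to stand in for the accounting VLAN, application servers, database subnet, and guest VLAN named in the text. It also includes a shadowing check that reports rules a broad earlier permit would make unreachable.

```python
"""Ordered, first-match ACL evaluator (added example, not from the study guide).

Networks and the database port (5432) are constructed values standing in
for the policy described in the text; any private ranges would do.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ACCOUNTING = "10.10.20.0/24"   # assumed accounting VLAN
APP_SERVERS = "10.10.30.0/24"  # assumed application server subnet
APP_HOST = "10.10.30.10/32"    # assumed accounting application server
DATABASE = "10.10.40.0/24"     # assumed database subnet
GUEST = "192.168.50.0/24"      # assumed guest VLAN
INTERNAL = "10.0.0.0/8"        # everything internal, for the guest deny
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    name: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        if ip_address(src_ip) not in ip_network(self.src, strict=False):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.dport is None or self.dport == dport

    def covers(self, other: "Rule") -> bool:
        """True when every packet matching `other` also matches this rule."""
        return (ip_network(other.src, strict=False).subnet_of(ip_network(self.src, strict=False))
                and ip_network(other.dst, strict=False).subnet_of(ip_network(self.dst, strict=False))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


# The policy from the text, specific rules first, implicit deny at the end.
POLICY: List[Rule] = [
    Rule("permit", ACCOUNTING, APP_HOST, "tcp", 443, "acct-to-app"),
    Rule("deny", ACCOUNTING, DATABASE, name="acct-no-db"),
    Rule("permit", APP_SERVERS, DATABASE, "tcp", 5432, "app-to-db"),
    Rule("deny", GUEST, INTERNAL, name="guest-no-internal"),
    Rule("permit", GUEST, ANY, name="guest-internet"),
]

# The ordering trap: one broad permit placed above the specific rules.
MISORDERED: List[Rule] = [Rule("permit", ANY, ANY, name="permit-all")] + POLICY


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, str]:
    """Top-down first match; an implicit deny applies when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    shadowed = []
    for i, rule in enumerate(rules):
        if any(earlier.covers(rule) for earlier in rules[:i]):
            shadowed.append(rule.name)
    return shadowed


if __name__ == "__main__":
    print(evaluate(POLICY, "10.10.20.5", "10.10.40.7", "tcp", 5432))      # deny, acct-no-db
    print(evaluate(MISORDERED, "10.10.20.5", "10.10.40.7", "tcp", 5432))  # permit, permit-all
    print(shadowed_rules(MISORDERED))                                      # every policy rule
```

Running `shadowed_rules` against a candidate ACL before deployment is the practical check for the ordering problem: every name it returns is a rule the platform will parse but never apply.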
URL and Content Filtering
URL filtering controls destinations by category, reputation, domain, or explicit allow and block lists. Content filtering can inspect file types, keywords, malware signatures, data patterns, or application behavior. These controls are common on secure web gateways, NGFWs, proxies, email gateways, and endpoint agents.
| Requirement | Likely control |
|---|---|
| Block known phishing sites | URL filtering with reputation categories |
| Prevent downloads of executable files from untrusted sites | Content filtering or web gateway policy |
| Permit only approved SaaS applications | Allow list policy or CASB-style control |
| Restrict adult, gambling, or malware categories | Category-based URL filtering |
| Inspect uploaded documents for sensitive data patterns | Content inspection with DLP-like policy |
Filtering can create false positives, so organizations usually need an exception process. Exceptions should be approved, time-bounded when possible, and documented.
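The following block is an added example, not part of the study guide, showing how the filtering requirements in the table above combine into one decision with a time-bounded exception process. The category feed, reputation scores, approved SaaS list, hostnames (all under the reserved `.test` domain), and change ticket numbers are constructed; a real secure web gateway would pull categories and reputation from its vendor feed.

```python
"""URL and content filtering decision with time-bounded exceptions
(added example, not from the study guide). Feeds, hostnames, tickets and
the current time are constructed values."""
from datetime import datetime, timezone
from typing import Iterable, Tuple
from urllib.parse import urlparse

# Constructed category and reputation feeds (a real gateway pulls these from a vendor).
CATEGORY = {
    "login-update.test": "phishing",
    "casino.test": "gambling",
    "files.unknown.test": "uncategorized",
    "saas-approved.test": "saas",
    "example-bank.test": "finance",
    "lowrep.test": "uncategorized",
}
REPUTATION = {"lowrep.test": 15}   # 0 (bad) .. 100 (good); unknown hosts assumed 50
BLOCKED_CATEGORIES = {"phishing", "malware", "gambling", "adult"}
APPROVED_SAAS = {"saas-approved.test"}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr", ".ps1")
MIN_REPUTATION = 30

NOW = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed "current time"
# Constructed exception records: (host suffix, expiry, approving change ticket)
VALID_EXCEPTION = [("casino.test", datetime(2024, 6, 30, tzinfo=timezone.utc), "CHG-1042")]
EXPIRED_EXCEPTION = [("casino.test", datetime(2024, 5, 1, tzinfo=timezone.utc), "CHG-0901")]


def host_matches(host: str, suffix: str) -> bool:
    """Exact or parent-domain match: docs.saas-approved.test matches saas-approved.test."""
    return host == suffix or host.endswith("." + suffix)


def lookup(table: dict, host: str, default):
    """Walk from the full host up through its parent domains until the feed has an entry."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return default


def decide(url: str, now: datetime,
           exceptions: Iterable[Tuple[str, datetime, str]] = ()) -> Tuple[str, str]:
    """Return (action, reason) for one request."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()

    # 1. Approved, unexpired exceptions win; expired ones are ignored, not honoured.
    for suffix, expires_at, ticket in exceptions:
        if host_matches(host, suffix) and now < expires_at:
            return "allow", f"exception:{ticket}"

    # 2. Category-based URL filtering.
    category = lookup(CATEGORY, host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return "block", f"category:{category}"

    # 3. Reputation filtering.
    score = lookup(REPUTATION, host, 50)
    if score < MIN_REPUTATION:
        return "block", f"reputation:{score}"

    # 4. Allow-listed SaaS applications.
    if any(host_matches(host, s) for s in APPROVED_SAAS):
        return "allow", "approved-saas"

    # 5. Content filtering: no executable downloads from untrusted sites.
    if path.endswith(EXECUTABLE_SUFFIXES):
        return "block", "executable-download"

    return "allow", "default"


if __name__ == "__main__":
    print(decide("https://casino.test/play", NOW, VALID_EXCEPTION))     # allow, exception
    print(decide("https://casino.test/play", NOW, EXPIRED_EXCEPTION))   # block, category
```

The order of the checks is the design decision: exceptions are evaluated first so that an approved, documented, still-valid exception is the only way around a category block, and an exception that has passed its expiry silently falls back to the normal policy rather than needing someone to remember to remove it.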
NAC Decisions
Network access control evaluates who or what is connecting before assigning access. NAC can use 802.1X, certificates, MAC authentication bypass, captive portals, posture checks, directory groups, or device profiling.
| NAC result | Scenario |
|---|---|
| Corporate VLAN | Managed laptop passes certificate and posture checks |
| Remediation VLAN | Device is missing required endpoint protection or updates |
| Guest VLAN | Visitor authenticates through captive portal |
| IoT VLAN | Printer or camera is profiled and restricted |
| Deny access | Unknown device fails policy |
NAC is especially useful when the physical jack or wireless network may be reached by mixed devices. A conference room port should not automatically grant the same access as a managed administrator workstation.
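As an added example (not from the study guide), the block below turns the NAC result table into an ordered decision function. The VLAN names, the posture thresholds, the directory group name `managed-workstations`, and the sample endpoints are all constructed; a production NAC would take the same inputs from 802.1X, a posture agent, device profiling, and the directory.

```python
"""NAC admission decision (added example, not from the study guide).
VLAN names, posture thresholds, group names and sample endpoints are constructed."""
from dataclasses import dataclass
from typing import List, Tuple

IOT_PROFILES = {"printer", "camera", "badge-reader"}   # assumed profiled device classes
MAX_PATCH_AGE_DAYS = 30                                 # assumed posture policy


@dataclass(frozen=True)
class Endpoint:
    mac: str
    auth: str                  # "eap-tls", "mab", "portal" or "none"
    cert_valid: bool = False   # chains to the corporate CA and is not revoked
    edr_running: bool = False  # endpoint protection agent reported healthy
    patch_age_days: int = 0    # days since the last successful update
    profile: str = "unknown"   # device profiling result (DHCP/LLDP/HTTP fingerprints)
    groups: Tuple[str, ...] = ()


def posture_failures(ep: Endpoint) -> List[str]:
    failures = []
    if not ep.edr_running:
        failures.append("endpoint-protection-missing")
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches-older-than-{MAX_PATCH_AGE_DAYS}d")
    return failures


def admit(ep: Endpoint) -> Tuple[str, str]:
    """Return (vlan, reason). Rules run in order, strongest evidence first."""
    # 1. Certificate-based 802.1X: identity is strong, so posture decides the VLAN.
    if ep.auth == "eap-tls":
        if not ep.cert_valid:
            return "deny", "certificate-invalid"
        failures = posture_failures(ep)
        if failures:
            return "remediation", ";".join(failures)
        if "managed-workstations" in ep.groups:
            return "corporate", "cert+posture"
        return "deny", "cert-ok-but-not-in-managed-group"
    # 2. MAC authentication bypass: a MAC address can be spoofed, so it only
    #    earns a restricted IoT VLAN and only for a recognised device profile.
    if ep.auth == "mab":
        if ep.profile in IOT_PROFILES:
            return "iot", f"mab+profile:{ep.profile}"
        return "deny", "mab-without-trusted-profile"
    # 3. Captive portal: guest VLAN, Internet-only.
    if ep.auth == "portal":
        return "guest", "captive-portal"
    return "deny", "no-authentication"


# Constructed sample endpoints, one per row of the NAC result table.
LAPTOP = Endpoint("00:11:22:33:44:01", "eap-tls", True, True, 5, "laptop", ("managed-workstations",))
STALE = Endpoint("00:11:22:33:44:02", "eap-tls", True, False, 45, "laptop", ("managed-workstations",))
PRINTER = Endpoint("00:11:22:33:44:03", "mab", profile="printer")
VISITOR = Endpoint("00:11:22:33:44:04", "portal")
UNKNOWN = Endpoint("00:11:22:33:44:05", "mab", profile="unknown")
BAD_CERT = Endpoint("00:11:22:33:44:06", "eap-tls", cert_valid=False)

if __name__ == "__main__":
    for ep in (LAPTOP, STALE, PRINTER, VISITOR, UNKNOWN, BAD_CERT):
        print(ep.mac, admit(ep))
```

The same function serves the conference room port and the administrator's desk: the port does not decide, the evidence does, so an unmanaged device plugged into either location ends up in guest, IoT, or nowhere.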
Device Hardening
Hardening reduces attack surface and configuration risk. For routers, switches, wireless controllers, firewalls, and appliances, common steps include:
- Change default credentials and remove unused accounts.
- Disable unused services, ports, interfaces, and management protocols.
- Use SSH, HTTPS, SNMPv3, and secure APIs instead of Telnet, HTTP, and SNMPv1 or SNMPv2c.
- Restrict management access to a management network or jump host.
- Apply role-based access and named accounts.
- Use centralized logging and time synchronization.
- Back up known-good configurations.
- Keep firmware and software current through a controlled change process.
- Disable unused switch ports or place them in an unused VLAN.
- Configure port security, DHCP snooping, dynamic ARP inspection, or similar features when appropriate.
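The hardening list above is easiest to apply when it is turned into a repeatable check. The block below is an added example, not from the study guide: it audits a constructed IOS-style switch configuration for several of the items in the list (cleartext local credentials, HTTP and Telnet management, SNMPv1/v2c community strings, unused ports left enabled, missing NTP and remote logging, SSH version not enforced). The configuration text, hostnames, and addresses are constructed; only the command syntax is real.

```python
"""Hardening audit of an IOS-style switch configuration (added example,
not from the study guide). Both configuration samples are constructed."""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname edge-sw1
enable password cisco123
username admin privilege 15 password admin123
ip http server
snmp-server community public RO
!
interface GigabitEthernet0/1
 description uplink-to-core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description printer-room
 switchport access vlan 40
 switchport port-security
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
 shutdown
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

# The same device after hardening (hash values are placeholders, not real hashes).
HARDENED_CONFIG = """\
hostname edge-sw1
enable secret 9 $9$placeholder-hash
username admin privilege 15 secret 9 $9$placeholder-hash
no ip http server
ip http secure-server
ip ssh version 2
snmp-server group netops v3 priv
ntp server 10.10.1.5
logging host 10.10.1.20
!
interface GigabitEthernet0/3
 description unused
 switchport access vlan 999
 shutdown
!
line vty 0 4
 transport input ssh
 login local
!
"""


def parse_blocks(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and their indented child lines."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (check, detail) findings; an empty list means no gaps were found."""
    top, blocks = parse_blocks(config)
    findings: List[Tuple[str, str]] = []
    for cmd in top:
        if cmd.startswith("enable password "):
            findings.append(("enable-password-cleartext", "use 'enable secret' instead"))
        if re.match(r"username \S+ .*\bpassword\b", cmd):
            findings.append(("local-user-cleartext", cmd.split()[1]))
        if cmd == "ip http server":
            findings.append(("http-management-enabled", "disable or use 'ip http secure-server'"))
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m:
            findings.append(("snmp-v1v2c-community", m.group(1)))
        if cmd.startswith("interface ") and not blocks[cmd]:
            findings.append(("unconfigured-port-not-shutdown", cmd.split()[1]))
        if cmd.startswith("line vty") and any(
                c.startswith("transport input") and ("telnet" in c or c.endswith(" all"))
                for c in blocks[cmd]):
            findings.append(("telnet-management-permitted", cmd))
    if not any(c.startswith("ntp server") for c in top):
        findings.append(("ntp-not-configured", "logs need synchronised time"))
    if not any(c.startswith("logging host") for c in top):
        findings.append(("remote-logging-not-configured", "send syslog to a collector"))
    if "ip ssh version 2" not in top:
        findings.append(("ssh-v2-not-enforced", "add 'ip ssh version 2'"))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_CONFIG):
        print(f"{check}: {detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
```

The parser is deliberately simple (top-level command plus indented children) because that is enough to check whether an interface block is empty or whether a `line vty` block still allows Telnet; a production tool would also check AAA, login banners, and management-plane ACLs, which are outside this example.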
Key Management
Keys and certificates are security dependencies. If a private key, shared secret, pre-shared key, or API token is exposed, encrypted or authenticated systems can become vulnerable even when the protocol is strong.
| Item | Management concern |
|---|---|
| Private key | Store securely, restrict access, rotate after exposure |
| Certificate | Track expiration, subject names, issuing CA, and revocation |
| Wireless PSK | Use strong values, rotate when staff or vendor access changes |
| VPN shared secret | Protect and rotate during vendor or device lifecycle changes |
| API token | Store in a vault or secret manager; never embed in scripts or paste into tickets |
| Backup encryption key | Protect separately from the backup data |
Good key management includes generation, storage, distribution, rotation, revocation, expiration tracking, and destruction. The exam may present an outage caused by an expired certificate or a security concern caused by a shared secret stored in a plain-text configuration file.
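Both failure modes named above, the expired certificate and the shared secret sitting in a plain-text configuration file, can be caught by routine review. The block below is an added example, not from the study guide: it reviews a constructed key and certificate inventory for expiry, overdue rotation, and insecure storage, and scans constructed IOS-style configuration lines for pre-shared keys kept in clear text. The inventory entries, dates, rotation periods, and secret values are all constructed; the date is fixed so the output is reproducible.

```python
"""Key and certificate lifecycle review (added example, not from the study
guide). The inventory, dates and configuration lines are constructed."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

TODAY = date(2024, 6, 1)     # fixed "today" so the example is reproducible
WARN_DAYS = 30               # assumed expiry warning window
INSECURE_STORAGE = {"config-file", "script", "ticket", "wiki"}


@dataclass(frozen=True)
class KeyItem:
    name: str
    kind: str                        # certificate, private-key, wireless-psk, vpn-psk, api-token, backup-key
    last_rotated: date
    rotation_days: int               # policy interval between rotations
    storage: str                     # hsm, vault, config-file, script, ticket, ...
    expires: Optional[date] = None   # certificates and tokens; None for items with no expiry


# Constructed inventory; each item exercises one of the management concerns.
INVENTORY = [
    KeyItem("web-portal-tls", "certificate", date(2023, 5, 20), 365, "vault", date(2024, 5, 20)),
    KeyItem("vpn-gateway-tls", "certificate", date(2023, 6, 15), 365, "hsm", date(2024, 6, 15)),
    KeyItem("corp-wifi-psk", "wireless-psk", date(2022, 1, 10), 365, "vault"),
    KeyItem("monitoring-api-token", "api-token", date(2024, 3, 1), 90, "script", date(2025, 3, 1)),
    KeyItem("backup-encryption-key", "backup-key", date(2024, 4, 1), 365, "hsm"),
]


def review(items: List[KeyItem], today: date = TODAY, warn_days: int = WARN_DAYS) -> List[Tuple[str, str]]:
    """Return (item name, finding) pairs for expiry, rotation and storage problems."""
    findings: List[Tuple[str, str]] = []
    for it in items:
        if it.expires is not None:
            remaining = (it.expires - today).days
            if remaining < 0:
                findings.append((it.name, "expired"))           # the outage case
            elif remaining <= warn_days:
                findings.append((it.name, f"expires-in-{remaining}d"))
        if (today - it.last_rotated).days > it.rotation_days:
            findings.append((it.name, "rotation-overdue"))
        if it.storage in INSECURE_STORAGE:
            findings.append((it.name, f"insecure-storage:{it.storage}"))
    return findings


# IOS-style commands that carry a shared secret in clear text when not encrypted.
SECRET_PATTERNS = [
    re.compile(r"^\s*crypto isakmp key (\S+) address"),
    re.compile(r"^\s*pre-shared-key (?:local |remote )?(\S+)"),
    re.compile(r"^\s*key-string (\S+)"),
]

# Constructed configuration lines (secret values are made up).
SAMPLE_CONFIG_LINES = [
    "crypto isakmp key Vend0rSecret! address 203.0.113.10",
    "crypto ikev2 keyring PARTNER",
    " pre-shared-key local Br@nchKey2023",
    "key chain EIGRP-AUTH",
    " key 1",
    "  key-string r0uting-secret",
    "ip ssh version 2",
]


def find_plaintext_secrets(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, redacted value) for shared secrets stored in clear text."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                value = m.group(1)
                hits.append((n, value[:2] + "*" * (len(value) - 2)))   # never log the secret itself
    return hits


if __name__ == "__main__":
    for name, finding in review(INVENTORY):
        print(f"{name}: {finding}")
    print(find_plaintext_secrets(SAMPLE_CONFIG_LINES))
```

The scanner redacts what it finds because a review report is itself a document that gets attached to tickets and e-mails; copying the secret into it would recreate the problem the scan is looking for.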
Common Traps
- A broad permit at the top of an ACL can make later deny rules useless.
- URL filtering does not replace patching, segmentation, or least privilege.
- MAC address filtering alone is weak because addresses can be spoofed.
- Device hardening should include management plane security, not just data plane rules.
- Rotating a certificate without protecting the private key misses the main risk if the key was exposed.
A router ACL has a broad permit-any rule before a specific deny rule for a sensitive subnet. What is the likely result?
Which actions are examples of device hardening? Select three.
A managed laptop passes certificate authentication and endpoint posture checks, while an unknown device is placed into a guest VLAN. Which control is being described?