ACLs, Filtering, NAC, Hardening, and Key Management
Key Takeaways
- ACLs define permitted and denied traffic by source, destination, protocol, and port, usually with first-match logic.
- URL and content filtering reduce exposure by controlling where users and systems browse or download content.
- NAC uses identity, device posture, and policy to decide network access or assign a VLAN.
- Device hardening removes unnecessary services, changes defaults, secures management, and keeps firmware current.
- Key management protects certificates, private keys, shared secrets, rotation, storage, and revocation.
Policy Enforcement and Hardening
Security controls are strongest when they are specific, documented, and maintained. A router ACL, switch port policy, wireless access rule, NAC policy, or URL filter should describe an intentional business path, not a collection of inherited exceptions.
ACL Decision Points
An access control list (ACL) filters traffic by source IP, destination IP, protocol, port, interface, and direction. Many ACLs use top-down first-match logic, so rule order matters.
| ACL design item | Practical guidance |
|---|---|
| Source | Use the narrowest realistic source network or host |
| Destination | Match the exact server, subnet, or service zone needed |
| Service | Permit required protocols and ports only |
| Direction | Apply where the platform enforces the intended path clearly |
| Order | Put specific permits and denies before broad rules |
| Default action | End with an explicit or implicit deny per platform behavior |
| Logging | Log important denies or high-risk permits without flooding storage |
Example policy: users in the accounting VLAN can reach the accounting application on TCP 443 but cannot connect directly to the database subnet. The application servers can reach the database on the required port. Guest devices are denied internal destinations and allowed only Internet-bound traffic through the edge firewall.
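As an added illustration (not part of the original page), the policy above modelled as a top-down first-match ACL evaluator in Python; the address ranges and the database port 5432 are assumed values, and shadowed_rules() flags the ordering trap where a broad permit hides every rule below it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None means any port

def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """True if the packet falls inside the rule's source, destination and service scope."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: int) -> Tuple[str, Optional[int]]:
    """First match wins: return (action, index of the rule that fired); no match is the implicit deny (index None)."""
    for index, rule in enumerate(acl):
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, index
    return "deny", None

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet that would match `inner` already matches `outer`."""
    return (ipaddress.ip_network(outer.src).supernet_of(ipaddress.ip_network(inner.src))
            and ipaddress.ip_network(outer.dst).supernet_of(ipaddress.ip_network(inner.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))

def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]

# Constructed address plan for the accounting policy described above (assumed values).
ACCOUNTING, APP_SERVER, DB_SUBNET = "10.10.20.0/24", "10.10.50.10/32", "10.10.60.0/24"
GUEST, INTERNAL, ANY = "192.168.100.0/24", "10.0.0.0/8", "0.0.0.0/0"

GOOD_ACL = [
    Rule("permit", ACCOUNTING, APP_SERVER, "tcp", 443),   # users -> app on HTTPS
    Rule("deny",   ACCOUNTING, DB_SUBNET,  "any", None),  # users never reach the DB directly
    Rule("permit", APP_SERVER, DB_SUBNET,  "tcp", 5432),  # app -> DB on its required port (assumed 5432)
    Rule("deny",   GUEST,      INTERNAL,   "any", None),  # guests get no internal destinations
    Rule("permit", GUEST,      ANY,        "any", None),  # guests may go Internet-bound
]
# The common trap: one broad permit placed first makes every later rule unreachable.
BAD_ACL = [Rule("permit", ANY, ANY, "any", None)] + GOOD_ACL
```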
URL and Content Filtering
URL filtering controls destinations by category, reputation, domain, or explicit allow/block lists. Content filtering can inspect file types, keywords, malware signatures, data patterns, or application behavior. These controls live on secure web gateways, NGFWs, proxies, email gateways, and endpoint agents.
| Requirement | Likely control |
|---|---|
| Block known phishing sites | URL filtering with reputation categories |
| Prevent executable downloads from untrusted sites | Content filtering or web gateway policy |
| Permit only approved SaaS applications | Allow-list policy or CASB-style control |
| Restrict adult, gambling, or malware categories | Category-based URL filtering |
| Inspect uploaded documents for sensitive data | Content inspection with DLP-like policy |
Filtering creates false positives, so organizations need an exception process. Exceptions should be approved, time-bounded when possible, and documented.
NAC Decisions
Network access control (NAC) evaluates who or what is connecting before assigning access. NAC can use 802.1X, certificates, MAC authentication bypass, captive portals, posture checks, directory groups, or device profiling.
| NAC result | Scenario |
|---|---|
| Corporate VLAN | Managed laptop passes certificate and posture checks |
| Remediation VLAN | Device is missing required endpoint protection or updates |
| Guest VLAN | Visitor authenticates through a captive portal |
| IoT VLAN | Printer or camera is profiled and restricted |
| Deny access | Unknown device fails policy |
NAC matters most when a physical jack or wireless SSID can be reached by mixed devices. A conference-room port should not automatically grant the same access as a managed administrator workstation.
Device Hardening
Hardening reduces attack surface. For routers, switches, wireless controllers, firewalls, and appliances:
- Change default credentials and remove unused accounts.
- Disable unused services, ports, interfaces, and management protocols.
- Use SSH, HTTPS, SNMPv3, and secure APIs instead of Telnet, HTTP, and SNMPv1/v2c.
- Restrict management access to a management network or jump host.
- Apply role-based access and named accounts.
- Use centralized logging and time synchronization.
- Back up known-good configurations.
- Keep firmware and software current through controlled change management.
- Disable unused switch ports or place them in an unused VLAN.
- Configure port security, DHCP snooping, and dynamic ARP inspection when appropriate.
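An added example, not from the original page: a small Python audit that flags the weak settings from the list above in a constructed Cisco IOS-style configuration excerpt and confirms a hardened version comes back clean; the config lines, addresses, account names and ACL name are assumed.

```python
import re
from typing import List, Tuple
# Constructed running-config excerpts in Cisco IOS-style syntax (not taken from a real device).
WEAK_CONFIG = """\
username admin privilege 15 password 0 admin
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet
"""
HARDENED_CONFIG = """\
username netops-jdoe privilege 15 secret <strong-secret-placeholder>
no ip http server
ip http secure-server
snmp-server group NETMON v3 priv
logging host 10.10.5.20
ntp server 10.10.5.21
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
"""
# Findings raised when a matching line is present (cleartext or default settings).
PRESENT_IS_BAD = [
    ("Telnet management enabled", r"^\s*transport input\b.*\btelnet\b", "transport input ssh"),
    ("Cleartext HTTP management", r"^ip http server$", "no ip http server / ip http secure-server"),
    ("SNMPv1/v2c community string", r"^snmp-server community\b", "SNMPv3 group with priv"),
    ("Default admin credential", r"^username admin\b.*\bpassword 0 admin$", "named account with a strong secret"),
]
# Findings raised when an expected hardening line is absent.
ABSENT_IS_BAD = [
    ("No management ACL on vty lines", r"^\s*access-class\b", "access-class <mgmt-acl> in"),
    ("No centralized logging", r"^logging host\b", "logging host <syslog-server>"),
    ("No time synchronization", r"^ntp server\b", "ntp server <ntp-server>"),
]

def audit(config: str) -> List[Tuple[str, str, str]]:
    """Return (finding, evidence, remediation) for each weak or missing setting."""
    lines = config.splitlines()
    findings = []
    for name, pattern, fix in PRESENT_IS_BAD:
        for line in lines:
            if re.search(pattern, line):
                findings.append((name, line.strip(), fix))
    for name, pattern, fix in ABSENT_IS_BAD:
        if not any(re.search(pattern, line) for line in lines):
            findings.append((name, "<missing>", fix))
    return findings
```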
Key Management
Keys and certificates are security dependencies. If a private key, shared secret, pre-shared key, or API token is exposed, encrypted or authenticated systems become vulnerable even when the protocol itself is strong.
| Item | Management concern |
|---|---|
| Private key | Store securely, restrict access, rotate after exposure |
| Certificate | Track expiration, subject names, issuing CA, revocation |
| Wireless PSK | Use strong values, rotate when staff or vendor access changes |
| VPN shared secret | Protect and rotate during vendor or device lifecycle changes |
| API token | Store in a vault or secret manager, not scripts or tickets |
| Backup encryption key | Protect separately from the backup data |
Good key management includes generation, storage, distribution, rotation, revocation, expiration tracking, and destruction. The exam may show an outage caused by an expired certificate or a risk caused by a shared secret stored in a plain-text configuration file.
Common Traps
- A broad permit at the top of an ACL can make later deny rules useless.
- URL filtering does not replace patching, segmentation, or least privilege.
- MAC address filtering alone is weak because addresses can be spoofed.
- Hardening must include the management plane, not just data-plane rules.
- Rotating a certificate without protecting the private key misses the main risk if the key was exposed.
Worked Scenario
Users suddenly cannot log in to the internal portal and browsers show a certificate warning. The administrator checks the certificate and finds the validity period ended yesterday. The fix is not to disable HTTPS or tell users to click through the warning — it is to issue and install a new certificate, confirm the new expiration date, and add the expiration to a tracked renewal calendar or automated monitor so it does not recur.
If the question instead says a private key was found in a public code repository, rotation alone is insufficient: you must revoke the old certificate (publish to a CRL or OCSP responder), reissue with a freshly generated key pair, and audit for misuse. Distinguishing an expiration outage from a key-compromise incident is a common exam discriminator. Secure protocols also recur: a switch reachable only over Telnet on TCP 23 should be migrated to SSH on TCP 22, and SNMPv1/v2c community strings should be replaced with SNMPv3, which adds authentication and encryption.
The pattern across hardening and key management is the same — replace plaintext, default, or expired credentials and protocols with authenticated, encrypted, and tracked equivalents.
A router ACL has a broad permit-any rule before a specific deny rule for a sensitive subnet. What is the likely result?
Which actions are examples of device hardening? Select three.
A managed laptop passes certificate authentication and endpoint posture checks, while an unknown device is placed into a guest VLAN. Which control is being described?