Network Mitigation Techniques | CompTIA Network+ N10-007 | 4.6

In this video you will learn about network mitigation techniques such as: signature management, changing native VLANs, switch port protection, network segmentation, privileged user account, file integrity monitoring, role separation, restricting access via ACLs, honeypots & honeynets, and penetration testing.

Signature Management

A signature is a set of rules that an IDS and an IPS use to detect typical intrusive activity, such as DoS attacks.  Signatures can be easily installed using IDS/IPS management software.  Sensors enable you to modify existing signatures & define new ones.  As sensors scan network packets, they use signatures to detect known attacks and respond with predefined actions.  A malicious packet flow has a specific type of activity and signature, and an IDS or IPS sensor examines the data flow using many different signatures.  When an IDS or IPS sensor matches a signature with a data flow, the sensor takes action, such as logging the event or sending an alarm to IDS or IPS management software.[1]

Change Native VLAN

A native VLAN exists in the case of the 802.1Q encapsulation, which supports untagged traffic.  This makes it possible for your VLAN to support legacy devices that do not tag their traffic, like some wireless access points & simple network attached devices.  Traffic that arrives at a trunked port without an existing VLAN tag gets associated with the native VLAN.  When it comes to the management aspect of a native VLAN, it is recommended that a network admin configure the native VLAN to a number other than VLAN 1, because VLAN 1 is typically the default configuration of a Cisco switch for management protocols.  Setting the native VLAN to another number, such as VLAN 999, helps to separate user traffic from network management traffic.[2]
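To make the untagged-traffic rule concrete, here is an added example (not from the course or any vendor) that classifies raw Ethernet frames the way a trunk port does: a frame with an 802.1Q tag is placed in the VLAN carried in its tag, an untagged frame is placed in the native VLAN, and a small audit flags a native VLAN left at the default VLAN 1.  The MAC addresses, the native VLAN 999 and the sample frames are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100
NATIVE_VLAN = 999  # assumed trunk native VLAN, moved off the default VLAN 1 as the text advises

def classify_frame(frame: bytes, native_vlan: int = NATIVE_VLAN) -> dict:
    """Return the VLAN a trunk port associates with an incoming Ethernet frame.

    A tagged frame carries TPID 0x8100 after the two MAC addresses, followed by a
    16-bit TCI whose low 12 bits are the VLAN ID. An untagged frame gets the native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"tagged": False, "vlan": native_vlan, "pcp": 0, "ethertype": ethertype}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vlan": tci & 0x0FFF, "pcp": tci >> 13, "ethertype": inner_type}

def audit_native_vlan(native_vlan: int, management_vlan: int = 1) -> list:
    """Flag the setup the text warns against: native VLAN left at 1 or shared with management."""
    issues = []
    if native_vlan == 1:
        issues.append("native VLAN is still the default VLAN 1")
    if native_vlan == management_vlan:
        issues.append("untagged traffic lands in the management VLAN")
    return issues

# Constructed sample frames (headers only; the payload is irrelevant to classification).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0a1b2c3d4e5f")
TAGGED_VLAN10 = DST + SRC + struct.pack("!HHH", TPID_8021Q, (5 << 13) | 10, 0x0800)  # IPv4, PCP 5, VID 10
UNTAGGED_ARP = DST + SRC + struct.pack("!H", 0x0806)  # no tag: a trunk puts it in the native VLAN
```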

Switch Port Protection

  • Spanning Tree Protocol (STP)
    • Spanning Tree Protocol prevents loops from being formed when switches or bridges are interconnected via multiple paths.  To avoid the problems associated with redundant links in a switched LAN, STP is implemented on switches to monitor the network topology.  Every link between switches, and in particular every redundant link, is cataloged.  The STP algorithm then blocks forwarding on redundant links by setting up one preferred link between switches in the LAN.  This preferred link is used for all Ethernet frames unless it fails, in which case a non-preferred redundant link is enabled.  When implemented in a network, STP designates one layer-2 switch as a root bridge.  All switches then select their best connection towards the root bridge for forwarding and block other redundant links.  All switches constantly communicate with their neighbors in the LAN using Bridge Protocol Data Units (BPDUs).[3]
  • Flood Guard
    • Flood guards are tools that you can use to prevent DoS attacks.  This technology is typically built into network equipment such as routers and intrusion prevention equipment.  It is designed to detect network floods and then block this traffic.  Flood guards help block malicious traffic from entering a network.[4]
  • BPDU Guard (Bridge Protocol Data Unit)
    • A BPDU is a data message transmitted across a LAN to detect loops in network topologies.  A BPDU contains information regarding ports, switches, port priority, & addresses.  BPDUs contain the information necessary to configure and maintain Spanning Tree Protocol (STP).  They are not forwarded by switches, but the information is used by the switches to calculate their own BPDUs for information passing.[5]
  • Root Guard
    • Root guards are useful in avoiding Layer 2 loops during network anomalies.  The root guard forces an interface to become a designated port to prevent surrounding switches from becoming a root switch.  In other words, a root guard provides a way to enforce the root bridge placement in the network.  The root guard feature prevents a designated port from becoming a root port.  If a port on which the root guard feature is enabled receives a superior BPDU, the switch moves the port into a root-inconsistent state (effectively equal to a listening state), thus maintaining the current root bridge status.[6]
  • DHCP Snooping
    • DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure.[7]  DHCP servers allocate IP addresses to clients on a LAN.  DHCP snooping can be configured on LAN switches to exclude rogue DHCP servers and remove malicious or malformed DHCP traffic.  In addition, information on hosts which have successfully completed a DHCP transaction is accrued in a database of bindings which may then be used by other security or accounting features.
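The DHCP snooping bullet above describes three behaviours: dropping server messages that arrive on untrusted ports, dropping malformed client messages, and building a binding database from completed transactions.  The following added example (written for these notes, not taken from the course or any switch vendor) simulates those rules on a switch with one trusted uplink; port names, MAC addresses, VLAN 10 and the 10.0.10.0/24 addresses are constructed.

```python
from dataclasses import dataclass, field
SERVER_MSGS = {"OFFER", "ACK", "NAK"}

@dataclass
class DhcpMsg:
    port: str          # ingress switch port
    vlan: int
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK or RELEASE
    src_mac: str       # Ethernet source address of the frame
    chaddr: str        # client hardware address inside the DHCP payload
    yiaddr: str = ""   # address handed out by the server in OFFER/ACK
@dataclass
class DhcpSnooper:
    trusted_ports: set                            # ports facing legitimate DHCP servers or uplinks
    pending: dict = field(default_factory=dict)   # client MAC -> port where its request arrived
    bindings: dict = field(default_factory=dict)  # client MAC -> (ip, vlan, port)

    def process(self, m: DhcpMsg) -> tuple:
        """Return ("forward" | "drop", reason) and maintain the binding database."""
        mac = m.chaddr.lower()
        trusted = m.port in self.trusted_ports
        if m.kind in SERVER_MSGS and not trusted:
            return "drop", "server message on untrusted port (rogue DHCP server)"
        if not trusted and m.src_mac.lower() != mac:
            return "drop", "chaddr does not match the frame source MAC"
        if m.kind in ("DISCOVER", "REQUEST") and not trusted:
            self.pending[mac] = m.port
        elif m.kind == "RELEASE" and not trusted:
            bound = self.bindings.get(mac)
            if bound is None or bound[2] != m.port:
                return "drop", "RELEASE for a binding not learned on this port"
            del self.bindings[mac]
        elif m.kind == "ACK" and mac in self.pending:
            self.bindings[mac] = (m.yiaddr, m.vlan, self.pending.pop(mac))
        return "forward", "ok"
def run_scenario() -> tuple:
    """Constructed exchange: one real client, one rogue server, one spoofed RELEASE."""
    sw = DhcpSnooper(trusted_ports={"Gi1/0/24"})
    client, server = "aa:bb:cc:00:00:01", "00:11:22:33:44:55"
    msgs = [
        DhcpMsg("Gi1/0/1", 10, "DISCOVER", client, client),
        DhcpMsg("Gi1/0/5", 10, "OFFER", "de:ad:be:ef:00:05", client, "10.0.10.200"),  # rogue server
        DhcpMsg("Gi1/0/24", 10, "OFFER", server, client, "10.0.10.50"),
        DhcpMsg("Gi1/0/1", 10, "REQUEST", client, client),
        DhcpMsg("Gi1/0/24", 10, "ACK", server, client, "10.0.10.50"),
        DhcpMsg("Gi1/0/7", 10, "REQUEST", "aa:bb:cc:00:00:07", client),   # chaddr does not match sender
        DhcpMsg("Gi1/0/7", 10, "RELEASE", client, client),                  # release from the wrong port
    ]
    return [sw.process(m)[0] for m in msgs], dict(sw.bindings)
```

The returned binding (client MAC, leased address, VLAN and the port where the client was seen) is the record later features such as dynamic ARP inspection can consult.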

Network Segmentation

  • DMZ (Demilitarized Zone)
    • A DMZ (perimeter network or screened subnet) is a physical or logical subnetwork that contains & exposes an organization’s external-facing services to an untrusted, usually larger, network such as the Internet.  The purpose of a DMZ is to add an additional layer of security to an organization’s LAN, so that an external node can access only what is exposed in the DMZ, while the rest of the organization’s network is firewalled.  The DMZ functions as a small, isolated network positioned between the Internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they would further penetrate into the internal networks.
  • VLAN (Virtual LAN)
    • A VLAN is any broadcast domain that is partitioned & isolated in a computer network at the data link layer (OSI Layer 2).  LAN is the abbreviation for local area network and in this context virtual refers to a physical object created and altered by additional logic.  VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks.  In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed.

Privileged User Account

A privileged user account is an account that has more privileges than ordinary users.  Privileged accounts might be able to install or remove software, upgrade the OS, or modify system or application configurations.  They might also have access to files that are not normally accessible to standard users.  There are many kinds of privileged user accounts such as:

  • Root & administrator (superusers) accounts:  typically used for installing and removing software and changing configurations.
  • Service accounts:  used for running processes, such as web servers, database servers, & application servers.
  • System accounts:  used for running OS components and owning related files.

File Integrity Monitoring

File integrity monitoring is an internal control or process that performs the act of validating the integrity of OS and application software files using a verification method between the current file state and a known, good baseline.  This comparison method often involves calculating a known cryptographic checksum of the file’s original baseline and comparing it with the calculated checksum of the current state of the file.[8]  Other file attributes can also be used to monitor integrity.  Generally, the act of performing file integrity monitoring is automated using internal controls such as an application or process.  Such monitoring can be performed randomly, at defined polling intervals, or in real-time.  Changes to configurations, files and file attributes across the IT infrastructure are common, but hidden within a large volume of daily changes can be the few that impact file or configuration integrity.  These changes can also reduce security posture and in some cases may be leading indicators of a breach in progress.  Values monitored for unexpected changes to files or configuration items include:

  • Credentials
  • Privileges and security settings
  • Content
  • Core attributes and size
  • Hash values
  • Configuration values
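As an added illustration of the baseline-and-compare method described above (example code for these notes, not a product from the references), the following snapshots a directory tree, recording the SHA-256 hash, size and permission bits of every file, and then reports what deviates from the baseline.  The file tree, its contents and the four simulated changes are constructed inside a temporary directory.

```python
import hashlib
import os
import pathlib
import stat
import tempfile

MONITORED = ("sha256", "size", "mode")  # the attributes compared against the baseline

def snapshot(root: str) -> dict:
    """Record hash, size and permission bits for every regular file under root."""
    state = {}
    for path in pathlib.Path(root).rglob("*"):
        if path.is_file():
            st = path.stat()
            state[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return state

def compare(baseline: dict, current: dict) -> list:
    """Return sorted (path, change) pairs; an empty list means the tree matches the baseline."""
    findings = [(p, "deleted") for p in baseline.keys() - current.keys()]
    findings += [(p, "added") for p in current.keys() - baseline.keys()]
    for p in baseline.keys() & current.keys():
        findings += [(p, f"{a} changed") for a in MONITORED if baseline[p][a] != current[p][a]]
    return sorted(findings)

def demo() -> list:
    """Constructed scenario: baseline a tiny tree, then tamper with it in four ways."""
    with tempfile.TemporaryDirectory() as root:
        r = pathlib.Path(root)
        (r / "etc").mkdir()
        (r / "bin").mkdir()
        (r / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (r / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (r / "bin" / "ls").write_bytes(b"\x7fELF-stub")
        os.chmod(r / "bin" / "ls", 0o755)
        baseline = snapshot(root)
        # Simulated changes: config edited, setuid bit added, file dropped in, file removed.
        (r / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(r / "bin" / "ls", 0o4755)
        (r / "bin" / "dropped").write_bytes(b"x")
        (r / "etc" / "passwd").unlink()
        return compare(baseline, snapshot(root))
```

A real deployment would store the baseline out of reach of the monitored host and run the comparison on a schedule or from a file-change notification, as the text notes.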

Role Separation

Role separation (separation of privileges) is an IT best practice applied to organizations to broadly separate users and processes based on different levels of trust, needs, and privilege requirements.  Separation of privileges refers to both the:

  1. Segmentation of user privileges across various, separate users and accounts
  2. Compartmentalization of privileges across various application or system subcomponents, tasks, and processes.

Similar to the concept of network segmentation, role separation essentially creates barriers around specific parts of an IT environment.  It helps contain intruders close to the point of compromise and restrict lateral movement, while also ensuring that employees, applications, and system processes do not have access to more data than they need.  Segmenting privileges and the tasks associated with them also provides the benefit of a cleaner audit trail and simplifying compliance.[9]

Restricting Access via ACLs

An ACL is a set of rules that is usually used to filter network traffic.  ACLs can be configured on network devices with packet filtering capabilities, such as routers & firewalls.  ACLs contain a list of conditions that categorize packets and help determine when to allow or deny network traffic.  They are applied on a per-interface basis to packets leaving or entering an interface.  ACLs can also list permissions associated with a system resource (object).  These types of ACLs specify which users or system processes are granted access to objects, as well as what operations are allowed on given objects.[10]
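To show how a network ACL's ordered conditions decide a packet's fate, here is an added example (not the page's own material or any vendor's syntax) that evaluates rules top-down with first-match semantics, applies the implicit deny when nothing matches, and binds the list to one interface and direction.  The addresses (a DMZ host 192.0.2.10, an admin range 198.51.100.0/24, internal 10.0.0.0/8), the interface names and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dport: Optional[int] = None  # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

def evaluate(acl: list, pkt: dict) -> tuple:
    """Walk the rules top-down; the first match decides, and no match means implicit deny."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None

def filter_packet(interfaces: dict, iface: str, direction: str, pkt: dict) -> str:
    """ACLs bind to an interface and direction; an interface with no ACL filters nothing."""
    acl = interfaces.get((iface, direction))
    return "permit" if acl is None else evaluate(acl, pkt)[0]

# Constructed inbound ACL on the Internet-facing interface Gi0/0 of an edge router.
EDGE_IN = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),      # public HTTPS to the DMZ host
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.10/32", 22),  # SSH only from the admin range
    Rule("deny", "ip", "0.0.0.0/0", "10.0.0.0/8"),                  # nothing from outside reaches internal
]
INTERFACES = {("Gi0/0", "in"): EDGE_IN}
```

Because SSH from an arbitrary source matches none of the three rules, it is stopped by the implicit deny rather than by an explicit entry, which is why rule order and the trailing deny both matter when reading an ACL.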

Honeypot/Honeynet

Honeypots are a type of deception technology that allows network & system administrators to understand attacker behavior patterns.  Security teams can use honeypots to investigate cybersecurity breaches to collect intel on how cybercriminals operate.  They also reduce the risk of false positives, when compared to traditional cybersecurity measures, because they are unlikely to attract legitimate activity.  A honeynet is a decoy network that contains one or more honeypots.  It looks like a real network and contains multiple systems but is hosted on one or only a few servers, each representing one environment, for example a Windows honeypot machine, a Mac honeypot machine, and a Linux honeypot machine.  A “honeywall” monitors the traffic going in and out of the network and directs it to the honeypot instances.  There, vulnerabilities can be injected into the honeynet to make it easy for an attacker to access the trap.[11]

Penetration Testing

A penetration test (pen test or ethical hacking) is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; it is not to be confused with a vulnerability assessment.[12]  The test is performed to identify weaknesses (also known as vulnerabilities), including the potential for unauthorized parties to gain access to the system’s features and data, as well as strengths, enabling a full risk assessment to be completed.[13]  The process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain that goal.  A penetration test target may be a white box (about which background and system information are provided in advance to the tester) or a black box (about which only basic information, if any, other than the company name is provided).  A gray box penetration test is a combination of the two (where limited knowledge of the target is shared with the auditor).[14]  A penetration test can help identify a system’s vulnerabilities to attack and estimate how vulnerable it is.

References

  1. Network Security Using Cisco IOS IPS. Cisco.
  2. Default VLAN vs Native VLAN. IP With Ease.
  3. CCNA Certification All-In-One For Dummies. John Wiley & Sons.
  4. CompTIA Security+ Rapid Review:  Network Security. Pearson.
  5. Bridge Protocol Data Unit (BPDU). Techopedia.
  6. BPDU Guard, BPDU Filter, Root Guard, Loop Guard & UDLD. World of Networking.
  7. Five Things To Know About DHCP Snooping. Packet Pushers.
  8. File Integrity Monitoring. Ionx.
  9. How Separation of Privilege Improves IT Security. BeyondTrust.
  10. Access Control List (ACL). Imperva.
  11. Honeypot. Imperva.
  12. Penetration Testing. U.S. Department of Labor.
  13. Krutz & Vines. The CISSP and CAP Prep Guide.
  14. Penetration Testing. National Cyber Security Centre.
  15. Privileged Account. SSH.