Mitigation Techniques - CCNA Security Fundamentals Guide
Why Mitigation Techniques Are Important
Mitigation techniques are critical defensive measures that protect network infrastructure from various security threats. In today's interconnected world, networks face constant attacks including malware, unauthorized access, denial-of-service attacks, and data breaches. Understanding mitigation techniques is essential for any network professional because they form the foundation of a secure network architecture. For the CCNA exam, this topic tests your ability to implement practical security solutions that protect enterprise networks.
What Are Mitigation Techniques?
Mitigation techniques are security controls and countermeasures implemented to reduce the risk and impact of network security threats. These techniques work at various layers of the network and include:
Access Control Lists (ACLs) - Filter traffic based on source/destination IP addresses, ports, and protocols. Standard ACLs filter by source IP only, while Extended ACLs provide granular control using multiple criteria.
Port Security - Limits the number of MAC addresses allowed on a switch port and can specify which MAC addresses are permitted. Violation modes include protect, restrict, and shutdown.
DHCP Snooping - Blocks rogue DHCP servers by dropping DHCP server messages that arrive on untrusted ports, and records legitimate client leases in a binding table (MAC address, IP address, VLAN, interface) that other features rely on.
Dynamic ARP Inspection (DAI) - Validates ARP packets against the DHCP snooping binding table to prevent ARP spoofing attacks.
802.1X Authentication - Provides port-based network access control, requiring users to authenticate before gaining network access.
Private VLANs - Isolate traffic between hosts on the same VLAN, preventing lateral movement within a network segment.
Control Plane Policing (CoPP) - Protects the router's CPU from being overwhelmed by rate-limiting traffic destined for the control plane.
How Mitigation Techniques Work
These techniques operate through a layered defense approach:
1. Prevention Layer - ACLs and firewalls block malicious traffic before it enters the network
2. Detection Layer - IDS/IPS systems identify suspicious activity and alert administrators or take automated action
3. Response Layer - Port security violations trigger automatic responses like shutting down ports
4. Verification Layer - DHCP snooping and DAI validate the legitimacy of network protocol operations
Common Attack Types and Their Mitigations
- MAC Flooding Attack → Port Security
- DHCP Starvation/Spoofing → DHCP Snooping
- ARP Spoofing/Poisoning → Dynamic ARP Inspection
- VLAN Hopping → Proper trunk configuration, native VLAN changes
- Unauthorized Access → 802.1X, ACLs
- Man-in-the-Middle → DAI, DHCP Snooping, encryption
Exam Tips: Answering Questions on Mitigation Techniques
1. Match the attack to the solution - Know which mitigation technique addresses each specific attack type. This is commonly tested.
2. Understand the dependencies - Remember that DAI requires DHCP snooping to be enabled first, as it uses the binding table.
3. Know your ACL placement - Standard ACLs should be placed close to the destination; Extended ACLs should be placed close to the source.
4. Port Security defaults - Default violation mode is shutdown, default maximum MAC addresses is 1.
5. Trusted vs Untrusted ports - In DHCP snooping, uplinks to DHCP servers should be trusted; access ports should be untrusted.
6. Read scenarios carefully - Questions often describe symptoms of an attack. Identify the attack type first, then select the appropriate mitigation.
7. Configuration commands - Be familiar with basic commands like switchport port-security, ip dhcp snooping, and ip arp inspection.
8. Layer awareness - Know at which OSI layer each technique operates (Layer 2 for port security, Layer 3 for ACLs).
9. Eliminate wrong answers - If a question asks about Layer 2 attacks, eliminate Layer 3 solutions and vice versa.
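As an added example (not part of the original guide), the following Cisco IOS configuration ties several of the techniques above together on an access switch and shows the dependency from tip 2 and the trusted/untrusted split from tip 5; VLAN 10, the native VLAN 999, the interface names and the rate limits are assumed values.

```cisco
! DHCP snooping must be enabled before DAI: DAI validates ARP against its binding table
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Uplink toward the legitimate DHCP server: trusted for both features.
! Unused native VLAN and no DTP negotiation mitigate VLAN hopping.
interface GigabitEthernet0/1
 description Uplink to distribution switch / DHCP server
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing access ports stay untrusted (the default) and get port security.
! maximum 1 and violation shutdown are the defaults, written out here for clarity.
interface range GigabitEthernet0/2 - 24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
!
! Verification: confirm trusted ports, the binding table and DAI counters
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection vlan 10
show port-security interface GigabitEthernet0/2
```

If DAI drops ARP from a statically addressed host, that host has no DHCP binding; add an ARP ACL for it or assign its address through DHCP rather than trusting the access port.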