Study Hardening, NAC, ACLs & Defensive Controls for Network+ (N10-009)

Apply device hardening, NAC, key management, ACLs, trust zones, filtering, and screened-subnet logic to network-defense questions.

Hardening questions are usually boundary questions. CompTIA is testing whether you can place the control at the correct layer and reduce exposure without overcomplicating the answer. The wrong option often sounds “more secure” in the abstract but protects the wrong place in the path.

Screened subnet: A network segment placed between trusted and untrusted zones to host exposed services more safely.

NAC: Network access control, using identity, posture, or policy checks to decide whether a device should be admitted to the network.

What CompTIA is really testing

The strongest answers usually depend on one of these choices:

  • admission control versus traffic filtering
  • segmentation versus device hardening
  • exposed-service placement versus internal-service placement
  • broad access versus narrowly scoped access

Keep these controls distinct

  Control           Strongest use
  hardening         reduce unnecessary services, defaults, and attack surface on the device itself
  NAC               decide whether a device should join the network or be restricted
  ACL               allow or deny traffic based on defined rules
  screened subnet   host externally reachable services without exposing the internal network directly

The control-placement question

CompTIA often hides the real answer inside this question:

“At what boundary should this control act?”

  • if the issue is device admission, NAC is stronger than an ACL alone
  • if the issue is traffic restriction between segments, ACLs or policy boundaries fit better
  • if the issue is a vulnerable exposed service, screened-subnet logic matters more than a generic “more firewall” answer

Small design example

  Internet -> screened subnet -> web server
  Internal network -> separate trusted zone
  Admin access -> restricted management path

What to notice:

  • the exposed service is reachable where it needs to be
  • the internal network is still behind another boundary
  • this is stronger than placing the public service directly on the internal segment
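
To make the boundary distinction concrete, here is an added Python model of the design above (example code written for this guide, not CompTIA material and not any vendor's ACL syntax). It evaluates a zone-based ACL first-match with an implicit deny at the end, makes the NAC admission decision as a separate step that runs before any filtering, and shows what changes when the public web server is placed on the internal segment instead of the screened subnet. The address ranges, zone names, ports, posture attributes and the "attacker" address are all constructed for illustration.

```python
"""Zone-based first-match ACL plus a separate NAC admission decision.

Constructed example for the screened-subnet design above: the address
ranges (RFC 5737 / RFC 1918), zone names, ports and posture fields are
illustrative, not taken from any real network or vendor syntax.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Trust zones. "internet" is the catch-all for anything not in a named zone.
ZONES = {
    "screened": ip_network("203.0.113.0/24"),  # exposed services live here
    "internal": ip_network("10.10.0.0/16"),    # trusted user/server LAN
    "mgmt": ip_network("10.99.0.0/24"),        # restricted management path
}


def zone_of(addr: str) -> str:
    """Map an address to its trust zone; unknown addresses are 'internet'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src_zone: str          # zone name or "any"
    dst_zone: str          # zone name or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# Boundary ACL for the design: web server in the screened subnet.
ACL_SCREENED = [
    Rule("permit", "internet", "screened", "tcp", 443),   # public HTTPS only
    Rule("permit", "screened", "internal", "tcp", 5432),  # web tier -> DB port only
    Rule("permit", "mgmt", "any", "tcp", 22),             # admin SSH from mgmt path
    Rule("permit", "internal", "internet", "any", None),  # users browse out
    # No terminal rule: anything unmatched falls through to the implicit deny.
]

# The trap from "Common traps": the public web server sits on the internal LAN,
# so the internet must be permitted straight into the trusted zone.
ACL_FLAT = [
    Rule("permit", "internet", "internal", "tcp", 443),
    Rule("permit", "mgmt", "any", "tcp", 22),
    Rule("permit", "internal", "internet", "any", None),
]


def evaluate(acl, src: str, dst: str, proto: str, dport: int):
    """First-match evaluation. Returns (action, index of the matching rule),
    or ("deny", None) when nothing matched: the implicit deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for index, rule in enumerate(acl):
        if rule.matches(src_zone, dst_zone, proto, dport):
            return rule.action, index
    return "deny", None


def nac_admit(device: dict) -> str:
    """Admission decision made before any ACL sees a packet.
    Returns the role the switch port is assigned: production, quarantine or guest."""
    if not device.get("managed", False):
        return "guest"          # unmanaged device: never onto the production LAN
    if device.get("edr_running", False) and device.get("os_patched", False):
        return "production"     # managed and passing posture checks
    return "quarantine"         # managed but failing posture: remediation only


if __name__ == "__main__":
    web_server, file_server, db_server = "203.0.113.10", "10.10.5.5", "10.10.5.20"
    attacker = "198.51.100.7"  # constructed external address
    print("screened design:")
    print("  internet -> web 443      ", evaluate(ACL_SCREENED, attacker, web_server, "tcp", 443))
    print("  internet -> internal 443 ", evaluate(ACL_SCREENED, attacker, file_server, "tcp", 443))
    print("  web -> db 5432           ", evaluate(ACL_SCREENED, web_server, db_server, "tcp", 5432))
    print("  web -> db 22             ", evaluate(ACL_SCREENED, web_server, db_server, "tcp", 22))
    print("flat design (web server on the internal LAN):")
    print("  internet -> file srv 443 ", evaluate(ACL_FLAT, attacker, file_server, "tcp", 443))
    print("NAC:", nac_admit({"managed": False}),
          nac_admit({"managed": True, "edr_running": True, "os_patched": False}),
          nac_admit({"managed": True, "edr_running": True, "os_patched": True}))
```

Two things the model makes visible. With the web server in the screened subnet, the internet reaches exactly one service, and a compromised web host gets only the database port toward the internal LAN. In the flat variant, the single permit needed to expose the web server also exposes every other internal host on port 443, because the ACL boundary is the zone, not the one server. Note also that evaluation is first-match, so rule order matters: a broad permit placed above a narrow deny makes the deny unreachable, and the admission decision in nac_admit is a separate control that no ACL rule can substitute for.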

Common traps

  • using an ACL where NAC is the real requirement
  • assuming hardening and segmentation are interchangeable
  • putting an internet-facing service directly inside the trusted network
  • choosing the most complex control even when a simpler boundary control is the better fit

What strong answers usually do

  • identify whether the problem is device admission, path restriction, or service exposure
  • narrow access at the earliest sensible boundary
  • keep internet-facing services away from trusted internal segments
  • remember that hardening reduces device attack surface but does not replace segmentation

Harder scenario question

A company hosts a public web service and wants to reduce exposure to the internal network. It also wants to block unmanaged employee devices from joining the production LAN in the first place. Which pair of controls is the strongest fit?

A. ACL for device admission and DNS filtering for the web server
B. NAC for device admission and a screened subnet for the public web service
C. PAT for device admission and RADIUS for public web hosting
D. MTU tuning for device admission and a larger VLAN for the server

Best answer: B

Why: The scenario contains two different boundaries. Device admission is an identity or posture question, which points to NAC. Public service placement is an exposure-boundary question, which points to a screened subnet rather than to a generic access list alone.

Continue with 5. Network Troubleshooting when the security-control boundaries feel clear.