CompTIA N10-009 Hardening, NAC, and ACLs Guide

Study CompTIA N10-009 Hardening, NAC, and ACLs: key concepts, common traps, and exam decision cues.

Hardening questions are usually boundary questions. CompTIA is testing whether you can place the control at the correct layer and reduce exposure without overcomplicating the answer. The wrong option often sounds “more secure” in the abstract but protects the wrong place in the path.

Screened subnet: A network segment placed between trusted and untrusted zones to host exposed services more safely.

NAC: Network access control, using identity, posture, or policy checks to decide whether a device should be admitted to the network.

What CompTIA is really testing

The strongest answers usually depend on one of these choices:

  • admission control versus traffic filtering
  • segmentation versus device hardening
  • exposed-service placement versus internal-service placement
  • broad access versus narrowly scoped access

Keep these controls distinct

| Control | Strongest use |
|---|---|
| hardening | reduce unnecessary services, defaults, and attack surface on the device itself |
| NAC | decide whether a device should join the network or be restricted |
| ACL | allow or deny traffic based on defined rules |
| screened subnet | host externally reachable services without exposing the internal network directly |

The control-placement question

CompTIA often hides the real answer inside this question:

“At what boundary should this control act?”

  • if the issue is device admission, NAC is stronger than an ACL alone
  • if the issue is traffic restriction between segments, ACLs or policy boundaries fit better
  • if the issue is a vulnerable exposed service, screened-subnet logic matters more than a generic “more firewall” answer

Small design example

Internet -> screened subnet -> web server
Internal network -> separate trusted zone
Admin access -> restricted management path

What to notice:

  • the exposed service is reachable where it needs to be
  • the internal network is still behind another boundary
  • this is stronger than placing the public service directly on the internal segment
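
The three-zone layout above, modeled as a first-match ACL on the boundary device. This is an added example, not part of the original guide; the addresses, ports, zone names, and rule order are constructed assumptions. It also models the flat alternative, where traffic between two hosts on the same segment never reaches the ACL.

```python
import ipaddress

# Constructed addressing plan (assumption; documentation and private ranges).
ZONES = {
    "mgmt": "10.0.99.0/24",      # restricted management path
    "internal": "10.0.0.0/16",   # trusted zone
    "screened": "192.0.2.0/24",  # screened subnet
}
WEB = "192.0.2.10/32"            # public web server in the screened subnet

# First-match ACL on the boundary device: (action, src, dst, TCP port or None = any).
ACL = [
    ("permit", ZONES["mgmt"], WEB, 22),                    # admin SSH from mgmt only
    ("deny", ZONES["screened"], ZONES["internal"], None),  # no screened -> internal
    ("permit", "0.0.0.0/0", WEB, 443),                     # public HTTPS
]

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def zone_of(ip):
    """Most specific zone first (mgmt is listed before the /16 that contains it)."""
    for name, cidr in ZONES.items():
        if _in(ip, cidr):
            return name
    return "internet"

def evaluate(src, dst, port):
    """Return (decision, index of the matching rule or None)."""
    # Traffic inside one segment never crosses the boundary, so no ACL sees it.
    if zone_of(src) == zone_of(dst):
        return ("unfiltered", None)
    for i, (action, s, d, p) in enumerate(ACL):
        if _in(src, s) and _in(dst, d) and p in (None, port):
            return (action, i)
    return ("deny", None)  # implicit deny at the end of the list

if __name__ == "__main__":
    print(evaluate("203.0.113.7", "192.0.2.10", 443))  # internet -> web server
    print(evaluate("192.0.2.10", "10.0.5.20", 445))    # web server -> internal host
    print(evaluate("10.0.5.80", "10.0.5.20", 445))     # web server placed on internal LAN
```

The last call is the flat design: with the web server addressed inside the internal segment, its traffic to a neighbor is never evaluated, which is why the screened subnet is the stronger placement.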

Common traps

  • using an ACL where NAC is the real requirement
  • assuming hardening and segmentation are interchangeable
  • putting an internet-facing service directly inside the trusted network
  • choosing the most complex control even when a simpler boundary control is the better fit

What strong answers usually do

  • identify whether the problem is device admission, path restriction, or service exposure
  • narrow access at the earliest sensible boundary
  • keep internet-facing services away from trusted internal segments
  • remember that hardening reduces device attack surface but does not replace segmentation

Decision order that usually wins

Separate admission from exposure reduction. If the question is about whether a device should be allowed onto the network at all, think NAC. If the question is about reducing unnecessary services or defaults on a system, think hardening. If the question is about safely placing exposed services, think screened subnet or other boundary design. Network+ often places those ideas together to see whether you can keep the control roles straight.


Harder scenario question

A company hosts a public web service and wants to reduce exposure to the internal network. It also wants to block unmanaged employee devices from joining the production LAN in the first place. Which pair of controls is the strongest fit?

A. ACL for device admission and DNS filtering for the web server
B. NAC for device admission and a screened subnet for the public web service
C. PAT for device admission and RADIUS for public web hosting
D. MTU tuning for device admission and a larger VLAN for the server

Best answer: B

Why: The scenario contains two different boundaries. Device admission is an identity or posture question, which points to NAC. Public service placement is an exposure-boundary question, which points to a screened subnet rather than to a generic access list alone.

Continue with 5. Troubleshooting when the security-control boundaries feel clear.

Revised on Sunday, May 10, 2026