Network Hardening is the process of securing a system by reducing its “surface area” of vulnerability. On a network switch, every unused port and every default setting is a potential entrance for an attacker.
Here are the four essential hardenin techniques we should know for the Network+ and our daily life as IT associates.
1. Port Security: Identifying the Guest
By default, a switch port will talk to anyone who plugs in. Port Security Changes that. You can configure a port to only allow specific MAC Addresses.
- Static: You manually type in the MAC address of the authorized computer.
- Sticky: The switch “learns” the first MAC address that plugs in and saves it to the configuration.
- Violation Actions: If an unknown device (like an employees personal laptop) plugs into a “hardened” port, you can tell the switch to Shutdown the port immediately and send an alert to your office.
2. DHCP Snooping: Stopping the Rogue Router
The Scenario: An employee brings in an old wireless router from home and plugs it into the wall to get better Wi-Fi in their office. Suddenly, half the building loses internet because that home router is handing out wrong IP addresses.
- The Fix: DHCP Snooping. You tell the switch which port the real DHCP server is on (the “Trusted” port). If the switch sees a DHCP response coming from any other port (an “Untrusted” port), it drops it immediately.
3. Disabling Unused Ports
This is the simplest and most effective hardening step. If a wall jack in a hallway or a vacant office isn’t being used, shut the port down at the switch.
- Why? It prevents an intruder from walking into a quiet room, plugging in a rogue device, and gaining access to the internal network. If the port is “Administratively Down,” they get nothing.
4. Securing the Management Plane
How do you log into your switches? If you are using Telnet, you are sending your admin password in plain text over the wire.
- The Hardening Step: Disable Telnet and HTTP. Enable SSH (Secure Shell) and HTTPS.
- Console Security: Put a password on the physical console port. If someone breaks into your wiring closet, they shouldn’t be able to just plug in a laptop and have full control of the switch.
5. The “Support Associate” Reality: VLAN Pruning
We talked about Trunking last week, By default, a trunk carries traffic for every VLAN.
- Hardening Tip: Use VLAN Pruning to only allow the specific VLANs that are needed on that link. If Building B only needs the “Student” and “Staff” VLANs, don’t let the “Security Camera” or “Admin” Traffic travel across that wire.
๐งช The “Exam Tip” for Network+
From our studying I have learned that CompTIA loves to ask about Dynamic ARP Inspection (DAI). This works alongside DHCP Snooping. It prevents “ARP Spoofing” (where a hacker pretends to be the Default Gateway) by checking every ARP packet against the list of known, valid IP-to-MAC bindings.
What’s Next?
The switches are locked down, but what about the airwaves? Tomorrow, we move into Wireless Security. We’ll talk about the evolution from WEP to WPA3, the power of Captive Portals, and how to secure a guest network.
๐ Sources & Further Reading.
- CompTIA Network+ N10-009: Objective 4.3 – Given a scenario, implement network hardening techniques.
- The Cyber Ledger: Physical Security & Social Engineering
- Professor Messer: Device Security
This article is an independent summary of my learning journey. All trademarks and copyrighted materials belong to their respective owners.