DEV Community

Mustafa ERBAY

Posted on • Originally published at mustafaerbay.com.tr

Switch Hardening: A Waste of Time for Side Projects, or Smart…

Introduction: What Should Be the Security Level in Side Projects?

Your own projects, hobbies, or small systems built for learning purposes... We all have side projects like these in our lives. We often leave security settings at the most basic level, thinking "no one is using it anyway" or "it's just something I use." I worked with this philosophy for many years. But at some point, especially when a side project unexpectedly reaches a wider audience or starts to hold sensitive data, I realized how risky this approach could be. Switch hardening has become standard in corporate environments, so why is it overlooked in our own small worlds? In this post, I will go through the situations I encountered in my side projects and ask, based on my own experience, whether switch hardening is truly a waste of time.

This situation is largely an extension of the "maximum benefit with minimum effort" principle. When managing a production ERP or a large corporate network infrastructure, security breaches can lead to millions of dollars in losses. Therefore, all kinds of security measures are seen as an investment against potential risks. However, putting in the same level of effort for a web application running on a small server in my own home might seem unnecessary at first glance. But lo and behold, these "small" worlds can also grow over time and open up to the outside world. And that's when the small details we overlook can open the door to big problems.

Switch Hardening: Its Place in the Corporate World and its Perception in Side Projects

In corporate networks, when we talk about switch hardening, the first things that come to mind are Layer 2 security measures like DHCP Snooping, Dynamic ARP Inspection (DAI), and IP Source Guard. Between them, these stop rogue DHCP servers, drop ARP replies that impersonate another host, and discard frames whose source IP or MAC does not match the address the port's host actually leased. Implementing them is critical for the stable and secure operation of the network. When setting up these kinds of structures in my own projects, it used to take days to make these adjustments initially. Especially when vendor-specific CLI command sets and complex configurations came into play, this effort increased even further.

However, most of my side projects were network setups in my home or on a small VPS. In these environments, there was usually a single managed switch (or sometimes no switch at all, directly connected to the router). In this case, what did "switch hardening" mean? Was it really sensible to spend hours on that single device? Most of the time, the thought, "It's not worth the effort, I'm the only one using it anyway," prevailed. This perception directly affected the security approach in side projects. It was common to focus more on application-level security measures and assume the basic layers of the network were somewhat "trustworthy."

ℹ️ A Note from My Experience

Once, in a small lab environment I set up, a piece of malware infected one of my servers. At first, I thought it was an application-level vulnerability. After days of debugging, it turned out that the malware had infiltrated the network through a port I had inadvertently left open. However, this could have been prevented with a simple DHCP Snooping and DAI configuration. This incident reminded me once again how fundamental network security is.

A Real Case: An Unwanted Guest in a System "Used Only By Me"

A few years ago, I developed a simple web application to track and analyze my personal financial data. This application ran on a mini PC in my home, on several containers managed by Docker Compose. My network setup was quite simple: my home modem and a single managed switch directly connected to it. My mini PC and other devices were connected through this switch. I had set up DynDNS and port forwarding to make the application accessible from the outside. The application itself used an SSL certificate, meaning it was accessed via HTTPS. "At least it has HTTPS," I told myself to feel at ease.

Everything went well for about six months. Then one day, I noticed that my server's CPU usage had suddenly spiked to 100%. When I checked the logs, I saw a web service that was constantly receiving meaningless requests. These requests were not directly related to my application, but they were drastically increasing network traffic. When I quickly reviewed the access logs, I saw an incredible number of queries coming to the IP address where the application was running. These appeared to be mostly brute-force attempts or bots scanning for known vulnerabilities. While my application itself was relatively resistant to such attacks, it was seriously affecting the overall performance of the server.

⚠️ Things to Consider

This situation could have affected the performance of other devices on the same network, not just my application. If this attack had been directed at another device on the network, the consequences could have been much more severe. At that moment, I understood that even a system "used only by me" can become a target as long as it is open to the outside. And the methods used to reach these targets are not always at the application level.

Why Switch Hardening Becomes Important in Side Projects

The case above shows why switch hardening is becoming important not only for corporate networks but also for personal projects. Here are a few key reasons:

  1. Expansion of Attack Vectors: Attackers don't only target application vulnerabilities; they also exploit weaknesses in the network itself. If a device on the network has a weak password or an unnecessary service listening on it, that device becomes the attacker's foothold on the LAN. DHCP Snooping and DAI don't stop such a device from connecting, but they do stop it from handing out a rogue gateway or poisoning the ARP caches of its neighbours, which is exactly what it needs in order to see or redirect the other hosts' traffic.
  2. DDoS and Botnet Impact: Situations like the one I experienced can lead to your side project unknowingly becoming part of a DDoS attack. If a device on your network is compromised, it can be used as part of a botnet to attack other systems. Switch hardening does not cut a compromised host off from the internet, but port security, DHCP/ARP rate limits, and storm control on untrusted ports limit the damage it can do to the other devices on the LAN and to the network's capacity.
  3. Data Privacy and Integrity: If your side project contains personal or sensitive data (financial data, personal information, etc.), it is your responsibility to protect the privacy and integrity of that data. Weaknesses at the network layer can lead to unauthorized access to this data. For example, network traffic can be monitored through attacks like ARP spoofing.
  4. Learning and Development Opportunity: Your own projects are a great opportunity to test and learn security configurations that you might not have the chance to try in corporate environments. Switch hardening is a great area to deepen your knowledge of network security.

💡 Pragmatic Approach Recommendation

You don't have to do everything at the highest level. For your own side projects, prioritize. If your project is exposed to the internet and potentially contains sensitive data, it's worth implementing at least the basic L2 security measures: DHCP Snooping, DAI, and IP Source Guard. On an entry-level managed switch this is usually a handful of commands. Be clear about what those commands cover, though: all three defend against hosts on the same LAN, which is the scenario where a compromised device on your network tries to impersonate the gateway or sniff its neighbours. Traffic that arrives through a port forward never touches them, so the router's firewall and the application's own rate limiting or fail2ban-style blocking still have to carry that part of the risk.

Realistic Steps for Switch Hardening in Side Projects

So, how can we make switch hardening more manageable in our side projects? Here are some steps I've taken and recommend:

1. Choosing the Right Device: Managed Switches

First and foremost, using a "managed" switch in your home network or for small projects is the first step towards switch hardening. These devices are generally inexpensive and suitable for entry-level use. For example, models like TP-Link's JetStream series or Ubiquiti's UniFi switches offer basic L2 security features; feature sets differ between models even within one product line, so check the datasheet for DHCP Snooping, DAI, and IP Source Guard before buying. The interfaces of these devices are usually web-based and offer configuration capabilities that do not require command-line (CLI) knowledge. By using these types of devices in my own projects, I was able to apply the settings I was familiar with from corporate networks more easily.

! Example: enabling DHCP Snooping on a TP-Link JetStream switch (Cisco-like CLI)
switch# configure terminal
switch(config)# ip dhcp snooping
! Enable per VLAN; list only the VLANs that actually carry DHCP clients
switch(config)# ip dhcp snooping vlan 1,10,20
! The uplink to the router (the only legitimate DHCP server) is the single trusted port
switch(config)# interface gigabitEthernet 1/0/1
switch(config-if)# ip dhcp snooping trust
switch(config-if)# exit
! Every other port stays untrusted, which is the default: a DHCP OFFER or ACK arriving there is dropped
switch(config)# interface gigabitEthernet 1/0/2
switch(config-if)# no ip dhcp snooping trust
switch(config-if)# exit
switch(config)# end
! Persist the configuration, or it is gone after the next reboot
switch# copy running-config startup-config

While commands like these might seem a bit intimidating at first, the basic commands for most managed switches are similar. Most manufacturers provide detailed documentation and configuration examples for these commands.

2. Basic L2 Security Measures: DHCP Snooping and DAI

DHCP Snooping classifies every port as trusted or untrusted. DHCP server messages (OFFER, ACK, NAK) are only accepted on trusted ports, normally just the uplink to your router, so a rogue DHCP server plugged into any other port cannot hand out a fake gateway or DNS server. As a side effect, the switch records each successful lease as an IP/MAC/port/VLAN entry in its binding table. DAI (Dynamic ARP Inspection) uses that table to check ARP packets arriving on untrusted ports: an ARP reply claiming an IP that the binding table assigns to a different MAC or port is dropped. Together, these two measures are the most basic and effective way to block "man-in-the-middle" attacks on the LAN. One caveat: a host with a statically configured IP never appears in the binding table, so DAI will drop its ARP traffic unless you add a static binding for it.

In the problem I experienced with my financial tracking application, if DHCP Snooping had been enabled, it would have prevented the malware or bot that infiltrated the network from setting itself up as the network's main gateway by establishing a DHCP server. DAI, on the other hand, would have rejected the request if the malware had tried to impersonate the MAC address of a device on the network. These two steps actually provide a significant security increase with very little effort.

3. IP Source Guard and Port Security

IP Source Guard filters IP traffic on an untrusted port so that only packets whose source IP (and, optionally, source MAC) matches a binding for that port, learned via DHCP Snooping or entered statically, are forwarded. This prevents IP address spoofing from a compromised host. Port Security limits the number of MAC addresses a port may learn and reacts when the limit is exceeded, typically by dropping the offending frames or shutting the port down. Both add a layer of protection wherever physical access to a port is easy. Bear in mind that a port with a Wi-Fi access point or a hypervisor behind it legitimately presents many MACs, so its Port Security maximum has to be set accordingly or the port will trip.

In my home network, I also used these features when separating my guest network from my main network. By applying more restrictive IP Source Guard and Port Security rules to the ports on my guest network, I prevented guests from accessing my main network devices or misusing network resources. This protected both the privacy of my guests and the security of my devices.
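As an added example, not code from the original post, here is the rest of the configuration that sections 2 and 3 describe, written in Cisco IOS syntax, which the TP-Link JetStream CLI used above and several other vendors mirror closely (check your own vendor's guide for the exact keywords). The VLAN number, interface names, IP address and MAC address are placeholders chosen for illustration. The example also includes two things the sections above do not spell out: a static binding for a host that has a fixed IP instead of a DHCP lease, and the show commands to verify that the controls are doing what you expect.

```cisco
! Assumed topology (placeholders): VLAN 10 for the whole LAN,
!   Gi1/0/1   uplink to the home router, the only legitimate DHCP server
!   Gi1/0/2   mini PC running the Docker host, static IP 192.168.10.20, MAC 0011.2233.4455
!   Gi1/0/3-8 ordinary access ports
!
! 1. DHCP Snooping: blocks rogue DHCP servers and builds the binding table
ip dhcp snooping
ip dhcp snooping vlan 10
! Cisco inserts DHCP Option 82 by default; many home routers drop such requests, so turn it off
no ip dhcp snooping information option
!
! 2. Dynamic ARP Inspection on the same VLAN, also checking that the Ethernet
!    addresses match the ones inside the ARP body
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. Static binding for the host that never uses DHCP; without it DAI and
!    IP Source Guard would drop every ARP reply and IP packet it sends
ip source binding 0011.2233.4455 vlan 10 192.168.10.20 interface gigabitEthernet 1/0/2
!
! 4. Uplink: the only port allowed to send DHCP server replies and unchecked ARP
interface gigabitEthernet 1/0/1
 description uplink-to-router
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
 storm-control broadcast level 1.00
!
! 5. Server port: untrusted, rate-limited, locked to a single MAC, IP Source Guard on
interface gigabitEthernet 1/0/2
 description mini-pc-docker-host
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip verify source port-security
!
! 6. Remaining access ports: same controls, but allow two MACs so a small
!    desk switch or a device with two adapters does not trip the port
interface range gigabitEthernet 1/0/3 - 8
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
 storm-control broadcast level 1.00
!
! 7. Let err-disabled ports recover by themselves after five minutes, so a
!    misconfiguration does not require a console session to undo
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! 8. Verification (run from enable mode after a few clients have renewed their leases)
!    show ip dhcp snooping binding              every DHCP client listed with its port
!    show ip arp inspection statistics vlan 10  the Dropped counters should stay at zero in normal use
!    show ip verify source                      the IP Source Guard filter active per port
!    show port-security interface gigabitEthernet 1/0/2
!    show interfaces status err-disabled        empty unless something tripped
```

DAI and IP Source Guard act only on what DHCP Snooping has recorded, which is why step 3 matters: add the static binding before enabling the controls on that port, or the server drops off the network the moment DAI comes up. Watch the err-disabled list for the first day; a port behind which an access point or a hypervisor sits will need a higher port-security maximum than the two used here.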

Trade-offs and Realistic Expectations

There are some trade-offs to consider when performing switch hardening. These are important for those considering these steps in their side projects:

  • Complexity: Even in corporate environments, correctly configuring switch hardening can be time-consuming and complex. Instead of going into such depth for your side projects, you might prefer to take simple precautions based on your project's sensitivity.
  • Cost: Managed switches are more expensive than unmanaged switches. However, nowadays, the prices of entry-level managed switches have become quite reasonable. For your own projects, especially if you have systems exposed to the internet, you can consider this cost as an investment.
  • Performance: Incorrectly configured security measures can degrade the network rather than protect it: a DHCP or ARP rate limit set too low err-disables a port under normal load, and a Port Security maximum that is too small locks out the devices behind an access point. The controls themselves, DHCP Snooping and DAI in particular, have minimal impact on throughput on modern switches. The important thing is to configure them deliberately and test them before relying on them.

ℹ️ A Conclusion from My Own Experience

Last month, I experienced a performance drop on the VPS hosting my blog. At first, I thought it was due to the web server or database resources. However, after detailed investigations, I noticed that the server's network interface card (NIC) was using more CPU than expected. The cause was a simple broadcast storm on the network. If my switch had port isolation or stricter broadcast storm control settings, this problem would not have occurred. This incident reminded me that the network is not just about device connectivity but also a critical component of performance.

Conclusion: Give Up, or Approach Smartly?

Performing switch hardening on your side projects might seem like a "waste of time" at first glance, especially if you operate with the "no one is using it" mentality. However, my experiences have shown that even these "small" worlds can grow over time, open up to the outside world, and face unexpected security risks. Therefore, instead of completely ignoring switch hardening, it is best to adopt a pragmatic approach based on your project's needs and risk tolerance.

With basic L2 security measures (DHCP Snooping, DAI) and the right device selection, you can significantly enhance the security of your side projects. These steps generally don't require a huge effort but provide you with significant protection against potential security breaches. Remember, security is a process, and small measures taken at every layer strengthen your overall security. Taking these steps in your own projects offers a learning opportunity and allows you to prevent potential problems from the outset. Therefore, instead of calling it a "waste of time," it's more accurate to call it a "smart investment."
