Switch Hardening: A Fundamental Security Layer or an Unnecessary Burden?
When it comes to network security, we often focus on prominent components like firewalls and intrusion detection systems (IDS/IPS). However, the switches that form the backbone of the network can also be attractive targets for attackers. Switch hardening is the practice of enhancing the security of these devices. But is it always necessary? In this post, I will examine what switch hardening is, why it can be important, and when it is truly a necessity, based on my own experiences.
Over the past 10 years, especially in large enterprise networks, the security of switches has become increasingly important. Once viewed as passive devices merely forwarding packets, switches now possess more complex features and present potential attack vectors. As I've encountered in my own projects, a misconfigured switch can jeopardize the security of the entire network. Therefore, understanding the intricacies of switch hardening has become critical.
Why Should We Perform Switch Hardening? Potential Threats and Attack Vectors
To understand why we need switch hardening, we must first look at the threats we face. Attackers can intercept network traffic, alter routing, or even gain access to specific parts of the network by compromising switches. Such attacks are often targeted and aim to find the network's weakest points.
Attacks like DHCP spoofing, ARP poisoning, and VLAN hopping can be easily carried out on improperly configured switches. For instance, an attacker can run a rogue DHCP server and hand out attacker-controlled IP addresses or gateway information to clients, which places the attacker in the path of those clients' network communications. In my own experience, while working with the IT team of a manufacturing plant, we experienced nearly an hour of production loss due to a DHCP spoofing attack that disrupted access to operator screens. The source of the problem was so simple to find and fix that it once again showed me how critical switch hardening is.
ℹ️ What is DHCP Snooping?
DHCP Snooping is a Layer 2 security feature that prevents DHCP spoofing attacks by blocking DHCP server messages from untrusted ports. The switch accepts DHCP offers and responses from trusted ports while rejecting others.
Another common attack vector is VLAN hopping. Attackers can often exploit trunk port misconfigurations on a switch, such as ports left to auto-negotiate trunking, to gain access to a VLAN they would normally not be able to reach. This is particularly used to gain access to VLANs containing sensitive data. In a penetration attempt against the backend of a financial calculator application I developed, we detected that the attacker was trying to infiltrate the network through this method. Fortunately, the attack could not progress further because the access control lists (ACLs) between VLANs were correctly configured.
Fundamental Steps of Switch Hardening: What Should Be Done?
Switch hardening involves a series of configuration steps. These steps can vary depending on the switch model and manufacturer, but the general principles are similar. Firstly, disabling unused ports is the most basic step. Each port is a potential entry point, and closing unused ports eliminates this risk.
In addition, applying specific MAC address filtering to each port enhances security. This ensures that only authorized devices can connect to a particular port. In a project I undertook for my own website, when I implemented this policy on the switches in the network segment where my servers are located, I instantly blocked an unauthorized device's attempt to connect to the network. While this might seem "paranoid," it is necessary, especially in critical infrastructures.
```
# Cisco IOS example: Disabling ports
Switch(config)# interface range GigabitEthernet1/0/1-24
Switch(config-if-range)# shutdown

# MAC address filtering (with Access Control List)
Switch(config)# mac access-list extended ALLOWED_DEVICES
# Allowed MAC address
Switch(config-macl)# permit host 0011.2233.4455 any
# Explicitly deny all other MAC addresses (a MAC ACL already ends in an implicit deny;
# the "log" keyword is not supported for MAC ACLs on most Catalyst platforms)
Switch(config-macl)# deny any any
Switch(config-macl)# exit
Switch(config)# interface GigabitEthernet1/0/5
Switch(config-if)# mac access-group ALLOWED_DEVICES in
```
Features like DHCP snooping, Dynamic ARP Inspection (DAI), and IP Source Guard also significantly strengthen Layer 2 security. DHCP snooping blocks DHCP server messages from untrusted ports and records each client's lease (IP address, MAC address, VLAN and port) in a binding table; DAI checks ARP packets against that table, preventing ARP poisoning attacks. IP Source Guard, on the other hand, checks whether traffic arriving on a port carries the source IP (and optionally MAC) address that the binding table associates with that port, and drops anything else. These features are vital, especially on access switches where user devices connect.
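Putting the three features together on a Cisco IOS access switch, as an added example that is not from the original post; the VLAN numbers, interface names, the trusted uplink port and the static host's addresses are assumptions:

```cisco
! Globally enable DHCP snooping and DAI for the user VLANs (VLANs 10 and 20 are assumed)
ip dhcp snooping
ip dhcp snooping vlan 10,20
! Option 82 insertion is left off unless the DHCP server is known to accept it
no ip dhcp snooping information option
ip arp inspection vlan 10,20
! Also sanity-check the addresses inside the ARP body, not only the binding table
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static IPs never appear in the snooping table, so they need explicit entries
! (assumed printer: MAC 0011.2233.4455, IP 192.0.2.50, on Gi1/0/24)
ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/24
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink towards the distribution layer and the DHCP server: the only trusted port
interface GigabitEthernet1/0/48
 description UPLINK-TO-DIST
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User-facing access ports stay untrusted; the rate limits err-disable a flooding client
interface range GigabitEthernet1/0/1-24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! IP Source Guard: forward only packets whose source IP matches a binding for this port
 ip verify source
!
! Recover err-disabled ports automatically instead of waiting for a manual "no shutdown"
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Verification commands (exec mode):
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show ip verify source
```

Because DAI and IP Source Guard depend on the binding table, enabling them on a VLAN before DHCP snooping has populated it will cut off existing clients until they renew their leases; roll the features out during a maintenance window or after a lease cycle.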
Managing Unused Ports and Changing Default Settings
One of the most overlooked aspects of switch security is the management of unused ports. Knowing how many ports are actively used in a network and closing unused ports significantly reduces the attack surface. Many administrators leave ports open with the thought of "it might be needed later." However, this creates a potential security vulnerability.
In my own projects, especially when setting up a new network infrastructure or reviewing an existing one, I determine the purpose of each port and shut down unnecessary ones. For example, in a data center, only ports where servers connect are kept active, and ports accessible to users are completely isolated. Even in the network configuration of my own servers in a VPS, I apply this principle by leaving only the necessary ports open.
⚠️ Default Passwords and Management Interfaces
Running switches with default passwords from the manufacturer is one of the biggest security mistakes. Strong and unique passwords should be used for access to management interfaces (CLI, Web UI, SNMP), and a separate VLAN should be created for management traffic, with access to this VLAN restricted.
Changing default management passwords is also a must. Most switches come with factory default passwords that are easily found online. Immediately changing these passwords is the first step to preventing unauthorized access. Furthermore, it is recommended to use more secure versions like SNMP v3 instead of old and insecure protocols like SNMP v1/v2c, or to disable SNMP entirely if not needed.
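A Cisco IOS management-plane configuration that applies these points, added here as an example and not taken from the original post: a dedicated management VLAN, hashed local credentials, SSH-only administrative access restricted to named admin hosts, and SNMPv3 with authentication and privacy in place of v1/v2c. VLAN 99, the addresses, the user names and the angle-bracket placeholders for secrets are assumptions to be replaced.

```cisco
! Management traffic lives in its own VLAN; this SVI is the only interface with an IP address
vlan 99
 name MGMT
interface Vlan99
 description MANAGEMENT
 ip address 192.0.2.10 255.255.255.0
!
! Local account and enable secret stored as scrypt hashes, not reversible "password" entries
username netadmin privilege 15 algorithm-type scrypt secret <StrongPassphrase>
enable algorithm-type scrypt secret <StrongEnablePassphrase>
service password-encryption
!
! SSH version 2 only; a domain name is required before the host key can be generated
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! Slow down password guessing and log failed logins
login block-for 120 attempts 3 within 60
login on-failure log
!
! Only the admin jump hosts may open a management session; Telnet is not offered at all
ip access-list standard MGMT-HOSTS
 permit 192.0.2.100
 permit 192.0.2.101
 deny   any log
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 10 0
!
! SNMPv3 only: authenticated (SHA) and encrypted (AES-128) read-only access.
! No v1/v2c community strings are defined anywhere in the configuration.
snmp-server view MONITOR-VIEW iso included
snmp-server group MONITOR v3 priv read MONITOR-VIEW
snmp-server user nms-user MONITOR v3 auth sha <AuthKey> priv aes 128 <PrivKey>
!
! Services that expose the management plane and are not needed here
no ip http server
no ip http secure-server
! CDP advertises platform and software details; keep it only where IP phones depend on it
no cdp run
```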
Port Security: MAC Address Filtering and Port-Based Security
Port security is one of the most fundamental security features of switches. It involves controlling how many MAC addresses can connect to a port and which MAC addresses are permitted. One of the most common techniques is to limit the maximum number of MAC addresses allowed on a port. For example, by allowing only one MAC address to connect to a user port, you can prevent a user from connecting multiple devices to the network.
```
# Cisco IOS example: Port security - single MAC address allowed
Switch(config)# interface GigabitEthernet1/0/10
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
# Shut down (err-disable) the port on a violation
Switch(config-if)# switchport port-security violation shutdown
# Save the first learned MAC address in the running configuration
Switch(config-if)# switchport port-security mac-address sticky
```
The "sticky MAC" feature learns the first MAC address seen on a port and writes it into the running configuration. Afterwards, if frames with a different source MAC address arrive on that port, the switch treats this as a violation. With the violation mode set to shutdown, the port goes into the err-disabled state and stays down until an administrator re-enables it or errdisable recovery is configured, so the mode should be chosen with the operational impact in mind. This feature is particularly effective in environments where physical access is restricted. In a customer project, when we activated this feature on switches in an office segment, we saw that an employee's attempt to connect their personal laptop to the network was blocked. This was important for ensuring compliance with company policies.
Features like DAI and IP Source Guard take port security to the next level. DAI validates ARP packets to prevent ARP spoofing. IP Source Guard, on the other hand, checks if IP packets arriving from a port are consistent with the IP and MAC addresses assigned to that port. This dual protection is highly effective against common attacks like ARP poisoning. Enabling these features is a strong step towards ensuring the overall security of the network.
Secure Use of VLANs and Measures Against VLAN Hopping
VLANs segment the network logically and thereby enhance security by confining traffic to its own broadcast domain. However, if VLANs are not configured correctly, they can become vulnerable to VLAN hopping attacks. VLAN hopping allows attackers to reach a VLAN they would normally not have access to. This usually occurs through misconfigurations or weaknesses in a switch's trunk ports.
To prevent such attacks, only the VLANs that actually need to cross a trunk should be allowed on it; all other VLANs should be pruned from the trunk's allowed list. Additionally, the switch's management interface should only be accessible from specific and secure VLANs. In the network segment where the backend servers for a mobile application I developed are located, I had separated servers with different functionalities into separate VLANs. In this segmentation, I ensured that only authorized management devices could access these VLANs. This way, in case of a potential breach, an attacker would be prevented from accessing all servers.
💡 What is Native VLAN?
The native VLAN is the VLAN into which untagged frames received on an 802.1Q trunk port are placed, and whose frames are sent out of the trunk without a tag. By default, it is VLAN 1. For security purposes, it is recommended to set the native VLAN to a value different from the default and to use this VLAN only for the traffic that genuinely needs it.
Another important measure is the secure management of the native VLAN. Because native VLAN traffic crosses trunks untagged, a device that can place traffic into it can reach every trunk it is carried on. If the native VLAN is the default VLAN 1 and sensitive devices are present in that VLAN, this poses a security risk. Therefore, it is important to set the native VLAN to an otherwise unused VLAN, keep end hosts out of it, and manage that VLAN securely as well.
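Cisco IOS configuration covering the trunk pruning, native VLAN and unused-port points made above (an added example, not from the original post); the VLAN numbers, interface ranges and port roles are assumptions:

```cisco
! The native VLAN and a "black hole" VLAN are both defined but carry no user traffic
vlan 999
 name NATIVE-UNUSED
vlan 998
 name BLACKHOLE
!
! Trunk to the distribution switch: static trunk, no DTP, pruned VLAN list, unused native VLAN
interface GigabitEthernet1/0/48
 description TRUNK-TO-DIST
 ! Required on platforms that also support ISL (e.g. 3560/3750); absent on 802.1Q-only models
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
!
! Tag the native VLAN on every trunk so that untagged frames are dropped instead of forwarded
! (supported on 3560/3750/4500/6500-class switches; not available on every platform)
vlan dot1q tag native
!
! User access ports: fixed access mode, DTP disabled, never left in VLAN 1
interface range GigabitEthernet1/0/1-24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Unused ports: shut down and parked in the black-hole VLAN, so a port that is
! re-enabled by mistake still reaches nothing
interface range GigabitEthernet1/0/25-47
 description UNUSED
 switchport mode access
 switchport access vlan 998
 switchport nonegotiate
 shutdown
!
! Verification (exec mode):
! show interfaces trunk                         -> mode "on", native VLAN 999, pruned allowed list
! show interfaces GigabitEthernet1/0/1 switchport -> "Negotiation of Trunking: Off"
! show interfaces status | include notconnect     -> ports that should be in the UNUSED range
```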
Conclusion: Is Switch Hardening Always Necessary?
Switch hardening is an important part of network security and is definitely necessary in many scenarios. Especially in situations where sensitive data is processed, high security requirements exist, or we want to minimize the attack surface, taking these steps is of great importance. Attacks like DHCP spoofing, ARP poisoning, and VLAN hopping can be easily carried out on improperly configured switches and can lead to serious consequences.
However, not every network may require equally complex hardening steps. For small office networks or less critical infrastructures, basic security measures (changing default passwords, closing unused ports) may suffice. Activating all features can sometimes increase system complexity and make management difficult. Understanding the trade-offs is important: more security often means more management complexity.
Based on my own experiences, I can say that it is always best to perform a risk assessment and determine the most appropriate level of security for the network's requirements. Switch hardening is less of a "to-do list" and more of a security culture that needs continuous review. Adapting these steps according to your network's size, the data it hosts, and the threats it might face will be the most effective approach.