DEV Community

Mustafa ERBAY
Mustafa ERBAY

Posted on • Originally published at mustafaerbay.com.tr

Why is Network Switch Hardening Often Neglected?

#network #security #switch #hardening

Introduction: The Overlooked Importance of Switch Hardening

This morning, as I sat down at my computer, I found myself pondering why network switch hardening remains such a mystery in most environments. I've been deeply involved in system and network administration for years, yet whenever I bring up this topic, I'm met with the same reactions: "We don't have time to deal with that," or worse, "It's not that critical anyway." Is that really true? Whether I'm managing the ERP system of a manufacturing plant, setting up the infrastructure for an e-commerce site, or even securing my own VPS hosting financial calculators, the security of the most fundamental network devices always ends up being one of the last tasks. It's like checking the window locks instead of the front door lock.

In reality, switch hardening is a critical step to reduce the attack surface, prevent unauthorized access, and enhance overall network security. However, in practice, it's often neglected due to its complexity, time cost, and the fact that it doesn't directly yield a tangible "profit." In this post, I'll explain why switch hardening is generally overlooked, what concrete steps should be taken, and the trade-offs these steps entail, all based on my own field experiences. This isn't just a theoretical guide; it's a summary of a journey I've personally experienced, sometimes making mistakes along the way.

Why is Switch Hardening Overlooked?

When we talk about switch hardening, we generally mean moving away from the "secure by default" principle and making additional configurations to enhance device security. This involves much more than just changing default passwords. For instance, steps like disabling unused ports, restricting SNMP access, disabling insecure protocols like Telnet in favor of SSH, and even more advanced measures like port security and DHCP snooping to control network traffic fall under this umbrella. However, most of these steps don't come to mind during initial setup or routine maintenance.

One of the biggest reasons is the misconception that "if there were a security vulnerability, it would have been noticed." Most administrators, seeing that the network is generally operational, are unaware of the underlying subtle security weaknesses. An attacker could exploit these vulnerabilities to infiltrate the network, steal critical data, disrupt services, or hold systems hostage. Especially in corporate environments, compromising a switch can be a stepping stone to gaining control of the entire network. However, such a scenario is often postponed, deemed "highly unlikely."

Cost and Time Concerns

Another significant factor is the concern over cost and time. Implementing switch hardening, especially in large-scale networks, requires considerable time and effort. Addressing each switch individually, performing the necessary configurations, testing, and documenting them can strain IT departments already burdened with their existing workload. Furthermore, some advanced security features might require more expensive or capable switch models, posing an additional obstacle for organizations with budget constraints.

For example, a few years ago, while revamping the infrastructure of a manufacturing firm, we decided to use next-generation managed switches. Despite having many built-in security features, enabling and testing them fully required additional staff and time. Consequently, we were only able to implement the most critical few features (like changing default passwords and disabling unused ports). Others were shelved with a "we'll look at it later" attitude. Unfortunately, this is a common situation I encounter.

Basic Switch Hardening Steps and Technical Details

The core of switch hardening involves disabling unnecessary features, restricting access, and making network traffic more secure. These steps are typically performed by accessing the switch's operating system (via CLI or Web interface). Here are some of the most basic and effective steps:

  1. Change Default Administrator Passwords: This is the simplest yet most critical step. Most switches come with default usernames and passwords out of the box (e.g., admin/admin, cisco/cisco). These passwords must be changed immediately. If this step is neglected, attackers can easily find default credentials with a simple search and gain access to the device.

    # Example Cisco IOS command
enable
configure terminal
username admin privilege 15 secret <new_strong_password>
line console 0
 password <new_strong_password>
 login
exit
line vty 0 4
 password <new_strong_password>
 login
exit
write memory

    This command sequence sets the password for the global administrator account as well as for console and VTY (telnet/ssh) access. The secret command stores the password in a hashed format, which is more secure.

  2. Disable Unused Ports (Shutdown): Shutting down physical ports on your network that are not actively in use prevents unauthorized devices from physically connecting to your network. This is particularly important in environments with extensive cable clutter or in areas providing guest access.

    # Example Cisco IOS command
configure terminal
interface range GigabitEthernet1/0/5 - 24
 shutdown
exit
write memory

    This command shuts down a specific range of ports. Keeping track of disabled ports is also important, as these ports may need to be re-enabled when a new device is connected.

  3. Use Secure Management Protocols: Using SSH instead of unencrypted protocols like Telnet is mandatory. SSH encrypts all administrative traffic, preventing eavesdropping. Furthermore, using SNMPv3 instead of SNMPv1/v2c ensures that community strings are encrypted and authentication mechanisms are utilized.

    # Example Cisco IOS command (Enabling SSH)
configure terminal
ip domain-name yourdomain.local
crypto key generate rsa modulus 2048
line vty 0 4
 transport input ssh
exit
ip ssh version 2
write memory

    These settings enable SSHv2 and generate the necessary keys. SNMPv3 configuration is more detailed and requires parameters such as username, authentication protocol (MD5/SHA), and encryption protocol (DES/AES).

ℹ️ SNMPv3 Configuration

SNMPv3 configuration offers user-based access control. For example, you can create a group with the command snmp-server group SNMP_GROUP v3 priv, and then add users to this group with commands like snmp-server user USERNAME SNMP_GROUP v3 auth md5 PASSWORD auth shav2 PASSWORD priv des56 PASSWORD priv aes128 PASSWORD. This ensures that only authorized individuals or systems can retrieve information from network devices.

Advanced Switch Hardening Techniques

Beyond the basic steps, various advanced techniques can further enhance switch security. These techniques help to more effectively close potential attack vectors on the network.

Port Security

Port security is used to limit the MAC addresses that can be connected to a switch port. This prevents an unauthorized user from connecting their device to your network and engaging in malicious activities. It has two primary modes:

  • Sticky MAC: Learns the MAC address of the first device connected to the port and blocks all traffic from other MAC addresses.
  • Static MAC: Allows MAC addresses manually defined by the administrator. 
# Example Cisco IOS command (Port security with Sticky MAC)
configure terminal
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1  # Only one MAC address
 switchport port-security mac-address sticky
 switchport port-security violation shutdown # Shut down port on violation
 exit
write memory
Enter fullscreen mode Exit fullscreen mode

This configuration learns the MAC address of the first device connected to the port and only allows that device. If another device attempts to connect (a violation), the port is automatically shut down. This is particularly effective in preventing users from connecting their own computers or "evil twin" APs.

DHCP Snooping

DHCP snooping prevents a switch from accepting responses from untrusted DHCP servers. It verifies the identity of the DHCP server that assigns IP addresses to devices on the network, preventing rogue servers from providing services to the network. This is a crucial defense against IP spoofing attacks.

For DHCP snooping to function correctly, a port typically needs to be configured as "trusted." This port is usually connected to the official DHCP server on the network. All other ports are marked as "untrusted."

# Example Cisco IOS command (DHCP Snooping)
configure terminal
ip dhcp snooping
ip dhcp snooping vlan 10,20  # VLANs where DHCP snooping will be enabled
interface GigabitEthernet1/0/1  # Port connected to the DHCP server
 ip dhcp snooping trust
 exit
interface GigabitEthernet1/0/2  # Port connected to user devices
 ip dhcp snooping limit rate 15 # Allow 15 DHCP packets per second (rate limiting)
 exit
write memory
Enter fullscreen mode Exit fullscreen mode

With this configuration, DHCP snooping is enabled on VLANs 10 and 20. Port 1/0/1 is set as "trusted" as it's connected to the trusted DHCP server. On other ports, the packet rate is limited to prevent malicious DHCP flood attacks.

⚠️ DHCP Snooping and Rate Limiting

When configuring DHCP snooping, it's important to limit the packet rate using the limit rate command. However, setting this value too low can cause legitimate clients to fail to obtain an IP address during periods of network congestion. This value should be adjusted based on your network's typical DHCP traffic. For instance, 15 packets/second is generally a reasonable starting point.

Network Segmentation and VLAN Security

Network segmentation is the process of dividing a network into smaller, more manageable, and secure segments. VLANs (Virtual Local Area Networks) are the most common way to achieve this segmentation without altering physical cabling. Each VLAN has its own broadcast domain and, by default, cannot communicate with other VLANs. This prevents a security issue in one segment from spreading to others.

However, VLANs alone do not provide complete security. If inter-VLAN routing is not configured correctly, vulnerabilities can emerge. Controlling traffic between VLANs through firewalls or L3 switches to enforce security policies is critically important.

VLAN Hopping Attacks and Countermeasures

VLAN hopping is a type of attack where attackers attempt to move from one VLAN to another to gain unauthorized access. There are two main types: Switch Spoofing and Double Tagging.

  • Switch Spoofing: The attacker impersonates a switch to try and traverse trunk ports.
  • Double Tagging: The attacker adds a double VLAN tag to direct traffic to the target VLAN. This attack is usually successful if the switch's trunk port is in the same untagged VLAN as the target VLAN.

To prevent these attacks, the following measures should be taken:

  1. Change the Default VLAN: Move the "native VLAN," which is sent untagged on trunk ports, from the default VLAN 1 to a different VLAN.
  2. Disable Unused Trunk Ports: Configure only ports that truly require trunk connectivity as trunk ports.
  3. Port Security and DHCP Snooping: These previously mentioned features indirectly protect against switch spoofing.
  4. Restrict VLANs: Assign only the necessary VLANs to each port, preventing access to unnecessary VLANs. 
# Example Cisco IOS command (Changing Native VLAN)
configure terminal
interface GigabitEthernet1/0/24  # Trunk port
 switchport mode trunk
 switchport trunk native vlan 99  # Use VLAN 99 instead of default VLAN 1
 switchport trunk allowed vlan 10,20,30,99 # Specify only allowed VLANs
 exit
write memory
Enter fullscreen mode Exit fullscreen mode

With this configuration, the native VLAN of the trunk port is set to 99, and only VLANs 10, 20, 30, and 99 are allowed. This makes double-tagging attacks more difficult and cleans up VLAN management on the network.

Protocol Restrictions and Service Management

The services and protocols running on switches also pose potential security risks. For example, protocols like CDP (Cisco Discovery Protocol) or LLDP (Link Layer Discovery Protocol) can leak information about other devices on the network. If this information falls into the hands of attackers, it can aid in understanding the network topology.

Disabling CDP/LLDP and Other Unnecessary Protocols

If you are not using these protocols on your network, disabling them strengthens your security posture.

# Example Cisco IOS command (Disabling CDP)
configure terminal
no cdp run
write memory
Enter fullscreen mode Exit fullscreen mode

This simple command disables CDP globally. Similarly, LLDP can also be disabled.

Additionally, services like network boot (PXE boot) and TFTP should only be run when necessary and in controlled environments. These services can be used by a malicious user to download malware onto your network or reconfigure systems.

Real-World Scenario: E-commerce Site Switch Security

A few years ago, I was involved in a project to revamp the infrastructure of a large Turkish e-commerce site. As part of this project, we reviewed the security of hundreds of switches in the data center and office networks. The situation I encountered was, unfortunately, as expected: most switches still had default passwords, unused ports were open, and access was provided via SNMPv1/v2c.

💡 Field Experience

In this project, we first targeted the most critical data center switches. We changed the default passwords on approximately 150 switches, enabled SSH, and disabled SNMPv1/v2c. This process took about 3 days using automation scripts. Then, we moved on to the switches in the office networks. Here, we also started implementing more advanced configurations like port security and DHCP snooping. During this process, we noticed that some office printers or IP phones had issues obtaining DHCP. We resolved these issues by marking the relevant ports as "trusted" or adjusting DHCP packet limits.

This experience taught me one thing: switch hardening is not a "one-and-done" task; it's an ongoing process. As new devices are added and the network structure changes, these security measures must also be updated and audited. Even the simplest steps can significantly improve the overall security posture.

Trade-offs and Looking Ahead

The biggest trade-off encountered when performing switch hardening is finding the balance between security and operational ease. Overly strict security measures can complicate network management and lead to unexpected problems. For instance, excessively restricting port security can prevent a new device from connecting to the network and slow down emergency response.

Another trade-off is cost. Switches with more advanced security features are more expensive. However, the cost of a security breach can be much higher than the cost of such devices. Therefore, organizations need to find the right balance based on their risk tolerance.

In the future, network devices coming with "security by default" will become even more important. Approaches like Zero Trust architecture require ensuring that every device and every connection is secure. This will make fundamental security practices like switch hardening even more critical. Even on my own VPS, I always review my basic network configurations. Even a simple Linux server comes with its own network interfaces, and ensuring the security of these interfaces is necessary.

In conclusion, the primary reasons for neglecting network switch hardening are time, cost, and a lack of security awareness. However, taking these steps will be a critical investment for our network security in the long run. As I've seen in my own projects, even the simplest steps can make a big difference. Therefore, we must give switch hardening the place it deserves in our network security strategies.

Top comments (0)