5.6 Network Security Best Practices and Hardening

Key Takeaways

  • Disable unused interfaces with the 'shutdown' command to prevent unauthorized access.
  • Use SSH instead of Telnet for all remote management — Telnet is unencrypted.
  • Create a banner message (MOTD) for legal notice before login.
  • Disable HTTP server and enable HTTPS for secure web-based management.
  • Implement port security, DHCP snooping, and DAI on all access switches as a baseline.
Last updated: March 2026

Device hardening is the process of securing network devices by eliminating unnecessary services and applying security controls. A hardened device presents fewer attack surfaces.

Device Hardening Checklist

1. Secure Passwords

Router(config)# enable secret StrongP@ssw0rd!        ! Strong enable password (Type 5/9)
Router(config)# service password-encryption            ! Encrypt Type 0 passwords
Router(config)# security passwords min-length 10      ! Minimum password length
Router(config)# login block-for 120 attempts 3 within 60  ! Block logins for 120 s after 3 failures within 60 s

2. Secure Management Access

Router(config)# ip domain-name example.com             ! Required for RSA key generation (domain is a placeholder)
Router(config)# crypto key generate rsa modulus 2048   ! RSA key pair; SSH will not start without one
Router(config)# username admin secret <admin-password> ! Local account; 'login local' locks you out without one
Router(config)# no ip http server                     ! Disable HTTP (unencrypted)
Router(config)# ip http secure-server                 ! Enable HTTPS
Router(config)# ip ssh version 2                      ! Require SSHv2

Router(config)# line vty 0 15
Router(config-line)# transport input ssh              ! SSH only
Router(config-line)# exec-timeout 5 0                 ! 5-minute idle timeout
Router(config-line)# login local                      ! Local user authentication

Router(config)# line console 0
Router(config-line)# exec-timeout 5 0                 ! Timeout on console too
Router(config-line)# login local

3. Disable Unused Services

Router(config)# no ip source-route                    ! Prevent source routing attacks
Router(config)# no service finger                     ! Disable finger service
Router(config)# no service pad                        ! Disable PAD service
Router(config)# no ip bootp server                    ! Disable BOOTP server
Router(config)# no ip domain-lookup                   ! Prevent CLI from trying DNS on typos
Router(config)# no cdp run                            ! Disable CDP globally (if not needed)

4. Shut Down Unused Interfaces

Switch(config)# interface range GigabitEthernet0/13 - 24
Switch(config-if-range)# shutdown                     ! Disable unused ports
Switch(config-if-range)# switchport mode access       ! Prevent DTP negotiation
Switch(config-if-range)# switchport access vlan 999   ! Assign to unused VLAN

5. Configure Banner Messages

Router(config)# banner motd #
WARNING: Authorized access only.
All activity is monitored and logged.
Unauthorized access is prohibited and will be prosecuted.
#

Why banners matter: In many legal jurisdictions, a warning banner is required before you can prosecute unauthorized access. Without a banner, an intruder might claim they didn't know access was unauthorized.

6. Enable Logging

Router(config)# logging host 10.0.0.200              ! Send logs to syslog server
Router(config)# logging trap informational            ! Log levels 0-6
Router(config)# service timestamps log datetime msec localtime  ! Timestamp all logs
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging enable     ! Log all config changes

Switch-Specific Hardening

Action                  Command                             Purpose
----------------------  ----------------------------------  ----------------------------------
Disable DTP             switchport nonegotiate              Prevent trunk negotiation attacks
Change native VLAN      switchport trunk native vlan 999    Prevent VLAN hopping
Enable DHCP snooping    ip dhcp snooping                    Block rogue DHCP servers
Enable DAI              ip arp inspection vlan <id>         Prevent ARP spoofing
Enable port security    switchport port-security            Limit MAC addresses per port
Enable BPDU Guard       spanning-tree bpduguard enable      Prevent rogue switches
Enable storm control    storm-control broadcast level 20    Prevent broadcast storms

Ongoing Security Maintenance

  • Keep firmware updated — patch known vulnerabilities
  • Review ACLs regularly — remove obsolete rules
  • Monitor logs — look for anomalies and unauthorized access attempts
  • Test backups — ensure configuration backups are current and restorable
  • Conduct security audits — periodic review of device configurations
  • Review user accounts — remove inactive accounts, rotate passwords
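One way to turn the periodic configuration audit above into a repeatable check is a small script that reads a saved running-config and reports which checklist items are missing. This is an added example, not part of the course page: the sample config is constructed, and the names GLOBAL_CHECKS, parse_sections and audit_config are chosen here.

```python
import re
# Constructed sample running-config (not from the page), with deliberate gaps.
SAMPLE_CONFIG = """\
enable secret 9 $9$examplehash
ip http server
ip ssh version 2
logging host 10.0.0.200
line con 0
 exec-timeout 5 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
"""

# Global commands from the checklist, each required as a whole config line.
GLOBAL_CHECKS = {
    "enable secret": r"^enable secret ",
    "no ip http server": r"^no ip http server$",
    "ip http secure-server": r"^ip http secure-server$",
    "ip ssh version 2": r"^ip ssh version 2$",
    "logging host": r"^logging host \S+",
    "banner motd": r"^banner motd ",
}

def parse_sections(config):
    """Group indented sub-commands under their 'line ...' / 'interface ...' header."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw and not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def audit_config(config):
    """Return hardening findings for a running-config; an empty list means all checks passed."""
    findings = [f"missing: {name}" for name, pat in GLOBAL_CHECKS.items()
                if not re.search(pat, config, re.MULTILINE)]
    if re.search(r"^ip http server$", config, re.MULTILINE):
        findings.append("present: ip http server (plaintext HTTP management enabled)")
    for header, body in parse_sections(config).items():
        # vty lines must be SSH-only: 'telnet', 'telnet ssh' and 'all' all fail this check
        if header.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{header}: transport input is not ssh-only")
        if header.startswith("line ") and not any(c.startswith("exec-timeout") for c in body):
            findings.append(f"{header}: no exec-timeout")
    return findings
```

Run audit_config on the output of `show running-config` saved to a file; each finding maps back to a numbered step in the checklist.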

On the Exam: Know the hardening steps and their purposes. A common scenario: "Which of the following would improve security on this switch?" The answer will involve disabling unused ports, enabling DHCP snooping, configuring SSH instead of Telnet, or setting up port security.

Test Your Knowledge

What should be done with unused switch ports to improve security?


Why is it important to configure a login banner (MOTD) on network devices?


Which command disables the unencrypted HTTP server on a Cisco device?
