5.6 Network Security Best Practices and Hardening
Key Takeaways
- Replace Telnet with SSHv2 everywhere; disable the clear-text HTTP server and enable HTTPS for web management.
- Shut down unused ports, set them to access mode, and park them in an unused VLAN to shrink the attack surface.
- Configure a legal MOTD banner — many jurisdictions require it before unauthorized access can be prosecuted.
- Harden trunks: disable DTP with 'switchport nonegotiate' and change the native VLAN away from VLAN 1 to prevent VLAN hopping.
- Send timestamped logs to a syslog server and keep firmware patched as ongoing maintenance.
What Hardening Means
Device hardening is the practice of shrinking a device's attack surface by removing unnecessary services and tightening the rest. A hardened router or switch offers fewer ways in. The exam phrases this as "which of the following would improve security on this device?" — so internalize the checklist below as a set of correct answers.
1. Strong Passwords and Login Throttling
```
Router(config)# enable secret StrongP@ss123
! stored as a Type 5/8/9 hash rather than clear text
Router(config)# service password-encryption
! masks any leftover Type 0 (clear-text) passwords in the config
Router(config)# security passwords min-length 10
Router(config)# login block-for 120 attempts 3 within 60
! slows brute-force guessing
```
The login block-for line blocks all logins for 120 seconds after 3 failures within 60 seconds.
2. Secure Management Plane
```
Router(config)# no ip http server
! kill clear-text web management
Router(config)# ip http secure-server
! HTTPS only
Router(config)# ip ssh version 2
Router(config)# line vty 0 15
Router(config-line)# transport input ssh
! no Telnet
Router(config-line)# login local
Router(config-line)# exec-timeout 5 0
```
Running HTTP or Telnet is a classic finding: both send credentials in clear text that anyone sniffing the segment can capture. SSH and HTTPS encrypt the session.
3. Disable Unused Services
```
Router(config)# no ip source-route
! block source-routing attacks
Router(config)# no service finger
Router(config)# no service pad
Router(config)# no ip bootp server
Router(config)# no ip domain-lookup
! stop DNS lookups (and the resulting delay) on CLI typos
Router(config)# no cdp run
! disable CDP globally if not needed, or per interface with "no cdp enable"
```
CDP advertises model, IOS version, and IP — useful internally but a reconnaissance gift to an attacker, so disable it on edge/untrusted ports.
4. Shut Down Unused Interfaces
```
Switch(config)# interface range Gig0/13 - 24
Switch(config-if-range)# switchport mode access
! stop DTP trunk negotiation
Switch(config-if-range)# switchport access vlan 999
! park in an unused VLAN
Switch(config-if-range)# shutdown
```
An idle, enabled port in the default VLAN is an open door. Disabling it and assigning an unused VLAN denies a plugged-in rogue device any useful access.
5. Legal Banner
```
Router(config)# banner motd #
WARNING: Authorized access only. All activity is monitored
and logged. Unauthorized access is prohibited and may be
prosecuted.
#
```
Why it matters: in many jurisdictions a warning banner is legally required before unauthorized access can be prosecuted — without it, an intruder may claim they did not know access was restricted. Never put "Welcome" on a banner; it can be argued as an invitation.
6. Logging
```
Router(config)# logging host 10.0.0.200
Router(config)# logging trap informational
! send severity 0-6 (emergencies through informational)
Router(config)# service timestamps log datetime msec localtime
```
Timestamped logs sent to a central syslog server give you the forensic trail you need when something goes wrong.
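Once those logs reach a collector, the failed-login spike the maintenance checklist tells you to watch for can be detected with the same sliding-window rule that `login block-for 120 attempts 3 within 60` enforces on the device. The following is an added Python example, not code from the page or from Cisco; the log lines are constructed in IOS syslog format, and the function names and the default year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format IOS emits with "service timestamps log
# datetime msec" (the leading '*' means the clock was not NTP-synchronized).
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
*Mar  1 10:00:01.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 10:00:15.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 10:00:20.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22]
*Mar  1 10:00:40.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 10:05:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
*Mar  1 10:07:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
"""

FAILED_RE = re.compile(
    r"^[*.]?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): %SEC_LOGIN-4-LOGIN_FAILED: "
    r".*?\[Source: (?P<src>[\d.]+)\]"
)

def parse_failures(text, year=2021):
    """Yield (timestamp, source IP) for every LOGIN_FAILED line; IOS omits the year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            yield ts, m["src"]

def find_spikes(text, attempts=3, within=60):
    """Sliding-window check mirroring 'login block-for ... attempts 3 within 60':
    return (source, time) whenever a source reaches `attempts` failures inside
    `within` seconds, then reset that source's window."""
    recent = defaultdict(deque)
    alerts = []
    for ts, src in sorted(parse_failures(text)):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > within:
            q.popleft()
        if len(q) >= attempts:
            alerts.append((src, ts))
            q.clear()
    return alerts

if __name__ == "__main__":
    for src, ts in find_spikes(SAMPLE_LOG):
        print(f"ALERT {ts:%H:%M:%S} repeated login failures from {src}")
```

On the sample, only 192.0.2.10 trips the rule (three failures in 39 seconds); the two failures from 198.51.100.7 are two minutes apart and stay below the threshold.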
Switch-Specific Hardening
| Action | Command | Purpose |
|---|---|---|
| Disable DTP | switchport nonegotiate | Stop trunk-negotiation/VLAN-hop attacks |
| Change native VLAN | switchport trunk native vlan 999 | Prevent double-tag VLAN hopping |
| Enable DHCP snooping | ip dhcp snooping | Block rogue DHCP servers |
| Enable DAI | ip arp inspection vlan <id> | Stop ARP spoofing |
| Enable port security | switchport port-security | Limit MACs per port |
| Enable BPDU Guard | spanning-tree bpduguard enable | Err-disable rogue switches on access ports |
| Storm control | storm-control broadcast level 20 | Cap broadcast/multicast floods |
The two VLAN-hopping defenses are exam favorites: never leave VLAN 1 as the data or native VLAN, and disable DTP so an attacker cannot negotiate a trunk and reach other VLANs via double-tagging.
Ongoing Maintenance
- Patch firmware to close known vulnerabilities.
- Review ACLs and remove obsolete rules.
- Monitor logs for anomalies and failed-login spikes.
- Test backups so configs are restorable.
- Audit accounts — delete inactive users, rotate credentials.
Banner Types You Should Know
IOS offers several banner types and the exam expects you to know which appears when. The MOTD (message of the day) banner shows before login on every connection. The login banner appears after the MOTD but before the username/password prompt. The exec banner appears only after a successful login, when the EXEC session starts. For legal deterrence, the warning belongs on the MOTD or login banner so it is seen before authentication.
```
Router(config)# banner login #Authorized users only.#
Router(config)# banner exec #You are now in privileged mode. Log all changes.#
```
NTP, SNMP, and Time Hygiene
Reliable security forensics depend on accurate, synchronized clocks. Configure NTP (Network Time Protocol) so every device timestamps logs against the same reference; correlating an attack across devices is impossible if their clocks disagree. For monitoring, prefer SNMPv3, which adds authentication and encryption, over the older SNMPv1/v2c, whose community strings travel in clear text:
```
Router(config)# ntp server 10.0.0.1
Router(config)# snmp-server group SECURE v3 priv
! priv = authPriv: authentication plus encryption
```
A Defense-in-Depth Hardening Summary
Think of hardening as closing doors at every layer: the management plane (SSH/HTTPS, ACL-restricted VTY, login throttling), the control plane (disable unneeded routing services and CDP at the edge), and the data plane (port security, DHCP snooping, DAI, BPDU Guard, storm control). A switch that passes all three planes leaves an attacker very little to work with, and that layered thinking is exactly how exam scenarios expect you to reason about "which change improves security."
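A defender-side check for that checklist, as an added Python example (not code from the page or from any vendor tool): it parses a constructed running-config fragment and reports the management-plane and trunk gaps described above. The sample config, the finding strings and the function names are assumptions for illustration.

```python
# Constructed sample running-config (not from any real device) with several known gaps.
SAMPLE_CONFIG = """\
ip http server
banner motd #Welcome to SW1#
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 1
interface GigabitEthernet0/13
 switchport mode dynamic desirable
line vty 0 15
 transport input telnet ssh
"""

def parse_sections(text):
    """Split an IOS config into global lines and {section header: [indented children]}."""
    global_lines, sections, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.startswith(("interface ", "line ")):
            current = raw.strip()
            sections[current] = []
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, sections

def audit(text):
    """Return one finding string per hardening gap found in the config."""
    g, sections = parse_sections(text)
    findings = []
    if "ip http server" in g:
        findings.append("global: clear-text HTTP server on (use 'no ip http server')")
    if not any(l.startswith("login block-for") for l in g):
        findings.append("global: no login throttling ('login block-for' missing)")
    if any(l.startswith("banner motd") and "welcome" in l.lower() for l in g):
        findings.append("global: MOTD banner reads as an invitation")
    for name, lines in sections.items():
        mode = next((l for l in lines if l.startswith("switchport mode")), "")
        if name.startswith("line vty") and any(
                l.startswith("transport input") and "telnet" in l.split() for l in lines):
            findings.append(f"{name}: Telnet allowed (use 'transport input ssh')")
        if "dynamic" in mode:
            findings.append(f"{name}: DTP negotiation enabled (set access, or trunk + nonegotiate)")
        if "trunk" in mode:
            native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")), "1")
            if native == "1":
                findings.append(f"{name}: native VLAN is 1 (move it to an unused VLAN)")
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: 'switchport nonegotiate' missing on trunk")
    return findings
```

Running `audit(SAMPLE_CONFIG)` yields seven findings; feeding it the hardened equivalent (HTTPS only, login block-for, a warning banner, native VLAN 999 with nonegotiate, SSH-only VTY) yields none.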
On the Exam: When asked to improve a device's security, the right answers cluster around: shut unused ports, SSH instead of Telnet, disable HTTP for HTTPS, enable port security/DHCP snooping/DAI, turn off DTP, and move off VLAN 1. Recognize Telnet and HTTP as clear-text liabilities.
- A switch has many unused, active access ports sitting in the default VLAN. Which action BEST hardens these ports?
- Which command disables the unencrypted web-management server on a Cisco device?
- To defend against VLAN-hopping attacks on a trunk link, which two hardening steps apply?
- Why does a security policy require a warning banner (MOTD) before login rather than a friendly 'Welcome' message?