Network device hardening is the process of securing a device by reducing its attack surface, disabling unnecessary services, and implementing strong access controls. For the N10-009 exam, you must know specific hardening techniques for routers, switches, firewalls, and other infrastructure devices. This chapter covers essential hardening measures, common pitfalls, and exactly what the exam will test.
Jump to a section
Imagine you are a medieval lord responsible for a castle that guards a vital trade route. Your castle has multiple entry points: a main gate, postern doors, windows, and even a well that could be used for infiltration. To protect against invaders, you don't just rely on the castle walls—you actively harden every point of entry. You install portcullises, reinforce doors, post guards, limit who can enter, change locks regularly, and remove unused passages. You also train your guards to recognize suspicious behavior and have a plan for when attackers breach the outer wall. In the same way, network device hardening involves systematically securing every access point (ports, services, user accounts) on routers, switches, firewalls, and other devices. Just as a castle's security is only as strong as its weakest door, a network device is only as secure as its least hardened component. The CompTIA Network+ N10-009 exam expects you to know the specific hardening techniques—like disabling unused ports, using strong passwords, enabling SSH instead of Telnet, and implementing ACLs—that turn a vulnerable device into a fortified stronghold.
What Is Network Device Hardening?
Network device hardening refers to the set of security practices that reduce the vulnerability of network devices such as routers, switches, firewalls, and wireless access points. The goal is to eliminate unnecessary services, close unused ports, enforce strong authentication, and apply security patches. Hardening is a foundational step in defense-in-depth, ensuring that even if an attacker gains network access, individual devices remain difficult to compromise. CompTIA Network+ N10-009 objective 4.2 specifically covers "Given a scenario, apply network security features, defense, and controls." Hardening is a key subset of that objective.
Key Hardening Techniques
Disable Unused Ports and Services – Every open port or running service is a potential entry point. On switches, disable unused switchports and place them in a separate VLAN (often called a "black hole" VLAN). On routers and firewalls, turn off services like HTTP, SNMP (if not needed), and discovery protocols (CDP, LLDP). The exam often tests that disabling unused services reduces the attack surface.
Change Default Credentials – Many devices ship with default usernames and passwords (e.g., admin/admin). Always change these immediately. Use strong, complex passwords or, better yet, implement multi-factor authentication (MFA) where possible. The exam may present a scenario where a device is compromised because default credentials were left unchanged.
Enable Secure Management Protocols – Instead of Telnet (which sends data in plaintext), use SSH for remote CLI access. For web-based management, use HTTPS. For SNMP, use version 3 which provides encryption and authentication. The N10-009 exam expects you to know that SSH and SNMPv3 are secure alternatives.
Implement Access Control Lists (ACLs) – ACLs filter traffic based on source/destination IP, port, or protocol. They can be used to restrict management access to specific administrative IPs, limit SNMP queries, or block unwanted traffic. The exam may ask you to interpret an ACL or identify where one should be applied.
Keep Firmware/Software Updated – Vendors release patches to fix security vulnerabilities. Regularly update device firmware and apply security patches. The exam might present a scenario where an outdated firmware leads to a known exploit.
Use Port Security – On switches, port security limits the number of MAC addresses allowed on a port, preventing MAC flooding and unauthorized device connections. You can configure sticky MAC addresses or limit by number. The exam tests that port security helps prevent CAM table overflow attacks.
Disable Unused Network Services – Services like DHCP, DNS, or routing protocols should only run on devices that need them. For example, disable DHCP on switches that are not acting as DHCP servers. The exam may ask which services to disable on a given device.
Logging and Monitoring – Enable logging to capture security events (e.g., failed login attempts, configuration changes). Send logs to a centralized syslog server. The exam emphasizes that logging is critical for incident response and auditing.
N10-009 Specific Details
For the exam, remember that hardening is often tested in scenario-based questions. You might be asked: "A network administrator wants to secure remote management of a router. Which protocol should be used?" Answer: SSH. Or: "Which feature prevents unauthorized devices from connecting to a switch port?" Answer: Port security. Also know that disabling CDP/LLDP on edge devices prevents information leakage about the network topology. Another common trap: thinking that a firewall alone is sufficient for device security—hardening all devices is necessary.
In enterprise environments, network device hardening is a standard practice governed by security policies and frameworks like CIS Benchmarks or NIST SP 800-53. For example, a company deploys hundreds of switches across multiple floors. The network team creates a baseline configuration that includes disabling unused ports, setting a banner warning against unauthorized access, enabling SSH, and configuring port security with sticky MAC addresses. They also use a tool like SolarWinds or Ansible to automate the deployment of these configurations. When a new switch is added, it automatically receives the hardened baseline. Incident response teams rely on logs from hardened devices to investigate breaches. In one real-world case, a healthcare organization avoided a ransomware attack because they had disabled Telnet and used SNMPv3, preventing attackers from intercepting management traffic. Hardening is not a one-time task; it requires continuous monitoring and updates as new vulnerabilities are discovered. For the Network+ exam, understand that hardening is a proactive measure that significantly reduces risk.
The N10-009 exam tests hardening in the context of network security features and controls. Expect multiple-choice questions that ask you to identify the correct hardening technique for a given scenario. Common traps include: confusing SSH with Telnet (SSH is secure), thinking that disabling all services is good (some services are necessary—know which ones), or assuming that a firewall eliminates the need for device hardening. Key terms to memorize: SSH, SNMPv3, port security, ACL, default credentials, disable unused ports, firmware updates, logging, CDP/LLDP disable. The exam may also test that hardening is part of "defense in depth" and that it applies to all network devices, not just firewalls. Another trap: selecting "enable Telnet" as a hardening step—Telnet is insecure. Also, remember that port security can be configured to allow only one MAC address per port (for security) or multiple (for a hub). Know the difference between sticky MAC and dynamic MAC learning.
Network device hardening reduces the attack surface by disabling unused ports, services, and protocols.
Always change default credentials and use secure management protocols like SSH and SNMPv3.
Implement port security on switches to control MAC address learning and prevent unauthorized devices.
Keep firmware updated and enable logging to detect and respond to security events.
Hardening is a continuous process and a key component of defense in depth.
Mistake
Hardening a network device means turning off all unnecessary services, so the device becomes less functional.
Correct
Hardening disables only services that are not needed for the device's role. For example, a router still needs routing protocols, but it doesn't need HTTP management if SSH is used. Functionality is preserved while security is improved.
Mistake
Once a device is hardened, it doesn't need any further updates or monitoring.
Correct
Hardening is an ongoing process. New vulnerabilities are discovered, and patches must be applied. Logging and monitoring are essential to detect attacks even on hardened devices.
Mistake
Only routers and firewalls need to be hardened; switches are less critical.
Correct
Switches are prime targets for attacks like VLAN hopping, MAC flooding, and DHCP snooping. They must be hardened by disabling unused ports, using port security, and implementing spanning tree protections.
The first step is to take an inventory of all services and ports running on the device, then disable any that are not required for its function. Also, change default credentials immediately.
Telnet transmits data, including login credentials, in plaintext. An attacker on the same network can capture this information using a packet sniffer. SSH encrypts the entire session, making it secure.
Port security restricts the number of MAC addresses allowed on a switch port. It can also be configured to learn MAC addresses dynamically (sticky) and shut down the port if an unauthorized device attempts to connect. This prevents MAC flooding and unauthorized access.
CDP and LLDP are discovery protocols that share device information. On internal networks, they can be useful for management. However, on edge devices facing untrusted networks, they should be disabled to prevent information leakage about the network topology.
You've just covered Network Device Hardening — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?