Network Hardening

Network hardening converts a flat, trusting network into a segmented, monitored, and access-controlled environment. The goal: reduce attack surface, detect intrusions early, contain blast radius when something inevitably slips through.

Core Principles

Principle	What it means
Implicit deny	Everything not explicitly allowed is blocked - default-deny, not default-permit
Least privilege	Devices and users get only the access they need
Network segmentation	Separate traffic by function; failures in one zone don’t propagate
Layered defence	No single control is complete; combine firewall + IDS + segmentation + monitoring
Baseline + anomaly detection	Know what normal traffic looks like to recognise abnormal

Layer 2 Switch Hardening

Enterprise switches can enforce security at the data-link layer - attacks like ARP poisoning and rogue DHCP servers are completely invisible to a firewall unless handled at the switch.

DHCP Snooping

Attack without it: An attacker on the same VLAN runs a rogue DHCP server that hands out leases pointing to their device as the default gateway → full MitM from day one.

Normal:                  Rogue DHCP attack:
Client → DHCP Request    Client → DHCP Request
          ↓                        ↓           ↓
     Legit DHCP Server       Legit DHCP   Rogue DHCP
     (assigns real GW)       (ignored)    (assigns attacker as GW → MitM)

DHCP Snooping classifies switch ports as trusted (uplink to real DHCP server) or untrusted (everything else):

DHCP responses from untrusted ports are dropped
Builds a binding table: IP ↔ MAC ↔ switch port ↔ VLAN

Binding Table (built by DHCP snooping):
  Port 1  │ 192.168.1.10  │ AA:BB:CC:DD:EE:01  │ VLAN 10
  Port 2  │ 192.168.1.11  │ AA:BB:CC:DD:EE:02  │ VLAN 10
  Port 24 │ (uplink)      │ (trusted - no filter)

This binding table is then used by DAI and IPSG below.

Dynamic ARP Inspection (DAI)

Attack without it: An attacker sends gratuitous ARP replies (unsolicited ARP announcements):

Attacker broadcasts:
  "192.168.1.1 is at AA:BB:CC:DD:EE:FF (attacker's MAC)"

Every host caches this. All traffic destined for the gateway
now goes to the attacker's machine instead. Classic ARP poison.

DAI uses the DHCP snooping binding table to validate ARP packets:

Checks that the IP-MAC mapping in each ARP packet matches the binding table
Drops ARP packets that don’t match (gratuitous ARP spoofing eliminated)
Enforces ARP rate-limiting per port to prevent ARP scanning

Without DAI:              With DAI:
ARP spoof → accepted      ARP spoof → checked against binding table
                                     ↓
                                  MISMATCH → dropped + logged

IP Source Guard (IPSG)

Attack without it: An attacker manually configures their NIC with a different IP address (IP spoofing) to impersonate another host or launch attacks from a spoofed source.

IPSG creates per-port ACLs dynamically from the DHCP snooping binding table:

Only permits traffic from the IP address assigned to that port
All other source IPs are dropped at the switch - before the packet hits the network

Chain of protection:
DHCP Snooping → builds binding table
DAI           → validates ARP using binding table
IPSG          → validates IP source using binding table

Together, these three controls make the following attacks impossible at Layer 2:

Rogue DHCP servers
ARP poisoning (MitM)
IP spoofing

802.1X Port Authentication on Switches

The same 802.1X standard used for Wi-Fi applies to wired switches. No authentication = no network access, even with a physical cable plugged in.

Unauthenticated state:    Port only passes EAPOL (authentication traffic)
Authenticated state:      Full network access based on authorised VLAN assignment

Used with a RADIUS server, 802.1X on switches can:

Assign different VLANs based on user identity (employee → VLAN 10, contractor → VLAN 20)
Quarantine non-compliant devices to a remediation VLAN
Log all authentication events centrally

Network Segmentation (VLANs)

Without segmentation: A single flat network means that a compromised printer or IoT device immediately has Layer 2 access to every server, workstation, and file share.

Flat network (bad):
Printers ──┐
Cameras ───┤── All on same L2 broadcast domain ── All see each other
Laptops ───┤
Servers ───┘

Segmented with VLANs (good):
VLAN 10: Servers
VLAN 20: Workstations
VLAN 30: Printers / IoT
VLAN 40: Guest Wi-Fi
VLAN 99: Management

Firewall/L3 switch enforces INTER-VLAN routing rules

Segmentation benefits:

Limits lateral movement after a compromise
Isolates broadcast storms to one VLAN
Simplifies monitoring (unusual inter-VLAN traffic = alert)
Reduces scope for compliance audits (PCI DSS, HIPAA)

Network Software Hardening

Firewalls

Type	Where	Protects against
Perimeter (stateful)	Edge router/appliance	External threats entering the network
Host-based	Each endpoint (iptables, nftables, Windows Firewall)	Threats from other internal hosts, east-west traffic
Web Application Firewall (WAF)	In front of web apps	L7 attacks: SQLi, XSS, path traversal
Next-gen (NGFW)	Perimeter + internal segments	Deep packet inspection, app awareness, IPS integration

# Basic iptables host firewall - drop everything, allow specific
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # SSH
iptables -A INPUT -p tcp --dport 443 -j ACCEPT   # HTTPS

# Save rules (Debian/Ubuntu)
iptables-save > /etc/iptables/rules.v4

Proxies

Type	Role
Forward proxy	Sits between internal clients and the internet - filters, logs, caches. Users are aware of it.
Transparent proxy	Same as above but clients are unaware - traffic intercepted at network level
Reverse proxy	Sits in front of servers - load balancing, TLS termination, WAF, rate limiting. External clients are unaware of backend topology.

Forward proxy:    Client → [Proxy] → Internet
Reverse proxy:    Internet → [Proxy] → Backend Servers

Popular implementations: HAProxy, Nginx, Squid (forward), Apache (reverse).

VPNs

Use case	Protocol	Notes
Remote access (client-to-site)	IPsec IKEv2, WireGuard, OpenVPN	Encrypts tunnel from device to corporate network
Site-to-site	IPsec, GRE over IPsec	Connects two offices permanently
Zero-trust alternative	WireGuard + identity-aware proxy	Better auditing; no broad network access

IPsec modes:

Transport mode:  Encrypts payload only. IP header visible.
                 Used between two hosts.

Tunnel mode:     Encrypts entire original packet, wraps in new IP header.
                 Used for site-to-site VPNs.

Flood Guards

Flood guards protect availability against DoS attacks - a feature on enterprise firewalls and routers.

How it works:

Monitor packet rates per source/protocol (SYN/UDP/ICMP)
Alert threshold: logs and alerts when rate exceeds X packets/second
Activation threshold: blocks that source automatically for a configurable duration

# fail2ban - open-source flood guard for individual services
[sshd]
enabled = true
maxretry = 3
findtime = 600
bantime = 3600

# View banned IPs
fail2ban-client status sshd

# Manually unban
fail2ban-client set sshd unbanip 192.168.1.100

SYN cookies (kernel-level SYN flood protection):

# Enable SYN cookies (Linux) - prevents SYN flood from exhausting connection table
sysctl -w net.ipv4.tcp_syncookies=1

# Make permanent
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/99-hardening.conf
sysctl -p /etc/sysctl.d/99-hardening.conf

Packet Capture & Traffic Analysis

Promiscuous Mode vs Monitor Mode

Mode	Layer	What you see
Normal	L2	Only packets addressed to your MAC
Promiscuous	L2	All packets on the same collision domain (useful on hubs; limited on switches)
Port mirroring (SPAN)	Switch	All traffic on specified ports/VLANs mirrored to your port
Monitor mode (wireless)	L1/L2	All 802.11 frames in range, on any SSID or channel

# Enable promiscuous mode
ip link set eth0 promisc on

# Configure port mirroring (Cisco IOS syntax - run on the switch)
monitor session 1 source interface Gi0/1
monitor session 1 destination interface Gi0/2

# Wireless monitor mode
sudo airmon-ng start wlan0           # creates wlan0mon interface

tcpdump - Practical Reference

# Capture all traffic on eth0
tcpdump -i eth0

# Write to file (for Wireshark analysis)
tcpdump -i eth0 -w /tmp/capture.pcap

# Read back + show ASCII payload
tcpdump -r /tmp/capture.pcap -A

# Filter: only HTTP traffic (port 80)
tcpdump -i eth0 port 80

# Filter: traffic to/from a specific host
tcpdump -i eth0 host 192.168.1.100

# Filter: SYN packets only (detect SYN scan/flood)
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0'

# DNS queries
tcpdump -i eth0 port 53

# Capture without name resolution (faster, raw IPs)
tcpdump -n -i eth0

# Show timestamps in absolute time
tcpdump -tttt -i eth0

Wireshark - Key Features

Deep protocol dissection: decodes 1000+ protocols; understands fields within fields
Display filters: http.request.method == "POST", ip.addr == 10.0.0.1, tcp.analysis.flags
Follow stream: reassemble and display full TCP/UDP/TLS conversation
Decrypt TLS: provide pre-master secret log file or session keys from browser
Export objects: extract files transferred over HTTP, SMB, etc.

# Capture with tcpdump → analyse with Wireshark
tcpdump -i eth0 -w capture.pcap
wireshark capture.pcap &

# Or capture directly in Wireshark on the CLI
tshark -i eth0 -f "port 443" -w tls_traffic.pcap
tshark -r tls_traffic.pcap -Y "tls.handshake.type == 1"   # filter ClientHellos

IDS / IPS

	IDS (Detection)	IPS (Prevention)
Position	Passive - receives copy of traffic (via SPAN port)	Inline - traffic flows through it
Action	Logs + alerts only	Logs + alerts + blocks/drops malicious traffic
Risk of false positive	Low (no blocking)	High - can disrupt legitimate traffic
Host-based (HIDS/HIPS)	Monitors OS logs, files, processes	Blocks at OS/application level
Network-based (NIDS/NIPS)	Monitors network segments	Sits inline between segments

Detection Methods

Method	How it works	Strength	Weakness
Signature-based	Compares traffic against library of known attack patterns	Fast, low false-positive	Can’t detect novel/zero-day attacks
Anomaly-based	Builds baseline → alerts on statistical deviations	Detects unknowns	High false-positive rate
Heuristic/behavioral	Analyses sequences of events, not individual packets	Catches advanced attacks	Requires tuning; can be slow

Snort - Open Source NIDS/NIPS

# Install Snort
apt install snort

# Run in IDS mode (NIDS - reads from interface, writes alerts to log)
snort -i eth0 -c /etc/snort/snort.conf -l /var/log/snort/

# Test a rule file
snort -T -c /etc/snort/snort.conf

# Example Snort rule: alert on SSH brute force (10 attempts in 60s)
# /etc/snort/rules/local.rules
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force"; \
  flags:S; threshold:type threshold, track by_src, count 10, seconds 60; \
  sid:9000001; rev:1;)

Unified Threat Management (UTM)

A UTM appliance consolidates multiple security functions into a single managed device.

UTM Components

Component	What it does
Firewall	Stateful packet inspection, zone-based rules
IDS/IPS	Signature + anomaly detection and/or inline blocking
Antivirus/Anti-malware	Scans file transfers; stream or proxy inspection
Web filter	Blocks categories of URLs; DNS filtering
Spam gateway	Filters inbound email before it reaches the mail server
DLP	Detects sensitive data leaving the network (PCI, PII, PHI)
VPN	Terminates IPsec/SSL VPN tunnels

Inspection Methods

Method	Speed	Thoroughness
Stream-based (flow-based)	Fast - inspects samples as data flows	⚠️ May miss threats split across packets
Proxy-based	Slow - reassembles full files before inspecting	✅ More thorough; catches evasion techniques

UTM Trade-offs

Pro	Con
Unified management console	Single point of failure
Lower cost than individual tools	May be overkill for small networks
Centralised logging and reporting	Vendor lock-in
Easier compliance reporting	Proxy inspection adds latency

Hardening Checklist

Control	Priority
Enable DHCP snooping on all access switches	🔴 High
Enable DAI on all access switches	🔴 High
Enable IPSG on access ports	🔴 High
Configure 802.1X port auth (or at minimum MAC auth)	🔴 High
VLAN segmentation (servers / users / IoT / guest / management)	🔴 High
Host-based firewalls on all endpoints (default deny inbound)	🔴 High
Enable SYN cookies on all Linux servers	🟡 Medium
Deploy NIDS (Snort/Suricata) on critical network segments	🟡 Medium
Centralise and normalise logs (SIEM)	🟡 Medium
Deploy flood guards / rate limiting at perimeter	🟡 Medium
Regular firewall rule audits (remove stale rules)	🟡 Medium
Port mirroring configured for NIDS	🟡 Medium