LogoفارسیFA

Part of the series

Introduction to Computer Networking, Architectures, and Topologies

~2 min read • Updated Aug 4, 2025

1. Secure SNMP Protocol


  • Use only SNMPv3 (older versions are vulnerable to interception)
  • Enable authentication and encryption using TSM or USM models

2. Protect IPv6 Advertisements with RA Guard


  • Use RA Guard to filter spoofed Router Advertisement messages
  • Allow only valid RA messages to reach the network

3. Port Security


  • Restrict access based on approved MAC addresses
  • Disable unused switch ports to block rogue devices

4. Detect and Block Spoofed ARP with DAI


  • Enable DHCP Snooping and Dynamic ARP Inspection (DAI)
  • Validate IP-to-MAC bindings and drop fraudulent ARP frames

5. Private VLANs


  • Use "Community" and "Isolated" VLANs to logically separate devices
  • Limit traffic visibility among hosts within the same subnet

6. Disable Unused Ports and Services


  • Turn off unnecessary ports and protocols (e.g., Telnet, SNMPv1/v2)
  • Reduce surface area for attacks and misconfigurations

7. Password and Default Account Management


  • Rename or disable default accounts
  • Enforce strong password policies (minimum 8 characters with complexity)

8. Perform Security Audits


  • Conduct walk-throughs, inspect physical spaces, and train users
  • Identify deviations from policy and correct vulnerabilities

9. Enable DHCP Snooping


  • Prevent rogue DHCP servers by establishing trusted ports
  • Build binding tables to validate legitimate DHCP traffic

10. Change Default VLAN


  • Assign switch ports to non-default VLANs (e.g., VLAN10)
  • Avoid misuse of default VLAN1 for production systems

11. Patch Firmware and Drivers Regularly


  • Install updates on a regular schedule
  • Test updates in a staging environment before deployment

12. Apply ACLs and Role-Based Access Control (RBAC)


  • Use Access Control Lists to permit/deny traffic based on IP
  • Define roles and assign limited privileges to job-specific groups

13. Harden Firewall Rules


  • Apply implicit deny: only allow explicitly authorized traffic
  • Ensure firewall rules are precise and validated

14. Wireless Network Security


  • Use MAC filtering for small networks
  • Isolate guest and client devices from the main network
  • Lower AP transmit power and use directional antennas
  • Deploy strong PSK or EAP-TLS with digital certificates and RADIUS server

15. IoT Security Best Practices


  • Place IoT devices in separate VLANs
  • Enable IDS/IPS for monitoring and blocking IoT-based botnets or exploits

📋 Hardening Quick Reference Table


TechniqueMain ObjectiveSuggested Actions
SNMPv3Secure management trafficEnable TSM/USM encryption & auth
RA GuardBlock spoofed IPv6 adsFilter invalid RA messages
Port SecurityRestrict switch port accessMAC locking, disable unused ports
ARP InspectionPrevent ARP spoofingEnable DHCP Snooping + DAI
Private VLANsLogical device isolationConfigure Community/Isolated VLANs
DHCP SnoopingBlock rogue DHCP serversTrusted ports + binding table
ACL / RBACTraffic and access controlIP ACLs and role-based privileges
Wireless SecurityProtect wireless connectivityStrong PSK, EAP, isolation, MAC filters
IoT SecuritySegmentation and monitoringDedicated VLAN, enable IDS/IPS

Written & researched by Dr. Shahin Siami

Next SubArticle