Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.
Training Camp • Cybersecurity Glossary
Systematically reducing a network's attack surface by securing device configs, segmenting traffic, disabling unused services, and patching.
Network Hardening Definition: Systematically reducing a network's attack surface by securing device configs, segmenting traffic, disabling unused services, and patching.
Network hardening is the systematic process of reducing a network's attack surface by securing the configuration of its devices and architecture. It covers tightening router, switch, and firewall settings, disabling unused services and ports, enforcing strong authentication, segmenting traffic, encrypting management, and applying patches so attackers have fewer footholds to exploit.
In practice, hardening follows recognized baselines such as CIS Benchmarks, DISA STIGs, and guidance in NIST SP 800-53. Typical measures include replacing default credentials and SNMP community strings, disabling Telnet and HTTP in favor of SSH and HTTPS, shutting unused switchports and placing them in an unused VLAN, applying ACLs and management-plane protection, enabling port security and DHCP snooping against Layer 2 attacks, segmenting with VLANs and firewalls, deploying IDS/IPS, centralizing logging, and keeping device firmware current.
This matters because networks ship with insecure defaults and broad connectivity that adversaries probe immediately. An unpatched edge device, an open management interface, or a flat network with no segmentation lets a single compromise spread laterally to critical assets. Hardening enforces least functionality and least privilege at the infrastructure layer, shrinking what an attacker can reach and slowing lateral movement, which is essential for limiting ransomware blast radius and meeting compliance mandates.
For example, after a security review a team finds its core switches still accept Telnet, run default SNMP strings, and place all hosts in one broadcast domain. They migrate management to SSH with key-based access, replace SNMP strings and restrict access by ACL, segment users, servers, and IoT devices into separate VLANs with inter-VLAN firewall rules, disable unused ports, and enroll the devices in automated patching, measurably cutting the exploitable attack surface.
Turn knowledge into credentials with our instructor-led cybersecurity boot camps.
View All Courses →