Hook / Why this matters
CISSP Lens: Pick answers that align business risk, governance intent, and practical control execution.
Routing, switching, DNS, DHCP, and other core services are the circulatory system of your network. If attackers can tamper with them, they can redirect, intercept, or disrupt almost any communication. Yet these components are often treated as performance or reliability concerns rather than security priorities.
Core concept explained simply
Secure routing and switching ensure that traffic flows where it should and nowhere else. Secure network services such as DNS, DHCP, and NTP ensure that devices can find each other and keep time accurately without exposing unnecessary risk.
Routing basics and risks
Routing determines how packets move between networks.
- Static routing uses fixed routes configured by administrators.
- Dynamic routing uses protocols such as OSPF, EIGRP, or BGP to exchange route information between routers.
Risks include:
- Misconfigurations that create black holes or unintended paths.
- Route hijacking, where false routes are advertised to redirect traffic.
Inside an enterprise, misconfiguration is the main risk. On the public internet, BGP hijacking can affect traffic between networks globally.
Securing routing protocols
Many routing protocols support authentication and integrity checks.
- OSPF authentication can prevent unauthorized routers from injecting routes.
- BGP security features and best practices, while complex on the global internet, can still be applied in controlled environments.
Enabling authentication for internal dynamic routing reduces the risk of rogue devices participating in routing decisions.
Switching features relevant to security
Switches operate at Layer 2 but offer features that impact security:
- VLANs separate broadcast domains and support segmentation.
- Trunk ports carry multiple VLANs between switches and must be configured carefully.
- Port security limits which MAC addresses can connect on a port.
- Spanning Tree Protocol (STP) prevents loops but can be abused if not secured.
Misconfigured trunks can expose sensitive VLANs on ports where they are not needed. Unrestricted access ports make it easier for attackers to connect rogue devices.
DNS and DHCP as critical services
DNS and DHCP underpin basic connectivity:
- DNS (Domain Name System) translates names to IP addresses.
- DHCP (Dynamic Host Configuration Protocol) assigns IP addresses and related settings to devices.
Attacks on these services can:
- Redirect users to malicious sites through DNS poisoning or spoofing.
- Provide rogue DHCP leases that point devices at attacker-controlled gateways or DNS servers.
Hardening DNS, DHCP, and NTP
Good practices for core services include:
- DNS: limit recursion to trusted clients, restrict zone transfers, secure administrative access, and log queries and responses.
- DNSSEC: adds cryptographic integrity to DNS responses for supported domains.
- DHCP: implement DHCP snooping on switches to prevent rogue servers, and restrict which ports can send DHCP offers.
- NTP (Network Time Protocol): use trusted, authenticated time sources and ensure redundancy, since accurate time is critical for logs and cryptography.
Secure, redundant services reduce both security and availability risks.
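As an added example (not part of this study guide), the following Python audit replays DHCP OFFER records in the way a DHCP-snooping switch or a packet capture would log them and flags the rogue-server pattern described above: an offer from an unauthorized server, on an untrusted access port, or handing clients an unapproved gateway or resolver. The record format, port names, and every address are assumed, constructed sample values.

```python
# Added example, not from the original study guide: audit DHCP OFFER records and
# flag offers from an unauthorized server, on an untrusted port, or handing out an
# unapproved gateway/resolver. All addresses and port names are constructed samples.
from __future__ import annotations

# Assumed policy for one user VLAN (hypothetical values).
TRUSTED_PORTS = {"Gi1/0/48"}             # uplink toward the real DHCP server
AUTHORIZED_DHCP_SERVERS = {"10.20.0.2"}
APPROVED_GATEWAYS = {"10.20.0.1"}
APPROVED_DNS = {"10.20.0.10", "10.20.0.11"}

# Constructed sample log: two legitimate offers, then a rogue server on an
# access port that points clients at itself for both gateway and DNS.
SAMPLE_LOG = """\
port=Gi1/0/48 server=10.20.0.2 yiaddr=10.20.1.50 router=10.20.0.1 dns=10.20.0.10
port=Gi1/0/48 server=10.20.0.2 yiaddr=10.20.1.51 router=10.20.0.1 dns=10.20.0.11
port=Gi1/0/7 server=10.20.1.200 yiaddr=10.20.1.52 router=10.20.1.200 dns=10.20.1.200
"""

def parse_offer(line: str) -> dict[str, str]:
    """Parse one space-separated key=value record (port, server, yiaddr,
    router = option 3 gateway, dns = option 6 resolver) into a dict."""
    return dict(item.split("=", 1) for item in line.split())

def audit_offer(o: dict[str, str]) -> list[str]:
    """Return every policy violation for one offer (empty list = clean)."""
    findings = []
    if o["port"] not in TRUSTED_PORTS:
        findings.append(f"offer seen on untrusted port {o['port']}")
    if o["server"] not in AUTHORIZED_DHCP_SERVERS:
        findings.append(f"unauthorized DHCP server {o['server']}")
    if o["router"] not in APPROVED_GATEWAYS:
        findings.append(f"unapproved gateway {o['router']}")
    if o["dns"] not in APPROVED_DNS:
        findings.append(f"unapproved DNS server {o['dns']}")
    return findings

def audit_log(lines) -> dict[str, list[str]]:
    """Audit all records; map 'server@port' to findings for offending offers."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        if not line.strip():
            continue
        o = parse_offer(line)
        found = audit_offer(o)
        if found:
            flagged.setdefault(f"{o['server']}@{o['port']}", []).extend(found)
    return flagged
```

Running `audit_log(SAMPLE_LOG.splitlines())` leaves the two legitimate offers unflagged and reports four findings for the rogue server on Gi1/0/7, which is exactly the condition DHCP snooping with trusted uplink ports is meant to block at the switch.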
CISSP lens
For Domain 4, you should be able to:
- Recognize routing and switching as part of the security surface. They are not just performance or availability concerns.
- Understand DNS and DHCP poisoning risks. Compromising these services can have widespread impact.
- Identify protocol security features. Many core protocols include optional authentication and integrity controls that should be enabled.
- Value redundancy and monitoring. Failures in core services can become security incidents if they force unplanned workarounds.
Exam questions may describe symptoms such as misdirected traffic, unexpected IP assignments, or intermittent failures. Think about whether routing, switching, or core services are being abused or misconfigured.
Real-world scenario
A regional ISP misconfigured BGP announcements, accidentally advertising routes for a large enterprise's IP ranges as its own. Upstream providers accepted these announcements.
As a result:
- A significant portion of the enterprise's incoming traffic was routed to the wrong place.
- Users experienced outages and intermittent connectivity.
- Some traffic was effectively blackholed, while other flows took suboptimal paths.
This was not a targeted attack but a reminder that routing errors, whether malicious or accidental, can have large effects.
Within the enterprise's internal network, a separate issue arose. A misconfigured switch allowed a rogue DHCP server to run on a user VLAN, handing out addresses that pointed clients to an attacker-controlled DNS server. This allowed targeted phishing and credential harvesting.
The organization responded by:
- Reviewing BGP arrangements with carriers and ensuring appropriate filters and route validation were in place where feasible.
- Implementing DHCP snooping and port security on access switches.
- Hardening internal DNS servers, restricting who could perform zone transfers and limiting recursion.
- Ensuring critical services like DNS and NTP ran on redundant, monitored servers.
These changes did not eliminate all routing risks, especially on the public internet, but they greatly improved internal resilience and control.
Common mistakes and misconceptions
Frequent issues include:
- Leaving dynamic routing protocols unauthenticated. This allows any device on the network to participate in routing if misconnected.
- Ignoring DNS hygiene. Open resolvers, lack of logging, and poor access control make DNS a soft target.
- Allowing rogue DHCP servers. Without DHCP snooping or equivalent controls, anyone can plug in a device and assign addresses.
- Misconfiguring VLAN trunks. Trunks that carry too many VLANs can expose sensitive networks unnecessarily.
- Running critical services without redundancy. Single points of failure in DNS or NTP can cause wide outages and ad hoc workarounds that bypass controls.
A CISSP should encourage using built-in security features and designing for both resilience and security.
Actionable checklist
To harden routing, switching, and core services:
- Confirm that internal dynamic routing protocols use authentication where supported, and review which routers are allowed to participate.
- Harden internal DNS servers by limiting recursion to internal clients, restricting zone transfers to authorized secondary servers, and enabling detailed logging.
- Enable DHCP snooping and port security on access switches to prevent rogue DHCP servers and unauthorized devices.
- Review VLAN trunk configurations and prune unused VLANs from trunks to reduce unnecessary exposure.
- Ensure that DNS, DHCP, and NTP services are redundant, monitored, and subject to change management.
- Document core network service architectures and test recovery procedures for failures or compromises.
Key takeaways
- Routing, switching, DNS, DHCP, and NTP are critical security components as well as availability components.
- Many core protocols include optional security features that are often left disabled.
- DNS and DHCP are frequent targets because they influence how devices find each other and where they send traffic.
- Redundancy and monitoring for core services support both resilience and security.
- Good configuration hygiene at the network core significantly reduces the attack surface.
Optional exam-style reflection question
Why is it important to enable authentication on internal dynamic routing protocols like OSPF, and what risk does this reduce?
Answer: Authentication prevents unauthorized devices from participating in the routing protocol. Without it, an attacker on the internal network could inject false routes, redirecting traffic through their device or blackholing it. Authenticating routing updates reduces the risk of route manipulation and traffic interception.