Episode 61: Secure Routing and Switching
Welcome to The Bare Metal Cyber CISSP Prepcast. This series helps you prepare for the ISC squared CISSP exam with focused explanations and practical context.
In this episode, we’ll focus on Secure Routing and Switching. These are foundational technologies in every modern network, and understanding how to secure them is essential to maintaining network integrity, data confidentiality, and availability. While these may sound like basic infrastructure topics, poorly secured routing and switching devices are often the target of sophisticated attackers, who look for weaknesses to exploit in order to reroute traffic, spy on data, or bring down services.
Let’s begin by discussing why secure routing and switching are so critical. Routers and switches control how and where your data flows across networks. Routers direct traffic between networks by determining the best path for data packets to travel. Switches operate within networks, enabling communication between local devices like servers, workstations, and printers.
If an attacker can compromise a router, they may be able to change the destination of sensitive data—redirecting it through systems they control, in a form of attack known as route hijacking. If they target switches, they could gain unauthorized access to internal traffic, steal credentials, or cause network outages.
When routing and switching are secured properly, they ensure data goes where it’s supposed to go, remains protected along the way, and cannot be accessed or manipulated by unauthorized parties. This is essential for operational stability, regulatory compliance, and maintaining the trust of your users, customers, and partners.
Let’s now take a closer look at secure routing. At its core, secure routing ensures that the decisions made by routing devices about where to send data are valid, reliable, and trustworthy. The goal is to prevent attackers from manipulating routing tables or injecting malicious information into the routing process.
One common attack against routing is route hijacking. This is when an attacker sends out false routing updates, tricking routers into sending traffic through an unintended or malicious path. Another risk is routing spoofing, where a malicious actor pretends to be a trusted router and advertises fake routes.
To mitigate these threats, organizations should use routing protocols that support authentication. For example, the Open Shortest Path First protocol, also known as O S P F, can be configured to require password authentication for route updates. Border Gateway Protocol, or B G P, which is used for routing between large networks such as internet service providers, also supports route validation techniques such as Resource Public Key Infrastructure, or R P K I.
It is also important to monitor routing tables for unexpected changes. Sudden additions or removals of routes, especially those leading to sensitive systems, should be investigated immediately. Logging and alerting systems can notify administrators of anomalies in real time.
Now let’s turn to secure switching. Switches are responsible for directing traffic between devices within a local area network. If left unsecured, switches can be exploited through techniques such as media access control address spoofing, address resolution protocol poisoning, or virtual L A N hopping.
One major concern is media access control spoofing. In this attack, an adversary sends packets with the media access control address of another device in order to intercept or impersonate traffic. To defend against this, port security can be enabled on switches. Port security restricts which devices can connect to a specific switch port based on their media access control address.
Another concern is virtual L A N hopping, where an attacker attempts to break out of their assigned V L A N and gain access to other segments of the network. Preventing this requires disabling auto trunking, enforcing tagging rules, and ensuring V L A N boundaries are enforced at both the switch and firewall levels.
Address resolution protocol spoofing is yet another technique, where an attacker responds to address resolution protocol requests with false information, redirecting traffic to themselves. To defend against this, dynamic address resolution protocol inspection can be used to validate responses and block malicious ones.
In short, secure switching practices involve creating strict controls around how devices communicate, who is allowed on the network, and how local data flows are handled.
For more cyber-related content and books, please visit cyberauthor dot me. You’ll find best-selling books, training tools, and resources tailored specifically for cybersecurity professionals. You can also visit baremetalcyber.com for more podcast episodes and support in your CISSP preparation.
Let’s move on to how to implement effective secure routing and switching in a real-world environment.
Start by documenting everything. Your routing and switching architecture should be clearly defined in network diagrams, configuration files, and policies. Make sure you know which devices are responsible for which segments, which protocols are being used, and what rules govern routing and switching behavior.
All routing and switching devices should be kept up to date with the latest firmware and software patches. Outdated firmware is a major vulnerability and has been exploited in numerous attacks, especially on edge devices like routers.
For remote management, use secure protocols. Secure Shell, or S S H, should replace protocols like Telnet, which send information in plain text. For network monitoring, use version three of the Simple Network Management Protocol, or S N M P V three, which adds encryption and authentication.
All administrative access to routers and switches must be tightly controlled. Multi-factor authentication should be enforced, and access should be restricted to authorized personnel only. Use role-based access controls to ensure that users can only perform actions appropriate to their responsibilities.
Conduct regular vulnerability assessments and penetration tests. Test whether rogue routing announcements can be injected. Try to spoof address resolution protocol messages or bypass V L A N boundaries. The goal is not just to find problems, but to validate that your defenses are working as intended.
Switch and router logs should be actively monitored. Logs can reveal attempts to reconfigure devices, unexpected connections, or patterns that may indicate reconnaissance activity.
Now let’s turn our attention to continuous improvement in routing and switching security.
Your first step is to regularly review your architecture in light of evolving threats and technologies. As your organization grows, your network architecture must evolve to accommodate new systems, users, and threat vectors. That includes adding segmentation, enhancing monitoring, and upgrading equipment.
Analyze any incidents that occur. If a misconfiguration led to a data leak or an outage, perform a root cause analysis and make the necessary changes to your configurations and policies.
Audit your routers and switches. Are default passwords still in place? Are unused ports still open? Are unused interfaces still enabled? Removing these weak points reduces your attack surface.
Collaborate with your security, operations, and compliance teams. Routing and switching security touches every part of the organization, from the people responsible for uptime to those ensuring legal and regulatory obligations are met.
Provide ongoing training to network engineers, administrators, and security analysts. Topics should include secure configuration techniques, protocol hardening, and monitoring best practices. Encourage your team to stay current with industry guidance and vendor security advisories.
Finally, consider how new technologies such as software-defined networking and zero-trust architectures might affect your routing and switching practices. These paradigms offer opportunities for better control and automation, but they also require changes in how security is applied. Stay adaptive and forward-looking in your approach.
Thank you for tuning into the CISSP Prepcast by Bare Metal Cyber. Visit baremetalcyber.com for additional episodes, comprehensive CISSP study resources, and personalized certification support. Strengthen your understanding of Secure Routing and Switching, and we'll consistently support your journey toward CISSP certification success.
