Security Hardening Principles
Before performing security hardening on switches, familiarize yourself with the following information so that you fully understand the security hardening policies described in this document.
Security hardening is a continuous process; security can never be achieved once and for all. Any attempt to achieve permanent security using a single policy or through a one-off security hardening configuration will fail.
Before carrying out security hardening, perform the following operations:
- Fully understand service requirements: Security is always service-oriented. An appropriate security hardening policy can be developed only after the security protection requirements of the service system are clearly understood.
- Evaluate risks comprehensively: Analyze the security threats to the service system, identify its weak points, weigh the value of the service system against the cost of security hardening, and evaluate the security risks as a whole. Provide defense measures against unacceptable security risks. Treat acceptable risks as residual risks, and review them periodically throughout the service system lifecycle to determine whether their risk levels need to be reevaluated.
- Design a security hardening solution: Based on the comprehensive risk evaluation, design a solution that meets the service requirements. Security is ensured by design, not by configuration alone. Every security hardening engineer should fully understand this principle.
- Implement security hardening policies: Before implementation, evaluate the impact of each policy on services to prevent service loss.
After security hardening is complete, continuous monitoring and maintenance of the service system are required. This helps locate faults promptly, adjust security hardening policies, and confirm that the policies have taken effect as expected. In short, security hardening is a process that requires continuous improvement.