Securing Your Network: A Practical Guide to Hardening Your Infrastructure

In 2023, the average cost of a data breach reached $4.45 million — and in the majority of cases, attackers didn’t break in through exotic zero-day exploits. They walked through unlocked doors: default passwords, unpatched firmware, flat network architectures with no segmentation. Network hardening isn’t glamorous work, but it’s the difference between a breach that never happens and one that makes headlines. This guide gives you a practical, no-nonsense roadmap to securing your network and hardening your infrastructure against real-world threats.

What Is Network Hardening and Why Does It Matter?

Network hardening is the process of reducing your attack surface by eliminating unnecessary services, enforcing strict access controls, and configuring devices to resist exploitation. Think of your network as a building. Hardening means locking every door, removing unused entrances, installing cameras, and making sure only authorised people have keys.

For small businesses especially, hardening is critical because attackers increasingly target smaller organisations — precisely because they assume security controls are weak. You don’t need a six-figure security budget to harden your network effectively. You need discipline, a checklist, and the willingness to act on it.

Start With a Network Audit: Know What You’re Defending

You cannot secure what you don’t know exists. Before making a single configuration change, map your infrastructure completely.

Discover Every Device on Your Network

Use a tool like Nmap or Angry IP Scanner to enumerate every active device — workstations, servers, printers, IP cameras, smart devices, and access points. You’ll almost certainly find devices you forgot about or didn’t know were connected.

  • Run a full port scan: nmap -sV -p- 192.168.1.0/24
  • Document every device: IP address, MAC address, device type, owner, and purpose
  • Flag anything that doesn’t belong or can’t be identified immediately

Identify Open Ports and Running Services

Every open port is a potential entry point. If a service isn’t needed, it shouldn’t be running — and it definitely shouldn’t be exposed. During your audit, look specifically for:

  • Telnet (port 23) — unencrypted, should never be open
  • FTP (port 21) — replace with SFTP or FTPS
  • RDP (port 3389) — if exposed to the internet, you’re asking for trouble
  • SMBv1 (port 445) — the protocol version WannaCry exploited; disable SMBv1 immediately, even on hosts that still need SMB
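Two audit steps above, reconciling the scan against a device inventory and flagging the services that should not be exposed, can be done in one pass over the scan output. The script below is an added example, not code from the original guide: it parses nmap's grepable output (the `-oG` format that `nmap -sV -p- -oG scan.gnmap 192.168.1.0/24` would write), compares the live hosts against a documented inventory, and reports unknown devices, stale inventory records, and any of the four risky services from the checklist. The scan excerpt, the inventory and its record layout are constructed for the example.

```python
"""Reconcile an nmap grepable (-oG) scan against an asset inventory and flag
the services the audit checklist says should not be exposed.

Added example, not from the original guide; the inventory and scan excerpt
below are constructed, and the inventory record layout is an assumption.
"""
import re

# Ports called out in the audit checklist: port -> (service, what to do)
RISKY_PORTS = {
    21: ("FTP", "replace with SFTP or FTPS"),
    23: ("Telnet", "unencrypted; disable and use SSH"),
    445: ("SMB", "disable SMBv1; keep SMB inside the server VLAN"),
    3389: ("RDP", "never expose to the internet; reach it over a VPN"),
}

# Constructed inventory built during the audit (IP -> what was documented)
INVENTORY = {
    "192.168.1.1": {"type": "firewall", "owner": "IT", "mac": "00:11:22:33:44:01"},
    "192.168.1.10": {"type": "file server", "owner": "IT", "mac": "00:11:22:33:44:10"},
    "192.168.1.20": {"type": "printer", "owner": "Office", "mac": "00:11:22:33:44:20"},
}

# Constructed excerpt of: nmap -sV -p- -oG scan.gnmap 192.168.1.0/24
SCAN_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//nginx/\tIgnored State: closed (65533)
Host: 192.168.1.10 (files.lan)\tStatus: Up
Host: 192.168.1.10 (files.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 445/open/tcp//microsoft-ds//Samba smbd 4/\tIgnored State: closed (65533)
Host: 192.168.1.20 (printer.lan)\tStatus: Up
Host: 192.168.1.20 (printer.lan)\tPorts: 23/open/tcp//telnet///, 9100/open/tcp//jetdirect///\tIgnored State: closed (65533)
Host: 192.168.1.77 ()\tStatus: Up
Host: 192.168.1.77 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (65533)
# Nmap done (constructed sample)
"""

# "Host: <ip> (<hostname>)<TAB><rest>"; the rest is tab-separated fields
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                # Each entry is port/state/proto/owner/service/rpcinfo/version/
                parts = item.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                entry["ports"].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def audit(hosts, inventory):
    """Return (ip, finding, advice) tuples for unknown devices, risky services
    and inventory entries that did not answer the scan."""
    findings = []
    for ip, info in sorted(hosts.items()):
        if ip not in inventory:
            findings.append((ip, "UNKNOWN_DEVICE", "not in inventory; identify or remove"))
        for port, proto, _service, _version in info["ports"]:
            if proto == "tcp" and port in RISKY_PORTS:
                name, advice = RISKY_PORTS[port]
                findings.append((ip, f"RISKY_SERVICE:{name}/{port}", advice))
    for ip in sorted(set(inventory) - set(hosts)):
        findings.append((ip, "MISSING_DEVICE", "documented but not seen; stale record or offline"))
    return findings


if __name__ == "__main__":
    for ip, finding, advice in audit(parse_gnmap(SCAN_GNMAP), INVENTORY):
        print(f"{ip:16} {finding:28} {advice}")
```

On a real network, replace `SCAN_GNMAP` with the contents of the `.gnmap` file and `INVENTORY` with your device register; anything reported as `UNKNOWN_DEVICE` is the "flag anything that doesn't belong" item from the checklist, and `MISSING_DEVICE` catches inventory records that have gone stale.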

Network Hardening Starts at the Perimeter: Lock Down Your Firewall

Your firewall is your first line of defence, and most organisations configure it once and forget it. That’s a problem. Firewall rules accumulate over time — legacy rules for services that no longer exist, overly permissive allow-all outbound policies, and management interfaces exposed to the internet.

Firewall Configuration Best Practices

  • Default deny everything: All inbound and outbound traffic should be denied by default. Only explicitly approved traffic should be allowed.
  • Block management interfaces from the internet: Your firewall’s admin panel should never be accessible from a public IP address. Use a dedicated management VLAN or VPN.
  • Review rules quarterly: Set a calendar reminder. Remove any rule you can’t justify with a documented business reason.
  • Enable logging: If you’re not logging firewall events, you’re flying blind. Forward logs to a SIEM or at minimum a centralised syslog server.
  • Use geo-blocking where appropriate: If your business only operates in Australia, there’s no reason to accept inbound connections from Eastern Europe or Southeast Asia.
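The quarterly review above is easier to keep honest if the rule table is checked by a script rather than by eye. The following is an added example, not code from the original guide: it takes a firewall rule table exported into a simple list of records and reports the problems this section names, namely a missing default deny in either direction, management ports reachable from outside the internal ranges, allow rules that permit any port, allow rules with no documented business reason, rules not reviewed within 90 days, and deny rules that are not logged. The rule records, the management subnet, the admin ports and the internal ranges are constructed assumptions.

```python
"""Review a firewall rule table against the checks in this section.

Added example, not from the original guide. The rule records, management
subnet, admin ports and internal ranges are constructed assumptions; a real
review would export the firewall's rule table into this shape first.
"""
import ipaddress
from datetime import date

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
MGMT_NET = ipaddress.ip_network("192.168.99.0/24")   # assumed management VLAN
MGMT_PORTS = {22, 443, 8443}                          # assumed admin services on the firewall
REVIEW_DAYS = 90                                      # "review rules quarterly"

# Constructed rule table; order matters, exactly as it does on the firewall
RULES = [
    {"name": "public-web", "direction": "in", "action": "allow", "src": "0.0.0.0/0",
     "dst": "192.168.10.5/32", "dport": 443, "log": True,
     "justification": "TICKET-101 public website", "last_reviewed": date(2024, 2, 1)},
    {"name": "mgmt-from-internet", "direction": "in", "action": "allow", "src": "0.0.0.0/0",
     "dst": "192.168.99.1/32", "dport": 443, "log": False,
     "justification": "", "last_reviewed": date(2022, 6, 15)},
    {"name": "legacy-any-out", "direction": "out", "action": "allow", "src": "192.168.0.0/16",
     "dst": "0.0.0.0/0", "dport": None, "log": False,
     "justification": "TICKET-007 legacy", "last_reviewed": date(2024, 3, 1)},
    {"name": "web-browsing", "direction": "out", "action": "allow", "src": "192.168.0.0/16",
     "dst": "0.0.0.0/0", "dport": 443, "log": False,
     "justification": "TICKET-012 staff web access", "last_reviewed": date(2024, 3, 1)},
    {"name": "default-deny-in", "direction": "in", "action": "deny", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "dport": None, "log": True,
     "justification": "default deny", "last_reviewed": date(2024, 3, 1)},
    {"name": "default-deny-out", "direction": "out", "action": "deny", "src": "0.0.0.0/0",
     "dst": "0.0.0.0/0", "dport": None, "log": False,
     "justification": "default deny", "last_reviewed": date(2024, 3, 1)},
]


def net(s):
    return ipaddress.ip_network(s)


def is_any(n):
    return n.prefixlen == 0


def is_internal(n):
    return any(n.subnet_of(i) for i in INTERNAL_NETS)


def review(rules, today):
    """Return (rule name or direction, finding) pairs."""
    findings = []
    for r in rules:
        src, dst = net(r["src"]), net(r["dst"])
        if r["action"] == "allow":
            # "any port" to or from anywhere is the allow-all policy the guide warns about
            if r["dport"] is None and (is_any(src) or is_any(dst)):
                findings.append((r["name"], "PERMISSIVE_ANY_PORT"))
            # admin services on the management VLAN reachable from outside the internal ranges
            if dst.subnet_of(MGMT_NET) and r["dport"] in MGMT_PORTS and not is_internal(src):
                findings.append((r["name"], "MGMT_EXPOSED"))
            if not r.get("justification"):
                findings.append((r["name"], "NO_JUSTIFICATION"))
        if (today - r["last_reviewed"]).days > REVIEW_DAYS:
            findings.append((r["name"], "REVIEW_OVERDUE"))
        if r["action"] == "deny" and not r.get("log"):
            findings.append((r["name"], "DENY_NOT_LOGGED"))
    # the last rule in each direction must be deny any -> any
    for direction in ("in", "out"):
        chain = [r for r in rules if r["direction"] == direction]
        last = chain[-1] if chain else None
        if last is None or last["action"] != "deny" or not (is_any(net(last["src"])) and is_any(net(last["dst"]))):
            findings.append((direction, "NO_DEFAULT_DENY"))
    return findings


if __name__ == "__main__":
    for name, finding in review(RULES, date.today()):
        print(f"{name:22} {finding}")
```

Every finding maps to one bullet above: `MGMT_EXPOSED` is the admin panel on a public IP, `PERMISSIVE_ANY_PORT` is the allow-all outbound rule, `NO_JUSTIFICATION` and `REVIEW_OVERDUE` are rules you cannot defend at the quarterly review, and `DENY_NOT_LOGGED` is the "flying blind" case.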

Segment Your Network to Contain the Blast Radius

Flat networks are an attacker’s dream. Once they’re in, they can move laterally to every device without restriction. Network segmentation using VLANs (Virtual Local Area Networks) contains breaches and limits the damage an attacker can do.

How to Structure Your VLANs

Here’s a practical segmentation model for a small to medium business:

  • Corporate VLAN: Staff workstations and business applications
  • Server VLAN: Internal servers, file shares, and databases — with strict ACLs controlling who can reach them
  • Guest VLAN: Visitor Wi-Fi, isolated from all internal resources
  • IoT VLAN: Smart TVs, printers, IP cameras, and any device that doesn’t need to communicate with your business systems
  • Management VLAN: Network infrastructure devices — switches, routers, access points — accessible only by IT staff

Between each VLAN, apply inter-VLAN routing rules using your firewall or layer 3 switch. The goal is to ensure that a compromised printer on the IoT VLAN cannot reach your finance server on the Server VLAN.
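The segmentation model above only works if the inter-VLAN rules are written down as an explicit allow-list with everything else dropped. The script below is an added example, not code from the original guide: it encodes the five VLANs as subnets, lists the only flows that are permitted between them, answers the question "can this host reach that host on this port?" for any pair of addresses, and renders the same policy as an nftables forward chain for a Linux layer 3 filter. The subnets, the reserved IT-admin range inside the corporate VLAN, and the allowed flows are constructed assumptions; nftables is assumed as the device doing the inter-VLAN routing. It also demonstrates the printer-to-finance-server case from the paragraph above being denied.

```python
"""Express the five-VLAN model as an explicit allow-list, check flows against
it, and render the equivalent nftables forward chain.

Added example, not from the original guide. Subnets, the IT-admin range and
the allowed flows are constructed assumptions; nftables is assumed as the
layer 3 filter between VLANs.
"""
import ipaddress

# Assumed addressing: one /24 per VLAN; it_admins is a reserved slice of corporate
NETWORKS = {
    "corporate":  ipaddress.ip_network("10.10.0.0/24"),
    "it_admins":  ipaddress.ip_network("10.10.0.240/28"),
    "server":     ipaddress.ip_network("10.20.0.0/24"),
    "guest":      ipaddress.ip_network("10.30.0.0/24"),
    "iot":        ipaddress.ip_network("10.40.0.0/24"),
    "management": ipaddress.ip_network("10.99.0.0/24"),
}

# Every permitted inter-VLAN flow: (src zone, dst zone, proto, ports, reason).
# Anything not listed here is dropped and logged. Note there is no iot -> server
# entry and no guest -> anything entry.
ALLOWED_FLOWS = [
    ("corporate", "server", "tcp", (443, 445), "business apps and file shares"),
    ("corporate", "iot", "tcp", (631, 9100), "printing"),
    ("it_admins", "management", "tcp", (22, 443), "IT staff managing switches and APs"),
    ("it_admins", "server", "tcp", (22, 3389), "IT staff administering servers"),
]


def zones_of(ip):
    """All named networks containing ip (an IT admin host is also 'corporate')."""
    addr = ipaddress.ip_address(ip)
    return {name for name, n in NETWORKS.items() if addr in n}


def is_allowed(src_ip, dst_ip, proto, dport):
    """Policy decision for one flow. Same-VLAN traffic is switched, not routed,
    so the forward chain never sees it; report it as allowed here."""
    src_zones, dst_zones = zones_of(src_ip), zones_of(dst_ip)
    if src_zones & dst_zones:
        return True
    for s, d, p, ports, _reason in ALLOWED_FLOWS:
        if s in src_zones and d in dst_zones and p == proto and dport in ports:
            return True
    return False


def render_nftables():
    """Render ALLOWED_FLOWS as an nftables forward chain with a drop policy."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for s, d, p, ports, reason in ALLOWED_FLOWS:
        portset = ", ".join(str(x) for x in ports)
        lines.append(f'    ip saddr {NETWORKS[s]} ip daddr {NETWORKS[d]} '
                     f'{p} dport {{ {portset} }} accept comment "{reason}"')
    lines.append('    log prefix "vlan-drop: " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    print("iot printer -> finance server:",
          is_allowed("10.40.0.23", "10.20.0.10", "tcp", 445))
```

The ordering in the rendered chain is what makes the policy hold: return traffic is accepted by connection state, each listed flow is accepted explicitly, and the final `log ... drop` together with `policy drop` means a compromised printer on the IoT VLAN gets a logged drop when it tries the server VLAN, rather than an open path.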

Harden Every Device: From Routers to Workstations

Network hardening isn’t just about the perimeter — every device inside your network needs to be secured individually. This is called defence in depth, and it ensures that even if one layer fails, others remain intact.

Router and Switch Hardening

  • Change all default credentials immediately — factory usernames and passwords are publicly documented
  • Disable unused management protocols: SNMP v1/v2c (use v3 with authentication and encryption), CDP, and LLDP if not needed
  • Enable SSH instead of Telnet for all remote management
  • Apply firmware updates on a regular schedule — subscribe to your vendor’s security advisory mailing list
  • Disable unused physical ports on switches and assign them to a dead VLAN
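Most of the router and switch checklist above can be verified from the running configuration rather than by clicking through each device. The script below is an added example, not code from the original guide: it reads a Cisco IOS-style configuration and reports default SNMP community strings, SNMP v1/v2c in use, Telnet accepted on the VTY lines, CDP and LLDP left enabled, the plain HTTP management server, `enable password` used instead of `enable secret`, and unused ports that are neither shut down nor moved to a dead VLAN. The configuration text is constructed, the IOS syntax is an assumption about the device family being audited, and the dead VLAN number is a placeholder.

```python
"""Audit a Cisco IOS-style running-config against the router/switch checklist.

Added example, not from the original guide. The config below is constructed,
the IOS-style syntax is an assumption about the device being audited, and
DEAD_VLAN is a placeholder; adapt the patterns for other vendors.
"""
import re

CONFIG = """\
hostname core-sw1
enable password cisco123
no service password-encryption
snmp-server community public RO
snmp-server community private RW
lldp run
ip http server
line vty 0 4
 transport input telnet ssh
 login local
interface GigabitEthernet1/0/1
 description uplink-fw
 switchport access vlan 99
interface GigabitEthernet1/0/24
 description unused
 switchport access vlan 1
 no shutdown
"""

DEAD_VLAN = 999                               # placeholder: your unused-port VLAN
DEFAULT_COMMUNITIES = {"public", "private"}   # factory SNMP strings


def parse_blocks(config):
    """Split the config into global lines and {interface name: [its lines]}.
    Indented lines outside an interface block (e.g. under 'line vty') are
    kept as global lines, stripped of indentation."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            global_lines.append(raw.strip())
    return global_lines, interfaces


def audit(config):
    """Return (finding, offending line or interface) pairs."""
    findings = []
    glob, ifaces = parse_blocks(config)
    for line in glob:
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            # community strings only exist for v1/v2c; v3 uses users and groups
            findings.append(("SNMP_V1_V2C", line))
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(("DEFAULT_CREDENTIAL", line))
        if re.match(r"transport input .*\b(telnet|all)\b", line):
            findings.append(("TELNET_ENABLED", line))
        if line == "lldp run":
            findings.append(("LLDP_ENABLED", line))
        if line == "ip http server":
            findings.append(("HTTP_MGMT_ENABLED", line))
        if line.startswith("enable password"):
            findings.append(("ENABLE_PASSWORD_NOT_SECRET", line))
        if line == "no service password-encryption":
            findings.append(("PASSWORDS_CLEARTEXT", line))
    # CDP is on by default and not shown; only 'no cdp run' proves it is off
    if "no cdp run" not in glob:
        findings.append(("CDP_ENABLED", "no 'no cdp run' in config"))
    for name, lines in ifaces.items():
        unused = any(l.startswith("description") and "unused" in l.lower() for l in lines)
        if unused:
            if "shutdown" not in lines:
                findings.append(("UNUSED_PORT_ENABLED", name))
            if f"switchport access vlan {DEAD_VLAN}" not in lines:
                findings.append(("UNUSED_PORT_NOT_IN_DEAD_VLAN", name))
    return findings


if __name__ == "__main__":
    for finding, where in audit(CONFIG):
        print(f"{finding:30} {where}")
```

Run it against `show running-config` output from each device after every change window; a clean run returns an empty list, which is the state the checklist describes.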

Wireless Network Security

  • Use WPA3 where supported; WPA2-Enterprise if you have a RADIUS server
  • Disable WPS (Wi-Fi Protected Setup) — it has known vulnerabilities that allow brute-force attacks
  • Use a non-identifiable SSID — don’t broadcast your company name or router model
  • Enable client isolation on guest networks so visitors can’t see or communicate with each other’s devices

Endpoint Hardening

  • Enforce full disk encryption (BitLocker on Windows, FileVault on macOS)
  • Disable USB ports on devices that don’t require them — use Group Policy in Windows environments
  • Remove or disable bloatware and unused applications — every installed program is a potential vulnerability
  • Apply the principle of least privilege: users should only have the permissions they need to do their job, nothing more

Patch Management: The Most Unglamorous Security Control That Actually Works

Unpatched software is responsible for a staggering number of successful attacks. The WannaCry ransomware attack in 2017 exploited a vulnerability that Microsoft had patched two months earlier. Thousands of organisations were still running unpatched systems.

Establish a formal patch management process:

  • Operating systems: Apply critical patches within 72 hours of release; all other patches within 30 days
  • Third-party software: Don’t forget browsers, PDF readers, Java, and media players — these are frequently targeted
  • Network devices: Routers and switches need firmware updates too — schedule quarterly reviews
  • Test before deploying: In production environments, test patches in a staging environment first to avoid operational disruption
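The SLAs above (72 hours for critical patches, 30 days for everything else, quarterly firmware reviews for network devices) are only a control if something measures them. The script below is an added example, not code from the original guide: it walks a small patch inventory and reports every patch that was installed after its deadline or is still missing past it, with the number of hours overdue, plus any network device whose firmware review is more than 90 days old. The inventory records and their layout are constructed assumptions; the patch identifiers are placeholders.

```python
"""Check a patch inventory against this section's SLAs: critical patches
within 72 hours, everything else within 30 days, and quarterly firmware
reviews for network devices.

Added example, not from the original guide; the inventory is constructed,
the record layout is an assumption and patch identifiers are placeholders.
"""
from datetime import datetime, timedelta

SLA = {"critical": timedelta(hours=72), "other": timedelta(days=30)}
FIRMWARE_REVIEW = timedelta(days=90)

# Constructed records: when the vendor released the patch, when we installed it (None = not yet)
PATCHES = [
    {"asset": "dc01", "patch": "KB-EXAMPLE-1", "severity": "critical",
     "released": datetime(2024, 3, 1, 9, 0), "installed": datetime(2024, 3, 3, 17, 0)},
    {"asset": "web01", "patch": "KB-EXAMPLE-2", "severity": "critical",
     "released": datetime(2024, 3, 1, 9, 0), "installed": None},
    {"asset": "ws-07", "patch": "reader-2024.1", "severity": "important",
     "released": datetime(2024, 2, 20), "installed": None},
    {"asset": "ws-08", "patch": "reader-2024.1", "severity": "important",
     "released": datetime(2024, 3, 20), "installed": None},
    {"asset": "ws-09", "patch": "KB-EXAMPLE-3", "severity": "critical",
     "released": datetime(2024, 3, 10, 9, 0), "installed": datetime(2024, 3, 15, 9, 0)},
]
FIRMWARE = [
    {"asset": "core-sw1", "last_review": datetime(2023, 11, 1)},
    {"asset": "ap-01", "last_review": datetime(2024, 3, 1)},
]


def deadline(patch):
    """Release time plus the SLA window for the patch's severity."""
    window = SLA["critical"] if patch["severity"] == "critical" else SLA["other"]
    return patch["released"] + window


def sla_breaches(patches, now):
    """Return (asset, patch, 'installed late' | 'missing', hours overdue) for
    every patch that was not installed by its deadline."""
    breaches = []
    for p in patches:
        due = deadline(p)
        done = p["installed"]
        if done is not None and done <= due:
            continue                      # installed within SLA
        reference = done if done is not None else now
        if reference > due:
            hours = int((reference - due).total_seconds() // 3600)
            status = "installed late" if done is not None else "missing"
            breaches.append((p["asset"], p["patch"], status, hours))
    return breaches


def firmware_reviews_due(devices, now):
    """Network devices whose last firmware review is older than one quarter."""
    return [d["asset"] for d in devices if now - d["last_review"] > FIRMWARE_REVIEW]


if __name__ == "__main__":
    now = datetime.now()
    for asset, patch, status, hours in sla_breaches(PATCHES, now):
        print(f"{asset:10} {patch:16} {status:15} {hours:6d} h overdue")
    for asset in firmware_reviews_due(FIRMWARE, now):
        print(f"{asset:10} firmware review overdue")
```

Feed it from whatever records your patching tool exports; a breach that shows `installed late` is still worth tracking, because a pattern of late installs is what tells you the process, not the tooling, is the problem.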

Monitor, Detect, and Respond: Don’t Just Set and Forget

Hardening reduces your attack surface — but it doesn’t make you invisible. You need visibility into what’s happening on your network at all times.

  • Centralised logging: Aggregate logs from firewalls, switches, servers, and endpoints. Tools like Graylog (free) or Splunk make this manageable.
  • Intrusion Detection: Deploy an IDS/IPS — Snort and Suricata are both excellent open-source options
  • DNS monitoring: Many malware strains communicate via DNS. Monitor and filter DNS queries using tools like Pi-hole or a commercial DNS security service like Cloudflare Gateway
  • Set up alerting: Configure alerts for failed login attempts, new devices joining the network, and large outbound data transfers
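The three alerts in the last bullet can each be expressed as a small detection over centralised logs. The script below is an added example, not code from the original guide: it runs three detections over a handful of syslog-style lines, a burst of failed SSH logins from one source, a DHCP lease handed to a MAC address that is not in the known-device list, and a single outbound flow larger than a chosen limit. The log lines are constructed; the sshd and dnsmasq-dhcp formats follow those daemons' real message shapes, while the `flow:` record format, the known-MAC list and the thresholds are assumptions you would set for your own environment.

```python
"""Three detections from the alerting bullet, run over sample syslog lines:
repeated failed logins, an unknown MAC taking a DHCP lease, and a large
outbound transfer.

Added example, not from the original guide. The log lines are constructed;
sshd and dnsmasq-dhcp lines follow those daemons' message formats, the
'flow:' record format, KNOWN_MACS and both thresholds are assumptions.
"""
import re
from collections import Counter

KNOWN_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:10", "00:11:22:33:44:20"}
FAILED_LOGIN_THRESHOLD = 5        # failures from one source before alerting
OUTBOUND_LIMIT = 1 * 1024 ** 3    # 1 GiB in one flow; tune to your baseline

LOG_LINES = [
    *(f"Mar 10 09:12:{i:02d} fw sshd[2101]: Failed password for root from 203.0.113.9 port 51{100 + i} ssh2"
      for i in range(6)),
    "Mar 10 09:12:30 fw sshd[2102]: Failed password for alice from 192.168.1.50 port 40212 ssh2",
    "Mar 10 09:13:40 fw dnsmasq-dhcp[301]: DHCPACK(eth1) 192.168.1.77 aa:bb:cc:dd:ee:ff unknown-laptop",
    "Mar 10 09:13:42 fw dnsmasq-dhcp[301]: DHCPACK(eth1) 192.168.1.20 00:11:22:33:44:20 printer",
    "Mar 10 09:15:02 fw flow: src=192.168.1.10 dst=198.51.100.20 proto=tcp dport=443 bytes_out=2147483648",
    "Mar 10 09:15:05 fw flow: src=192.168.1.50 dst=198.51.100.21 proto=tcp dport=443 bytes_out=120000",
]

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
DHCP_RE = re.compile(r"DHCPACK\(\S+\) (\S+) ([0-9a-fA-F:]{17}) ?(\S*)")
FLOW_RE = re.compile(r"flow: src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+) bytes_out=(\d+)")


def failed_login_bursts(lines, threshold=FAILED_LOGIN_THRESHOLD):
    """Source IPs with at least `threshold` failed SSH logins."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def new_devices(lines, known=KNOWN_MACS):
    """(mac, ip, hostname) for DHCP leases granted to MACs not in the inventory."""
    found = []
    for line in lines:
        m = DHCP_RE.search(line)
        if m and m.group(2).lower() not in known:
            found.append((m.group(2).lower(), m.group(1), m.group(3)))
    return found


def large_outbound(lines, limit=OUTBOUND_LIMIT):
    """(src, dst, bytes) for single flows sending at least `limit` bytes out."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and int(m.group(5)) >= limit:
            hits.append((m.group(1), m.group(2), int(m.group(5))))
    return hits


def alerts(lines):
    """One alert string per detection hit, ready for a SIEM or a mail hook."""
    out = []
    for ip, n in failed_login_bursts(lines).items():
        out.append(f"FAILED_LOGINS {ip}: {n} failures")
    for mac, ip, host in new_devices(lines):
        out.append(f"NEW_DEVICE {mac} got {ip} ({host or 'no hostname'})")
    for src, dst, nbytes in large_outbound(lines):
        out.append(f"LARGE_OUTBOUND {src} -> {dst}: {nbytes} bytes")
    return out


if __name__ == "__main__":
    for a in alerts(LOG_LINES):
        print(a)
```

The same three functions work unchanged on lines pulled from Graylog or a syslog server; the part you will revisit is the thresholds, which should come from a week or two of your own baseline rather than from this example.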

Network Hardening Is a Process, Not a Project

Here’s the honest truth about network hardening: it’s never finished. Your infrastructure changes, new vulnerabilities are discovered, new devices are added, and attackers develop new techniques. The organisations that stay secure are the ones that treat hardening as an ongoing discipline rather than a one-time task.

Start with the fundamentals covered in this guide: audit your network, lock down your firewall, segment your VLANs, harden every device, patch consistently, and build monitoring into your routine. These aren’t theoretical best practices — they’re the controls that stop real attacks, every day.

If you’re not sure where to begin, start with your audit. You can’t fix what you can’t see. Once you know what’s on your network and what it’s exposing, everything else follows naturally.

Need help getting started? Explore more practical guides on Techbytes — bite-sized, actionable cybersecurity advice built for real businesses, not enterprise security teams with unlimited budgets.