Hi all. Beyond port security configurations... I always thought it was important to update firmwares and (now) would enable MFA to access switches. I also improved physical security so that random people couldn't walk up and plug into ports.
What do you do?
I use and sell Meraki equipment, and disable the local management. Then I use 2FA on the Meraki site. There is zero attack footprint on the local LAN. Firmware updating is a breeze and can be across an entire network, or staged across multiple switches. It does not matter where the switches are or where you are! If for some reason a firmware update breaks the switch, the switch will reboot into the old firmware by itself.
If you wonder about Meraki's commitment to security, check out:
We just revamped our internal network structure to be more secure by default. We have keystones around the office, and we don't want them open for guests to use, so we're going to be disabling the associated switch ports. I'll be intrigued to see what our staff's reaction is. Very, very few use a hard-wired connection anymore, and we've identified them so they'll remain online, but you never know.
We've also rebuilt our VLANs so that we have an "IoT" network that is specific to anything that has potential vulnerabilities (looking at you, printers & Chromecasts). This is also the only network allowed to talk between our corporate network and our guest network, and even then only certain types of traffic are allowed.
We took the default network and put firewall rules in place so that it can't access the WAN nor can it talk to any of the other VLANs. This way if we mess up and leave a port open, it won't be able to actually do anything without our IT staff knowing about it.
As for local threat points, only our Jr. SysAdmin and myself can access any of the local management ports & interfaces. We have it filtered by MAC address and you have to be connected to a specific port (Jr. SysAdmin and myself have switches at our desk for ease of troubleshooting).
Honestly, I didn't even think about it, but our Jr. SysAdmin focused on networking while in college, so he had some great ideas and a lot of knowledge about the inner workings of it. I don't like networking, so he's been a great asset.
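An added example (not the poster's own configuration) that encodes the segmentation described in this reply as a first-match rule list and checks sample flows against it, so the "default VLAN is isolated, only IoT bridges corporate and guest" intent can be regression-tested before touching the real firewall. VLAN names, the printer and Chromecast ports, and the exact rule order are assumptions.

```python
# Constructed policy model of the VLAN layout described in the reply above.
# It models new connections only; a stateful firewall handles return traffic.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # source VLAN name
    dst: str    # destination VLAN name, or "WAN"
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# (src, dst, proto, port, action); "*" matches anything; first match wins.
# Port numbers are assumptions standing in for the "certain types of traffic".
RULES = [
    ("default", "*", "*", "*", "deny"),           # unused ports land here: no WAN, no VLANs
    ("guest", "corporate", "*", "*", "deny"),     # guest and corporate never talk directly
    ("corporate", "guest", "*", "*", "deny"),
    ("corporate", "iot", "tcp", 9100, "allow"),   # assumed: raw printing to printers
    ("corporate", "iot", "tcp", 8008, "allow"),   # assumed: Chromecast control
    ("guest", "iot", "tcp", 8008, "allow"),       # guests may cast, nothing else
    ("iot", "corporate", "*", "*", "deny"),       # IoT never initiates into other VLANs
    ("iot", "guest", "*", "*", "deny"),
    ("*", "WAN", "*", "*", "allow"),              # everything not isolated reaches the internet
    ("*", "*", "*", "*", "deny"),                 # default deny for anything not listed
]


def _match(pattern, value):
    return pattern == "*" or pattern == value


def evaluate(flow: Flow) -> str:
    """Return the action of the first rule matching the flow ("deny" if none)."""
    for src, dst, proto, port, action in RULES:
        if (_match(src, flow.src) and _match(dst, flow.dst)
                and _match(proto, flow.proto) and _match(port, flow.port)):
            return action
    return "deny"


def audit(flows):
    """Map each sample flow to its verdict; useful as a quick policy regression check."""
    return {f: evaluate(f) for f in flows}
```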