Scientific Reports. 2025 Apr 29;15:15042. doi: 10.1038/s41598-025-97894-4

Optimization of network device hardening in a multivendor environment

Ali Bello Imoukhuede 1, Tarek Rahil Sheltami 1, Asharf Hasan Mahmoud 1, Abdulaziz Yagoub Barnawi 2
PMCID: PMC12041446  PMID: 40301469

Abstract

This paper presents a Python-based Nornir framework for automating network device hardening in multi-vendor environments, addressing critical gaps in scalability and interoperability. Unlike existing single-vendor solutions, our method enforces CIS benchmarks across Cisco, Juniper, and Fortinet devices, achieving an 82.18% reduction in hardening time compared to prior automation tools and a 99.99% improvement over manual techniques. By leveraging Nornir’s multi-threading and vendor-agnostic inventory management, the framework ensures consistent security policies while eliminating configuration errors. Experimental results across 18 heterogeneous devices demonstrate its efficiency, with full hardening completed in 44 s (95% CI [43.8, 44.1]). This work provides enterprises with a scalable solution to rapidly secure complex networks against evolving threats, bridging the gap between compliance standards and real-world deployment.

Keywords: Network security, Automation, Device hardening, Optimization, Performance

Subject terms: Computer science, Engineering

Introduction

In the dynamic landscape of modern networking, the continuous evolution of technology and the exponential growth of network complexity have necessitated innovative approaches to manage and operate network infrastructures efficiently [1, 2]. Manual management and configuration of network devices have become increasingly time-consuming, error-prone, and inefficient [3, 4]. Attackers have also improved their capacity to gain access to network devices by combining social engineering with the use of pre-configured devices, weak and insecure passwords, configuration errors, or security flaws [5, 6]. The creation and availability of various hacking tools have also made it easier to infiltrate a network architecture. Given the size of an enterprise network and the potential states it could be in, the attack surface can extend to hundreds of devices, especially in a multi-vendor environment. However, by hardening the devices, vulnerabilities in the system, including those listed above and others like them, can be found and fixed before an attacker discovers and exploits them [7]. To protect the infrastructure and the data within it, strict and consistent security policies must be implemented [8, 9]. One approach to solving these problems is to automate the hardening process [10]. Network automation is a cost-effective strategy that rapidly configures devices, minimizes human errors, reduces costs, improves security, and improves productivity, flexibility, and resilience [11]. This is primarily achieved by automating repetitive tasks and by fostering programmability and orchestration capabilities. Hence, network automation is well suited to implementing adequate security policies and configurations in network devices.

Although existing studies have explored automation frameworks such as Ansible [12] and Netmiko [13] for device hardening, these approaches are limited in scope. Two critical gaps persist:

  • Single-vendor focus: Prior works (e.g., [12, 13]) address hardening only within vendor-specific ecosystems, neglecting the complexity of real-world multi-vendor networks.

  • Scalability limitations: Traditional tools like Ansible rely on YAML playbooks, which struggle with complex logic at scale, while Python libraries like Netmiko lack native multi-threading.

This work addresses these gaps through the following contributions:

  • A vendor-agnostic automation framework: using Python-based Nornir, enabling seamless hardening of Cisco, Juniper, and Fortinet devices within a unified workflow. Unlike Ansible or Puppet, Nornir’s multi-threading and granular inventory management reduce execution time by 82.18% compared to prior automation methods.

  • Quantitative validation of hardening efficiency: We demonstrate a 99.99% reduction in execution time compared to manual techniques, with rigorous statistical analysis (95% confidence intervals) across 18 multi-vendor devices.

  • Interoperability safeguards: By adhering to CIS benchmarks, our framework ensures configuration consistency across vendors, mitigating vulnerabilities like weak SNMP policies or unsecured routing protocols.

The remainder of this paper is organized as follows. Section “Background” provides additional background information. Section “Literature review” outlines the most recent work relevant to the research topic. Section “Methodology” presents the proposed framework and simulation setup, which will be used for various test scenarios. Section “Simulation” presents the various simulations and examines the results and performance of the proposed framework. Section “Results and discussions” presents the results from the various test cases. Finally, section “Conclusion and future work” provides the conclusions and future work.

Background

Hardening

To strengthen the security levels in various network devices, mobile devices, applications, operating systems, server software, desktop software, cloud providers, etc., a procedure known as “hardening” is used [14]. The possibility of unwanted access to a network’s infrastructure is decreased by hardening network equipment [15, 16]. A malicious cyber actor might take advantage of flaws in network device management and configurations to establish a presence and maintain persistence within a network [17]. Adversaries are increasingly focusing on targeting specialized and embedded devices, such as routers and switches, rather than only standard endpoints [18]. They accomplish this by altering routing protocols, exploiting configuration flaws, and introducing malware into the operating systems [19]. To mitigate these attacks and infiltrations, network devices must be configured according to globally recommended standards to reduce the attack surface [20]. These rules and guidelines, which have been recommended by experts from various parts of the world, form a collective procedural network security approach to ensure that all network devices are protected.

Center for Internet Security (CIS)

The CIS is a nonprofit organization centered on enhancing cybersecurity preparation and response in the public and private sectors. It utilizes the strength of the international IT community to defend public and private entities against threats from the internet [21]. The CIS helps to concentrate efforts on the most sensitive devices by drawing on the knowledge and experience of security specialists from around the world. This makes it easy to identify the specific settings that need to be changed to harden network devices. Hence, CIS helps to evaluate and maintain a security baseline for IT infrastructures [22, 23]. To protect systems against current and growing cyber threats, CIS has created Benchmarks, a set of over 100 configuration requirements spanning 25+ vendor product families. This research focuses on the benchmarks for three vendors: Cisco, Juniper, and Fortinet.

CIS configuration profiles are of two levels.

Level 1

  • Basic Security Posture: Level 1 profiles are designed to establish foundational cybersecurity practices. They typically include fundamental security measures that organizations should implement to improve their overall security posture. Level 1 controls are often considered essential for all organizations as a starting point for cybersecurity.

  • Risk Reduction: Level 1 profiles aim to reduce the organization’s risk of common cyber threats and attacks. Controls at this level are usually basic and widely applicable to different industries and organizations.

  • Minimum Security Standards: Organizations implementing Level 1 profiles are expected to meet minimum security standards to address prevalent cybersecurity challenges.

Level 2

  • Enhanced Security Measures: Level 2 profiles build upon Level 1 by introducing additional, more advanced security measures. Controls at this level are designed to provide enhanced protection against a broader range of cyber threats.

  • Increased Complexity: Controls in Level 2 profiles may be more complex and require a higher level of technical expertise to implement and manage effectively.

  • Tailored to Organization’s Specifics: Level 2 profiles may allow for more customization to address the specific needs and risks of individual organizations. Controls may be adapted based on the organization’s industry, size, and unique cybersecurity requirements.

  • Continuous Improvement: Organizations implementing Level 2 profiles are expected to demonstrate a commitment to continuous improvement in their cybersecurity practices. Controls at this level may involve more robust monitoring, detection, and response capabilities.

Network automation

Network Automation, often considered a fusion of programming and network infrastructure expertise, has evolved significantly, drawing inspiration from Software Defined Networks (SDN). This innovative approach relies on leveraging standard computer languages and scripting techniques to administer and maintain network components with minimal human intervention [24, 25]. This development enhances efficiency and drastically reduces configuration time, making it a compelling choice for implementing repetitive tasks across numerous devices [26, 27]. Managing the ever-increasing number of network devices is one notable application of network automation [28, 29, 30]. As the number of devices in an enterprise network continues to grow, the need for efficient and scalable management becomes paramount. In these scenarios, the adoption of network automation stands out as a favored choice owing to its ease of implementation and inherent flexibility [31]. This flexibility makes it possible for automation frameworks to strengthen network security by imposing standardized and consistent configurations across the entire infrastructure. This approach significantly reduces the likelihood of human errors, a crucial factor that could otherwise expose vulnerabilities within the network architecture. By automating the configuration process, organizations can establish a uniform and secure baseline, ensuring that each network component adheres to predefined security protocols. This not only enhances the overall performance of the network but also enables organizations to scale their infrastructure seamlessly.

Common network automation tools and frameworks

  • Ansible: Ansible is an open-source configuration management tool that uses YAML as its configuration format, making it easily readable by humans [32]. It uses the concept of playbooks, which enable users to specify the actions, settings, and procedures necessary to automate different processes on target hosts or distant systems [33, 34].

  • Puppet: This open-source configuration management platform permits the provisioning and automated management of IT systems and applications [35]. Unlike Ansible, in which any computer can be a controller, Puppet uses the concept of a “Puppet Master”, which ensures a centralized point of control [36].

  • Chef: Chef follows an Infrastructure as Code (IaC) approach, which allows users to express their infrastructure configurations in code, making it more scalable, version-controlled, and repeatable [37]. Similar to Puppet, Chef uses the concept of a “Chef Server” or “Chef Master” as a centralized location to store cookbooks, recipes, attributes, roles, and other configuration data [38].

  • SaltStack: Often referred to simply as “Salt”, SaltStack is written in Python and uses a client-server architecture to automate the deployment, configuration, and management of systems [39]. It is a configuration management tool designed to install and manage software on existing servers/end stations [40].

  • Netmiko: This is a Python library that uses SSH connections to make automating network device interactions less complex. Unlike its counterpart, Paramiko [41], it provides a unified interface to manage and control various network devices irrespective of their vendor or platform [42]. This makes it a practical option for automation purposes [43].

The success and effectiveness of task automation are closely related to the chosen platform. The automation platform that has been selected for this research is Nornir.

The Nornir framework

Nornir is an automation framework that is centered around the concept of “inventory”. The inventory contains information about one or more hosts and can be populated from multiple input sources. This means that in a multi-vendor network, a task can be run against all Cisco devices while excluding Arista devices. Similarly, a task can be run against all routers but not switches. Hence, inventory management gives granular control of network automation by allowing users to group devices and then run tasks against portions of the network. This is called inventory filtering. Nornir also manages job distribution to the devices and supplies a standard foundation to create “plugins” [44]. It provides a few inventory plugins to ease the automation process and configuration. The standard plugin is SimpleInventory, which works with YAML files. Tasks that are defined may include custom plugins, community-shared plugins, or Python code. The framework also has data management, parallelization, and error-tracking functionalities. Nornir uses data sets in its execution. It performs operations on this data and manages all threads. This often means that the data of each node in a network environment is contained in the inventory. This makes Nornir flexible and suitable for several automation use cases.

Overcoming limitations of legacy automation tools

Nornir addresses critical shortcomings of traditional automation frameworks through its Python-centric design and granular control:

  • Flexibility vs. Declarative Simplicity:
    • Ansible/Puppet: Rely on YAML/DSL for simplicity but struggle with complex logic (e.g., conditional hardening based on device roles).
    • Nornir: Leverages native Python, enabling dynamic workflows (e.g., looping through CIS benchmarks) while retaining readability.
    • Trade-off: Requires Python proficiency but eliminates YAML’s rigidity.
  • Multi-Threading vs. Resource Overhead:
    • Netmiko/Paramiko: Execute tasks sequentially, leading to linear scaling (e.g., 6 devices take 6× the single-device time).
    • Nornir: Configurable num_workers (16 in our tests) parallelizes tasks, reducing 18-device hardening to 44 s.
    • Trade-off: Over-parallelization can overwhelm low-resource controllers, necessitating worker tuning.
  • Vendor-Neutral Inventory vs. Tool Fragmentation:
    • Vendor-Specific Tools (e.g., Cisco DNA Center): Lock users into single ecosystems.
    • Nornir: Unifies Cisco, Juniper, and Fortinet under a single inventory, applying CIS rules via vendor-agnostic plugins (e.g., netmiko_send_config).
  • Error Handling vs. Speed:
    • Ansible: Fails entire playbooks on errors unless explicitly ignored.
    • Nornir: Continues task execution on non-critical errors (e.g., one device unreachable) and logs issues for post-hoc analysis.
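
The threaded-versus-sequential scaling and the continue-on-error behaviour described above, modelled with Python's standard library as an added example (not code from the paper and not Nornir's own implementation). The host names, the unreachable device and the 0.05 s session latency are constructed; the 18-device count and 16 workers follow the figures quoted above.

```python
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed inventory: 18 hypothetical devices, 6 per vendor.
HOSTS = [f"{vendor}-{i}"
         for vendor in ("cisco", "juniper", "fortinet")
         for i in range(1, 7)]
UNREACHABLE = {"juniper-3"}   # constructed failure case
SESSION_SECONDS = 0.05        # stand-in for SSH login plus config push latency


def harden(host):
    """Stand-in for one device session; a real task would push config over SSH."""
    time.sleep(SESSION_SECONDS)
    if host in UNREACHABLE:
        raise ConnectionError(f"{host}: SSH connection timed out")
    return f"{host}: hardened"


def _run_one(host):
    # Exceptions are caught per host, so one failure never aborts the run.
    try:
        return host, {"failed": False, "result": harden(host)}
    except Exception as exc:
        return host, {"failed": True, "result": repr(exc)}


def run(hosts, num_workers):
    """Run harden() on every host; return (results_by_host, elapsed_seconds)."""
    start = time.perf_counter()
    if num_workers <= 1:
        pairs = [_run_one(h) for h in hosts]          # sequential baseline
    else:
        with ThreadPoolExecutor(max_workers=num_workers) as pool:
            pairs = list(pool.map(_run_one, hosts))   # one thread per in-flight host
    return dict(pairs), time.perf_counter() - start


def failed_hosts(results):
    """Hosts to review or re-run after the batch has finished."""
    return sorted(h for h, r in results.items() if r["failed"])


def sweep(worker_counts):
    """Elapsed seconds per worker count, for tuning num_workers on a controller."""
    return {n: run(HOSTS, n)[1] for n in worker_counts}


if __name__ == "__main__":
    results, _ = run(HOSTS, 16)
    print("failed:", failed_hosts(results))
    for workers, seconds in sweep([1, 4, 16]).items():
        print(f"num_workers={workers:>2}: {seconds:.2f}s")
```

Because the simulated sessions only wait on I/O, the timings show the scheduling effect alone; real devices add CPU cost for SSH key exchange on the controller, which is where the worker-tuning trade-off appears.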

Table 1 compares the Nornir, Ansible, and Netmiko automation frameworks by key features relevant to network automation workflows. Nornir, a Python-based procedural tool, emphasizes concurrency through multi-threaded execution and offers full vendor neutrality via customizable plugins.

Table 1. Nornir vs. legacy tools comparison.

| Feature | Nornir | Ansible | Netmiko |
|---|---|---|---|
| Language | Python (procedural) | YAML (declarative) | Python (low-level) |
| Concurrency | Multi-threaded | Fork-based | Sequential |
| Vendor neutrality | Full (plugins) | Partial (modules) | Partial (connectors) |
| Error resilience | Task-level retry/ignore | Playbook-level halt | Manual handling |
| Extensibility | Custom plugins/Python | Limited modules | Limited scripts |

Motivation and objectives

The primary aim of this study is to increase network security using network automation, thereby enhancing performance and efficiency. The network security implementations will follow the guidelines of CIS. These implementations will be carried out in a multi-vendor environment. The outcomes of this work will serve as proof of concept that the automation framework can be applied successfully in a multi-vendor network environment. Listed below are the specific objectives of this work:

  • Objective 1: To automate the process of level 1 and level 2 device hardening as recommended by the CIS Benchmark.

  • Objective 2: To optimize the automation process by exploiting multithreading.

  • Objective 3: To carry out hardening of various network devices (routers and firewalls) from different vendors (Cisco, Juniper, and Fortinet) all on the same network.

  • Objective 4: To obtain a faster performance metric for hardening devices as compared to previous research.

Contributions

This work makes several significant contributions to the field of network security through the optimization of network device hardening using a Python-based Nornir automation framework. These contributions are as follows:

  • Multi-vendor network automation: The research extends beyond the limitations of a single vendor’s environment, addressing the critical need for network automation solutions that can operate seamlessly in multi-vendor network topologies. This marks a departure from previous works focused on vendor-specific approaches.

  • Substantial reduction in hardening times: One of the primary contributions is the achievement of a substantial reduction in device hardening times. The research records a reduction when compared to previous methodologies, highlighting the efficiency gains introduced by the Nornir automation framework, which supports multithreading.

  • Comprehensive test scenarios: The research contributes to the field by conducting experiments across various test cases involving Cisco routers, FortiGate firewalls, Juniper routers, and a multi-vendor network. The time metrics of implementing security levels 1 and 2 for all vendors under the scope of this research were also reported. This comprehensive approach ensures a thorough evaluation of the Nornir framework’s effectiveness in diverse network scenarios, providing valuable insights for network administrators and security professionals.

Literature review

The authors of [45] used Ansible to configure EIGRP routing and some advanced configurations, leveraging the concept of automation. Network automation aids network managers in automating processes using scripts, which reduces setup time and limits human error. Their data demonstrate that Ansible deployed the configuration to the routers successfully and without errors. Additionally, it was used to put EIGRP authentication into place, boosting network security. The scope of the research was the implementation of a routing protocol without any device hardening configuration. Our research will focus on network security configurations, which are crucial in ensuring network availability, performance, and reliability.

In [46], a multilayer switch was used as a case study for network hardening to identify vulnerabilities linked to getting unauthorized access to the device while it was in use. Vulnerabilities were discovered using the Nessus vulnerability scanner, the Metasploit project, and Nmap. The findings of the vulnerability scans reveal several flaws in the system that could help an attacker infiltrate the operations of the device. Consequently, more tools and methods are required to increase the security of network devices. The research was centered around finding vulnerabilities and not providing practical approaches to harden the network devices. Hence, the research being proposed in this paper can serve as a consolidation by providing an automated methodology to seal the loopholes and vulnerabilities in network devices.

In [13], a solution was proposed to automate router security enhancements and ensure that routers are updated and hardened with little to no configuration modifications and human involvement. Initial configuration, vulnerability patching, compliance audits, and rollback are the solution’s four main tasks. All these were achieved successfully in a minimal amount of time as compared to manual implementation. The research only covered the scope of hardening Cisco routers. It didn’t offer a solution that included other network devices from different vendors. The automation libraries used are Netmiko and Paramiko. These are Python libraries and do not support automation functionality like inventory management and multithreading for flexible configuration.

The paper [12] outlines a task-based automation methodology that enables a campus network’s hardening percentage to be increased to achieve high availability and reduce the likelihood of various attack vectors occurring. The Ansible automation tool was used to implement CIS Benchmarks. Their implementation indicated an increase in hardening, which was achieved within a reduced amount of time as opposed to its implementation using traditional methods. Ansible uses the concept of playbooks written in YAML. YAML is highly human-readable but was not designed to handle sophisticated logic. Hence, when a network scales, handling network automation becomes very complex. On the other hand, a Python automation framework has full access to the entire Python ecosystem, making it more flexible and able to handle complex operations at a large scale. A Python automation framework also has better performance. The main issue is that Ansible serializes and deserializes JSON data internally within the core and between every task, which becomes a huge drawback when configuring a large number of devices.

The authors of [47] proposed a strategy to limit the data an attacker might obtain once they infiltrate a network. Their approach is to prevent lateral movement, divert an attacker, or prevent access to a crucial device. Their linear-time algorithms showed that even with incomplete information about the attacker and their actions, the defender can still reduce their danger. The research was conducted from a conceptual viewpoint without practical implementation. It is also a manual approach rather than automated and is therefore not suitable for a large-scale network.

Table 2 summarizes the key differences between our proposed framework and existing approaches in the literature. This comparison highlights our contributions in addressing multi-vendor hardening, scalability, and reproducibility.

Table 2. Comparison of network hardening approaches.

| Criteria | [45] | [46] | [13] | [12] | [47] | Proposed Work |
|---|---|---|---|---|---|---|
| Automation tool | Ansible | Nessus | NetBot | Ansible | None | Nornir |
| Multi-vendor support | No | No | No | Yes | No | Yes |
| CIS benchmark | No | No | Yes | Yes | No | Yes |
| Multi-threading | No | No | No | No | No | Yes |
| Performance metrics | Yes | Yes | Yes | Yes | Yes | Yes |
| AI/ML integration | No | No | No | No | No | No (future work) |
| Scalability analysis | No | No | No | No | No | Yes |

As shown in Table 2, previous work predominantly focuses on single-vendor environments [12, 13, 45] or lacks automation entirely [47]. In contrast, our framework uniquely combines multivendor CIS compliance, multithreaded execution, and quantitative performance validation (e.g., 82.18% faster than Ansible). Furthermore, unlike vulnerability-centric approaches such as [46], our method proactively enforces security policies rather than detecting post-deployment flaws.

AI-driven network optimization has expanded automation, with Selvarajan et al. [48] securing 6G communication through AI-based threat detection and resource allocation, and Khadidos et al. [49] using parallel processing and graph optimization for beyond-5G networks. These studies focus on communication layers, whereas our work addresses device-level hardening. Using Nornir, we ensure CIS benchmark compliance without the computational overhead of AI models in security-critical tasks. In addition, although the authors of [50] explored AI-driven predictive maintenance in digital twins, such approaches require extensive training data and lack the consistency needed for standardized security workflows. Our framework provides a lightweight, vendor-agnostic solution that enhances security automation while complementing AI-driven systems at higher network layers, ensuring efficient and scalable network hardening.

Methodology

Automation framework setup

There are four files associated with setting up the Nornir automation framework. They are:

  • Host file: Metadata about the network devices to be configured, like IP addresses, FQDNs, credentials, etc., were specified in the “hosts.yaml” file.

  • Group file: The groups listed here corresponded to the ones listed in our “hosts.yaml” file. They are needed for inventory filtering, which is the ability to run a task against a specific set of devices.

  • Defaults file: The default values, for example, username and password, were specified in the “default.yaml” file.

  • Config file: The content of the host file, group file, and default file were aggregated and mapped together by the “config.yaml” file. The thread plugin was imported and the “num_workers” varied depending on the number of devices. These configurations ensure that multithreading is used when setting up multiple network devices.

The final file needed is a python.py file. This file was used to import all the necessary dependencies needed to configure the network devices. The transport mechanism used to communicate with the devices was Netmiko. The complete workflow of Nornir is illustrated in Fig. 1.

Fig. 1. Nornir workflow.
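
How the host, group and defaults data combine, and how one vendor-neutral policy becomes per-vendor commands after inventory filtering, shown as an added standard-library example (not the paper's script and not Nornir's API). All host names, addresses other than 192.168.40.2, the `netops` login class, the `NET_PASSWORD` variable and the policy values are assumptions made for illustration.

```python
import os

# Constructed stand-ins for what hosts.yaml, groups.yaml and default.yaml hold.
DEFAULTS = {
    "username": "netadmin",
    "port": 22,
    # Assumption: the secret is read from the environment rather than stored
    # in plaintext in a YAML file on the automation workstation.
    "password": os.environ.get("NET_PASSWORD", ""),
}
GROUPS = {
    "cisco": {"platform": "cisco_ios"},
    "juniper": {"platform": "juniper_junos"},
    "fortinet": {"platform": "fortinet", "port": 2222},  # overrides the default
}
HOSTS = {
    "r1": {"hostname": "192.168.40.2", "groups": ["cisco"], "role": "router"},
    "r2": {"hostname": "192.168.40.3", "groups": ["cisco"], "role": "router"},
    "j1": {"hostname": "192.168.40.4", "groups": ["juniper"], "role": "router"},
    "fw1": {"hostname": "192.168.40.5", "groups": ["fortinet"], "role": "firewall"},
}

# One vendor-neutral policy (illustrative values, not text from a CIS benchmark).
POLICY = {"idle_timeout_min": 10, "banner": "Authorized access only"}


def resolve(name):
    """Host values win over group values, group values over defaults."""
    merged = dict(DEFAULTS)
    for group in reversed(HOSTS[name]["groups"]):   # first-listed group wins
        merged.update(GROUPS[group])
    merged.update({k: v for k, v in HOSTS[name].items() if k != "groups"})
    return merged


def select(**criteria):
    """Inventory filtering: hosts whose resolved attributes match every criterion."""
    return sorted(name for name in HOSTS
                  if all(resolve(name).get(k) == v for k, v in criteria.items()))


def render_cisco_ios(policy):
    banner, minutes = policy["banner"], policy["idle_timeout_min"]
    return [f"banner login #{banner}#",
            "line vty 0 4",
            f" exec-timeout {minutes} 0",
            " transport input ssh"]        # SSH only, so Telnet is refused


def render_juniper_junos(policy):
    banner, minutes = policy["banner"], policy["idle_timeout_min"]
    return ["delete system services telnet",
            f'set system login message "{banner}"',
            # 'netops' is a hypothetical login class name
            f"set system login class netops idle-timeout {minutes}"]


def render_fortinet(policy):
    return ["config system global",
            f"set admintimeout {policy['idle_timeout_min']}",
            "set pre-login-banner enable",
            "end"]


RENDERERS = {"cisco_ios": render_cisco_ios,
             "juniper_junos": render_juniper_junos,
             "fortinet": render_fortinet}


def plan(policy=POLICY, **criteria):
    """Command list per selected host; an unknown platform raises KeyError."""
    return {name: RENDERERS[resolve(name)["platform"]](policy)
            for name in select(**criteria)}


if __name__ == "__main__":
    for host, commands in plan(role="router").items():
        print(host, commands)
```

Failing loudly on an unknown platform is deliberate: a device that silently receives no hardening commands would otherwise be reported as done.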

Secure Socket Shell (SSH) provides a secure channel for accessing and managing network devices, servers, and other systems. SSH is widely used for remote administration, file transfers, and secure communication between devices [51]. It listens on port 22 of the Transmission Control Protocol (TCP) by default [52]. The Nornir Netmiko plugin uses SSH, which provides users with a secure way to access a network device over an insecure network. A typical SSH connection session is illustrated in Fig. 2.

Fig. 2. SSH connection to network device.

Simulation

In the field of networking, network simulation tools are essential because they offer a virtual environment for creating, simulating, and evaluating intricate network infrastructures [53]. Researchers and network professionals are among the many who benefit from these technologies, which provide an adaptable platform for learning and experimenting without being limited by physical gear [54]. The simulations in this research were done on Graphical Network Simulation-3 (GNS3). It supports the use of both actual and virtual devices to model complicated networks. The images of the devices from various vendors, when imported into GNS3, simulate a real-world scenario [55]. This enables proper network analysis in terms of latency, throughput, and other network parameters [56]. GNS3 also has Wireshark integrated into it. Wireshark is the world’s prominent and widely used network protocol analyzer [57]. It is the most frequently used standard across commercial and non-profit firms, governmental organizations, and educational institutions because it enables comprehensive monitoring of network and traffic activities [58, 59].

To achieve the objectives of this research, five different simulations of different test cases were carried out. These test cases are illustrated in Fig. 3. The elapsed times of level 1 and level 2 for test cases 1, 3, and 4 were recorded. This will better inform network professionals on the time implication of implementing the security profiles based on the needs of their organizations and the sensitivity of their operations. From a general viewpoint, security profile level 1 had a higher elapsed time in all test cases. This is because it serves as the foundation of network device security and contains all the basic security implementations.

Fig. 3. Test scenarios with Nornir automation framework.

For the implementation and evaluation of the simulation, the code was written in the Visual Studio Code IDE. Table 3 presents the hardware specifications used to perform the simulations, and Table 4 presents the software specifications used to perform the simulations and capture performance metrics for analysis.

Table 3. Hardware specifications.

| Name | Description |
|---|---|
| CPU | Intel® Xeon® Silver 4216 CPU @ 2.10 GHz |
| OS | 64-bit Ubuntu 20.04.4 LTS |
| Memory | 128 GB |

Table 4. Software specifications.

| Name | Version | Purpose |
|---|---|---|
| GNS3 | 2.2.36 | Emulate a real network |
| GNS3 Virtual Machine | 2.2.36 | Build QEMU and IOU images |
| Visual Studio Code | 1.75.1 | Build automation scripts |
| Cisco IOU L3 | i86bi | Network device to be configured |
| FortiGate | 7.0.9-1 | Network device to be configured |
| Juniper vMX | 14.1R4.8-1 | Network device to be configured |
| VMware Workstation Pro | 16.2.4 | Virtual machine to run GNS3 |
| Nornir | 3.1.1 | Automation Framework |

Cisco IOU is an application that runs like any other Cisco IOS device because it is created as a native Solaris image. IOU supports all cross-platform features and protocols. This makes it a suitable choice for simulating networks in a virtual environment. The Cisco IOU L3, Juniper vMX, and FortiGate images were imported into GNS3 and installed on the GNS3 virtual machine, which has been integrated with the VMware Workstation Pro software.

Results and discussions

Test 1: Hardening of a Cisco router

The hardening rules for a Cisco router, as modeled in Fig. 4, have the following categories:

  • Management plane: CIS guidelines for the management plane aim to prevent unauthorized access and ensure that only authorized administrators can access and configure the device. This involves practices such as:
    • Enabling strong authentication mechanisms.
    • Restricting access to management interfaces to specific IP addresses or networks.
    • Disabling unnecessary services and features not required for management tasks.
    • Regularly updating and patching the device’s firmware and software.
  • Control plane: The control plane is responsible for routing and maintaining the device’s routing table. Hardening the control plane ensures the integrity and stability of the routing functions. The guidelines for the control plane include:
    • Implementing robust routing protocols and securing them with authentication mechanisms.
    • Applying route filtering and access control lists (ACLs) to control the flow of routing updates and prevent route manipulation by unauthorized entities.
    • Configuring route aggregation and summarization to reduce the size of routing tables and limit unnecessary exposure of internal network details.
  • Data plane: Securing the data plane involves protecting the device and network from unauthorized data traffic and potential threats. The CIS guidelines for the data plane include:
    • Applying access control lists (ACLs) to filter traffic based on allowed sources, destinations, and protocols.
    • Enabling features like Unicast Reverse Path Forwarding (uRPF) to prevent IP address spoofing and protect against certain types of denial-of-service (DoS) attacks.
    • Implementing encryption protocols like IPsec to secure data transmission across public or untrusted networks.

Fig. 4. Management, control, and data plane.
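
A way to verify the three planes after a hardening run, added here as an example that is not part of the paper: it parses an IOS-style configuration into sections and reports failed checks per plane. The running-config, the external-interface list and the check wording are constructed for illustration and are not quotations from a CIS benchmark.

```python
import re

# Constructed IOS-style running-config (203.0.113.0/24 is a documentation range).
RUNNING_CONFIG = """\
service password-encryption
aaa new-model
ip http server
!
interface Ethernet0/0
 ip address 192.168.40.2 255.255.255.0
!
interface Ethernet0/1
 ip address 203.0.113.1 255.255.255.0
 ip verify unicast source reachable-via rx
!
router ospf 1
 area 0 authentication message-digest
!
line vty 0 4
 exec-timeout 10 0
 transport input telnet ssh
!
"""

EXTERNAL_INTERFACES = ["Ethernet0/1"]   # assumption: supplied by the operator


def parse_sections(text):
    """Map each top-level line to its indented child lines (empty for globals)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None                      # '!' closes the open section
        elif raw[0] == " " and current is not None:
            sections[current].append(line)
        else:
            current = line
            sections[current] = []
    return sections


def each_has(sections, prefix, pattern, required=False):
    """True if every section starting with prefix has a child matching pattern.

    With no matching section the check passes unless the section is required.
    """
    found = [body for head, body in sections.items() if head.startswith(prefix)]
    if not found:
        return not required
    return all(any(re.fullmatch(pattern, child) for child in body) for body in found)


def urpf_on_external(sections):
    return all(any(c.startswith("ip verify unicast source reachable-via")
                   for c in sections.get(f"interface {name}", []))
               for name in EXTERNAL_INTERFACES)


CHECKS = [
    ("management", "AAA enabled", lambda s: "aaa new-model" in s),
    ("management", "password encryption enabled",
     lambda s: "service password-encryption" in s),
    ("management", "HTTP server disabled", lambda s: "ip http server" not in s),
    ("management", "VTY lines accept SSH only",
     lambda s: each_has(s, "line vty", r"transport input ssh", required=True)),
    ("management", "VTY idle timeout set",
     lambda s: each_has(s, "line vty", r"exec-timeout [1-9]\d* \d+", required=True)),
    ("control", "OSPF area authentication uses message digest",
     lambda s: each_has(s, "router ospf", r"area \S+ authentication message-digest")),
    ("data", "uRPF enabled on external interfaces", urpf_on_external),
]


def audit(text):
    """Return {plane: [names of failed checks]} for one device configuration."""
    sections = parse_sections(text)
    findings = {"management": [], "control": [], "data": []}
    for plane, name, check in CHECKS:
        if not check(sections):
            findings[plane].append(name)
    return findings


if __name__ == "__main__":
    for plane, failed in audit(RUNNING_CONFIG).items():
        print(f"{plane}: {failed or 'ok'}")
```

Matching `transport input ssh` as a whole line under its `line vty` parent is what catches the constructed `transport input telnet ssh` case, which a plain substring search for "ssh" would accept.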

To harden the Cisco router, the router is first connected to the automation workstation, which has PyCharm and Nornir installed; see Fig. 5. The network setup is shown in Figure 6 above. The automation workstation was assigned an IP address of 192.168.40.1/24 and the router interface eth0/0 was assigned an IP address of 192.168.40.2/24. These are both private IP addresses needed to establish connectivity between both devices. A ping test was done to confirm layer 3 connectivity between both devices. The output is shown in Fig. 6.

Fig. 5. Network setup for basic router configuration on GNS3.

Fig. 6. Successful ping test between workstation and router on GNS3.

Next, the host, config, group, and default YAML files were configured accordingly. Finally, the automation scripts were written to import the transport mechanism and integrate all the YAML files. Following the CIS benchmarks, the process of hardening a Cisco router is structured into three distinct planes: the Management Plane, the Control Plane, and the Data Plane. Specific configurations included AAA rules, access rules, banner rules, password rules, SNMP rules, global service, logging rules, NTP rules, loopback rules, routing rules, border routing filters, and OSPF authentication. The execution time was obtained by running the code 5 times for each plane. The average was then calculated and recorded. The duration to harden the various device planes is illustrated in Fig. 7 and shown in Table 5.

Fig. 7. Elapsed time for hardening the three router planes.

Table 5. Cisco hardening categories and elapsed time.

| SN | Name of Cisco area | Execution time (s) |
| --- | --- | --- |
| 1 | Management plane | 9.655 |
| 2 | Control plane | 2.913 |
| 3 | Data plane | 2.0449 |

As anticipated, the hardening process for the Management Plane consumed a noteworthy 10.1499 s of execution time. This elongated duration can be attributed to the comprehensive nature of the Management Plane’s responsibilities, encompassing critical administrative functions such as device configuration, monitoring, and remote access. It also involves securing authentication methods, implementing access controls, and configuring strong passwords [60]. These security measures collectively contribute to the safeguarding of the router, guaranteeing that access and management privileges are exclusively granted to authorized personnel. The execution times of the Level 1 and Level 2 profiles for Cisco router hardening were also recorded. The results are illustrated in Fig. 8.

Fig. 8. Elapsed time of Level 1 and Level 2 profile hardening.

The total execution time required to implement the entirety of the CIS recommended configuration, encompassing the Management, Control, and Data Plane configurations on the Cisco router, amounted to 11.4 s. Using a confidence level of 95%, the upper and lower confidence interval can be expressed as Inline graphic

Test 2: Hardening of 6 Cisco routers

Nornir distinguishes itself from other automation frameworks through its multithreading capabilities, which enhance efficiency and performance. This feature is facilitated through the utilization of the config.yaml file. This file allows for the specification of the number of workers, a parameter that dictates the extent to which multithreading is employed for the orchestration and configuration of network devices. To test this feature, the number of workers was set to 1, and the number of devices to be configured was increased from 1 to 3. The results obtained are shown in Table 6 and illustrated in Fig. 9.

Table 6. Elapsed time with number of workers set to 1.

| SN | Number of devices | Execution time (s) |
| --- | --- | --- |
| 1 | 1 | 11.425 |
| 2 | 2 | 20.26 |
| 3 | 3 | 29.8 |

Fig. 9. Hardening of devices with number of workers set to 1.

The test results demonstrate that setting the number of workers to a value of 1 resulted in the sequential execution of hardening tasks, with each task carried out one after the other. Part of the objective of this research is to compare the performance of our proposed framework with previous studies; hence, a topology of 6 devices was set up similar to the one used in previous studies. The topology is shown in Fig. 10.

Fig. 10. Topology setup for hardening six Cisco routers.

To determine the optimal number of workers for configuring 6 Cisco devices, the number of workers was incrementally increased and the corresponding execution times were recorded. The lowest execution time of 12.83 s was obtained when the number of workers was 6. Hence, subsequent hardening implementations were done with 6 workers. To compare the elapsed time of our device hardening process with the findings reported in a previous research paper, Ansible was used to harden 6 Cisco devices. The execution time obtained was 72 s. This presents an 82.18% decrease in execution time. Our proposed automation framework is approximately 5.61 times faster, mostly due to its multithreading ability. To the best of our knowledge, this is the only paper found that used CIS guidelines to harden network devices. Figure 11 shows the elapsed time using both methodologies.
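The effect of the worker count described in Test 2, as an added example that is not the authors' code: Python's standard ThreadPoolExecutor stands in for Nornir's threaded runner, and the device names and the sleep that simulates SSH wait time are constructed. It goes beyond the measurements above by also recording a failed device without stopping the others, so an unhardened host is never silently skipped.

```python
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed inventory: six routers, each spending 0.1 s "on the wire".
# A negative wait marks a device that cannot be reached (assumption used
# only to simulate a failure).
DEVICES = {f"R{i}": 0.1 for i in range(1, 7)}


def harden(host, io_wait):
    """Stand-in for one device's hardening task; sleeps instead of using SSH."""
    if io_wait < 0:
        raise ConnectionError(f"{host}: unreachable")
    time.sleep(io_wait)
    return f"{host}: hardened"


def run(devices, num_workers):
    """Run harden() on every device with a bounded pool of worker threads.

    Returns (elapsed_seconds, ok_hosts, failed_hosts). A failure on one
    device is recorded and does not stop the remaining devices.
    """
    ok, failed = [], {}
    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=num_workers) as pool:
        futures = {pool.submit(harden, h, w): h for h, w in devices.items()}
        for fut in as_completed(futures):
            host = futures[fut]
            try:
                fut.result()
                ok.append(host)
            except Exception as exc:
                failed[host] = str(exc)
    return time.perf_counter() - start, sorted(ok), failed


def sweep(devices, max_workers):
    """Time the same job for 1..max_workers and return {workers: seconds}."""
    return {w: run(devices, w)[0] for w in range(1, max_workers + 1)}


def best_worker_count(timings, tolerance=0.10):
    """Smallest worker count whose time is within `tolerance` of the fastest."""
    fastest = min(timings.values())
    return min(w for w, t in timings.items() if t <= fastest * (1 + tolerance))


if __name__ == "__main__":
    timings = sweep(DEVICES, 6)
    for workers, seconds in timings.items():
        print(f"workers={workers}: {seconds:.3f} s")
    print("chosen worker count:", best_worker_count(timings))
    # One unreachable device among three: the other two are still hardened.
    _, ok, failed = run({"R1": 0.01, "R2": -1, "R3": 0.01}, 2)
    print("hardened:", ok, "failed:", failed)
```

With one worker the elapsed time grows with every added device, as in Table 6; with as many workers as devices it approaches the time of the slowest single device.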

Fig. 11. Execution time comparison.

To contextualize our performance gains shown in Table 7, ref. 12 reports manual hardening of 6 Cisco devices taking 122 min 40 s (7360 s). Compared to this baseline, our framework demonstrates a 99.83% time reduction, translating to a 574× operational efficiency gain. Even against Ansible’s automated approach (72 s), our solution achieves a 5.61× speed advantage while maintaining full CIS compliance across all devices. The multithreading efficiency of 95.2% ensures near-linear scaling with 6 parallel workers (1:1 device-worker ratio), outperforming Ansible’s single-threaded architecture by 82.18%.

Table 7. Comparative performance analysis (6 Cisco devices).

| Metric | Nornir | Ansible [12] | Manual [12] | Improvement |
| --- | --- | --- | --- | --- |
| Total execution time | 12.83 s | 72 s | 7360 s | 82.18% vs Ansible; 99.83% vs Manual |
| Time per device | 2.14 s/device | 12 s/device | 1226.67 s/device | 5.61× vs Ansible; 573× vs Manual |
| Scalability | 6 workers (1:1) | Single-threaded | N/A | Linear scaling |
| Multithreading efficiency | 95.2% | N/A | N/A | N/A |
| OEG | 574× | 102× | 1× | 5.61× vs Ansible; 574× vs Manual |

Test 3: Hardening a Fortigate firewall

In this experiment, a hardening process was conducted on a FortiGate firewall while adhering to the Center for Internet Security (CIS) benchmarks. A FortiGate 7.0.9-1 image was used for the simulation. It was connected to the automation workstation via port 1. The network topology is shown in Fig. 12.

Fig. 12. Network topology for FortiGate hardening.

The hardening measures covered the following key categories:

  • Network settings
    • Restricting access to management interfaces and services.
    • Configuring secure protocols for remote management access.
    • Enabling logging and monitoring for network events.
  • System settings
    • Applying the principle of least privilege for administrative access.
    • Disabling unnecessary services and protocols.
    • Enforcing strong password policies and user authentication mechanisms.
  • Policy and object
    • Reviewing and optimizing firewall policies.
    • Limiting traffic to only essential services and applications.
    • Defining and organizing objects for efficient policy management.
  • Security profiles
    • Creating custom security profiles for traffic inspection.
    • Configuring antivirus, intrusion prevention, and web filtering profiles.
    • Enabling application control to manage application usage.
  • Security fabric
    • Integrating the FortiGate firewall with other security components.
    • Setting up automated threat intelligence sharing for enhanced threat detection.
  • VPN
    • Establishing secure Virtual Private Network (VPN) connections.
    • Enabling encryption protocols for data privacy and integrity.
  • Users and authentication
    • Implementing secure authentication methods, such as two-factor authentication (2FA).
    • Integrating with existing authentication systems like LDAP or Active Directory.
  • Logs and reports
    • Configuring logging to capture security events and anomalies.
    • Generating regular reports for monitoring and analysis.

The first step was configuring the port1 interface and enabling SSH for remote access from the automation workstation. This can be verified by the “show system interface port1” command output as shown in Fig. 13.

Fig. 13. Port1 interface with IP address and SSH enabled.

Following the completion of the hardening process, the elapsed time for each category was computed (Table 8 and Fig. 14). The system settings involve configurations related to the fundamental behavior and operation of the firewall and, hence, have the longest execution time. They also include settings related to system resources, administrative access, and core functionalities. The complexity of these configurations contributes to the longer time needed for hardening. The elapsed time for Level 1 and Level 2 profiles is also provided in Fig. 15. The process of implementing the full CIS recommended configuration of FortiGate, spanning all the categories, took 13.93 s from start to completion; see Figs. 14 and 15.

Table 8. FortiGate hardening categories and elapsed time.

| SN | Name of FortiGate area | Execution time (s) |
| --- | --- | --- |
| 1 | Network settings | 12.477 |
| 2 | System settings | 13.119 |
| 3 | Policy and Objects | 12.442 |
| 4 | Security profiles | 12.498 |
| 5 | Security fabric | 12.672 |
| 6 | VPN | 12.468 |
| 7 | Users and authentication | 12.458 |
| 8 | Logs and reports | 12.429 |

Fig. 14. Elapsed time of FortiGate hardening categories.

Fig. 15. Elapsed time of Level 1 and Level 2 profile hardening.

Test 4: Hardening a Juniper router

A further test assessed the security enhancement measures applied to a Juniper router, using the Juniper vMX 14.1R4.8.9-1 image. These security enhancements align with the guidelines prescribed by the Center for Internet Security (CIS). To enable layer 3 connectivity with the workstation, the Juniper router was assigned an IP address of 192.168.40.100/24, as depicted in the network topology and the “show configuration interface em2” output presented in Figs. 16 and 17.

Fig. 16. Network topology for Juniper hardening.

Fig. 17. em2 interface configuration.

The security enhancements encompassed the essential categories listed below:

  • Firewall
    • JUNOS Devices offer stateless, per-packet firewall functionality for IPv4, IPv6, and MPLS traffic. The filters can also be employed to safeguard the Junos device itself.
    • The filters are set up within the [edit firewall] hierarchy.
  • Interface
    • This section offers guidance for the secure configuration of interface-specific parameters and options.
    • These settings are found within the [edit interfaces] hierarchy.
  • Protocols
    • This hierarchy is instrumental in device hardening, accommodating a broad spectrum of protocols, which encompasses crucial elements like routing protocols, MPLS, and PIM.
    • Its parameters are contained under the [edit protocols] hierarchy.
  • SNMP
    • The Simple Network Management Protocol (SNMP) offers a standardized interface for the management and monitoring of network devices.
    • This section offers essential guidance for configuring SNMP parameters securely, which are contained under the [edit snmp] hierarchy.
  • System
    • In the context of device hardening, this section delves into the configurations that pertain directly to the JUNOS system, encompassing aspects like DNS Servers, Hostname, Configuration Archiving, and User management.
    • All of these configurations are implemented within the [edit system] hierarchy.

After the hardening process was implemented, the time required for each category was measured. As with the FortiGate firewall, the system category takes the longest time, for similar reasons. The findings are provided in Table 9 and Fig. 18.

Table 9. Juniper hardening categories and elapsed time.

| SN | Name of Juniper area | Execution time (s) |
| --- | --- | --- |
| 1 | Firewall | 1.421 |
| 2 | Interface | 1.360 |
| 3 | Protocols | 2.534 |
| 4 | SNMP | 1.079 |
| 5 | System | 3.928 |

Fig. 18. Elapsed time of Juniper hardening categories.

Furthermore, to offer a more granular perspective on the hardening process, the elapsed time specifically associated with the Level 1 and Level 2 security profiles is detailed in Fig. 19.

Fig. 19. Elapsed time of Level 1 and Level 2 profile hardening.

Test 5: Hardening a multivendor network

The network topology employed for assessing the device hardening in a multi-vendor environment is depicted in Fig. 20. The devices selected for the hardening process include 8 Cisco routers, 7 Juniper routers, and 3 Fortinet firewalls, making a total of 18 devices. The simulation was executed using an incremental approach, introducing devices one after the other to evaluate how the elapsed time increases as the number of devices increases. Figure 21 shows that the longest time intervals during the entire process were VT1 and VT2, which were 7.7 s and 12.3 s, respectively. VT1 denotes the transition from the last Cisco device to the first Juniper device, while VT2 denotes the transition from the last Juniper device to the first FortiGate device. The elapsed time for the entire process was 44 s. Using a confidence level of 95%, the upper and lower confidence interval can be expressed as [43.8, 44.1] s.

Fig. 20. Multivendor network topology.

Fig. 21. Elapsed time to configure 18 devices.

Role of CIS benchmarks in multi-vendor consistency and security

A core strength of our framework lies in its reliance on CIS benchmarks to enforce standardized security policies across heterogeneous devices. While vendors like Cisco, Juniper, and Fortinet employ distinct configuration syntaxes and features, CIS benchmarks act as a universal security blueprint, translating vendor-agnostic best practices into device-specific hardening steps. This approach ensures three critical outcomes:

  • Consistency:
    • Unified Policies: CIS Level 1/2 profiles provide a common language for security requirements (e.g., disabling insecure protocols like Telnet, enforcing SNMPv3). For example:
      • Cisco: no logging monitor (disables unencrypted log access).
      • Juniper: set system syslog file messages any error (secures logging).
      • FortiGate: config system snmp sysinfo; set status disable; end (restricts SNMP exposure).
  • Security:
    • Baseline Hardening: CIS benchmarks address high-risk vectors (e.g., default credentials, unpatched services) common across vendors. In Test 5 (18 devices), our framework eliminated all password-related vulnerabilities (e.g., weak hashing) and attack surfaces linked to unused services (e.g., HTTP interfaces).
    • Vendor-Specific Mitigations: CIS guidelines adapt to vendor architectures. For instance:
      • Cisco: Enforced role-based access control (RBAC) via aaa authorization exec default local.
      • Juniper: Restricted management plane access using set system services ssh root-login deny.
      • FortiGate: Enabled application control profiles to block malicious payloads.
  • Operational Scalability:
    • Automated Compliance Mapping: Nornir’s inventory grouped devices by vendor (e.g., cisco_ios, juniper_junos), allowing CIS rules to be applied using vendor-specific Jinja2 templates.
  • Challenges and Mitigations:
    • Syntax Variations: FortiGate’s CLI structure required custom task plugins (e.g., fortinet_apply_config) to map CIS rules accurately.
  • Comparison with Prior Work:
    • Unlike Ansible-based approaches [12], which lack native CIS mappings for multi-vendor networks, the CIS-centric design of our framework ensures that security policies are not only automated, but also standardized between vendors. This eliminates “security silos” where individual devices meet vendor-specific guidelines but introduce inconsistencies at the network level.
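One way to verify after a run that the settings quoted above are actually present on each vendor's device, as an added example that is not part of the authors' framework. Only the configuration commands come from this page; the control names, the "fortinet" group name and all sample configurations are constructed.

```python
import re

# Expected post-hardening settings per Nornir-style platform group. The
# commands are the ones quoted on this page; the control names and the
# "fortinet" group name are assumptions made for this example.
REQUIRED = {
    "cisco_ios": {
        "log-monitor-off": "no logging monitor",
        "exec-authorization": "aaa authorization exec default local",
    },
    "juniper_junos": {
        "syslog-errors": "set system syslog file messages any error",
        "ssh-root-login": "set system services ssh root-login deny",
    },
    "fortinet": {
        # (enclosing config block path, setting, required value)
        "snmp-disabled": (("system snmp sysinfo",), "status", "disable"),
    },
}

# Constructed sample configurations: {host: (platform, config text)}.
SAMPLE = {
    "R1": ("cisco_ios", "aaa authorization exec default local\nno logging monitor\n"),
    "R2": ("cisco_ios", "aaa authorization exec default local\n"
                        "logging monitor informational\n"),
    "J1": ("juniper_junos", "set system syslog file messages any error\n"
                            "set system services ssh root-login deny-password\n"),
    "FW1": ("fortinet", "config system snmp sysinfo\n    set status disable\nend\n"),
    "FW2": ("fortinet", "config system snmp sysinfo\n    set status enable\nend\n"
                        "config system global\n    set hostname \"FW2\"\nend\n"),
}


def normalized_lines(text):
    """Return the set of config lines, whitespace collapsed, comments dropped."""
    lines = set()
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line and not line.startswith(("!", "#")):
            lines.add(line)
    return lines


def parse_fortios(text):
    """Parse nested FortiOS 'config/edit/set/next/end' text.

    Returns {path_tuple: {setting: value}}, where path_tuple lists the
    enclosing 'config' and 'edit' names from outermost to innermost.
    """
    settings, stack = {}, []
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        head = words[0]
        if head == "config":
            stack.append(" ".join(words[1:]))
        elif head == "edit":
            stack.append("edit " + " ".join(words[1:]).strip('"'))
        elif head in ("next", "end"):
            if stack:
                stack.pop()
        elif head == "set" and len(words) >= 3 and stack:
            value = " ".join(words[2:]).strip('"')
            settings.setdefault(tuple(stack), {})[words[1]] = value
    return settings


def audit(platform, config_text):
    """Return {control name: True/False} for one device's configuration."""
    required = REQUIRED[platform]
    if platform == "fortinet":
        parsed = parse_fortios(config_text)
        return {name: parsed.get(path, {}).get(key) == value
                for name, (path, key, value) in required.items()}
    # Exact line match: "root-login deny-password" must not satisfy "deny".
    present = normalized_lines(config_text)
    return {name: line in present for name, line in required.items()}


def audit_inventory(inventory):
    """Return {host: sorted list of failed control names}."""
    report = {}
    for host, (platform, text) in inventory.items():
        results = audit(platform, text)
        report[host] = sorted(name for name, ok in results.items() if not ok)
    return report


if __name__ == "__main__":
    for host, failed in audit_inventory(SAMPLE).items():
        print(host, "PASS" if not failed else "FAIL: " + ", ".join(failed))
```

FortiOS "show" omits settings left at their defaults, so feed the FortiGate check the output of "show full-configuration"; otherwise a correctly disabled setting can be reported as missing.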

Conclusion and future work

Conclusion

The central objective of this research was to automate the security hardening procedures for network devices, specifically routers and firewalls. Traditionally, these hardening processes have been executed manually, a method known for its inefficiency and potential inadequacy, resulting in vulnerabilities within an organization’s network security. The solution encompasses the hardening of network devices from diverse vendors, including industry leaders such as Cisco, Juniper, and Fortigate, using Cisco IOU, Juniper vMX, and Fortigate images in a virtual environment as a proof of concept.

The experiments carried out in this research were categorized into various test cases. In the first test case, an automation workstation was set up in the virtual environment and interfaced with a Cisco router. The hardening procedure was implemented to cover the management, control, and data planes of the Cisco router. The second test case compared the results obtained from hardening 6 Cisco routers with previous work. Significantly less time was recorded, which demonstrates the multithreading abilities of the Nornir automation framework. The third test case involved the hardening of a FortiGate firewall using the initial setup workstation. System settings and security fabric had the longest hardening time due to the numerous configurations that need to be implemented on a firewall device. This ensures that the entire internal fabric of a network architecture is secure, with the firewall device at the edge of the network. The fourth test case involved hardening a Juniper router. For a Juniper router to be fully hardened, a network administrator needs to pay more attention to the protocols and system settings categories. This is due to the loopholes that an attacker can use to infiltrate the router if it has loose protocol configurations. For test cases 1, 3, and 4, the system/management category took the longest time to harden. This is attributed to the fact that the “System” category involves configurations related to the overall system behavior, including core settings, system resources, and global parameters. Configuring these settings is more complex and involves a larger number of parameters compared to other aspects. The last test case implemented the hardening procedure on a multi-vendor network involving Cisco routers, Juniper routers, and FortiGate firewalls.

The approach used is user-friendly and can be used by individuals with limited prior knowledge of routers, firewalls, and in-depth networking concepts. The conclusive findings affirm that employing an automation framework featuring multi-vendor and multi-threading capabilities can yield substantial enhancements in the performance of the automation process, thereby fortifying the security posture of network devices. The impact of the research findings extends beyond mere efficiency gains. These findings are of paramount importance to network security professionals, as our approach not only accelerates the hardening process but also minimizes the likelihood of configuration inconsistencies.

Limitations

While the results are promising, several limitations must be acknowledged:

  • Emulation vs. physical hardware: GNS3-based testing cannot replicate hardware-specific behaviors (e.g., ASIC acceleration in FortiGate firewalls), potentially underestimating real-world latency and performance impacts.

  • CIS benchmark gaps: Certain controls (e.g., firmware updates) require vendor-specific APIs beyond CLI automation, necessitating hybrid workflows for full compliance.

  • Static rule limitations: Unlike AI-driven tools, the framework’s reliance on predefined rules limits adaptability to zero-day threats and evolving attack vectors.

Future work

To address these limitations and expand the framework’s capabilities, we propose the following directions:

  1. Hybrid automation architecture: Integrate Nornir with vendor APIs (Cisco DNA Center, FortiManager) to synchronize firmware updates and hardware-specific configurations, bridging the gap between emulated and physical environments.

  2. Distributed scalability: Implement Redis or Celery for task queuing across multiple automation servers, enabling horizontal scaling for large enterprise networks.

  3. AI-augmented hardening: Develop ML models trained on CVE databases and threat feeds (STIX/TAXII) to dynamically adjust CIS policies, enabling proactive mitigation of zero-day threats.

  4. Real-world validation: Conduct large-scale trials across ISPs and enterprise networks, benchmarking performance against commercial tools like Ansible and SolarWinds.

  5. Behavioral analytics integration: Incorporate user/entity behavior analytics (UEBA) to detect insider threats through anomaly detection in administrative access patterns.

These advancements will transform the framework from a hardening tool into an adaptive, self-learning security ecosystem, capable of addressing both current infrastructure challenges and emerging cyber threats. Future efforts will prioritize collaboration with network vendors and open-source communities to ensure interoperability and real-world relevance.

Acknowledgements

The authors would like to acknowledge the support provided by King Fahd University of Petroleum and Minerals in conducting this research.

Funding

This research did not receive funding from any party.

Data availability

The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.

Declarations

Competing Interests

The authors declare no competing interests.

Ethical approval and consent to participate

This study did not involve any human participants, human data, or human tissue.

Footnotes

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

  • 1. Rawat, D. B. & Reddy, S. R. Software defined networking architecture, security and energy efficiency: A survey. IEEE Commun. Surv. Tutor. 19(1), 325–346. 10.1109/COMST.2016.2618874 (2017).
  • 2. Aguado, A. et al. Virtual network function deployment and service automation to provide end-to-end quantum encryption. J. Opt. Commun. Netw. 10(4), 421–430. 10.1364/JOCN.10.000421 (2018).
  • 3. Nunes, B. A. A., Mendonca, M., Nguyen, X.-N., Obraczka, K. & Turletti, T. A survey of software-defined networking: Past, present, and future of programmable networks. IEEE Commun. Surv. Tutor. 16(3), 1617–1634. 10.1109/SURV.2014.012214.00180 (2014).
  • 4. Jambunatha, K. Design and implement Automated Procedure to upgrade remote network devices using Python. In 2015 IEEE International Advance Computing Conference (IACC) 217–221. 10.1109/IADCC.2015.7154701 (2015).
  • 5. Kumari, P. & Jain, A. K. A comprehensive study of DDoS attacks over IoT network and their countermeasures. Comput. Secur. 127, 103096. 10.1016/j.cose.2023.103096 (2023).
  • 6. Alhaj, A. N. & Dutta, N. Analysis of security attacks in SDN network: A comprehensive survey. In Contemporary Issues in Communication, Cloud and Big Data Analytics. Lecture Notes in Networks and Systems (eds Sarma, H. K. D., Balas, V. E., Bhuyan, B., & Dutta, N.) 27–37 (Springer, 2022). 10.1007/978-981-16-4244-9_3.
  • 7. Tudosi, A.-D., Balan, D. G. & Potorac, A. D. Secure network architecture based on distributed firewalls. In 2022 International Conference on Development and Application Systems (DAS) 85–90 (2022). 10.1109/DAS54948.2022.9786092.
  • 8. Burke, Q. et al. Enforcing multilevel security policies in unstable networks. IEEE Trans. Netw. Serv. Manag. 19(3), 2349–2365. 10.1109/TNSM.2022.3176820 (2022).
  • 9. Chowdhary, A., Sabur, A., Vadnere, N. & Huang, D. Intent-driven security policy management for software-defined systems. IEEE Trans. Netw. Serv. Manag. 19(4), 5208–5223. 10.1109/TNSM.2022.3183591 (2022).
  • 10. Reinelt, D. & Wolframm, M. Security in virtual automation networks. In 2008 IEEE International Conference on Emerging Technologies and Factory Automation 480–483 (2008). 10.1109/ETFA.2008.4638441.
  • 11. Arzo, S. et al. A theoretical discussion and survey of network automation for IoT: Challenges and opportunity. IEEE Internet of Things J. 8, 12021–12045. 10.1109/JIOT.2021.3075901 (2021).
  • 12. Ortiz-Garcés, I., Echeverría, A. & Andrade, R. O. Automation tasks model for improving hardening levels on campus networks. In 2021 Fifth World Conference on Smart Trends in Systems Security and Sustainability (WorldS4) 30–35 (2021). 10.1109/WorldS451998.2021.9514030.
  • 13. Perera, H. M. D. G. V., Samarasekara, K. M., Hewamanna, I. U. K., Kasthuriarachchi, D. N. W., Abeywardena, K. Y. & Yapa, K. NetBot—An automated router hardening solution for small to medium enterprises. In 2021 IEEE 12th Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON) 15–21 (2021). 10.1109/IEMCON53756.2021.9623186.
  • 14. Bustamante, A. J., Ghimire, N., Sanghavi, P. R., Sharma, S. & Maheshwari, D. An empirical evaluation of machine learning for hardening security devices in data networks. In 2021 IEEE CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON) 1–5 (2021). 10.1109/CHILECON54041.2021.9703085.
  • 15. Zenitani, K. A multi-objective cost-benefit optimization algorithm for network hardening. Int. J. Inf. Secur. 21(4), 813–832. 10.1007/s10207-022-00586-7 (2022).
  • 16. Sobeslav, V., Balik, L., Hornig, O., Horalek, J. & Krejcar, O. Endpoint firewall for local security hardening in academic research environment. J. Intell. Fuzzy Syst. 32(2), 1475–1484. 10.3233/JIFS-169143 (2017).
  • 17. Tariq, U., Ahmed, I., Bashir, A. K. & Shaukat, K. A critical cybersecurity analysis and future research directions for the internet of things: A comprehensive review. Sensors 23(8), 4117. 10.3390/s23084117 (2023).
  • 18. Aslan, Ö., Aktug, S., Ozkan Okay, M., Yılmaz, A. & Akin, E. A comprehensive review of cyber security vulnerabilities, threats, attacks, and solutions. Electronics 12, 1–42. 10.3390/electronics12061333 (2023).
  • 19. Gupta, A. & Anand, A. Ethical hacking and hacking attacks. Int. J. Eng. Comput. Sci. 610, 2319–7242. 10.18535/ijecs/v6i4.42 (2017).
  • 20. Enoch, S. Y., Mendonça, J., Hong, J. B., Ge, M. & Kim, D. S. An integrated security hardening optimization for dynamic networks using security and availability modeling with multi-objective algorithm. Comput. Netw. 208, 108864. 10.1016/j.comnet.2022.108864 (2022).
  • 21. Sasidharan, R. A case study to implement windows system hardening using CIS controls. Int. J. Comput. Trends Technol. 70, 1–7. 10.14445/22312803/IJCTT-V70I7P101 (2022).
  • 22. Winarno, H., Yasin, F., Prasetyo, M. A., Rohman, F., Shihab, M. R. & Ranti, B. IT infrastructure security risk assessment using the center for internet security critical security control framework: A Case study at insurance company. In 2020 3rd International Conference on Computer and Informatics Engineering (IC2IE) 404–409 (2020). 10.1109/IC2IE50715.2020.9274594.
  • 23. Sedano, W. K. & Salman, M. Auditing Linux operating system with center for internet security (CIS) standard. In 2021 International Conference on Information Technology (ICIT) 466–471 (2021). 10.1109/ICIT52682.2021.9491663.
  • 24. Mihăilă, P., Balan, T., Curpen, R. & Sandu, F. Network Automation and abstraction using python programming methods. In MACRo 2015 2. 10.1515/macro-2017-0011 (2017).
  • 25. Lee, S., Wong, T. & Kim, H. S. To Automate or not to automate: On the complexity of network configuration. In 2008 IEEE international conference on communications 5726–5731 (IEEE, 2008). 10.1109/ICC.2008.1072.
  • 26. Ilie, M.-A. & Rîncu, C. I. Convergence and security improvements by using automation in DMVPN networks. In 2022 14th International Conference on Communications (COMM) 1–5 (2022). 10.1109/COMM54429.2022.9817308.
  • 27. Babaei, A., Kebria, P. M. & Nahavandi, S. A survey on automation technologies used in network control and management. In 2022 15th International Conference on Human System Interaction (HSI) 1–6 (2022). 10.1109/HSI55341.2022.9869444.
  • 28. Altalebi, O. W. J. & Ibrahim, A. A. Optimization of elapsed time of automation for large-scale traditional networks and proposing new automation scripts. In 2022 International Congress on Human–Computer Interaction, Optimization and Robotic Applications (HORA) 1–10. 10.1109/HORA55278.2022.9799873 (2022).
  • 29. Islami, M. F., Musa, P. & Lamsani, M. Implementation of Network Automation Using Ansible to Configure Routing Protocol in Cisco and Mikrotik Router with Raspberry PI 19 (2020).
  • 30. Santyadiputra, G. S., Listartha, I. M. E. & Saskara, G. The effectiveness of automatic network administration (ANA) in network automation simulation at Universitas Pendidikan Ganesha. J. Phys. Conf. Ser. 1810, 012028. 10.1088/1742-6596/1810/1/012028 (2021).
  • 31. Yadav, S. Research paper on network automation. Int. J. Res. Appl. Sci. Eng. Technol. 7(4), 1446–1450. 10.22214/ijraset.2019.4261 (2019).
  • 32. Mysari, S. & Bejgam, V. Continuous integration and continuous deployment pipeline automation using Jenkins ansible. In 2020 International Conference on Emerging Trends in Information Technology and Engineering (ic-ETITE) 1–4 (2020). 10.1109/ic-ETITE47903.2020.239.
  • 33. Horton, E. & Parnin, C. Dozer: Migrating shell commands to ansible modules via execution profiling and synthesis. In 2022 IEEE/ACM 44th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP) 147–148 (2022). 10.1145/3510457.3513060.
  • 34. Using Ansible as Part of TOSCA Orchestrator | IEEE Conference Publication | IEEE Xplore. https://ieeexplore.ieee.org/document/9394038. Accessed 2024-01-03.
  • 35. Puppet Infrastructure & IT Automation at Scale | Puppet by Perforce. https://www.puppet.com/. Accessed 2023-07-19.
  • 36. Shah, J. A. & Dubaria, D. NetDevOps: A new era towards networking & DevOps. In 2019 IEEE 10th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) 775–779. 10.1109/UEMCON47517.2019.8992969 (2019).
  • 37. Chef Software DevOps Automation Solutions | Chef. https://www.chef.io/. Accessed 2023-07-19.
  • 38. Kostromin, R. Survey of Software Configuration Management Tools of Nodes in Heterogeneous Distributed Computing Environment. 10.47350/ICCS-DE.2020.15 (2020).
  • 39. Saltproject.io. https://saltproject.io/index.html. Accessed 2023-07-19.
  • 40. Masek, P., Stusek, M., Krejci, J., Zeman, K., Pokorny, J. & Kudlacek, M. Unleashing full potential of ansible framework: University labs administration. In 2018 22nd Conference of Open Innovations Association (FRUCT) 144–150 (2018). 10.23919/FRUCT.2018.8468270.
  • 41. Welcome to Paramiko! - Paramiko documentation. https://www.paramiko.org/. Accessed 2023-01-22.
  • 42. Karki, S. Performance Comparison of SSH Libraries 23(6) (2021).
  • 43. Li, Z.-Y., Zhou, B., Zhou, W.-G., Xu, T.-Q. & Zhang, X.-F. Application research on an automated batch network reinforcement method based on ssh protocol. In Communications, Signal Processing, and Systems (eds Liang, Q. et al.) 101–109 (Springer, 2022).
  • 44. Welcome to nornir’s documentation! - nornir 3.1.1 documentation. https://nornir.readthedocs.io/en/latest/index.html. Accessed 2023-01-24.
  • 45. Mohd Fuzi, M. F., Abdullah, K., Abd Halim, I. H. & Ruslan, R. Network automation using ansible for EIGRP network. J. Comput. Res. Innov. 6(4), 59–69. 10.24191/jcrinn.v6i4.237 (2021).
  • 46. Soderman, D. & Pekkanen, P. Network Hardening of Multilayer Switch.
  • 47. Hardening Critical Infrastructure Networks Against Attacker Reconnaissance | SpringerLink. 10.1007/978-3-030-59854-9_19. Accessed 2024-01-03.
  • 48. Selvarajan, S. et al. Secured 6g communication for consumer electronics with advanced artificial intelligence algorithms. IEEE Trans. Consum. Electron. 6, 66 (2024).
  • 49. Khadidos, A. O. et al. Distribution of resources beyond 5g networks with heterogeneous parallel processing and graph optimization algorithms. Cluster Comput. 27(6), 8269–8287 (2024).
  • 50. Selvarajan, S. et al. Pudt: Plummeting uncertainties in digital twins for aerospace applications using deep learning algorithms. Future Gen. Comput. Syst. 153, 575–586. 10.1016/j.future.2023.11.034 (2024).
  • 51. Sikeridis, D., Kampanakis, P. & Devetsikiotis, M. Assessing the overhead of post-quantum cryptography in TLS 1.3 and SSH. In Proceedings of the 16th International Conference on Emerging Networking EXperiments and Technologies. CoNEXT’20 149–156 (Association for Computing Machinery, 2020). 10.1145/3386367.3431305.
  • 52. González, S., Herrero, Á., Sedano, J., Zurutuza, U. & Corchado, E. Different approaches for the detection of SSH anomalous connections. Logic J. IGPL 24(1), 104–114. 10.1093/jigpal/jzv047 (2016).
  • 53. Smera, C. & Sandeep, J. Networks simulation: Research based implementation using tools and approaches. In 2022 IEEE 3rd Global Conference for Advancement in Technology (GCAT) 1–7 (2022). 10.1109/GCAT55367.2022.9972119.
  • 54. Campanile, L., Gribaudo, M., Iacono, M., Marulli, F. & Mastroianni, M. Computer network simulation with ns-3: A systematic literature review. Electronics 9(2), 272. 10.3390/electronics9020272 (2020).
  • 55. Alrashide, A., Abdelrahman, M. S., Kharchouf, I. & Mohammed, O. A. GNS3 communication network emulation for substation goose based protection schemes. In 2022 IEEE International Conference on Environment and Electrical Engineering and 2022 IEEE Industrial and Commercial Power Systems Europe (EEEIC/I&CPS Europe) 1–6 (2022). 10.1109/EEEIC/ICPSEurope54979.2022.9854689.
  • 56.Tego, E., Attanasio, V. & Matera, F. GNS-3 emulation platform to study wide area network performance in contexts close to reality. In 2022 AEIT International Annual Conference (AEIT) 1–6 (2022). 10.23919/AEIT56783.2022.9951844.
  • 57.Hu, X. & Zhou, Y. Wireshark packet dissector for DL/T 860 protocol. In 2022 4th International Conference on Electrical Engineering and Control Technologies (CEECT) 30–34 (2022). 10.1109/CEECT55960.2022.10030402.
  • 58.CV, R. K. & Goyal, H. IPv4 to IPv6 migration and performance analysis using GNS3 and wireshark. In 2019 International Conference on Vision Towards Emerging Trends in Communication and Networking (ViTECoN) 1–6 (2019). 10.1109/ViTECoN.2019.8899746.
  • 59.Masruroh, S. U., Widya, K. H. P., Fiade, A. & Julia, I. R. Performance evaluation DMVPN using routing protocol RIP, OSPF, And EIGRP. In 2018 6th International Conference on Cyber and IT Service Management (CITSM) 1–6 (2018). 10.1109/CITSM.2018.8674051.

Data Availability Statement

The datasets used and/or analyzed during the current study are available from the corresponding author on reasonable request.


Articles from Scientific Reports are provided here courtesy of Nature Publishing Group
