2.3 - Configuring a SOHO Firewall Flashcards

1
Q

Firewall and DMZ ports

A
• Every SOHO router is also a firewall
• No external device can directly access the internal network
• This normally can’t be disabled
• DMZ ports can be configured to allow unrestricted access
• This is almost always a bad idea
• Consider creating more specific port forwarding rules
• Or perhaps don’t allow any access
2
Q

NAT (Network Address Translation)

A

• It is estimated that there are over 20 billion devices connected to the Internet (and growing)
• IPv4 supports around 4.29 billion addresses
• The address space for IPv4 is exhausted
• There are no available addresses to assign
• How does it all work?
• Network Address Translation
• This isn’t the only use of NAT
• NAT is handy in many situations

3
Q

Configuring NAT

A

• For SOHO devices, this is automatic
• Source NAT, also called PAT (Port Address Translation)
• All internal devices are translated to a single external address

4
Q

Port forwarding

A

• 24x7 access to a service hosted internally
• Web server, gaming server, security system, etc.
• External IP/port number maps to an internal IP/port
• Does not have to be the same port number
• Also called Destination NAT or Static NAT
• Destination address is translated from a public IP to a private IP
• Does not expire or timeout
• Port forwarding

5
Q

UPnP (Universal Plug and Play)

A

• Allows network devices to automatically configure and find other network devices
• Zero-configuration
• Applications on the internal network can open inbound ports using UPnP
• No approval needed
• Used for many peer-to-peer (P2P) applications
• Best practice would be to disable UPnP
• Only enable if the application requires it
• And maybe not even then

6
Q

Whitelist/blacklist

A
• Content filtering, IP address ranges
• Or a combination
• Whitelisting
• Nothing passes through the firewall unless it’s approved
• Very restrictive
• Blacklisting
• Nothing on the “bad list” is allowed
• Specific URLs
• Domains
• IP addresses
7
Q

MAC filtering

A
• Media Access Control
• The “hardware” address
• Limit access through the physical hardware address
• Keeps the neighbors out
• Additional administration with visitors
• Easy to find working MAC addresses through wireless LAN analysis
• MAC addresses can be spoofed
• Free open-source software
• Security through obscurity
8
Q

Wireless channels and encryption

A
• Configure for the highest encryption possible
• WPA2-AES
• Choose WPA2 over WPA
• WEP is not an appropriate option
• Check your devices
• Not all of them may allow for the highest encryption
• Use an open frequency
• Some access points will automatically find good frequencies
9
Q

Managing QoS (Quality of Service)

A
• Change the priority of your traffic
• Voice is high, World of Warcraft is low
• Or vice-versa
• Prioritize applications, ports, or MAC addresses
• A feature of high-end SOHO routers
• Be careful
• You could accidentally cause applications to slow down