2.9 - Securing a SOHO Network

Question 1

Change default passwords

Answer 1

• All access points have default usernames and passwords
  – Change yours!
• The right credentials provide full control
  – Administrator access
• Very easy to find the defaults for your
  access point or router
  – https://www.routerpasswords.com

Question 2

Firmware updates

Answer 2

• Small office / home office appliances
  – Appliance are usually a closed architecture
  – Updates are provided by the manufacturer
• Updates may address different requirements
  – Bug fixes
  – New features
  – Security patches
• Install the latest software
  – Update and upgrade the firmware
  – Firewalls, routers, switches, etc.

Question 3

IP address filtering

Answer 3

• Content filtering, IP address ranges
  – Or a combination
• Allow list
  – Nothing pass through the firewall unless it’s approved
  – Very restrictive
• Deny list
  – Nothing on the “bad list” is allowed
  – Specific URLs
  – Domains
  – IP addresses

Question 4

Content filtering

Answer 4

• Control traffic based on data within the content
  – URL filtering, website category filtering
• Corporate control of outbound and inbound data
  – Sensitive materials
• Control of inappropriate content
  – Not safe for work
  – Parental controls
• Protection against evil
  – Anti-virus, anti-malware

Question 5

Physical placement

Answer 5

• Often a single device
  – Router, switch, access point, firewall, etc.
• Location may be restricted to a secure room
  – Prevent access to servers and network devices
  – For wireless, location becomes more important
  – Above ceiling tiles or another high point
  – This may cause problems for power cycling
• Plan before the installation
  – May require additional setup time

Question 6

IP addressing

Answer 6

• DHCP (automatic) IP addressing vs.
  manual IP addressing
• IP addresses are easy to see in
  an unencrypted network
• If the encryption is broken, the IP addresses
  will be obvious
• Configuring a static IP address is not
  a security technique
  – Security through obscurity

Question 7

DHCP reservations

Answer 7

• Address reservation
  – Administratively configured
• Table of MAC addresses
  – Each MAC address has a matching IP address
• Other names
  – Static DHCP Assignment
  – Static DHCP
  – Static Assignment
  – IP Reservation

Question 8

Static WAN IP

Answer 8

• Wide area network / Internet link
  – External IP address
• Many ISPs dynamically allocate WAN addresses
  – The default for most ISPs
• It’s easier to manage if the IP address is static
  – The IT team always knows the IP address
  – A SOHO might provide a service
• This may be an additional cost
  – Contact the ISP for options

Question 9

UPnP (Universal Plug and Play)

Answer 9

• Allows network devices to automatically configure
  and find other network devices
  – Zero-configuration
• Applications on the internal network can open
  inbound ports using UPnP
  – No approval needed
  – Used for many peer-to-peer (P2P) applications
• Best practice would be to disable UPnP
  – Only enable if the application requires it
  – And maybe not even then

Question 10

Screened subnet

Answer 10

• Previously known as the demilitarized zone (DMZ)
  – An additional layer of security between
  the Internet and you
  – Public access to public resources

Question 11

SSID management

Answer 11

• Service Set Identifier
  – Name of the wireless network
  – LINKSYS, DEFAULT, NETGEAR
• Change the SSID to something not-so obvious
• Disable SSID broadcasting?
  – SSID is easily determined through wireless
  network analysis
  – Security through obscurity

Question 12

Wireless channels and encryption

Answer 12

• Open System
  – No authentication password is required
• WPA/2/3-Personal / WPA/2/3-PSK
  – WPA2 or WPA3 with a pre-shared key
  – Everyone uses the same 256-bit key
• WPA/2/3-Enterprise / WPA/2/3-802.1X
  – Authenticates users individually with an
  authentication server (i.e., RADIUS, LDAP, etc.)
• Use an open frequency
  – Some access points will automatically find
  good frequencies

Question 13

Disable guest networks

Answer 13

• Limit access to outsiders
  – Guest networks are often enabled by default
• Some guest networks can be used for other
  connections
  – Internet of Things
  – Lab networks
• Don’t enable without security
  – WPA2 or WPA3

Question 14

Disabling ports

Answer 14

• Enabled physical ports
  – Conference rooms
  – Break rooms
• Administratively disable unused ports
  – More to maintain, but more secure
• Network Access Control (NAC)
  – 802.1X controls
  – You can’t communicate unless you are authenticated

Question 15

Port forwarding

Answer 15

• 24x7 access to a service hosted internally
  – Web server, gaming server, security system, etc.
• External IP/port number maps to an internal IP/port
  – Does not have to be the same port number
• Also called Destination NAT or Static NAT
  – Destination address is translated from a public IP to
  a private IP
  – Does not expire or timeout