Configure SOHO Router Security Flashcards
lesson 16C (30 cards)
Upgrading device firmware on a TP-LINK home router. (Screenshot courtesy of TP-Link.)
Configuring security settings on a TP-LINK home router. This configuration allows WPA compatibility mode, which is less secure. (Screenshot courtesy of TP-Link.)
Configuring parental control content-filtering to restrict when certain devices can access the
network on a TP-LINK home router.
Configuring port forwarding for FTP on a TP-LINK home router via its Virtual Servers feature.
There is nothing to configure when enabling UPnP, but when client devices use the service, the rules
they have configured on the firewall are shown in the service list.
A screened subnet topology. (Images © 123RF.com.)
Configuring a home-router version of a DMZ—the host 192.168.1.202 will not be protected
by the firewall.
(small office home office)
SOHO LAN
relies on a single internet appliance, known as a wireless router, SOHO router, or home router, which integrates the functions of an internet router, DSL/cable modem, Ethernet switch, and Wi-Fi access point.
router physical placement
Routers should be placed in secure locations to prevent unauthorized physical access, accidental tampering, or security breaches. In enterprises, they are stored in locked equipment rooms or cabinets, while home routers must be near service entry points and remain accessible for optimal wireless coverage.
To set up a home router
connect it to the provider’s cabling via the appropriate WAN port (RJ45 for fiber, RJ11 for DSL, or F-connector for cable) or to an external modem using the WAN/LAN port. Power it on, connect a computer to an RJ45 LAN port, ensure DHCP is enabled, and wait for an IP address allocation. Access the router’s management interface through its documented URL and update the default administrator password to a strong, unique one for security.
router setup
Most routers use a wizard-based setup for internet access, with the ISP assigning the router’s public IPv4 address, typically via DHCP. Some plans offer static IPs, which may require manual configuration based on ISP instructions. Once set up, the router’s status page confirms the connection is active.
home router’s firmware updated
is crucial for security and compatibility with the latest standards like WPA3. Download the correct update (latest patches) from the vendor’s website.
service set ID (SSID)
is a case-sensitive identifier for a WLAN, typically set to a default name based on the router’s brand or model. Changing it to a recognizable but non-personal name helps prevent confusion and security risks, avoiding SSIDs that reveal sensitive information or attract malicious attacks.
Disabling SSID broadcast
hides the network from automatic discovery, enhancing privacy but requiring manual configuration for devices to connect.
For encryption settings,
choose the highest authentication standard your client devices support—ideally WPA3. If needed, enable WPA2 (AES/CCMP) or WPA2 (TKIP) for compatibility, though this weakens security by allowing downgrade attacks. When using personal authentication, set a strong passphrase to generate the network key.
disable guest access
Most home routers enable a guest network by default, allowing clients to connect to the internet without a passphrase. While this network is usually isolated from local devices, you should disable guest access if security concerns outweigh the convenience.
Changing Channels
Each Wi-Fi frequency band (2.4 GHz, 5 GHz, and 6 GHz) allows manual or automatic channel selection.
When set to auto-detect, the access point selects the least congested channel at startup, but environmental changes may affect performance. Using a Wi-Fi analyzer helps identify the optimal channel for better connectivity.
content filtering
Home router firewalls provide inbound filtering (blocking remote connections by default, with exceptions via port forwarding) and outbound filtering (allowing internet access but enabling selective content restrictions). Instead of manual IP filtering, most home routers use reputation-based content filtering, blocking malicious or unwanted sites based on curated databases of IP ranges, domain names, and URLs, with customizable blacklists for different content categories.
Port forwarding
enables Internet hosts to connect to local network devices, allowing users to support online gaming, remote access to home computers, or even host a web server. Unlike content filtering, which restricts outgoing connections, port forwarding selectively permits inbound traffic by mapping external requests to specific local devices and services.
DHCP reservation
the destination computer needs a consistent IP address. While static addressing is an option, managing it can be complex. A better approach is setting a DHCP reservation, ensuring the DHCP server always assigns the same IP to the device based on its MAC address. This simplifies network management while maintaining flexibility.
DHCP reservation aka
IP reservation aka MAC binding,
is a feature of Dynamic Host Configuration Protocol (DHCP) that allows a network administrator to assign a specific IP address to a device based on its MAC address.
Port forwarding
allows Internet hosts to access local network services by directing requests from the router’s WAN interface to a designated internal device.
This process, also known as port mapping, enables services like game servers to be reachable externally while running on different internal ports.
port triggering
Port forwarding opens specific ports permanently, while port triggering opens ports only when an outgoing connection from the same device is made.
File Transfer Protocol (ftp)
is a standard network protocol used to transfer files between computers.