2.9 - Securing a SOHO Network Flashcards
1
Q
Change default passwords
A
- All access points have default usernames and passwords
  – Change yours!
- The right credentials provide full control
  – Administrator access
- Very easy to find the defaults for your access point or router
  – https://www.routerpasswords.com
2
Q
Firmware updates
A
- Small office / home office appliances
  – Appliances are usually a closed architecture
  – Updates are provided by the manufacturer
- Updates may address different requirements
  – Bug fixes
  – New features
  – Security patches
- Install the latest software
  – Update and upgrade the firmware
  – Firewalls, routers, switches, etc.
3
Q
IP address filtering
A
- Content filtering, IP address ranges
  – Or a combination
- Allow list
  – Nothing passes through the firewall unless it’s approved
  – Very restrictive
- Deny list
  – Nothing on the “bad list” is allowed
  – Specific URLs
  – Domains
  – IP addresses
4
Q
Content filtering
A
- Control traffic based on data within the content
  – URL filtering, website category filtering
- Corporate control of outbound and inbound data
  – Sensitive materials
- Control of inappropriate content
  – Not safe for work
  – Parental controls
- Protection against evil
  – Anti-virus, anti-malware
5
Q
Physical placement
A
- Often a single device
  – Router, switch, access point, firewall, etc.
- Location may be restricted to a secure room
  – Prevent access to servers and network devices
  – For wireless, location becomes more important
  – Above ceiling tiles or another high point
  – This may cause problems for power cycling
- Plan before the installation
  – May require additional setup time
6
Q
IP addressing
A
- DHCP (automatic) IP addressing vs. manual IP addressing
- IP addresses are easy to see in an unencrypted network
- If the encryption is broken, the IP addresses will be obvious
- Configuring a static IP address is not a security technique
  – Security through obscurity
7
Q
DHCP reservations
A
- Address reservation
  – Administratively configured
- Table of MAC addresses
  – Each MAC address has a matching IP address
- Other names
  – Static DHCP Assignment
  – Static DHCP
  – Static Assignment
  – IP Reservation
8
Q
Static WAN IP
A
- Wide area network / Internet link
  – External IP address
- Many ISPs dynamically allocate WAN addresses
  – The default for most ISPs
- It’s easier to manage if the IP address is static
  – The IT team always knows the IP address
  – A SOHO might provide a service
- This may be an additional cost
  – Contact the ISP for options
9
Q
UPnP (Universal Plug and Play)
A
- Allows network devices to automatically configure and find other network devices
  – Zero-configuration
- Applications on the internal network can open inbound ports using UPnP
  – No approval needed
  – Used for many peer-to-peer (P2P) applications
- Best practice would be to disable UPnP
  – Only enable if the application requires it
  – And maybe not even then
10
Q
Screened subnet
A
- Previously known as the demilitarized zone (DMZ)
  – An additional layer of security between the Internet and you
  – Public access to public resources
11
Q
SSID management
A
- Service Set Identifier
  – Name of the wireless network
  – LINKSYS, DEFAULT, NETGEAR
- Change the SSID to something not-so-obvious
- Disable SSID broadcasting?
  – SSID is easily determined through wireless network analysis
  – Security through obscurity
12
Q
Wireless channels and encryption
A
- Open System
  – No authentication password is required
- WPA/2/3-Personal / WPA/2/3-PSK
  – WPA2 or WPA3 with a pre-shared key
  – Everyone uses the same 256-bit key
- WPA/2/3-Enterprise / WPA/2/3-802.1X
  – Authenticates users individually with an authentication server (e.g., RADIUS, LDAP, etc.)
- Use an open frequency
  – Some access points will automatically find good frequencies
13
Q
Disable guest networks
A
- Limit access to outsiders
  – Guest networks are often enabled by default
- Some guest networks can be used for other connections
  – Internet of Things
  – Lab networks
- Don’t enable without security
  – WPA2 or WPA3
14
Q
Disabling ports
A
- Enabled physical ports
  – Conference rooms
  – Break rooms
- Administratively disable unused ports
  – More to maintain, but more secure
- Network Access Control (NAC)
  – 802.1X controls
  – You can’t communicate unless you are authenticated
15
Q
Port forwarding
A
- 24x7 access to a service hosted internally
  – Web server, gaming server, security system, etc.
- External IP/port number maps to an internal IP/port
  – Does not have to be the same port number
- Also called Destination NAT or Static NAT
  – Destination address is translated from a public IP to a private IP
  – Does not expire or timeout