Lesson 7 C Configure SOHO Router Security Flashcards

1
Q

Small office home office (SOHO)

A

A small office home office (SOHO) LAN uses a single Internet appliance to provide connectivity. This appliance combines the functions of Internet router, DSL/cable modem, Ethernet switch, and Wi-Fi access point. It can variously be described as a wireless router, SOHO router, or home router.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Physical Placement/Secure Locations

A

Ideally, any router or network appliance should be placed in a secure location. A non-malicious threat actor could damage or power off an appliance by accident. A malicious threat actor could use physical access to tamper with an appliance or attach unauthorized devices to network or USB ports or use the factory reset mechanism and log on with the default password. On an enterprise network, such appliances are deployed in a locked equipment room and may also be protected by lockable cabinets.

In a home environment, however, the router must be placed near the minimum point of entry for the service provider’s cabling. There is not always a great deal of flexibility for choosing a location that will make the router physically inaccessible to anyone other than the administrator. The home router will also usually implement the wireless network and therefore cannot be locked in a cabinet because clients would suffer from reduced signal strength.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Home Router Setup

A

To set up a new home router, first connect it to the provider cabling using its WAN port. This will be a WAN labelled RJ45 port for a full fiber connection, an RJ11 port for DSL, or an F-connector coax port for cable. Alternatively, the home router might need to be connected to an external digital modem. This connection will use a dual-purpose RJ45 port on the router labeled WAN/LAN.

Power on the router. Connect a computer to an RJ45 LAN port to start the home router setup process. LAN ports on a home router are usually color-coded yellow. Make sure the computer is set to obtain an IP address automatically. Wait for the Dynamic Host Configuration Protocol (DHCP) server running on the router to allocate a valid IP address to the computer.

Use a browser to open the device’s management URL, as listed in the documentation. This could be an IP address or a host/domain name, such as http://192.168.0.1 or http://www.routerlogin.com

It might use HTTPS rather than unencrypted HTTP. If you cannot connect, check that the computer’s IP address is in the same range as the device IP.

The home router management software will prompt you to change the default password to secure the administrator account. Enter the default password (as listed in the documentation or printed on a sticker accompanying the router/modem). Choose a new, strong password of 12 characters or more. If there is also an option to change the default username of the administrator account, this is also a little bit more secure than leaving the default configured.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Internet Access and Static Wide Area Network IP

A

Most routers will use a wizard-based setup to connect to the Internet via the service provider’s network. The WAN link parameters (full fiber, DSL, or cable) are normally self-configuring. You might need to supply a username and password. If manual configuration is required, obtain the settings from your ISP.

The router’s public interface IPv4 address is determined by the ISP. This must be an address from a valid public range. This is normally auto-configured by the ISP’s DHCP service.

Some Internet access packages assign a static IP or offer an option to pay for a static address. A static address might also be auto-configured as a DHCP reservation, but if manual configuration is required, follow the service provider’s instructions to configure the correct address on the router’s WAN interface.

When the Internet interface is fully configured, use the router’s status page to verify that the Internet link is up.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

firmware

A

You should keep the firmware and driver for the home router up to date with the latest patches. This is important because it allows you to fix security holes and support the latest security standards, such as WPA3. To perform a firmware update, download the update from the vendor’s website, taking care to select the correct patch for your device make and model. In the management app, select the Firmware Upgrade option and browse for the firmware file you downloaded.

Make sure that power to the device is not interrupted during the update process.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A home router provides a

A

A home router provides a one-box solution for networking. The WAN port facilitates Internet access. Client devices can connect to the local network via the RJ45 LAN ports or via the appliance’s access point functionality.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Service Set ID

A

The service set ID (SSID) is a simple, case-sensitive name by which users identify the WLAN. The factory configuration uses a default SSID that is typically based on the device brand or model. You should change it to something that your users will recognize and not confuse with nearby networks. Given that, on a residential network, you should not use an SSID that reveals personal information, such as an address or surname. Similarly, on a business network, you may not want to use a meaningful name. For example, an SSID such as “Accounts” could be a tempting target for an evil twin attack.

Disabling broadcast of the SSID prevents any stations not manually configured to connect to the name you specify from seeing the network. This provides a margin of privacy at the expense of configuration complexity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Disabling Guest Access

A

Most home routers automatically configure and enable a guest wireless network. Clients can connect to this and access the Internet without a passphrase. The guest network is usually isolated from the other local devices though. Use the option to disable guest access if appropriate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Encryption Settings

A

The encryption or security option allows you to set the authentication mode. You should set the highest standard supported by the client devices that need to connect.

  1. Ideally, select WPA3. If necessary, enable compatibility support for WPA2 (AES/CCMP) or even WPA2 (TKIP). Remember that enabling compatibility weakens the security because it allows malicious stations to request a downgraded security type.
  2. Assuming personal authentication, enter a strong passphrase to use to generate the network key.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Changing Channels

A

For each radio frequency band (2.4 GHz, 5 GHz, and 6 GHz), there will be an option to autoconfigure or select the operating channel. If set to auto-detect, the access point will select the channel that seems least congested at boot time. As the environment changes, you may find that this channel selection is not the optimum one. You can use a Wi-Fi analyzer to identify which channel within the access point’s range is least congested.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

All home routers come with at least a basic firewall, and some allow advanced filtering rules. Any firewall operates two types of filtering:

A
  • Inbound filtering determines whether remote hosts can connect to given TCP/UDP ports on internal hosts. On a home router, all inbound ports are blocked by default. Exceptions to this default block are configured via port forwarding.
  • Outbound filtering determines the hosts and sites on the Internet that internal hosts are permitted to connect to. On a home router, outbound connections are allowed by default but can be selectively restricted via a content filter.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

content filtering

A

Content filtering means that the firewall downloads curated reputation databases that associate IP address ranges, FQDNs, and URL web addresses with sites known to host various categories of content and those associated with malware, spam, or other threats. The filters can also block URLs or search terms using keywords and phrases. There will be separate blocklists for different types of content that users might want to block.
Another content-filtering option is to restrict the times at which the Internet is accessible. These are configured in conjunction with services offered by the ISP.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Static IP Addresses and DHCP Reservations

A

To create a port-forwarding rule, you must identify the destination computer by IP address. This is not easy if the computer obtains its IP configuration via a normal DHCP lease. You could configure the host to use static addressing, but this can be difficult to manage. Another option is to create a reservation (DHCP) for the device on the DHCP server. This means that the DHCP server always assigns the same IP address to the host. You can usually choose which IP address this should be. You need to input the MAC address of the computer in the reservation so that the DHCP server can recognize the host when it connects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Configuring Port-Forwarding and Port-Triggering Rules

A

Hosts on the Internet can only “see” the router’s WAN interface and its public IP address. Hosts on the local network are protected by the default block rule on the firewall. If you want to run some sort of server application from your network and make it accessible to the Internet, you must configure a port forwarding rule.

Port forwarding means that the router takes a request from an Internet host for a particular service (for example, the TCP port 25565 associated with a Minecraft server) and sends the request to a designated host on the LAN. The request could also be sent to a different port, so this feature is often also called port mapping . For example, the Internet host could request Minecraft on port 25565, but the LAN server might run its Minecraft server on port 8181.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Port triggering

A

is used to set up applications that require more than one port, such as file transfer protocol (FTP) servers. Basically, when the firewall detects activity on outbound port A destined for a given external IP address, it opens inbound access for the external IP address on port B for a set period.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Disabling Unused Ports

A

One of the basic principles of hardened configuration is only to enable services that must be enabled. If a service is unused, then it should not be accessible in any way.

A home router operates a default block that stops any Internet host from opening a connection to a local port. Exceptions to this default block are configured as port-forwarding exceptions. If a port-forwarding rule is no longer required, it should either be disabled or deleted completely.

Some of the worst security vulnerabilities are caused by simple oversights. For example, you might enable a rule for a particular situation and then forget about it. Make sure you review the configuration of a home router every month.

If supported by the home router, the outbound link can be made more secure by changing to a default block and allowing only a limited selection of ports. This involves considerable configuration complexity, however.

16
Q

Universal Plug-and-Play

A

Port forwarding/port triggering is challenging for end users to configure correctly. Many users would simply resort to turning the firewall off to get a particular application to work. As a means of mitigating this attitude, services that require complex firewall configuration can use the Universal Plug-and-Play (UPnP) framework to send instructions to the firewall with the correct configuration parameters.

On the firewall, check the box to enable UPnP. A client UPnP device, such as an Xbox, PlayStation, or voice-over-IP handset, will be able to configure the firewall automatically to open the IP addresses and ports necessary to play an online game or place and receive VoIP calls.
UPnP is associated with many security vulnerabilities and is best disabled if not required. You should ensure that the router does not accept UPnP configuration requests from the external (Internet) interface. If using UPnP, keep up to date with any security advisories or firmware updates from the router manufacturer.

17
Q

screened subnet i

A

When making a server accessible on the Internet, careful thought needs to be given to the security of the local network. If the server target of a port-forwarding rule is compromised, because it is on the local network there is the possibility that other LAN hosts can be attacked from it or that the attacker could examine traffic passing over the LAN.

In an enterprise network, a screened subnet is a means of establishing a more secure configuration. A screened subnet can also be referred to by the deprecated terminology demilitarized zone (DMZ). The idea of a screened subnet is that some hosts are placed in a separate network segment with a different IP subnet address range than the rest of the LAN. This configuration uses either two firewalls or a firewall that can route between at least three interfaces. Separate rules and filters apply to traffic between the screened subnet and the Internet, between the Internet and the LAN, and between the LAN and the screened subnet.
Most home routers come with only basic firewall functionality. The firewall in a typical home router screens the local network rather than establishing a screened subnet.

18
Q

DMZ host

A

However, you should be aware of the way that many home router vendors use the term DMZ. On a home router, a “DMZ” or “DMZ host” configuration is likely to refer to a computer on the LAN that is configured to receive communications for any ports that have not been forwarded to other hosts. When DMZ is used in this sense, it means “not protected by the firewall” as the host is fully accessible to other Internet hosts (though it could be installed with a host firewall instead).

19
Q
A