Lesson 7 C Configure SOHO Router Security Flashcards
Small office home office (SOHO)
A small office home office (SOHO) LAN uses a single Internet appliance to provide connectivity. This appliance combines the functions of Internet router, DSL/cable modem, Ethernet switch, and Wi-Fi access point. It can variously be described as a wireless router, SOHO router, or home router.
Physical Placement/Secure Locations
Ideally, any router or network appliance should be placed in a secure location. A non-malicious threat actor could damage or power off an appliance by accident. A malicious threat actor could use physical access to tamper with an appliance or attach unauthorized devices to network or USB ports or use the factory reset mechanism and log on with the default password. On an enterprise network, such appliances are deployed in a locked equipment room and may also be protected by lockable cabinets.
In a home environment, however, the router must be placed near the minimum point of entry for the service provider’s cabling. There is not always a great deal of flexibility for choosing a location that will make the router physically inaccessible to anyone other than the administrator. The home router will also usually implement the wireless network and therefore cannot be locked in a cabinet because clients would suffer from reduced signal strength.
Home Router Setup
To set up a new home router, first connect it to the provider cabling using its WAN port. This will be a WAN labelled RJ45 port for a full fiber connection, an RJ11 port for DSL, or an F-connector coax port for cable. Alternatively, the home router might need to be connected to an external digital modem. This connection will use a dual-purpose RJ45 port on the router labeled WAN/LAN.
Power on the router. Connect a computer to an RJ45 LAN port to start the home router setup process. LAN ports on a home router are usually color-coded yellow. Make sure the computer is set to obtain an IP address automatically. Wait for the Dynamic Host Configuration Protocol (DHCP) server running on the router to allocate a valid IP address to the computer.
Use a browser to open the device’s management URL, as listed in the documentation. This could be an IP address or a host/domain name, such as http://192.168.0.1 or http://www.routerlogin.com
It might use HTTPS rather than unencrypted HTTP. If you cannot connect, check that the computer’s IP address is in the same range as the device IP.
The home router management software will prompt you to change the default password to secure the administrator account. Enter the default password (as listed in the documentation or printed on a sticker accompanying the router/modem). Choose a new, strong password of 12 characters or more. If there is also an option to change the default username of the administrator account, this is also a little bit more secure than leaving the default configured.
Internet Access and Static Wide Area Network IP
Most routers will use a wizard-based setup to connect to the Internet via the service provider’s network. The WAN link parameters (full fiber, DSL, or cable) are normally self-configuring. You might need to supply a username and password. If manual configuration is required, obtain the settings from your ISP.
The router’s public interface IPv4 address is determined by the ISP. This must be an address from a valid public range. This is normally auto-configured by the ISP’s DHCP service.
Some Internet access packages assign a static IP or offer an option to pay for a static address. A static address might also be auto-configured as a DHCP reservation, but if manual configuration is required, follow the service provider’s instructions to configure the correct address on the router’s WAN interface.
When the Internet interface is fully configured, use the router’s status page to verify that the Internet link is up.
firmware
You should keep the firmware and driver for the home router up to date with the latest patches. This is important because it allows you to fix security holes and support the latest security standards, such as WPA3. To perform a firmware update, download the update from the vendor’s website, taking care to select the correct patch for your device make and model. In the management app, select the Firmware Upgrade option and browse for the firmware file you downloaded.
Make sure that power to the device is not interrupted during the update process.
A home router provides a
A home router provides a one-box solution for networking. The WAN port facilitates Internet access. Client devices can connect to the local network via the RJ45 LAN ports or via the appliance’s access point functionality.
Service Set ID
The service set ID (SSID) is a simple, case-sensitive name by which users identify the WLAN. The factory configuration uses a default SSID that is typically based on the device brand or model. You should change it to something that your users will recognize and not confuse with nearby networks. Given that, on a residential network, you should not use an SSID that reveals personal information, such as an address or surname. Similarly, on a business network, you may not want to use a meaningful name. For example, an SSID such as “Accounts” could be a tempting target for an evil twin attack.
Disabling broadcast of the SSID prevents any stations not manually configured to connect to the name you specify from seeing the network. This provides a margin of privacy at the expense of configuration complexity.
Disabling Guest Access
Most home routers automatically configure and enable a guest wireless network. Clients can connect to this and access the Internet without a passphrase. The guest network is usually isolated from the other local devices though. Use the option to disable guest access if appropriate.
Encryption Settings
The encryption or security option allows you to set the authentication mode. You should set the highest standard supported by the client devices that need to connect.
- Ideally, select WPA3. If necessary, enable compatibility support for WPA2 (AES/CCMP) or even WPA2 (TKIP). Remember that enabling compatibility weakens the security because it allows malicious stations to request a downgraded security type.
- Assuming personal authentication, enter a strong passphrase to use to generate the network key.
Changing Channels
For each radio frequency band (2.4 GHz, 5 GHz, and 6 GHz), there will be an option to autoconfigure or select the operating channel. If set to auto-detect, the access point will select the channel that seems least congested at boot time. As the environment changes, you may find that this channel selection is not the optimum one. You can use a Wi-Fi analyzer to identify which channel within the access point’s range is least congested.
All home routers come with at least a basic firewall, and some allow advanced filtering rules. Any firewall operates two types of filtering:
- Inbound filtering determines whether remote hosts can connect to given TCP/UDP ports on internal hosts. On a home router, all inbound ports are blocked by default. Exceptions to this default block are configured via port forwarding.
- Outbound filtering determines the hosts and sites on the Internet that internal hosts are permitted to connect to. On a home router, outbound connections are allowed by default but can be selectively restricted via a content filter.
content filtering
Content filtering means that the firewall downloads curated reputation databases that associate IP address ranges, FQDNs, and URL web addresses with sites known to host various categories of content and those associated with malware, spam, or other threats. The filters can also block URLs or search terms using keywords and phrases. There will be separate blocklists for different types of content that users might want to block.
Another content-filtering option is to restrict the times at which the Internet is accessible. These are configured in conjunction with services offered by the ISP.
Static IP Addresses and DHCP Reservations
To create a port-forwarding rule, you must identify the destination computer by IP address. This is not easy if the computer obtains its IP configuration via a normal DHCP lease. You could configure the host to use static addressing, but this can be difficult to manage. Another option is to create a reservation (DHCP) for the device on the DHCP server. This means that the DHCP server always assigns the same IP address to the host. You can usually choose which IP address this should be. You need to input the MAC address of the computer in the reservation so that the DHCP server can recognize the host when it connects.
Configuring Port-Forwarding and Port-Triggering Rules
Hosts on the Internet can only “see” the router’s WAN interface and its public IP address. Hosts on the local network are protected by the default block rule on the firewall. If you want to run some sort of server application from your network and make it accessible to the Internet, you must configure a port forwarding rule.
Port forwarding means that the router takes a request from an Internet host for a particular service (for example, the TCP port 25565 associated with a Minecraft server) and sends the request to a designated host on the LAN. The request could also be sent to a different port, so this feature is often also called port mapping . For example, the Internet host could request Minecraft on port 25565, but the LAN server might run its Minecraft server on port 8181.
Port triggering
is used to set up applications that require more than one port, such as file transfer protocol (FTP) servers. Basically, when the firewall detects activity on outbound port A destined for a given external IP address, it opens inbound access for the external IP address on port B for a set period.
