Topic 7C: Configure SOHO Router Security
What is the purpose of a home router?
- An internet appliance that provides connectivity for a small office home office (SOHO) LAN. - Combines the functions of an Internet router, DSL/cable modem, Ethernet switch, and Wi-Fi access point, allowing multiple devices to connect to the Internet and communicate with each other within the local network.
How can you secure the administrator account when setting up a home router?
- Change the default password to a strong password consisting of at least 12 characters. - If the option to change the default username of the administrator account is available, you should also change it to enhance security further.
What factors should be considered when physically placing a home router?
- Ideally be placed in a secure location to prevent accidental damage or tampering by unauthorized individuals. - However, in a home environment, the router typically needs to be placed near the service provider's cabling point of entry, which may limit the flexibility in choosing a location. - As the router also functions as a Wi-Fi access point, it should not be locked in a cabinet, as this would negatively impact signal strength for wireless clients.
What is port forwarding, and why is it used in a home router?
- Process that allows Internet hosts to connect to computers on the local network, - works by forwarding a request from an Internet host for a particular service to a designated host on the LAN, potentially mapping the request to a different port.
How can UPnP be enabled on a home router?
- To enable UPnP on a home router, locate the UPnP settings in the router's management interface and check the box to enable the feature.
Why is it important to keep the firmware and driver for a home router up to date?
- allows you to fix security holes and support the latest security standards, such as WPA3.
How can changing the operating channel on a home router be beneficial?
- allows you to select a less congested channel, which can improve the performance of your wireless network. -While the access point may initially auto-detect the least congested channel, the environment may change, and manual channel selection can optimize network performance.
What is a screened subnet and what is its purpose?
- also known as a demilitarized zone (DMZ), is a separate network segment with a different IP subnet address range used to establish a more secure configuration - used to protect the local network by placing some hosts in this separate segment and applying separate rules and filters for traffic between the screened subnet and the Internet, between the Internet and the LAN, and between the LAN and the screened subnet.
How is a screened subnet typically configured in an enterprise network?
- configured using either two firewalls or a single firewall that can route between at least three interfaces.
What is the purpose of using static IP addresses or DHCP reservations in port forwarding configuration?
- consistently identify the destination computer by its IP address - DHCP reservations ensure that the DHCP server always assigns the same IP address to a particular host, making it easier to manage port forwarding rules
What should be done to maintain security when using UPnP?
- ensure that the router does not accept UPnP configuration requests from the external (Internet) interface, disable UPnP on client devices unless the implementation is confirmed to be secure
When should UPnP be disabled on a home router?
- if it is not required for any specific applications or devices, or if the potential security risks outweigh the convenience it provides.
Why might you want to disable guest access on a home router?
- if you don't want unauthorized users to connect to your network and access the Internet, even if the guest network is usually isolated from other local devices.
What is the purpose of disabling the SSID broadcast on a home router?
- prevents any stations not manually configured to connect to the specified name from seeing the network. - This his provides a margin of privacy at the expense of configuration complexity. However, hiding the SSID does not secure the network.
What is port forwarding in the context of a home router firewall?
- process of configuring exceptions to the default inbound port block. It allows specific remote hosts to connect to given TCP/UDP ports on internal hosts.
What is the purpose of Universal Plug-and-Play (UPnP) in home routers?
- to simplify the configuration of services that require complex firewall settings, such as port forwarding and port triggering -It allows client devices to automatically configure the firewall, opening the necessary IP addresses and ports for online gaming or VoIP calls.
What is the purpose of DHCP in the context of a home router setup?
-Automatically allocate IP addresses to devices connected to the local network. - When a computer or device connects to the router, the DHCP server running on the router assigns a valid IP address to it, allowing the device to communicate with other devices on the network and access the Internet.
How does content filtering work on a home router firewall?
-involves downloading curated reputation databases that associate IP address ranges, FQDNs, and URL web addresses with sites known to host various categories of content or those associated with malware, spam, or other threats.- filters can also block URLs or search terms using keywords and phrases. -separate blacklists for different types of content that users might want to block.
Service Set Identifier (SSID)
A network name that wireless routers use to identify themselves.
You have selected a secure location for a new home router, changed the default password, and verified the WAN IP address and Internet link. What next step should you perform before configuring wireless settings?
Check for a firmware update.
You are reviewing a secure deployment checklist for home router wireless configuration. Following the CompTIA A+ objectives, what additional setting should be considered along with the following four settings? Changing the service set identifier (SSID) Disabling SSID broadcast Encryption settings Changing channels
Disabling guest access.
What is the difference between a dynamic and static IP address for a home router's public interface?
Dynamic IP address for a home router's public interface is assigned automatically by the Internet Service Provider (ISP) and may change periodically Static IP address: remains constant and does not change over time. - Some Internet access packages provide a static IP address or offer an option to pay for one. A static IP address can be beneficial for certain applications, such as hosting a website or running a server.
What precautions should be taken during the firmware update process?
Make sure that power to the device is not interrupted during the update process, as this could cause issues with the router's functionality.
What is the default setting for inbound and outbound filtering on a home router firewall?
On a home router firewall, all inbound ports are blocked by default, while outbound connections are allowed by default.
Port forwarding vs Port triggering
Port forwarding is a static rule that forwards incoming traffic on a specific port to a designated device or service on the network. Once you configure the port forwarding rule, it stays in place until you change or remove it. Port triggering, on the other hand, is a dynamic rule that activates only when a certain activity is detected on the network. When the activity is detected, the inbound port is opened for a certain period of time to allow incoming traffic. Once the period of time has elapsed and there has been no further activity on the specified port, the inbound port is closed again.
How is port triggering different from port forwarding?
Port triggering is used for applications that require more than one port, such as FTP servers. - It works by opening inbound access on a specified port (port B) for a given external IP address when the firewall detects activity on an outbound port (port A) destined for that external IP address. This is done for a set period, unlike port forwarding, which is a more static configuration. ** when we detect activity from our outbound port that wants to go to 192.232.122.1 that will trigger us to open our inbound port B that is assigined to the same IP address
Why is UPnP associated with security vulnerabilities?
UPnP is associated with security vulnerabilities because it allows devices to automatically configure the firewall, potentially opening ports and exposing the network to threats. Furthermore, some implementations of UPnP on client devices, such as printers and webcams, have been found to have vulnerabilities.
Why should you change the default SSID on a home router?
You should change the default SSID on a home router to a unique name that users can recognize and not confuse with nearby networks. This helps maintain privacy and makes it harder for attackers to target your network based on default settings.
How do some home router vendors use the term "DMZ" or "DMZ host"?
a "DMZ" or "DMZ host" typically refers to a computer on the LAN configured to receive communications for any ports not forwarded to other hosts. This means that the host is fully accessible to other Internet hosts and is not protected by the firewall, though it could have a host firewall installed for protection. ** a computer configured to be open and take the brunt of everything
What is the purpose of time-based restrictions in a home router firewall?
allow users to control when the Internet is accessible, providing an additional layer of control over Internet usage.
How can you perform a firmware update on a home router?
download the update from the vendor's website, making sure to select the correct patch for your device make and model. In the management app, select the Firmware Upgrade option and browse for the firmware file you downloaded.
What is the basic principle of hardened configuration?
enable only the necessary services and disable any unused services, reducing the attack surface and potential security vulnerabilities.
Why is it important to review the configuration of a home router periodically?
ensure that any unused or outdated port-forwarding rules are disabled or deleted, maintaining a secure environment.
What are the potential security risks of using a DMZ host configuration on a home router?
exposes the designated host to other Internet hosts, making it more vulnerable to attacks and potentially compromising the security of the local network if the DMZ host is compromised.
What are the two types of filtering that a home router firewall operates?
inbound filtering, which determines whether remote hosts can connect to given TCP/UDP ports on internal hosts outbound filtering, which determines the hosts and sites on the Internet that internal hosts are permitted to connect to.
How does a typical home router's firewall function differ from a screened subnet?
primarily screens the local network, providing basic protection without establishing a separate screened subnet.
What should be considered when selecting an authentication mode for a home router?
set the highest standard supported by the client devices that need to connect - Ideally, choose WPA3, but if necessary, enable compatibility support for WPA2 (AES/CCMP) or WPA2 (TKIP). Keep in mind that enabling compatibility weakens security.