Security on SOHO Networks | CompTIA A+ 220-1002 | 2.10

In this video you will learn about security on SOHO wireless & wired networks.

Wireless-Specific Security

In the following sections we are going to discuss wireless-specific security such as: changing the default SSID, setting encryption, disabling SSID broadcast, antenna & access point placement, radio power levels, and WPS.

Changing Default SSID

In WiFi, a service set is a group of wireless network devices that share a service set identifier (SSID), which is essentially the name a user assigns to a network. All wireless networking devices such as WAPs & wireless routers have a default SSID assigned by the manufacturer, and for most common device models that information is readily available online, along with the default username and password used to gain access to the device. To help secure the SSID for a wireless router or WAP, be sure that the SSID does not include the following:

  • Your name (first or last)
  • Your company name
  • Your location
  • Or any other readily identifiable information

Setting Encryption

Setting encryption for wireless networks, whether they are business networks or SOHO networks, was covered in section 2.3, titled “Wireless Security Protocols & Authentication”.

Disabling SSID Broadcast

Disabling the SSID broadcast means your WiFi networking devices are no longer advertising the SSID. If you are a casual WiFi user looking for a network to connect to, your smartphone or laptop isn’t going to see the name of a network whose SSID broadcast is disabled. However, just because the SSID broadcast is disabled doesn’t mean that the network isn’t transmitting and can’t be located. One way to reach a network with a disabled SSID is simply to know the name of the network. Another way is to use a network analyzer tool, which can “see” disabled SSIDs. So even though CompTIA suggests that disabling an SSID is a good security measure to prevent a casual user from trying to gain access to a network, disabling the SSID is not going to prevent a hacker from discovering the network’s name to try to gain unauthorized access.

Antenna & Access Point Placement

Antenna & access point (AP) placement is very important when it comes to users connecting to a wireless network with a strong signal. The ideal location for an AP to be placed is in a central location, if possible, which would offer the greatest coverage to devices physically in the vicinity of the AP. When it comes to antenna placement on the AP, the antennas should be set at 90-degree angles to one another. To help reduce electrical interference, be sure to keep the AP away from other wireless devices, speakers, or any other device that consumes a lot of electricity.

Radio Power Levels

Wireless routers & access points all have adjustable radio power levels. If the power levels are set too high, devices located outside of the perimeter of the business/home may be able to pick up on the network and attempt to gain access. If the power levels are set too low, devices within the perimeter that should be able to gain access might not be able to locate the network to gain access.

WiFi Protected Setup (WPS)

WiFi Protected Setup is a network security standard to create a secure wireless home network. The point of the WPS protocol is to allow home users who know little of wireless security and may be intimidated by the available security options to set up WiFi Protected Access, as well as making it easy to add new devices to an existing network without entering long passphrases. The two most common ways to configure a network using WPS are by:

  • PIN (default method):  A PIN marked on the router may be entered into each new device added to the network.
  • Push button:  The user may be required to push a physical button on the wireless router or WAP, or a software button in a setup program, to establish a connection.

Change Default Usernames & Passwords

As previously mentioned, default usernames & passwords for almost all wireless routers & wireless access points can be found online in documentation readily available from the device’s manufacturer. To protect against potential hackers exploiting your network, it is highly recommended that you change the default username & password immediately upon the initial setup of the device/network. To further secure your wireless router or WAP, configure the device so that it can be managed only over a wired Ethernet connection.

Enabling MAC Filtering

Enabling MAC address filtering lets only devices with specific MAC addresses connect to your router. Section 2.2, titled “Logical Security Concepts”, discusses MAC filtering in more detail.

Assign Static IP Addresses

DHCP (Dynamic Host Configuration Protocol) is a network management protocol used on Internet Protocol (IP) local area networks. With SOHO routers, the DHCP server is built into the device and is responsible for assigning IP addresses to devices trying to connect to the LAN. To restrict which devices can obtain an IP address on the LAN, the DHCP setting would need to be disabled, which would then require the administrator of the network to manually assign static IP addresses to devices trying to connect to the LAN.

Firewall Settings

Wireless access points & wireless routers offer firewall settings that include the following:

  • Access logs
  • Filtering of specific types of traffic
  • Enhanced support for VPNs
  • Network Address Translation
    • To prevent Internet traffic from determining private IP addresses of devices used on the network

See the router manufacturer’s documentation for more information about advanced security features.

Port Forwarding/Mapping

In computer networking, port forwarding (DNAT or destination network address translation) is an application of NAT that redirects a communication request from one address and port number combination to another while the packets are traversing a network gateway, such as a router or firewall. Section 2.3 of the CompTIA 220-1001 exam, titled “Basic Wired/Wireless SOHO Network”, discusses port forwarding in more detail.

Disabling Ports

You should always disable unused ports to prevent hackers from exploiting them to gain access to the network. Blocking TCP & UDP ports can be performed with firewall apps such as Windows Defender Firewall with Advanced Security.
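
Added example, not part of the original page: a simplified Python model of port forwarding (DNAT) on a SOHO router, tying together the Port Forwarding and Disabling Ports sections above. The class and function names, addresses and forwarding rules are constructed for illustration, and connection tracking for reply traffic is left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp" or "udp"
    src: str       # Internet host, "ip:port"
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Forward:
    proto: str
    wan_port: int  # port exposed on the router's public address
    lan_ip: str    # private host that receives the traffic
    lan_port: int

class Gateway:
    def __init__(self, wan_ip, forwards):
        self.wan_ip = wan_ip
        self.table = {(f.proto, f.wan_port): f for f in forwards}

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """DNAT for an unsolicited inbound packet; None means dropped."""
        rule = self.table.get((pkt.proto, pkt.dst_port))
        if pkt.dst_ip != self.wan_ip or rule is None:
            return None  # no forward for this port: the LAN stays unreachable
        # Rewrite only the destination; the source is left untouched.
        return Packet(pkt.proto, pkt.src, rule.lan_ip, rule.lan_port)

def stale_forwards(forwards, services_in_use):
    """Forwards whose LAN target is no longer a service the owner runs."""
    return [f for f in forwards
            if (f.proto, f.lan_ip, f.lan_port) not in services_in_use]

# Constructed sample data (documentation and private address ranges).
FORWARDS = [
    Forward("tcp", 8443, "192.168.1.20", 443),   # NAS web interface
    Forward("tcp", 3389, "192.168.1.30", 3389),  # left over from an old PC
]
IN_USE = {("tcp", "192.168.1.20", 443)}
GATEWAY = Gateway("203.0.113.10", FORWARDS)

if __name__ == "__main__":
    print(GATEWAY.inbound(Packet("tcp", "198.51.100.7:50000", "203.0.113.10", 8443)))
    print(GATEWAY.inbound(Packet("tcp", "198.51.100.7:50001", "203.0.113.10", 23)))
    print(stale_forwards(FORWARDS, IN_USE))
```

The forward reported by `stale_forwards` is the one to remove from the router, since it keeps a port open to the Internet for a service that is no longer needed.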

Content Filtering/Parental Controls

Content filtering is the use of a program to screen and/or exclude access to web pages or email deemed objectionable. Content filtering is used by companies as part of their firewalls, and also on SOHO personal computers. Content filtering works by specifying content patterns, such as text strings or objects within images, that if matched, indicate undesirable content that is to be screened out. A content filter will then block access to this content. Windows Defender is Microsoft’s anti-spyware that includes tools for content filtering & parental controls, in addition to other tools such as:

  • Virus & Threat Protection:  Tracking of Windows Defender & 3rd-party antivirus software.
  • Account Protection:  Includes Windows Hello and Dynamic Lock features.
  • Firewall & Network Protection:  Includes access control rules & other network/domain security settings.
  • App & Browser Control:  Includes filter controls for browsers and apps.
  • Device Security:  Tests device security & sets core security.
  • Device Performance & Health:  Scans devices & apps to report on status.
  • Family Options:  Provides parental controls & family device management options.

Apple’s parental controls in macOS can be found by selecting Apple menu > System Preferences > Parental Controls. Linux distributions do not include parental controls, but parental controls can be added by way of various 3rd-party apps.

Update Firmware

A firmware update is a software program used to update the firmware in a device, such as a WAP and/or wireless router. Firmware updates are available from hardware manufacturers. These updates can help solve a myriad of potential issues with a device, including solving possible operational problems and/or enhancing WiFi features, security, and overall ease of use. To determine if a WAP or wireless router is in need of a firmware update, do the following:

  1. Check the device’s configuration information to record the current firmware version.
  2. Check the vendor’s website to see if a firmware update for your device’s particular model is available.
  3. Download the firmware update to a PC that can be connected to the device via an Ethernet cable.
  4. Connect the device to the PC.
  5. Locate the device’s firmware update dialog.
  6. Follow the instructions presented.

Physical Security

Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm. Section 2.1, titled “Physical Security Measures”, discusses physical security in more detail.