Change default passwords
Routers and modems come with default usernames and passwords; these are usually "admin" and "password" or, in some cases, "admin" and "admin". Make sure to change them so that unauthorized users cannot access the routers or modems.
IP filtering
IP filtering can control which devices are allowed to connect to a network based on their IP address. The user can create an access control list (ACL) to permit or deny traffic from specific IP addresses or ranges.
Firmware updates
Regularly update the firmware of routers, switches, and other network devices to patch security vulnerabilities and improve performance.
Enable automatic firmware updates, if possible, or regularly check for updates manually.
Content filtering
Use content filtering to block access to malicious websites, inappropriate content, or specific categories of websites (like gambling or adult content). This can help prevent users from inadvertently accessing harmful or distracting content.
Physical placement/secure locations
The user should place their networking equipment in secure locations to prevent unauthorized access. For example, keep routers and switches in locked cabinets or rooms to prevent physical tampering or theft.
Dynamic host configuration protocol (DHCP) reservations
Assign static IP addresses to specific devices on the user's network using DHCP reservations. This ensures that critical devices always receive the same IP address, making them easier to manage and allowing specific security rules to be applied to them.
Static wide-area network (WAN) IP
If the user's network uses a static WAN IP address, ensure that it is properly configured and protected.
Make sure to regularly monitor for any unauthorized changes to the WAN IP address or settings.
Universal plug and play (UPnP)
Keep UPnP disabled unless absolutely necessary. UPnP can introduce security vulnerabilities by automatically configuring port forwarding and opening firewall ports without user intervention.
Manually configure port forwarding rules instead, if needed, to ensure better control over network access.
Screened subnet
Implement a screened subnet architecture to separate your internal network from external threats. This can be achieved by using a firewall or router with multiple interfaces to create a demilitarized zone (DMZ) where public-facing servers or services are located, while keeping internal resources protected behind another layer of security.
Changing the service set identifier (SSID)
The user should change the default SSID of the wireless network to a unique name that does not reveal any personal information. Avoid using easily guessable names or anything that identifies the business or location.
Disabling SSID broadcast
The user should disable the broadcasting of their SSID to prevent it from being easily discovered by unauthorized users.
This doesn't completely hide the network, but it adds another layer of obscurity and may deter casual attackers.
Encryption settings
The user should enable strong encryption protocols such as WPA2 (Wi-Fi Protected Access 2) or, ideally, WPA3 if it is supported by their devices. Use a strong passphrase or network key that is difficult to guess.
Avoid using outdated encryption standards like WEP (Wired Equivalent Privacy), as they are vulnerable to attacks.
Disabling guest access
If the user does not require guest access to their network, they should disable this feature on the router.
Guest networks pose security risks if not properly configured and monitored.
Changing channels
The user should adjust the wireless channel settings on their router to minimize interference from neighboring networks.
Use tools like WiFi analyzers to identify the least congested channels in the user's area and switch to them for optimal performance and reduced interference.
Disabling unused ports
If the user's wireless router has Ethernet ports, disable the ports that are not in use to prevent unauthorized access through wired connections.
Port forwarding/mapping
This should only be enabled for services that require external access, like a web server or remote desktop application.
Avoid forwarding unnecessary ports as they can expose your network to potential security risks. Regularly review and update your port forwarding rules to ensure they are still necessary and secure.