2.10 - Securing a SOHO Network

Wireless Devices: Default Settings and Security Best Practices

  • Default Username and Password

    • Wireless routers and SOHO devices come with a default admin username and password for initial access.

    • It is essential to change these defaults after the first login to prevent unauthorized access.

    • An unchanged default login gives anyone who knows it full control of the device and network.

  • Common Knowledge of Default Logins

    • Default credentials are publicly accessible online, e.g., through sites like routerpasswords.com.

Security Features in SOHO Devices

  • Content Filtering

    • Mechanism to restrict which websites can be visited.

    • Types of filters:

      • Allow List: Only sites on the list can be accessed.

      • Deny List: All sites are accessible except those on the list.

    • Content filters can control the transfer of sensitive data.

    • For example, restricting access to file sharing sites to protect sensitive company data.

  • IP Address Filtering

    • Allows or blocks access to the network based on specific IP addresses.

  • Firmware Updates

    • SOHO devices run on firmware, which is their operating system.

    • Regular updates (though less frequent than systems like Windows) provide bug fixes, new features, and security patches.

    • Maintain up-to-date firmware for routers, firewalls, switches, and other devices to ensure security.

Network Device Configuration Challenges

  • Single Device Functionality

    • Often, a single SOHO device can function as a router, wireless access point, switch, content filter, and firewall.

    • Ideal placement is close to the internet service provider (ISP) connection for efficiency.

  • Device Management

    • Management can be a challenge without an IT technician on hand.

    • Universal Plug and Play (UPnP) helps configure routers via software without direct login.

    • This feature, however, poses security risks and is often disabled by default.

Network Security Configurations

  • Demilitarized Zone (DMZ)

    • A screened subnet connected to a firewall to manage inbound traffic separate from the internal network.

    • This allows public services to be accessible while keeping internal data secure.

  • Access Control Measures

    • Change default logins and implement strong passwords for additional security.

    • Implement multi-factor authentication if supported, for added security.

    • Some devices support IP address controls, defining which IPs can manage the device.

    • As a best practice, remote management should be disabled to restrict access to the local network only.

Wireless Network Names and Security

  • Service Set Identifier (SSID)

    • The SSID is the name of the wireless network.

    • Best practice: change the SSID to a less obvious name to enhance security.

    • SSID broadcasting can be disabled, though this is not a true security measure.

  • Network Authentication Types

    • Open Network: No password required, often seen in public spaces (e.g., cafes).

    • WPA2 or WPA3: Encrypts connection and requires a password for authentication.

    • Pre-Shared Key (PSK): Common in home networks, everyone uses the same password to connect.

    • For enterprise networks, consider separate credentials via WPA2/WPA3 Enterprise or 802.1X.

Access Point Configuration and Management

  • Channel Selection

    • Access points may automatically select the best channel based on interference from nearby networks, adjusting accordingly for optimal performance.

  • Guest Networking

    • Guest networks allow separate access without exposing the main network.

    • Ideal for IoT devices or lab networks, ensuring safety while providing internet access.

  • Security Protocols

    • Always enable a security protocol: WPA2 at minimum, ideally WPA3, for both home and business networks.

Network Access Control and Configuration

  • RJ45 Jack Access

    • Ensure any inactive ports are disabled to prevent unauthorized access to the local network.

    • 802.1X can be implemented for network access control, requiring credentials before access.

  • Port Forwarding

    • Enables external internet devices to access internal services by mapping external ports to internal IP addresses.

    • Key components for configuring port forwarding include:

      • Private IP address of the internal server.

      • Public port number accessible from outside.

      • An internal port number to communicate with the server.

    • Example:

      • Public IP 66.20.1.14 translates to internal IP 192.168.3.22.

    • Keep in mind, port forwards are always active unless disabled, impacting overall network security.
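
The port-forwarding lookup and a review of the enabled rules, as an added example that is not part of the original notes. The two IP addresses come from the example above; the port numbers, rule names, LAN prefix, router address and the first-match behaviour are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Addresses are the ones in the notes; the LAN prefix, router address,
# port numbers and rule names are constructed for illustration.
PUBLIC_IP = "66.20.1.14"
LAN = ipaddress.ip_network("192.168.3.0/24")
ROUTER_IP = "192.168.3.1"

@dataclass
class Forward:
    name: str
    public_port: int      # port exposed on the public address
    private_ip: str       # internal server
    internal_port: int    # port the server listens on
    enabled: bool = True

RULES = [
    Forward("web-server", 8443, "192.168.3.22", 443),
    Forward("old-camera", 8081, "192.168.3.40", 80, enabled=False),
    Forward("router-admin", 8080, ROUTER_IP, 80),
    Forward("web-test", 8443, "192.168.3.23", 443),
]

def translate(dst_ip, dst_port, rules=RULES):
    """Map an inbound (public IP, port) to (private IP, port); None means dropped."""
    if dst_ip != PUBLIC_IP:
        return None
    for r in rules:
        if r.enabled and r.public_port == dst_port:
            return (r.private_ip, r.internal_port)  # assumed: first enabled match wins
    return None

def audit(rules=RULES):
    """Return (rule name, finding) pairs for every enabled forward."""
    findings, seen = [], {}
    for r in rules:
        if not r.enabled:
            continue  # a disabled forward exposes nothing
        if ipaddress.ip_address(r.private_ip) not in LAN:
            findings.append((r.name, "target is outside the LAN"))
        if r.private_ip == ROUTER_IP:
            findings.append((r.name, "exposes the router itself to the internet"))
        if r.public_port in seen:
            findings.append((r.name, f"shadowed by {seen[r.public_port]}"))
        seen.setdefault(r.public_port, r.name)
    return findings
```

Only enabled rules translate traffic, so the disabled camera rule drops its packets, while the rule pointing at the router's own address is reported because it undoes the advice to keep management on the local network.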

Conclusion: SOHO Network Management Best Practices

  • Maintain strong security practices including changing default settings, utilizing strong passwords, updating firmware regularly, and carefully configuring features to enhance the security posture.