7.04 Configure appropriate security settings on (SOHO) wireless and wired networks
Introduction
Imagine your home is a castle, and you want to keep it safe from intruders. In the digital world, your home network is your castle, and your router is the main gate. Just like you’d put up fences, locks, and cameras around your home, your router and network need proper security settings to protect against hackers, malware, and unauthorized access. Learning how to configure security settings for your Small Office/Home Office (SOHO) network will help you solve problems, protect your data, and even help others by ensuring they can secure their networks too. Whether it’s setting up a firewall, updating firmware, or managing Wi-Fi channels, these tools will help you become the guardian of your digital space.
Home Router Setup
A Small Office Home Office (SOHO) network uses one device to manage all connections. This device combines the functions of a router, modem, Ethernet switch, and Wi-Fi access point. It is often called a home router, SOHO router, or wireless router.
Physical Placement and Security
Securing the Router
The router should ideally be placed in a secure location to avoid tampering or accidental damage.
Accidental Damage: Someone might unplug or accidentally power off the device.
Malicious Activity: Someone could try to reset the router to factory settings, change the configuration, or connect unauthorized devices.
Home Setup Challenges
In home networks, routers need to be placed near the entry point where the service provider's cable connects. This limits where you can place the router, making it harder to hide or secure the device. If the router also controls Wi-Fi, locking it in a cabinet may reduce the Wi-Fi signal strength.
Steps to Set Up a Home Router
1. Connecting to Provider Cabling
WAN Port: Connect the router to the service provider's cabling through the WAN port. The type of WAN port depends on the connection:
Full fiber: Use a WAN RJ45 port.
DSL: Use a WAN RJ11 port.
Cable: Use an F-connector coax port.
Some routers connect through an external digital modem using a dual-purpose RJ45 WAN/LAN port.
2. Powering on the Router
Power on the router and connect your computer to one of the router's LAN ports (usually color-coded yellow).
Ensure your computer is set to obtain an IP address automatically using the DHCP (Dynamic Host Configuration Protocol) server on the router. This will provide the computer with a valid IP address.
3. Accessing the Router’s Management Page
Open a web browser and enter the router’s management URL. This could be an IP address like http://192.168.0.1 or a domain name like http://www.routerlogin.com.
The connection might use HTTPS instead of HTTP for security. If you can't connect, check that your computer’s IP address is in the same range as the router.
4. Changing Default Settings
Password: The first time you log in, change the default administrator password to a strong password with at least 12 characters. This helps secure your network from unauthorized access.
Username: If possible, change the default username for added security.
Internet Access and WAN IP Setup
1. Using the Internet Setup Wizard:
Most routers have a wizard to help you set up the Internet connection through the service provider's network.
The router will typically configure the WAN link parameters (fiber, DSL, or cable) automatically. You might need to enter a username and password provided by your Internet Service Provider (ISP).
2. Obtaining a Public IP Address:
The router’s public interface (WAN) IPv4 address is usually assigned automatically by the ISP using DHCP. This IP address must be from a valid public range.
3. Static IP Setup:
Some ISPs assign a static IP address, or you can pay for this option. If manual configuration is required, follow the instructions provided by your ISP to set up the static IP on the router’s WAN interface.
4. Verifying the Connection:
Once the Internet interface is set up, check the router’s status page to confirm that the Internet link is active and working properly.
Firmware Update
Keeping your home router’s firmware up to date is important to ensure security and access to the latest features, like WPA3. Firmware updates help fix security vulnerabilities and improve performance.
Steps to Perform a Firmware Update
1. Download the Firmware
Go to the vendor’s website and find the latest firmware update for your specific router model. Make sure you download the correct firmware for your device’s make and model.
4. Avoid Interruptions
It is critical to ensure that power is not interrupted during the update process. A power outage or disruption can cause serious issues, potentially rendering the router unusable.
2. Access the Router’s Management App
Log into your router’s management app (accessed through your browser using the router’s IP address). Look for the Firmware Upgrade option in the settings menu.
3. Upload the Firmware
Select the Firmware Upgrade option. Browse for the file you downloaded from the vendor’s website, and then upload it to the router.
Home Router LAN and WLAN Configuration
A home router offers a complete solution for setting up a local network. It provides Internet access through its WAN port, and devices can connect via RJ45 LAN ports or through the router’s Wi-Fi access point functionality.
Service Set ID (SSID)
The Service Set ID (SSID) is the name users see when they want to connect to your Wi-Fi network.
The default SSID is usually based on the router’s brand or model.
You should change the default SSID to something your users will recognize, but avoid including personal information like an address or name. For example, in a business setting, an SSID like "Accounts" could become a target for an evil twin attack.
Disabling SSID Broadcast
Disabling SSID broadcast means your network won’t show up in the list of available networks for devices. This can give some privacy, but it also makes the setup more complicated.
Important: Disabling SSID broadcast does not secure the network. Encryption is still necessary, as the SSID can still be discovered using packet sniffing tools.
Encryption Settings
To secure your Wi-Fi network, you must configure the encryption settings properly.
WPA3 is the most secure option and should be chosen if supported by all your devices.
If needed, you can enable WPA2 compatibility (AES/CCMP) or even WPA2 (TKIP), but remember that this weakens security.
If using personal authentication, choose a strong passphrase (at least 12–16 characters) to generate the network key.
Disabling Guest Access
Many home routers enable a guest wireless network by default. This network allows visitors to access the Internet without needing a passphrase, but isolates them from other devices on the network.
If guest access is not needed, it’s recommended to disable this feature to prevent unauthorized access.
Changing Wi-Fi Channels
Each frequency band (2.4 GHz, 5 GHz, or 6 GHz) used by Wi-Fi has multiple channels. Your router can be set to auto-select a channel or you can pick one manually.
On auto-detect, the router will choose the least congested channel at the time it boots up.
If your network experiences interference, use a Wi-Fi analyzer to find the least crowded channel and manually select it in the router settings.
By following these steps, you’ll ensure that your home router is securely configured and optimized for performance.
Home Router Firewall Configuration
Home routers come with a built-in firewall that provides at least basic protection for your network. Some routers offer more advanced filtering options. A firewall works by filtering network traffic in two main ways:
Inbound and Outbound Filtering
1. Inbound Filtering:
Purpose: Controls whether external (remote) devices can connect to certain TCP/UDP ports on internal devices within your home network.
Default Setting: All inbound traffic is blocked on a home router unless specific exceptions are created using port forwarding.
2. Outbound Filtering:
Purpose: Controls which hosts or websites your devices on the home network are allowed to access on the Internet.
Default Setting: Outbound traffic is allowed by default, but you can use content filtering to restrict access to specific sites or services.
IP Address Filtering vs. Content Filtering
IP Address Filtering:
A packet-filtering firewall can allow or block traffic based on source and destination IP addresses. However, managing and updating IP address lists can be complicated.
Content Filtering:
Most home routers use content filtering instead of IP filtering. This involves the firewall downloading and using reputation databases that group websites and IP ranges based on categories like:
Malware
Spam
Malicious content
Inappropriate content (for parental controls)
Content filters can also block websites based on keywords, search terms, or specific URLs. Different types of content can be blocked using blacklists tailored to specific categories.
Example of Parental Controls
Many home routers, like TP-Link models, allow parental control settings. You can use content filtering to restrict:
When certain devices can access the Internet.
Which websites or content types are accessible.
The parental controls setting helps manage when devices can access the network.
Time-Based Filtering
Another useful feature of content filtering is the ability to limit Internet access times. You can set up time-based restrictions, typically provided through services offered by your Internet Service Provider (ISP). This can be helpful for managing when different devices or users can connect to the Internet.
Port Forwarding used to host online games.
Understanding Home Router Port Forwarding
Port Forwarding Basics Port forwarding allows external devices (like those on the Internet) to connect to a computer or service on your home network. This is commonly used for hosting online games, accessing home computers remotely, or running web servers from home.
Assigning Static IP Addresses and Using DHCP Reservations
Why a Static IP or DHCP Reservation Is Needed For port forwarding to work, the router needs to send incoming requests to the correct local device. If the device’s IP address changes (as it might with dynamic IP assignment through DHCP), port forwarding will break. You can resolve this by either:
Assigning a Static IP Address: Manually configure the device to always use the same IP.
Using a DHCP Reservation: Configure the router to always assign the same IP to a specific device based on its MAC address.
Setting Up Port-Forwarding and Port-Triggering Rules
How Port Forwarding Works When a device on the Internet tries to connect to your home network, it can only see the router’s WAN interface and public IP address. Your router’s firewall blocks direct access to local devices. To allow access, you must set up a port forwarding rule, which forwards the external request to the appropriate device on your local network.
Example: If you are hosting a Minecraft server, you would forward port 25565 to the local device running the game server. The router directs the external request to the correct device, allowing the game to be played online.
Enhancing Security by Disabling Unused Ports
Why Disabling Unused Ports Is Important Unused ports present a security risk. If you no longer need a port forwarding rule, it should be disabled or deleted to prevent unauthorized access.
Routine Security Check To maintain a secure network, review your router’s configuration regularly (at least once a month) to ensure that only necessary ports are open.
Port Triggering for Advanced Applications Some applications, like FTP servers, require multiple ports to function. Port triggering allows the router to open inbound ports dynamically when it detects specific outbound traffic.
For example, if the router sees traffic on port A, it will temporarily open port B for incoming connections from the same source.
Advanced Security: Outbound Filtering
Blocking Unnecessary Outbound Connections For an added layer of security, some home routers allow you to block all outgoing connections by default and permit only certain ports. This ensures that only specific, trusted services can send data to the Internet. However, this setup can be complex and is typically used in more advanced configurations.
Universal Plug-and-Play (UPnP)
Overview of UPnP Configuring port forwarding or port triggering can be difficult for many users. Often, users may disable their firewall altogether to make applications work, which introduces serious security risks. To help solve this, Universal Plug-and-Play (UPnP) was developed. This framework allows certain devices to automatically configure the firewall, opening necessary ports and IP addresses without user intervention.
How UPnP Works
When UPnP is enabled on your firewall, devices such as gaming consoles (like Xbox or PlayStation) or voice-over-IP (VoIP) handsets can automatically send commands to configure the firewall for the necessary network access. This simplifies the process for users by eliminating the need to manually configure port forwarding.
Example: When you enable UPnP, an Xbox can automatically open the required ports for online gaming, or a VoIP handset can configure the network for making and receiving calls without further action from the user.
Enabling UPnP on the Router
To enable UPnP, simply check the box in the router’s UPnP settings page.
Once UPnP is enabled, any device that uses UPnP will configure the necessary firewall rules automatically.
Note: Although UPnP simplifies network configurations, it also lists the rules configured by devices in the firewall’s service list.
UPnP Security Risks
Security Concerns with UPnP While UPnP makes networking easier, it comes with significant security vulnerabilities. UPnP does not require authentication, meaning it can be exploited by malicious actors or malware to open ports for attacks. To avoid these risks:
Disable UPnP if it's not needed. UPnP should not be enabled unless absolutely required.
Never accept UPnP configuration requests from external (Internet) interfaces. Ensure that the router is only accepting UPnP requests from trusted devices within your local network.
Update Firmware Regularly: Keeping up with security patches and firmware updates from the router manufacturer is crucial to closing any potential vulnerabilities in UPnP.
Disabling UPnP on Client Devices
In addition to disabling UPnP on the router, make sure that UPnP is also disabled on client devices (like printers, webcams, and other smart devices) unless you have verified that the UPnP implementation on those devices is secure.
Vulnerable Devices:
Devices like printers, webcams, and other IoT devices have been found to contain vulnerabilities that can be exploited through UPnP, potentially allowing attackers to take control of those devices or use them to launch network attacks.
Screened Subnets: Enhancing Network Security
When making a server accessible on the Internet, it's essential to think about the security of the local network. If a server that is the target of a port-forwarding rule gets compromised, the attacker could potentially exploit other devices on the local network or monitor local network traffic.
What is a Screened Subnet?
In enterprise networks, a screened subnet offers a more secure way to manage this situation. Also referred to as a demilitarized zone (DMZ) (though this term is now considered outdated), a screened subnet isolates certain hosts by placing them in a separate network segment with a distinct IP subnet address range.
This configuration involves:
Two firewalls or
A firewall with at least three interfaces capable of routing traffic between different segments.
Each section of the network is governed by separate security rules:
Between the screened subnet and the Internet.
Between the Internet and the LAN.
Between the LAN and the screened subnet.
Screened Subnet using dual firewall devices
Why Use a Screened Subnet?
A screened subnet keeps critical servers, such as web servers or other externally accessible resources, separate from the internal LAN. If an attacker compromises one of the hosts in the screened subnet, it minimizes the risk of them accessing the local network or attacking other internal devices.
Typical Home Router Functionality
Most home routers only have basic firewall functions and don’t provide the full features of a screened subnet. They typically protect the local network from external threats but don’t offer the option to establish a fully isolated screened subnet.
Home Router "DMZ" vs. True Screened Subnet
Some home routers use the term "DMZ" differently. In this case, a DMZ host refers to a computer on the local network (LAN) that can receive communications from any ports not forwarded to other hosts. Essentially, a DMZ host is not protected by the firewall and is fully accessible to external Internet hosts. While this setup may be convenient, it exposes the DMZ host to greater security risks, making it important to use a host firewall to add a layer of protection.
Configuring DMZ on Home Routers
To configure a DMZ host on a home router:
Access the router's DMZ settings.
Designate a specific IP address on the LAN to be the DMZ host.
Be aware that this host will be exposed to the Internet without firewall protection.
Example of Home Router DMZ Configuration
For example, if the IP address 192.168.1.202 is designated as a DMZ host. This means it will not be protected by the router's firewall and will be fully accessible to the Internet.
Summary
Great work! You've learned a lot about setting up and securing a home or small office network. From placing and securing your router, configuring internet access, updating firmware, and setting up encryption and SSIDs, to understanding firewalls, port forwarding, and the risks of using DMZ or UPnP, you now have a solid foundation. Remember, keeping your network secure involves regular updates and monitoring, so stay proactive. Your dedication to learning these critical steps will help ensure your network stays safe and efficient! Keep it up!