A misconfigured SOHO firewall could be a significant security concern. In this video, you’ll learn about network address translation, DMZ ports, port forwarding, universal plug and play, and much more.
<< Previous Video: Installing a SOHO Network Next: 802.11 Wireless Standards>>
There are many options available when configuring a small office or home office router. And in this video, we’ll go through some of the more common configuration settings.
Inside of your SOHO router is a very capable firewall. It allows you to have access to the internet. But it prevents anyone from the internet from accessing any resources on your internal network. This is not generally a feature you can disable. If you’re using a SOHO router then you’re using this firewall.
The firewall in some SOHO routers allows you to configure an IP address that’s on your internal network or configure a physical port on your router to be the DMZ. This stands for demilitarized zone. This military term is the midpoint between two sides. So this would allow people to access a device that would not allow them access to the internal network. But they would still be able to access those resources from the internet.
On my SOHO router there’s an option to configure a default DMZ server. And then you can add the IP address of the device that would have access from the internet. On most SOHO routers there’s no additional configuration that’s needed. If you’re enabling the DMZ function, you’re effectively opening up that device to the internet. And that may not be the security feature you need. What you may want to do is configure specific port forwarding rules that we’ll talk about later in this video.
Worldwide, there are over 20 billion devices that are connected to the internet. And this number is constantly growing. IPv4 supports a total of just over 4 billion addresses. You can see that we have many more devices connected to the internet than we have IP addresses. As you can imagine, the address space for IPv4 is completely exhausted. We don’t have any additional IP addresses that we can assign to individuals.
The way that we’re able to get these 20 billion devices communicating on a network that can only support just over 4 billion devices is a technology called Network Address Translation, or NAT. And this is an always-on functionality that’s configured inside of your SOHO router. There are many different implementations of NAT. We’ll look at a couple of uses of Network Address Translation in this video.
The Network Address Translation functionality that is always on inside of our SOHO routers can be called Source Network Address Translation. You might also hear it called PAT, for Port Address Translation. This functionality translates all of your internal IP addresses to appear as one single IP address on the internet. This means that you’re able to have tens, hundreds, or even thousands of devices on your internal network. But to the internet it all looks like one device.
Your devices internally don’t have to do anything to take advantage of this NAT. For example, at this device, at 192.168.3.22 we’re communicating out to the internet. When it hit your SOHO router, that router would translate your internal address to look like an external address, such as 66.20.1.12. And any device that receives this traffic on the internet sees the source IP address as this external NATed address instead of your internal IP address.
This network address translation works great if you’re sending traffic out to the internet. But what if you’d like to create a service on the inside of your network and perform a network address translation in the other direction? We call this type of Network Address Translation port forwarding. This allows you to configure your SOHO router so an internal device is now available externally.
Here’s a port forwarding rule that I have configured in my SOHO router. This is my security role. And if any device accesses my external IP address over ports 8088, it will translate those ports to port 80 on the inside and send that traffic to 10.1.10.221.
You might also hear port forwarding referred to as Destination NAT, or static NAT, because we’re changing the destination IP address for this inbound traffic. This is a rule that, once it’s set up, doesn’t expire and it doesn’t time out. Anyone who accesses that port number and IP address from the outside will always have access to that particular server on the inside of my network.
Here’s an example of port forwarding. We have our internal network on the left side. And our Network Address Translation is being done by our SOHO router. We also have devices out here on the internet. There’s a 64.223.53.7 who needs to communicate to one of my internal servers. So I’ve configured a port forwarding rule that says if any traffic is inbound to 66.20.1.14, translate that destination to 192.168.3.22, which would be my server.
That means if a device on the internet sends traffic inbound to my SOHO router, when it hits my router it will look at the configuration and see the Destination NAT conversion table, or the port forwarding table, that I’ve configured inside of that SOHO router. The router then changes the destination IP address. And that traffic makes its way to my internal server.
Many SOHO routers allow you to make dynamic configuration changes using UPnP. This is Universal Plug and Play. This means that other devices on your network can automatically configure your SOHO router and make changes to the configuration at any time.
We sometimes refer to this as zero configuration. This means that instead of you manually creating port forwarding rules, you can have applications communicate directly to your router to enable or disable the access for certain port numbers. There’s no additional configurations or approvals needed for this. Those changes are simply sent to the router. And those firewall updates are made in real time.
One advantage to using UPnP is that these ports are only open when you’re using that particular application. And when you close the application those particular ports are disabled on the router. But this could also be a security concern, since you don’t have any direct control as to when certain ports are open and when certain ports are not open. And in those cases, a best practice might be to disable the Universal Plug and Play feature and have all of your configurations done manually through port forwarding.
Many SOHO routers allow you to perform content filtering inside of the router. So any communication out to the internet can be filtered by URL or can be filtered by a name that’s in that URL.
There are two common philosophies when configuring content filtering. One of these is to enable whitelisting. This means that no traffic is allowed through the firewall unless you specifically add the sites that are allowed. The other philosophy would be to blacklist traffic. That means that all traffic would be allowed through the firewall except for specific blocked sites, URLs, domain names, and IP addresses that are configured in the firewall.
Every device that connects to your network has a unique address called the Media Access Control address, or the MAC address. This allows you to configure your firewall to allow or disallow access for particular MAC addresses on your network. This is a common filtering technique that allows your network administrator to control exactly what devices are able to communicate through your router.
There’s obviously additional administration that’s required for this, because the administrator would have to add all of the MAC addresses that are allowed through your particular router. And although this can be used to limit some devices, all MAC addresses are viewable by capturing packets that may be going across your network. So as a security technique, this is not a very good way to prevent someone from gaining access to your network.
MAC addresses can be easily spoofed, which means someone can change a MAC address to get through the filter that’s in your router. Because this process of circumventing a MAC filter is obvious if you know how to do it, we don’t consider this a security technique. Instead this is called security through obscurity, which in reality is no security at all.
If your SOHO router includes wireless connectivity, then you’ll want to configure the wireless settings to have the highest possible encryption. That way, any traffic sent over the wireless network would be completely protected. On most modern routers you’ll want to configure WPA2 encryption, which is an AES type of encryption. You may also see options for WPA. But you’ll want to choose WPA2 for the best possible encryption.
Older wireless routers might even give you the option for WEP, Wired Equivalent Privacy. This is an older encryption mechanism that has a number of vulnerabilities. So you want to be sure not to use WEP on any of your devices. If you have more than one wireless access point, you may want to check and make sure that it’s using the highest level of encryption. You don’t want to use WEP or WPA. You want to make sure all of your devices are using WPA2.
And if you’re in an area with a number of different wireless access points, you may want to check the frequency settings and make sure it’s not conflicting with other devices in your area. Some devices allow you to specify the channel manually or to configure an automatic function, where the router finds the best possible frequencies for your area.
Not all SOHO routers support Quality of Service configurations. But those that do give you a lot of control over what applications are prioritized on your network. For example, if you have Voice over IP communication on your network you may want to prioritize voice communication as the highest priority and all other applications as lower priorities.
Many QoS configurations allow you to set priorities based on the type of application, the port numbers in use, IP addresses, and other settings. But you’ll want to be very careful when making these QoS settings. It can be very easy to choose the incorrect application. And you end up slowing down the applications that really need the highest priority.