Securing a SOHO Network – CompTIA A+ 220-1102 – 2.9

A SOHO network should be as secure as the largest corporate data centers. In this video, you’ll learn about default password management, firmware updates, SSID management, port forwarding, and more.

If you’re installing a router or access point into a small office or home office, a SoHo, then you want to be sure that you’re not using the default username and password for that device. When these devices ship from the manufacturer, they all have a standard set of usernames and passwords. For example on the WRT54G from Linksys, the default username is admin and the default password is admin.

You certainly don’t want to leave those default credentials in place, because anyone who comes along and tries that combination will have complete access to your router. This is a best practice for any device or operating system you install in your office or home: every default credential needs to be changed. Trying the defaults is a very easy step for an attacker, because all of this information is documented online.

There are websites that list the default credentials for practically every device that might be on your network. The routers and switches we use in a small office or home office are usually purpose-built appliances that have their own operating system, and all of the software in that device is maintained by the manufacturer. If there are any updates for the device, they’ll be provided by the manufacturer as a firmware update.

This new firmware may contain bug fixes, security patches, or new features for the operating system of the device. As a general rule, you’ll want to make sure you always maintain the latest version of software on these devices. Each time the manufacturer releases a security patch, it’s delivered as one of these firmware updates, and you want to be sure your device always has the latest set of security patches installed.

Your SOHO router may also have filtering built in, in the form of IP address filtering or content filtering. You may be able to create an allow list on the router that blocks all traffic through the router except traffic destined for certain IP addresses or fully qualified domain names. This is obviously a very restrictive form of security, and it requires that you as the administrator always keep that list up to date.

A different philosophy on filtering is to create a deny list, where everything is allowed through the router except access to very specific IP addresses or sites. This might be a list of IP addresses, domain names, or URLs that is filtered in your device, and no one behind your SOHO router will be able to reach those destinations.

This content filtering provides an additional layer of security that you don’t normally get from the firewall. This allows you to really focus on allowing or disallowing access to certain locations. In a corporate environment, this may be implemented to allow or disallow access of sensitive information. You may be restricted from visiting certain sites because those sites may be inherently insecure. Or this remote site might have content on it that’s not appropriate for work.

If you’re using this at home, you might want to use this type of filtering as a parental filter to limit what websites are available to other people in the home. And in some cases, these filters can prevent someone from being infected with malware. These are known bad sites, and by filtering them out of your router you can prevent someone from accessing a site that could be potentially dangerous.
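Here’s an added example, not from the video, that shows the difference between the two policies as code: an allow list that denies everything not listed, and a deny list that blocks only what is listed. The lists and destinations are made-up values. The matching takes care of two details SOHO filters often get wrong: subdomains (example.com must cover www.example.com but not notexample.com) and IP literals (a name-only list does nothing for a user who connects to a raw address).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy lists (assumed values, not from the video). Entries may be a
# domain (matches itself and every subdomain), an IP address, or a CIDR block.
ALLOW_LIST = ["example.com", "accounting.example.net", "203.0.113.0/24"]
DENY_LIST = ["malware.test", "198.51.100.7"]


def _matches(host, entry):
    """True if host (DNS name or IP literal) is covered by one list entry.

    Domain entries compare on label boundaries, so 'notexample.com' does not
    match 'example.com'. IP and CIDR entries match IP literals by membership;
    a domain entry never matches an IP literal, which is why an allow list
    built only from names is trivially bypassed by connecting to raw addresses.
    """
    host = host.strip().lower().rstrip(".")
    entry = entry.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # host is a name: exact match or a dot-separated suffix match
        return host == entry or host.endswith("." + entry)
    try:
        return ip in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # entry is a domain name; it cannot cover an IP literal


def decide(destination, mode, entries):
    """Permit (True) or block (False) a destination under the chosen policy.

    mode == "allow": default deny, only listed destinations pass.
    mode == "deny":  default allow, only listed destinations are blocked.
    destination may be a bare host/IP or a full URL.
    """
    host = destination
    if "://" in destination:
        host = urlsplit(destination).hostname or ""
    listed = any(_matches(host, e) for e in entries)
    if mode == "allow":
        return listed
    if mode == "deny":
        return not listed
    raise ValueError("mode must be 'allow' or 'deny'")


if __name__ == "__main__":
    for dest in ("www.example.com", "notexample.com", "203.0.113.42", "example.org"):
        print(f"{dest:20} allow-list: {decide(dest, 'allow', ALLOW_LIST)!s:5} "
              f"deny-list: {decide(dest, 'deny', DENY_LIST)}")
```

The same policy is only as good as where it is enforced: a router that filters by name typically does it in its DNS forwarder, so a client pointed at an outside resolver or at a hard-coded IP address walks straight past a name-only list.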

The devices we use in a SOHO environment are usually all-in-one devices. That means they are a router, a switch, a firewall, a content filter, and many other functions all combined in the same piece of hardware. In an office, you might find that this device is kept behind a locked door or in a locked cabinet to keep everything safe and secure.

But if this is an access point, you may find that it needs to be mounted somewhere high like the ceiling so that everyone would have the best possible reception to that antenna. For safety, you may have to put this access point in a certain area or use a particular mounting bracket. There may be many options for installing this access point. So make sure you do plenty of planning before the installation.

It’s become almost expected that we would connect our device to a network and automatically receive an IP address using the Dynamic Host Configuration Protocol, or DHCP. But in some networks, they don’t use DHCP, and instead prefer to statically assign IP addresses on all of the devices on the network. This would probably be difficult to manage in a large corporate environment.

But in a SoHo environment where there are a much smaller number of devices, this might be more reasonable. If the network is not encrypted, you’ll be able to see all of the IP addresses that are being used on the network at any particular time. And if an attacker is able to get into the encrypted side of the network, they would certainly be able to see the IP addresses.

Some might think that statically assigning an IP address would somehow make it more difficult for someone to gain access to the network. But in reality, it’s relatively easy to determine what IP addresses are used by a network, and you shouldn’t use that as any type of security mechanism. We often refer to this as security through obscurity, which means if you know the security method that’s being used, it’s very, very trivial to be able to circumvent it.

Configuring everyone’s IP address on a DHCP server is relatively easy because you make all of those configuration changes in one place. And when people connect to the network, they automatically receive an IP address. You don’t have to visit every single device on the network to make sure that IP addresses are properly assigned. But there may be times when you would like to make sure that everybody has exactly the same IP address every time they connect to the network.

One way to accomplish this is by using DHCP, but configuring the DHCP server to provide IP address reservations. To reserve an IP address, you define the MAC addresses of the devices on your network and associate each of those MAC addresses with an assigned IP address. Each time a device connects to the network, its MAC address is compared to the table you’ve created, and if there’s a match, it’s assigned the IP address associated with that MAC address.

If you look in your SOHO router, you may see this defined as a static DHCP assignment, static DHCP, a static assignment, or simply an IP reservation. Here’s the DHCP reservation screen on my SOHO router. You can see there is a list of MAC addresses. There are IP addresses associated with those MAC addresses. And in this case, we can also associate a host name so that it’s something we can easily recognize when we’re making these configurations in our SOHO router.
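As an added example (my own code, not something from the video), here is what that reservation table looks like when it’s generated for dnsmasq, the DHCP server inside OpenWrt and many SOHO firmwares. The MAC addresses, IP addresses, host names, subnet, and pool boundaries are all assumed values. The script normalizes the different MAC formats people paste in, rejects duplicates and addresses outside the LAN, and flags reservations that overlap the dynamic pool.

```python
import ipaddress
import re

# Constructed reservation table (hypothetical MACs, addresses and names, not from
# the video): the same three columns the router's reservation screen shows.
RESERVATIONS = [
    ("AA-BB-CC-11-22-33", "192.168.1.10", "printer"),
    ("aabb.cc44.5566", "192.168.1.11", "nas"),
    ("aa:bb:cc:77:88:99", "192.168.1.150", "camera-server"),
]
LAN = ipaddress.ip_network("192.168.1.0/24")
# Dynamic pool the server hands out to everyone without a reservation (assumed).
POOL = (ipaddress.ip_address("192.168.1.100"), ipaddress.ip_address("192.168.1.200"))


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco aabb.ccdd.eeff; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_reservations(table, lan=LAN, pool=POOL):
    """Return (dnsmasq dhcp-host lines, warnings) for a MAC -> IP -> hostname table."""
    lines, warnings = [], []
    seen_macs, seen_ips = set(), set()
    for mac, ip, name in table:
        mac = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in lan:
            raise ValueError(f"{name}: {ip} is outside {lan}")
        if mac in seen_macs:
            raise ValueError(f"{name}: MAC {mac} is already reserved")
        if addr in seen_ips:
            raise ValueError(f"{name}: {ip} is reserved twice")
        seen_macs.add(mac)
        seen_ips.add(addr)
        if pool[0] <= addr <= pool[1]:
            # Not every DHCP server keeps reserved addresses out of its own pool,
            # so flag the overlap for the administrator to confirm.
            warnings.append(f"{name}: {ip} lies inside the dynamic pool "
                            f"{pool[0]}-{pool[1]}; confirm the server will not also lease it")
        lines.append(f"dhcp-host={mac},{ip},{name}")
    return lines, warnings


if __name__ == "__main__":
    config, warns = build_reservations(RESERVATIONS)
    print(f"dhcp-range={POOL[0]},{POOL[1]},12h")
    print("\n".join(config))
    for w in warns:
        print("# warning:", w)
```

The output is the `dhcp-host=` syntax dnsmasq reads; on a vendor router you would key the same three columns into the reservation screen instead. A reservation is a convenience for addressing, not access control: MAC addresses are trivially changed, so anyone with the wireless key or a live port can still take an address.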

Not only do we have to manage the IP addresses on the inside of our network, we also have to think about the IP addresses that are being used on the outside of our network or the internet side. We often refer to this as the WAN IP address for wide area network, and it’s often associated with the internet connection for our facility. If you’re using a router at home, this IP address on the WAN is usually dynamically assigned by your internet service provider.

And if you were to power off your router and power it back on, you could receive a different IP address when that device reboots. For a company or large organization, however, you might want to have exactly the same IP address every time this device boots up. If that’s the case, you’ll want to first coordinate that process with your ISP and then configure your router to always associate a static IP address and subnet mask with your internet connection.

This would ensure that any previous configurations that used that external IP address would always be able to connect to your location and that IP address would never change. In some cases, there’s an additional cost associated with having a static wide area network IP address, so you’ll need to contact your internet service provider to see what options might be available for you.

Here’s the IP address setting from my wide area network router. You can see that it’s configured with a dynamic IP address. There is an option in here to define a static IP address, but you can see on my router that it is not configured as one of the options. I could certainly call my ISP, have them add a static IP address, and bill me monthly for the additional IP.

Many of the SOHO routers we use today include a function known as UPnP, which stands for Universal Plug and Play. This is a way to have the router automatically configure itself when certain applications are being used on the network. We sometimes refer to this as zero configuration.

When you start an application that uses UPnP, it will communicate to the router, and tell the router to create a port forward from the outside to be able to allow access to the application service. This means that while this application is active, anyone is able to communicate through your firewall and talk directly to this application service.

You might already be thinking that having an application make configuration changes to a router that allow access from the internet could be a security issue, and you’d be correct. The best practice is to completely disable Universal Plug and Play. And if somebody does need access to a service that’s on your network, it might be a better idea to use a screened subnet.

A screened subnet is what we used to call a demilitarized zone, or DMZ. It’s a separate segment attached to the firewall that is isolated from your internal network. It’s a perfect place to put resources that need to be accessed from the internet but still need to be kept away from the rest of your network. If you need to build out a service and have someone access it from anywhere in the world, you’ll probably want to install it on a screened subnet. Be aware that the "DMZ host" option on many SOHO routers is not a screened subnet: it simply forwards all unsolicited inbound traffic to one device that is still sitting on your internal LAN.
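To see exactly what UPnP has opened on a router, here is an added example that is not from the video: the discovery and table walk the UPnP Internet Gateway Device protocol defines (SSDP M-SEARCH, then GetGenericPortMappingEntry on the WANIPConnection service, reading index 0, 1, 2, and so on until the router returns UPnP error 713, which marks the end of the table). The two SOAP responses embedded at the bottom are constructed so the parser can be exercised offline; the game-console mapping and the 192.168.1.42 address in them are made up.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

IGD_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ACTION = IGD_ST + "#GetGenericPortMappingEntry"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription",
          "NewLeaseDuration")


def _local(tag):
    return tag.rsplit("}", 1)[-1]        # drop the XML namespace from a tag


def discover(timeout=2.0):
    """SSDP M-SEARCH on the LAN; returns the LOCATION URLs of IGD devices that answer."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ' + IGD_ST + "\r\n\r\n").encode()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(msg, ("239.255.255.250", 1900))
    found = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            for line in data.decode(errors="replace").split("\r\n"):
                if line.lower().startswith("location:"):
                    found.append(line.split(":", 1)[1].strip())
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def find_control_url(desc_xml, location):
    """Pick the WANIPConnection control URL out of the device description document."""
    for svc in ET.fromstring(desc_xml).iter():
        if _local(svc.tag) != "service":
            continue
        kids = {_local(c.tag): (c.text or "").strip() for c in svc}
        if kids.get("serviceType", "").startswith("urn:schemas-upnp-org:service:WANIPConnection:"):
            return urllib.parse.urljoin(location, kids["controlURL"])
    return None


def soap_body(index):
    """SOAP request for entry `index` of the router's port-mapping table."""
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{IGD_ST}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()


def parse_mapping(response_xml):
    """One mapping as a dict, or None on a UPnP fault (errorCode 713 = end of table)."""
    text = {_local(e.tag): (e.text or "").strip() for e in ET.fromstring(response_xml).iter()}
    if "errorCode" in text:
        return None
    return {f: text.get(f, "") for f in FIELDS}


def audit(fetch, limit=1000):
    """Walk the table with fetch(index) -> raw SOAP response bytes until the first fault."""
    rows = []
    for i in range(limit):
        row = parse_mapping(fetch(i))
        if row is None:
            break
        rows.append(row)
    return rows


def http_fetch(control_url):
    """Fetcher for a live router: POST the SOAP request and return the body, fault included."""
    def fetch(index):
        req = urllib.request.Request(
            control_url, data=soap_body(index), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SOAP_ACTION}"'})
        try:
            return urllib.request.urlopen(req, timeout=5).read()
        except urllib.error.HTTPError as err:
            return err.read()            # HTTP 500 carries the SOAP fault document
    return fetch


# Constructed responses (not captured from a real router) so the parser runs offline.
SAMPLE_ENTRY = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol>
<NewInternalPort>3074</NewInternalPort><NewInternalClient>192.168.1.42</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>game console</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_END = b"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for location in discover():
        url = find_control_url(urllib.request.urlopen(location, timeout=5).read(), location)
        if not url:
            continue
        for m in audit(http_fetch(url)):
            print(m["NewProtocol"], m["NewExternalPort"], "->", m["NewInternalClient"],
                  m["NewInternalPort"], m["NewPortMappingDescription"])
```

Run it from a machine on the LAN with UPnP still enabled and every row it prints is a hole an application opened without anyone logging in to the router. Any LAN client can issue the same AddPortMapping requests, which is the reason the recommendation above is to turn the feature off rather than trust the applications that use it.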

When you first turn on a SOHO router, it will have a particular wireless name associated with the access point. That wireless name is called a service set identifier, or SSID. And the defaults for many access points are SSIDs by the name of Linksys, default, Netgear, and others.

It’s usually not a good idea to use the name or manufacturer of the device as the SSID. This would make it very easy for someone to look up what the default credentials for this device might be. And if there are any known vulnerabilities, they’d be able to easily find them, based on the manufacturer’s name.

You may also notice an option within your SOHO router to enable or disable the SSID broadcast. The SSID is normally carried in the beacon frames the access point sends out, and those beacons are what populate the list of wireless networks in your area. If you disable the SSID broadcast, the name won’t show up on any of those lists.

However, removing the name from a list doesn’t somehow make the network secure. If somebody knows the name of the wireless network, they can still connect to it. And if someone’s using Wireshark or any other network analysis tool, it will be very easy to determine the SSID for this network even when the SSID broadcast is disabled, because the name still appears in the probe responses the access point sends and in the association requests from clients joining the network.
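To make that concrete, here is an added example (my own code, not part of the video) that pulls the SSID element out of 802.11 management frames. The frames are built in the script itself to mimic a hidden-SSID beacon, the probe response the access point still sends to a directed probe, and a client’s association request; the network name "HomeOffice" and the BSSID are made-up values.

```python
# Constructed 802.11 management frames and an SSID extractor (added example; the
# frame bytes, SSID and BSSID below are made up, not captured from a real network).
SUBTYPES = {0x0: "assoc-req", 0x4: "probe-req", 0x5: "probe-resp", 0x8: "beacon"}
# Length of the fixed fields between the 24-byte MAC header and the tagged
# parameters for each management subtype (timestamp/interval/capability etc.).
FIXED_LEN = {"beacon": 12, "probe-resp": 12, "probe-req": 0, "assoc-req": 4}


def parse_ies(body):
    """Yield (element_id, data) from an 802.11 tagged-parameter block."""
    i = 0
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) < length:          # truncated element; stop rather than misparse
            break
        yield eid, data
        i += 2 + length


def ssid_from_frame(frame):
    """Return (subtype, ssid). ssid is None when the SSID element is missing or
    hidden (zero length, or padded with NUL bytes as some access points do)."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:
        raise ValueError("not a management frame")
    subtype = SUBTYPES.get(fc0 >> 4)
    if subtype is None:
        return "other", None
    for eid, data in parse_ies(frame[24 + FIXED_LEN[subtype]:]):
        if eid == 0:                     # element ID 0 is the SSID
            if not data.strip(b"\x00"):
                return subtype, None
            return subtype, data.decode("utf-8", errors="replace")
    return subtype, None


def observed_ssids(frames):
    """Names recoverable from a capture, whether or not the beacons carry them."""
    return {ssid for _, ssid in map(ssid_from_frame, frames) if ssid}


def build_mgmt(subtype, ssid, bssid=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed frame: FC/duration, broadcast DA, BSSID as SA and BSSID, sequence,
    zeroed fixed fields, then an SSID element and a one-rate Supported Rates element."""
    header = bytes([subtype << 4, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN[SUBTYPES[subtype]]
    ies = bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return header + fixed + ies


HIDDEN_BEACON = build_mgmt(0x8, b"")                # SSID broadcast disabled
NULL_BEACON = build_mgmt(0x8, b"\x00" * 10)         # hidden variant: NUL padding
PROBE_RESPONSE = build_mgmt(0x5, b"HomeOffice")     # AP answers a directed probe
ASSOC_REQUEST = build_mgmt(0x0, b"HomeOffice")      # client names the network on join

if __name__ == "__main__":
    capture = [HIDDEN_BEACON, NULL_BEACON, PROBE_RESPONSE, ASSOC_REQUEST]
    for f in capture:
        print(ssid_from_frame(f))
    print("SSIDs recovered from the capture:", observed_ssids(capture))
```

Frames from a real monitor-mode capture carry a radiotap header ahead of the 802.11 header, so strip that first (Wireshark’s "802.11 only" export or a per-frame offset) before handing bytes to `ssid_from_frame`. The beacon is the only frame the "disable broadcast" checkbox changes; every client that joins announces the name for it.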

If you’re using a wireless network in a coffee shop or a hotel, you may find that there’s no password associated with connecting to that SSID. We refer to these as open systems, because you don’t require any special pass phrases. There’s no authentication, and anyone would have access to that wireless network.

Nothing sent over an open system is encrypted by the wireless network. So if you’re installing a SOHO router into a home or an office, you’ll probably want to configure one of the encryption options. If this is at home, you’ll probably use something called WPA2 or WPA3 Personal. Sometimes this is called WPA2 or WPA3 PSK, which stands for pre-shared key.

This is a single key that you would hand out to anyone who needs access to the network. They would type that key in to gain access. And then anyone who has that key can now communicate on that wireless network.

In an office environment, however, it may not be appropriate to use a pre-shared key. If someone leaves the organization, you’d have to change the pre-shared key on all of your wireless access points. Instead, in a work environment, you’re probably using WPA2 or WPA3 Enterprise. Sometimes you hear this referred to as 802.1X. This is an authentication method that uses a centralized authentication server, usually a RADIUS server.

So the username and password you normally use to log into Windows is the same username and password you use to connect to the wireless network. If someone leaves the organization, their account is disabled, and everybody else continues to use their own credentials.

If you’re in an office building where there are many different organizations, you may find there are a lot of wireless networks in use. So you may have to find a channel that is open or available to avoid interference with those other networks. Some access points have the ability to automatically monitor these channels, find the one with the least amount of traffic, and use that one for your network.

Many access points allow you to configure a guest wireless network. This is very similar to a screened subnet, where you have a separate wireless network that has access to the internet, but that wireless network does not have access to your internal private network.

And although this is a guest network, you can still assign a security level for encryption and specify the encryption key. I’ve configured a wireless guest network on my access points at home. But instead of using that for guests, I use it for all of my Internet of Things devices. This gives them access to the internet but prevents them from having any direct access to my internal network.

You can also do similar things if you have a lab setup, so that anything you do in the lab can communicate to the internet, but it can’t disrupt or cause problems with anything else on your internal network.

Regardless of the network type, you always want to turn on encryption if you’re using a wireless network. So configure WPA2 or WPA3 in your access point and ensure that everyone has the appropriate credentials to be able to use that wireless network.

If your office has a break room or conference room, you may notice on the wall that there are probably ethernet connections that could possibly be used. This is very common in a place of work, especially if you need to be able to connect to a network very quickly.

But if any of these interfaces are not going to be used, they should be administratively disabled on the switch. This requires a bit more work to administer this and maintain that list. But it ensures that nobody can walk into an empty conference room, plug into the network, and have full access to your internal network.

In many corporate environments, these ports are configured with network access control, or NAC. This uses 802.1X to require authentication before anyone is able to communicate on the network. So even if there is a live port in the conference room and someone plugs in, they would still have to authenticate to gain access to the rest of the network.

There may be times when you have a service that’s running on your internal network and you would like to provide access from the internet on very specific ports, communicating to very specific IP addresses on your network. One way to configure this on your SOHO router is to turn on port forwarding. This takes traffic that’s inbound to your SOHO router, determines which port is in use, and redirects that traffic to a device that’s on the inside of your network.

This effectively translates an external IP address and port number to a different IP address and port number that’s on the inside of your network. This is sometimes called a destination network address translation or a static NAT.

Once you configure this, it’s permanently available on the network. And the only way to disable it is to go back into the configuration and administratively turn off that access.

Let’s say that we have a server on the inside of our network that manages the connection to all of our security cameras. We might want to have someone on the outside be able to connect to that server so that they can monitor those cameras.

So we’ll configure our SOHO router with a port forward that takes inbound traffic arriving on a particular port at our external, or WAN, IP address and translates it to the IP address of that internal server. Now, when someone communicates to our external address on that port, the translation table is referenced, the destination IP address is changed, and the traffic is able to move to the internal part of our network and communicate with that server.

On the router itself, we would make these configuration changes by specifying a name for this rule. We would specify the name of the device that we would like people to be able to connect to and the IP address of that device. We would then specify the port number that needs to be accessed on the outside of our network, and then specify what the port number should be when it moves to the inside of our network.

These port numbers can be identical, or in some cases we can change the port number, because everything is translated by the SOHO router.
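Here is an added example, not from the video, of the two rules a port forward actually turns into on a Linux-based router using nftables: the DNAT rule that rewrites the destination, and the forward-chain accept without which the translated packet is still dropped. The interface names eth0 and br-lan, the 192.168.1.0/24 LAN, and the forwards for a camera server and a game console are assumed values. The validator also rejects the same external port and protocol being forwarded twice, since only the first matching rule would ever be used.

```python
import ipaddress

# Assumed router layout (hypothetical, not from the video): LAN subnet and the
# nftables interface names of the WAN and LAN sides.
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_IF, LAN_IF = "eth0", "br-lan"

# Constructed forwarding table: rule name, internal device, external port,
# internal port, protocol. The camera server and console are made-up hosts.
FORWARDS = [
    ("camera-server", "192.168.1.50", 8443, 443, "tcp"),
    ("game-console", "192.168.1.42", 3074, 3074, "udp"),
]


def validate(forwards, lan=LAN):
    """Reject forwards that could never work or that silently shadow each other."""
    seen = set()
    for name, ip, ext_port, int_port, proto in forwards:
        addr = ipaddress.ip_address(ip)
        if addr not in lan or addr in (lan.network_address, lan.broadcast_address):
            raise ValueError(f"{name}: {ip} is not a host address in {lan}")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{name}: protocol must be tcp or udp")
        for port in (ext_port, int_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"{name}: port {port} out of range")
        if (proto, ext_port) in seen:   # first matching DNAT rule wins; a second is dead
            raise ValueError(f"{name}: external {proto}/{ext_port} is already forwarded")
        seen.add((proto, ext_port))


def nft_rules(forwards, wan_if=WAN_IF, lan_if=LAN_IF):
    """Render the DNAT rules plus the forward-chain accepts they depend on."""
    validate(forwards)
    dnat, accept = [], []
    for name, ip, ext_port, int_port, proto in forwards:
        # Rewrite WAN:ext_port -> internal ip:int_port before the routing decision.
        dnat.append(f'    iifname "{wan_if}" {proto} dport {ext_port} '
                    f'dnat to {ip}:{int_port} comment "{name}"')
        # The forward hook sees the already-translated destination; allow only that.
        accept.append(f'    iifname "{wan_if}" oifname "{lan_if}" ip daddr {ip} '
                      f'{proto} dport {int_port} ct state new accept comment "{name}"')
    return "\n".join([
        "table ip nat {",
        "  chain prerouting {",
        "    type nat hook prerouting priority dstnat; policy accept;",
        *dnat,
        "  }",
        "}",
        "",
        "table ip filter {",
        "  chain forward {",
        "    type filter hook forward priority filter; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{lan_if}" oifname "{wan_if}" accept',
        *accept,
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_rules(FORWARDS))
```

Load the output with `nft -f` on a router you control. On a vendor SOHO router the web form fields (rule name, device, internal IP, external port, internal port) map one-to-one onto the values each DNAT line carries, and the accept rule is what the vendor firmware adds for you behind the scenes.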

Not only have I created a number of static port forwards inside of my SOHO router, you can see that this router also has Universal Plug and Play still enabled. And when I look at the rules, I can see that there is a rule currently active, because there’s a gaming device on this network that is communicating to the rest of the internet using port forwarding that was created dynamically by UPnP.