Our SOHO routers include a myriad of settings, configuration options, and network selections. In this video, you’ll learn about options like MAC address filtering, wireless encryption options, port forwarding and port triggering, SSID, IP address management, DMZ ports, WPS, and quality of service configurations.
If you’ve ever gone through the process of configuring a small office or home office wireless router, you know there are a lot of options available. Let’s step through some of the most important configuration settings that you should look at when you’re configuring your SOHO wireless router.
One option in the configuration of your router is something called a MAC address filter. MAC stands for Media Access Control, and the MAC address is the hardware address, the physical address, of the wireless devices that are connecting to your network. A MAC address filter allows you to limit which devices can even communicate on your wireless network.
So if you don’t want people randomly connecting to your network and you don’t want neighbors or people around you having access to your access point or your router, this is a very, very good way to keep them out of the network. Unfortunately, it’s very easy to find the MAC addresses that are being used in your wireless network with some very simple and very free programs that you can download from the internet and immediately see what’s going on. That means that people would be able to find an existing MAC address, wait until it leaves the network and then spoof that MAC address on their device to gain access to your network. So this is not exactly a security mechanism as much as it is one of convenience for people to be able to get on the network.
This is one of those situations where you may be trying to obscure the method that people might use to get onto the network. But at the end of the day, it’s not really providing you any security. If you look at your router, you probably have a screen very much like this that shows a list of the MAC addresses that you can put inside. And you simply add all of the MAC addresses that you might want to have access to this network. Most routers would even give you a screen or a button you can push that will list out everyone who’s currently connected, and then you can choose from that list which ones you’d like to add into the allowed MAC address list.
When you’re configuring the wireless settings on this wireless access point or wireless router, you want to be sure you’re configuring the highest possible encryption. And the highest one that you should be able to find is WPA2, and it may be even spelled out WPA2-AES. That is the highest you would possibly use, and if at all possible that’s the one you want to be sure of.
You obviously don’t want to use WEP. It has serious vulnerabilities, and usually you won’t even see it as an option on your newer devices. You can see the options I have on this relatively new router. This is one that does not integrate with an enterprise, so I don’t have WPA2 Enterprise, which ultimately would be what you would use in larger organizations.
But when you’re in a SOHO, you generally use something called a pre-shared key where you would give all of the devices the same key. So if at all possible, use WPA2 with the pre-shared key and that’s using AES to be able to encrypt that data.
Another type of encryption you might see is WPA-PSK. That is an older version of WPA, and even it has some vulnerabilities, so you want to avoid using that if at all possible. Notice you have the option of None. Unless there’s a very, very specific reason why you would let this be an open access point, that should never be the option you would use. Always use some method of encryption, and ideally make sure it’s WPA2.
One of the challenges you may have is not all of your devices may be brand new, modern devices. They may not be able to use WPA2. And if that’s the case, you may have to fall back to something like WPA. But to be absolutely secure, you may want to consider replacing the old devices just so you can run with the highest security of WPA2.
Every wireless router for your home office or your small office is going to use something called NAT. That stands for Network Address Translation. It’s something that’s automatically built into these devices. You may also see this referred to as Source NAT. It’s also in some cases called Port Address Translation, or PAT.
What this effectively does is take the single IP address that’s provided to you by your ISP, and it allows you to put multiple devices on your network. So even though the rest of the world only sees a single IP address, you can put many, many, many devices in your small office and your home office. And all of those devices are able to communicate out to the internet using this Network Address Translation.
Some small offices or home offices may have services that you’re providing inside of the office. You may have a web server or a file server, and you may want other people to have access to that device. In those cases you may want to consider something like a port forward. This allows you to set up 24 by 7 constant access to that particular server. Maybe that’s a web server or a gaming server or some other kind of device.
You would take the external IP address and port number that’s being used on your external port and you would forward that to the internal address. Because remember, we’re doing network address translation. The internal IP addresses aren’t accessible from the outside.
So what this port forward effectively does is make that IP address accessible from the outside of your network. It doesn’t even have to be the same port number. You could be taking a port number that’s inbound on port 80 and converting it to port 8080 inside of your network.
You’ll sometimes hear this referred to as Destination Network Address Translation or Static Network Address Translation, because it’s something that’s always there: it’s static, it never goes away. We’re translating the destination from that outside address to an inside address. And because it doesn’t expire and it doesn’t time out, people have 24 by 7 access to that service.
Here’s a good example of how this works. You may have devices that are out on the internet that want to access the server. And the server is actually on this 192.168.3.22 address. So you configure a network address translation or a port forward inside of your router that says if anybody ever accesses 220.127.116.11 over port 80, please forward them to 192.168.3.22 on port 80. And now your port forward is in place, and if anybody ever needs to get to that web server they simply access that external IP address.
Having 24 by 7 access into your internal network though may not be something you’re comfortable with. There is a method where you can set up dynamic access to services– this is called a port trigger. This means that you are triggering when that particular link is made and access is available from the outside.
What happens is that you configure a port trigger to occur so that if somebody internal sends out information, it opens up and provides a port forward back inside of your network. And you would configure this for games, you would configure it for certain file transfers, or anything that needs to have open services available while you’re using that application. When you close the application and you close out that session, the port that’s normally open will now close. So there’s not the 24 by 7 access that you get with a port forward, it’s only open while you’ve triggered it.
And you would configure, for instance, a particular user on a particular IP address that is sending a particular port number to now allow certain ports to be inbound on your network. It’s a relatively easy thing to configure. This is dynamically created, it can be for any port number or range of port numbers. And when you’re done with the application and you stop using it, you’ve now stopped anyone from coming inside your network. So you can start to see how a port trigger might be a little bit more secure for you than using something like a port forward.
One of the disadvantages of this, however, is that only one person can use this trigger at a time. So once you open up that window, everybody’s coming back to a single address. The second person who may want to have that same opening would not be able to use that– you can only open one at a time. In those particular cases, you may have to use a port forward. But if you want a more secure method of allowing access inside of your network, you’ll probably want to consider using a port trigger.
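Here is the difference between a port forward and a port trigger as a small model you can run. It is an added example, not something from the video or from any router's firmware; the trigger port 6000, the inbound range 7000-7002, the two client addresses and the 60-second idle timeout that stands in for "closing the application" are all assumptions.

```python
class Router:
    """Toy model of how a SOHO NAT router decides where inbound packets go."""
    def __init__(self):
        self.forwards = {}  # WAN port -> (LAN IP, LAN port); static, never expires
        self.triggers = {}  # outbound trigger port -> inbound ports to open
        self.opened = {}    # inbound port -> (LAN IP, expiry); dynamic

    def add_forward(self, wan_port, lan_ip, lan_port):
        self.forwards[wan_port] = (lan_ip, lan_port)

    def add_trigger(self, trigger_port, inbound_ports):
        self.triggers[trigger_port] = list(inbound_ports)

    def outbound(self, lan_ip, dst_port, now, ttl=60):
        """A LAN host sends traffic out; a matching trigger opens ports back to it."""
        granted = []
        for port in self.triggers.get(dst_port, []):
            holder = self.opened.get(port)
            if holder and holder[1] > now and holder[0] != lan_ip:
                continue  # another host holds this opening: one user at a time
            self.opened[port] = (lan_ip, now + ttl)  # assumed idle timeout
            granted.append(port)
        return granted

    def inbound(self, wan_port, now):
        """Return the (LAN IP, LAN port) a packet reaches, or None if dropped."""
        if wan_port in self.forwards:
            return self.forwards[wan_port]
        holder = self.opened.get(wan_port)
        if holder and holder[1] > now:
            return (holder[0], wan_port)
        return None

def demo():
    r = Router()
    r.add_forward(80, "192.168.3.22", 8080)  # server address from the text
    r.add_trigger(6000, range(7000, 7003))   # constructed port numbers
    out = {"forward_now": r.inbound(80, now=0),
           "trigger_closed": r.inbound(7000, now=0)}
    out["first_host"] = r.outbound("192.168.3.50", 6000, now=10)
    out["second_host"] = r.outbound("192.168.3.51", 6000, now=20)
    out["trigger_open"] = r.inbound(7000, now=30)
    out["trigger_expired"] = r.inbound(7000, now=100)
    out["forward_later"] = r.inbound(80, now=86400)
    return out

if __name__ == "__main__":
    print(demo())
```

The forward on port 80 answers at any time, while the triggered ports are reachable only between the first host's outbound traffic and the timeout, and the second host gets nothing while the first holds the opening.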
Another configuration option you have for your wireless network is the SSID. That stands for Service Set Identification and this identifies your wireless network. When somebody opens up a list of all of the available wireless networks on their device, this is the name that will show up in that list. This is something you usually make a recognizable name so you can tell people you need to connect to the wireless network that’s named Green, or the wireless network that’s named Orange. It’s something so that people can see very easily where they should be going on your wireless network.
You may also see an option or a listing for something called a BSSID. That stands for Basic Service Set Identification, and that’s really referring to the MAC address of the access point or the wireless device inside of your router. This is not normally seen by the end user and you don’t normally need to make any configuration changes to the BSSID.
One of the advantages of configuring that SSID is that people can see it when they open up a list of available wireless networks. And it makes it very easy for devices to hop on to the wireless network and then present their credentials. But sometimes you don’t want your wireless network to show up in that list.
One of the things you can do then is make the SSID invisible by restricting the broadcast. And you make that configuration change in your access point. There’s probably a section that allows you to enable or disable the SSID broadcast.
Keep in mind that this is not a security measure. Just because you’ve disabled the broadcasting of the SSID and it doesn’t show up in that list doesn’t mean that somebody can’t still access your wireless network. It’s very simple with freely available tools to see what your SSID might be.
So by disabling the SSID, you’re still allowing access to the network. You still need to have encryption and you still need to have authentication methods. Make sure that you still have those in place whether you are enabling or disabling the broadcasting of that SSID.
Another nice configuration option of most wireless routers is the ability to automatically assign IP addresses. This is done via DHCP and you can turn on and off that capability. Maybe you would like to provide IP addresses statically. You define what the IP addresses are inside of your organization rather than having them automatically assigned by the router.
If this is a network that is not using encryption, it’s very easy to see what the IP addresses are. If you’re in the clear, you can see all of the traffic going by, including the IP addresses. If somebody breaks into the network and finds a way into your encrypted network, they will be able to use your network regardless of whether you are using static IP addresses or dynamic IP addresses.
So this again is not a security function, it’s really one more for convenience. You should not think that you’re more secure because you’ve turned off DHCP. You are just as secure as you were by using DHCP. The only thing that you’re allowing with DHCP is the automation– it’s the ease of use. And if you want that ease of use on your SOHO network, you’ll want to enable that DHCP function.
If you’ve ever configured the encryption settings inside of a wireless router, you know that there are a lot of different options: there’s WEP, there’s WPA, there’s WPA2. There are different enterprise and non-enterprise methods in there. There are shared passwords or passphrases that you put inside of the device, so there’s a lot going on there.
And one of the ways that the industry created to make this process simpler is something called WPS. This stands for Wi-Fi Protected Setup. The idea is that you could simply push a button on the front of your wireless router, or put in a personal identification number that is correlated to that wireless router, and it would allow people secure access to this wireless network. It’s a great idea.
Unfortunately, a significant security vulnerability was found with WPS that allowed people very easily to brute force the PIN that’s on these routers. That effectively would allow anybody access to your encrypted wireless network, and that’s not what you want to have happen. Unfortunately, this is a default option on almost everything you’d find. So you want to go into the WPS settings inside of your router and disable the use of that PIN, or maybe even disable the use of WPS entirely. It’s incredibly important if you’re setting up a SOHO wireless router that you disable this functionality to ensure that nobody gains access into this private network.
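To pull the wireless settings covered so far into one check, here is a short audit you could run over a router's settings. It is an added example, not from the video or from any vendor's tooling; the dictionary keys and the two sample configurations are constructed for illustration.

```python
# Encryption modes named in the text, with the finding each one earns.
ENCRYPTION_FINDINGS = {
    "None": ("high", "no encryption: traffic is readable in the clear"),
    "WEP": ("high", "WEP has serious vulnerabilities: move to WPA2-AES"),
    "WPA-PSK": ("medium", "older WPA: use WPA2-AES, replace clients that cannot"),
    "WPA2-AES": None,
}

def audit(cfg):
    """Return (severity, message) findings for a settings dict (hypothetical keys)."""
    findings = []
    enc = cfg.get("encryption", "None")
    if enc not in ENCRYPTION_FINDINGS:
        findings.append(("high", f"unrecognised encryption mode {enc!r}"))
    elif ENCRYPTION_FINDINGS[enc]:
        findings.append(ENCRYPTION_FINDINGS[enc])
    # WPS is on by default on most routers, so a missing key counts as enabled.
    if cfg.get("wps_pin", True):
        findings.append(("high", "WPS PIN enabled: disable the PIN or WPS entirely"))
    # These settings hide the network or add inconvenience; they protect nothing.
    obscurity = [label for label, active in (
        ("MAC filter", cfg.get("mac_filter", False)),
        ("hidden SSID", not cfg.get("ssid_broadcast", True)),
        ("DHCP disabled", not cfg.get("dhcp", True))) if active]
    if obscurity and findings:
        findings.append(("info", "no substitute for the fixes above: "
                         + ", ".join(obscurity)))
    return findings

# Constructed samples: a router leaning on obscurity, and a hardened one.
WEAK = {"encryption": "WPA-PSK", "wps_pin": True, "mac_filter": True,
        "ssid_broadcast": False, "dhcp": False}
HARDENED = {"encryption": "WPA2-AES", "wps_pin": False, "mac_filter": False,
            "ssid_broadcast": True, "dhcp": True}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg))
```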
Some of the higher end SOHO wireless devices allow you to configure Quality of Service. You’ll see this abbreviated as QoS. This allows you to set different priorities for different types of traffic on your network.
So you might set voice over IP traffic to have a higher priority than your World of Warcraft traffic. Or in my network, maybe I’d like it exactly the opposite. This allows you to prioritize based on the application. You can prioritize based on a MAC address that’s on your network, or even a physical port that’s on your wireless router. You almost always see this on the higher end SOHO wireless routers.
If you have a lower end SOHO wireless router, you might not have this functionality because of the overhead and the complexities involved to make that happen. But you want to be very careful when you’re configuring quality of service. You don’t want to accidentally have certain applications have the wrong priorities. You want your most important applications to have the highest priorities and the least important applications to have the lower priority. So if you ever configure this, make sure you test it thoroughly before you’re absolutely sure that it’s configured properly.