2.9 Given a scenario, configure appropriate security settings on small office / home office (SOHO) wireless and wired networks.

  • Home Router Settings
    • Change Default Passwords
    • IP Filtering
    • Firmware Updates
    • Content Filtering
    • Physical Placement / Secure Locations
    • Dynamic Host Configuration Protocol (DHCP) Reservations
    • Static Wide-Area Network (WAN) IP
    • Universal Plug and Play (UPnP)
    • Screened Subnet
  • Wireless Specific
    • Changing the Service Set Identifier (SSID)
    • Disabling SSID Broadcast
    • Encryption Settings
    • Disabling Guest Access
    • Changing Channels
  • Firewall Settings
    • Disabling Unused Ports
    • Port Forwarding / Mapping

SOHO Wireless Security

Some best practices for configuring a SOHO Wi-Fi network.

  • Change the SSID to something that people can’t guess.

  • Set the Wi-Fi encryption to the highest available setting.  Choose WPA2/WPA3 and AES if possible.

  • Disable the SSID broadcast.  Your Wi-Fi network will appear as a “Hidden Network”.  Users must know what the SSID is to connect to it.

  • Install the access point in a secure location.  Make sure that the antennas are pointed in the recommended direction (to ensure the best possible signal).

  • Adjust the radio power levels so that the Wi-Fi signal stops at the perimeter of the building.  This prevents people outside the building from being able to access your network.  Some access points don’t allow you to adjust the power level.

  • Disable WPS (Wi-Fi Protected Setup).  WPS allows you to connect a Wi-Fi device to the router by pressing a button on the router.

  • Change the channel to one that does not overlap with neighboring Wi-Fi networks.

Other Security Procedures

Some other security policies for a SOHO network include:

  • Change default username/password

    • A router/modem will have a default username/password.  The username/password might be “admin” and “password” or “admin” and “admin”.

    • You should change it so that users can’t access the setup page.

  • Enable MAC filtering

    • Make a list of the MAC addresses of authorized devices

    • Block other devices from connecting to the Wi-Fi (if the MAC is not on the list)

    • Also block devices from connecting to the switch if the MAC does not match.

  • Assign Static IPs

    • Assign Static IPs to shared resources such as servers, printers, scanners, and cameras

    • Allow other devices, such as computers, to obtain their addresses over DHCP.

    • Assign a static IP to the WAN interface if your ISP allows it.

  • Firewall

    • Enable the firewall and configure as appropriate (see previous sections)

  • Port Forwarding / UPnP

    • Port forwarding allows you to forward traffic from one external port to an internal port.  This is not recommended.  Use a VPN.

    • UPnP is another tool that allows devices to automatically forward their traffic across the router.  It is dangerous.  Turn it off.

  • Disable Ports

    • If your switch is managed, disable ports on a switch that are not in use.

  • Content Filtering/Parental Controls

    • Allows you to block harmful/malicious/inappropriate content.

    • This can be performed at the router level or at the computer level.

  • Update Firmware

    • Update the firmware on all network devices and check for updates regularly.

    • Cloud-managed devices such as Meraki and Ubiquiti can automatically download the latest firmware from the cloud.

    • Other devices may require you to manually download and update the firmware.

  • Physical Security

    • Install the equipment in a secure location.  This might be a secure room or a locking cabinet.

  • DHCP Reservations

    • Decide on a range of IP addresses for DHCP and create a scope.

    • Set static IPs for all other devices.
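As an added example (not part of these notes or of any router vendor's software), the script below audits a router configuration against the checklist above: default credentials, factory SSID, encryption, WPS/UPnP/guest access, MAC filtering, port forwards, and static IPs that collide with the DHCP scope.  The dictionary keys and both sample configurations are constructed for this illustration.

```python
import ipaddress

# Factory credentials the notes call out; the config keys below are a constructed format.
DEFAULT_CREDS = {("admin", "password"), ("admin", "admin")}


def audit_router_config(cfg):
    """Return a list of findings for one SOHO router config dict (empty list = clean)."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDS:
        findings.append("admin login still uses factory default credentials")
    if cfg["ssid"] == cfg["factory_ssid"]:
        findings.append("SSID unchanged from factory default")
    if cfg["wifi_security"] not in ("WPA2", "WPA3") or cfg["wifi_cipher"] != "AES":
        findings.append("Wi-Fi not using WPA2/WPA3 with AES")
    for flag, text in (("wps_enabled", "WPS enabled"), ("upnp_enabled", "UPnP enabled"),
                       ("guest_network_enabled", "guest network enabled")):
        if cfg[flag]:
            findings.append(text)
    if not cfg["mac_filtering_enabled"]:
        findings.append("MAC filtering disabled")
    if cfg["port_forwards"]:
        findings.append(f"{len(cfg['port_forwards'])} port-forward rule(s); prefer a VPN")
    # Static hosts must sit outside the DHCP scope, or the server may lease their address again.
    lo, hi = (ipaddress.ip_address(a) for a in cfg["dhcp_scope"])
    for name, ip in cfg["static_hosts"].items():
        if lo <= ipaddress.ip_address(ip) <= hi:
            findings.append(f"static IP {ip} ({name}) lies inside the DHCP scope")
    return findings


# Constructed sample: a router left at factory settings, with the printer mis-addressed.
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "password",
    "ssid": "ROUTER-1234", "factory_ssid": "ROUTER-1234",
    "wifi_security": "WPA", "wifi_cipher": "TKIP",
    "wps_enabled": True, "upnp_enabled": True, "guest_network_enabled": True,
    "mac_filtering_enabled": False,
    "port_forwards": [{"external": 3389, "internal": "192.168.1.50:3389"}],
    "dhcp_scope": ("192.168.1.100", "192.168.1.199"),
    "static_hosts": {"printer": "192.168.1.150", "camera": "192.168.1.20"},
}
# The same router after working through the checklist (constructed values).
HARDENED_CONFIG = {
    **WEAK_CONFIG, "admin_user": "netadmin", "admin_password": "Lf8!qz-Router-2024",
    "ssid": "Office-5G", "wifi_security": "WPA3", "wifi_cipher": "AES",
    "wps_enabled": False, "upnp_enabled": False, "guest_network_enabled": False,
    "mac_filtering_enabled": True, "port_forwards": [],
    "static_hosts": {"printer": "192.168.1.10", "camera": "192.168.1.20"},
}
```

Running `audit_router_config(WEAK_CONFIG)` reports nine findings, while the hardened copy reports none.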