Configuring Security on SOHO Networks

220-1002: Objective 2.10: Given a scenario, configure security on SOHO wireless and wired networks.

Both wireless and wired small office/home office (SOHO) networks are important to businesses of all sizes as well as to individual users. However, they also represent significant vulnerabilities if they are not properly secured. The following sections explain how the different encryption methods work and the additional steps that must be taken to harden a wireless network; no single setting is sufficient on its own.

Wireless-Specific Security

The default settings for a wireless network should be changed to provide security. The following sections discuss these issues.

Changing Default SSID

The service set identifier (SSID) can provide a great deal of useful information to a potential hacker of a wireless network. Every wireless network must have an SSID, and by default, WAPs and wireless routers typically use the manufacturer’s name or the device’s model number as the default SSID. If a default SSID is broadcast by a wireless network, a hacker can look up the documentation for a specific router or the most common models of a particular brand and determine the default IP address range, the default administrator username and password, and other information that would make it easy to attack the network.

To help “hide” the details of your network and location, a replacement SSID for a secure wireless network should not include any of the following:

  • Your name

  • Your company name

  • Your location

  • Any other easily identifiable information

An SSID that reveals nothing about the owner (a random word or phrase, for example) is a suitable replacement. Keep in mind that the SSID is not a secret: it is transmitted in the clear in beacon and probe frames, so renaming it removes easy clues for an attacker but provides no protection by itself.

Setting Encryption

The importance of setting encryption to the latest possible standards is covered earlier in this chapter, in the section “Wireless Security Protocols and Authentication.” The information there applies to SOHO networks as well, as a SOHO may be set up as an extension of a business. In such a case, all security policies from the business should apply at the SOHO extension as well.

Disabling SSID Broadcast

Disabling SSID broadcast is widely believed to be an effective way to prevent a wireless network from being detected, and the A+ certification exams treat it as a security setting. In practice it is weak. Even though disabling SSID broadcast prevents casual bandwidth snoopers from seeing your network in a list, the SSID is still sent in the clear in probe requests and association frames whenever a legitimate client connects, so anyone with a wireless sniffer can recover it. For this reason Microsoft does not recommend disabling SSID broadcasting as a security measure; it also makes clients advertise the hidden network name wherever they roam.

Figure 7-22 illustrates a Linksys router configuration dialog in which several of these security recommendations have been implemented.

FIGURE 7-22 Configuring a Router with Alternative SSIDs, WPA2 Encryption Enabled, and SSID Broadcast Disabled

Antenna and Access Point Placement

When configuring and/or troubleshooting wireless connections, think about the wireless access point’s (WAP’s) location. Placement plays a big part in signal strength and in how far the signal leaks outside the premises. Generally, the access point should be placed in the middle of an office to offer the greatest coverage while reducing the chance of outsiders being able to connect to the device. The antennas on the access point should be set at a 90-degree angle to each other. Keep the device away from sources of electrical interference, such as other wireless devices, speakers, and any devices that draw a lot of power.

Radio Power Levels

Some wireless routers and access points have adjustable radio power levels. When they are set too low, clients at the perimeter of the building will not be able to gain access. When they are set too high, computers located in neighboring businesses will be able to attempt access. If a wireless signal is too weak, regardless of the router location and radio power levels, and the router is older, consider replacing it with a new wireless router.

WiFi Protected Setup (WPS)

WiFi Protected Setup (WPS) is intended as an easy way to configure an encrypted wireless network with a SOHO router, provided that all devices on the network support WPS. There are several ways that WPS can be configured. The most common are:

  • PIN: An eight-digit personal identification number (PIN) printed on the router may be entered into each new device added to the network. This is the default method.

  • Push button: The router or WAP may have a push button, and each new device may also have a physical push button or (more often) a software push button in the setup program. Both the button on the WAP or router and the button on the other device must be pushed within a short period of time to make the connection.

A design flaw in the PIN method was disclosed in 2011: the access point reports whether the first four digits are correct before checking the rest, and the last digit is a checksum, so an attacker needs at most about 11,000 guesses rather than the 100 million an eight-digit PIN suggests. Many professionals recommend against WPS on this basis. Whether you can mitigate it depends on the features available on the router. Some routers let you disable the PIN method and allow only push-button setup, but many do not. Some routers allow you to disable WPS altogether, which is the safest option. These settings are worth investigating when looking to install or replace a WAP. Figure 7-23 depicts WiFi Protected Setup options.

FIGURE 7-23 WiFi Protected Setup Options
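The following Python is an added example, not code from the book, to make the PIN-method weakness concrete. The checksum rule is the one defined for WPS PINs (alternating weights 3 and 1 over the first seven digits). The SimulatedRegistrar class is a stand-in that mimics an access point validating the PIN in two halves; it does not speak the real protocol, and the PIN 12345670 is a constructed sample value.

```python
"""WPS PIN arithmetic: why the PIN method is brute-forceable.

Added example, not from the book. The registrar below is a simulation of an
AP that validates the PIN in two halves; it sends no real WPS messages.
"""
from itertools import product

WEIGHTS = (3, 1, 3, 1, 3, 1, 3)  # published WPS checksum weights for digits 1..7


def wps_checksum(first_seven: str) -> int:
    """Return the checksum digit for a 7-digit WPS PIN prefix."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly 7 decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN's last digit matches the checksum of the first 7."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def pin_search_space() -> dict:
    """Worst-case guesses under three assumptions about how the PIN is checked."""
    return {
        "naive_8_digit": 10 ** 8,               # if all 8 digits were independent
        "with_checksum": 10 ** 7,               # checksum removes one digit of entropy
        "split_validation": 10 ** 4 + 10 ** 3,  # first half, then 3 digits + checksum
    }


class SimulatedRegistrar:
    """Constructed stand-in for an AP that confirms the first half before the second."""

    def __init__(self, pin: str):
        if not is_valid_wps_pin(pin):
            raise ValueError("registrar PIN must be a valid 8-digit WPS PIN")
        self._pin = pin
        self.attempts = 0

    def check_first_half(self, half: str) -> bool:
        self.attempts += 1
        return half == self._pin[:4]

    def check_second_half(self, first_half: str, second_half: str) -> bool:
        self.attempts += 1
        return first_half + second_half == self._pin


def recover_pin(registrar: SimulatedRegistrar) -> str:
    """Recover the PIN against a split-validating registrar, counting attempts."""
    first = next(
        h for h in ("".join(p) for p in product("0123456789", repeat=4))
        if registrar.check_first_half(h)
    )
    for p in product("0123456789", repeat=3):
        three = "".join(p)
        candidate = three + str(wps_checksum(first + three))  # checksum is free
        if registrar.check_second_half(first, candidate):
            return first + candidate
    raise RuntimeError("no PIN found")


if __name__ == "__main__":
    reg = SimulatedRegistrar("12345670")  # constructed sample PIN
    print(recover_pin(reg), "in", reg.attempts, "attempts; worst case", pin_search_space())
```

The point of the simulation is the attempt counter: because the registrar confirms the first four digits independently, the search never exceeds 10,000 + 1,000 guesses, which is why disabling the PIN method (or WPS entirely) matters more than the PIN's apparent length.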

Change Default Usernames and Passwords

As mentioned previously, the documentation for almost all WAPs and wireless routers lists the default administrator password, and the documentation can be readily downloaded in PDF or HTML form from vendor websites; the same defaults are also compiled in public lists. Because an attacker could use this information to take over the device, it is essential to replace the default with a strong, unique password, and to change the default administrator username where the device allows it. Most routers use the Administration or Management dialog for the password and other security settings.

Enable MAC Filtering

As mentioned earlier in this chapter, every device on a network has a MAC address. All devices on a SOHO network, including phones and tablets, have MAC addresses as well, and MAC filtering lets the router allow only a list of known addresses to connect. Treat it as a convenience control rather than a strong one: MAC addresses are sent in the clear in every frame and can be changed in software, so an attacker who has observed a permitted device can copy its address, and modern phones that randomize their MAC per network will be blocked until their current address is added. Refer to the section “Physical Security Measures,” earlier in this chapter, for details about software used to hack networks. MAC filtering is described in more detail in Chapter 2.
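The following Python is an added example, not code from the book, showing what a router's MAC allow-list actually decides and where it stops. The allow-list entries and the association attempts are constructed sample data; the MacFilter class is hypothetical and mirrors the allow-list logic of a typical SOHO router UI.

```python
"""MAC address allow-list filtering, with its limit made explicit.

Added example, not from the book. ALLOWED and ATTEMPTS are constructed data.
"""
import re

_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-..', 'aabb.ccdd.eeff' or 'aa:bb:..' to 'aa:bb:cc:dd:ee:ff'."""
    raw = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _TWELVE_HEX.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: address was assigned by software, not burned in.

    Phones that randomize their Wi-Fi MAC set this bit, which is why MAC filtering
    often blocks legitimate devices after an OS update.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


class MacFilter:
    """Hypothetical allow-list filter matching how SOHO router UIs behave."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}

    def permits(self, mac: str) -> bool:
        return normalize_mac(mac) in self.allowed


# Constructed allow-list, in the mixed notations users tend to type
ALLOWED = ["00-11-22-33-44-55", "08:1B:2C:3D:4E:5F"]

# Constructed association attempts: (source MAC as seen on the air, description)
ATTEMPTS = [
    ("00:11:22:33:44:55", "owner's laptop"),
    ("081b.2c3d.4e5f", "owner's phone, Cisco-style notation"),
    ("66:77:88:99:aa:bb", "unknown device"),
    ("da:a1:19:00:00:01", "owner's tablet after enabling MAC randomization"),
    ("00:11:22:33:44:55", "attacker who copied the laptop's MAC off the air"),
]


def evaluate(filter_: MacFilter, attempts=ATTEMPTS):
    """Return [(mac, description, permitted)] for each attempt."""
    return [(mac, desc, filter_.permits(mac)) for mac, desc in attempts]


if __name__ == "__main__":
    for mac, desc, ok in evaluate(MacFilter(ALLOWED)):
        print(f"{'ALLOW' if ok else 'DENY ':5} {mac}  {desc}")
```

Two rows carry the lesson: the randomized tablet is denied although it belongs to the owner, while the attacker presenting a copied address is allowed, because the filter has nothing but the address to go on.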

Assign Static IP Addresses

The DHCP server built into a router hands out IP addresses to all computers connected to it. This is convenient, but if you want to limit Internet access for certain computers or log activity by IP address, you can disable DHCP and assign a static IP address to each computer so that addresses stay fixed and identifiable. Understand what this does and does not achieve: an outside device will not be handed an address, but an attacker who has already joined the network can simply configure an address in the same range by hand, so static addressing is an administrative aid, not an access control.

Firewall Settings

By default, most WAPs and wireless routers use Network Address Translation (NAT) so that many internal computers share one public IP address. NAT is not a firewall, but it has a firewall-like side effect: an unsolicited packet arriving from the Internet matches no translation entry, so the router has nowhere to deliver it and drops it, and the private IP addresses used inside the network are never visible to outside hosts. However, many WAPs and wireless routers offer real firewall features that can be enabled, including:

  • Access logs

  • Filtering of specific types of traffic

  • Enhanced support for VPNs

See the router manufacturer’s documentation for more information about advanced security features. Figure 7-24 shows an example of firewall settings.

FIGURE 7-24 Firewall Settings

Port Forwarding/Mapping

Use port forwarding (also known as port mapping) to allow inbound traffic on a particular TCP or UDP port or range to go to a particular internal IP address rather than being dropped at the router. A basic example would be an FTP server internal to a LAN. The FTP server might have the IP address 192.168.0.250 and have port 21 open and ready to accept file transactions (or a different inbound port could be used). Clients on the Internet that want to connect to the FTP server would have to know the public IP address of the router, so the clients might connect with an FTP client using the IP address 68.54.127.95 and port 21. If there is an appropriate port-forwarding rule, the router sees these packets and forwards them to 192.168.0.250:21, or whatever port is chosen. Remember that a forwarded port exposes that service to the entire Internet, so the service itself must be patched and use strong authentication; plain FTP, for instance, sends credentials in cleartext. Some residential ISPs block inbound connections to common server ports, but port forwarding is a common and important method in larger networks.
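The following Python is an added example, not code from the book, serving both the NAT discussion under “Firewall Settings” and the port-forwarding example above. It models a router's translation table so you can see why unsolicited inbound traffic is dropped, why a reply to an outbound connection is let back in, and what a forwarding rule changes. The router and FTP-server addresses reuse the book's example; the remote addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) and the NatRouter class itself are constructed.

```python
"""Why NAT behaves like a firewall, and what a port-forward rule changes.

Added example, not from the book. Addresses 68.54.127.95 and 192.168.0.250
are the book's; remote hosts and the table format are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class NatRouter:
    wan_ip: str
    lan_prefix: str                                   # e.g. "192.168.0."
    forwards: dict = field(default_factory=dict)      # (proto, wan_port) -> (lan_ip, lan_port)
    _table: dict = field(default_factory=dict)        # (proto, wan_port) -> (lan_ip, lan_port, remote)
    _next_port: int = 40000                           # next WAN port to hand out

    def add_forward(self, proto: str, wan_port: int, lan_ip: str, lan_port: int) -> None:
        """Static rule: inbound proto/wan_port goes to lan_ip:lan_port."""
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host -> Internet: allocate a WAN port and remember who asked."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound packet must originate on the LAN")
        wan_port, self._next_port = self._next_port, self._next_port + 1
        self._table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port, (pkt.dst_ip, pkt.dst_port))
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> WAN: translate if a mapping or rule exists, else drop (None)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        if key in self._table:
            lan_ip, lan_port, remote = self._table[key]
            if remote == (pkt.src_ip, pkt.src_port):  # reply to a connection we opened
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
            return None                               # someone else probing that port
        if key in self.forwards:
            lan_ip, lan_port = self.forwards[key]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)
        return None  # unsolicited and unmapped: nowhere to deliver, so dropped


def demo():
    r = NatRouter(wan_ip="68.54.127.95", lan_prefix="192.168.0.")
    # 1. Unsolicited inbound to port 21 with no rule: dropped.
    dropped = r.inbound(Packet("203.0.113.9", 51000, "68.54.127.95", 21))
    # 2. A LAN host connects out; the reply comes back to the allocated port.
    out = r.outbound(Packet("192.168.0.10", 52000, "198.51.100.7", 443))
    reply = r.inbound(Packet("198.51.100.7", 443, "68.54.127.95", out.src_port))
    # 3. A third party probing that same allocated port is still dropped.
    probe = r.inbound(Packet("203.0.113.9", 51001, "68.54.127.95", out.src_port))
    # 4. With a forward rule, port 21 now reaches the internal FTP server.
    r.add_forward("tcp", 21, "192.168.0.250", 21)
    forwarded = r.inbound(Packet("203.0.113.9", 51000, "68.54.127.95", 21))
    return dropped, out, reply, probe, forwarded


if __name__ == "__main__":
    for label, result in zip(("dropped", "out", "reply", "probe", "forwarded"), demo()):
        print(f"{label:9} -> {result}")
```

Step 4 is the trade-off the text describes: the moment a rule exists, any host on the Internet that can reach 68.54.127.95:21 is talking to 192.168.0.250, so the protection now rests entirely on the FTP server.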

Disabling Ports

Blocking TCP and UDP ports, also known as disabling ports, is performed on a host with a firewall app such as Windows Defender Firewall with Advanced Security, and on the network edge with the router’s firewall rules. Attackers look for listening services that nobody uses or monitors, so closing every port that is not needed shrinks the attack surface and makes it harder to gain a foothold on your network.

Content Filtering/Parental Controls

Windows Defender began as Microsoft’s anti-spyware tool and has evolved over successive Windows releases. Windows 8 combined Windows Defender with other tools so that Windows could fight off malware without any additional software. In Windows 10, the same Windows Defender protection is in place, and it has been combined with other tools and put into the Settings menu as an app. Figure 7-25 depicts the Windows Defender Security Center options. Windows Defender includes the following sections:

  • Virus & Threat Protection: Allows tracking of Windows Defender and third-party antivirus software

  • Account Protection: Includes Windows Hello and Dynamic Lock features

  • Firewall & Network Protection: Contains access control rules and other network and domain security settings

  • App & Browser Control: Contains filter controls for browsers and apps

  • Device Security: Tests device security and sets core security

  • Device Performance & Health: Scans devices and apps to report on status

  • Family Options: Provides parental controls and family device management options

FIGURE 7-25 Windows Defender Settings in Windows 10

Spending time getting to know the settings in the Windows Defender Security Center is a must for any technical support professional.

Apple has parental controls in macOS versions. They can be found by selecting the Apple menu > System Preferences > Parental Controls.

Most Linux distributions do not ship with built-in parental controls, but many third-party apps are available.

Update Firmware

Most SOHO router vendors issue at least one firmware update during the life span of each model of WAP and wireless router. Updates can solve operational problems and fix security flaws, and might add features that enhance WiFi interoperability, security, and ease of use. Note that a device past the vendor’s end-of-support date receives no further fixes, and known flaws in it remain exploitable; replacing it is then the only remedy. To determine whether a WAP or wireless router has a firmware update available, follow these steps:

  • Step 1. View the device’s configuration dialogs to record the current firmware version. Also note the router’s model number and revision from the back or bottom of the device.

  • Step 2. Visit the device vendor’s website to see whether a newer version of the firmware is available.

  • Step 3. Download the firmware update from the vendor’s own site (not a third-party mirror) to a PC that can be connected to the device with an Ethernet cable, and verify the download against any checksum the vendor publishes.

  • Step 4. Connect the PC to the device with an Ethernet cable.

  • Step 5. Navigate to the device’s firmware update dialog.

  • Step 6. Follow the instructions to update firmware.
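The following Python is an added example, not code from the book, covering the two checks in Steps 1 through 3 that are easy to get wrong by eye: deciding whether the published version really is newer (string comparison says “1.0.3” is newer than “1.0.10”), and confirming that the downloaded image matches the vendor’s published SHA-256 before it is flashed. The firmware bytes, version strings and digest are constructed stand-ins; real values come from the device’s status page and the vendor’s download page.

```python
"""Checks worth running before flashing a downloaded firmware image.

Added example, not from the book. FIRMWARE_IMAGE and PUBLISHED_SHA256 are
constructed stand-ins for a real download and the vendor-published hash.
"""
import hashlib
import hmac
import re


def parse_version(v: str) -> tuple:
    """'v1.0.10-beta' -> (1, 0, 10); numeric fields so 10 sorts after 3."""
    core = v.strip().lstrip("vV").split("-")[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in core.split("."))


def update_available(installed: str, published: str) -> bool:
    """True when the vendor's published version is newer than what the device reports."""
    return parse_version(published) > parse_version(installed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_matches(data: bytes, expected_hex: str) -> bool:
    """Compare the image digest with the published hash (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


# Constructed stand-ins; in practice the hash is copied from the vendor's page.
FIRMWARE_IMAGE = b"ROUTER-FW-v1.0.10\x00" + bytes(range(256)) * 4
PUBLISHED_SHA256 = sha256_hex(FIRMWARE_IMAGE)


def preflight(installed: str, published: str, image: bytes, published_hash: str) -> dict:
    """Everything that should be true before navigating to the update dialog."""
    return {
        "newer_version": update_available(installed, published),
        "image_intact": image_matches(image, published_hash),
    }


if __name__ == "__main__":
    print(preflight("1.0.3", "1.0.10", FIRMWARE_IMAGE, PUBLISHED_SHA256))
    print(preflight("1.0.3", "1.0.10", FIRMWARE_IMAGE + b"\x00", PUBLISHED_SHA256))
```

If either value in the result is False, stop: a stale image gains nothing, and a corrupted or tampered image can leave the device unbootable or backdoored.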

Physical Security

In a SOHO network environment, physical security refers to preventing unauthorized physical access to the network and its equipment. The same basics of physical security apply in a SOHO network as in a large office environment:

  • Secure the network equipment in a locked wiring closet or room.

  • Disable any unused wall Ethernet jacks by either disabling their switch ports or unplugging the patch panels in the wiring closet.

  • Route network cables out of sight, in the walls and above the ceiling. Having them out of sight cuts down on the chances of someone tapping into the network.

  • Lock doors when leaving.

  • If possible, dedicate a lockable room as a workspace in a home office to protect company devices and other resources from the hazards of daily family life, such as children and pets.
