Initial Core 2 study project

notes/SEC-10-soho-network-security.md

@@ -0,0 +1,277 @@
+# SEC-10: SOHO Network Security
+
+Status: not started
+
+Domain:
+- 2.0 Security
+
+Objective alignment:
+- 2.10 SOHO network security
+
+## What You Need To Know
+
+SOHO means Small Office/Home Office. On the exam, this usually means a small router or wireless access point that combines routing, switching, firewall, and Wi-Fi.
+
+Your job is to harden the router so attackers cannot easily control it, join the wireless network, or open paths into the network.
+
+Core protections:
+- Change default admin credentials
+- Update firmware
+- Use WPA2/WPA3 encryption
+- Disable UPnP unless required
+- Disable remote management unless required
+- Use guest networks carefully
+- Place network equipment securely
+- Use content/IP filtering when needed
+
+## Memory Trick
+
+Use **P-F-W-U-G**:
+
+- **P**asswords: change defaults
+- **F**irmware: keep updated
+- **W**i-Fi: WPA2/WPA3, not open
+- **U**PnP: usually disable
+- **G**uest: disable or isolate and secure
+
+Shortcut:
+- **If it manages the network, protect the login first.**
+
+## Default Passwords
+
+Routers and access points often ship with known default usernames and passwords.
+
+Why it matters:
+- Admin access gives full control of the device.
+- Defaults are easy to find online.
+- Attackers can change DNS, Wi-Fi settings, firewall rules, and port forwarding.
+
+Best practice:
+- Change the admin password during setup.
+- Use a strong unique password.
+- Store it in a password manager if possible.
+
+## Firmware Updates
+
+Firmware is the router's built-in software.
+
+Updates can include:
+- Security patches
+- Bug fixes
+- Stability fixes
+- New features
+
+Exam clue:
+- If a router has known vulnerabilities, update firmware from the manufacturer.
+
+## Secure Management Access
+
+Router management access should be limited.
+
+Good settings:
+- Strong admin password
+- Multifactor authentication if available
+- Local management only
+- Disable Internet-facing remote administration unless required
+- Limit management access by IP address if supported
+
+Cloud management:
+- Some routers use cloud accounts.
+- Protect the cloud account with a strong password and MFA.
+
+Exam clue:
+- If a question says management is exposed to the Internet, disable remote management or restrict access.
+
+## Wi-Fi Security
+
+SSID:
+- The wireless network name.
+- Change obvious default names such as LINKSYS or NETGEAR.
+- Do not use personal information in the SSID.
+
+SSID broadcast:
+- Hiding the SSID is not strong security.
+- The SSID can still be discovered with wireless tools.
+- Use real encryption instead.
+
+Encryption:
+- Open network: no password, weak security.
+- WPA2-Personal or WPA3-Personal: common SOHO choice with a pre-shared key.
+- WPA2/WPA3-Enterprise: uses individual user authentication with a server, usually in larger organizations.
+
+Best SOHO choice:
+- WPA3-Personal when supported.
+- WPA2-Personal if WPA3 is not available.
+- Strong Wi-Fi passphrase.
+
+## UPnP
+
+UPnP means Universal Plug and Play.
+
+What it does:
+- Lets internal apps/devices automatically open inbound ports on the router.
+- Common with gaming, media, and peer-to-peer apps.
+
+Risk:
+- Apps may open ports without approval.
+- This can expose internal services to the Internet.
+
+Best practice:
+- Disable UPnP unless a required app needs it.
+
+## IP Filtering and Content Filtering
+
+Allow list:
+- Only approved traffic or destinations are allowed.
+- More restrictive.
+
+Deny list:
+- Blocks known bad traffic, sites, domains, or IPs.
+- More flexible but less strict.
+
+Content filtering:
+- Blocks traffic by URL, category, malware reputation, or content type.
+- Used for parental controls, business policy, and malware protection.
+
+Exam clue:
+- If the goal is to block inappropriate websites, use content filtering.
+- If the goal is to permit only known systems or destinations, use an allow list.
+
+## Screened Subnet
+
+A screened subnet is a separate network area for public-facing services.
+
+Older term:
+- DMZ
+
+Purpose:
+- Keeps public systems separated from the internal private network.
+- Adds a layer between the Internet and internal devices.
+
+SOHO example:
+- A router may have a DMZ host option.
+- Be careful: placing a device in a DMZ can expose it heavily.
+
+## Guest Networks
+
+Guest networks can be useful, but they must be controlled.
+
+Best practice:
+- Disable guest network if not needed.
+- If enabled, use WPA2/WPA3.
+- Isolate guests from internal devices.
+- Use a separate password.
+
+Common uses:
+- Visitors
+- IoT devices
+- Lab or test devices
+
+Exam clue:
+- If visitors need Internet but should not access internal PCs, use an isolated guest network.
+
+## Physical Placement
+
+Network devices should be physically protected.
+
+Reasons:
+- A person with physical access may reset the router.
+- A person may unplug cables or connect unauthorized devices.
+- Wireless access points need good placement for coverage.
+
+Best practice:
+- Keep routers, switches, and access points in a secure location.
+- Place wireless access points high and central when possible.
+- Plan power and access for maintenance.
+
+## Commands To Enter
+
+These commands inspect your local network. They do not change router settings.
+
+Windows PowerShell:
+
+```powershell
+ipconfig
+```
+
+What it does:
+- Shows IP address information.
+- Look for Default Gateway; that is usually your router.
+
+```powershell
+Get-NetConnectionProfile
+```
+
+What it does:
+- Shows the current network profile.
+- Public is more restrictive; Private is used for trusted local networks.
+
+```powershell
+netsh wlan show interfaces
+```
+
+What it does:
+- Shows Wi-Fi connection details, including SSID and authentication type.
+
+Linux:
+
+```bash
+ip route
+```
+
+What it does:
+- Shows the default route.
+- The `default via` address is usually your router.
+
+```bash
+nmcli dev wifi list
+```
+
+What it does:
+- Lists nearby Wi-Fi networks if NetworkManager is installed.
+- Shows SSIDs and security types.
+
+```bash
+nmcli connection show --active
+```
+
+What it does:
+- Shows active network connections.
+
+macOS:
+
+```bash
+route -n get default
+```
+
+What it does:
+- Shows the default gateway router.
+
+```bash
+networksetup -getairportnetwork en0
+```
+
+What it does:
+- Shows the connected Wi-Fi network on many Macs.
+- Some Macs may use a different interface than `en0`.
+
+```bash
+system_profiler SPAirPortDataType
+```
+
+What it does:
+- Shows detailed Wi-Fi information.
+
+Do not log in to a router you do not own or administer. Do not change router settings in this section unless you understand the impact.
+
+## Quick Checks
+
+You should be able to answer:
+- Why change default router passwords?
+- Why keep firmware updated?
+- Why is WPA2/WPA3 better than an open network?
+- Why is hiding the SSID not strong security?
+- Why is UPnP risky?
+- When should you use a guest network?
+- What is the purpose of a screened subnet?
+