# SEC-10: SOHO Network Security

Status: not started

Domain:
- 2.0 Security

Objective alignment:
- 2.10 SOHO network security

## What You Need To Know

SOHO means Small Office/Home Office. On the exam, this usually means a small router or wireless access point that combines routing, switching, firewall, and Wi-Fi in one box. Your job is to harden that device so attackers cannot easily take control of it, join the wireless network, or open paths from the Internet into the network.

Core protections:
- Change default admin credentials
- Update firmware
- Use WPA2/WPA3 encryption
- Disable UPnP unless required
- Disable remote management unless required
- Use guest networks carefully
- Place network equipment securely
- Use content/IP filtering when needed

## Memory Trick

Use **P-F-W-U-G**:
- **P**asswords: change defaults
- **F**irmware: keep updated
- **W**i-Fi: WPA2/WPA3, not open
- **U**PnP: usually disable
- **G**uest: disable, or isolate and secure

Shortcut:
- **If it manages the network, protect the login first.**

## Default Passwords

Routers and access points often ship with known default usernames and passwords, usually printed on a label or listed in the manual.

Why it matters:
- Admin access gives full control of the device.
- Defaults are easy to find online, and a default SSID tells an attacker which vendor's defaults to try.
- An attacker with admin access can change DNS settings (redirecting every client on the network), Wi-Fi settings, firewall rules, and port forwarding.

Best practice:
- Change the admin password during setup, before the device goes online.
- Use a strong, unique password.
- Store it in a password manager if possible.

## Firmware Updates

Firmware is the router's built-in software.

Updates can include:
- Security patches
- Bug fixes
- Stability fixes
- New features

Exam clue:
- If a router has known vulnerabilities, update the firmware from the manufacturer (the vendor's download page or the router's own update function). Enable automatic updates if the device supports them.

## Secure Management Access

Router management access should be limited to trusted administrators on the local network.

Good settings:
- Strong admin password
- Multifactor authentication if available
- Local (LAN-side) management only
- Disable Internet-facing remote administration unless required
- Limit management access by source IP address if supported

Cloud management:
- Some routers use cloud accounts.
- Protect the cloud account with a strong password and MFA; it controls the router just as fully as the local admin login does.

Exam clue:
- If a question says management is exposed to the Internet, disable remote management or restrict it to specific source addresses.

## Wi-Fi Security

SSID:
- The wireless network name.
- Change obvious default names such as LINKSYS or NETGEAR; a default SSID advertises the vendor, and often the model, to anyone nearby.
- Do not use personal information in the SSID.

SSID broadcast:
- Hiding the SSID is not strong security.
- The SSID is still sent in probe and association frames, so wireless sniffing tools recover it.
- Use real encryption instead.

Encryption:
- Open network: no password and no encryption; anyone nearby can join and read traffic.
- WPA2-Personal or WPA3-Personal: common SOHO choice; every client shares one pre-shared key (the Wi-Fi passphrase).
- WPA2/WPA3-Enterprise: authenticates each user or device individually through a RADIUS server (802.1X), usually in larger organizations.
- WEP and the original WPA (TKIP) are broken; do not use them.

Best SOHO choice:
- WPA3-Personal when supported.
- WPA2-Personal (AES/CCMP) if WPA3 is not available.
- Strong Wi-Fi passphrase, different from the admin password.

## UPnP

UPnP means Universal Plug and Play.

What it does:
- Lets internal apps/devices automatically open inbound ports (port mappings) on the router, with no admin approval.
- Common with gaming consoles, media servers, and peer-to-peer apps.

Risk:
- Any program on the LAN, including malware on an infected PC, may open ports without approval.
- This can expose internal services to the Internet.

Best practice:
- Disable UPnP unless a required app needs it.
- If it must stay on, review the router's port-mapping list regularly.

## IP Filtering and Content Filtering

Allow list:
- Only approved traffic or destinations are allowed; everything else is blocked by default.
- More restrictive.

Deny list:
- Blocks known bad traffic, sites, domains, or IPs; everything else is allowed by default.
- More flexible but less strict.

Content filtering:
- Blocks traffic by URL, category, malware reputation, or content type.
- Used for parental controls, business policy, and malware protection.

Exam clue:
- If the goal is to block inappropriate websites, use content filtering.
- If the goal is to permit only known systems or destinations, use an allow list.

## Screened Subnet

A screened subnet is a separate network area for public-facing services.

Older term:
- DMZ

Purpose:
- Keeps public systems separated from the internal private network.
- Adds a layer between the Internet and internal devices.
SOHO example:
- A router may have a DMZ host option.
- Be careful: the DMZ host setting forwards all unsolicited inbound traffic to that one device, so it is fully exposed to the Internet. Unlike a true screened subnet, a SOHO DMZ host usually stays on the same LAN as every other device, so a compromised DMZ host can reach them directly.

## Guest Networks

Guest networks can be useful, but they must be controlled.

Best practice:
- Disable the guest network if not needed.
- If enabled, use WPA2/WPA3.
- Isolate guests from internal devices (client isolation or a separate VLAN).
- Use a separate password.

Common uses:
- Visitors
- IoT devices
- Lab or test devices

Exam clue:
- If visitors need Internet but should not access internal PCs, use an isolated guest network.

## Physical Placement

Network devices should be physically protected.

Reasons:
- A person with physical access can press the reset button, restoring factory defaults and the default admin password.
- A person may unplug cables or connect unauthorized devices.
- Wireless access points need good placement for coverage.

Best practice:
- Keep routers, switches, and access points in a secure location.
- Place wireless access points high and central when possible.
- Plan power and access for maintenance.

## Commands To Enter

These commands inspect your local network. They do not change router settings.

Windows PowerShell:

```powershell
ipconfig
```

What it does:
- Shows IP address information.
- Look for Default Gateway; that is usually your router.

```powershell
Get-NetConnectionProfile
```

What it does:
- Shows the current network profile.
- Public is more restrictive; Private is used for trusted local networks.

```powershell
netsh wlan show interfaces
```

What it does:
- Shows Wi-Fi connection details, including SSID and authentication type.

Linux:

```bash
ip route
```

What it does:
- Shows the routing table.
- The `default via` address is usually your router.

```bash
nmcli dev wifi list
```

What it does:
- Lists nearby Wi-Fi networks if NetworkManager is installed.
- Shows SSIDs and security types.

```bash
nmcli connection show --active
```

What it does:
- Shows active network connections.

macOS:

```bash
route -n get default
```

What it does:
- Shows the default gateway router.
```bash
networksetup -getairportnetwork en0
```

What it does:
- Shows the connected Wi-Fi network on many Macs.
- Some Macs may use a different interface than `en0`.

```bash
system_profiler SPAirPortDataType
```

What it does:
- Shows detailed Wi-Fi information.

Do not log in to a router you do not own or administer. Do not change router settings in this section unless you understand the impact.

## Quick Checks

You should be able to answer:
- Why change default router passwords?
- Why keep firmware updated?
- Why is WPA2/WPA3 better than an open network?
- Why is hiding the SSID not strong security?
- Why is UPnP risky?
- When should you use a guest network?
- What is the purpose of a screened subnet?
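The following is an added worked example, not part of the original study notes. It ties the Wi-Fi Security section to the Linux `nmcli` command above: it takes the terse scan output of `nmcli -t -f SSID,SECURITY dev wifi list` (one `SSID:SECURITY` line per network) and rates each network as open, weak, ok, strong, or enterprise. The scan lines embedded in `SAMPLE_SCAN` are constructed sample data, not a real capture.

```shell
#!/bin/sh
# Added example: rate nearby Wi-Fi networks from NetworkManager scan output.
# Real use:  nmcli -t -f SSID,SECURITY dev wifi list | audit_wifi_list
# Terse mode (-t) prints "SSID:SECURITY" per network. SECURITY is empty for an
# open network, or text such as "WEP", "WPA1 WPA2", "WPA2 WPA3", "WPA2 802.1X".

classify_wifi_security() {
    # $1 = SECURITY column text. Prints: open | weak | ok | strong | enterprise
    case "$1" in
        "")        echo open       ;;  # no encryption at all
        *802.1X*)  echo enterprise ;;  # per-user auth via RADIUS (WPA2/WPA3-Enterprise)
        *WPA3*)    echo strong     ;;  # WPA3 offered (alone or mixed WPA2/WPA3)
        *WPA2*)    echo ok         ;;  # WPA2 only; fine with a strong passphrase
        *)         echo weak       ;;  # WEP or WPA1/TKIP only: broken, treat as open
    esac
}

audit_wifi_list() {
    # Reads SSID:SECURITY lines on stdin; prints "<rating>\t<SSID>" per line.
    # Split at the LAST colon so an SSID that itself contains ':' still parses
    # (the SECURITY column never contains a colon).
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ssid=${line%:*}
        sec=${line##*:}
        printf '%s\t%s\n' "$(classify_wifi_security "$sec")" "$ssid"
    done
}

count_rating() {
    # $1 = rating; reads audit_wifi_list output on stdin, prints how many
    # networks received that rating.
    awk -F '\t' -v r="$1" '$1 == r { n++ } END { print n + 0 }'
}

# Constructed sample scan (not real data), in nmcli -t format.
SAMPLE_SCAN='HomeNet-5G:WPA2 WPA3
Coffee Free:
NETGEAR17:WPA1 WPA2
OldPrinter:WEP
CorpWifi:WPA2 802.1X'

printf '%s\n' "$SAMPLE_SCAN" | audit_wifi_list
printf 'open networks: %s\n' "$(printf '%s\n' "$SAMPLE_SCAN" | audit_wifi_list | count_rating open)"
```

The `NETGEAR17` entry is rated ok, not strong, because a mixed WPA1/WPA2 network still lets a client negotiate the broken TKIP cipher; it is also a default SSID, which is exactly the sign of an unconfigured router the Default Passwords section warns about.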
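The following is an added worked example for the UPnP section, not part of the original study notes. It shows what "apps open inbound ports on the router" looks like in practice by parsing the port-mapping list a UPnP router reports. With the miniupnpc tool installed, the real input would be `upnpc -l | upnp_mappings`; the lines produced by `sample_upnp` below are constructed in the style of that output and are not a real capture. The list of "never expose" ports in `risky_mappings` is this example's own choice.

```shell
#!/bin/sh
# Added example: enumerate the inbound port mappings currently held by a
# UPnP-enabled router and flag the ones that expose admin/file-sharing services.
# Real use:  upnpc -l | upnp_mappings | risky_mappings

sample_upnp() {
    # Constructed sample in the style of `upnpc -l` (index, protocol,
    # extPort->lanIP:lanPort, description, remote host, lease). Not real data.
cat <<'EOF'
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 25565->192.168.1.20:25565 'Minecraft server' '' 0
 1 UDP  3074->192.168.1.15:3074 'Xbox Live' '' 0
 2 TCP  5900->192.168.1.15:5900 'Screen Sharing' '' 0
EOF
}

upnp_mappings() {
    # Reads upnpc -l style lines on stdin; prints "PROTO EXT_PORT LAN_IP LAN_PORT"
    # per mapping. The header line is skipped because its first field is not a number.
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /->/ {
        split($3, m, "->")      # m[1] = external port, m[2] = "lanIP:lanPort"
        split(m[2], t, ":")     # t[1] = LAN IP, t[2] = LAN port
        print $2, m[1], t[1], t[2]
    }'
}

risky_mappings() {
    # Reads upnp_mappings output; prints only mappings whose LAN port is a
    # remote-admin or file-sharing service (FTP, SSH, Telnet, SMB, RDP, VNC).
    awk 'BEGIN { split("21 22 23 139 445 3389 5900", p, " "); for (i in p) risky[p[i]] = 1 }
         $4 in risky { print }'
}

echo "UPnP mappings currently open on the router:"
sample_upnp | upnp_mappings
echo "Mappings exposing remote-admin or file-sharing services:"
sample_upnp | upnp_mappings | risky_mappings
```

A game server or console mapping is what UPnP exists for; the VNC mapping to 192.168.1.15 is the kind of entry nobody approved, and the right fix is to disable UPnP on the router (or at least delete the mapping), not to leave the hole open.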
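The following is an added worked example for the IP Filtering and Content Filtering section, not part of the original study notes. It shows the one difference the exam cares about, the default action, by evaluating the same hostnames against an allow list and a deny list. Rules are domain names and match the exact name and any subdomain, the way most content filters treat a domain rule; the rule sets and hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: allow-list versus deny-list decisions for web destinations.

domain_in_list() {
    # $1 = hostname, $2 = space-separated domain rules.
    # A rule matches the exact name or any subdomain ("*.rule"). It does NOT
    # match "notschool.example.edu" against "school.example.edu", which a naive
    # substring check would.
    host=$1
    for entry in $2; do
        case "$host" in
            "$entry" | *."$entry") return 0 ;;
        esac
    done
    return 1
}

filter_decision() {
    # $1 = mode ("allow" or "deny"), $2 = rule list, $3 = hostname.
    # Allow-list mode: default block, permit only what is listed.
    # Deny-list mode:  default permit, block only what is listed.
    if domain_in_list "$3" "$2"; then
        [ "$1" = allow ] && echo permit || echo block
    else
        [ "$1" = allow ] && echo block || echo permit
    fi
}

# Constructed rule sets (not real policy).
ALLOWED='school.example.edu payroll.example.com'
DENIED='gambling.example adtracker.example'

for h in school.example.edu www.school.example.edu news.example.org \
         ads.adtracker.example notschool.example.edu; do
    printf '%-26s allow-list: %-6s deny-list: %s\n' "$h" \
        "$(filter_decision allow "$ALLOWED" "$h")" \
        "$(filter_decision deny "$DENIED" "$h")"
done
```

`news.example.org` is the telling row: a deny list permits it because nobody listed it, while an allow list blocks it for the same reason. That is why an allow list is the answer when the requirement is "only known destinations", and a deny list (or category-based content filtering) when the requirement is "block the bad sites but let everything else work".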