SEC-10: SOHO Network Security

Status: not started

Domain:

  • 2.0 Security

Objective alignment:

  • 2.10 SOHO network security

What You Need To Know

SOHO means Small Office/Home Office. On the exam, this usually means a small router or wireless access point that combines routing, switching, firewall, and Wi-Fi.

Your job is to harden the router so attackers cannot easily control it, join the wireless network, or open paths into the network.

Core protections:

  • Change default admin credentials
  • Update firmware
  • Use WPA2/WPA3 encryption
  • Disable UPnP unless required
  • Disable remote management unless required
  • Use guest networks carefully
  • Place network equipment securely
  • Use content/IP filtering when needed

Memory Trick

Use P-F-W-U-G:

  • Passwords: change defaults
  • Firmware: keep updated
  • Wi-Fi: WPA2/WPA3, not open
  • UPnP: usually disable
  • Guest: disable or isolate and secure

Shortcut:

  • If it manages the network, protect the login first.

Default Passwords

Routers and access points often ship with known default usernames and passwords.

Why it matters:

  • Admin access gives full control of the device.
  • Defaults are easy to find online.
  • Attackers can change DNS, Wi-Fi settings, firewall rules, and port forwarding.

Best practice:

  • Change the admin password during setup.
  • Use a strong unique password.
  • Store it in a password manager if possible.

Firmware Updates

Firmware is the router's built-in software.

Updates can include:

  • Security patches
  • Bug fixes
  • Stability fixes
  • New features

Exam clue:

  • If a router has known vulnerabilities, update firmware from the manufacturer.

Secure Management Access

Router management access should be limited.

Good settings:

  • Strong admin password
  • Multifactor authentication if available
  • Local management only
  • Disable Internet-facing remote administration unless required
  • Limit management access by IP address if supported

Cloud management:

  • Some routers use cloud accounts.
  • Protect the cloud account with a strong password and MFA.

Exam clue:

  • If a question says management is exposed to the Internet, disable remote management or restrict access.

Wi-Fi Security

SSID:

  • The wireless network name.
  • Change obvious default names such as LINKSYS or NETGEAR.
  • Do not use personal information in the SSID.

SSID broadcast:

  • Hiding the SSID is not strong security.
  • The SSID can still be discovered with wireless tools.
  • Use real encryption instead.

Encryption:

  • Open network: no password, weak security.
  • WPA2-Personal or WPA3-Personal: common SOHO choice with a pre-shared key.
  • WPA2/WPA3-Enterprise: uses individual user authentication with a server, usually in larger organizations.

Best SOHO choice:

  • WPA3-Personal when supported.
  • WPA2-Personal if WPA3 is not available.
  • Strong Wi-Fi passphrase.

UPnP

UPnP means Universal Plug and Play.

What it does:

  • Lets internal apps/devices automatically open inbound ports on the router.
  • Common with gaming, media, and peer-to-peer apps.

Risk:

  • Apps may open ports without approval.
  • This can expose internal services to the Internet.

Best practice:

  • Disable UPnP unless a required app needs it.

IP Filtering and Content Filtering

Allow list:

  • Only approved traffic or destinations are allowed.
  • More restrictive.

Deny list:

  • Blocks known bad traffic, sites, domains, or IPs.
  • More flexible but less strict.

Content filtering:

  • Blocks traffic by URL, category, malware reputation, or content type.
  • Used for parental controls, business policy, and malware protection.

Exam clue:

  • If the goal is to block inappropriate websites, use content filtering.
  • If the goal is to permit only known systems or destinations, use an allow list.

Screened Subnet

A screened subnet is a separate network area for public-facing services.

Older term:

  • DMZ

Purpose:

  • Keeps public systems separated from the internal private network.
  • Adds a layer between the Internet and internal devices.

SOHO example:

  • A router may have a DMZ host option.
  • Be careful: the DMZ host option forwards all unsolicited inbound Internet traffic to that one device, so it is fully exposed and must be hardened on its own.

Guest Networks

Guest networks can be useful, but they must be controlled.

Best practice:

  • Disable guest network if not needed.
  • If enabled, use WPA2/WPA3.
  • Isolate guests from internal devices.
  • Use a separate password.

Common uses:

  • Visitors
  • IoT devices
  • Lab or test devices

Exam clue:

  • If visitors need Internet but should not access internal PCs, use an isolated guest network.

Physical Placement

Network devices should be physically protected.

Reasons:

  • A person with physical access may reset the router.
  • A person may unplug cables or connect unauthorized devices.
  • Wireless access points need good placement for coverage.

Best practice:

  • Keep routers, switches, and access points in a secure location.
  • Place wireless access points high and central when possible.
  • Plan power and access for maintenance.

Commands To Enter

These commands inspect your local network. They do not change router settings.

Windows PowerShell:

ipconfig

What it does:

  • Shows IP address information.
  • Look for Default Gateway; that is usually your router.

Get-NetConnectionProfile

What it does:

  • Shows the current network profile.
  • Public is more restrictive; Private is used for trusted local networks.

netsh wlan show interfaces

What it does:

  • Shows Wi-Fi connection details, including SSID and authentication type.

Linux:

ip route

What it does:

  • Shows the default route.
  • The "default via" address is usually your router.

nmcli dev wifi list

What it does:

  • Lists nearby Wi-Fi networks if NetworkManager is installed.
  • Shows SSIDs and security types.

nmcli connection show --active

What it does:

  • Shows active network connections.

macOS:

route -n get default

What it does:

  • Shows the default gateway router.

networksetup -getairportnetwork en0

What it does:

  • Shows the connected Wi-Fi network on many Macs.
  • Some Macs may use a different interface than en0.

system_profiler SPAirPortDataType

What it does:

  • Shows detailed Wi-Fi information.

Do not log in to a router you do not own or administer. Do not change router settings in this section unless you understand the impact.
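As an added example (not part of these notes), the script below applies the Wi-Fi Security rules above to the kind of listing `nmcli dev wifi list` produces: it rates each network's encryption, flags default SSIDs, and shows that a hidden SSID still appears in the scan. It assumes the terse colon-separated format of `nmcli -t -f SSID,SECURITY dev wifi list`; the scan data is constructed, not captured from a real network.

```shell
#!/bin/sh
# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi list` output
# (terse mode: SSID and SECURITY separated by a colon). Not real scan data.
SAMPLE_SCAN='HomeNet:WPA2
LINKSYS:
NETGEAR:WPA1 WPA2
--:WPA2
Cafe-Guest:WPA3
OldAP:WEP'

# Rate the SECURITY column using the SEC-10 guidance:
# open, WEP and WPA1 are weak; WPA2 is acceptable; WPA3 is best.
rate_security() {
  case "$1" in
    "")      echo "OPEN - no encryption" ;;
    *WEP*)   echo "WEAK - WEP is broken" ;;
    *WPA3*)  echo "GOOD - WPA3" ;;
    *WPA2*)  case "$1" in
               *WPA1*) echo "MIXED - still allows WPA1 fallback" ;;
               *)      echo "OK - WPA2" ;;
             esac ;;
    *WPA1*)  echo "WEAK - WPA1 only" ;;
    *)       echo "UNKNOWN - $1" ;;
  esac
}

# One report line per network. nmcli prints "--" for a non-broadcast SSID:
# the network is still detected, which is why hiding the SSID is not a control.
audit_scan() {
  printf '%s\n' "$1" | while IFS=: read -r ssid sec; do
    [ -z "$ssid" ] && continue
    name="$ssid"
    [ "$ssid" = "--" ] && name="<hidden SSID, still detected>"
    case "$ssid" in LINKSYS|NETGEAR) name="$ssid (default name)" ;; esac
    printf '%-32s %s\n' "$name" "$(rate_security "$sec")"
  done
}

# Number of networks that fail the "WPA2 or WPA3, not open" requirement.
count_weak() {
  audit_scan "$1" | grep -c -E 'OPEN|WEAK|MIXED'
}

audit_scan "$SAMPLE_SCAN"
echo "Networks below WPA2: $(count_weak "$SAMPLE_SCAN")"
```

To run it against a live scan, replace SAMPLE_SCAN with the output of `nmcli -t -f SSID,SECURITY dev wifi list` on a network you administer.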

Quick Checks

You should be able to answer:

  • Why change default router passwords?
  • Why keep firmware updated?
  • Why is WPA2/WPA3 better than an open network?
  • Why is hiding the SSID not strong security?
  • Why is UPnP risky?
  • When should you use a guest network?
  • What is the purpose of a screened subnet?