# SEC-10: SOHO Network Security

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.10 SOHO network security

## What You Need To Know

SOHO means Small Office/Home Office. On the exam, this usually means a small router or wireless access point that combines routing, switching, firewall, and Wi-Fi.

Your job is to harden the router so attackers cannot easily control it, join the wireless network, or open paths into the network.

Core protections:

- Change default admin credentials
- Update firmware
- Use WPA2/WPA3 encryption
- Disable UPnP unless required
- Disable remote management unless required
- Use guest networks carefully
- Place network equipment securely
- Use content/IP filtering when needed

## Memory Trick

Use **P-F-W-U-G**:

- **P**asswords: change defaults
- **F**irmware: keep updated
- **W**i-Fi: WPA2/WPA3, not open
- **U**PnP: usually disable
- **G**uest: disable, or isolate and secure

Shortcut:

- **If it manages the network, protect the login first.**

## Default Passwords

Routers and access points often ship with known default usernames and passwords.

Why it matters:

- Admin access gives full control of the device.
- Defaults are easy to find online.
- Attackers can change DNS, Wi-Fi settings, firewall rules, and port forwarding.

Best practice:

- Change the admin password during setup.
- Use a strong, unique password.
- Store it in a password manager if possible.

## Firmware Updates

Firmware is the router's built-in software.

Updates can include:

- Security patches
- Bug fixes
- Stability fixes
- New features

Exam clue:

- If a router has known vulnerabilities, update the firmware from the manufacturer.

## Secure Management Access

Router management access should be limited.

Good settings:

- Strong admin password
- Multifactor authentication if available
- Local management only
- Disable Internet-facing remote administration unless required
- Limit management access by IP address if supported

Cloud management:

- Some routers use cloud accounts.
- Protect the cloud account with a strong password and MFA.

Exam clue:

- If a question says management is exposed to the Internet, disable remote management or restrict access.

## Wi-Fi Security

SSID:

- The wireless network name.
- Change obvious default names such as LINKSYS or NETGEAR.
- Do not use personal information in the SSID.

SSID broadcast:

- Hiding the SSID is not strong security.
- The SSID can still be discovered with wireless tools.
- Use real encryption instead.

Encryption:

- Open network: no password, weak security.
- WPA2-Personal or WPA3-Personal: common SOHO choice with a pre-shared key.
- WPA2/WPA3-Enterprise: uses individual user authentication with a server, usually in larger organizations.

Best SOHO choice:

- WPA3-Personal when supported.
- WPA2-Personal if WPA3 is not available.
- Strong Wi-Fi passphrase.

## UPnP

UPnP means Universal Plug and Play.

What it does:

- Lets internal apps/devices automatically open inbound ports on the router.
- Common with gaming, media, and peer-to-peer apps.

Risk:

- Apps may open ports without approval.
- This can expose internal services to the Internet.

Best practice:

- Disable UPnP unless a required app needs it.

## IP Filtering and Content Filtering

Allow list:

- Only approved traffic or destinations are allowed.
- More restrictive.

Deny list:

- Blocks known bad traffic, sites, domains, or IPs.
- More flexible but less strict.

Content filtering:

- Blocks traffic by URL, category, malware reputation, or content type.
- Used for parental controls, business policy, and malware protection.

Exam clue:

- If the goal is to block inappropriate websites, use content filtering.
- If the goal is to permit only known systems or destinations, use an allow list.

## Screened Subnet

A screened subnet is a separate network area for public-facing services.

Older term:

- DMZ

Purpose:

- Keeps public systems separated from the internal private network.
- Adds a layer between the Internet and internal devices.

SOHO example:

- A router may have a DMZ host option.
- Be careful: a DMZ host receives unsolicited inbound traffic from the Internet, so that device is heavily exposed.

## Guest Networks

Guest networks can be useful, but they must be controlled.

Best practice:

- Disable the guest network if not needed.
- If enabled, use WPA2/WPA3.
- Isolate guests from internal devices.
- Use a separate password.

Common uses:

- Visitors
- IoT devices
- Lab or test devices

Exam clue:

- If visitors need Internet but should not access internal PCs, use an isolated guest network.

## Physical Placement

Network devices should be physically protected.

Reasons:

- A person with physical access may reset the router.
- A person may unplug cables or connect unauthorized devices.
- Wireless access points need good placement for coverage.

Best practice:

- Keep routers, switches, and access points in a secure location.
- Place wireless access points high and central when possible.
- Plan power and access for maintenance.

## Commands To Enter

These commands inspect your local network. They do not change router settings.

Windows PowerShell:

```powershell
ipconfig
```

What it does:

- Shows IP address information.
- Look for Default Gateway; that is usually your router.

```powershell
Get-NetConnectionProfile
```

What it does:

- Shows the current network profile.
- Public is more restrictive; Private is used for trusted local networks.

```powershell
netsh wlan show interfaces
```

What it does:

- Shows Wi-Fi connection details, including SSID and authentication type.

Linux:

```bash
ip route
```

What it does:

- Shows the default route.
- The `default via` address is usually your router.

```bash
nmcli dev wifi list
```

What it does:

- Lists nearby Wi-Fi networks if NetworkManager is installed.
- Shows SSIDs and security types.

```bash
nmcli connection show --active
```

What it does:

- Shows active network connections.

macOS:

```bash
route -n get default
```

What it does:

- Shows the default gateway router.

```bash
networksetup -getairportnetwork en0
```

What it does:

- Shows the connected Wi-Fi network on many Macs.
- Some Macs may use a different interface than `en0`.

```bash
system_profiler SPAirPortDataType
```

What it does:

- Shows detailed Wi-Fi information.

Do not log in to a router you do not own or administer. Do not change router settings in this section unless you understand the impact.

## Quick Checks

You should be able to answer:

- Why change default router passwords?
- Why keep firmware updated?
- Why is WPA2/WPA3 better than an open network?
- Why is hiding the SSID not strong security?
- Why is UPnP risky?
- When should you use a guest network?
- What is the purpose of a screened subnet?