Securing a SOHO Network – CompTIA A+ 220-1002 – 2.10


The security requirements of a small office/home office aren’t much different than a large organization. In this video, you’ll learn about the techniques for securing wireless networks, configuring firewalls, filtering content, and more.

<< Previous Video: Data Destruction and Disposal Next: Troubleshooting Windows >>


Our smaller networks are just as important to secure as our larger networks. In this video, we’ll look at securing the small office and a home office network. Whenever you install a wireless access point, you assign a name to the network. This is the service set ID or the SSID. A common default for these SSIDs is Linksys, Default, or Netgear. If you want to discourage people from connecting to your wireless network, you may want to change that SSID from something other than the default.

You also have the option to disable the SSID broadcast. This is the broadcast that populates the name of the wireless network in the pulldown list of available networks. And if you disable that broadcast, it won’t show up in that list. This doesn’t mean that people would then not be able to connect to your network. Because as long as they know the SSID, they can still manually connect to your wireless network.

It’s for that reason we don’t consider disabling of the SSID broadcast to be a security function. It’s more of an organizational feature. This is sometimes referred to security through obscurity, which means if you know the method that’s used to secure it, it’s very easy to circumvent that security.

The one thing that does truly secure your wireless network is encrypting all of the data that goes over the air. Every device that is on that network can listen in to what’s going on. If you encrypt all of the data going over your network, then it doesn’t matter who’s listening. They won’t be able to see any of your data inside of those streams of information.

So you would either provide a shared passphrase to be able to encrypt that data, or you would use passphrases that are specific for an individual user. The point is that only the people who have the proper credentials would have access to the wireless network and would be able to encrypt and decrypt the information being sent over those wireless links.

If you have a home network, then you probably only have a single access point and a single set of antennas. And you commonly put that access point in a central location so that everybody can access that network equally. But in a larger office, you may have to specify different locations for different antennas. And you want to be very careful that you’re not overlapping frequencies on those networks as well.

On a 2.4 GHz network, you might have multiple access points using different frequencies, or different channels. And by specifying channels that don’t overlap, you can avoid some of those frequency conflicts. We often think that our access point should be broadcasting with as much signal as possible, but there may be environments where it makes more sense to turn down the power of that access point and limit who may be able to hear that signal outside of your building.

In some access points, you have access to this power level setting. And you can set the signal level to be lower than what the standard might be for that access point. The amount that you would set for this, though, needs to be determined based on who needs access to the access point and how far away they happen to be. So this may take a bit of work around your area to see just how far you can go with the current power level.

Even then, someone outside the building with the right kind of antenna may still be able to hear the traffic going over that wireless network. That’s why it’s important not only to change the power level of the access point, but also where it may be located within the building. If you’ve ever looked at all of the different configuration settings for wireless encryption on an access point, you’ll find that it’s a relatively complex process.

One way that we tried to make this process easier for the end user is we created WPS or Wi-Fi Protected Setup. This was originally called Wi-Fi Simple Config. The goal was to have somebody connect to your wireless network and use an encrypted channel, but not have to go through a lot of configurations to make that happen. There were different ways to initiate this connection. One was to put a PIN number on your laptop or your mobile device. Another one was to push a button that was on the access point when you were close by.

Some access points also provide an option for Near Field Communication or NFC, where you simply need to bring your mobile device close to the access point, and it would begin the synchronization process. And the WPS standard used to have a process using USB keys where you could plug a USB key into the access point and then plug that same key into your laptop to gain access to the wireless network.

Unfortunately, in December of 2011, a significant flaw was seen with the WPS standard. This vulnerability was based on a problem with the personal identification number used to synchronize a mobile device with the access point. This PIN is an eight-digit number. But in reality, it was really a seven-digit number and a checksum. And of course, seven digits means that we have about 10 million possible combinations.

But in reality, it was actually much fewer than 10 million. This WPS process broke the number up into two separate pieces. So there would be a first half, which had four digits, and a second half, which only had three digits because that last digit was the checksum. This meant the first half had 10,000 possibilities. And the last half had 1,000 possibilities.

And 11,000 possibilities is much fewer than the 10 million possible combinations that you would think would be available. This meant if you didn’t have a lockout process that a laptop could go through all 11,000 possibilities in about four hours.

And eventually, you were able to find that personal identification number and connect to anybody’s WPS-enabled network. Although newer versions of WPS include a lockout function, most people choose to disable WPS completely and avoid any vulnerabilities associated with WPS.

The access points and the wireless routers that we might install in to a small office or a home office all have a default username and password. It may be admin, admin, or admin, password. If you’re installing a wireless router or an access point, you want to be sure to change this default username and password.

If someone does have the username and password, then they would effectively have full control over that particular access point, or wireless router. These default credentials are very easy to find. You can go to websites like routerpasswords.com, find the exact model you’re looking for, and know the default username and password for that particular device.

The network interface card in your device has a burned-in address that we call the hardware address. This is the MAC address or Media Access Control address. The MAC address of a network interface card is unique. So there’s no other MAC address anywhere in the world that matches the one that’s on your network interface card.

Knowing that that MAC address is unique means that we can start setting filters to allow or disallow access to a network from that specific physical network interface card. This means that we can keep neighbors out of our network, or specify exactly what MAC addresses are allowed on our wireless network.

Although this might help with some aspects of wireless network administration, unfortunately, it’s not a security feature. It’s very easy to find the MAC address of a device by capturing packets that are going across the air. MAC address information is not encrypted by default. So it’s very easy to perform a packet capture and view all of the MAC addresses on a particular network.

The driver of the network interface card in your operating system often allows you to change the MAC address to whatever you’d like. This means you can grab a known good MAC address from your packet capture, put that into your system, and now be able to circumvent the MAC address filter. This is another example of security through obscurity.

Once you know the MAC address filters in place, it’s very, very easy to circumvent that security. Here’s the MAC address filter on my access point. You would simply add the MAC addresses into your list, enable the filter, and now only those MAC addresses would be able to communicate on your wireless network.

When you turn on your computer, it gets an IP address automatically using a method called DHCP, the Dynamic Host Configuration Protocol. Some people prefer turning off that automated process and manually addressing devices individually on the network.

The argument is that these IP addresses are encrypted on the network and therefore make it a little bit more difficult for a hacker to gain access to your system. But of course, there are ways to gather IP address information even if you’re not on that wireless network. And if somebody does circumvent the encryption, they’ll, of course, be able to see all of the IP addresses on the network.

The process of obtaining an IP address automatically or having one assigned manually is more of an administrative function and doesn’t serve any security purpose whatsoever. Since the IP address information is so easy to obtain, and there’s no security feature associated with it, it’s best to put this in the category of security through obscurity.

The throughput requirements for a small office or home office are often much less than you would find in a much larger environment. Because of that, we’re usually implementing a single appliance to perform firewalling, wireless access capabilities. There’s usually content filters built into this. And you can do it all through this single component, rather than having multiple devices connected to the network.

This integration of capabilities, though, may bring some challenges for the network manager. For example, there may be capabilities that aren’t built into this integrated device, such as dynamic routing. And the number of options for remote support may be limited to whatever is available on that remote device.

As with your other operating systems and components, you want to be sure your SOHO firewalls are also updated to the latest version. There are always security updates available. So you want to make sure that your switches, your routers, and your integrated components such as these are always at the latest version of software.

You may have the ability to build specific firewall rules on these devices. For your inbound traffic, you want to think about what type of traffic would ever need to come into the inside of your network. This would commonly be traffic that’s connecting to a server or a service that’s on the inside of your network.

On many of these devices, this is accomplished by configuring port forwarding, which is going to map an external port number to an IP address and a port number on the inside of your network. Some of these devices allow you to build a DMZ or a demilitarized zone. This would allow you to put a server or a set of services in a midpoint that would still allow people access from the outside, but would still prevent access to the inside of your network.

For all the traffic going outbound, there are usually two philosophies that people will follow. The first is to create a blacklist. A blacklist allows all traffic outbound. And you would only filter the things that were unwanted. The other philosophy is to configure a white list. This would block all traffic. And then you would only enable the traffic that was approved.

Another good best practice is to limit what interfaces on a switch would allow access to your network. In many environments, it’s very common to disable physical interfaces in public areas, such as conference rooms or break rooms. It’s also common to disable any interfaces which may be unused. This would prevent somebody from walking into a wiring closet and plugging into the network.

And many wired and wireless networks have 802.1X configured. This is a type of network access control or NAC. This would require some type of authentication before you are allowed access to the network. So even if you’re plugging in a computer or third-party device, you still need to provide the proper credentials to gain access to the rest of the network.

Most organizations have some type of content filtering that they’re doing on the network. This is usually a device that’s looking into the traffic flows and determining if that information should be allowed, or if that information should be blocked. This can help organizations that would like to block sensitive materials from going out to the internet so they can look for credit card numbers, or social security numbers, or any other sensitive information, and block it at the content filter.

These devices can also block information which may be inappropriate. There may be information that’s not appropriate for work, or if you’re using this at home, there may be parental controls that you can install. And many content filters can integrate with lists that may block you from visiting known bad sites.

If you have physical access to a server or device, then you can effectively circumvent all of the security of that device. This is why we have data centers with big doors that are locked to prevent anybody from gaining access to that data. The same security concern exists for your small office and your home office. So you have to think about how these devices are secured at a physical level.

Of course, all of your equipment should be behind a locked door, whether this is a traditional key with a lock, or whether it’s an electronic lock. And you may want to provide additional authentication to get through that lock. There may be biometric settings, so you use a fingerprint to be able to access that lock, along with perhaps a personal identification number. Regardless of what you use, it should be a well-documented process and one that you can apply to any of your small offices or home offices.