A plus 1002 Sub-objective 2.10 – Given a scenario, configure security on SOHO wireless and wired networks.

Welcome to ExamNotes by CertBlaster! If you have been following up to this point, with A plus 1002 Sub-objective 2.10 you’ve reached the final sub-objective in Domain 2.0 of the CompTIA A+ Exam Objectives statement. In this section, we will look at the steps that can be taken to secure a wired or wireless network. We will begin by examining the elements of a network that are exclusively related to wireless networks. Next, we will discuss issues that are common to both wired and wireless networks. Enjoy!

Wireless specific

Wireless networks are filled with potential security compromises. The network signal can be detected by anyone with the hardware. Often, casual non-malevolent users can be seen driving around until they pick up a signal from an open wireless network so they can check their email! This is a possibility since the access point’s owner may not recognize the compromise. In addition, an open wireless network can be a free service offered by a retailer or other service provider such as a CATV provider that also offers Internet. Based on the service agreement, the Cable-provider owned router and wireless equipment may provide a hotspot on the device.

Changing default SSID

The Service Set Identifier (SSID) serves as the network name for the wireless (WiFi) network. The default SSID is set at the factory and should be changed during initial configuration of the network along with assignment of a new password. All devices on the WiFi network must be able to identify this device and must take the steps necessary to access it. This includes the password, channel number, and encryption.

Setting encryption

Encryption makes traffic unintelligible to outsiders and insiders who don’t have the public key. Since being paired with 802.11x wireless traffic, encryption methods have continuously evolved to stay ahead of threats. Wireless encryption began with WEP (Wireless encryption Protocol) which used a 40-bit key that was quickly compromised. WEP was later upgraded to a 128-bit key however it was still vulnerable.

WPA (Wi-Fi Protected Access) was an interim solution implemented to address the shortcomings of WEP. WPA can be used on legacy hardware, requiring only software or firmware upgrades, and can be combined with additional encryption standards such as TKIP (Temporal Key Integrity Protocol). WPA2 is a more secure implementation of WPA that can use both TKIP and the more advanced AES (Advanced Encryption Standard). The only drawback of WPA2 is that users of legacy wireless interfaces will have to upgrade in order to use AES. When configuring a router, it is wise to implement WPA2 with TKIP and AES in order to allow devices that cannot support AES to fall back to TKIP.

In the image below, observe that based on the operating system and the hardware, the encryption types available will vary.

Disabling SSID broadcast

By default, the router is configured to transmit its SSID every few second during a process called broadcasting. It is recommended that this feature be disabled for the purpose of network hardening since half of the SSID/Passphrase security element will be provided otherwise. This is seen in the image below on a Dual Band router using the 2.4 Ghz and 5.0 Ghz frequency bands. The passphrase is obscured.

Antenna and access point placement

The placement of the wireless access point and the wireless antenna are often overlooked by users since bandwidth is prioritized and other important issues, such as eavesdropping and interference, are often ignored. Interference occurs where two or more WAPs/Routers create overlapping but dissimilar transmission ranges. Regarding eavesdropping, consider that wireless devices are two-way radios with varying coverage areas which depend on the 802.11 protocol used and the physical environment.  Envision a circular area, representing the effective range, which extends from the WAP or Router. By picturing this circular area, it is easy to visualize why an access point should be placed in a location where it can reach all the required locations in the space.

It is usually best to place the WAP or Router in the center of the desired area since this will provide comprehensive coverage and will reduce the possibility of compromise from outsiders. A WAP or Router placed in a corner or close to a wall will make only ¼ or ½ of the range available to the users. If the WAP or Router is placed adjacent to another business entity or family, the remainder of the range is “bleeding” (escaping) into unintended areas, making them subject to compromise. Also in an office or apartment building with multiple access points, signals can overlap each other, likely causing interference on both networks. The judicious placement of wireless transmission devices reduces the probability of both security and operational issues while providing the required coverage.

Radio power levels

In addition to carefully selecting the location of the WAP or Router, control the size of the coverage range by adjusting the power of the transmitting radio. This simple step will help avoid the pitfalls of having wireless data subject to compromise.

WPS

In order to streamline the wireless setup process and help the less technically-inclined user establish wireless connections, the WPS (Wi-Fi Protected Setup) standard was implemented. This standard reduces the time and effort required to perform an initial connection, or recover a lost connection, down to a simple push of a button. Once initiated, WPS puts the WAP/router into WPA Personal or WPA2 Personal security mode and briefly makes the SSID and Passphrase (Key) available.

Change default usernames and passwords

All network hardware such as routers, switches, and WAPs utilize usernames and passwords (passphrases) to authenticate users and allow configuration of the devices. Since the device needs to be setup for immediate use, the factory sets default username/password combinations that are widely known and easily compromised. Combat this by changing these values immediately. Shown below is a wireless gateway with the default username displayed. In this case, it’s “admin” which is not an effective configuration to put it mildly. Before you decide that administrator is better, please try again!

Default username

Enable MAC filtering

Every network device is assigned a globally unique 48-bit hexadecimal MAC (Media Access Code) address embedded in the firmware. The uniqueness of this address, better than IP addresses, makes it a very specific method of blocking or permitting the device. In most cases, allow devices in a specific IP address range in order to manage traffic on a specific subnet.

Assign static IP addresses

In the vast majority of cases, IP addresses are assigned automatically by DHCP. This protocol provides noticeable savings in time and effort while efficiently managing and assigning addresses from the available address pool. DHCP addresses may change periodically and keep in mind that address changes do not have any impact on performance. Some devices such as Web, File, and Print servers need to have a permanent network address in order to reliably provide its particular service.  The image below shows a static IP address assigned to a Document Server.

Static IP

Firewall settings

Firewalls are a crucial component in a solid network defense strategy. When configuring a firewall, set the level as strict as possible on the hardware and then test the system and applications for proper operation. Software firewalls, such as Windows Firewall or from a third-party protection suite, can then be configured. This is shown below.

Using the Norton Firewall, the Specific UDP (DHCPV6-in) rule was selected to Modify as seen in the top window. In the second window, the rule behavior is allowed to be changed to Block, Monitor, or Allow.

Modify Firewall Rule

Port forwarding/mapping

Port forwarding or mapping allows inbound IP addresses and port numbers to be redirected on the internal network. This setting allows the firewall to change the ports and addresses used by a service to any other available port and address in order to foil attackers. In the screenshot below, TCP/UDP is allowed to specifically assign Port 21 to the common FTP service (No change). The port and address can be forwarded to any available port/address combination.

Port Forwarding

Disabling ports

After remapping or forwarding a port/address combination, traffic on the previously configured port/address can be disabled.

Content filtering / parental controls

Parental controls or content filters restrict specific traffic based on keywords, URLs (Domains), or the time of day. Parental Control settings can also allow Trusted IP addresses (The Parents) to access the restricted content at will.

Parental Control

Update firmware

It is possible that the access device may not support the speeds that are expected or may not have new features from the service provider, regardless if it is wired or wireless. In these cases, the device manufacturer may have updated firmware in order to increase performance and/or implement new features. Firmware upgrades are also provided to address problems with the device. In all of these cases, be absolutely sure that the make, model, serial number of the device has been recorded. Be absolutely sure that the manufacturer’s instructions regarding the firmware upgrade process is clearly understood. Failure to follow the instructions could render the device inoperative.

Firmware updates are a one-shot deal and there is no “undo.” Unless you have the time and money to acquire a replacement device, read the instructions carefully! Obtain the new firmware from the manufacturer ONLY. DO NOT obtain firmware from the Play Store, Windows Store, or App Store and certainly do not obtain it from a freeware download site. Read the instructions again and perform the upgrade slowly and deliberately. There will only be one chance. Shown in the screenshot below is most of the information that will be needed to perform the firmware update.

Information for update

Physical security

We covered almost everything, however one critical point remains. We have dealt with security, configurations, and updates but not the physical security of the devices. Make sure that your equipment is safe from malicious parties and even troublemakers who may push a button to see what it does! It can happen.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Avoid placing equipment in public areas or locations where a guest’s or employee’s contact with the equipment can’t be controlled. Hardware should be in an area protected by a badge, key, or combination lock where only authorized personnel can enter. Always place equipment in a room with a locked door and limited access. Well, that will do it for objective 2.10 and that concludes the entire Domain 2.0. Congratulations are in order and it’s downhill from here. Good luck on the test!

By continuing to browse this site, you accept the use of cookies and similar technologies that will allow the use of your data by CertBlaster in order to produce audience statistics- see our privacy policy.