CompTIA A+ Exam 220-902 sub-objective 3.7 – Given a scenario, secure SOHO wireless and wired networks

Detailed (and official) description of CompTIA A+ sub-objective 3.7

3.7 Given a scenario, secure SOHO wireless and wired networks

Wireless specific
Changing default SSID
Setting encryption
Disabling SSID broadcast
Antenna and access point placement
Radio power levels
WPS

Change default user-names and passwords
Enable MAC filtering
Assign static IP addresses
Firewall settings
Port forwarding/mapping
Disabling ports
Content filtering / parental controls
Update firmware
Physical security

Welcome to Exam Notes by CertBlaster! If you have been following along, you’ve reached the final objective in Domain 3 of the CompTIA objectives. Here we will look at the steps you can take to secure your wired or wireless network. We will begin with the elements that apply only to wireless networks, then move on to issues common to both wired and wireless networks. Enjoy!

Wireless specific

Wireless networks present an environment full of potential security compromises. The network signal can be detected by anyone with the right hardware. It is common to find casual, non-malicious users driving around until they pick up the signal from an open wireless network and then checking their email! This is possible because the access point’s owner may not recognize the compromise. Equally, the open network could be a free service offered by a retailer or another provider, such as a cable TV (CATV) company that also offers internet. Depending on your service agreement, you may find that the company has enabled a public hotspot on the cable-provider-owned router and wireless equipment.

Changing default SSID

The Service Set Identifier (SSID) is the network name of your wireless (Wi-Fi) network. The default SSID is set at the factory and should be changed during the initial configuration, along with assigning a new password. Every device on the Wi-Fi network must be able to identify the access point and take the steps necessary to access it; this means matching its password, channel number and encryption settings.

Setting encryption

Encryption makes your traffic unintelligible to outsiders, and to insiders, who do not have the key. Since their pairing with 802.11x wireless traffic, encryption methods have continuously evolved to stay ahead of the threats. It began with WEP (Wireless encryption Protocol), which started with a 40-bit key and was quickly compromised. WEP was subsequently strengthened to 128-bit keys but remained vulnerable. WPA (Wi-Fi Protected Access) was an interim solution implemented to address the shortcomings of WEP. WPA can run on legacy hardware, requiring only software or firmware upgrades, and can be combined with additional encryption standards such as TKIP (Temporal Key Integrity Protocol). WPA2 is a more secure implementation of WPA that can use both TKIP and the more advanced AES (Advanced Encryption Standard). The only drawback is that users of legacy wireless interfaces will have to upgrade to use AES. When configuring a router it is wise to implement WPA2 with TKIP and AES, so that devices that cannot support AES can fall back to TKIP.

As the image shows, the encryption types available vary with the operating system and hardware.

Screenshot: Encryption Types by System
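To make the link between the SSID and the passphrase from the two sections above concrete, here is a short added example. It is ours, written for these notes; it is not code from the original page or from any router vendor. WPA and WPA2 Personal derive the 256-bit pre-shared key from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, so changing either the network name or the passphrase changes the key that the access point and every client must compute. The "IEEE"/"password" pair is the published IEEE 802.11i test vector; the other SSID and the short passphrase are constructed sample values.

```python
import hashlib

# WPA/WPA2-Personal derives the 256-bit pre-shared key (PSK) from the passphrase
# with PBKDF2-HMAC-SHA1, using the SSID as the salt and 4096 rounds.
PBKDF2_ROUNDS = 4096
PSK_LEN = 32  # bytes


def validate_passphrase(passphrase: str) -> str:
    """A WPA-Personal passphrase is 8 to 63 printable ASCII characters (0x20-0x7E)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be between 8 and 63 characters")
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII")
    return passphrase


def derive_psk(ssid: str, passphrase: str) -> bytes:
    """Return the 32-byte PSK that both the access point and every client compute."""
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_LEN
    )


def psk_changes_with_ssid(passphrase: str, old_ssid: str, new_ssid: str) -> bool:
    """Show that renaming the network alone already yields a different key."""
    return derive_psk(old_ssid, passphrase) != derive_psk(new_ssid, passphrase)


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: SSID "IEEE", passphrase "password".
    print(derive_psk("IEEE", "password").hex())
    # Constructed example (not from the page): same passphrase, different SSID.
    print(psk_changes_with_ssid("password", "IEEE", "HomeNet-2G"))
```

The derivation is deliberately slow (4096 rounds) and salted with the SSID, which is why the exam objective lists changing the default SSID and setting a new passphrase together: both inputs feed the key.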

Disabling SSID broadcast

By default the router transmits its SSID every few seconds, a process called broadcasting. It is recommended that you disable this feature in the interest of network hardening, since the SSID provides half of the SSID/passphrase security element. We see it here on a dual-band router using the 2.4 GHz and 5.0 GHz frequency bands. The passphrase is obscured.

Screenshot: SSID and Passphrase

Antenna and access point placement

The placement of a wireless access point and its antenna is often underestimated by users who get the bandwidth they need without worrying about other important issues, such as eavesdropping and interference. Interference occurs where two or more WAPs/routers create overlapping but dissimilar transmission ranges. In the case of eavesdropping, consider that wireless devices are two-way radios with coverage areas that vary depending on the 802.11 protocol used and the physical environment. Envision a circular area extending from your WAP or router that represents your effective range. With that concept in mind it is easy to understand the need to place your access point where it will serve all the required locations in your space. It is usually best to place your WAP or router in the center of the desired area. This provides coverage and reduces the possibility of compromise by outsiders. A WAP or router placed in a corner, or close to a wall shared with another business or family, as the case may be, makes only ¼ or ½ of your range available to your users while the remainder “bleeds” (escapes) into unintended areas, making it subject to compromise. Also, in an office or apartment building with multiple access points, the signals can overlap and are likely to cause interference on both networks. Judicious placement of your wireless transmission devices reduces the probability of both security and operational issues while providing the required coverage.

Radio power levels

In addition to carefully selecting the location of your WAP or router, you can control the size of your coverage area by adjusting the power of the transmitting radio. Lowering the power so that the signal covers only the space you need is a simple step that reduces the chance of your data being exposed to outsiders.

WPS

To streamline the wireless setup process and help the less technical user establish wireless connections, the WPS (Wi-Fi Protected Setup) standard was introduced. It reduces the time and effort required to perform the initial connection, or to recover a lost connection, to a simple push of a button. Once initiated, WPS puts the WAP/router into WPA Personal or WPA2 Personal security mode and briefly makes the SSID and passphrase (key) available to the joining device.

Change default user-names and passwords

All network hardware such as routers, switches and WAPs uses usernames and passwords (passphrases) to authenticate users and allow configuration of the devices. Since the device needs to be set up before use, the factory sets default username/password combinations that are widely known and easily compromised. Combat this by changing these values immediately. Here is a wireless gateway with the default username displayed. In this case it’s “admin”, not an effective configuration to put it mildly, and before you decide that “administrator” is better, please try again!

Screenshot: Default username

Enable MAC filtering

Every network interface is assigned a globally unique 48-bit MAC (Media Access Code) address, written in hexadecimal and embedded in the firmware. The uniqueness of this address, beyond that of IP addresses, makes filtering on it a very specific method of blocking or permitting a particular device through your router. In most cases you would allow devices in a specific IP address range to manage traffic on a specific subnet.
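The following is an added example of how a MAC filter decides whether a station may associate. It was written for these notes and is not taken from the page or from any router’s firmware. It normalizes the address formats that different systems display (colons, dashes, or Cisco-style dotted groups), rejects anything that is not exactly 48 bits of hex, and then applies either an allow-list or a deny-list. The hostnames and MAC addresses are constructed sample data.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e; return lowercase colon form.

    Raises ValueError for anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i : i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Allow-list ("only these devices may join") or deny-list ("these may not")."""

    def __init__(self, addresses, mode="allow"):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        # Normalizing at load time means a later lookup never fails on formatting alone.
        self.entries = {normalize_mac(a) for a in addresses}

    def permits(self, mac: str) -> bool:
        listed = normalize_mac(mac) in self.entries
        return listed if self.mode == "allow" else not listed


def evaluate(filt, attempts):
    """Run a list of (hostname, mac) association attempts through the filter."""
    return [
        (host, mac, "ASSOCIATE" if filt.permits(mac) else "REJECT")
        for host, mac in attempts
    ]


# Constructed sample data (not from the page): two registered devices and one stranger.
REGISTERED = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f"]
ATTEMPTS = [
    ("laptop", "00:1a:2b:3c:4d:5e"),
    ("printer", "00:1A:2B:3C:4D:5F"),
    ("unknown", "a4:b5:c6:d7:e8:f9"),
]

if __name__ == "__main__":
    for host, mac, decision in evaluate(MacFilter(REGISTERED), ATTEMPTS):
        print(f"{host:8} {normalize_mac(mac)}  {decision}")
```

An allow-list is the stricter of the two modes: every new device has to be registered before it can join, which is exactly the administrative step that makes the filter useful on a small network.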

Assign static IP addresses

In the vast majority of cases you will find IP addresses assigned automatically by DHCP. This protocol saves real time and effort while efficiently managing and assigning addresses from the available address pool. DHCP addresses may change periodically; the change does not have any impact on performance. Some devices, such as web, file and print servers, need a permanent address on the network in order to reliably provide their particular service. The image below shows a static IP address assigned to a document server.

Screenshot: Static IP

Firewall settings

Firewalls are a crucial component of a solid defense strategy. When configuring a firewall, set the protection level as high as the hardware allows, then test your system and applications for proper operation. You can also configure software firewalls such as Windows Firewall or a third-party protection suite, shown below. In the Norton Firewall, the top window shows the Specific UDP (DHCPV6-in) rule selected for modification; the second window below it allows the rule’s behavior to be changed to Block, Monitor or Allow.

Screenshot: Modify Firewall Rule

Port forwarding/mapping

Port forwarding or mapping allows traffic arriving at an external IP address and port number to be redirected to a host on the internal network. This setting allows the firewall to change the ports and addresses used by a service to any available port and address in order to foil attackers. Here we allow TCP/UDP traffic on port 21 to reach the common FTP service (no change). The port and address could be forwarded to any available port/address combination.

Screenshot: Port Forwarding configuration

Disabling ports

After remapping/forwarding a port/address combination, traffic on the previously configured port/address can be disabled.
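Here is an added example modelling the port-forwarding table described in the two sections above; it is ours, not the page’s own configuration and not any vendor’s code. It walks the scenario in order: a plain port 21 mapping to an FTP host (as in the screenshot), a remapping of the service to a different external port, and the old entry disabled afterwards so inbound traffic on the original port is dropped. The LAN address 192.168.1.20 and the port 2121 are constructed values.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ForwardRule:
    proto: str        # "tcp" or "udp"
    ext_port: int     # port seen on the WAN side
    int_ip: str       # LAN host that really runs the service
    int_port: int     # port the service listens on internally
    enabled: bool = True


def _check_port(port: int) -> int:
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


class PortForwardTable:
    """Minimal model of a SOHO router's inbound port-forwarding table."""

    def __init__(self):
        self._rules = {}  # (proto, external port) -> ForwardRule

    def add(self, proto, ext_port, int_ip, int_port):
        key = (proto.lower(), _check_port(ext_port))
        self._rules[key] = ForwardRule(proto.lower(), ext_port, int_ip, _check_port(int_port))

    def disable(self, proto, ext_port):
        """Keep the rule on record but stop honoring it (the 'Disabling ports' step)."""
        key = (proto.lower(), ext_port)
        if key not in self._rules:
            raise KeyError(f"no rule for {proto}/{ext_port}")
        self._rules[key] = replace(self._rules[key], enabled=False)

    def translate(self, proto, ext_port):
        """Destination for an inbound packet, or None when the router should drop it."""
        rule = self._rules.get((proto.lower(), ext_port))
        if rule is None or not rule.enabled:
            return None
        return rule.int_ip, rule.int_port

    def exposed_ports(self):
        """What is still reachable from outside: the list to review after every change."""
        return sorted((p, e) for (p, e), r in self._rules.items() if r.enabled)


def build_ftp_example():
    """Constructed scenario (not the page's own config): FTP on LAN host 192.168.1.20."""
    table = PortForwardTable()
    # Step 1: plain mapping, as in the page's screenshot: port 21 in, port 21 on the FTP host.
    table.add("tcp", 21, "192.168.1.20", 21)
    # Step 2: remap the service to a different external port, then disable the old entry.
    table.add("tcp", 2121, "192.168.1.20", 21)
    table.disable("tcp", 21)
    return table


if __name__ == "__main__":
    table = build_ftp_example()
    print("tcp/21   ->", table.translate("tcp", 21))
    print("tcp/2121 ->", table.translate("tcp", 2121))
    print("exposed  :", table.exposed_ports())
```

The `exposed_ports()` view is the part worth keeping in mind when working in a real router’s GUI: after remapping, check that the old port really is disabled rather than left forwarding alongside the new one.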

Content filtering / parental controls

Parental controls or content filters restrict specific traffic, which can be filtered or blocked based on keywords, URLs (domains), or the time of day. Parental control settings can also allow trusted IP addresses (the parents) to access the restricted content at will.

Screenshot: Parental Control settings
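An added example, written for these notes rather than taken from the page or from any vendor’s product, of how a parental-control filter combines the three criteria above (keyword, domain and time of day) with a trusted-host exception. The domains, keyword, schedule and addresses are constructed. Two details are worth noticing: the blocked window runs overnight, so the comparison has to handle a start time later than the end time, and the domain match catches subdomains without also matching an unrelated name that merely ends in the same letters.

```python
from datetime import datetime, time
from ipaddress import ip_address
from urllib.parse import urlparse


def _hhmm(text: str) -> time:
    return datetime.strptime(text, "%H:%M").time()


class ContentFilter:
    """Parental-control style filter: keywords, domains, a blocked time window,
    and trusted client addresses that bypass every rule."""

    def __init__(self, keywords, domains, blocked_from, blocked_until, trusted_ips):
        self.keywords = [k.lower() for k in keywords]
        self.domains = [d.lower().strip(".") for d in domains]
        self.blocked_from = _hhmm(blocked_from)
        self.blocked_until = _hhmm(blocked_until)
        self.trusted = {ip_address(ip) for ip in trusted_ips}

    def _in_blocked_window(self, now: time) -> bool:
        start, end = self.blocked_from, self.blocked_until
        if start <= end:                      # same-day window, e.g. 09:00 to 17:00
            return start <= now < end
        return now >= start or now < end      # overnight window, e.g. 21:00 to 07:00

    def decide(self, client_ip: str, url: str, now_hhmm: str) -> str:
        """Return 'allow' or a 'block (...)' string naming the rule that fired."""
        if ip_address(client_ip) in self.trusted:
            return "allow (trusted host)"
        if self._in_blocked_window(_hhmm(now_hhmm)):
            return "block (outside allowed hours)"
        host = (urlparse(url).hostname or "").lower()
        for d in self.domains:
            # exact match or a subdomain; "notexample.test" must not match "example.test"
            if host == d or host.endswith("." + d):
                return f"block (domain {d})"
        lowered = url.lower()
        for k in self.keywords:
            if k in lowered:
                return f"block (keyword {k!r})"
        return "allow"


# Constructed sample policy and requests (not from the page).
SAMPLE_FILTER = ContentFilter(
    keywords=["gambling"],
    domains=["example-games.test"],
    blocked_from="21:00",
    blocked_until="07:00",
    trusted_ips=["192.168.1.2"],        # the parents' PC
)
SAMPLE_REQUESTS = [
    ("192.168.1.50", "https://www.example-games.test/play", "15:00"),
    ("192.168.1.50", "https://news.example.test/gambling-odds", "15:00"),
    ("192.168.1.50", "https://news.example.test/", "23:30"),
    ("192.168.1.50", "https://news.example.test/", "15:00"),
    ("192.168.1.50", "https://notexample-games.test/", "15:00"),
    ("192.168.1.2", "https://www.example-games.test/play", "23:30"),
]


def run_samples():
    """Decisions for the constructed requests, in order."""
    return [SAMPLE_FILTER.decide(ip, url, at) for ip, url, at in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (ip, url, at), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{at} {ip:14} {url:45} {verdict}")
```

The trusted-host check comes first so that the parents’ machine is never caught by the schedule, which mirrors the “Trusted IP addresses” option in the screenshot above.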

Update firmware

Your access device may not support the speeds you expect, or your service provider may offer new features that the device, wired or wireless, does not yet support. When increased performance and/or new features become available, the device manufacturer may have released updated firmware that supports them. Firmware upgrades are also provided to address problems with the device. In all of these cases you must be absolutely sure that you have recorded the make, model and serial number of the device, and that you clearly understand the manufacturer’s instructions for the process. Failure to follow the instructions could, as you know, render the device inoperative. Firmware updates are a one-shot deal with no “undo”, so unless you have the time and money to acquire a replacement, read the instructions carefully! Obtain the new firmware from the manufacturer ONLY. Do not obtain firmware from the Play Store, Windows Store or App Store, and certainly not from a freeware download site. Read the instructions again and perform the upgrade slowly and deliberately. You only get one chance. Below is most of the information you will need to perform the process.

Screenshot: Information for update

Physical security

We have covered almost everything; one critical point remains. We dealt with security, configuration and updates but not the physical security of the devices. The last point is to make sure that your equipment is safe from malicious parties, and even from blunderers who may push a button to see what it does! It can happen. Above all, avoid placement in public areas or locations where you cannot control guests’ or employees’ contact with the equipment. The hardware should be in an area that only authorized personnel can enter with a badge, key or combination lock. Always use a room with a locked door and limited access.

Well that will do it for objective 3.7 along with the entire Domain 3.0. Congratulations are in order! If you have followed these posts in sequence you have but only one domain left to cover, 4.0. It’s all downhill from here. Good luck on the test!
