Router/Firewall Configuration
SOHO routers combine multiple functions: router, firewall, switch, wireless AP, and sometimes DHCP/DNS. Default router security steps: Change the default admin username and password immediately — default credentials are published online and known to attackers. Update firmware: router firmware patches vulnerabilities; check the manufacturer's website regularly or enable auto-update. Change the default IP range: instead of 192.168.1.x (very common), use 192.168.10.x or 10.0.5.x — a minor deterrent to automated attacks. Disable UPnP (Universal Plug and Play): UPnP lets devices on the LAN open ports automatically — disable it to prevent malware from creating its own port forwarding rules. Disable remote management: turn off WAN-side management access (the admin web interface reachable from the internet) unless it is specifically needed. SPI (Stateful Packet Inspection) firewall: verify it is enabled — it drops unsolicited inbound traffic that does not belong to a connection started from inside.
Port Forwarding and DMZ
Port forwarding: rules that direct inbound traffic on specific ports to specific internal devices. Required for hosting services (web server, game server, IP camera remote access, NAS remote access). Security implications: every open port is an attack surface. Only forward ports that are absolutely necessary. Use non-standard ports when possible (minor obscurity benefit). Configure rules per service, not wide port ranges. DMZ (Demilitarized Zone): a configuration that exposes a single device to the internet without firewall protection. The router sends all unsolicited inbound traffic that no port forwarding rule matches to the DMZ host. Use case: devices that need many ports open (game consoles sometimes) or full exposure (dedicated web servers). Security risk: the DMZ host has no inbound firewall protection. Never put sensitive computers (workstations with personal data) in the DMZ. A proper enterprise DMZ uses two firewalls with a network segment between them — a SOHO DMZ is a simplified single-device exposure.
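As an added example that is not part of these notes, the following Python script audits a constructed router configuration against the checklist in the two sections above (default credentials, UPnP, WAN management, SPI firewall, DMZ host, wide port forwarding rules). The RouterConfig fields, the Forward rule layout and the default-credential list are assumptions about what a flattened router export would contain, not any vendor's real format.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of factory credentials; real lists are vendor-specific.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
WIDE_RANGE = 10  # a forwarding rule spanning more ports than this is flagged

@dataclass
class Forward:  # one port-forwarding rule: external port range -> internal host
    ext_from: int
    ext_to: int
    dest_ip: str
    proto: str = "tcp"

@dataclass
class RouterConfig:  # hypothetical flattened router export; field names are assumptions
    admin_user: str
    admin_pass: str
    upnp: bool
    wan_admin: bool
    spi_firewall: bool
    dmz_host: Optional[str] = None
    forwards: List[Forward] = field(default_factory=list)

def audit(cfg: RouterConfig) -> List[str]:
    """Return one finding per checklist item the configuration fails."""
    findings = []
    if (cfg.admin_user, cfg.admin_pass) in DEFAULT_CREDS:
        findings.append("default admin credentials")
    if cfg.upnp:
        findings.append("UPnP enabled")  # LAN malware could open ports on its own
    if cfg.wan_admin:
        findings.append("WAN management enabled")
    if not cfg.spi_firewall:
        findings.append("SPI firewall disabled")
    if cfg.dmz_host:
        findings.append(f"DMZ host {cfg.dmz_host} exposed")  # no inbound filtering at all
    for fw in cfg.forwards:
        span = fw.ext_to - fw.ext_from + 1
        if span > WIDE_RANGE:
            findings.append(f"wide forward {fw.ext_from}-{fw.ext_to}/{fw.proto} ({span} ports)")
        if fw.dest_ip == cfg.dmz_host:  # the DMZ host already receives everything
            findings.append(f"forward to DMZ host {fw.dest_ip} is redundant")
    return findings

# Constructed sample: a router left close to factory defaults.
SAMPLE = RouterConfig("admin", "admin", upnp=True, wan_admin=True, spi_firewall=True,
                      dmz_host="192.168.1.50",
                      forwards=[Forward(443, 443, "192.168.1.20"),
                                Forward(27000, 27100, "192.168.1.50", "udp")])
```

Running audit(SAMPLE) returns one line per failed item; a hardened configuration (unique credentials, UPnP and WAN management off, no DMZ host, single-port forwards) returns an empty list.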
DHCP and DNS Security
DHCP filtering: prevent rogue DHCP servers from handing out incorrect IP configuration. DHCP snooping (managed switches): only allow DHCP responses from trusted (authorized) ports. Disable DHCP on the router if a separate DHCP server is in use, so the two do not compete. Static IP assignments: critical network devices (servers, printers, cameras) should have static IPs or DHCP reservations — this makes firewall rules more reliable. DNS security: use reputable DNS servers (8.8.8.8, 1.1.1.1, 9.9.9.9). DNS over HTTPS (DoH): encrypts DNS queries in transit to prevent ISP monitoring and on-path DNS hijacking. DNS filtering/content filtering services (Cisco Umbrella, CleanBrowsing): block malicious domains at the DNS level — this stops malware from resolving the names of its C2 servers. DNSSEC: validates that DNS responses are signed by the zone's authoritative servers and haven't been tampered with.
Wireless Network Segmentation
Guest network: a separate Wi-Fi SSID with its own VLAN that is isolated from the primary network. Visitors connect to the guest network and cannot access internal devices (computers, NAS, printers). Essential for BYOD environments and when IoT devices are present. IoT network: create a third SSID/VLAN for smart home devices (smart TVs, cameras, thermostats, speakers) — IoT devices are notoriously poorly secured and should not be on the same network as computers. Network isolation: enable 'AP isolation' or 'client isolation' on guest/IoT networks — this prevents devices on the same SSID from communicating with each other. VLAN (Virtual LAN): logical network segmentation — assigns different traffic to different VLANs even on the same physical equipment. Requires a managed switch and a router that support VLANs (most consumer-grade equipment does not).
Content Filtering and Parental Controls
Router-level content filtering: many SOHO routers include built-in content filtering or parental controls. Categories: block adult content, social media, gambling, malware sites. DNS-based filtering: configure the router to use a filtering DNS service (OpenDNS, Cisco Umbrella) — all devices on the network benefit, as long as they use the router's DNS. Per-device filtering: most consumer routers allow per-device scheduling and content rules. Time restrictions: limit internet access for specific devices during specific hours. OpenDNS: free and paid DNS filtering service — filters by category and blocks malware/phishing domains. Pi-hole: free, open-source DNS sinkhole run on a Raspberry Pi or VM — blocks ads and malicious domains for the entire network at the DNS level. Application control: some routers can block specific applications (P2P, VPN bypass tools).