Transcript for:
SOHO Network Security Tips

If you've ever installed a wireless router or any type of small office/home office device, you'll notice that it has a default username and a default password. These defaults are necessary so that you can log in to the device the first time, but you should be sure to change those passwords after your first login. These devices usually have a single login, and that login has administrative access to the entire device. If someone does have access to this device and the default login is still active, they will effectively have full control. And even if someone doesn't know the default login, this information is very easy to find on the internet. There's a website, routerpass.com, that lists out all of these device models, their default username, and their default password.

Many of these all-in-one SOHO devices often have a number of security features. For example, you might be able to do content filtering or IP address filtering on the device. You usually have the option of setting an allow list so that nothing passes through the firewall except the things that you specify. This is obviously the most restrictive of the settings, because every IP address or website you'd like to visit needs to be added to the firewall. A more common implementation would be the deny list, where you're allowed to visit any site you'd like except for the ones that are specifically listed in the security policies. So there might be a list of URLs or IP addresses that you cannot visit, but everything else on the internet is effectively available.

These appliances that we install into our home office or small office have an operating system that also has to be maintained. This operating system is referred to as the firmware of the device, and this firmware is usually proprietary and comes directly from the manufacturer. These updates don't usually have the same frequency as something like Microsoft Windows, but any updates that get pushed out might have bug fixes, new features, or security patches. Just like your laptops and mobile phones, you'll also want to make sure that all of your SOHO appliances are up to date with the latest version of firmware, so make sure that your update processes include these devices, whether they are a router, a firewall, a switch, or any other device that you might be using.

Content filtering is a very good way to restrict what people can see in their browser. This is usually filtering information based on a specific URL, or it's based on a broad category of URLs that you might visit. For example, your content filtering might have a single URL that's pointing to a well-known gambling site, or you could set a broad website category that says "Deny all access to any website that is categorized as gambling." This is also a way that you can control the transfer of sensitive data in and out of your network, so you might want to set a content filter that restricts access to any of the file sharing websites that people commonly visit. We also see this being used to prevent things that are inappropriate from showing up on your screen at work, so if it's not for professional use, then you'll probably see it restricted in your content filtering security policy. And some content filters may allow you to visit a site, but they will scan all of the incoming data to make sure that no viruses or malware are allowed inside of your network.

In a small office/home office environment there's usually a single device that has multiple features, so it might be a router, a wireless access point, a switch, a content filter, and a firewall all in one device. Usually that one device is located somewhere close to the connection coming in from the internet service provider. In a small office you might have multiple devices, a number of servers, and other pieces of equipment, so all of that equipment might be stored behind a locked door or in a secure room. If you have a single wireless access point, having that device where your internet service provider line comes in may not be the most convenient location. For access points, you'd like to get them high in the air and in a central location so that everybody has equal access to that signal. You also have to think about how you might have to reboot that device, so if this is something that has to be managed directly on the box, you may not want to put it too high out of reach. If you are able to plan out where this will go and you're able to run the appropriate cables, you might be able to install it in a central location where everybody has easy access to the wireless network.

One of the challenges with these small office or home office devices is that there's not usually an IT technician who's available to do any type of configuration. This is why UPnP was created. This is Universal Plug and Play, a feature built into these small office routers that allows them to be configured using software that you're running as an application. This means we don't have to log in to the router and make configuration changes. We simply start an application on our local internal network, that application will communicate with your router, and using Universal Plug and Play it will make configuration changes to your router to allow inbound traffic to that application. From a security perspective, Universal Plug and Play is usually not turned on, because you don't want to have an application able to make configuration changes to inbound traffic on your router. This could cause significant security problems, so it's very common to disable Universal Plug and Play on all of these devices.

Some firewalls will support a configuration that includes a screened subnet. You might have heard of this referred to as a demilitarized zone, or DMZ. This is a network that you would connect to your firewall that's not part of your internal network where all of your private company information is. It's a completely separate subnet that is specifically designed for inbound traffic to your local services. So now you have this protected screened subnet where you can keep all of these publicly facing services, but still maintain an internal network that still has high security. For example, your local network might have a web server that's providing services for people on the internet, and you would put that web server into the screened subnet. Your internal network would still be available to support all of your local systems and keep all of your company data private.

These small office and home office routers become very important devices. Once you log in, you effectively have full control over what data is able to go from one network to another. For that reason, it's important to tightly control who has access to that device. You've certainly changed the default login for this device, but you also want to make sure that the password that you're using is a strong password, and if you're able to add additional multi-factor authentication, that would also provide additional security. Some devices also allow you to log in to a cloud-based service, which then grants you access to manage this device remotely. And some of these devices provide additional security controls by IP address, so you can define what IP addresses are able to connect to this device and log in to the management front end. As another best practice, you may want to make sure that any type of remote management is disabled so that no one is able to log in to this device from across the internet; you must be on your local network to be able to log in to the management front end of this device.

One thing that you might see often is a wireless network popping up in your list that has the default name of that particular device. For example, you might see a Linksys wireless network or a Netgear wireless network. This name that we see in our list of available wireless networks is referred to as an SSID. It stands for service set identifier, and it effectively is the name that we are associating with this wireless network. A good best practice would be to change the SSID from the default to something that is either not quite as obvious or might have more of a connection with your organization. And if you wanted to remove that wireless network from the pull-down list, you could disable the SSID broadcast. There's probably a configuration option within your wireless device that allows you to enable and disable the SSID broadcast. This is not a security control, because it doesn't prevent somebody from connecting to the network if they happen to know the name, but it does prevent the name from showing up in a list of other wireless networks. So this would be more for an administrative function than it would be for a security function. Sometimes you'll hear this referred to as security through obscurity: by making this process more obscure, you're trying to make the process more secure. In reality, of course, security through obscurity is not security at all.

There are a number of different ways to provide authentication access to these wireless networks. One of them is to simply have an open network: there's no authentication password needed, and anyone who is nearby can connect to that wireless network. This is the type of network that you might see if you're at a coffee shop or you've checked into a hotel. A more secure network might provide encryption and require you to provide additional credentials to connect to the wireless network. You can do this by using WPA2 or WPA3 for your encryption, and there is a method called a personal or PSK configuration that you might want to consider using. This is the type of configuration you often see in a home office, because the PSK is a pre-shared key; it's effectively a password that you give out to everyone who wants to access the wireless network. On an enterprise network, however, you would prefer that everyone use a separate username and password to gain access to the wireless network, and those credentials are often centralized on a directory service. You might see this configuration called WPA2 or WPA3 Enterprise, or 802.1X.

And if you are in an area with a lot of different access points, it might be difficult to find an available frequency. Many access points will automatically search for the best channel to use and use that instead of something that you might configure manually. This automatic configuration will also help if someone turns on another access point nearby: your access point will recognize that additional frequencies are in use, and it will adjust to find the best frequencies for your particular network. In many of these SOHO routers you'll notice that a guest login may be enabled by default. This is usually provided for convenience, so that anyone can plug in this access point and immediately have multiple people connecting to the network. But from a security perspective, you probably don't want anyone being able to connect to your local wireless network. You could add some additional security and use the guest network for other devices, such as an Internet of Things network or a lab network. This would allow you to keep those devices off of your main network but still provide those devices with access to the internet. And regardless of what you're implementing, you should always enable security on these networks. For a network at home or a network at your company, you should at a minimum be using WPA2, and ideally WPA3.

As a security professional, when I walk into a conference room I'm looking around immediately to see what jacks might be available in the wall for me to plug into. You'll often see these in break rooms or open areas, where there's an RJ45 jack in the wall that connects to a set of switches in the main closet. A good security best practice is to disable any interfaces where something is not currently connected. That way I can't walk into your conference room, plug into your RJ45 connection, and immediately have access to all of the devices on your local network. You could even take this a step further and enable 802.1X on these networks. We often refer to this as network access control. With 802.1X you're presented with a login screen before you're able to connect to the network. This is a very common configuration on wireless networks, but you can also apply 802.1X to wired networks as well.

In the network configuration of your SOHO router you might see an option for port forwarding. This is a way for you to allow devices on the internet to gain access to services that are on the inside of your network. For example, you could turn on a web server on the inside of your network, create a port forwarding rule, and now anyone on the internet would be able to traverse your firewall to gain access to that web server. There are usually three or four pieces of information that are required to create a port forward. One would be a private IP address, so in our example this would be the IP address that we're using internally for our web server. Then we would have a port number that you would access publicly; that's on the outside of the firewall. And then you would have a port number that is used to communicate internally to that web server. Sometimes these are the same port number, but you could also make these different port numbers as well. On larger enterprise devices we refer to this as a destination NAT or a static NAT. This is translating or converting a public IP address to a private IP address on the inside of your network. Another important consideration is that when you create a port forward, that port forward is always available 24 hours a day, 7 days a week. That's different than Universal Plug and Play, where the port forward may only be active while the application is running, and when you close the application the port forward is automatically disabled. With a statically configured port forward in your firewall, that access is available always.

So here is our SOHO router, and it's connected to a couple of switches. You can see on our internal network we have our internal web server; there's a laptop and other devices that are on the network as well. We would like to give people on the internet access to the web server that's on the inside of our network, but people on the internet are not able to connect to a private IP address that's inside of our firewall. Instead, we're going to create a port forward configuration that says if anybody connects to our public IP address, which is 66.20.14, translate that IP address to 192.168.3.22. You can see that's the IP address of our internal web server. So a user on the internet will communicate directly to 66.20.14. Once that reaches our router or firewall, that device will look at the conversion table and see that anything inbound to 66.20.114 should be translated to 192.168.3.22. It performs the translation inside of that device and sends the traffic to the internal web server. A port forward is going to open up holes in your firewall and make your network less secure. This may or may not be the objective that you're looking for, so make sure that you know exactly what you'd like to configure in the port forward and that you're using the appropriate security for this connection.
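As an added illustration, not part of the original transcript, the Python model below implements the port forwarding table described above: a hand-configured (static) forward for the internal web server that stays open until removed, a UPnP-style forward that exists only while the requesting application holds it, and the destination NAT lookup the router performs on inbound traffic. The public address 192.0.2.10 and the second LAN host 192.168.3.40 are constructed values; 192.168.3.22 is the web server from the transcript.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ForwardRule:
    public_port: int    # port a client on the internet connects to
    private_ip: str     # internal host the traffic is translated to
    private_port: int   # port the service listens on internally (may differ)
    static: bool        # True: configured by hand, always on; False: UPnP lease

class SohoRouter:
    """Toy model of inbound port forwarding (destination NAT) on a SOHO router."""
    def __init__(self, public_ip: str, upnp_enabled: bool = False) -> None:
        self.public_ip = public_ip
        self.upnp_enabled = upnp_enabled          # best practice: leave disabled
        self.rules: Dict[int, ForwardRule] = {}   # keyed by public port

    def add_static_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        # Administrator-configured rule: open 24x7 until someone removes it by hand.
        self.rules[public_port] = ForwardRule(public_port, private_ip, private_port, static=True)

    def upnp_request(self, public_port: int, private_ip: str, private_port: int) -> bool:
        # An application on the LAN asks the router to open a port for it.
        # Refused outright when UPnP is disabled; never overrides an existing rule.
        if not self.upnp_enabled or public_port in self.rules:
            return False
        self.rules[public_port] = ForwardRule(public_port, private_ip, private_port, static=False)
        return True

    def upnp_release(self, public_port: int) -> bool:
        # Application exits: its UPnP mapping goes away. Static rules are untouched.
        rule = self.rules.get(public_port)
        if rule is None or rule.static:
            return False
        del self.rules[public_port]
        return True

    def translate_inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        # Destination NAT lookup for a packet arriving on the WAN side.
        # None means no matching rule, so the firewall drops the packet.
        rule = self.rules.get(dst_port) if dst_ip == self.public_ip else None
        return None if rule is None else (rule.private_ip, rule.private_port)

    def exposed_services(self) -> List[Tuple[int, str, int, str]]:
        # Audit view: every hole currently open in the firewall and why it exists.
        return sorted((r.public_port, r.private_ip, r.private_port,
                       "static" if r.static else "upnp") for r in self.rules.values())
```

Running `exposed_services()` periodically against a real device's rule list is the same review the transcript recommends: every entry is a standing hole in the firewall and should have a known owner.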