A plus 1002 Sub-objective 2.10 – Given a scenario, configure security on SOHO wireless and wired networks. – Dumps4shared

A plus 1002 Sub-objective 2.10 – Given a scenario, configure security on SOHO wireless and wired networks.

Go back to A+ 220-1002 Domain 2.0 table of content

Welcome to ExamNotes by Dumps4shared! If you have been following up to this point, with A plus 1002 Sub-objective 2.10 you’ve reached the final sub-objective in Domain 2.0 of the CompTIA A+ Exam Objectives statement. In this section, we will look at the steps that can be taken to secure a wired or wireless network. We will begin by examining the elements of a network that are exclusively related to wireless networks. Next, we will discuss issues that are common to both wired and wireless networks. Enjoy!

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Wireless specific

Wireless networks are filled with potential security
compromises. The network signal can be detected by anyone with the hardware.
Often, casual non-malevolent users can be seen driving around until they pick
up a signal from an open wireless network so they can check their email! This
is a possibility since the access point’s owner may not recognize the
compromise. In addition, an open wireless network can be a free service offered
by a retailer or other service provider such as a CATV provider that also offers
Internet. Based on the service agreement, the Cable-provider owned router and
wireless equipment may provide a hotspot on the device.

Changing
default SSID

The Service Set Identifier (SSID) serves as the network name for
the wireless (WiFi) network. The default SSID is set at the factory and should
be changed during initial configuration of the network along with assignment of
a new password. All devices on the WiFi network must be able to identify this
device and must take the steps necessary to access it. This includes the
password, channel number, and encryption.

Setting
encryption

Encryption makes traffic unintelligible to outsiders and
insiders who don’t have the public key. Since being paired with 802.11x
wireless traffic, encryption methods have continuously evolved to stay ahead of
threats. Wireless encryption began with WEP (Wireless encryption Protocol)
which used a 40-bit key that was quickly compromised. WEP was later upgraded to
a 128-bit key however it was still vulnerable.

WPA (Wi-Fi Protected Access) was an interim solution implemented
to address the shortcomings of WEP. WPA can be used on legacy hardware,
requiring only software or firmware upgrades, and can be combined with
additional encryption standards such as TKIP (Temporal Key Integrity Protocol).
WPA2 is a more secure implementation of WPA that can use both TKIP and the more
advanced AES (Advanced Encryption Standard). The only drawback of WPA2 is that
users of legacy wireless interfaces will have to upgrade in order to use AES.
When configuring a router, it is wise to implement WPA2 with TKIP and AES in
order to allow devices that cannot support AES to fall back to TKIP.

In the image below, observe that based on the operating system
and the hardware, the encryption types available will vary.

Encryption Types by System

Disabling SSID
broadcast

By default, the router is configured to transmit its SSID every
few second during a process called broadcasting. It is recommended that this
feature be disabled for the purpose of network hardening since half of the
SSID/Passphrase security element will be provided otherwise. This is seen in
the image below on a Dual Band router using the 2.4 Ghz and 5.0 Ghz frequency
bands. The passphrase is obscured.

SSID and Passphrase

Antenna and
access point placement

The placement of the wireless access point and the wireless antenna are often overlooked by users since bandwidth is prioritized and other important issues, such as eavesdropping and interference, are often ignored. Interference occurs where two or more WAPs/Routers create overlapping but dissimilar transmission ranges. Regarding eavesdropping, consider that wireless devices are two-way radios with varying coverage areas which depend on the 802.11 protocol used and the physical environment.  Envision a circular area, representing the effective range, which extends from the WAP or Router. By picturing this circular area, it is easy to visualize why an access point should be placed in a location where it can reach all the required locations in the space.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

It is usually best to place the WAP or Router in the center of the desired area since this will provide comprehensive coverage and will reduce the possibility of compromise from outsiders. A WAP or Router placed in a corner or close to a wall will make only ¼ or ½ of the range available to the users. If the WAP or Router is placed adjacent to another business entity or family, the remainder of the range is “bleeding” (escaping) into unintended areas, making them subject to compromise. Also in an office or apartment building with multiple access points, signals can overlap each other, likely causing interference on both networks. The judicious placement of wireless transmission devices reduces the probability of both security and operational issues while providing the required coverage.

Radio power levels

In addition to carefully selecting the location of the WAP or
Router, control the size of the coverage range by adjusting the power of the
transmitting radio. This simple step will help avoid the pitfalls of having wireless
data subject to compromise.

WPS

In order to streamline the wireless setup process and help the
less technically-inclined user establish wireless connections, the WPS (Wi-Fi
Protected Setup) standard was implemented. This standard reduces the time and
effort required to perform an initial connection, or recover a lost connection,
down to a simple push of a button. Once initiated, WPS puts the WAP/router into
WPA Personal or WPA2 Personal security mode and briefly makes the SSID and
Passphrase (Key) available.

Change default usernames
and passwords

All network hardware such as routers, switches, and WAPs utilize
usernames and passwords (passphrases) to authenticate users and allow
configuration of the devices. Since the device needs to be setup for immediate use,
the factory sets default username/password combinations that are widely known
and easily compromised. Combat this by changing these values immediately. Shown
below is a wireless gateway with the default username displayed. In this case,
it’s “admin” which is not an effective configuration to put it mildly. Before
you decide that administrator is better, please try again!

Default username

Enable MAC filtering

Every network device is assigned a globally unique 48-bit
hexadecimal MAC (Media Access Code) address embedded in the firmware. The
uniqueness of this address, better than IP addresses, makes it a very specific
method of blocking or permitting the device. In most cases, allow devices in a
specific IP address range in order to manage traffic on a specific subnet.

Assign static
IP addresses

In the vast majority of cases, IP addresses are assigned
automatically by DHCP. This protocol provides noticeable savings in time and
effort while efficiently managing and assigning addresses from the available
address pool. DHCP addresses may change periodically and keep in mind that
address changes do not have any impact on performance. Some devices such as Web,
File, and Print servers need to have a permanent network address in order to
reliably provide its particular service.  The image below shows a static
IP address assigned to a Document Server.

Static IP

Firewall
settings

Firewalls are a crucial component in a solid network defense
strategy. When configuring a firewall, set the level as strict as possible on
the hardware and then test the system and applications for proper operation. Software
firewalls, such as Windows Firewall or from a third-party protection suite, can
then be configured. This is shown below.

Using the Norton Firewall, the Specific UDP (DHCPV6-in) rule was
selected to Modify as seen in the top window. In the second window, the rule
behavior is allowed to be changed to Block, Monitor, or Allow.

Modify Firewall Rule

Port
forwarding/mapping

Port forwarding or mapping allows inbound IP addresses and port
numbers to be redirected on the internal network. This setting allows the
firewall to change the ports and addresses used by a service to any other available
port and address in order to foil attackers. In the screenshot below, TCP/UDP is
allowed to specifically assign Port 21 to the common FTP service (No change).
The port and address can be forwarded to any available port/address combination.

Port Forwarding

Disabling ports

After remapping or forwarding a port/address combination,
traffic on the previously configured port/address can be disabled.

Content
filtering / parental controls

Parental controls or content filters restrict specific traffic
based on keywords, URLs (Domains), or the time of day. Parental Control
settings can also allow Trusted IP addresses (The Parents) to access the
restricted content at will.

Parental Control

Update firmware

It is possible that the access device may not support the speeds
that are expected or may not have new features from the service provider, regardless
if it is wired or wireless. In these cases, the device manufacturer may have
updated firmware in order to increase performance and/or implement new features.
Firmware upgrades are also provided to address problems with the device. In all
of these cases, be absolutely sure that the make, model, serial number of the
device has been recorded. Be absolutely sure that the manufacturer’s
instructions regarding the firmware upgrade process is clearly understood.
Failure to follow the instructions could render the device inoperative.

Firmware updates are a one-shot deal and there is no “undo.” Unless
you have the time and money to acquire a replacement device, read the
instructions carefully! Obtain the new firmware from the manufacturer
ONLY. DO NOT obtain firmware from the Play Store, Windows
Store, or App Store and certainly do not obtain it from a freeware download
site. Read the instructions again and perform the upgrade slowly and
deliberately. There
will only be one chance. Shown in the screenshot below is most of the
information that will be needed to perform the firmware update.

Information for update

Physical
security

We covered almost everything, however one critical point remains. We have dealt with security, configurations, and updates but not the physical security of the devices. Make sure that your equipment is safe from malicious parties and even troublemakers who may push a button to see what it does! It can happen.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Avoid placing equipment in public areas or locations where a
guest’s or employee’s contact with the equipment can’t be controlled. Hardware
should be in an area protected by a badge, key, or combination lock where only
authorized personnel can enter. Always place equipment in a room with a
locked door and limited access.
Well, that will do it
for objective 2.10 and that concludes the entire Domain 2.0. Congratulations
are in order and it’s downhill from here.
Good luck on the test!

Pass Your IT Certification Exams With Free Real Exam Dumps and Questions

Full Version 220-1002 Dumps

Tagged ,