This chapter covers SOHO (Small Office/Home Office) network security for the CompTIA A+ Core 2 (220-1102) exam, focusing on Objective 2.4: Given a scenario, configure a SOHO network security. Approximately 10-15% of the Security domain questions touch this topic, so mastering it is essential. You will learn the specific settings, default values, and common misconfigurations that the exam tests, including wireless encryption, firewall rules, MAC filtering, and guest network isolation. This is not a theoretical overview—every detail here is directly examinable.
Imagine a small house with a single door (the router). You want to let family members (trusted devices) come and go freely, but you also want to allow specific guests (like a delivery person) to enter only the front hall (a specific port) and only at certain times. You install a lock with multiple deadbolts (firewall rules) that can be set to allow entry only to people with a specific key (IP address) or only during daytime (scheduled rules). You also set up a video doorbell (intrusion detection) that alerts you if someone tries to pick the lock (port scan). If a guest tries to force the door, you have a panic button (automatic blocking) that locks all deadbolts for 10 minutes. Inside, each room has a separate key (SSID/password for guest network) so that a guest in the living room cannot wander into the bedroom (isolated LANs). You also change the default locksmith code (default admin credentials) immediately after moving in, and you disable the old keyhole that was used for the previous owner's dog door (WPS). This house is your small office/home office network, and every security measure has a direct counterpart in router settings, firewall rules, and wireless configuration.
What is SOHO Network Security and Why Does It Exist?
SOHO network security refers to the configuration of a small network (typically a single router/switch/WAP combo device) to protect against unauthorized access, data breaches, and malware. Unlike enterprise networks with dedicated security appliances, SOHO devices combine routing, switching, wireless, and firewall functions into one box. The exam expects you to know how to secure this device and its connected clients.
Wireless Encryption and Authentication
The most critical setting is the wireless security mode. The exam tests these protocols:
- WEP (Wired Equivalent Privacy): Uses a static 40-bit or 104-bit key (often entered as 10 or 26 hex digits). It is deprecated because the RC4 cipher is easily broken in minutes with tools like aircrack-ng. The exam will ask: which is the least secure? Answer: WEP.
- WPA (Wi-Fi Protected Access): Uses TKIP (Temporal Key Integrity Protocol) with RC4. Still vulnerable to attacks like Beck-Tews. Not recommended.
- WPA2 (Wi-Fi Protected Access 2): Uses AES-CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). This is the minimum standard for the exam. The default is WPA2-PSK (Pre-Shared Key) with AES. The passphrase must be at least 8 characters (up to 63).
- WPA3 (Wi-Fi Protected Access 3): Uses the SAE (Simultaneous Authentication of Equals) handshake, replacing PSK. Provides forward secrecy and protection against brute-force attacks. The exam expects you to know that WPA3 is the most secure option available.
Default values: Most SOHO routers ship with WPA2-PSK [AES] enabled. The default SSID is often the manufacturer name (e.g., "Linksys") and the default admin password is often "admin". Both must be changed.
Firewall Settings
The SOHO router typically includes a stateful packet inspection (SPI) firewall. Key settings:
- SPI Firewall: Enabled by default. It tracks connection state and only allows incoming packets that are responses to outbound requests. The exam tests that you should never disable SPI unless troubleshooting.
- Port Forwarding: Maps an external port to an internal IP and port. For example, forwarding TCP 3389 to a PC's RDP service. The exam loves to ask: what is the risk of port forwarding? It exposes internal services to the internet. Use port triggering instead when possible.
- Port Triggering: Opens a port only when a specific outbound traffic pattern is detected. More secure than static port forwarding.
- DMZ (Demilitarized Zone): A single device exposed to the internet with all ports open. The exam warns: DMZ is a last resort and should only be used for devices that cannot work behind NAT. Never put a client PC in the DMZ.
- Content Filtering: Blocks URLs or keywords. Often uses DNS filtering (e.g., OpenDNS). The exam may ask about blocking categories like "adult" or "social networking".
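The three inbound-access mechanisms above, modelled as an added example (not any vendor's firmware): a small stateful filter that records outbound flows for SPI, applies a static port forward, and opens a triggered port only for the LAN host that sent the trigger and only for a limited window. The addresses, ports and the 6112 trigger rule are constructed, and NAT is assumed to preserve the LAN source port.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN host to internet, "in" = internet to the router's WAN side
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SohoFirewall:
    # Static port forwarding: external port -> (LAN host, LAN port). Always open.
    port_forwards: dict = field(default_factory=dict)
    # Port triggering: outbound destination port -> inbound port to open, only for
    # the LAN host that sent the trigger and only for trigger_ttl seconds.
    port_triggers: dict = field(default_factory=dict)
    trigger_ttl: int = 600
    clock: int = 0                                     # simulated seconds
    states: set = field(default_factory=set)           # SPI table of outbound flows
    open_triggers: dict = field(default_factory=dict)  # (proto, port) -> (LAN host, expiry)

    def process(self, pkt: Packet) -> tuple:
        """Return ("allow", lan_ip, lan_port) or ("drop", None, None)."""
        if pkt.direction == "out":
            # SPI: remember the flow so that only its reply is let back in.
            self.states.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            if pkt.dst_port in self.port_triggers:
                opened = self.port_triggers[pkt.dst_port]
                self.open_triggers[(pkt.proto, opened)] = (pkt.src_ip, self.clock + self.trigger_ttl)
            return ("allow", pkt.dst_ip, pkt.dst_port)
        # 1) Reply to a tracked outbound flow (NAT assumed to keep the LAN source port).
        for proto, rip, rport, lip, lport in self.states:
            if (proto, rip, rport, lport) == (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port):
                return ("allow", lip, lport)
        # 2) Static port forward: reachable by anyone on the internet, at any time.
        if pkt.dst_port in self.port_forwards:
            lip, lport = self.port_forwards[pkt.dst_port]
            return ("allow", lip, lport)
        # 3) Triggered port: reachable only while the trigger window is open.
        entry = self.open_triggers.get((pkt.proto, pkt.dst_port))
        if entry is not None and entry[1] > self.clock:
            return ("allow", entry[0], pkt.dst_port)
        return ("drop", None, None)


def demo() -> dict:
    """Scenarios from the text with constructed addresses (203.0.113.x = internet,
    198.51.100.2 = router WAN, 192.168.1.x = LAN); returns each verdict by name."""
    fw = SohoFirewall(port_forwards={3389: ("192.168.1.10", 3389)},  # the RDP forward from the text
                      port_triggers={6112: 6112})                    # constructed trigger rule
    wan = "198.51.100.2"
    r = {}
    # Port forwarding: an unsolicited RDP connection reaches the PC with no prior outbound traffic.
    r["forwarded_rdp"] = fw.process(Packet("in", "tcp", "203.0.113.7", 50000, wan, 3389))
    # Port triggering: the same kind of unsolicited hit on the triggered port is dropped...
    r["trigger_closed"] = fw.process(Packet("in", "udp", "203.0.113.8", 6112, wan, 6112))
    # ...until a LAN host sends the trigger; then the port opens, for that host only.
    fw.process(Packet("out", "udp", "192.168.1.20", 6112, "203.0.113.7", 6112))
    r["trigger_open"] = fw.process(Packet("in", "udp", "203.0.113.8", 6112, wan, 6112))
    # Once the window expires the port closes again.
    fw.clock += fw.trigger_ttl + 1
    r["trigger_expired"] = fw.process(Packet("in", "udp", "203.0.113.8", 6112, wan, 6112))
    # SPI: the reply to a LAN web request is allowed; an unsolicited packet from that server is not.
    fw.process(Packet("out", "tcp", "192.168.1.20", 51515, "203.0.113.9", 443))
    r["reply"] = fw.process(Packet("in", "tcp", "203.0.113.9", 443, wan, 51515))
    r["unsolicited"] = fw.process(Packet("in", "tcp", "203.0.113.9", 443, wan, 51516))
    return r
```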
MAC Filtering
MAC (Media Access Control) filtering is a whitelist or blacklist of MAC addresses allowed to connect. The exam highlights that MAC filtering is NOT a security measure because MAC addresses can be spoofed easily (e.g., using macchanger on Linux). It is only a minor inconvenience for attackers. The exam will ask: what is the biggest weakness of MAC filtering? Answer: MAC spoofing.
DHCP Settings
DHCP (Dynamic Host Configuration Protocol) assigns IP addresses to clients. Security-relevant settings:
- DHCP Lease Time: Default is 24 hours (1440 minutes). Shorter lease times reduce the window for stale entries but increase network traffic.
- DHCP Reservation: Maps a MAC address to a fixed IP. Useful for servers or printers. The exam tests that DHCP reservation is different from static IP configuration (which is set on the client).
- Disable DHCP: For networks with multiple routers, to avoid IP conflicts. Only one device should serve DHCP.
Guest Network Isolation
A guest network is a separate SSID that provides internet access but no access to the main LAN. The exam expects you to know:
Enable "Guest Network" or "Guest Access" on the router.
Configure a separate SSID (e.g., "Home_Guest").
Set a different password or use a captive portal.
Check the option "Allow guests to access my local network" — this should be UNCHECKED.
Some routers allow bandwidth limits per guest.
Firmware Updates
Router firmware is the operating system. The exam requires you to:
Check for updates on the manufacturer's support site.
Download the correct model and version.
Apply via the router's web interface (often under Administration > Firmware Upgrade).
Never interrupt the update (power loss bricks the router).
Enable automatic updates if available.
Physical Security
Change default admin credentials immediately.
Disable remote management (WAN administration) unless absolutely necessary.
Disable WPS (Wi-Fi Protected Setup) — it is vulnerable to brute-force PIN attacks (the PIN is 8 digits, easily cracked in hours).
Disable UPnP (Universal Plug and Play) — it allows devices to automatically open ports, often exploited by malware.
Common Misconfigurations
Using WEP or WPA-TKIP: Still seen in older devices. The exam will ask you to identify them as insecure.
Default SSID and password: Attackers can look up default credentials online (e.g., routerpasswords.com).
Open Wi-Fi: No encryption. Anyone can connect and sniff traffic. The exam says never use an open network without a captive portal.
Disabling firewall: To "speed up" the network. This is dangerous; instead, enable SPI.
WPS enabled: The PIN can be brute-forced in under a day. Disable it.
Verification Commands
On Windows:
- ipconfig /all — Shows IP config, MAC address, DHCP status.
- ping — Test connectivity.
- tracert — Trace route to internet.
- nslookup — DNS resolution.
On the router:
Check the status page for connected devices.
View logs for blocked attacks.
Check for open ports from inside the LAN (e.g., netstat -an on a host lists its listening ports).
Interaction with Other Technologies
SOHO security integrates with:
- DNS: Content filtering often uses DNS blacklists.
- VPN: Some SOHO routers support VPN servers (e.g., PPTP, OpenVPN) for remote access.
- IoT Devices: Many IoT devices only support WPA2; do not use WPA3 if compatibility is needed.
- Powerline Adapters: These extend the network but are not encrypted by default; use the security button on the adapters to encrypt traffic.
Exam Tips
The 220-1102 exam will present a scenario (e.g., "A small business wants to allow guests to use Wi-Fi but not access internal file shares"). You must select the correct configuration: enable guest network, disable local access. Another scenario: "A user's laptop cannot connect to Wi-Fi after changing the router password". The solution: update the Wi-Fi password on the laptop.
Remember the acronym SSID (Service Set Identifier) — it is the network name. PSK is the pre-shared key (password). TKIP is deprecated. AES is required for WPA2.
Default Values to Memorize
WPA2-PSK passphrase: 8-63 characters.
WEP key: 10 or 26 hex digits (64/128-bit).
DHCP lease: 24 hours default.
Router default IP: 192.168.0.1 or 192.168.1.1 (common).
Default admin: admin/admin or admin/password.
WPS PIN: 8 digits (vulnerable).
Step-by-Step Configuration
Connect to the router via Ethernet cable (not Wi-Fi) to avoid losing connection during changes.
Open a browser and enter the router's IP (e.g., 192.168.1.1).
Log in with default credentials (found on sticker).
Change admin password immediately under Administration.
Set wireless security to WPA2-PSK with AES. Choose a strong passphrase (at least 12 characters, mix of letters, numbers, symbols).
Change the SSID from default to something unique (not your name or address).
Disable WPS and UPnP.
Enable the firewall (SPI) if not already.
Configure guest network: enable, set SSID and password, ensure "Access internal network" is off.
Enable MAC filtering only if you understand its limitations (optional).
Update firmware to the latest version.
Disable remote management if not needed.
Test connectivity from a client.
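As an added example (not the page's or any vendor's code), the configuration steps above expressed as an audit over a router settings dictionary. The dictionary's key names and both sample configurations are constructed to mimic a router's settings export; firmware currency and client-side connectivity cannot be checked offline and are left out.

```python
# Constructed defaults the exam mentions: manufacturer SSIDs and shipped admin passwords.
DEFAULT_SSIDS = {"linksys", "netgear", "asus", "tp-link", "dlink", "default"}
DEFAULT_ADMIN_PASSWORDS = {"admin", "password", ""}
ACCEPTABLE_MODES = {"WPA2-PSK", "WPA3-SAE", "WPA2/WPA3"}


def audit(cfg: dict) -> list:
    """Return (code, advice) findings; an empty list means the checklist is satisfied."""
    findings = []
    adm, w, fw, guest = cfg["admin"], cfg["wireless"], cfg["firewall"], cfg["guest"]

    def flag(code, advice):
        findings.append((code, advice))

    # Change admin password immediately: shipped credentials are publicly known.
    if adm["password"].lower() in DEFAULT_ADMIN_PASSWORDS:
        flag("default-admin", "change the router admin password")
    # Disable remote (WAN) management unless needed.
    if adm["remote_management"]:
        flag("remote-mgmt", "disable remote management")
    # WPA2-PSK with AES is the minimum; WEP, WPA-TKIP and open networks fail outright.
    mode = w["security_mode"].upper()
    if mode not in ACCEPTABLE_MODES:
        flag("weak-mode", f"{mode} is insecure; use WPA2-PSK with AES or WPA3")
    elif mode.startswith("WPA2") and w.get("cipher", "").upper() != "AES":
        flag("tkip", "WPA2 must use AES (CCMP); TKIP is deprecated")
    pw = w["passphrase"]
    if not 8 <= len(pw) <= 63:
        flag("passphrase-length", "WPA2 passphrase must be 8-63 characters")
    elif len(pw) < 12:
        flag("short-passphrase", "passphrase is under 12 characters; lengthen it")
    # Change the SSID from the manufacturer default.
    if w["ssid"].lower() in DEFAULT_SSIDS:
        flag("default-ssid", "SSID is a manufacturer default; change it")
    # Disable WPS and UPnP.
    if w["wps_enabled"]:
        flag("wps", "disable WPS (PIN brute force)")
    if fw["upnp_enabled"]:
        flag("upnp", "disable UPnP (automatic port opening)")
    # Keep the SPI firewall enabled.
    if not fw["spi_enabled"]:
        flag("spi-off", "enable the SPI firewall")
    # A guest network only helps if it cannot reach the internal LAN.
    if guest["enabled"] and guest["allow_local_access"]:
        flag("guest-lan", "uncheck 'allow guests to access the local network'")
    return findings


# Constructed configurations: one roughly as a router ships, one after the checklist.
WEAK_CONFIG = {
    "admin": {"password": "admin", "remote_management": True},
    "wireless": {"security_mode": "WPA2-PSK", "cipher": "TKIP", "passphrase": "sunshine",
                 "ssid": "Linksys", "wps_enabled": True},
    "firewall": {"spi_enabled": False, "upnp_enabled": True},
    "guest": {"enabled": True, "ssid": "Linksys_Guest", "allow_local_access": True},
}
HARDENED_CONFIG = {
    "admin": {"password": "x7!Rq#2mVp$9Lz", "remote_management": False},
    "wireless": {"security_mode": "WPA2-PSK", "cipher": "AES", "passphrase": "blue-kettle-sings-at-9pm!",
                 "ssid": "Blue-Kettle", "wps_enabled": False},
    "firewall": {"spi_enabled": True, "upnp_enabled": False},
    "guest": {"enabled": True, "ssid": "Blue-Kettle_Guest", "allow_local_access": False},
}
```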
Common Pitfalls
Forgetting to apply changes after configuration (some routers require a reboot).
Using a passphrase that is too short or dictionary-based.
Enabling both 2.4 GHz and 5 GHz with different SSIDs (confusing for users). The exam says you can use the same SSID on both bands for band steering.
Not disabling SSID broadcast (security through obscurity — not effective). The exam says disabling SSID broadcast does not hide the network; tools like Kismet can detect it anyway.
Summary
SOHO network security is about configuring a single device to protect a small network. The 220-1102 exam focuses on wireless encryption (WPA2-AES minimum), firewall settings, guest isolation, and disabling vulnerable features (WPS, UPnP, remote management). Memorize default values and be able to identify the most secure option in a scenario.
1. Physically Connect and Access Router
Use an Ethernet cable to connect your computer to one of the LAN ports on the router. This ensures you do not lose connection when you change wireless settings. Open a web browser and enter the router's default IP address (commonly 192.168.0.1 or 192.168.1.1). If unsure, check the sticker on the router or run `ipconfig` on Windows to find the default gateway. You will be prompted for a username and password; use the default credentials (often admin/admin) unless changed. This step is the foundation for all subsequent configuration.
2. Change Default Admin Credentials
Navigate to the Administration or System section and locate the password change option. Enter a strong password (at least 12 characters with uppercase, lowercase, numbers, and symbols). Do not reuse the Wi-Fi password. This prevents unauthorized access to the router's settings. The exam tests that default credentials are a major security risk because they are publicly known. After saving, the router may prompt you to log in again with the new password.
3. Configure Wireless Security
Go to the Wireless settings page. Set the security mode to WPA2-PSK with AES encryption. Enter a strong passphrase (8-63 characters). Avoid common words or personal information. Change the SSID to something unique that does not identify you or the router model. Disable WPS (Wi-Fi Protected Setup) because the PIN method is vulnerable to brute-force attacks. Also disable SSID broadcast only if you understand it provides minimal security; the exam warns that hidden SSIDs are still detectable.
4. Enable Firewall and Disable Unused Services
In the Security or Firewall section, ensure SPI (Stateful Packet Inspection) firewall is enabled. Disable remote management (WAN administration) unless you need it. Disable UPnP (Universal Plug and Play) because it can be exploited by malware to open ports. Disable any other services like Telnet or SNMP if not used. Each disabled service reduces the attack surface. The exam expects you to know that these features are often enabled by default and should be turned off.
5. Set Up Guest Network
Find the Guest Network option (may be under Wireless or Advanced). Enable it and create a separate SSID (e.g., "Home_Guest"). Set a different password. Crucially, uncheck the option that allows guests to access the local network (often labeled "Allow access to local network" or "Allow guests to see each other"). This isolates guest devices from your main LAN. Some routers allow bandwidth limits; you can set a maximum speed for guests. Save and test from a guest device.
6. Update Firmware and Final Verification
Check for firmware updates in the Administration section. Download the latest version from the manufacturer's website (not through the router's auto-update if it is unreliable). Apply the update and do not power off the router during the process. After reboot, verify all settings: test wireless connectivity, ensure guest network cannot access LAN, confirm firewall is active by running a port scan from outside (use a tool like ShieldsUP!). Finally, document the new admin password and Wi-Fi credentials securely.
In a real-world SOHO environment, such as a dental office with 5 workstations and a guest waiting area, network security is critical to protect patient records (HIPAA compliance). The IT consultant configures a SOHO router (e.g., TP-Link ER605) with the following: WPA2-AES for the staff network, a separate guest SSID with a captive portal (for terms of service), and VLAN tagging to isolate guest traffic. The guest network is throttled to 10 Mbps to prevent bandwidth hogging. MAC filtering is used only as a secondary control for staff devices (with a whitelist), but the consultant knows it is not a security measure. The router's firewall logs are enabled and reviewed weekly. A common issue: a staff member brings a personal IoT device (Wi-Fi camera) that only supports WPA2, so the network cannot be upgraded to WPA3 until all devices are compatible.

Another scenario: a home office for a remote worker. The router is a consumer-grade ASUS RT-AX86U. The user enables the VPN server (OpenVPN) to access office resources. The security configuration includes: WPA2-AES, disabled WPS, disabled UPnP, and port forwarding for the VPN (UDP 1194). The user also sets up a DHCP reservation for the work laptop to ensure a stable IP. A frequent misconfiguration is leaving the default SSID (ASUS) and default admin password, which can be exploited by wardriving attackers. The solution: change both immediately.

In a larger SOHO (up to 50 devices), a Ubiquiti UniFi Gateway is used with VLANs for different departments. The exam does not test VLANs deeply, but the concept of network segmentation is important. The engineer configures a separate VLAN for IP cameras to prevent them from accessing the internet (only the local NVR). The firewall rules block inter-VLAN traffic except for specific ports.

Performance considerations: with many clients, the router's CPU may become a bottleneck; enabling hardware acceleration (NAT offloading) can help.
When misconfigured, symptoms include slow internet, inability to connect to certain services, or security breaches (e.g., a guest user accessing a file server because the guest network was not isolated). The key is to test each change and document the baseline.
The 220-1102 exam Objective 2.4 specifically tests your ability to configure SOHO network security features. The most common questions are scenario-based: you are given a small business requirement and must choose the correct settings. The exam loves to test:
Wireless encryption: Which is most secure? WPA3 > WPA2-AES > WPA-TKIP > WEP. Wrong answers often mix up TKIP and AES. Candidates choose WPA2-TKIP thinking it is secure because it has "2". Reality: TKIP is deprecated; AES is required.
Guest network isolation: The question will say "allow visitors to use Wi-Fi but not access internal computers." The correct answer is to enable guest network and disable "allow access to local network." Wrong answer: enable MAC filtering (does not isolate) or change the SSID (does not isolate).
Disabling vulnerable features: WPS, UPnP, remote management. The exam asks: "What should you disable to prevent brute-force attacks on the PIN?" Answer: WPS. Another: "What opens ports automatically and can be exploited by malware?" Answer: UPnP.
Default credentials: A question may ask: "What is the first step in securing a new router?" Answer: Change the default admin password. Many candidates answer "update the firmware"; that is also important, but it is not the first step.
MAC filtering: The exam will present a scenario where a user wants to restrict access by device address. The correct answer includes MAC filtering, but the follow-up question may ask: "What is the weakness?" Answer: MAC spoofing. Candidates often think MAC filtering is secure because it is hardware-based.
Firmware updates: The exam asks when to update firmware. Answer: when a security vulnerability is announced, not when the internet is slow.
DHCP settings: The exam may ask about DHCP reservation vs. static IP. Reservation is set on the router; static IP is set on the client. Wrong answer: they are the same.
Port forwarding vs. port triggering: Port forwarding always opens a port; port triggering opens only when triggered. The exam asks: which is more secure? Port triggering.
DMZ: The exam warns that DMZ exposes a device to the internet. Question: "What should you avoid using for a client PC?" Answer: DMZ.
SSID broadcast: Disabling SSID broadcast is not a security measure. The exam may ask: "Does hiding the SSID prevent attackers from seeing the network?" Answer: No, it is still detectable.
Edge cases: The exam may test that WPA3 is not backward compatible with WPA2 devices. If a device only supports WPA2, you cannot use WPA3. Also, some routers have a "WPA2/WPA3 mixed mode" — this is acceptable for compatibility.
How to eliminate wrong answers: Look for keywords. If the question asks about "strongest encryption," eliminate WEP and WPA-TKIP. If it asks about "isolating guests," eliminate any option that does not mention "guest network" or "disable local access." If it asks about "preventing PIN brute force," eliminate options like "change SSID" or "enable MAC filtering." The underlying mechanism is key: understand what each feature actually does at the packet level.
Always use WPA2-AES or WPA3 for wireless encryption; never use WEP or WPA-TKIP.
Change default admin credentials on the router immediately after first login.
Disable WPS, UPnP, and remote management to reduce attack surface.
Guest network must be enabled with 'allow access to local network' unchecked.
MAC filtering is not a security measure; it can be bypassed by spoofing.
Firmware updates should be applied promptly to patch vulnerabilities.
Port triggering is more secure than port forwarding because it only opens ports when triggered.
Default SSID and password are publicly known and should be changed.
DHCP reservation assigns a fixed IP via the router, not on the client.
Disabling SSID broadcast does not hide the network from determined attackers.
These come up on the exam all the time. Here's how to tell them apart.
WEP
Uses RC4 encryption with static 40-bit or 104-bit key.
Key can be cracked in minutes with tools like aircrack-ng.
No authentication mechanism; anyone with the key can connect.
Deprecated and not recommended for any use.
Default key length: 10 or 26 hex digits.
WPA2-AES
Uses AES-CCMP encryption with dynamic per-packet keys.
Considered secure; no practical attacks against AES-CCMP.
Uses 4-way handshake for authentication with PSK.
Minimum standard for SOHO networks (exam requirement).
Passphrase length: 8-63 characters.
Mistake
WPA2-TKIP is secure because it has '2' in the name.
Correct
WPA2 with TKIP is not secure; TKIP is deprecated. The exam requires WPA2 with AES (CCMP). TKIP uses RC4 and is vulnerable to attacks. Always choose AES for WPA2.
Mistake
MAC filtering provides strong security because it blocks unknown devices.
Correct
MAC addresses can be easily spoofed using tools like `macchanger` on Linux or by sniffing a valid MAC and changing it. MAC filtering is only a minor deterrent, not a security measure.
Mistake
Disabling SSID broadcast makes the network invisible to attackers.
Correct
The SSID is still broadcast in probe requests and can be detected by tools like Kismet or Wireshark. Disabling broadcast only hides the network from casual users, not from attackers.
Mistake
WPS is safe if you disable PIN method and use push-button only.
Correct
Even push-button WPS has vulnerabilities (e.g., some implementations have a 30-second window that can be exploited). The exam advises disabling WPS entirely.
Mistake
UPnP is convenient and does not affect security.
Correct
UPnP allows devices to automatically open ports on the router, which can be exploited by malware to create backdoors. It should be disabled in SOHO environments.
WPA3 is the most secure, but if not available, use WPA2 with AES (CCMP). Avoid WEP and WPA-TKIP. The exam expects you to choose WPA2-AES as the minimum for security.
Log into the router, go to Wireless or Guest Network settings, enable the guest network, set a separate SSID and password, and ensure 'Allow access to local network' is unchecked. Some routers also allow bandwidth limits.
No, it does not provide real security because the SSID is still detectable. It only hides the network from casual users. The exam considers it a weak security measure.
Port forwarding permanently maps an external port to an internal IP/port. Port triggering opens the port only when specific outbound traffic is detected. Port triggering is more secure because it does not leave ports open constantly.
WPS has a PIN authentication method that can be brute-forced in a few hours (the PIN is 8 digits, but the last digit is a checksum, reducing entropy). Once cracked, the attacker can retrieve the WPA2 passphrase. Disable WPS.
Change the default admin password. Then update firmware, configure wireless security, and disable unnecessary services. The exam tests that default credentials are a critical vulnerability.
Yes, using the same SSID allows band steering, where clients automatically connect to the best band. This is recommended for simplicity. However, some older devices may have issues.