Small Office/Home Office (SOHO) networks have unique security challenges. CompTIA A+ 220-1102 tests router/firewall configuration, port forwarding, DHCP security, and guest network setup for SOHO environments. This guide covers every SOHO security concept in the A+ Core 2 objectives.
SOHO routers combine multiple functions: router, firewall, switch, wireless AP, and sometimes DHCP/DNS. Default router security steps: Change the default admin username and password immediately: default credentials are published online and known to attackers. Update firmware: router firmware updates patch vulnerabilities; check the manufacturer's website regularly or enable auto-update. Change the default IP range: instead of 192.168.1.x (very common), use 192.168.10.x or 10.0.5.x, a minor deterrent to automated attacks. Disable UPnP: UPnP (Universal Plug and Play) allows devices to automatically open ports; disabling it prevents malware from creating port forwarding rules. Disable remote management: turn off WAN-side management access (the web interface being accessible from the internet) unless specifically needed. SPI (Stateful Packet Inspection) firewall: verify it is enabled, since it drops unsolicited inbound traffic.
Port forwarding: rules that direct inbound traffic on specific ports to specific internal devices. Required for hosting services (web server, game server, IP camera remote access, NAS remote access). Security implications: every open port is an attack surface. Only forward ports that are absolutely necessary. Use non-standard ports when possible (minor obscurity benefit). Configure per-service, not wide ranges. DMZ (Demilitarized Zone): configuration that exposes a single device to the internet without firewall protection. Router sends all inbound traffic to the DMZ host. Use case: devices that need many ports open (game consoles sometimes) or full exposure (dedicated web servers). Security risk: the DMZ host has no inbound firewall protection. Never put sensitive computers (workstations with personal data) in the DMZ. A proper enterprise DMZ uses two firewalls with a network segment between them — SOHO DMZ is a simplified single-device exposure.
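The router hardening steps and the port forwarding/DMZ guidance above can be checked mechanically against an exported configuration. The following is an added example, not part of the original guide; the config field names, the list of factory logins and the 10-port cut-off for a "wide range" are assumptions made for illustration.

```python
# Constructed sample export; field names are hypothetical, not a vendor format.
SAMPLE = {
    "admin_user": "admin", "admin_password": "admin",
    "upnp": True, "wan_management": True, "spi_firewall": False,
    "dmz_host": "192.168.10.25",
    "sensitive_hosts": ["192.168.10.25"],   # workstations holding personal data
    "port_forwards": [
        {"name": "camera", "ext_ports": "8443", "to": "192.168.10.40"},
        {"name": "games", "ext_ports": "20000-30000", "to": "192.168.10.50"},
    ],
}
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
MAX_PORTS_PER_RULE = 10   # assumed cut-off for a "wide range"

def port_count(spec):
    """Number of ports in '8443' or '20000-30000'; rejects malformed specs."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return hi - lo + 1

def audit(cfg):
    """Return finding codes, in checklist order, for one router config."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS:
        findings.append("DEFAULT_CREDENTIALS")
    if cfg["upnp"]:
        findings.append("UPNP_ENABLED")
    if cfg["wan_management"]:
        findings.append("WAN_MANAGEMENT_ENABLED")
    if not cfg["spi_firewall"]:
        findings.append("SPI_DISABLED")
    dmz = cfg.get("dmz_host")
    if dmz:
        # A DMZ host gets all inbound traffic; worse if it is a sensitive machine.
        sensitive = dmz in cfg["sensitive_hosts"]
        findings.append("DMZ_SENSITIVE_HOST" if sensitive else "DMZ_ENABLED")
    for rule in cfg["port_forwards"]:
        if port_count(rule["ext_ports"]) > MAX_PORTS_PER_RULE:
            findings.append("WIDE_PORT_RANGE:" + rule["name"])
    return findings

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code)
```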
DHCP filtering: prevent rogue DHCP servers from handing out incorrect IP configuration. DHCP snooping (managed switches): only allow DHCP responses from trusted (authorized) ports. Disable DHCP on the router if using a separate DHCP server. Static IP assignments: critical network devices (servers, printers, cameras) should have static IPs or DHCP reservations — makes firewall rules more reliable. DNS security: Use reputable DNS servers (8.8.8.8, 1.1.1.1, 9.9.9.9). DNS over HTTPS (DoH): encrypts DNS queries to prevent ISP monitoring and DNS hijacking. DNS filtering/content filtering services (Cisco Umbrella, CleanBrowsing): block malicious domains at the DNS level — blocks malware from communicating with C2 servers. DNSSEC: validates that DNS responses come from the authoritative server and haven't been tampered with.
Guest network: a separate Wi-Fi SSID with its own VLAN that is isolated from the primary network. Visitors connect to guest network — cannot access internal devices (computers, NAS, printers). Essential for BYOD environments and when IoT devices are present. IoT network: create a third SSID/VLAN for smart home devices (smart TVs, cameras, thermostats, speakers) — IoT devices are notoriously poorly secured and should not be on the same network as computers. Network isolation: enable 'AP isolation' or 'client isolation' on guest/IoT networks — prevents devices on the same SSID from communicating with each other. VLAN (Virtual LAN): logical network segmentation — assigns different traffic to different VLANs even on the same physical equipment. Requires managed switch and router that supports VLANs (most consumer-grade equipment does not).
Router-level content filtering: many SOHO routers include built-in content filtering or parental controls. Categories: block adult content, social media, gambling, malware sites. DNS-based filtering: configure router to use a filtering DNS service (OpenDNS, Cisco Umbrella) — all devices on the network benefit. Per-device filtering: most consumer routers allow per-device scheduling and content rules. Time restrictions: limit internet access for specific devices during specific hours. OpenDNS: free and paid DNS filtering service — filters by category, blocks malware/phishing domains. Pi-hole: free, open-source DNS sinkhole run on a Raspberry Pi or VM — blocks ads and malicious domains for the entire network at the DNS level. Application control: some routers can block specific applications (P2P, VPN bypass tools).
These questions are representative of what you will see on A+ exams. The correct answer and explanation are shown immediately below each question.
A SOHO user wants visiting clients to have internet access but not be able to access internal network resources. What is the best solution?
Explanation: A guest network creates a separate SSID with network isolation, preventing guest devices from accessing the primary network's resources while still providing internet access.
UPnP convenience comes at a security cost — malware can use UPnP to automatically open ports and expose your internal devices to the internet. For most home users, disabling UPnP and manually configuring port forwarding for specific needs (game servers, etc.) is safer. Many modern games and video calling apps work fine without UPnP.