- By Darril Gibson
- Objective 2.1: Identify types of network cables and connectors
- Objective 2.2: Categorize characteristics of connectors and cabling
- Objective 2.3: Explain properties and characteristics of TCP/IP
- Objective 2.4: Explain common TCP and UDP ports, protocols, and their purpose
- Objective 2.5: Compare and contrast wireless networking standards and encryption types
- Objective 2.6: Install, configure, and deploy a SOHO wireless/wired router using appropriate settings
- Objective 2.7: Compare and contrast Internet connection types and features
- Objective 2.8: Identify various types of networks
- Objective 2.9: Compare and contrast network devices and their functions and features
- Objective 2.10: Given a scenario, use appropriate networking tools
Objective 2.6: Install, configure, and deploy a SOHO wireless/wired router using appropriate settings
It’s very common for a small office home office (SOHO) to have a network with a wireless router used as the central networking device. Computers can connect to the wireless router to share resources on the network and for access to the Internet. Additionally, wireless routers commonly include wired connections and additional services for the network.
Exam need to know...
For example: What is a MAC? What is the benefit of MAC filtering?
For example: What is the default channel used for wireless? What channel(s) should you use instead for better performance?
Port forwarding, port triggering
For example: What is the difference between port forwarding and port triggering?
Built-in networking services
For example: What are the common services built into wireless routers? What should be enabled to automatically assign IP addresses?
For example: What is the SSID? What can be done to hide a wireless network from casual users?
For example: What is a DMZ? What computers would be placed in a DMZ?
Wired and wireless network interface cards (NICs) use media access control (MAC) addresses. MAC addresses are represented as six groups of two hexadecimal characters similar to this: 1A-2B-3C-4D-5E-6F. MAC addresses are burned into NICs and can be used to identify specific computers.
True or false? You can use MAC filtering on a wireless router to restrict access to only certain devices.
Answer: True. MAC filtering can be enabled on a wireless router with a list of the MAC addresses of authorized devices, so that only those devices can connect.
You can also use MAC filtering with wired routers. The router will block access to the network to all systems except for ones with the specifically allowed MAC addresses.
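The allow-list logic a router applies when MAC filtering is enabled, as an added example that is not part of the original text. The MAC addresses and the association attempts are constructed for this example; the point it adds to the paragraphs above is that MAC addresses arrive in several notations (colons, hyphens, no separator, mixed case), so a filter has to canonicalize them before comparing, or an authorized device typed in a different notation will be wrongly blocked.

```python
import re

# Constructed allow list for this example; these are not real devices.
ALLOWED_MACS_RAW = ["1A-2B-3C-4D-5E-6F", "00:11:22:aa:bb:cc"]

# Six hex pairs, separated by '-', ':' or nothing, in any letter case.
_MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})[-:]?"
    r"([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})[-:]?([0-9A-Fa-f]{2})$"
)


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to 'XX-XX-XX-XX-XX-XX'; raise ValueError if malformed."""
    match = _MAC_RE.match(mac.strip())
    if match is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(pair.upper() for pair in match.groups())


def build_allow_list(raw_macs) -> frozenset:
    """Normalize every configured MAC once so lookups are a simple set test."""
    return frozenset(normalize_mac(m) for m in raw_macs)


ALLOW_LIST = build_allow_list(ALLOWED_MACS_RAW)


def is_allowed(client_mac: str, allow_list=ALLOW_LIST) -> bool:
    """Router decision for one association request: True = admit, False = block."""
    try:
        return normalize_mac(client_mac) in allow_list
    except ValueError:
        return False  # malformed input is never an authorized device


def filter_requests(requests, allow_list=ALLOW_LIST):
    """Apply the allow list to a batch of requests; returns (mac, admitted) pairs."""
    return [(mac, is_allowed(mac, allow_list)) for mac in requests]


if __name__ == "__main__":
    # Constructed association attempts: authorized device, unknown device, garbage.
    for mac, admitted in filter_requests(["1a:2b:3c:4d:5e:6f", "DE-AD-BE-EF-00-01", "not-a-mac"]):
        print(f"{mac:20} -> {'allow' if admitted else 'block'}")
```

The filter is a convenience control for keeping casual devices off the network; it should sit alongside WPA2 with a strong passphrase rather than replace it, since a device's MAC address is a configurable value rather than a secret.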
Wireless protocols are associated with specific frequency bands, such as 2.4 GHz or 5.0 GHz. However, each of these bands is divided into several channels. While a wireless router will automatically pick one of these channels, it is possible to manually select a specific channel.
True or false? If channel 6 has excessive interference, you should select channel 5 or 7 to improve performance.
Answer: False. Channel 6 is usually selected by default. However, channels 5, 6, and 7 all overlap with each other, so interference on channel 6 will also affect channels 5 and 7.
If channel 6 has excessive interference, it’s recommended to select channel 1 or 11 instead. Channels 1, 6, and 11 do not overlap with one another.
Wireless networks in areas where multiple wireless networks are active frequently have performance problems due to interference from other networks. For example, an apartment complex might have several active wireless networks from different residents. You can eliminate interference with most networks by switching to channel 1 or 11.
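Why channels 1, 6, and 11 are the non-overlapping choice can be computed from the 2.4 GHz channel plan rather than memorized. The following is an added example, not part of the original text: it derives the overlap relationships from channel center frequencies (channel n is centered at 2407 + 5n MHz) and an assumed 22 MHz channel width, the original 802.11b figure; 802.11g/n channels are about 20 MHz wide and give the same 1/6/11 result. The channel range 1–11 reflects US regulations; other regions permit 12–13 (and Japan 14).

```python
# 2.4 GHz 802.11 channel plan. Channel n (1..13) is centered at 2407 + 5n MHz;
# channel 14 (Japan only) is centered at 2484 MHz. Assumed width: 22 MHz (802.11b).
CHANNEL_WIDTH_MHZ = 22
US_CHANNELS = range(1, 12)  # channels 1-11 are permitted in the US


def channel_center_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel in MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"no 2.4 GHz channel {channel}")


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_channels(channel: int, available=US_CHANNELS) -> list:
    """Channels whose signal is affected by interference on `channel`."""
    return [c for c in available if c != channel and channels_overlap(channel, c)]


def non_overlapping_plan(available=US_CHANNELS) -> list:
    """Greedy selection of a mutually non-overlapping channel set, lowest first."""
    chosen = []
    for c in available:
        if not any(channels_overlap(c, k) for k in chosen):
            chosen.append(c)
    return chosen


def best_alternative(noisy_channel: int, available=US_CHANNELS) -> list:
    """Channels you can move to that do not overlap with the noisy one."""
    return [c for c in available
            if c != noisy_channel and not channels_overlap(c, noisy_channel)]


if __name__ == "__main__":
    print("channels affected by interference on 6:", overlapping_channels(6))
    print("non-overlapping plan:", non_overlapping_plan())
    print("move from 6 to:", best_alternative(6))
```

Running it shows that interference on channel 6 also affects channels 2 through 10, that the only mutually non-overlapping set in the US plan is 1, 6, 11, and that from a noisy channel 6 the alternatives are 1 or 11, which is the recommendation in the text.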
Port forwarding, port triggering
Many wireless routers and firewalls support port forwarding and port triggering. These are two methods used to allow specific types of traffic through a router or firewall.
True or false? Port forwarding opens a specific incoming port after traffic is sent out on a different port.
Answer: False. Port forwarding forwards all traffic arriving from the Internet on a specific port to a specific internal IP address.
Port forwarding can be used to provide access to a system within a private network from the Internet. For example, all traffic coming in port 80 can be forwarded to a web server on an internal network.
Port triggering uses one outgoing port as a trigger to open a specific incoming port. For example, an application might send traffic out on port 3456 and receive traffic in on port 5678. A port trigger on the router or firewall will automatically open incoming port 5678 only when traffic is sensed going out of port 3456.
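The difference between the two mechanisms is easiest to see as state on the router: a forwarding rule is static, while a trigger rule only opens its inbound port after matching outbound traffic is seen, and closes it again later. The following simulation is an added example, not part of the original text; the rule classes, the `SohoRouter` model and the internal addresses are constructed here, using the port numbers from the paragraphs above (80 for the web server, 3456/5678 for the triggered application).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ForwardRule:
    """Static: anything arriving on external_port goes to internal_ip:internal_port."""
    external_port: int
    internal_ip: str
    internal_port: int


@dataclass
class TriggerRule:
    """Dynamic: outbound traffic to trigger_port opens inbound open_port to the sender."""
    trigger_port: int
    open_port: int


@dataclass
class SohoRouter:
    forwards: List[ForwardRule] = field(default_factory=list)
    triggers: List[TriggerRule] = field(default_factory=list)
    # inbound port -> internal host that most recently fired the trigger
    triggered_open: Dict[int, str] = field(default_factory=dict)

    def outbound(self, src_ip: str, dst_port: int) -> None:
        """Inspect outgoing traffic; fire any matching trigger."""
        for rule in self.triggers:
            if rule.trigger_port == dst_port:
                self.triggered_open[rule.open_port] = src_ip

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Decide where an unsolicited packet from the Internet goes; None = dropped."""
        for rule in self.forwards:                    # static forwarding wins
            if rule.external_port == dst_port:
                return (rule.internal_ip, rule.internal_port)
        if dst_port in self.triggered_open:           # dynamically opened by a trigger
            return (self.triggered_open[dst_port], dst_port)
        return None  # default: nothing from the Internet reaches the private network

    def expire_triggers(self) -> None:
        """Triggered ports close again after an idle timeout (modelled as one call)."""
        self.triggered_open.clear()


def port_demo() -> list:
    """Constructed scenario: web server on .10 port 80, app on .20 using 3456/5678."""
    router = SohoRouter(
        forwards=[ForwardRule(80, "192.168.1.10", 80)],
        triggers=[TriggerRule(trigger_port=3456, open_port=5678)],
    )
    results = []
    results.append(router.inbound(80))      # forwarded regardless of any outbound traffic
    results.append(router.inbound(5678))    # dropped: nothing has triggered it yet
    router.outbound("192.168.1.20", 3456)   # app on .20 sends out on 3456
    results.append(router.inbound(5678))    # now open, delivered to .20
    router.expire_triggers()
    results.append(router.inbound(5678))    # closed again after the timeout
    return results


if __name__ == "__main__":
    for step in port_demo():
        print("delivered to" if step else "dropped", step or "")
```

Note the two consequences that follow from the model: a forwarded port is reachable from the Internet at all times, so the internal host behind it must be hardened as if it were exposed, while a triggered port is only open while the application is active and is delivered to whichever host fired the trigger most recently.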
Built-in networking services
Hardware devices sold as wireless routers generally also include multiple services that are often enabled by default. This simplifies the setup of the internal network for users.
True or false? Wireless routers commonly include DHCP to assign IP addresses to internal devices.
Answer: True. Wireless routers include multiple services, including DHCP.
DHCP assigns a range of IP addresses to DHCP clients and also provides the IP address of the wireless router as each client’s default gateway. If desired, you can disable DHCP and manually assign IP addresses to internal systems.
If DHCP has been disabled, DHCP clients will assign themselves an APIPA address starting with 169.254. However, you can manually assign IP addresses and other TCP/IP configuration information for all internal clients. It takes more time, but it is possible.
DHCP can be configured to assign IP addresses for a limited range in a network, and other IP addresses in the range can be manually assigned. For example, you can have DHCP assign IP addresses in the range of 192.168.1.100 through 192.168.1.254 with a subnet mask of 255.255.255.0. You can then manually assign other IP addresses from 192.168.1.1 through 192.168.1.99.
It’s also possible to have addresses assigned based on their MAC addresses. For example, you can have DHCP always assign the same IP address to a printer. When the printer requests an IP address, the request includes the printer’s MAC address, and you can map this MAC address to a specific IP address in DHCP. This is known as a DHCP reservation.
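A small model of the DHCP behaviour described in the last three paragraphs (a pool covering part of the subnet, a reservation keyed by MAC address, and the APIPA fallback when no server answers), as an added example that is not part of the original text. The `DhcpServer` class, its `request` method and the MAC addresses are constructed for this example; the network values are the ones the text uses (192.168.1.0/24, pool .100 to .254, router .1).

```python
import ipaddress
import random
from typing import Dict, Optional


def _canon(mac: str) -> str:
    """Normalize a MAC so 'aa:bb:..' and 'AA-BB-..' compare equal."""
    return mac.strip().upper().replace(":", "-")


class DhcpServer:
    """Tiny model of a SOHO router's DHCP service: a pool, reservations, leases."""

    def __init__(self, network: str, pool_start: str, pool_end: str, gateway: str,
                 reservations: Optional[Dict[str, str]] = None):
        self.network = ipaddress.ip_network(network)
        lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.pool = [ip for ip in self.network.hosts() if lo <= ip <= hi]
        self.gateway = ipaddress.ip_address(gateway)
        self.reservations = {_canon(m): ipaddress.ip_address(ip)
                             for m, ip in (reservations or {}).items()}
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def _config(self, ip) -> dict:
        # The lease carries the mask and the router's address as default gateway.
        return {"ip": str(ip), "netmask": str(self.network.netmask),
                "gateway": str(self.gateway)}

    def request(self, mac: str) -> Optional[dict]:
        """Answer a client's request; None means the pool is exhausted."""
        mac = _canon(mac)
        if mac in self.leases:                       # renewing client keeps its address
            return self._config(self.leases[mac])
        if mac in self.reservations:                 # DHCP reservation by MAC
            ip = self.reservations[mac]
        else:
            in_use = set(self.leases.values())
            ip = next((c for c in self.pool if c not in in_use), None)
            if ip is None:
                return None
        self.leases[mac] = ip
        return self._config(ip)


def client_configure(server: Optional[DhcpServer], mac: str) -> dict:
    """What a client ends up with: a lease, or an APIPA address if no server answers."""
    offer = server.request(mac) if server is not None else None
    if offer is not None:
        return offer
    # APIPA: self-assigned 169.254.x.y (real hosts probe for a free one; random here)
    apipa = f"169.254.{random.randint(1, 254)}.{random.randint(1, 254)}"
    return {"ip": apipa, "netmask": "255.255.0.0", "gateway": None}


def dhcp_demo() -> list:
    # Constructed SOHO network from the text: pool .100-.254, router .1, printer reserved
    # at .50, which lies in the manually managed .1-.99 range outside the pool.
    server = DhcpServer("192.168.1.0/24", "192.168.1.100", "192.168.1.254", "192.168.1.1",
                        reservations={"AA-BB-CC-00-00-01": "192.168.1.50"})
    return [
        client_configure(server, "de:ad:be:ef:00:01"),   # first dynamic client -> .100
        client_configure(server, "AA-BB-CC-00-00-01"),   # printer -> reserved .50
        client_configure(server, "de:ad:be:ef:00:01"),   # renewal -> still .100
        client_configure(None, "de:ad:be:ef:00:02"),     # DHCP disabled -> 169.254.x.y
    ]


if __name__ == "__main__":
    for cfg in dhcp_demo():
        print(cfg)
```

The APIPA result has no default gateway, which is why a client that falls back to 169.254.x.y can talk to neighbours on the same link but not reach the Internet; seeing such an address on a client is the usual first sign that the router's DHCP service is disabled or unreachable.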
Other services commonly included in a wireless router include the following:
- Firewall. The firewall filters traffic in and out of a network. Traffic can be filtered based on IP addresses, MAC addresses, logical ports, and protocols. Most firewalls are configured to block all traffic except for traffic that is specifically allowed.
- Network Address Translation (NAT). NAT is a service that replaces private IP addresses used internally on a network with public IP addresses used on the Internet. The wireless router will have a single public IP address connected to the Internet, and all internal devices can share it when accessing the Internet.
- Basic Quality of Service (QoS). QoS is a group of technologies used to control traffic on a network by assigning different priorities to specific types of traffic. For example, it can give streaming video a lower priority than other types of traffic.
A primary step you need to take for wireless security is to select a secure encryption type such as WPA2, as described in Objective 2.4, “Explain common TCP and UDP ports, protocols, and their purpose”, earlier in this chapter. A strong passphrase should be used, and the passphrase should be kept secret. In addition to using WPA2 with a strong passphrase, there are some additional steps you can take.
True or false? You can enable SSID broadcast to prevent users from connecting to a wireless network.
Answer: False. You can disable service set identifier (SSID) broadcasts to prevent users from easily seeing and connecting to a wireless network.
The SSID is the name of the network, and you need to know the SSID when connecting any device. When SSID broadcast is enabled, the network is visible to anyone in range of the network, making it easier for users to select the network. When SSID broadcast is disabled, users need to type in the name manually.
True or false? WPS allows users to configure security by pressing a button or entering a personal identification number (PIN).
Answer: True. Wi-Fi Protected Setup (WPS) is a feature on some wireless routers, designed to make security configuration almost as easy as pressing a button. Unfortunately, WPS is vulnerable to attacks and not recommended for use.
A demilitarized zone (DMZ) is a buffer network that provides a layer of protection for an internal network and a device that can be accessed from the Internet. DMZs are also known as screened subnets, perimeter networks, or buffer networks and are typically created with two firewalls. One firewall routes traffic between the Internet and the DMZ. The second firewall routes traffic between the internal network and the DMZ.
True or false? Internet-facing servers are placed in a DMZ to provide a level of protection.
Answer: True. Any server that can be accessed from the Internet has an added layer of protection when it is placed in a DMZ.
On home networks, users might place a gaming server in the DMZ to protect it while still making the server accessible to other users through the Internet. In larger networks, mail servers and web servers are commonly placed in a DMZ.
Without a DMZ, Internet-facing servers would need to be placed directly on the Internet with a public IP address or within an internal network. Note that you can place an Internet-facing server in one of the following three locations:
- On the Internet. It has a public IP address and minimal protection. It is susceptible to a wide variety of attacks.
- Internal network. If the system is successfully attacked, the attacker might be able to access other systems on the internal network. That is, this presents additional risks to internal systems.
- DMZ. The Internet-facing server has a layer of protection against Internet attacks from the firewall between it and the Internet. The internal network has an additional layer of protection against a successful attack against the Internet-facing server.
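The two-firewall DMZ design described above can be checked as a policy: every flow between zones must be allowed by each firewall it crosses, and each firewall denies anything it has no rule for. The following evaluator is an added example, not part of the original text; the zone names, the rule sets and the ports (443 for a web server, 25 for a mail server) are constructed here to illustrate the three placements compared in the list above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"


# Outer firewall: between the Internet and the DMZ. (Constructed policy.)
OUTER_FW: List[Rule] = [
    Rule("internet", "dmz", 443, "allow"),   # public web server
    Rule("internet", "dmz", 25, "allow"),    # public mail server
    Rule("dmz", "internet", None, "allow"),
    Rule("lan", "internet", None, "allow"),
]

# Inner firewall: between the DMZ and the internal network. (Constructed policy.)
INNER_FW: List[Rule] = [
    Rule("lan", "dmz", None, "allow"),       # internal users/admins can reach DMZ hosts
    Rule("lan", "internet", None, "allow"),
    # Deliberately no "dmz" -> "lan" rule: a compromised DMZ host is contained.
]

# Which firewalls a flow must cross, in order, for each (source, destination) pair.
PATHS = {
    ("internet", "dmz"): [OUTER_FW],
    ("dmz", "internet"): [OUTER_FW],
    ("internet", "lan"): [OUTER_FW, INNER_FW],
    ("lan", "internet"): [INNER_FW, OUTER_FW],
    ("lan", "dmz"): [INNER_FW],
    ("dmz", "lan"): [INNER_FW],
}


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First-match evaluation with an implicit deny at the end of the rule list."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (None, port):
            return r.action == "allow"
    return False


def permitted(src: str, dst: str, port: int) -> bool:
    """A flow is permitted only if every firewall on its path allows it."""
    if src == dst:
        return True  # same zone: no firewall in the way
    return all(evaluate(fw, src, dst, port) for fw in PATHS[(src, dst)])


if __name__ == "__main__":
    checks = [("internet", "dmz", 443), ("internet", "dmz", 22),
              ("internet", "lan", 443), ("dmz", "lan", 445), ("lan", "dmz", 22)]
    for src, dst, port in checks:
        print(f"{src:>8} -> {dst:<8} port {port:<4}: {'allow' if permitted(src, dst, port) else 'deny'}")
```

The evaluator makes the list's third option concrete: the Internet reaches the DMZ only on the published service ports, the Internet never reaches the internal network directly, and even a fully compromised DMZ server has no allowed path into the internal network, because the inner firewall has no rule for it.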
Can you answer these questions?
You can find the answers to these questions at the end of this chapter.
- What type of address can you use to block network access for specific computers?
- What channel(s) should you use if your wireless network has excessive interference on channel 6?
- Where should you place a gaming server that needs to be accessible from the Internet but also needs protection?