A+ Core 2 · CompTIA 220-1202 V15 · Objective C2-2.10

Objective 2.10: Given a scenario, apply security settings on SOHO wireless and wired networks

  • Cert: CompTIA A+ Core 2 (220-1202) V15
  • Domain: 2.0 Security
  • Weight: Part of the 28% Security domain
  • Depth: Given a scenario, apply. The candidate must configure SOHO router security settings including passwords, filtering, firmware updates, physical placement, UPnP, screened subnets, secure management, and wireless-specific settings.

What this objective tests

You should be able to harden a SOHO router from factory defaults: change defaults, configure filtering, update firmware, set up the screened subnet, lock down management, configure wireless properly, and configure the firewall.

This objective pairs tightly with Core 1 obj 2.6 (SOHO router setup). 2.6 covered initial setup; 2.10 deepens the security configuration.

Key facts

Change default passwords:

  • The single most important step. Default credentials are on every scanner list.
  • Change the admin password during initial setup; rotate periodically (or use a password manager and a long random value).

IP filtering:

  • Block or allow specific IP addresses or ranges.
  • Use cases: block known-bad IPs, restrict admin interface access to specific source IPs, allow only office IPs to reach an internal service.

Firmware updates:

  • Apply vendor patches that fix known vulnerabilities.
  • Many SOHO routers reach EOL within 3-5 years; replace the hardware when the vendor stops patching.

Content filtering:

  • Block categories of websites (adult content, malware, gambling, etc.) at the network level.
  • Implemented via the router's built-in feature, OpenDNS/Cisco Umbrella/Cloudflare for Families DNS, or third-party content filtering appliances.

Physical placement / secure locations:

  • Router in a locked closet or rack, not in a public area.
  • Reset buttons on the router are reachable by anyone with physical access; a factory reset bypasses your admin password.

Universal Plug and Play (UPnP):

  • Lets devices/apps on the LAN open inbound ports automatically.
  • Convenience for game consoles, IoT, P2P apps. Security risk because compromised devices can punch their own holes through the firewall.
  • Disable on business networks. Echo of Core 1 obj 2.6.

Screened subnet (formerly DMZ):

  • Network segment that hosts services accessible from the Internet, isolated from the internal LAN.
  • Traffic flow: Internet > screened subnet (e.g., web server) > firewall > internal LAN.
  • SOHO routers often offer a "DMZ host" feature that exposes a single internal IP to the Internet; this is NOT a true screened subnet and should be avoided.

Configure secure management access:

  • Disable remote management (admin access from the Internet) unless absolutely required. If required, restrict by source IP and use VPN.
  • Use HTTPS for the admin web interface, not HTTP.
  • Strong admin password + 2FA where supported.

Changing the service set identifier (SSID):

  • Change from the vendor default (e.g., "Linksys") to something non-identifying. Don't use the company name (gives attackers context).

Disabling SSID broadcast:

  • Hide the SSID from broadcast beacons.
  • Security theater (devices still leak the SSID in association requests). Doesn't meaningfully stop attackers; creates UX friction. Generally not recommended.
  • Real security comes from WPA3 + strong passphrase.

Encryption settings (wireless):

  • WPA3 if all devices support it. WPA2/WPA3 transition mode for mixed environments. Never WPA-only or WEP.
  • Strong passphrase (16+ characters or use 802.1X enterprise auth).
  • Covered in detail in obj 2.3.

Configuring guest access:

  • Separate SSID for visitors, isolated from the main network.
  • Client isolation enabled (guests can't see each other or LAN resources).
  • Bandwidth throttled if needed.

Firewall settings (SOHO router):

  • Default: block inbound, allow outbound.
  • Most SOHO routers have a stateful firewall built into the NAT layer.

Disabling unused ports:

  • Physically disable unused Ethernet ports on the router/switch where possible.
  • Reduces attack surface from unauthorized device plug-in.

Port forwarding / mapping:

  • Open specific inbound ports to specific internal devices.
  • Use sparingly. Each forwarded port is potential attack surface.
  • Prefer VPN access over port-forwarded admin interfaces.

Common gotchas

  • Default admin/admin in production. Top SMB compromise vector. Change immediately.
  • Firmware never updated. Years of accumulated CVEs. Patch or replace.
  • UPnP enabled in business setting. Malware uses it to expose itself.
  • DMZ host = "single PC fully exposed." Some SOHO routers' "DMZ" is a single-IP forward of all traffic. Avoid; use port forwarding for specific services instead.
  • WPS still on. Default-on on many SOHO routers; PIN is brute-forceable. Disable.
  • Hidden SSID assumed secure. Adds nothing meaningful; creates UX issues.
  • Guest network "isolated" but reachable via router admin. Guest devices may still access the router web UI on the LAN IP. Lock down management to a restricted source.
  • Port forward to "any port" or to 0.0.0.0. Don't.

Real-world context

Hardening pass for a new SOHO router deployment:

  1. Power up; immediate priority is admin password change.
  2. Update firmware to latest stable.
  3. Set strong Wi-Fi credentials (WPA3 or WPA2/3 transition + strong passphrase).
  4. Create guest network with client isolation.
  5. Disable UPnP.
  6. Disable WPS.
  7. Disable remote admin (Internet-side admin access).
  8. Restrict admin interface to LAN, ideally a specific management VLAN or IP.
  9. Set up DNS-level content filtering if needed.
  10. Document config in the client's password manager / configuration management system.
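
The checklist above and the gotchas before it, expressed as an automated audit over a settings export. This is an added example, not part of the original study guide: the config key names, the sample values and the default-password list are hypothetical, and the passphrase check assumes pre-shared-key Wi-Fi rather than 802.1X.

```python
import ipaddress

# Constructed sample of exported router settings. The key names are
# hypothetical; real vendors each use their own export format.
FACTORY_LIKE = {
    "admin_password": "admin", "firmware_current": False,
    "wifi_security": "WPA", "wifi_passphrase": "coffee123",
    "wps": True, "upnp": True, "remote_admin": True,
    "admin_https": False, "admin_allowed_sources": ["0.0.0.0/0"],
    "guest_client_isolation": False, "dmz_host": "192.168.1.50",
    "port_forwards": [{"ext_ports": "1-65535", "dest": "192.168.1.20"},
                      {"ext_ports": "443", "dest": "192.168.1.30"}],
}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234"}  # illustrative, not exhaustive
FORBIDDEN_WIFI = {"WEP", "WPA"}  # the page's "never" list

def audit(cfg):
    """Return finding codes for every setting that breaks the checklist."""
    findings = []
    if cfg.get("admin_password", "") in DEFAULT_PASSWORDS:
        findings.append("default-admin-password")
    if not cfg.get("firmware_current", False):
        findings.append("firmware-outdated")
    if cfg.get("wifi_security", "WEP") in FORBIDDEN_WIFI:
        findings.append("weak-wifi-encryption")
    if len(cfg.get("wifi_passphrase", "")) < 16:
        findings.append("short-wifi-passphrase")
    for key in ("wps", "upnp", "remote_admin"):
        if cfg.get(key, True):  # a missing key is treated as enabled
            findings.append(key + "-enabled")
    if not cfg.get("admin_https", False):
        findings.append("admin-over-http")
    if not cfg.get("guest_client_isolation", False):
        findings.append("guest-not-isolated")
    if cfg.get("dmz_host"):
        findings.append("dmz-host-set")
    # Management access should be limited to specific private sources.
    for src in cfg.get("admin_allowed_sources", ["0.0.0.0/0"]):
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0 or not net.is_private:
            findings.append("admin-source-too-broad:" + src)
    # The "any port" / 0.0.0.0 gotcha: a forward that covers every port.
    for fwd in cfg.get("port_forwards", []):
        lo, _, hi = fwd["ext_ports"].partition("-")
        if (int(lo), int(hi or lo)) == (1, 65535) or fwd["dest"] == "0.0.0.0":
            findings.append("overbroad-forward:" + fwd["dest"])
    return findings

if __name__ == "__main__":
    for finding in audit(FACTORY_LIKE):
        print(finding)
```

The single-port forward of 443 in the sample passes the audit while the all-ports forward is flagged, which mirrors the guidance to forward specific services rather than expose a whole host.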

For SMB networks beyond single-router setups, look at:

  • Business firewall (Fortinet, SonicWall, Cisco Meraki) replacing the SOHO router for advanced features (deep packet inspection, IPS, VPN concentrator).
  • Separate VLANs for voice, data, guest, IoT.
  • 802.1X authentication on wired ports for high-security environments.
