SOHO SECURITY ARCHITECT

You are configuring a home network for a customer. The customer has requested the ability to access a Windows PC remotely, and needs all chat and optional functions to work on their game console.

INSTRUCTIONS:
Use the drop-down menus to complete the network configuration for the customer. Each option may only be used once, and not all options will be used.

[Interactive configuration panel (drop-down menus): LAN Infrastructure: Wireless AP, Router Config, ROUTER; DMZ Infrastructure: Screened Subnet, PC, Console; CONFIGURE DEVICE button]

Mission Debrief / Cut Sheet

Architecture Analysis

You have successfully deployed a secure network architecture featuring perimeter defense (Firewall/Router), internal segmentation (DMZ), and secure wireless access protocols. This configuration minimizes the attack surface while allowing necessary services.

Deep Dive: IP Addressing & NAT

To conserve public IPv4 addresses, **RFC 1918** defines private IP ranges that are not routable on the global internet. You must use these for internal networks (LANs):

  • Class A: 10.0.0.0 – 10.255.255.255
  • Class B: 172.16.0.0 – 172.31.255.255
  • Class C: 192.168.0.0 – 192.168.255.255

Role of NAT (Network Address Translation):
Since private IPs cannot travel over the internet, the router uses NAT to rewrite the source address of all internal traffic (from 192.168.x.x) to the single Public WAN IP (98.145.20.5) before it leaves the building, and it keeps a translation table so that replies can be mapped back to the device that sent the request. This allows multiple devices to share one internet connection.

Deep Dive: Port Forwarding

By default, a router's firewall blocks all unsolicited inbound traffic. To allow remote access to the PC, you configured a Port Forwarding Rule.

Configuration (GUI/CLI):
This is typically done in the Router's Web Interface under "Firewall", "NAT", or "Gaming" settings. You map an External Port (e.g., 3389) to an Internal IP (the PC's static IP) and Internal Port. The PC needs a fixed address (a static IP or a DHCP reservation), because a rule that points at an address which later changes silently stops working.

Why TCP 3389?
Microsoft's Remote Desktop Protocol (RDP) relies on TCP port 3389. If you had selected UDP, the connection handshake would fail. Other common ports include 80 (Web), 443 (Secure Web), and 22 (SSH). Keep in mind that a forwarded port is reachable from the whole internet, so a forwarded RDP service is only as strong as the Windows account passwords behind it; where the router allows it, restrict the rule to known source addresses, or reach the PC through a VPN instead.
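The NAT and port-forwarding behaviour described in the two Deep Dives above, modelled in Python as an added example (this is not part of the lab and not a real router's code): outbound LAN traffic is source-translated to the WAN IP and recorded in a connection table, inbound traffic is delivered only if it matches a recorded connection or an explicit forward rule, and everything else is dropped. The WAN IP 98.145.20.5 comes from the lab; the PC address 192.168.1.10, the remote hosts in 203.0.113.0/24 and the port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count

# The three RFC 1918 private ranges listed above, as CIDR blocks.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SohoRouter:
    """Toy model of a SOHO router: source NAT for outbound traffic, an explicit
    port-forward table for inbound traffic, and default-deny for anything unsolicited."""
    wan_ip: str
    forwards: dict = field(default_factory=dict)    # (proto, ext port) -> (lan ip, lan port)
    _conntrack: dict = field(default_factory=dict)  # (proto, wan port, remote ip, remote port) -> (lan ip, lan port)
    _ports: count = field(default_factory=lambda: count(40000))  # WAN-side ephemeral ports (constructed start value)

    def add_forward(self, proto: str, ext_port: int, lan_ip: str, lan_port: int) -> None:
        """Install a port-forward rule; the target must be a LAN (RFC 1918) host."""
        if not is_rfc1918(lan_ip):
            raise ValueError("forward target must be an RFC 1918 LAN address")
        self.forwards[(proto.lower(), ext_port)] = (lan_ip, lan_port)

    def outbound(self, pkt: Packet):
        """LAN -> internet: rewrite the source to the WAN IP and record the mapping."""
        if not is_rfc1918(pkt.src_ip) or is_rfc1918(pkt.dst_ip):
            return None  # only LAN-originated traffic bound for the internet is translated
        wan_port = next(self._ports)
        self._conntrack[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> WAN interface: the packet as delivered to the LAN, or None if dropped."""
        if pkt.dst_ip != self.wan_ip:
            return None
        # 1. Reply to a connection the LAN opened: undo the source NAT (full 4-tuple must match).
        lan = self._conntrack.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan[0], lan[1])
        # 2. Explicit port-forward rule: destination NAT to the configured LAN host.
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        # 3. Everything else is unsolicited inbound traffic and is dropped.
        return None


if __name__ == "__main__":
    # Constructed sample: the PC at 192.168.1.10 is reachable via TCP 3389; 203.0.113.0/24 plays the internet.
    router = SohoRouter(wan_ip="98.145.20.5")
    router.add_forward("tcp", 3389, "192.168.1.10", 3389)
    print(router.inbound(Packet("tcp", "203.0.113.7", 51000, "98.145.20.5", 3389)))  # delivered to the PC
    print(router.inbound(Packet("tcp", "203.0.113.7", 51000, "98.145.20.5", 22)))    # None: dropped
```

The full 4-tuple check in step 1 is what stops an unrelated host from sending packets into a mapping that a LAN device opened toward someone else; a real router's connection tracking does the same, and the forward rule is the only way an unsolicited packet ever crosses into the LAN.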

Wireless Security Standards

Security protocols have evolved to combat increasing computing power used to crack passwords. Here is a breakdown of the options:

1. WPA3 (Newest Standard)

Introduced in 2018, WPA3 mandates PMF (Protected Management Frames) and replaces the WPA2 pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), a password-authenticated key exchange. This prevents offline dictionary attacks, in which an attacker captures a handshake and tries to guess the password at leisure.

2. WPA2-AES (The Lab Solution)

WPA2 uses AES (Advanced Encryption Standard), a robust block cipher with 128-bit (Personal) or 256-bit (Enterprise) keys, to encrypt every frame between the client and the access point. While WPA3 is better, WPA2-AES is still considered secure for most home networks today, provided a strong passphrase is used: with WPA2 a captured handshake can be attacked offline, and the passphrase is what makes that attack impractical.

3. WEP & TKIP (Obsolete/Insecure)

WEP used the RC4 stream cipher with a static key, and its short initialization vectors repeat in normal traffic ("IV collisions"), which allows attackers to recover the key in minutes. TKIP was a temporary fix that kept WEP-era hardware in service, but it is also vulnerable. Modern routers often disable both by default.
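A small configuration audit that applies the breakdown above, written in Python as an added example (not part of the lab): it parses a hostapd-style access-point configuration and reports WEP, WPA1/TKIP, a missing AES (CCMP) cipher, SAE without Protected Management Frames, and a short WPA2 passphrase. The hostapd option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, ieee80211w, wpa_passphrase, wep_default_key, wep_key0) are real; the three sample configurations, the 12-character passphrase policy and the WEP key value are constructed.

```python
# Audit a hostapd-style AP configuration against the wireless baseline above.

MIN_PASSPHRASE_LEN = 12  # assumed local policy; WPA2-Personal itself only requires 8 characters


def parse_hostapd(text: str) -> dict:
    """Parse key=value lines of a hostapd.conf-style file; comments and blank lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wifi_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means WPA2-AES or WPA3 with no WEP/TKIP and PMF on."""
    findings = []
    wep = any(k.startswith("wep_") for k in cfg)   # any wep_* line means RC4 with a static key
    wpa = int(cfg.get("wpa", "0"))                  # hostapd: 1 = WPA1, 2 = WPA2/RSN, 3 = both
    if wep:
        findings.append("WEP configured: RC4 with a static key is crackable; remove all wep_* settings")
    if not wep and wpa == 0:
        findings.append("open network: no encryption configured")
        return findings
    if wpa & 1:
        findings.append("WPA1 allowed (wpa=1 or wpa=3): set wpa=2")
    ciphers = set((cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: use CCMP (AES) only")
    if wpa and "CCMP" not in ciphers:
        findings.append("no AES (CCMP) pairwise cipher configured")
    mgmt = set(cfg.get("wpa_key_mgmt", "").split())
    pmf = cfg.get("ieee80211w", "0")                # 0 = disabled, 1 = optional, 2 = required
    if "SAE" in mgmt and pmf == "0":
        findings.append("WPA3-SAE requires Protected Management Frames: set ieee80211w=2")
    if "WPA-PSK" in mgmt:
        pw = cfg.get("wpa_passphrase", "")
        if not 8 <= len(pw) <= 63:
            findings.append("WPA2 passphrase must be 8 to 63 characters")
        elif len(pw) < MIN_PASSPHRASE_LEN:
            findings.append(f"WPA2 passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
        if pmf == "0":
            findings.append("PMF disabled on WPA2: set ieee80211w=1 (or 2 if every client supports it)")
    return findings


# Constructed sample configurations (not from any real deployment).
WEP_AP = """
interface=wlan0
ssid=OldNet
wep_default_key=0
wep_key0=0123456789
"""

WEAK_AP = """
interface=wlan0
ssid=HomeNet
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=letmein1
"""

HARDENED_AP = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=1
wpa_passphrase=correct-horse-battery-staple-42
"""

if __name__ == "__main__":
    for name, text in (("WEP", WEP_AP), ("weak", WEAK_AP), ("hardened", HARDENED_AP)):
        print(name, audit_wifi_config(parse_hostapd(text)) or "OK")
```

The hardened sample is the lab's WPA2-AES choice: wpa=2 with CCMP only, a long passphrase and PMF enabled; switching it to WPA3 means wpa_key_mgmt=SAE with ieee80211w=2, which the audit also accepts.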

Security vs. Performance:
Historically, strong encryption (AES) required more processing power, slowing down old routers. Modern chips have Hardware Acceleration dedicated to AES, meaning there is virtually no speed penalty for using maximum security settings today.