SOHO SECURITY ARCHITECT: TERMINAL EDITION

You are configuring a home network for a customer. The customer has requested the ability to access a Windows PC remotely, and needs all chat and optional functions to work on their game console.

// INSTRUCTIONS:
1. Deploy: Drag PC to DMZ, Console to LAN.
2. Devices: Click PC/Console to set IP/Mask/Gateway via Terminal.
3. Router: Click Router to configure WAN (/30), DMZ (/26), and NAT via Cisco IOS.
4. AP: Use dropdowns for Wireless config.

[Interactive lab panel: topology diagram showing the Wireless AP (Wireless LAN), the Edge Router (Cisco console), the Screened Subnet / DMZ Zone (configured via Router CLI), the PC and Console devices to be placed, and a terminal session window.]

Available Parameters

WAN IP Addresses
  • 98.145.20.5 /30
  • 192.168.1.50 /24
  • 127.0.0.1 /8
  • 256.0.0.1

Router Interfaces
  • GigabitEthernet0/0
  • GigabitEthernet0/1

Gateway IPs (DMZ/LAN)
  • 10.100.0.1 /26
  • 192.168.10.1 /24
  • 169.254.5.10 /16
  • 127.0.0.1 /8
  • 240.5.5.1 /4

Device IPs
  • 10.100.0.55 /26
  • 192.168.10.55 /24
  • 10.5.5.55 /24
  • 169.254.12.55 /16
  • 240.10.10.5 /4

Port Forwarding
  • TCP 3389
  • UDP 3389
  • TCP 80
  • TCP 23
  • UDP 53
  • TCP 443

Mission Debrief / Answer Key

Architecture Analysis

You have successfully deployed a secure network architecture featuring perimeter defense (Firewall/Router), internal segmentation (DMZ), and secure wireless access protocols. This configuration minimizes the attack surface while allowing necessary services.

Deep Dive: IP Addressing & NAT

To conserve public IPv4 addresses, **RFC 1918** defines private IP ranges that are not routable on the global internet. You must use these for internal networks (LANs):

  • Class A: 10.0.0.0 – 10.255.255.255
  • Class B: 172.16.0.0 – 172.31.255.255
  • Class C: 192.168.0.0 – 192.168.255.255

Role of NAT (Network Address Translation):
Since private IPs cannot travel over the internet, the router uses NAT to translate all internal traffic (from 192.168.x.x) to the single Public WAN IP (98.145.20.5) before it leaves the building. This allows multiple devices to share one internet connection.

Cisco Configuration Breakdown

The following commands were required to configure the Edge Router correctly:

WAN Interface (IPv4 Conservation):

    interface GigabitEthernet0/0
     ip address 98.145.20.5 255.255.255.252
     ip nat outside
     ! the WAN side must be marked "outside" or the static NAT rule below has no effect

We use a /30 mask (255.255.255.252) for point-to-point WAN links to conserve public IP addresses. This block allows only 2 usable hosts (Router + ISP).

DMZ Interface (Segmentation):

    interface GigabitEthernet0/1
     ip address 10.100.0.1 255.255.255.192
     ip nat inside
     ! the DMZ side is the "inside" of the translation

The DMZ is configured with a /26 mask (255.255.255.192). This limits the subnet to 62 hosts, reducing the broadcast domain size compared to a full /24.

Port Forwarding (NAT):

    ip nat inside source static tcp 10.100.0.55 3389 interface GigabitEthernet0/0 3389

This rule tells the router: "Any TCP traffic hitting the WAN IP on port 3389 should be forwarded to the PC at 10.100.0.55".

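As an added check (example code written for this page, not part of the original lab), the following Python script validates the candidate addresses from the parameter list against the rules the debrief gives: a routable /30 for the WAN, RFC 1918 space for the gateways, devices on their gateway's subnet, and a static NAT target that is a real host on the DMZ subnet. The function names and the "addr /prefix" input form are assumptions of this example.

```python
# Added example, not part of the original lab: checks the lab's addressing
# choices with the standard ipaddress module, using the page's "addr /prefix" form.
import ipaddress

RFC1918 = [ipaddress.ip_network(n)            # the Class A/B/C private blocks
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(cidr):
    """Parse 'a.b.c.d /n'; return None for malformed input such as 256.0.0.1."""
    try:
        return ipaddress.ip_interface(cidr.replace(" ", ""))
    except ValueError:
        return None

def usable_hosts(cidr):
    """Hosts after removing network and broadcast: /30 -> 2, /26 -> 62."""
    iface = parse(cidr)
    return 0 if iface is None else max(iface.network.num_addresses - 2, 0)

def wan_ok(cidr):
    """WAN: a routable public address on a /30 point-to-point link."""
    iface = parse(cidr)
    if iface is None:
        return False
    a = iface.ip
    return (not any(a in net for net in RFC1918) and not a.is_loopback
            and not a.is_link_local and not a.is_multicast and not a.is_reserved
            and iface.network.prefixlen == 30)

def gateway_ok(cidr):
    """DMZ/LAN gateway must be RFC 1918; loopback, APIPA and 240/4 never are."""
    iface = parse(cidr)
    return iface is not None and any(iface.ip in net for net in RFC1918)

def device_ok(device_cidr, gateway_cidr):
    """Device must sit in the gateway's subnet and not be network/broadcast."""
    d, g = parse(device_cidr), parse(gateway_cidr)
    if d is None or g is None or d.network != g.network:
        return False
    return d.ip not in (g.network.network_address, g.network.broadcast_address)

def static_nat_ok(rule, dmz_gateway_cidr):
    """Check 'ip nat inside source static tcp <ip> <port> interface ...':
    RDP needs TCP 3389, and the target must be a host on the DMZ subnet."""
    p, g = rule.split(), parse(dmz_gateway_cidr)
    if g is None or len(p) < 8 or p[:5] != "ip nat inside source static".split():
        return False
    return (p[5] == "tcp" and p[7] == "3389"
            and device_ok(f"{p[6]} /{g.network.prefixlen}", dmz_gateway_cidr))
```

Run the distractor choices (192.168.1.50 /24 as a WAN address, 169.254.5.10 /16 or 240.5.5.1 /4 as a gateway, UDP instead of TCP in the NAT rule) through these functions to see exactly which rule each one breaks.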
Deep Dive: Port Forwarding

By default, a router's firewall blocks all unsolicited inbound traffic. To allow remote access to the PC, you configured a Port Forwarding Rule.

Configuration (GUI vs CLI):
This is typically done in the Router's Web Interface under "Firewall", "NAT", or "Gaming" settings. You map an External Port (e.g., 3389) to an Internal IP (the PC's static IP) and Internal Port.

Why TCP 3389?
Microsoft's Remote Desktop Protocol (RDP) relies on TCP port 3389. If you had selected UDP, the connection handshake would fail. Other common ports include 80 (Web), 443 (Secure Web), and 22 (SSH).

Wireless Security Standards

1. WPA3 (Newest Standard)

Introduced in 2018, WPA3 mandates PMF (Protected Management Frames) and uses SAE (Simultaneous Authentication of Equals) instead of the 4-way handshake. This prevents offline dictionary attacks where a hacker captures a handshake and tries to guess the password later.

2. WPA2-AES (The Lab Solution)

WPA2 uses AES (Advanced Encryption Standard), a robust block cipher with 128-bit (Personal) or 256-bit (Enterprise) keys. It creates a secure tunnel for data. While WPA3 is better, WPA2-AES is still considered secure for most home networks today, provided a strong password is used.

3. WEP & TKIP (Obsolete/Insecure)

WEP used the RC4 stream cipher with a static key, leading to "IV Collisions" that allow attackers to crack the password in minutes. TKIP was a temporary fix for WEP but is also vulnerable. Modern routers often disable these by default.

Security vs. Performance:
Historically, strong encryption (AES) required more processing power, slowing down old routers. Modern chips have Hardware Acceleration dedicated to AES, meaning there is virtually no speed penalty for using maximum security settings today.