Minor security improvements for the typical home network

Start with "some networking concepts explained for the non-techie", which explains the basic concepts you may find helpful here.

A typical home network setup

Let's start by looking at a typical home network after your local internet provider has set you up. It will have the following three components:

[Figure: typical basic home network]

1. the Internet

This is the huge network of networks out there where netflix.com and lululemon.ca live.

2. The magic box your ISP gave you - the ISP modem

If your home network has been set up by your ISP, it will typically look something like this.  

They will have provided you with a nifty box that has been configured to do three things for you:

  • be a modem, and connect your home network to the internet
  • be a router, and route traffic between your devices.  It will have some basic rules set up to hide your home devices from the internet, block unsolicited incoming traffic, and so on.  You can plug in a number of ethernet cables and the router will take care of letting things talk to each other.
  • be a Wireless Access Point or WAP, which creates your wireless network (wifi). 

Your ISP should have given you an IP address (usually 192.168.0.1) to connect to the modem and change its settings.  Type it into your browser's address bar and a login screen should appear; your ISP should also have given you the login information.

On the setting screen you can typically also give your wifi network a name, set up authentication for your wifi, and define some routing rules. 

3. Everything else: your devices

In most home networks all devices are connected to the network created by the ISP's modem.  That includes any visitor you have ever given the wifi password to, and your children's friends who were given wifi access.

Your smart TV can see all the traffic on your network, and provide data to the manufacturer.  Your smart Ring doorbell home security device can send all the videos it takes to the company.

And if your aquarium's smart filter ever gets compromised, it has access to everything.  If you turned on 'file sharing' on a device to play your music, and your smart TV gets compromised, or you click on the wrong thing on a website and download ransomware, you will lose everything: all your data on all your devices is encrypted and you may never get it back (even if you pay!!)

So what can you do to make this slightly more secure?

  1. Change the default password on the ISP modem
    And keep track of it, preferably in a password manager: an application created for storing passwords.  Writing it down also works, and remember that someone would have to be in the house to be able to read it.  Of course, paper is also easily lost or recycled by accident, so...  Do your risk analysis and know yourself!  Are you the kind of person that usually loses slips of paper?  Are you more likely to forget the password to your password manager?  Do you not trust technology and would keep a default password if someone said you could only use a password manager?  Change the password and store it in whichever way works for you.
  2. Back up your data regularly.  For instance, buy a hard-disk caddy and a number of external hard disks.  Create a backup, and disconnect the caddy.  That way, should you get hit by ransomware, this data is safe (as long as it is not connected, the ransomware cannot encrypt it).  Make sure you don't reconnect it until you have wiped the ransomware.  Having an external backup also allows you to store it somewhere else in case of fire or flood.
  3. Set up your wifi with a hard-to-guess but easy-to-remember long (>10 characters) password, and set it up with the WPA2 protocol.  You can use a sentence!  Or a few words together!
  4. Do put a password on your wifi, do require a login
  5. Create two wifi networks, one for trusted devices and one for non-trusted.  Note that this just gives you two different names and logins for what is still really the same network if you are using your ISP modem to do this.  However, this way you're not giving out your primary password to all your guests, so that is a good thing!
  6. Remember that all your devices are on the same network and can see each other.  Wherever you enable any sharing (file sharing, etc.), keep the access as specific as possible.  For instance, enable file sharing only for specific devices, and with a username/password.  Don't set your devices to be discoverable.  Don't turn on anything on a device unless you really need it.  Turn off wifi, bluetooth, anything you don't need.
  7. Educate yourself.  Even your ISP modem provides basic security through NAT (network address translation).  It is good to understand that NAT only lets traffic in that is a reply to a connection initiated by a device already on the internal network.  Internal devices are not directly addressable from the internet.
  8. For certain applications to work, especially games, you may need to set up port forwarding.  This means that you allow a connection from the internet on a specific port to be redirected to an endpoint (device, computer) on the internal network, perhaps on a different port.  This lets that device 'talk' back and forth with a game provider.  When you set this up, be as specific as possible about the ports you're allowing this for.  Avoid a range wherever possible.  Look up the minimum needed for the specific application, and only allow that.
  9. Turn off UPnP if it is on!!  Universal Plug and Play lets any device on your network open ports in the modem by itself; it is not needed, and has significant vulnerabilities.
  10. Make sure the administration interface is not available from the WAN, so someone outside, on the internet, cannot get into your modem and change the settings.  Turn off this configuration setting; it should be off by default, but check!!
  11. Keep your firmware (of all your devices) up to date - look up the instructions.  This makes sure that if there were issues or vulnerabilities, you get an updated and fixed version.
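To make steps 7 and 8 concrete, here is an added example (not from the original post) of how the modem's NAT decides what is allowed in, plus a small check for port-forwarding rules that open a range instead of a single port. It is a toy model: the addresses, ports and the game-console rule are constructed, and it leaves out the NAT timeouts and the remote-endpoint checks real routers also apply.

```python
"""Toy model of the NAT and port-forwarding behaviour described in steps 7 and 8.
Added example, not code from the post; all addresses and ports are constructed."""
from dataclasses import dataclass, field

LAN_PREFIX = "192.168.0."   # the modem's internal network, as in the post
WAN_IP = "203.0.113.10"     # constructed stand-in for the public address the ISP assigns


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class HomeRouter:
    """Outbound flows create NAT entries; an inbound packet is delivered only if it
    matches an entry (a reply to something a LAN device started) or a port-forward rule.
    Real NATs also check the remote address/port and expire entries; this model does not."""
    wan_ip: str = WAN_IP
    next_wan_port: int = 40000
    nat_table: dict = field(default_factory=dict)   # (proto, wan port) -> (lan ip, lan port)
    forwards: dict = field(default_factory=dict)    # (proto, wan port) -> (lan ip, lan port)

    def add_forward(self, proto, wan_port, lan_ip, lan_port):
        """Step 8: one WAN port redirected to one internal device."""
        if not lan_ip.startswith(LAN_PREFIX):
            raise ValueError("a port forward must point at a device on the LAN")
        self.forwards[(proto, wan_port)] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """A LAN device starts a connection: allocate a WAN port, record the mapping and
        return the packet as the internet sees it (source rewritten to the public address)."""
        wan_port, self.next_wan_port = self.next_wan_port, self.next_wan_port + 1
        self.nat_table[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """A packet arrives from the internet. Returns the packet as delivered to the LAN
        device, or None when the router drops it (unsolicited and not forwarded)."""
        key = (pkt.proto, pkt.dst_port)
        target = self.nat_table.get(key) or self.forwards.get(key)
        if target is None:
            return None
        lan_ip, lan_port = target
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def forward_rule_warnings(rules):
    """rules: (proto, first wan port, last wan port, lan ip, lan port).
    Flags rules that open a range rather than a single port, and rules aimed outside the LAN."""
    warnings = []
    for proto, first, last, lan_ip, lan_port in rules:
        width = last - first + 1
        if width > 1:
            warnings.append(f"{proto} {first}-{last} -> {lan_ip}:{lan_port} opens {width} ports; "
                            "look up the exact ports the application needs")
        if not lan_ip.startswith(LAN_PREFIX):
            warnings.append(f"{proto} {first}-{last} targets {lan_ip}, which is not on the LAN")
    return warnings


def demo():
    """Walk through the three cases the post describes; returns the four resulting packets."""
    r = HomeRouter()
    # 1. a laptop browses to a streaming service: allowed out, and the reply is allowed back in
    out = r.outbound(Packet("192.168.0.20", 51000, "198.51.100.5", 443))
    reply = r.inbound(Packet("198.51.100.5", 443, r.wan_ip, out.src_port))
    # 2. an unsolicited packet to the router's public address is dropped (None)
    probe = r.inbound(Packet("192.0.2.77", 12345, r.wan_ip, 22))
    # 3. a single-port forward for a game console (constructed port) reaches only that device
    r.add_forward("udp", 27015, "192.168.0.30", 27015)
    game = r.inbound(Packet("192.0.2.77", 27015, r.wan_ip, 27015, "udp"))
    return out, reply, probe, game


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
    print(forward_rule_warnings([("tcp", 1024, 65535, "192.168.0.30", 1024)]))
```

The point of `forward_rule_warnings` is the post's "avoid a range" advice: a rule that forwards 1024-65535 to a console exposes every service on that device, not just the game.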

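For step 3, an added example (not part of the post) that generates a few-words passphrase with a secure random source and checks a candidate against the post's advice and the WPA2-PSK limits. The word list and the list of common defaults are constructed for illustration; the entropy figure shows why a real passphrase should draw on a large published word list.

```python
"""Generate and check a wifi passphrase along the lines of step 3.
Added example, not from the post; word list and default list are constructed."""
import math
import secrets

# Constructed word list, deliberately tiny so the entropy figure below shows why a real
# passphrase needs a large published list (for instance the EFF diceware lists).
WORDS = ["copper", "orbit", "lantern", "meadow", "quartz", "velvet", "harbor", "cactus",
         "pebble", "tundra", "saffron", "glacier", "walnut", "ember", "prairie", "zephyr"]

POST_MIN_LEN = 11    # the post asks for more than 10 characters
WPA2_MAX_LEN = 63    # WPA2-PSK passphrases are 8 to 63 printable ASCII characters
COMMON_DEFAULTS = {"password", "admin1234", "12345678", "qwertyuiop"}  # constructed sample


def generate_passphrase(word_count=4, sep="-", words=WORDS):
    """Join word_count words chosen with a cryptographically secure RNG (not random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(word_count=4, words=WORDS):
    """Bits of guessing resistance for a passphrase drawn uniformly from `words`."""
    return word_count * math.log2(len(words))


def check_wifi_passphrase(pw):
    """Return a list of problems with a candidate wifi passphrase; empty means it passes."""
    problems = []
    if not all(32 <= ord(ch) <= 126 for ch in pw):
        problems.append("contains characters outside printable ASCII (WPA2-PSK rejects them)")
    if len(pw) < POST_MIN_LEN:
        problems.append(f"shorter than {POST_MIN_LEN} characters")
    if len(pw) > WPA2_MAX_LEN:
        problems.append(f"longer than the WPA2-PSK limit of {WPA2_MAX_LEN} characters")
    if pw.lower() in COMMON_DEFAULTS:
        problems.append("is a well-known default or guessable password")
    if len(pw.replace("-", " ").split()) < 2:
        problems.append("is a single word; use a few words or a sentence")
    return problems


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, check_wifi_passphrase(candidate))
    print(f"{entropy_bits():.0f} bits from a {len(WORDS)}-word list; a 7776-word list gives "
          f"{4 * math.log2(7776):.0f} bits for four words")
```

With sixteen words, four of them give only 16 bits, which is why the list size matters far more than how exotic the words are.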
 

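For step 2, an added example (not from the post) that copies a folder to a dated subfolder on the external disk and verifies the copy by hashing every file, so you know the backup is good before you disconnect the caddy. Paths are constructed; in real use, mount the external disk and point `backup_root` at it.

```python
"""Dated backup of a folder onto an external disk, verified before the disk is unplugged.
Added example, not from the post; paths in the usage block are constructed."""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path


def _file_hashes(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hashes[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def make_backup(source, backup_root, stamp=None):
    """Copy `source` to `backup_root/<name>-<timestamp>` and return the new folder.
    Each run creates a fresh dated folder, so an older copy survives if the newest
    one was taken after an infection had already started encrypting files."""
    source = Path(source)
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    dest = Path(backup_root) / f"{source.name}-{stamp}"
    shutil.copytree(source, dest)   # creates backup_root if it does not exist yet
    return dest


def verify_backup(source, dest):
    """Return the relative paths that differ between source and backup (empty list means OK)."""
    src, dst = _file_hashes(source), _file_hashes(dest)
    return sorted(p for p in set(src) | set(dst) if src.get(p) != dst.get(p))


def backup_and_verify(source, backup_root, stamp=None):
    """Back up and verify in one go; returns (backup folder, list of mismatched files)."""
    dest = make_backup(source, backup_root, stamp)
    return dest, verify_backup(source, dest)


if __name__ == "__main__":
    # Constructed paths: the home folder to protect and the mount point of the caddy.
    folder, problems = backup_and_verify("/home/me/photos", "/media/me/backupdisk")
    print("backup written to", folder)
    print("all files verified; safe to unmount and disconnect" if not problems
          else f"MISMATCH in {problems}; do not trust this copy")
```

Only after `verify_backup` returns an empty list should the disk be unmounted and put away; a copy that was never checked is the one you discover is broken on the day you need it.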
And there you go. Comments and additional ideas very welcome!
