A typical home network setup
Let's start by looking at a typical home network after your local internet provider has set you up. A typical home network will have the following three components: the internet, your ISP modem, and your home network with all your devices.
1. the Internet
This is the huge global network of networks out there where netflix.com and lululemon.ca live. This is also where your ISP has their servers that provide you with things like DNS. Most companies will also have their own internal network, just like you have your home network, and will only have their web servers 'on the internet' (simplifying matters slightly here :) )
Read https://vancurious.ca/networking_for_non_techie for more details.
2. The magic box your ISP gave you - the ISP modem
If your home network has been set up by your ISP, it will typically look something like this.
Your ISP will have installed a nifty box in your home that has been configured to do three things for you:
- be a modem, and connect your home network to the internet
- be a router, and route traffic between your devices. It will have some basic rules set up to hide your home devices from the internet, not allow traffic in, etc. You can plug in a number of ethernet cables and the router will take care of letting things talk to each other.
- be a Wireless Access Point or WAP, which creates your wireless network (wifi).
Your ISP should have given you an IP address (usually 192.168.0.1) to connect to the modem to change its settings. You can type this into your browser's address bar and a login screen should appear - and your ISP should have given you the login information.
On the setting screen you can typically also give your wifi network a name, set up authentication for your wifi, and define some routing rules.
3. Everything else: your devices
In most typical home networks all devices are connected to the network created by the ISP's modem. That includes every visitor you have ever given the wifi password to, and your children's friends who were given wifi access.
Why would I care about my home network being more secure?
There are a couple of reasons you should care.
Privacy
By default, devices on your home network can see all network traffic even if not meant for them.
Your smart TV can see all the traffic on your network, and provide data to the manufacturer. It can keep track of your watching behaviour and share that. Your smart ring doorbell home security device can send all the videos it takes to the company.
And your visitors that connect to the wifi technically can see the traffic as well.
Ransomware
There are bad actors out there that make money by encrypting your data and asking for a ransom before decrypting it. They would first have to find a way to get their encryption software onto your computer - which can be done by getting you to click on a link in an email and approve an install, by a website with some scripting on it that asks you to install something, or possibly because the tool you downloaded and installed is not what you think it is.
But another and possibly easier way is to get into any of your smart devices.
And if your aquarium smart filter ever gets compromised, it has access to everything. If you turned on 'file sharing' on your device to play your music, and your smart TV gets compromised or you click on the wrong thing on a website and download ransomware - you will lose everything; all your data is encrypted on all your devices and you may never get it back (even if you pay!!)
So what can you do to make this slightly more secure?
- Change the default password on the ISP modem
And keep track of it - preferably in a password manager: an application created for storing passwords. Writing it down also works, and remember that someone would have to be in the house to be able to read it. Of course, paper is also easily lost or recycled by accident, so... Do your risk analysis and know yourself! Are you the kind of person that usually loses slips of paper? Are you more likely to forget the password to your password manager? Do you not trust technology and would keep a default password if someone said you could only use a password manager? Change the password and store it in whichever way works for you.
- Back up your data regularly. For instance, buy a hard-disk caddy and a number of external hard disks. Create a backup, and disconnect the caddy. That way, should you get hit by ransomware, this data is safe (as long as it is not connected, the ransomware cannot encrypt it). Make sure you don't re-connect it until you have wiped the ransomware. Having an external backup also allows you to store it somewhere else in case of fire or flood.
- Do put a password on your wifi, do require a login. Choose a hard-to-guess but easy-to-remember long (>10 characters) password, and set it up with the WPA2 protocol. You can use a sentence! Or a few words together!
- Create two wifi SSIDs, one for trusted devices and one for non-trusted. Note that this just gives you two different names and logins for what is still really the same network if you are using your ISP modem to do this. However, this way at least you're not giving out your primary password to all your guests, so that is a good thing!
- Remember that all your devices are on the same network and can see each other. Wherever you are enabling any sharing (file sharing, etc.), keep the access as specific as possible. For instance - enable file sharing only for specific devices, and with a username/password. Don't set your devices to be discoverable. Don't turn on anything on a device unless you really need it. Turn off wifi, bluetooth, anything you don't need.
- Educate yourself. Even your ISP modem provides basic security through NAT - network address translation. It is good to understand that this only allows traffic in that was initiated by a device already on the internal network. Internal devices are not directly addressable from the internet.
- For certain applications to work, especially games, you may need to set up port forwarding. This means that you allow a connection from the internet on a specific port to be redirected to an endpoint (device, computer) on the internal network, on perhaps a different port. This will allow this device to 'talk' back and forth with a game provider. When you set this up, be as specific as possible about the ports you're allowing this for. Avoid a range wherever possible. Look up the minimum needed for the specific application, and only allow that.
- Turn off UPnP if it is on!! Universal Plug and Play is not needed, and has significant vulnerabilities.
- Make sure the administration interface is not available from the WAN, so someone from outside, from the internet, cannot get into your modem and change the settings. Turn off this configuration setting - it should be off by default, but check!!
- Keep your firmware and software (of all your devices) up to date - look up the instructions. This makes sure that if there were issues or vulnerabilities, you get an updated and fixed version. When that perky reminder comes up that "an update is available" don't do what I do and click ignore.... run the update! Most updates are fast and very safe. Home routers do get taken over (compromised) and used for nefarious purposes such as botnets.
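To make the NAT and port-forwarding points above concrete, here is an added toy model (not code from the original post) of how the ISP modem decides what to do with a packet arriving from the internet: replies to connections a home device started get in, unsolicited packets are dropped, and every forwarded port is a hole that stays open. All addresses, ports and devices in it are constructed examples.

```python
# Added illustration, not code from the original post: a toy model of what the
# ISP modem does with traffic arriving from the internet, i.e. NAT session state
# plus port-forwarding rules. All addresses, ports and devices are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Inbound:
    """A packet arriving on the modem's WAN (internet) side."""
    src_ip: str
    src_port: int
    dst_port: int

@dataclass
class HomeRouter:
    forwards: dict = field(default_factory=dict)  # WAN port -> (device ip, device port)
    sessions: set = field(default_factory=set)    # (remote ip, remote port, WAN port)
    next_nat_port: int = 40000

    def send_out(self, remote_ip, remote_port):
        """A home device starts a connection; NAT remembers it so the reply gets back in."""
        wan_port = self.next_nat_port
        self.next_nat_port += 1
        self.sessions.add((remote_ip, remote_port, wan_port))
        return wan_port

    def forward(self, wan_ports, device_ip, device_port):
        """Port forwarding: every WAN port listed becomes reachable unsolicited."""
        for p in wan_ports:
            self.forwards[p] = (device_ip, device_port)

    def accept(self, pkt):
        """Where an inbound packet goes: back to a session, to a forwarded device, or dropped."""
        if (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.sessions:
            return "reply to existing session"
        if pkt.dst_port in self.forwards:
            return self.forwards[pkt.dst_port]
        return None  # nobody inside asked for it and no rule matches: dropped

def demo():
    r = HomeRouter()
    wan = r.send_out("198.51.100.5", 443)                  # laptop fetches a web page
    reply = r.accept(Inbound("198.51.100.5", 443, wan))    # the server's reply: allowed
    probe = r.accept(Inbound("198.51.100.99", 1234, wan))  # random probe from elsewhere: dropped
    # a game console needs one port: a narrow rule versus a lazy range
    narrow, lazy = HomeRouter(), HomeRouter()
    narrow.forward([27015], "192.168.0.20", 27015)
    lazy.forward(range(27000, 28000), "192.168.0.20", 27015)
    return reply, probe, len(narrow.forwards), len(lazy.forwards)
```

The last two numbers returned by `demo()` are the count of ports open to anyone on the internet: one for the narrow rule, a thousand for the range.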
For more background, look at "some networking concepts explained for the non-techie", which aims to explain the basic concepts.
And there you go. Comments and additional ideas very welcome!