The home network is equally important to secure as the organization you work for. Think about it, this is the network that you use when not in the office; you plug your work laptop in, access sites that are unfiltered/unprotected by your company’s proxy, and then bring the laptop back in to the office the next day and plug it in to the production network. This has the potential to introduce significant risk to the organization. This risk is only exacerbated if someone is able to compromise your home network. In fact, using work laptops outside of the company network is one of the most common ways malware makes it into the organization.
For these reasons it is important to take security seriously both inside and outside of the office. To help with this, I’ve put together 7 steps that you can take to improve the security of your home network.
1. Encrypt your home network using WPA2 and a strong password
Open wireless networks should be avoided unless there is no other option. When using open networks, a VPN should be employed to protect your data while in transit. When it comes to your personal home network, there is absolutely no reason to leave the wireless network open. Encryption is built in to every standard Wi-Fi router so there is absolutely no reason to not enable this. More importantly, Wi-Fi Protected Access 2 (WPA2) should be used as it is the most secure Wireless protocol available for home use. WEP and standard WPA can be cracked and are not considered secure.
In addition to enabling encryption, a very strong password should be used. This doesn’t need to be something ridiculously hard to remember, or so complex that you need to write it down. Remember, when it comes to password strength it’s all about entropy. So, the longer the password the better. This could be something as simple as a sentence with a few capital letters, spaces, and maybe one special character. This makes it very hard to guess but easy to remember, and if someone is able to capture the challenge-response, it will be very difficult for them to crack.
2. Change default router passwords and settings
Just do it… This is the very first thing that every penetration tester will try once connected to a wireless network. If they can log in to the administrative interface using a default or easily-guessable password, then all bets are off. The same goes for default settings. The fact that they are ‘default’ means that they are generally public knowledge and a quick google search will give an adversary everything they need to gain access to your network.
Aside from passwords — which should be changed for obvious reasons, the main setting of concern is the default IP address. This is normally 192.168.x.1 and various exploit kits are hard-coded to take advantage of these default configuration settings. Simply changing the IP address to anything else (IE: 10.112.123.111) will greatly improve the security of the router and subsequently, your home network as a whole.
One other setting that should not be overlooked is Wireless Protected Setup (WPS). This feature is prone to well-known and simple proximity attacks and can be broken very easily. When using WPS to configure devices such as printers or similar technology, it is best practice to enable WPS, add the device, and then disable WPS once the device has associated with the access point.
3. Set up a guest network for family and friends to use when they visit
Guest networks are a simple and effective way to segment your devices from potentially untrusted devices on the network. Sometimes a friends system can contain malware that could infect other systems over the network. Or, if you have guests regularly (think Air BnB) that connect to your network, do you really want them to be able to access your computer, servers, or other systems on your personal network? Another aspect to consider if you have ‘untrusted guests’ is to lock the router away to deter physical access attacks.
Many routers have a built-in guest feature. If yours doesn’t support this, you may want to consider purchasing another cheap router and bridge this off of your normal access point. This segments the network and keeps untrusted devices off of the main network. This could also be key if someone uses your guest network to download torrents or perform other illegal activities, as showing that this was conducted over your guest network by a device that you don’t own could get you out of hot water.
4. Set up a separate network for Internet of Things (IoT) devices
If you can control your lights from the internet, so can anyone else who happens to guess the password to your Internet of Things control center. What’s worse is that if they can get to your lights, what else can they access on your network? With the rise in home automation and remote access to physical devices, it is important to segment the network to reduce the risk of an outsider gaining access to the internal network by way of an exposed service.
5. Disable remote access to your home network
Many routers come with the ability to allow remote access. This can be very dangerous, especially if default passwords are still in place. Once someone gains access to the router remotely, they can sniff traffic and access systems on the internal network from anywhere in the world. Often these technologies are only protected by a username and password, which can be easily broken with a dictionary attack, often without the owner even knowing. This is why it is very important to only enable remote services when you can compensate for the risks by adding protections such as multifactor authentication.
The same precautions should be taken when running a demilitarized zone (DMZ) and exposing Windows or Linux servers to the internet. Unless it is absolutely necessary to access these systems directly from the internet, a VPN with multifactor authentication should be used instead. This will allow you to access your home network remotely in a more secure manner. If you are running a web server or something similar and need to have these services directly exposed, any remote administration protocols such as RDP or SSH should be protected using a public/private key pair in addition to the username/password combination.
6. Use a firewall
Firewalls are a cheap and effective way to curb attacks against your home network. Plus, they give you additional insight into the traffic that is traversing over the network boundary, in addition to maintaining a separate record of traffic history. Firewalls can also be implemented on the router directly, in fact most modern routers come with the built in ability to block specific ports or even filter specific types of traffic. A really good one that I would highly recommend is pfsense.
If you are exposing servers to the internet, Honeyports are a free and easy to use tool can be used to detect and ban IP addresses as attacks are observed. Artillery is one of my favorite tools for this and it can be installed on the server and up and running in minutes. This will prevent known-bad IP addresses from reaching your server once a connection attempt has been made against one of the exposed Honeyport services.
7. Log out of the router when not using it
Many of the attacks against routers today are done by forcing the client to perform an action within the administrative interface of the router on behalf of the attacker. This attack is commonly referred to as Cross-Site Request Forgery (CSRF) and is a very effective means of gaining access to a router. Some of the attacks simply enable remote access to the router and change the administrative password while others completely take over the device and backdoor it. For these reasons, it is important to always log out of the router’s web interface when you are done administering the services.