Home Network Security and Hardening

Your home network doesn't secure itself

There are many simple things you can do to improve your security posture, and the good news is that you don't need to be a geek. Here are a few recommendations.

Change the default admin credentials

  • The internet is full of default credentials, and let's face it, people tend to leave these unchanged.
  • A simple solution is to change the default values to something unique and long enough.
  • Use WPA3 where you can
  • Avoid WEP and WPA1 as they are insecure

Disable WPS

  • WPS makes connecting devices to your network easy, but it is a known attack vector, so disabling it is recommended.

Rename your SSID

  • The name of your Wi-Fi can tell attackers the manufacturer and the model of your router.
  • Changing it is a good idea, but please don't put your name, address or other personally identifiable information in it.

Set up a separate guest Wi-Fi network (network segmentation)

  • It is good practice to not allow your guests into your main network
  • Instead, create a separate guest Wi-Fi network for them
  • This way you can isolate your trusted devices' network from your guest devices that might run some sneaky malware in the background

Update the firmware regularly

  • Regularly update the firmware on your networking devices. Vulnerabilities are discovered daily, and it is good practice to apply patches as soon as they are available.
  • A bi-weekly check is recommended
  • Some routers and switches support automatic security patching

Limit remote access

  • Access the router interface from your local network only
  • If remote access is a must, make sure you don't expose your router interface to the public internet. Use a VPN connection instead.

Disable unused services

  • The list is long here, but the most common services are UPnP, Telnet, SSH, FTP.
  • Apply a deny-by-default policy, and only enable the services you really need
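
One way to confirm from inside your own network that these services are really switched off, as an added example that is not part of the original post. The router address 192.168.1.1 and the function names are assumptions; the ports are the standard defaults for FTP, SSH and Telnet, and UPnP is left out because its discovery runs over UDP.

```python
import socket
import sys

# Services the post names as commonly left enabled, with their default TCP ports.
# UPnP discovery uses UDP 1900, so this TCP connect check does not cover it.
SERVICES = {"FTP": 21, "SSH": 22, "Telnet": 23}


def port_open(host, port, timeout=1.0):
    """Return True if host accepts a TCP connection on port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(host, services=SERVICES, allowed=(), timeout=1.0):
    """Deny-by-default audit of your own router.

    Every service that answers and is not explicitly listed in `allowed`
    is returned as a finding, as a (name, port) tuple.
    """
    findings = []
    for name, port in sorted(services.items(), key=lambda kv: kv[1]):
        if name in allowed:
            continue  # you decided you need this one; skip it
        if port_open(host, port, timeout):
            findings.append((name, port))
    return findings


if __name__ == "__main__":
    # Assumed LAN address; pass your router's address as the first argument.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = audit(router)
    for name, port in results:
        print(f"{name} (tcp/{port}) answers on {router}: disable it if unused")
    if not results:
        print(f"None of the listed services answer on {router}")
```

Run it from a device on your main network after changing the router settings; an empty result means none of the three services accepted a connection.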

DNS settings

Firewall rules

  • These rules are crucial to block traffic that doesn't make sense.
  • While this can get complicated, common sense goes a long way:
    • Block all inbound traffic by default
    • Allow outbound traffic but add monitoring if possible
    • Disable or restrict port forwarding
      • Disable port forwarding by default
      • If you need port forwarding for gaming or you have a NAS on your network, limit it to specific IPs

Final thoughts

Thanks for reading through the above! If you found this useful, consider sharing with those who might need it.

In our following posts we will explore some easy and more advanced techniques on mobile device security, defending against scams, and more. Feel free to follow along.