Advice on leveling up your home network protection

As we adjust to a new norm of working from home for the time being, I would like to share advice on leveling up your home network protection. Some of us are fortunate enough to continue our business as usual (sort of) from our home offices and may want to consider using this time to assess and strengthen security. But this advice applies across the board as we all hunker down and spend more time connected — and connecting — virtually.

I recommend the following steps based on where you are in the “DIY” IT security continuum.

For N00bs (that is, “newbies”): “I just had a Comcast person set this up for me.”

Most of us are used to plugging in the router, connecting it to the modem, and calling it a day after giving the wifi a snarky name such as “FBI Van #4”! If that is the case, now may be a good time to rethink this approach. If you’re looking for new ideas to increase security beyond “out-of-the-box” settings and installations, here are some options for security expansion for your router — the entry-point to your network — as well as for your smart home devices.

Securing your router

First, access your router settings so you can check and improve them, if need be. Since many people may not know how to take this first step, an easier way may be to access your home router settings by logging in to your internet provider’s website. The other way is to access the router directly. Typically the router has a set IP address such as 192.168.0.1 or 10.0.0.1 that you would type into your browser. Check out your provider’s FAQ pages if you are still having issues logging in to see the router settings. Once you have accessed the router settings, take the following basic steps:

  • Change your wifi password and the administrator password (and make them different!);
  • Change/check your wifi name, keeping in mind that you do not want to reveal personal information (e.g., Jones Family or 289 Middle Ave.);
  • Check “WPA2” as the encryption method, as other methods have been cracked;
  • Disable WPS, as it is a way for people close by to easily get inside your wifi, even if they’re just egregious curbside wifi pirates;
  • Enable the default firewall to protect yourself from both proximity attacks and attacks from anywhere; and
  • Disable “Shared-WiFi,” because sharing isn’t always caring!

Securing smart home devices

We’ve enjoyed a proliferation of IoT devices throughout the home — from smart thermostats to video doorbells to connected lighting and shades. How can we integrate these things with the peace of mind that we are sufficiently protected? Here are a few pointers:

  • Choose trusted brands, even if the immediate cost is higher;
  • Think like an IT pro by making firmware updates a regular practice: periodically log in to the app that controls your IoT devices to make sure they are all up to date with the latest firmware;
  • Make sure you have up-to-date mobile apps, since most of the time you are controlling devices from your phone;
  • Choose strong, unique passwords (phrases are good);
  • Do not use the same password for all your devices; it’s okay to go old-school and write down your passwords in a password book;
  • Disable any features you do not expect to use; and
  • Review saved voice data. I'm sure that most people with smart home devices have been in a situation where the device responds to a conversation you're having when you didn't even mean for it to start listening. Although Amazon and Google have strict guidelines on how their employees review data to improve their systems, this is a way to ensure private conversations stay private as best as possible. For example, in Google you can find this in "My Activity" under Google Assistant settings, where you can have voice data deleted automatically after a period of time or manually delete any unwanted voice data.

Splitting network into segments

Okay, brace yourself for this one. I recommend that anyone who is working from home split their network into segments: one for home use / untrusted devices (e.g., IoT gadgets) and one for business use / trusted devices (e.g., work laptop).

This advice may sound intimidating, but it’s actually somewhat simple to do. One of the easiest ways, quite frankly, is to use two separate routers. But keep in mind that you can use a single router, too. In this case, you could split VLANs by radio signals, placing all your 2.4 GHz devices on one segment and your 5 GHz devices on the other. Either way, make sure you have separate firewall protection for both segments.
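Once the network is split, it is worth checking that the split holds. The following is an added example, not part of the original article: it audits a constructed list of connection records against an assumed addressing plan (192.168.10.0/24 for the trusted segment, 192.168.20.0/24 for the untrusted one) and an assumed policy that only trusted devices may open connections to trusted devices. It also lists home devices that were never moved onto either segment.

```python
import ipaddress

# Assumed addressing plan (not from the article): one subnet per segment.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),    # work laptop
    "untrusted": ipaddress.ip_network("192.168.20.0/24"),  # IoT gadgets
}
# Private (RFC 1918) ranges: an address here but in no segment is "unplaced".
HOME_SPACE = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("192.168.20.15", "203.0.113.10", 443),    # IoT device to the internet
    ("192.168.10.5", "192.168.20.15", 80),     # laptop to IoT device
    ("192.168.20.15", "192.168.10.5", 445),    # IoT device to laptop
    ("192.168.20.40", "192.168.20.15", 1900),  # IoT to IoT, same segment
    ("192.168.0.23", "192.168.10.5", 22),      # device left on the old flat network
]

def segment_of(addr):
    """Name the segment an address belongs to, or 'unplaced' / 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unplaced" if any(ip in n for n in HOME_SPACE) else "internet"

def audit(flows):
    """Return (flows that reach the trusted segment from outside it,
    sorted home addresses that sit on neither segment)."""
    violations, unplaced = [], set()
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        unplaced.update(a for a, seg in ((src, s), (dst, d)) if seg == "unplaced")
        if d == "trusted" and s != "trusted":
            violations.append((src, dst, port))
    return violations, sorted(unplaced)

if __name__ == "__main__":
    bad, stray = audit(SAMPLE_FLOWS)
    for flow in bad:
        print("crosses into trusted segment:", flow)
    print("not on any segment:", stray)
```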

The Dabbl3rs (that is, the Dabblers): “I know just enough to break things.” 

If you’re looking to add something to your pretty secure existing scenario, consider setting up your own VPN. When you are doing work things, you are protected with your work VPN. But for home things in the future when we can venture out into the wild, such as sitting at a coffee shop with unencrypted wifi, using a VPN is a good idea. From there, some other ways to expand protections include the following:

  • DNS Blackhole/Sinkhole/Pi-hole: With a DNS blackhole (you can think of DNS as the “yellow pages for websites”), you can have ads not resolve (even on a kid's tablet while they play free games). With some of the more high-end routers, you can enable DNS filtering to block different categories (e.g. "gardening centers"). If you’re feeling really adventurous, you could set up a Pi-hole with a Raspberry Pi or a Linux server you have lying around. With this you will be able to use the default blacklist, copy community-created blacklists, as well as add your own for any specific domains you would like to not resolve. All with a built-in dashboard to track the percentage of blocked domains and which devices in your network are reaching out the most for ads.
  • Intrusion detection system (IDS): Having an IDS is good to get alerted on possible issues going on, at least protecting you from known malicious activity (that is, signatures created from previously identified threats).
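To make the DNS blackhole bullet concrete, here is an added example (not from the original article and not Pi-hole's own code) of the decision a sinkhole makes for each query and the two dashboard figures mentioned above. The blocklist, custom entry, device names and query log are all constructed; whether subdomains of a listed name are also blocked depends on the resolver, so the example exposes that choice as a flag.

```python
from collections import Counter

# Constructed blocklist in hosts-file style, plus one bare-domain line.
COMMUNITY_LIST = """\
# constructed sample entries
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
banner.example.com
"""
CUSTOM_DOMAINS = ["telemetry.example.io"]  # constructed "add your own" entry
NOT_DOMAINS = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed query log: (client device, name it asked for).
QUERIES = [
    ("kids-tablet", "ads.example.net"),
    ("kids-tablet", "cdn.ads.example.net"),
    ("kids-tablet", "game.example.com"),
    ("smart-tv", "Tracker.Example.org."),
    ("smart-tv", "telemetry.example.io"),
    ("smart-tv", "video.example.com"),
    ("work-laptop", "mail.example.com"),
    ("work-laptop", "notads.example.net"),
]

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()

def load_blocklist(text, extra=()):
    blocked = {normalize(d) for d in extra}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # "IP name [name...]" or a bare "name"; drop the leading address if present.
        names = fields[1:] if len(fields) > 1 else fields
        blocked.update(normalize(n) for n in names)
    return blocked - NOT_DOMAINS  # never sinkhole the machine's own host names

def is_blocked(name, blocked, include_subdomains=False):
    labels = normalize(name).split(".")
    depth = len(labels) if include_subdomains else 1
    # Compare whole labels, so "notads.example.net" never matches "ads.example.net".
    return any(".".join(labels[i:]) in blocked for i in range(depth))

def dashboard(queries, blocked, include_subdomains=False):
    """Percentage of queries sinkholed and blocked-query count per device."""
    hits = Counter(c for c, q in queries if is_blocked(q, blocked, include_subdomains))
    pct = 100.0 * sum(hits.values()) / len(queries) if queries else 0.0
    return round(pct, 1), dict(hits)

BLOCKED = load_blocklist(COMMUNITY_LIST, CUSTOM_DOMAINS)
```

Calling dashboard(QUERIES, BLOCKED) with and without include_subdomains=True shows how much ad traffic an exact-match list misses when ads are served from subdomains.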

Be your own threat hunter

For the most daring among us, the third level of protection is essentially becoming an at-home threat hunter. You can engage in active threat monitoring with your own Network Security Monitor (NSM) system. As much as I love being a threat hunter myself and welcome the opportunity to inspire such a passion for all, I suggest sticking to the first two levels of raising the bar on your home network protection. Both will improve your security beyond the basics. With other stressors on our plates right now, a home network attack should not be one of them.

About IronNet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet Cybersecurity is a global cybersecurity leader that is revolutionizing how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing an extraordinarily high percentage of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today. Follow IronNet on Twitter and LinkedIn.