Best Practices for Securing Your Home Network
Information Technology (IT) departments in large corporations are increasingly allocating more of their annual budgets to security for one simple reason: the value of an organization's data far outweighs that of its physical assets. While you may not be running a corporation on your home network, your data may be your most valuable asset as well. Fortunately, there are some simple and straightforward steps you can take to minimize the risk of losing that data. As long as you remember that there is no single solution to security, but rather that it requires a multi-layered approach, you should be well on your way to safer networking.
Common home network topologies
Let's start by examining the two most popular methods for connecting your home network to the Internet.
- Software Router. A single computer on your home network is connected directly to a cable/DSL modem. You use your operating system's Internet connection sharing tool to share your Internet connection with other computers on your network.
- Hardware Router. A router is installed between the computers on your home network and the cable/DSL modem. The router provides Network Address Translation (NAT) to share your Internet connection with other computers on your network.
Regardless of which scenario you choose, the practices we'll outline in this article are generally applicable.
Definition: A router is a device that examines network traffic and determines whether the traffic belongs to the local network or to another network. As its name suggests, it "routes" traffic to the appropriate network.
Enable your firewall
Every modern operating system on the market today provides some sort of firewall. These firewalls are built into the operating system and are typically pre-configured for you. Of course, you can also purchase third-party firewalls that provide additional functionality. Regardless of which topology your network uses, you should make sure that your OS firewall is enabled and configured correctly.
For example, shown below is the firewall built into Windows Vista and Windows 7. As you can see, the firewall provides three default network profiles: Domain, Private, and Public. For each profile, you can specify whether the firewall should be turned on or off, and whether inbound connections and outbound connections are allowed or blocked. If you click on each profile tab, you can see the default settings for that network profile.
Definition: A firewall is a set of rules that determine which types of communications can occur between computers, applications, services, and networks. Typically, the rules are configured to allow unrestricted outbound access but limited inbound access.
Use DHCP sparingly
Routers generally have a built-in DHCP server that assigns an IP address to each device on your network. While this relieves you of the burden of having to assign IP addresses to individual computers manually, it also makes your internal network more vulnerable.
For example, let's say you have a wireless router and its integrated DHCP server is enabled. If a client computer is within the broadcast range of your router, it can request an IP address and, if assigned one, can join your network. In this case, even though the client computer is not physically located on your home network, it can now behave as though it were.
Definition: DHCP is an acronym for Dynamic Host Configuration Protocol. When a client device requests an IP address, the DHCP server automatically allocates one from a pool of available addresses.
We recommend that you assign all your wired devices static IP addresses and allocate only enough DHCP addresses to satisfy your wireless devices. For example, if you have desktop computers and notebook computers, assign your desktop computers static IP addresses and reserve enough DHCP addresses for your notebook computers, as the latter are mobile and may need to join networks other than your home network.
Some routers support a technology known as static DHCP, which maps an IP address to the Ethernet address of a network interface card. For example, if the Ethernet address (also known as the MAC address) of one of your network cards is 00-30-1B-BD-74-81, you can create a static mapping such that this network interface always gets the IP address 192.168.11.204. If a rogue client like we described above requests an IP address, the process fails because the client's MAC address is not in your table of static DHCP assignments.
Definition: Static DHCP is a special type of DHCP that provides a one-to-one mapping between IP addresses and Ethernet addresses.
Secure your hardware router
If you're using a hardware router, make sure you log in with the vendor-supplied administrative credentials, and then change them by providing a strong password. Many routers come preconfigured with the user ID admin and a weak password. One company I'm aware of uses admin for both the user ID and the password.
Also, many routers come preset with IP addresses, such as 192.168.0.1 or 192.168.1.1. You should change this default setting as well. Typically, changing the third octet to something different (for example, 192.168.27.1) should suffice. In this example, all your network devices would then be on the 192.168.27.x network, where x is a unique number between 1 and 254 assigned to a particular device.
Secure your wireless network
By their very nature, wireless connections are insecure because there's no physical barrier between connection points. To secure your wireless network appropriately, you need to focus on two areas:
- Controlling access to your wireless network.
- Securing data carried on a wireless connection.
Hide your network
Regardless of whether your wireless access point is integrated into your router or is a separate device connected to your wired network, it has a network name known as a Service Set Identifier (SSID) or sometimes an Extended Service Set Identifier (ESSID). If SSID broadcasting is enabled, your network name is announced to the public. By turning off broadcasting, you can hide your wireless network from prying eyes. Doing so requires more effort on your part when connecting to your wireless network, but it also lessens the chance that a client device outside your network will attempt to connect to your access point.
Restrict access by hardware address
An access control list (ACL) is a list of Ethernet (MAC) addresses that are allowed to connect to your wireless network. If the client computer's MAC address isn't in the ACL you create, the computer's connection attempt is denied. To create the ACL, you'll need to go to each client device on your network, determine its MAC address, and then enter it into your access point's configuration utility. Again, this requires some effort on your part, but it's another layer of security you can add to your home network.
Require authenticated sessions
Operating system providers face a constant challenge of keeping their products secure yet making them easier for users to manage; needless to say, they don't always achieve that goal. One such instance is the fact that, in most cases, the operating system saves your login credentials automatically when you first set up a wireless connection. We recommend that you change the default setting to require a prompt for your credentials each time you connect.
Encrypt your data
Even if you've addressed access issues using the practices discussed so far, you still need to think about the data that travels across your wireless network. How would you feel, for example, if you were purchasing an item from an online store and someone was sniffing out your credit card information by capturing the data stream? To prevent this kind of cyber crime, you need to encrypt your data. Most routers support Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA), the latter being significantly more secure than the former. In the figure shown below, you can see that we've chosen WPA/WPA2 Personal for our wireless security.
Keep up the good work
Now that you've put these recommendations into practice, it's time to maintain them. Part of this job entails applying the operating system updates that Microsoft and Apple deliver through their automatic update services. It also includes keeping your router firmware up to date.
Enjoy your journey!