Steps you can take to harden your home network

Marc Member, Beta Tester Posts: 485 ✭✭✭✭✭
Hi folks...  this seems to be a topic that crops up on the forums from time to time and with so many experts here, I thought getting all these suggestions in one place might be a good idea. (and some prodding from @VioletChepil as well!)

Let me start off with what should be a simple given for any person with a home network...  Always make sure you have a password assigned to access your router or any network equipment in your home.  This includes IoT devices, thermostats, cameras etc...   That password should not be the one that came with your equipment and should be something that's complex and hard to guess.  

Let me give you an example...  Th3Sky!sBlu3 is one example of a password you could remember but substitutes in special characters to make it unique.  Look, security wise if you could use something long and random, like 983!Ei29u!#odei960dheu,  that would be better but I also realize how hard it is to do that.  Anyway, please chime in the rest of you with your helpful suggestions.
That's Daphnee, she's a good dog...

Comments

  • VioletChepil London, UK Member Posts: 2,474 admin
    Thanks a lot for starting this one up @Marc!
    @Pixelpopper @pwmeek @Romulus @Hronos @Crowgrandfather @vulcansheart @kltaylor @Pooh - anything to add in? 

    Community Manager at Fing

  • Marc Member, Beta Tester Posts: 485 ✭✭✭✭✭
    Here is a good thread on using guest networks to secure IoT devices.

    Alderete said:
    One way or another, your network equipment (probably your router) needs to isolate your IoT devices from your real, personal devices.

    If your wireless hardware supports it, you can create a "guest" network, and put your less trusted devices on it. If those devices don't need to talk directly to each other, or you, but need to be able to connect to a cloud-based service, this might work. But if devices need to communicate locally (on your home network), this won't work. (But it's still a great solution for your house guests.)

    The "traditional" solution (that is, beloved by network engineers and incomprehensible by most others) is to create an isolated network, either physically (expensive, problematic) or virtually using VLANs (free if your network hardware supports it, expensive/impossible otherwise). Both require you to set up mechanisms to "route" network traffic between the networks. (If you want to be able to access your camera, Sonos, or whatever you've jailed over in the other network.) Those mechanisms are...complicated to understand.

    The latest solutions are things like Eero's protection service, Eero Secure (available today), or Apple's new HomeKit for routers (available ???), https://www.engadget.com/2019/06/03/apple-homekit-secure-video-routers/. That's the best bet for "mere mortals".

    Where Fing fits in all of this, I'm not sure. So far as I've been able to tell, Fing doesn't support VLANs. (It certainly stops seeing the devices I've moved to my IoT VLAN.) And since it's not "in the middle" of your network traffic, it's hard for it to participate in the isolation. I think the best it can do today is disable rogue (unidentified) devices from using your network.

  • Romulus Member, Beta Tester Posts: 34 ✭✭✭
    Updating firmware on devices is highly recommended. Manufacturers fix vulnerabilities all the while, and if you don't update, your device could be wide open to attack.

    The most important device to update is your Internet router. Any vulnerability in that and your whole network and all the devices on it could be accessible from the internet. It's quite common for a brand new device you buy from the store to have old firmware (it may have been on the shelf for months).  So just because it's new, don't assume it's up to date.

    Also keep up to date with Windows updates. If an intruder gets on your network, it's much harder for them to get into your PC if it has all the known vulnerabilities patched. Make sure you are also running anti-virus; at the very least, use the built-in Windows Defender on Windows machines.
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    edited December 6
    I agree with all of the above and put into a list (no particular order)
    1. Change default login credentials to routers, access points, switches (Don't use same WiFi security key as the admin password)
    2. Disable unnecessary convenience features like WPS, UPnP, and port forwarding if you don't use them
    3. Enable and utilize the Guest WiFi network (use strong password) to isolate visitors and IoT devices from your LAN devices.
    4. Use a hidden SSID for your primary network with a strong WPA2 key
    5. Don't use identifiable information in your SSID - last names, birthdays, pet names, addresses, business/work names, sports teams, etc.
    6. Reduce WiFi broadcast strength/power if your signal can be detected from the nearest street (use multiple access points or a mesh system for good interior coverage while using low power)
    7. Use VPN services to secure and encrypt traffic on sensitive devices
    8. Keep firmware up to date on all network hardware and IoT devices. Keep OS security patches automatic, and anti-virus fully enabled
    9. Determine your external IP address - Google "my IP" - plug your IP address into the site https://www.shodan.io/ and click search. If results are populated and show your network devices and location, power off your modem for a few minutes to force a new DHCP address
    10. Use your Fingbox to monitor for rogue devices, open ports, and unusual activity

    41 4c 4c 20 59 4f 55 52 20 42 41 53 45 20 41 52 45 20 42 45 4c 4f 4e 47 20 54 4f 20 55 53
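
Item 10 of the list above can also be spot-checked by hand from any Linux machine on the LAN. This is an added example, not part of vulcansheart's post and not how Fingbox works: it compares the neighbour table printed by `ip neigh show` with an inventory you maintain. The sample output, MAC addresses and inventory are constructed.

```python
import re

# Constructed sample of `ip neigh show` output; on a real host you would
# capture it with subprocess.run(["ip", "neigh", "show"], ...).
SAMPLE = """\
192.168.1.1 dev wlan0 lladdr 3c:84:6a:10:20:30 REACHABLE
192.168.1.23 dev wlan0 lladdr B8:27:EB:AA:BB:CC STALE
192.168.1.41 dev wlan0 lladdr 5a:11:22:33:44:55 REACHABLE
192.168.1.77 dev wlan0  FAILED
fe80::3e84:6aff:fe10:2030 dev wlan0 lladdr 3c:84:6a:10:20:30 router STALE
192.168.1.90 dev wlan0 lladdr 00:1d:c9:de:ad:01 DELAY
fe80::21d:c9ff:fede:ad01 dev wlan0 lladdr 00:1d:c9:de:ad:01 STALE
"""

# Constructed inventory: MAC address -> label for devices you own.
KNOWN = {
    "3c:84:6a:10:20:30": "router",
    "b8:27:eb:aa:bb:cc": "raspberry pi",
}

LINE = re.compile(
    r"^(\S+) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I
)


def is_randomized(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set,
    which is how phones and laptops mark a private, per-network MAC."""
    return bool(int(mac[:2], 16) & 0x02)


def find_unknown(neigh_output, known):
    """Return one record per MAC seen on the LAN that is not in the inventory."""
    seen = {}
    for line in neigh_output.splitlines():
        m = LINE.match(line.strip())
        if not m:  # FAILED/INCOMPLETE entries carry no lladdr
            continue
        ip, mac = m.group(1), m.group(2).lower()
        seen.setdefault(mac, []).append(ip)
    known = {k.lower() for k in known}
    return [
        {"mac": mac, "ips": ips, "randomized": is_randomized(mac)}
        for mac, ips in sorted(seen.items())
        if mac not in known
    ]


if __name__ == "__main__":
    for dev in find_unknown(SAMPLE, KNOWN):
        note = "randomized MAC" if dev["randomized"] else "fixed MAC"
        print(f'{dev["mac"]}  {", ".join(dev["ips"])}  ({note})')
```

The neighbour table only lists devices this host has exchanged traffic with recently, so an empty result is not proof that nothing else is connected.
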
  • Ciaran Administrator Posts: 220 admin
    Thanks all for the suggestions here, personally, this is really useful for me.
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    I'll keep adding to my post above as people suggest more. I added a line for SSID names.
    edit*
    I just stumbled on this excellent bulletin posted by the, uh... NSA:
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    I just stumbled on this excellent bulletin posted by the NSA that has great tips for keeping your home and personal identity safe:
  • eJony Member, Beta Tester Posts: 29 ✭✭
    Vulcansheart's link is really comprehensive. 

    Marc's suggestion is fantastic.

    I would highly recommend everyone identify a password manager they like and can commit to use. Strong passwords just can't be remembered, because 1) you would need too many of them for all the modern passwords one needs to manage, 2) because the complexity of a strong password makes it difficult to remember and 3) if you use a "number substitution" password for a phrase, seasoned hackers likely know the process you use and have a dictionary with the substitution rule you use.

    I don't recommend using browser based password managers because that locks you into a particular browser. Try an independent app instead. Yes, there are some concerns about the security of some password managers, but I think the 3 market leaders are 

    I use LastPass, but I've read DashLane and 1Password are also great. The price of entry is usually free for the basic functionality. 
  • Marc Member, Beta Tester Posts: 485 ✭✭✭✭✭
    eJony said:
    Vulcansheart link is really comprehensive. 

    Marc's suggestion is fantastic.

    I would highly recommend everyone identify a password manager they like and can commit to use. Strong passwords just can't be remembered, because 1) you would need too many of them for all the modern passwords one needs to manage, 2) because the complexity of a strong password makes it difficult to remember and 3) if you use a "number substitution" password for a phrase, seasoned hackers likely know the process you use and have a dictionary with the substitution rule you use.

    I don't recommend using browser based password managers because that locks you into a particular browser. Try an independent app instead. Yes, there are some concerns about the security of some password managers, but I think the 3 market leaders are 

    I use LastPass, but I've read DashLane and 1Password are also great. The price of entry is usually free for the basic functionality. 
    +1 on the 1Password...  I’ve been using the non subscription version of it for years and it’s served me well.  I’m not sure if they still offer that but I think you can’t go wrong either way.
  • ThorkildIpsen Member, Beta Tester Posts: 1
    Hi
    In the perfect (and safe) world, passwords for Wifi should be like "983!Ei29u!#odei960dheu", but we don't live in the perfect world, and if these random and long passwords are used, they will also be written down somewhere, and that's not safe.  Instead I suggest to develop an easy to remember, but still personal password, like:  "Only4Us#<MyStreetName>" ≈ "Only4Us#BulkStreet" or use a known other name after the "#", like the pet's name or the name of your summerhouse city etc.  It does not really matter what you use, as long as it is something the whole family easily can remember.  
  • Chiefplumber Member, Beta Tester Posts: 9 ✭✭
    Lots of good recommendations in this thread.  I have looked at several password managers and settled on Keeper.  All the other managers have experienced breaches.  The decryption key for Keeper is kept on your device(s) and not in the cloud.  It will sync the databases on all your devices and being third party is browser/device agnostic.  As far as securing your home network ... I found commercial equipment is much more flexible than the typical home router.  For about the same money as a high quality home router, I implemented a Cisco ASA5550.  eBay is a wonderful resource.  This way you can support multiple LANs, AnyConnect (TM) remote access and have industrial strength firewall support.  That beast will actually handle >1Gb per second throughput for all devices all while processing the firewall rules.
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    edited December 2
    @Chiefplumber I also use Keeper for those same reasons, but also in combination with a Yubi USB security key for multi-factor password management.
    As for home routers, the Cisco ASA's are excellent appliances for homeowners looking for second hand enterprise grade equipment, but be careful of big learning curves and hardware that is end-of-life, as it will no longer receive firmware updates for security flaws.
    As a simple, easy to use device with a LOT of flexibility for homeowners looking for business grade security, I recommend the Untangle z4 appliances. Or, build your own box and install Untangle NG Firewall.

  • SimoneSpinozzi Member, Beta Tester Posts: 77 ✭✭✭
    Honestly the highest recommendation to secure your house from attacks is "don't overwhelm yourself with too many devices that might be open to attack."
    When people attack networks they try and find the weakest link, so if even one of your devices is insecure... eh... tough luck.
    All you need is a self updating device that gets an update notice from an insecure source using a vulnerability before it gets plugged.
    I have 24 plugged devices in my house, between stacked cabled routers, wi-fi APs, several computers, radio bridges, printers, etc. etc. etc. I need them all for work.
    It's a security nightmare. Oftentimes I just shut down half of my devices so I have less stuff to take care of and do security check-ups before turning them on again. 😨😰😨😰
    Don't be like me. I (barely) get paid to keep my stuff running. Doing this to yourself because you think it makes your house more comfortable is... I honestly lack a comparison. Just... don't do it. It's the opposite of comfortable...

    ...and why the $%^&%$%^& do you need a juice squeezer that you can control from your phone anyway?! 😂😂😂👍💖
  • Marc Member, Beta Tester Posts: 485 ✭✭✭✭✭

    As far as I know, 1Password has not experienced a breach. Can you forward where you read that? If it has, I’ve got some investigations to do for a new manager.

    thanks

  • ksuevdislivdj Member, Beta Tester Posts: 1

    Regarding password managers, I think that the way they allow you to secure and synchronize your passwords (locally/cloud, etc...) is important. Should they have been breached, look at the number of times they were and have a look at the way they dealt with the problem; it is much more interesting than just relying on the one that might not have detected the breach yet...

    About password, I rather prefer a long sentence: it is generally easy to remember and harder to guess, especially because of punctuation.

  • RainCaster My desk Member, Beta Tester Posts: 16
    Guest WiFi doesn't always work. If you have configured your WiFi router as a WAP, it will create a Guest network, but it will not connect to the network or internet because the Guest network is connected only to the WAN port on the router. VLAN support is a built-in part of Ubiquiti's WiFi solutions, and that works very well.
    As another suggested, a firewall works very well, and I also use Untangle and find it to be a fantastic solution.
  • bena Member, Beta Tester Posts: 16
    edited December 2
    I always think a long password is better than a short random one, what do others think?
    eg Hs6U2!ms
    or ialwaysfeedmydogbeforeigotobed
    I don't believe using ! and 1 for i and 3 for e  etc is very good security 
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    I promote pass phrases, including use of the spacebar. It's much easier for the users to remember, and typically more difficult to be cracked with conventional tools.
    You can always put your passwords to the test:
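
The length-versus-substitution question raised in the posts above, worked through as an added example (not part of any post): it scores a password both as random characters and, once look-alike substitutions are undone, as a run of dictionary words, and keeps the lower figure. The word list is constructed; the 7776-word list size and the cost of one bit per substitution or capital letter are assumptions of this sketch.

```python
import math
import string

# Constructed mini word list, just large enough for the thread's examples.
WORDS = {"the", "sky", "is", "blue", "i", "always", "feed", "my", "dog",
         "before", "go", "to", "bed"}
# Assumption: a guesser's word list holds 7776 entries (the size of a
# Diceware list), so a recognised word is worth at most log2(7776) bits.
WORD_BITS = math.log2(7776)
# Look-alike substitutions that guessing rules routinely undo.
LEET = {"3": "e", "!": "i", "1": "i", "0": "o", "@": "a", "$": "s"}


def brute_force_bits(pw):
    """Bits if each character were picked at random from the classes used."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += 32 if any(c in string.punctuation for c in pw) else 0
    pool += 1 if " " in pw else 0
    return len(pw) * math.log2(pool) if pool else 0.0


def split_words(text):
    """Shortest split of text into WORDS, or None if it cannot be split."""
    best = [None] * (len(text) + 1)  # best[i]: fewest-words split of text[:i]
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            piece = text[start:end]
            if best[start] is not None and piece in WORDS:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(text)]


def estimate(pw):
    """Return brute-force bits, word-model bits and the lower of the two."""
    compact = pw.replace(" ", "")
    plain = "".join(LEET.get(c, c) for c in compact.lower())
    words = split_words(plain) if plain.isalpha() else None
    brute = brute_force_bits(pw)
    if not words:
        return {"words": None, "brute": brute, "dictionary": None,
                "effective": brute}
    # Assumption: each substitution or capital doubles the guesses (1 bit).
    tweaks = sum(c in LEET for c in compact) + sum(c.isupper() for c in compact)
    dictionary = len(words) * WORD_BITS + tweaks
    return {"words": words, "brute": brute, "dictionary": dictionary,
            "effective": min(brute, dictionary)}


if __name__ == "__main__":
    for pw in ("Th3Sky!sBlu3", "Hs6U2!ms", "ialwaysfeedmydogbeforeigotobed"):
        e = estimate(pw)
        print(f'{pw:32} brute={e["brute"]:6.1f} effective={e["effective"]:6.1f}')
```

For a natural sentence the word-model figure is an upper bound, because the words of a sentence are not chosen independently of each other.
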
  • Chiefplumber Member, Beta Tester Posts: 9 ✭✭
    Marc,
    Attached is a link you should read.  1Password is on the list of password managers with issues.
    https://www.washingtonpost.com/technology/2019/02/19/password-managers-have-security-flaw-you-should-still-use-one/

  • eJony Member, Beta Tester Posts: 29 ✭✭
     1Password is on the list of password managers with issues.

    @Chiefplumber isn't it more accurate to say that "1Password was flagged as having a potential vulnerability in February of this year?"

    I wonder if anyone would be left with the impression that 1Password currently has an issue, based on this message and the link you provided?

    I sometimes wonder if people who point out problems with password managers can be compared to people that point out problems in vaccinations. 

  • Marc Member, Beta Tester Posts: 485 ✭✭✭✭✭
    Marc,
    Attached is a link you should read.  1Password is on the list of password managers with issues.
    https://www.washingtonpost.com/technology/2019/02/19/password-managers-have-security-flaw-you-should-still-use-one/

    Thanks @Chiefplumber, I'll take solace in the proximity and steps a hacker would have to take to access the manager's data (See below quote from the article)...  If my system was breached like that, I've got bigger issues than a password manager vulnerability..

    "The bug ISE found raises a different kind of risk: passwords exposed on the memory of individual users’ PCs. Any exposure “puts users’ secret records unnecessarily at risk,” Bednarek wrote in his report. But this discovery is nowhere close to our worst-case scenario. To peer into your PC’s memory, a hacker would likely either need to be sitting at your computer or trick you into installing malware that has control over your computer."
  • Chiefplumber Member, Beta Tester Posts: 9 ✭✭
    Couple of things boys and girls ... any program that does anything useful will always have bugs.  A perfect solution will never exist.  Proving program correctness is one of the most difficult/complex tasks for software developers so, in general, that task is skipped.  Also, most of the published testing uses the laptop/desktop environment for analysis because those systems are the easiest to check.  All these password managers have Android/iOS versions and mobile environments are much more difficult to analyze.  I like systems where no vulnerabilities of any kind were found ... yet.  Gives me hope that the app developers tried to break it in all environments.
  • eJony Member, Beta Tester Posts: 29 ✭✭
     I like systems where no vulnerabilities of any kind were found ... yet.  Gives me hope that the app developers tried to break it in all environments.
    @Chiefplumber
    I like this community because it is free of the flame wars and disrespect sometimes shown on social media. I respect you and your perspective.

    Your thoughts above are insightful and interesting. Your post prompted me to read the full article and then I read the full Independent Security Evaluator report upon which the article was written. 

    I only wonder if the lack of an identified vulnerability is evidence that the software doesn't have any. And I really wonder if a vulnerability in password managers is a good reason not to use one. Because even the article you linked said "Password managers have security flaw[s but,] you should still use one." Seems like a fair bottom line.
  • Chiefplumber Member, Beta Tester Posts: 9 ✭✭
    eJony,
    I think we are in agreement here.  As you noted, I agree with the article which states many have flaws but you should still use one.  Even if the password manager you chose is penetrated, after the vulnerability is fixed ... at least you have everything in one place and can easily change all your passwords.  From my perspective, a lack of an identified vulnerability is not an assurance that one does not exist!  Back to my initial theorem .. any software that does anything useful will always have bugs.  By the way, the corollary to that theorem: if the software has no bugs, it does nothing useful!  However, at least the current state of testing tools has not found one which is a good thing.
  • Ciaran Administrator Posts: 220 admin
    Great conversation and input by all. I do agree about the positive of this Community is that it is generally free from negativity. Everybody is free to an opinion and input (once it is respectful to other community members, even when in disagreement) and we want to keep it that way. Thank you all for your opinions, suggestions & contributions.
  • vulcansheart Member, Beta Tester Posts: 89 ✭✭✭
    I just stumbled on this excellent bulletin posted by the NSA that has great advice for system hardening and best practices to keep your home and identity safe:
  • Brettly61 Member, Beta Tester Posts: 5

    This is a good start. Because if you’re not doing anything proactive you will become a hacker victim.

    Use multi-factor authentication. Use your phone as an encrypted password storage. I personally swear by the iCloud KeyChain. But have lately been using LastPass premium. It’s $3 dollars a month. LastPass is a good solution for people who use both Macs and PC’s.

    But if you’re a twenty something Computer Science student who just got a certificate in Pentesting, you better think twice about practicing your Ethical Hacking on me. Trespassing is still trespassing and instead of being a student you’re going to jail.

    People, don’t be naive, someone outside your window wants into your private computers. And it’s actually pretty easy for these hackers. They thrive on it.
