Securing Your Home Network Trilogy

2022.10.12

Who can access your home network? With the proliferation of the Internet of Things (IoT), sometimes there are more services running on your home network than you might think. We should try to protect it from unwanted access.

The typical structure of an internet connection today is that you have a router in your home, usually a small box located somewhere in the house, that acts as the gateway to the rest of the internet. The router creates a local network to which you connect your devices: your computer, phone, TV, game console, and anything else that needs to reach the internet or each other. It's easy to think of the router as a dividing line with the internet on one side and your devices on the other. That is a badly misleading mental model, because in reality your router has the whole world of computer networking on one side and your digital life on the other. When you use the internet, you are accessing a shared area of someone else's computer network. That network doesn't go away when you aren't using it, and there are countless scripts and programs designed to reach millions of routers in an attempt to find open ports or services. With the following three steps, you can audit and protect your home network from unwanted access and attacks.

1. Consent first

Part of a router's job is to separate the internet from your home network. But when you use the internet, you invite parts of it into your home. In effect you create an exception to the general rule that the internet is not allowed to reach into your local network.

On many websites, only text passes through your router. When you visit your favorite blog and read the latest tech news, for example, you download a few pages of text. You read the text and then move on. This is a simple one-to-one exchange.

However, the HTTP protocol (and its encrypted form, HTTPS) is powerful, and the applications that run over it are enormously varied. When you visit a website, you don't just download text. You get graphics, and maybe a script or an ebook. You also download cookies in the background, which help webmasters understand who is visiting the site, improve mobile support, provide new designs for better accessibility, and learn what readers like. When you browse the web, you probably don't think of cookies or traffic analytics as things you interact with; they are things "hidden" in a page that interact with you, because HTTP was designed to be broad and general, and in most scenarios very trusting. When you visit a website over HTTP (or rather, in a browser), you tacitly agree by default to the automatic download of files that you may consider useful and harmless. For a file-sharing model designed to require less trust, try the Gemini or Gopher protocols.

You use a similar arrangement when you join a video conference: you download not only the text on the page and the cookies used for traffic monitoring, but also the video and audio streams, and you send your own camera and microphone back out.

Some websites go even further and are designed to let users share their screen, and sometimes hand over control of their computer. This is meant to help remote technicians fix problems, but in practice users have been tricked into visiting such sites, with the theft of financial credentials and personal data as the result.

If a site that offers text articles asks you to let it turn on your webcam while you're reading, you should be on high alert. You should exercise the same caution when a device asks for access to the internet. When you connect a device to your network, pay attention to what you are implicitly consenting to. A device designed to control the lighting in your house shouldn't require internet access, yet many do, and they don't make it clear what permissions you are granting. Many IoT devices want to be connected to the internet so that you can reach the device when you're away from home; that is part of the appeal of the "smart home". But you can't know what code is running on every device. Where possible, use open source, trusted software such as Home Assistant to interface with your IoT devices.

2. Create a guest network

Many modern routers can create a second network in your home, often called a "guest network" in the configuration panel. You might think you don't need one, but a guest network makes a lot of sense. It is designed to give visitors internet access without you having to hand out your private network's password. For example, in the foyer of my house I have a sign with the name and password of the guest network, and anyone visiting can join it to reach the internet.

It can also be used for IoT, edge devices and home-lab experiments. When I bought "programmable" Christmas lights last year, I was surprised to find that in order to control the lights, they had to be connected to the internet. Of course, these $50 lights from a no-name factory didn't come with source code, nor any way to interact with or inspect the firmware embedded in the adapter, so I had qualms about connecting them to my local network. They have been permanently relegated to my guest network.

Every router vendor is different, so there are no universal instructions for creating a sandboxed guest network. Generally, you administer a home router through a web browser. The router's address is sometimes printed on the bottom of the device; it is a private address, typically starting with 192.168 or 10 (192.168.0.1 and 192.168.1.1 are common defaults).
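If there is no sticker, a Linux machine on the network can tell you where the router is: it is the default gateway. The script below is an added example, not part of the original article. It assumes the iproute2 `ip` command and adds the check a practitioner wants, that the gateway is in a private range; the route line in the comment is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: find the router's address from a
# Linux machine on the network instead of looking for a sticker. Assumes the
# iproute2 `ip` command; the route line quoted below is constructed.

# Pull the gateway out of one line of `ip route show default`, e.g.
#   default via 192.168.1.1 dev wlan0 proto dhcp metric 600
gateway_from_route() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# A home router's LAN side should sit in an RFC 1918 private range:
# 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. Anything else means this
# machine is probably not directly behind your home router (bridge mode,
# tethering, a VPN tunnel) and the address is not the router's admin page.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Candidate admin URLs for a gateway address (most routers answer on one of them).
router_urls() {
    printf 'http://%s/ https://%s/\n' "$1" "$1"
}

# Live lookup, only when asked for, so the functions above stay side-effect free.
if [ "${FIND_ROUTER:-0}" = "1" ]; then
    gw=$(gateway_from_route "$(ip route show default | head -n 1)")
    if [ -z "$gw" ]; then
        echo "no default route: this machine is not on a routed network" >&2
        exit 1
    fi
    if is_rfc1918 "$gw"; then
        echo "router at $gw; try $(router_urls "$gw")"
    else
        echo "gateway $gw is not a private address; check how this machine is connected" >&2
    fi
fi
```

Run it as `FIND_ROUTER=1 bash find-router.sh` (the file name is an assumption). If the gateway is not a private address, stop and work out what you are actually connected to before typing an admin password into it.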

Visit the router's address and log in with the credentials you used when you set up your internet service. These are often simply "admin" and a default password (sometimes also printed on the router). If that is still the case, change the password now: the default is known to anyone who has the same model. If you don't know how to log in, call your internet provider or the manufacturer for advice.

In the GUI, find the "Guest Network" panel. This option is in my router's advanced configuration, but it might be elsewhere on yours, it might not be called "Guest Network", and it might not exist at all. The specifics vary by manufacturer.

Create a guest network

This may take some patient searching. If your router has the option, you can set up a guest network for visitors and for the apps running on your untrusted lightbulbs. Check that the guest network is really isolated from your main network: many routers have a setting along the lines of "allow guests to access my local network", which should be off, and some offer client isolation so that guest devices can't see each other either.

3. Configure the firewall

Your router probably already has a firewall running by default. A firewall keeps unwanted traffic out of your network, usually by letting in only the replies to connections you initiated (browsing a website, for instance) and dropping inbound connections you didn't ask for. You can check whether the firewall is enabled by logging into your router and looking for the "Firewall" or "Security" settings. While you're there, look for port-forwarding rules you don't recognize and for UPnP, which lets devices on your network open holes in the firewall by themselves; turn it off unless you know you need it.

However, many devices can run their own firewalls. A network is called a network because the devices on the network can connect to each other. Setting up a firewall between devices is like locking a door in your house. Guests can wander the halls, but they won't be invited into your private office without the right key.

On Linux, you can use the firewalld interface and the firewall-cmd command to configure the firewall. On other operating systems, the firewall is usually found in a control panel labeled "Security" or "Sharing" (sometimes both). Most default firewall settings allow only outbound traffic (traffic you initiate, such as opening your browser and navigating to a website) and the inbound traffic that answers your requests (the web page that comes back). Inbound traffic you didn't initiate is blocked.

You can add rules as needed to allow specific inbound traffic, such as SSH connections, VNC connections, or a game server you host. Scope each rule as narrowly as you can: allow a service only from the addresses that need it rather than from anywhere.
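The difference between a broad exception and a narrow one is easiest to see with firewalld itself. The script below is an added example, not code from the article or from the firewalld project. It assumes firewalld is installed and running, that your interface sits in the "public" zone, and that your LAN is 192.168.1.0/24; adjust `ZONE` and `LAN_SUBNET` to match. The weak setting is `--add-service=ssh`, which accepts SSH from any address that can reach the host; the corrected setting is a rich rule that accepts the same service only from the LAN.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or the firewalld project.
# Assumes firewalld is running, the interface is in the "public" zone and the
# home LAN is 192.168.1.0/24. Override with environment variables if not.
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
ZONE="${ZONE:-public}"

# Rich rule accepting one named service (ssh, vnc-server, ...) only from one
# source subnet. The broad alternative, `--add-service=ssh`, has no source
# restriction at all.
lan_only_service_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Same idea for a raw port, e.g. a game server on 25565/tcp.
lan_only_port_rule() {
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept' "$1" "$2" "$3"
}

# Audit what the zone exposes right now (run before and after changing it).
show_exposure() {
    firewall-cmd --state
    firewall-cmd --get-active-zones
    firewall-cmd --zone="$ZONE" --list-all
}

# Replace an "open to everyone" service with the LAN-only rule.
# --permanent edits the saved configuration; --reload makes it live.
apply_lan_only_service() {
    service=$1
    rule=$(lan_only_service_rule "$LAN_SUBNET" "$service")
    # Weak setting: the service is enabled for the whole zone with no source check.
    if firewall-cmd --permanent --zone="$ZONE" --query-service="$service" >/dev/null 2>&1; then
        firewall-cmd --permanent --zone="$ZONE" --remove-service="$service"
    fi
    # Corrected setting: accept it only from the home LAN.
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    firewall-cmd --reload
}

apply_lan_only_port() {
    rule=$(lan_only_port_rule "$LAN_SUBNET" "$1" "$2")
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule"
    firewall-cmd --reload
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    show_exposure
    apply_lan_only_service ssh
    show_exposure
fi
```

Run it as root with `FIREWALL_APPLY=1` to switch SSH from "anyone" to "LAN only"; call `apply_lan_only_port 5900 tcp` the same way for VNC. The before-and-after `--list-all` output is the check: `services:` should no longer list ssh, and the `rich rules:` line should carry the source restriction.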

Monitor your network

These tips build your awareness of what is happening around you. The next step is to monitor your network. You can start simply, for example by running Fail2ban, and by reading your router's logs if it provides them. You don't need to know everything about TCP/IP and packets to see that the internet is a busy and noisy place. Install a new device in your home, whether IoT, mobile, desktop, laptop, game console or even a Raspberry Pi, watch the logs, and seeing that noise first-hand can inspire you to take precautions.
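What "reading the logs" turns up, and what Fail2ban automates, is the same small calculation: count failed logins per source address and act on the ones that cross a threshold. The script below is an added example, not code from the article or from Fail2ban. The sshd log lines are constructed for this example (the hostname, user names and addresses are made up); on a real system feed it `journalctl -u sshd` or /var/log/auth.log instead.

```shell
#!/usr/bin/env bash
# Added example, not from the original article or from Fail2ban: the check
# Fail2ban automates, done by hand over sshd log lines. The log below is
# constructed for this example; the host, users and addresses are invented.
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Oct 12 03:14:01 homebox sshd[1201]: Failed password for root from 203.0.113.7 port 52314 ssh2
Oct 12 03:14:03 homebox sshd[1201]: Failed password for root from 203.0.113.7 port 52316 ssh2
Oct 12 03:14:05 homebox sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 52320 ssh2
Oct 12 03:15:10 homebox sshd[1204]: Accepted publickey for alice from 192.168.1.20 port 41022 ssh2
Oct 12 03:16:44 homebox sshd[1207]: Failed password for invalid user pi from 198.51.100.23 port 60012 ssh2
EOF
)

# Read log lines on stdin; print "count ip" for every address that failed a
# password login, most active first. Only sshd "Failed password" lines count,
# so the successful key login in the sample is ignored.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break }
         }' | sort | uniq -c | sort -rn
}

# Print only the addresses at or above a failure threshold (default 3). This is
# the decision Fail2ban makes just before it adds a temporary firewall ban.
offenders() {
    threshold=${1:-3}
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run over the constructed sample: the per-address table, then the
# addresses that would be banned at a threshold of 3 (only 203.0.113.7 here).
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | offenders 3
```

On a live host, `journalctl -u sshd --since today | offenders 5` gives you the day's candidates; Fail2ban does the same continuously and adds the firewall rule for you, which is why it is a sensible first monitoring step.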