Secure Your Home Network

We were sitting outside, in front of my house.  My neighbor presses a button on his laptop and the garage door opens.  How the hell did he do that?  To find out, we need to backtrack a few days.  I was setting up some wireless security cameras.  To connect them to the Wi-Fi network, these cameras first connect to an app on my smartphone.  I enter the network password in the app and it gets sent, wirelessly, to the camera.  Sounds nice, right?  The not so nice part is that when the app sent the password to the camera, it did so without encrypting it.  I basically broadcast my Wi-Fi password, and my neighbor was listening.

Just imagine coming home from work and finding that your house has been robbed.  No signs of forced entry, no evidence whatsoever.  It’s like the thief had a key to your house.  Thanks to your “cloud connected” door lock that can be unlocked with your phone, he did.  How does one protect themselves?

One option is to not have any smart devices, or to not connect them to the internet.  Pretty simple concept.  The rule of thumb is “if it connects to the internet, it can be hacked”; surely the inverse of that must be true, right?  Not necessarily.  A more accurate rule would be, “if it has an operating system, it can be hacked”.  Try as you might, you won’t be able to hack my red Swingline stapler.  For those of us who want to have our cake and eat it too, here are a few simple tips.

Don’t Use WPS

WPS is convenient.  You press a button on your router and device and they connect.  Sure, this sounds secure, and arguably it is.  This is due in part to the fact that an attacker has to have physical access to your router to exploit this.  Let’s face it, if an attacker has physical access to your router, that may be the least of your problems.

The problem with WPS is that you also have to use a PIN.  A simple 8-digit PIN.  This is for any device that doesn’t have a button to press to connect.  There are 100,000,000 possible 8-digit codes.  This may sound like a lot, and if we were talking about money, it is.  A typical desktop PC can brute force that PIN in less time than it takes for you to finish reading this sentence.  Most consumer routers don’t have a limit on how many times one can enter the PIN incorrectly, so an attacker can try every combination until he gets it right.

Instead, use a secure password with WPA2.  If possible, set the encryption algorithm to AES as it is more secure than TKIP.  Of course, this won’t do any good if you don’t follow the next tip.

Don’t Give Out Your Wi-Fi Password

You have guests over at your house for a gathering.  Your sister-in-law asks you the dreaded “what’s your Wi-Fi password?”.  Without thinking, you give it to her.  She loses her phone and the kid next door finds it.  Now, that little snot-nose punk isn’t about to do the honorable thing and return it.  He now has a device connected to your network and he’s going to exploit it.  Sound like an unlikely scenario?  It’s not as far-fetched as you think.

Any wireless router worth its salt has the ability to create a guest wireless network.  A guest network would be completely isolated from your main network and devices on the guest network would be isolated from each other.  This means, if your sister-in-law connects to your guest network and the kid next door gets his hands on her phone, he won’t be able to see other devices on your guest network or anything on your internal network.

Set Up VLANs

This one is for more advanced users.  In all likelihood, any router you find at Best Buy will not support this feature.  To set up a VLAN, you will need a business-grade switch and router.  For the router, most people prefer to install the software on an old PC and use that as their router.  There are a lot of good software appliances out there from Sophos, pfSense and Untangle, just to name a few.

VLAN stands for Virtual Local Area Network and, to over-simplify it a bit, allows you to run multiple networks on the same networking hardware.  The benefit to this is you can have separate networks for your devices.  Let’s look at an example setup.

  • Internal network on 192.168.0.0/24 network.
  • Guest Wi-Fi on 172.16.0.0/28 network.
  • Cloud connected devices on 10.192.1.0/28 network.

Firewall rules have been configured not to allow any communication between the three networks, but allow access to the internet.  We also enabled client isolation on the guest Wi-Fi and cloud connected devices networks so that devices on those networks cannot see each other.  All of the Wi-Fi networks are secured with WPA2 and AES encryption.  Most importantly, they have strong, unique passwords.  This way, if someone breaks into my guest or cloud connected devices networks, the most they can do is get out to the internet; they will not have access to my other networks or devices on those networks.

We can take this a step further with firewall rules and web filtering.

Oftentimes, a cloud connected device needs to communicate with a server on the internet.  Your smartphone also communicates with this server, allowing you to control the device.  In this case, the server acts as the middle man between your device and smartphone.  We can configure firewall rules that will allow communication from the cloud connected device only to that server.

We can use web filtering to lock down the guest Wi-Fi network.  I don’t want people on my guest Wi-Fi network going to any sites with questionable content, so I blocked them with the web filter.  We can also block email so that clients cannot send out spam email from your network.  Remember, in some jurisdictions, anything illegal someone does with your internet connection could be your responsibility.  Take steps to protect yourself.
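
The firewall policy described above (no traffic between the three networks, cloud connected devices limited to one server, no outbound email from guests) can be checked on paper before it is typed into the router.  The following is an added example, not part of the original post or of any router's software: a small first-match rule evaluator using the three example networks.  The vendor server address 203.0.113.10 and the mail port list are assumptions made for illustration.

```python
import ipaddress as ip

# Networks from the article's example setup.
NETS = {
    "internal": ip.ip_network("192.168.0.0/24"),
    "guest": ip.ip_network("172.16.0.0/28"),
    "iot": ip.ip_network("10.192.1.0/28"),
}
# Assumption: placeholder vendor server (RFC 5737 documentation address).
VENDOR = ip.ip_network("203.0.113.10/32")
ANY = ip.ip_network("0.0.0.0/0")
MAIL_PORTS = {25, 465, 587}  # assumption: SMTP and mail submission ports

# Ordered rules, first match wins: (source, destination, ports or None, action).
RULES = [
    (NETS["iot"], VENDOR, {443}, "allow"),       # cloud devices reach only their server
    (NETS["iot"], ANY, None, "deny"),            # ...and nothing else
    (NETS["guest"], NETS["internal"], None, "deny"),
    (NETS["guest"], NETS["iot"], None, "deny"),
    (NETS["guest"], ANY, MAIL_PORTS, "deny"),    # no outbound mail from guests
    (NETS["guest"], ANY, None, "allow"),
    (NETS["internal"], NETS["guest"], None, "deny"),
    (NETS["internal"], NETS["iot"], None, "deny"),
    (NETS["internal"], ANY, None, "allow"),
]

def decide(src, dst, port):
    """Return 'allow' or 'deny' for a new connection; unmatched traffic is denied."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for rsrc, rdst, ports, action in RULES:
        if s in rsrc and d in rdst and (ports is None or port in ports):
            return action
    return "deny"

def leaks():
    """List every (source network, destination network) pair the rules let through."""
    found = []
    for a, na in NETS.items():
        for b, nb in NETS.items():
            if a == b:
                continue
            # Probe from the first host of one network to the first host of the other.
            if any(decide(str(na[1]), str(nb[1]), p) == "allow" for p in (22, 25, 443)):
                found.append((a, b))
    return found

if __name__ == "__main__":
    print("cross-network leaks:", leaks())
```

Because the first matching rule wins, the order matters: moving a broad "allow to anywhere" rule above the deny rules would reopen the path between networks, and leaks() would report it.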

How do you protect your home network?  Let me know in the comments below.