When it comes to securing our home, we find it normal to buy good locks, close the doors and windows when we leave, and keep the lights on at night when we are not at home. We don’t want anyone to break into our house. But when it comes to home network security, we don’t want to invest too much time or money in it, even though most valuables these days are digital!
Home network security is the same as securing your house: you want your house to be more difficult to break into than that of somebody else in the street. Adding layers of security will slow burglars down and increase the chance they will leave before they get a chance to break in.
The strategy for securing our home network is pretty much the same. We make sure all the doors are closed, add layers of security and keep our paths well lit. As a SysAdmin I know everything about securing networks and in this guide, I will help you secure your network.
Step 1 – Securing the router
We are going to start at the beginning of our home network and work our way down to the clients. Your network starts with the internet connection from your ISP. The ISP may provide you with a modem or a modem/router combo.
Tip 1 – Don’t use the router supplied by your ISP
The routers supplied by ISPs are known to be less secure than others. They have hard-coded support credentials in them, don’t get updated very often and will give you fewer settings to secure the network. You should really “invest” in a good router. They don’t have to be expensive; you can buy a good router for between $50 and $120.
With your own router, you are in control of your network. While your ISP may have access to the router they supplied, they can’t get access to your network. If the support credentials are leaked or there is a security flaw in the router, you will be protected by your own router. So a good router is money well spent when it comes to home network security.
Read this article if you want to know more about which router you should buy and how to set it up.
Change the default password
With any router, the first thing you do is change the default password (and username). This is something you should do with every network device. The default password of routers can be found online so hackers will always try to use those credentials to gain access.
Log in to your router (open a browser and visit http://192.168.0.1 or http://192.168.1.1) and change the password. Every router is different, but try the settings page or the setup wizard. If you can’t find it, refer to the manual for instructions on changing the password.
Use a strong password and store it in a password manager on your own computer and/or online. This way you don’t have to remember all the passwords and you can easily use different strong passwords for all your accounts.
Update the firmware
Most firmware updates contain security fixes and performance updates. Keeping your network equipment up-to-date ensures you are less vulnerable to known security flaws in the router’s software.
Tip 2 – Keep firmware up to date
Some routers will check for updates themselves and allow you to install them from the settings or management page. For other routers, you will need to check for updates on the website of the manufacturer.
A simple Google search on the model of your router plus the keyword firmware update will lead you to the correct download page.
Disable remote access to the router
The management interface of the router shouldn’t be available from the internet. You should only manage your router from within your local network. So disable this setting if you find it turned on in your router.
Change the default DNS servers
Your ISP will provide you with a DNS server. But these servers don’t do anything other than redirect you to the proper server based on the DNS records. For example, if you are visiting Google.com, the address “Google.com” will be translated to the corresponding IP address of Google’s servers.
Tip 3 – Use a DNS server that offers security
OpenDNS, part of Cisco, does a little bit more than simply redirecting you to the proper server. It will protect you from phishing websites, malware, botnets and malicious websites. It also offers parental controls so you can add some web filtering to your network.
By changing the DNS server at the router level, your whole home network will be more secure. Every device is automatically protected by the DNS servers.
Besides the security advantages for your home network, OpenDNS is also one of the fastest DNS servers. It will translate the requested domain name (google.com for example) up to 3 times faster than the default DNS servers of your ISP.
If you want to know more about DNS servers and are more interested in finding the fastest DNS Server, then make sure you read this article.
The best firewalls are not installed on your computer but are hardware-based, built into your router or maybe even a dedicated firewall device. For home users, the most common firewall is built into the router.
Always keep the firewall in the router turned on and if your router doesn’t come with a firewall, make sure you buy a good router that has one. Firewalls protect your network from potential cyber-attacks by blocking all unknown network traffic.
If you want to use a program or game that is unable to connect then don’t disable the firewall, but open the specific port that the game or program needs.
Step 2 – Wireless Network Security
Another important part of your home network is your wireless network. The WiFi network is broadcast through your house and can even be reached outside your house. Because the wireless network is preconfigured when you buy a router or access point, most people don’t look at the settings at all, resulting in a network security risk.
As part of your home network security plan, you should take a few minutes to secure your wireless network. Remember, it’s all about adding layers to your network security. The more layers you add, the more difficult it will be for someone to gain access to your network.
Changing the default passwords
As always with network equipment, start with changing the default password. The default logins are provided by the manufacturers and can be found on the internet. So the first thing you do is change the default password to a strong and secure one.
Don’t use the same password for all your network equipment; just generate a password in your password manager.
Most routers or access points are equipped with WPS, WiFi Protected Setup. This allows you as a user to easily connect a device with the push of a button on your router. Behind the WPS protocol is only an 8-digit PIN code that “secures” the connection.
Without pushing the button, you can try to connect to the WPS-enabled network by using the PIN code. The problem with WPS is that it only checks the first 4 digits, making it really easy to crack. When using the button to connect, the connection information is broadcast for a couple of minutes, allowing any device to connect to the network.
So if you find WPS is enabled on your router, disable it, because leaving it on is a huge home network security risk.
Change the default wireless network
Every access point comes with a preconfigured wireless network. The wireless network name (SSID) and password can most of the time be found on the back or bottom of the device.
By changing the default wireless network name you make it harder for hackers to find out what type of router or access point you have. If they know the manufacturer of your device they can easily find the security vulnerabilities of your device.
Give your wireless network a name that says nothing about you. So don’t name it after your family name or house address. Also, make sure you add a strong password to it: at least 12 characters, but the more the better. Using a password sentence is a good practice to create secure passwords.
Use secure protocols
Always use the latest security protocols for your wireless network. WEP and WPA are outdated and shouldn’t be used anymore. Every device these days can connect to a wireless network that is secured with WPA2.
The advantage of WPA2 is that it uses the latest security protocols and AES encryption, making sure the network traffic can’t be intercepted.
WPA3 is coming up and you will see more devices in 2020 supporting WPA3. If you have a router or access point that supports WPA3, make sure that your client devices (mobile phones, computers) also support it.
Turning your wireless network off
Some articles online recommend turning your wireless network off when you are not home. Now, this might seem a logical thing to do: if your network equipment is turned off, nobody can hack it.
But keep in mind that we have more and more smart home equipment in the house these days that requires a network connection to function. Your smart thermostat won’t work if it can’t get access to the internet. Your lights might not turn on, or your security camera can’t send an alert when it detects motion.
Use MAC Address filtering
By default every device that knows the wireless network password can access the network. If you really want to beef up your security you should enable MAC Address filtering. A MAC address is a unique network address that every network device has.
With MAC Address filtering you can really control which devices are allowed to access your network. But this requires looking up the MAC address of every device and adding it manually to your router or access point. Not really user-friendly, but a real security improvement.
An easy way to find the MAC addresses of your current network devices is using Advanced IP Scanner. This tool scans your network and lists the IP and MAC addresses of every device.
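Once the allowlist is in place, you can compare what is actually on the network with the addresses you entered. The Python script below is an added example, not part of the original guide; it reads neighbor-table text in the format of Linux `ip neigh` or Windows `arp -a`, and the sample output and allowlist in it are constructed. It also marks private (randomized) addresses, which phones and laptops often use per network and which have to be allowlisted in that form.

```python
import re

# aa:bb:cc:dd:ee:ff (Linux "ip neigh") or aa-bb-cc-dd-ee-ff (Windows "arp -a")
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(mac):
    """Lower-case, colon-separated form so both notations compare equal."""
    return mac.lower().replace("-", ":")

def audit(neighbor_output, allowlist):
    """Return (ip, mac, randomized) for every device not on the allowlist."""
    allowed = {normalize(m) for m in allowlist}
    seen, findings = set(), []
    for line in neighbor_output.splitlines():
        mac_m, ip_m = MAC_RE.search(line), IPV4_RE.search(line)
        if not (mac_m and ip_m):
            continue  # header, IPv6-only or incomplete (no MAC learned) entry
        mac = normalize(mac_m.group())
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01 or mac in seen:
            continue  # broadcast/multicast entry, or device already handled
        seen.add(mac)
        if mac not in allowed:
            # Bit 0x02 set = locally administered, typical of the private
            # (randomized) Wi-Fi addresses phones and laptops use per network.
            findings.append((ip_m.group(), mac, bool(first_octet & 0x02)))
    return findings

# Constructed sample: Linux "ip neigh" lines followed by Windows "arp -a" lines.
SAMPLE = """\
192.168.1.1 dev wlan0 lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.23 dev wlan0 lladdr a4:83:e7:aa:bb:cc STALE
192.168.1.57 dev wlan0 lladdr 5a:1f:09:de:ad:01 REACHABLE
192.168.1.99 dev wlan0  FAILED
  192.168.1.80          00-1A-2B-3C-4D-5E     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
# Constructed allowlist: the devices you looked up and entered in the router.
ALLOWLIST = ["3C:22:FB:10:20:30", "a4-83-e7-aa-bb-cc"]

if __name__ == "__main__":
    for ip, mac, randomized in audit(SAMPLE, ALLOWLIST):
        note = " (randomized address, allowlist it per network)" if randomized else ""
        print(f"not on allowlist: {ip} {mac}{note}")
```

To use it on your own network, pass the saved output of `ip neigh` or `arp -a` to `audit()` instead of `SAMPLE`.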
Update the firmware
Just like with your router, update the firmware of your access point. This way you are up to date with the latest security fixes for your network device.
Use a separate guest network
If you have guests coming over, they might want to use your wireless network. That is pretty normal, but keep in mind that their computer or mobile phone can have a virus on it. By giving them access to your network, you risk them infecting your computers as well.
By creating a separate guest network you prevent this from happening. Check out this article if you want to know more about creating a guest network.
Step 3 – Securing the client devices
The last step in our home network security guide is securing the clients (your computer and mobile phones). By using OpenDNS we already added a security layer for our clients as well. But there is more to do.
Make sure you keep your devices up to date. Windows updates can be annoying, but they will protect you from known security issues. Other important programs, like your browser, Java, and PDF readers, should be updated regularly as well.
Use VPN Software
By using VPN software like NordVPN, Surfshark, or ExpressVPN you can protect all your internet traffic. With a VPN you create an encrypted tunnel (connection) to another server, keeping yourself anonymous.
Using a private VPN is really recommended when you are using a lot of public networks, like at school or on public transport. But VPNs are not only interesting from a security standpoint; they also allow you to watch movies or series on Netflix that are not available yet in your region.
Surfshark for example gives you access to 13 different Netflix libraries! If you want to know more about VPNs you should read my review here.
Most people have antivirus software on their computers. It protects you against common and known viruses, which is good. But the real threat these days is ransomware that encrypts every file and photo on your computer.
The only way to protect against this is to use an advanced antivirus that can recognize the patterns of ransomware and block or kill the process before it can do real damage. Personally, I am a great fan of Sophos. I have used it for more than 10 years now, both in enterprise and in home environments. Sophos isn’t well known in the consumer market, but it’s one of the leading antivirus solutions in the corporate world.
Tip 4 – Invest in good anti ransomware software
The antivirus solution from Sophos is free for 3 devices, but I really recommend you spend the $50 a year for the Premium version. It allows you to install Sophos on 10 devices and protects you against malware, ransomware, viruses, and even new unknown viruses.
Just give the trial a go. Sophos Home comes with a central dashboard to manage all the devices and set up things like parental controls if you want.
Check if your accounts are compromised
While you might have done everything to protect your home network, your online accounts are important as well. Big sites, like LinkedIn and Adobe, have been hacked before. These kinds of sites are honeypots for hackers: they contain millions of accounts, and when hacked the data can be sold to other criminals.
You can easily check whether your account has been breached as well, based on your email address. Just run it through Have I Been Pwned and set up a notification.
Final thoughts on Home Network Security
Remember that digital assets are harder to replace than physical things. If your TV is stolen you can easily replace it. Yes, it will cost you money, but you can buy a new one. If your holiday photos or the photos of your kids are lost due to ransomware, you can’t replace them.
So you should take securing your home network really seriously. Invest in a good router and decent antivirus / anti-ransomware software. Take your time to go through the settings of your router and access point and make sure you use strong passwords.
If you have any questions, just drop a comment.