Keep a Clean Machine On Your Home Network

February 26, 2015

We’re going to discuss some of the steps you can take to make your home network a little more secure. Nothing is 100% foolproof, but there are steps you can take ‒ using a layered approach ‒ that will improve your online security and reduce your chances of becoming a victim.

The following list of best practices is not all-inclusive because as technology changes, threats and vulnerabilities also change. These changes may affect how you would implement one or all of the recommendations. The list is also not in any order of precedence.

  1. Change the default username and password for your router. Some routers do not allow you to change the username, but all consumer routers should allow you to change your administrator password as a minimum. Do your best not to leave the key in the door and let someone in without your knowledge.
  2. Create a network configuration document to guide you in making future changes. The network configuration document will contain things like the media access control (or MAC) addresses, the make and model information of specific devices on your network, the operating systems on each, white-list/black-list details, etc. This can be very important for the home user as you add more and more devices to your network. In business, this type of document is used as part of a change control program. An example network configuration document you can use as is or modify to suit your needs is available on the Cybersecurity for Everyone website.
  3. Protect your network configuration document from unauthorized access. Use a password to protect the document, or store it in an encrypted folder to make sure only you or someone you trust can access it. Anyone with access to your network configuration document will have the keys to your kingdom. 
  4. Limit which devices can access your network. Setting up MAC address filtering is an excellent way to limit the number of authorized devices on your network. You might hear this called an “access control list” in which you record the white-listed (allowed access) or blacklisted (denied access) devices depending on what is best for your situation/environment. Each device with a network interface has a MAC address. Check your router’s documentation for details on how to implement this simple step. You should also implement MAC filtering for your wireless devices.
  5. Keep a tidy network. This is similar to the topic we just discussed and adds another layer of security by limiting the total number of devices that can connect to your network by stipulating the total number of IP addresses available for your network. This is done by using your router to provide your IP addresses through the Dynamic Host Configuration Protocol (DHCP). This will allow you to specify a total range of IP addresses available for devices on your network. For example, if you only have eight devices on your network, you can set the range of IP addresses that your router provides through DHCP to a total of eight IP addresses. When combined with MAC filtering, this can be very powerful.
  6. Turn off wireless access to your router if you are only using Ethernet-connected devices. You might also consider disabling the wireless access on your router at night when you’re not using your wirelessly connected computers or smartphones to access the Internet. This can easily be accomplished on most routers by configuring a daily schedule.
  7. Implement wireless security if you are using wireless devices on your network. You can help improve your wireless security by making a few changes to your router’s default configuration.
    1. Most routers come with a default name for the wireless network. This name is known as the service set identifier or SSID. For example, a Linksys router’s SSID is typically “Linksys” straight out of the box. It is a good idea to change the SSID to something that does not identify the brand of router and is not easily associated with you or your business unless you are providing free Wi-Fi for customers or guests. Keeping the default SSID could make it easier for an attacker to find vulnerabilities for your wireless router. Many home users will use their name when they do change the SSID. For example, if your last name is Smith, you should not use “Smith’s Wi-Fi” as the SSID. In both of these cases it would be better to set an SSID that is a little less descriptive. In fact, it doesn’t even have to be a real name.
    2. The next thing you should do is disable broadcasting of the SSID. A determined attacker can still figure this out with the right tools, but why make it easy? Only you need to know the SSID when adding devices to your network.
    3. Last but not least, set up encryption. The best encryption available on today’s routers is known as Wi-Fi Protected Access 2 (WPA2). Some routers will allow you to set a passphrase for your encryption, while others will create a passphrase for you. If your router allows you to set your own passphrase, consider using the same principles recommended when creating a password. Make it complex and make it at least 15 characters long. You'll need to know the passphrase when you are adding devices to your network unless you are using WPS. See the next section for information on the risks of using WPS.
  8. Disable Wi-Fi protected setup (WPS) if possible. WPS can be used to recover your encryption keys and allow an attacker access to your network. If your router supports Wi-Fi protected setup (WPS), you should disable this feature after you have added all of your devices to the wireless segment of your network.
  9. Block harmful and/or offensive websites. This last recommendation is one of the least expensive things you can do, but it may actually give you some of the best protection for the buck (it’s free!). The domain name system (or DNS) is essentially the phone book for the Internet. Each time you type in a domain name, your DNS server translates that domain name into the IP address your computer needs to reach it. Typically your DNS servers are provided by your Internet service provider. The DNS services mentioned below block known websites hosting malware, botnets and phishing scams and also filter information by content categories such as pornography, mature content, abortion, alcohol, crime, drugs, file sharing, gambling, hate, suicide, tobacco or violence through DNS. These DNS services can also improve the speed and reliability of your Internet connection.

    The level and type of protection you are interested in may drive which option you think is best for your situation. Options include OpenDNS, Norton ConnectSafe, Google Public DNS and Comodo Secure DNS.

    Both OpenDNS and Norton ConnectSafe allow you to filter unwanted content such as pornography, sites about drugs, etc. The last two options do not filter out undesired content; however, they do provide enhanced security by blocking known malware, phishing and spyware sites.
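Items 2, 4 and 5 above work together: the network configuration document is the allow/deny list, and the router's DHCP lease table shows who is actually connected. The following script, added here as an illustration and not part of the original article, compares a constructed configuration document (CSV) against constructed dnsmasq-style lease lines, normalizes MAC addresses written in different notations, and flags devices that are denied or undocumented, plus any DHCP addresses beyond the number of documented devices. All MAC addresses, hostnames and the CSV column names are invented for the example.

```python
import csv
import io
import re

# Constructed network configuration document (item 2): one row per device.
INVENTORY_CSV = """\
mac,make_model,os,list
00:11:22:33:44:55,Dell XPS 13,Windows 8.1,allow
AA-BB-CC-DD-EE-01,Apple iPhone 6,iOS 8,allow
aabb.ccdd.ee02,Old Nexus 7,Android 4.4,deny
"""

# Constructed dnsmasq-style lease table: expiry mac ip hostname client-id.
LEASES = """\
1424995200 00:11:22:33:44:55 192.168.1.10 xps13 01:00:11:22:33:44:55
1424995300 aa:bb:cc:dd:ee:01 192.168.1.11 iphone 01:aa:bb:cc:dd:ee:01
1424995400 aa:bb:cc:dd:ee:02 192.168.1.12 nexus7 *
1424995500 de:ad:be:ef:00:99 192.168.1.13 * *
"""

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits; accepts colon, dash and
    Cisco dotted notations and raises ValueError for anything else."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def load_inventory(text):
    """Map normalized MAC -> row of the configuration document."""
    return {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def audit_leases(lease_text, inventory, pool_size):
    """Classify each lease as allow, deny or unknown, and report how many
    DHCP addresses exceed the number of documented allowed devices (item 5)."""
    findings = {"allow": [], "deny": [], "unknown": []}
    for line in lease_text.splitlines():
        _expiry, mac, ip, hostname, _client_id = line.split()
        entry = inventory.get(normalize_mac(mac))
        findings[entry["list"] if entry else "unknown"].append((ip, mac, hostname))
    allowed = sum(1 for r in inventory.values() if r["list"] == "allow")
    findings["pool_excess"] = max(0, pool_size - allowed)
    return findings

if __name__ == "__main__":
    result = audit_leases(LEASES, load_inventory(INVENTORY_CSV), 8)
    for kind in ("deny", "unknown"):
        for ip, mac, host in result[kind]:
            print(f"{kind.upper():8}{ip:16}{mac}  {host}")
    print(f"DHCP pool exceeds documented allowed devices by {result['pool_excess']}")
```

A real router exposes its lease table in its own format (the admin page, or a file such as dnsmasq's lease file on many firmwares), so the lease parsing line is the part to adapt.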

There are so many other things we can do to improve our cybersecurity, but by applying these principles to your security you will definitely make it harder for someone to gain unauthorized access to your network. Along with the excellent resources found on the NCSA website you can visit www.cybersecurityforeveryone.com for more information on these and other ideas to improve your personal cybersecurity.

References: Sadler, T. L. (2015). Modems and Routers. In Cybersecurity for Everyone: Securing Your Home or Small Business Network (pp. 15-29). Kissimmee, Florida: Signalman Publishing.