Securing Your Home Network
For many of us, our home networks have become a vital part of our daily lives. From relaxing and watching Netflix on a weekend evening to working from home, it's our gateway to the rest of the world. But it can also be our weakest link in keeping ourselves safe and private. The internet is a large, dangerous place, and our network configurations can either protect us from all that danger or invite it in. A compromised network can be abused to steal your sensitive information, plant malware, or turn your devices into cryptominers and bots, resulting in decreased performance and possibly even legal troubles. In this guide, I seek to share some common practices to help secure your network against these dangers and keep you safe regardless of whether you're gaming, streaming, or working.
You don't necessarily have to read every word of this section, especially if you already know this stuff, but if you find yourself confused by any of the words used in this article, feel free to check back here and reference them.
- Flashing: The process of installing a new firmware on a device, such as a custom ROM onto a phone or a new
- Gateway: a dual router/modem. These days, most devices are gateways.
- ISP: Internet Service Provider. This could be Spectrum, AT&T, Google Fiber, or perhaps a local company. It's whoever you pay your bill to so that you have internet access.
- LAN: Local Area Network. This is everything inside your home, everything before you hit the WAN. If the internet suddenly went out (but the power stayed on), you would still be able to access everything inside the LAN with no issues. This could include things like wireless printing or controlling your Smart device from your phone.
- Modem: the device that connects your LAN to the WAN.
- Router: the device that organizes and directs traffic within your home. The router is what makes sure that the search engine you tried to access on your smartphone loads on your smartphone while the movie you just selected on your TV loads on your TV. These days most routers are actually dual router/modems called gateways.
- SSID: Service Set Identifier. You likely know this better as your "WiFi." It's the name you give to your network so people can select the right network, such as "Smith_Household" or "FBI Surveillance Van." (Personal note from the author: PLEASE stop using this one. It's not original or clever; I see it at literally every apartment complex I go to.)
- WAN: Wide Area Network. This is the internet, everything outside your home. This includes things like your email, streaming services, and more.
Picking a Router
At least in the US, subscribing to internet service usually means that your ISP will provide a router for you. I strongly advise against using this router alone. In many cases, it is heavily locked down and you cannot make any meaningful changes to the settings. Even if you can, the ISP can spy on your traffic, and likely is. In some cases this is to serve you their own ads, in some cases it's to detect piracy and illegal downloads, and in many cases it may be to sell your browsing history to data brokers. Using your own router gives you significantly more tools at your disposal to protect against this.
There are a number of open-source options for routers that will take even a small consumer router and turn it into a powerful device with enterprise-level capabilities. My personal favorite is DD-WRT, but other popular options include pfSense, OpenWRT, and Tomato. While you can buy pre-flashed devices in some cases (FlashRouters for DD-WRT and Protectli for pfSense), I always encourage you to do it yourself if you're comfortable doing so, both to ensure maximum security and to become familiar with the update process. Having said all of this, if you are unsure whether an open source router is right for you (the wealth of options can be overwhelming to some), I still encourage you to get a router that wasn't provided by your ISP. Make sure it offers VLANs and VPN capabilities, as we will be using these heavily to protect your home.
Network Best Practices
Be sure to change any default passwords, especially the default password to log in to the router and the default password of your SSID (especially if you choose not to change the SSID itself). See my page on passwords for more information on what makes a good password and how to remember them.
If your router offers multiple encryption options for your WiFi, be sure to pick "WPA3" with "AES" and "TKIP" if available. WPA3 is a relatively new protocol, so your router may not offer it. If not, "WPA2" should be available. Avoid WPA and WEP if offered.
Be sure to create separate VLANs (or subnets, if your router doesn't offer VLANs) for different purposes: one for IoT devices, one for gaming consoles, one for desktop devices, etc. This will ensure that if one device gets compromised, the impact will be contained. (Tip: If your router does not offer VLANs/subnets, I recommend putting all your IoT devices on the guest network.)
For your SSID, it makes no real difference if you choose to hide it or not. Even a relatively unskilled attacker can easily scan for and find hidden networks. I do, however, recommend that you avoid an SSID with any identifying information such as "Smith House" or "Apt23B." (For the record, this alone will not stop a dedicated stalker, but there's no need to just hand out that information to everyone unsolicited.)
For your guest WiFi, I recommend using a passphrase (five or more randomly chosen words) instead of a password. It will be just as strong as a password, but significantly easier to share. (Tip: use a QR-code generating website such as this one to generate a QR code that your guests can simply scan with their device's camera to instantly and easily connect to the guest network.)
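As an added example (not code from the original guide), the following script shows the two pieces behind the guest WiFi tip above: picking a random word passphrase with the operating system's secure random source, comparing its strength in bits against a conventional random password, and building the text payload that WiFi QR codes carry (the widely used `WIFI:T:...;S:...;P:...;;` convention, with the special characters `\ ; , " :` escaped). The word list and network names are constructed samples, and a real deployment would use a large published word list.

```python
import math
import secrets

# Constructed sample word list for demonstration only. A real list (for example the
# EFF long list with 7776 entries) gives about 12.9 bits of entropy per word.
SAMPLE_WORDS = [
    "apple", "beacon", "copper", "delta", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "marble", "nectar", "orbit", "pillar",
]


def generate_passphrase(words, count=5, sep=" "):
    """Pick `count` words uniformly at random; secrets uses the OS CSPRNG, not random()."""
    if count < 1 or len(set(words)) < 2:
        raise ValueError("need at least one word to pick and at least two distinct words")
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` words drawn uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


def password_entropy_bits(alphabet_size, length):
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def _escape(value):
    # The QR WiFi convention escapes backslash, semicolon, comma, quote and colon.
    return "".join("\\" + ch if ch in '\\;,":' else ch for ch in value)


def wifi_qr_payload(ssid, password, auth="WPA", hidden=False):
    """Build the text that a WiFi QR code encodes (T = auth type, S = SSID, P = key)."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("auth must be WPA, WEP or nopass")
    hidden_field = "H:true;" if hidden else ""
    return f"WIFI:T:{auth};S:{_escape(ssid)};P:{_escape(password)};{hidden_field};"


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("guest passphrase:", phrase)
    # Five words from a 7776-word list versus ten random printable ASCII characters.
    print("5-word passphrase: %.1f bits" % passphrase_entropy_bits(7776, 5))
    print("10-char password : %.1f bits" % password_entropy_bits(94, 10))
    print("QR payload:", wifi_qr_payload("Guest-Net", phrase))
```

Paste the printed payload into any QR generator (or a library such as `qrcode`) to produce the image your guests scan.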
Behind-the-Scenes Best Practices
Be sure to always keep your router updated with the most recent firmware to patch any security issues. If the device offers auto-updates, enable them. If it does not, set a reminder to check at least once a month.
I recommend putting a VPN on your router. This will offer a small amount of protection to every device in your home, including those that can't natively load a VPN (such as IoT devices). It also serves as a loophole to circumvent the "number of devices" limitation imposed by your VPN provider, since the router only counts as a single device (for example: a tablet, two phones, a desktop, a laptop, a TV, an Alexa, and a doorbell all going through the router's VPN still only count as a single connection to the VPN provider).
If you are not using a VPN on your router, or if the VPN setup instructions did not specify a DNS resolver to use, I suggest adding an encrypted resolver of your choice. Privacy Guides still offers an excellent list of choices.
Be sure to enable any firewalls that are not already enabled, and to disable Universal Plug-and-Play (sometimes abbreviated "UPnP"), as this feature is frequently abused by malicious actors to plant malware and compromise your network.
Disable WPS (WiFi Protected Setup) if it's available. This is the feature where you push a button on the router and it adds new devices automatically. This feature may be tempting and easy to use, but it's also extremely easy to abuse. Disabling it will dramatically improve the security of your network.
Disable the option for remote access, if such an option exists and is enabled.