Practical security for the home network
Security is a tough subject. Attackers are usually a step ahead of whatever countermeasures you put in place. There are endless opinions on how to use antivirus software, which one to use and when to use it: some people swear by it, others say it is just a waste of CPU cycles. We won’t talk about antivirus here though.
There are architectural issues in a home network that matter far more to your security than which files you click on. Of course you should still watch what you install and keep the number of installed applications to a minimum. Strive for a clean and minimal system: the fewer the apps, the smaller the attack surface. But for now let’s talk about things you can do in the layout of your home network to improve security and avoid attacks that would succeed without you clicking on anything.
The guest WiFi network
First of all, routers usually have an option to enable a secondary WiFi network called the guest network. Turn it on right away. Then draw a clear line. In the main network there are only personal devices: phones, laptops and a Raspberry Pi home server. In the guest network there is everything else: the robot vacuum, the solar panel inverter, the smart washing machine and fridge and so on.
What does this separation mean? A guest network is a second WiFi network that the router keeps on its own subnet and, when configured correctly, firewalls away from the main network: devices on it get Internet access and nothing else. That is the property you care about, so check it in the router settings. The option is usually called something like guest isolation or AP isolation, and if there is a setting along the lines of “allow guests to access the local network”, make sure it is off. Some routers can also isolate guest devices from each other; turn that on too if it is offered. Then test it: connect a phone to the guest network and try to reach the Raspberry Pi’s file share. It should fail. Once it does, the fridge, the washing machine and the robot vacuum will never have any kind of knowledge of your Raspberry Pi that hosts and broadcasts file shares and services to your main network.
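A quick way to turn “it should fail” into an actual check is to probe the main network’s services from a device on the guest WiFi. The Python script below is an added example for this article, not something from the original text or from any router vendor; the Raspberry Pi address and ports in it are assumptions, so replace them with the real ones from your router’s client list. Run it from a laptop connected to the guest network: every probe should come back blocked, and any service that answers means the two networks are not actually separated.

```python
"""Probe main-network services from the guest WiFi to confirm isolation.

Added example for this article. Run it from a device connected to the
GUEST network. Every probe should fail; a successful TCP connection to a
main-network host means the router is not isolating the guest network.
"""
import socket
from dataclasses import dataclass

# Assumed main-network addresses and ports (constructed for this example;
# replace them with the real ones from your router's client list).
MAIN_NETWORK_SERVICES = [
    ("192.168.1.10", 22, "Raspberry Pi SSH"),
    ("192.168.1.10", 445, "Raspberry Pi SMB file share"),
]


@dataclass
class ProbeResult:
    host: str
    port: int
    label: str
    reachable: bool


def tcp_reachable(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection, a timeout (the router silently dropping the
    packets) and a resolution or routing error all count as unreachable.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_isolation(services=MAIN_NETWORK_SERVICES, timeout: float = 1.0) -> list:
    """Probe every listed service and record whether it answered."""
    return [ProbeResult(host, port, label, tcp_reachable(host, port, timeout))
            for host, port, label in services]


def isolation_holds(results) -> bool:
    """True only if none of the main-network services was reachable."""
    return not any(r.reachable for r in results)


def report(results) -> str:
    """Human-readable summary: one line per probe plus a verdict."""
    lines = [f"{r.label} ({r.host}:{r.port}): "
             + ("REACHABLE, isolation failure" if r.reachable else "blocked")
             for r in results]
    if isolation_holds(results):
        lines.append("Guest network is isolated from the main network.")
    else:
        lines.append("Guest devices can reach the main network. "
                     "Check the router's guest/AP isolation setting.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_isolation()))
```

Run it once from the guest network and once from the main network. From the main network the Pi’s ports should show as reachable, which proves the probes themselves work and that a clean result from the guest side is a real negative rather than a typo in the addresses.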
Having a guest network also lets you protect your main network when friends come by and just want Internet: give them the guest WiFi password. If friends want files from you, hand them a USB stick or send the files with a messaging app. If they insist on connecting to your main network, treat that with suspicion; there is never a need for direct access, especially now that files can be shared from a phone with a chat app. Always supervise direct cable connections to your network: stay there and watch what is being done. If for some reason you did give out your main WiFi password, change it as soon as your guests have left.
The trouble with WiFi access is that it is persistent. If you gave somebody the password, they can simply walk past your house, stay outside and get full access to your home network, the one where you broadcast your file shares and network services. Not a pretty picture. That is why you only ever give out the guest WiFi password. There is nothing useful in that network.
Smart devices
Smart devices are “smart” because they usually offer you a way to see what they do when you are not at home. Robot vacuums, power generators, heating and lighting: all can be managed from your phone. To do so, they connect to your home WiFi network, and that connection is exactly what an attacker can use to get in.
The issue with smart devices is that you don’t control their security. You can’t always upgrade their firmware, and even when you can, the firmware is often written by small hardware companies with poor security practices; they build hardware and do not think security through. Smart TVs have had security issues since their inception and they still do. Bluetooth that is always on and always discoverable, exploitable network stacks, outdated embedded web servers: all of them create huge risks for your home network.
So how do you deal with all that? Simple. Get them off your main home network and let them connect to the guest network. The guest network has no knowledge of your laptops, phones and files. It is just there to provide Internet connectivity, and that is all those smart devices need. So, rule of thumb: avoid connecting any smart device or appliance to your main home network wherever possible. Of course there are exceptions, like the printer and the TV.
The printer and the TV
The printer is not so obvious because it is still an insecure smart device, but it also needs to receive your files for printing. So let’s say we allow the printer to reside in the main home network alongside personal devices. But this must be done with very careful configuration: go through each and every setting on that printer and turn off everything that reaches beyond a plain print job from your own computer: AirPrint, Google Cloud Print, print by email, Wi-Fi Direct, any cloud or mobile app administration, everything. Set a password on its web administration page if it has one, and keep its firmware updated. Let your printer act as the dumbest possible WiFi printer, with no mobile app administration and certainly no printing from the Internet.
And of course your TV needs access to your files to show photos or local movies. First try to see how far you get with the TV connected to the guest WiFi network. Casting normally requires the phone and the TV to be on the same network, so try moving your phone to the guest network for the moment and casting the movies and photos from there. If all else fails and you do need to connect the TV to the main home network, go through each and every setting in the TV menus with caution. Disable Bluetooth if possible, or at least make the TV undiscoverable over Bluetooth. Disable any kind of Internet access. If you can link your TV to Netflix or other accounts, that is a critical failure point: the TV is an Internet-connected computer, and you should consider moving it to the guest network even if that means it loses the ability to display local files.
Work laptops and other work equipment
Work laptops should connect to the guest WiFi network. You should not transfer files between the work laptop and your personal devices; most of the time your employer’s policy forbids it anyway. Consider this a way to safeguard both your network and the work laptop. If by any chance malware is running around your home network, the work laptop is protected, and it goes both ways: if the work laptop is compromised, your home network remains untouched.
There have been many cases of work laptops infected with ransomware, and the trouble with these infections is that they are built to move laterally through whatever network they land on. This means your personal devices may be caught in the crossfire of an attack aimed at your office. If you isolate your work laptop on your guest WiFi, this problem goes away: there is no communication between the guest and the main network.
The NAS
If you have an off the shelf NAS, take care here. The NAS is a very capable and smart device and it has options that make the files and services in your network available over the Internet. Sure, the feature is always advertised as secure and it is locked behind an account for which you can also enable two factor authentication. But make no mistake: if you enable these features, you are at the mercy of your NAS vendor. Be it Synology, QNAP or ASUS, they may well have good security practices in place, but even bigger companies have had huge security failures, and Internet-exposed NAS devices have been hit by ransomware campaigns more than once.
Never trust the security put in place by a third party. We are talking about access to your home network from the whole Internet after all. Better to close down all remote access and have peace of mind. While you are at it, disable UPnP on the router, otherwise a NAS or any other device can open inbound ports from the Internet to itself without asking you, and check the router’s port forwarding list for entries you did not create. If you want access to your files from the Internet, you have options. One of them is a VPN, and I talk about configuring a VPN server in your network here.
I hope this article shed some light on bad home network security practices. These techniques are not about the software you run: you must still keep your software up to date and take care with what you execute. But the way you organize your home network can expose you to a lot of unwanted damage if you are not careful, especially once you start connecting smart devices whose software and firmware stacks are completely outside your control.