Three steps to protect your home network

Today, the typical structure of an internet connection is that you have a router in your home, usually a small box located somewhere in your house that acts as a gateway to the internet. The router creates a local network to which you connect your devices, including your computer, phone, TV, game console, and anything else that needs to connect to the internet or to each other. It's easy to think of the router as a dividing line, with the internet on one side and your devices on the other. But this is a serious misconception, because in reality, on one side of your router is the entire world of computer networks, and on the other side is your digital life. When you use the internet, you are accessing a shared area of someone else's computer network. When you're not using the internet, it doesn't disappear: automated scanners and scripts constantly probe millions of routers looking for open ports or exposed services. With the proliferation of the Internet of Things (IoT), there are often more services running on your home network than you think. By following these three steps, you can audit your home network and protect it from unwanted access.

1. Know what you are agreeing to

Part of a router's job is to separate the internet from your home network. But when you access the internet, you're inviting parts of the internet into your home. Every connection you open is an exception to the rule that keeps the internet out of your local network.

On many websites, the only thing that passes through your router is text. For example, when you visit your favorite blog to read the latest tech news, you download a few pages of text, read them, and move on. It's a simple one-to-one connection.

However, HTTP (and its encrypted form, HTTPS) is a powerful protocol, and the applications that run on top of it are diverse. When you visit a website, you're not just downloading text. You get graphics, and maybe a script or an e-book. You're also receiving cookies in the background, which help website administrators understand who is visiting the site, improve support for mobile devices, test new designs for better accessibility, and learn what readers like. When you surf the web, you may not think of cookies or traffic analytics as something you interact with; they are buried in the page interaction because HTTP is designed to be broad and general, and browsers extend it a great deal of trust by default. When you visit a website in a browser, you may unknowingly agree to download and run content you never asked for. For a model designed around less implicit trust, look at the Gemini or Gopher protocols, which serve plain documents without scripts or cookies.

When you join a video conference, you use the same kind of protocol. You download not only the text on the page and the cookies for traffic monitoring, but also the video and audio streams, and you grant the page access to your own camera and microphone.

Some sites go even further and are designed to let users share their screens, and sometimes even hand over control of their computers. The idea is that a remote technician can fix problems on the user's machine, but in practice users can be tricked into visiting such a site and having their financial credentials and personal data stolen.

If a website that provides text articles asks for permission to access your webcam while you read, you should be wary. You should be equally cautious when a device requires access to the internet. Pay attention to what you are implicitly agreeing to when you connect a device to a network. A device designed to control the lights in your house should not require internet access, but in fact many do, and they rarely state clearly what you are granting them. Many IoT devices want an internet connection so that you can reach the device when you are away from home; that is part of the appeal of a "smart home". However, you cannot know what code every device is running. When possible, use open source and trusted software such as Home Assistant to interface with your IoT devices, and keep devices you cannot inspect off your main network.

2. Create a guest network

Many modern routers can create a second network for your home (usually called a "Guest Network" in the configuration panel). You might not think you need one, but it is genuinely useful. It's designed to give visitors internet access without you having to share your private network password. In my foyer, for example, I have a sign with the name and password of my guest network, and anyone who visits can join it to get online.

The other use is for IoT devices, edge devices, and home labs. When I bought "programmable" Christmas lights last year, I was surprised to find that in order to control the lights, they had to be connected to the internet. Of course, these $50 lights from a no-name factory don't come with source code or any way to inspect the firmware embedded in the adapter, so I had reservations about letting them onto my local network. They have been permanently relegated to my guest network.

Every router vendor is different, so there are no universal instructions for creating a "sandbox" guest network. Generally, you administer your home router through a web browser. Your router's address is sometimes printed on the bottom of the router; it is a private address that usually starts with 192.168 or 10 (less often 172.16 through 172.31).

Visit your router's address and log in with the credentials you set when you configured your internet service. Often this is simply "admin" and a numeric password (sometimes printed on the router as well). If the router still uses that factory default password, change it: anyone who can reach the admin page can otherwise reconfigure your network. If you don't know how to log in, ask your internet provider or the manufacturer.

In the interface, look for a panel called "Guest Network." On my router this is under Advanced Configuration, but it might be somewhere else on yours, it might have a different name, or it might not exist at all. The specifics vary from manufacturer to manufacturer.

Creating a Guest Network

This may take some patient searching. If your router offers the option, set up a guest network for visitors and for untrusted devices like those smart bulbs. If the router also offers "client isolation" (sometimes "AP isolation"), enable it so devices on the guest network cannot talk to each other or to your main network.

3. Configure the firewall

Your router probably already has a firewall running by default. A home router's firewall keeps unwanted traffic out of your network by letting your devices open connections outward, letting the replies to those connections back in, and dropping anything from the internet that you didn't initiate. You can check that it is enabled by logging into your router and looking for a "Firewall" or "Security" setting.

However, individual devices can run their own firewalls too. A network is called a network because the devices on it can connect to each other. Putting a firewall on each device is like putting a lock on an interior door: guests can wander the halls, but they won't get into your private office without the right key.

On Linux, you can use firewalld and its firewall-cmd command to configure the firewall. On macOS the firewall is in the Security & Privacy (or Network) settings and exposed services are toggled under Sharing; on Windows it is Windows Defender Firewall in the control panel. Most default firewall settings allow only outbound traffic (that is, connections you initiate, such as opening a browser and navigating to a website) and the inbound traffic that answers those requests. Incoming connections that you didn't initiate are blocked.

You can then add rules to allow specific inbound traffic as needed, such as SSH connections, VNC connections, or a game server you host. Open only the ports you actually use, and where a service is meant for your own LAN, restrict the rule to your local subnet rather than to any address.
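Before writing allow rules, it helps to know which services on the device are actually reachable from other hosts. The following script is an added example (not code from the original article): it parses the output of `ss -lntu` on Linux, separates listeners bound to loopback from those bound to a LAN address or to all interfaces, and emits the `firewall-cmd` lines that open only the ports you decide to keep. The `ss` output embedded in it is constructed sample data; the `home` zone and the set of allowed ports are assumptions you would adjust for your own machine.

```python
"""Audit listening sockets from `ss -lntu` output and plan firewalld allow rules.

Added example for this article, not the article's own code. The sample `ss`
output below is constructed for illustration; the zone name and allowed ports
are assumptions.
"""
import sys
from collections import namedtuple

Listener = namedtuple("Listener", "proto address port scope")

# Constructed sample, in the column layout `ss -lntu` prints.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      50     192.168.1.20:5900  0.0.0.0:*
tcp   LISTEN 0      511    *:8080             *:*
"""

WILDCARDS = {"0.0.0.0", "::", "*"}


def split_local(field):
    """Split ss's 'addr:port' field, handling IPv6 brackets and '%iface' suffixes."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def classify(addr):
    """Who can reach this socket: only this host, one interface, or everyone."""
    if addr in WILDCARDS:
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "one-address"


def parse_ss(text):
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = split_local(cols[4])  # "Local Address:Port" column
        listeners.append(Listener(cols[0], addr, port, classify(addr)))
    return listeners


def exposed_listeners(text):
    """Everything another host on the LAN could connect to (i.e. not loopback)."""
    return [l for l in parse_ss(text) if l.scope != "loopback"]


def firewalld_plan(listeners, allow_ports, zone="home"):
    """firewall-cmd lines opening only the chosen ports in the given zone.
    Ports not listed stay blocked by firewalld's default deny for unsolicited
    inbound traffic, but the service behind them should still be reviewed."""
    wanted = sorted({(l.port, l.proto) for l in listeners if l.port in allow_ports})
    cmds = [f"firewall-cmd --permanent --zone={zone} --add-port={port}/{proto}"
            for port, proto in wanted]
    return cmds + ["firewall-cmd --reload"] if cmds else []


if __name__ == "__main__":
    # Use real output when piped in (`ss -lntu | python3 audit_listeners.py`),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    exposed = exposed_listeners(text)
    keep = {22}  # assumption: SSH is the only service we mean to expose
    for l in exposed:
        verdict = "allow" if l.port in keep else "stays blocked; stop it if unneeded"
        print(f"{l.proto:4} {l.address:>14}:{l.port:<5} {l.scope:15} {verdict}")
    print("\n".join(firewalld_plan(exposed, allow_ports=keep)))
```

Sockets bound to 0.0.0.0 or :: (here mDNS, SSH and the service on 8080) are reachable from every network the device joins, including a guest network; the VNC listener on 192.168.1.20 is reachable only on that interface, and the loopback-only CUPS and resolver sockets need no rule at all.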

Monitor your network

These tips help build your awareness of what's going on around you. The next step is to monitor your network. You can start simple, like running Fail2ban on a test server on your guest network, or by reading the logs your router offers. You don't have to know everything about TCP/IP and packets to see that the internet is a busy and noisy place, and seeing that firsthand goes a long way toward informing the precautions you take when you install a new device in your home, whether it's an IoT gadget, a mobile device, a desktop or laptop, a gaming console, or a Raspberry Pi.
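To see what "busy and noisy" looks like in a log, here is an added example (not code from the article or from the Fail2ban project) of the rule Fail2ban applies to sshd logs: count failures per source address inside a sliding `findtime` window and ban once `maxretry` is reached, using Fail2ban's default thresholds of 5 retries within 10 minutes. The log lines are constructed (TEST-NET addresses and a private LAN address), and the year 2024 is an assumption because syslog timestamps omit it. The second attacker in the sample illustrates a caveat: five failures spaced 30 minutes apart never trip the default window, so slow scanners keep appearing in your logs even with Fail2ban running.

```python
"""Fail2ban-style detection over sshd log lines: ban a source address after
`maxretry` failures inside a sliding `findtime` window, and ignore it while banned.

Added example for this article, not Fail2ban's own code. The log lines are
constructed; the year is assumed to be 2024 because syslog stamps carry no year.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 pi sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 10 02:14:03 pi sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar 10 02:14:05 pi sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
Mar 10 02:14:06 pi sshd[1205]: Invalid user test from 203.0.113.5 port 51040
Mar 10 02:14:07 pi sshd[1207]: Failed password for invalid user pi from 203.0.113.5 port 51044 ssh2
Mar 10 02:20:00 pi sshd[1301]: Failed password for seth from 192.168.1.15 port 40110 ssh2
Mar 10 02:20:05 pi sshd[1301]: Accepted publickey for seth from 192.168.1.15 port 40110 ssh2
Mar 10 03:00:00 pi sshd[1401]: Failed password for root from 198.51.100.7 port 6001 ssh2
Mar 10 03:30:00 pi sshd[1402]: Failed password for root from 198.51.100.7 port 6002 ssh2
Mar 10 04:00:00 pi sshd[1403]: Failed password for root from 198.51.100.7 port 6003 ssh2
Mar 10 04:30:00 pi sshd[1404]: Failed password for root from 198.51.100.7 port 6004 ssh2
Mar 10 05:00:00 pi sshd[1405]: Failed password for root from 198.51.100.7 port 6005 ssh2
"""

# The two sshd messages counted as failures; successful logins do not match.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_time(stamp, year=2024):
    """Syslog stamps have no year, so one is supplied (assumed 2024 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bans(log_text, maxretry=5, findtime=600, bantime=600, year=2024):
    """Return {ip: [ban start times]}; findtime and bantime are in seconds,
    defaulting to Fail2ban's 5 failures within 10 minutes, 10 minute ban."""
    findtime, bantime = timedelta(seconds=findtime), timedelta(seconds=bantime)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned_until = {}            # ip -> when the current ban expires
    bans = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        ts, ip = parse_time(m["ts"], year), m["ip"]
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned: the firewall drops it, nothing to count
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()  # slide the window: forget failures that aged out
        if len(window) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + bantime
            window.clear()
    return dict(bans)


if __name__ == "__main__":
    for ip, times in detect_bans(SAMPLE_AUTH_LOG).items():
        print("default findtime: ban", ip, "at", times[0].time())
    # The slow attacker only shows up once the window is widened to 3 hours.
    for ip, times in detect_bans(SAMPLE_AUTH_LOG, findtime=3 * 3600).items():
        print("findtime=3h:      ban", ip, "at", times[0].time())
```

The fast brute-forcer is banned on its fifth failure at 02:14:07; the host that fails once and then logs in with a key is never counted against; the slow attacker is banned only when `findtime` is widened, which is the trade-off Fail2ban leaves to you between catching patient scanners and banning legitimate users who fumble a password over an afternoon.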
