Protect Your Home Network and Set Up a Guest Network
Day 3: Protect Your Home Network and Set Up a Guest Network
Welcome to Day 3 of my 30 day security challenge, the month long challenge I created to help you gain control of your privacy and security online. You can follow along with the security challenge via my blog at snubsie.com, where you can skip ahead or download a checklist of the challenge. Each video will also be curated into a playlist so it'll be easy to follow along from Day 1 all the way through 30 here on Youtube.
Today we're going to start protecting our home networks from attacks. This includes protecting your router and modem as well as protecting all of those devices you use to connect to your home internet.
First off, do you know where your router and modem are? Bring that notepad, and go take a look at them and determine which one is which. If you only have one box, figure out if it is an ISP rental router/modem combo, or if it's a third party one that you purchased. Write down the Brand and model number for each device and google their name plus release date. How old are they? If they are several years old, you may want to consider upgrading to a newer router and modem. Oftentimes, old routers and modems won't receive new firmware updates anymore and may be vulnerable to hacks. You'll probably get a nice speed increase too by upgrading to newer models.
If you aren't sure what to choose, check out Wirecutter's articles about the Best Wireless Router and Best Wireless Modem for most people. If you have specific use case scenarios that require special devices, do some further research and ask for some advice from folks you trust.
If your modem/router is owned by your ISP (be it Comcast, AT&T, Verizon, whatever), call them up and see if there's an upgraded one available, or better yet, ask them what consumer devices are compatible with your line. Your best bet is to get your own, as you'll be in full control of the device and upgrades, not your ISP.
Once you've got a current modem and router, you can begin digging into your security settings.
Modems don't need much changin', just make sure they're compatible with your ISP and follow your ISPs directions on setting it up on your network.
The router DOES require a bunch of security settings to really be secure. First and foremost, in your browser, head over to your routers administrative interface. You can get there by typing in an IP address to your browsers address bar, clicking enter, then you'll see a login page or setup page. The IP address might be found on the bottom of your router, or in the original packaging, or via the brands website in a "get started" document. It'll look something like 192.168.0.1 for example.
Alternatively if you have a new router, some of them come with smartphone apps, and you can log into your admin interface via your iPhone or Android as well. Once logged in, change your username and password. Chances are you just logged in with something like: username admin, and password admin. Was it something harder? That's good, but lets make it even better! Change your username to something new, and your password to something hard to guess. You can write these down in your notepad for the time being, but DON'T LOSE YOUR NOTEPAD. These are your new admin credentials, so they're important not to forget. For those wondering, yes we will destroy the notepad later on in the challenge. But just for convenience, we're going to hold onto this for now. The reason why we change these from the default is because anyone who gets access to that router via the wireless could potentially log in and screw with the settings if you left the default credentials in place. That's scary, we don't want that to happen.
Next, turn off external management, remote access, and block open ports. These are all settings that allow people to log into the admin interface from outside of your home network, or to do stuff to your home network from outside. Chances are you don't need any of those options turned on, so just click OFF or DISABLE and SAVE your settings. If you're worried about ports still being open to the internet, check your router against a site like https://www.grc.com/shieldsup to make sure everything is closed.
Next, disable WPS or WiFi Protected Scan. This was built into many routers but found to be vulnerable to hacks, so it's best to just turn this protocol off completely.
Now to enable some settings! First, look through the settings for a Firewall option. This'll add an additional layer of security to your home network. If it's available on your router, turn it on. If you see a setting for enabling HTTPS access to the router interface, also turn that on.
Now for a big one, DO NOT PASS UP THIS STEP. Make sure your routers wireless settings are set to WPA2. If WPA is your only option, use that, but no matter what - DO NOT USE WEP. EVER. Now that you've got WPA2 set up, change your SSID and passcode. This is the name of your router that is seen publicly, and the passcode that you have to enter from every wireless devices to get internet access through your router. It's different from the administrative credentials you created earlier, and as such, it shouldn't be exactly the same as those previous credentials either. You can personalize the SSID name if you want to be something funny, it doesn't matter too much what you call it. But make sure the passcode is hard to guess.
Newer routers offer the option to have a 2.4 and a 5ghz wireless network. You can do both if you want - just make sure each one has it's own SSID and passcode - the only difference between the two is the frequency and strength. I won't get into the technical details here, but if you want to find out more, Google it!
If you have the option available, set up a secondary network for guests. This will be a separate network that goes through your router that is solely to be used by guests that come to your house and visit you, and internet of things devices. Your internet of things devices include light bulbs, thermostats, amazon echos, and anything else that is considered a connected appliance - those all would go into this guest network. Don't worry too much about connecting those today, as we'll cover more on IoT security tomorrow.
Now that you've changed your SSID and passcode, you'll probably need to log back into your wifi on all of your devices, too, so go ahead and do that now. Keep in mind - if it's an IoT device, stick it on the guest network. If it's your personal smartphone, laptop, or computer, stick it on the internal network. And so on and so forth.
Last thing to do for your router is to update it's firmware. Yours might automatically update the firmware, while others require you to log into the admin interface to check for updates. Either way, find that option in your settings and ensure your router is completely up to date from the manufacturer. If you don't see an update via the interface, check the brands website as well, because a firmware update might be available via the website and not the admin interface.
Want to take it a step further? Consider restricting which IP addresses can access the admin interface; change the routers IP address, consider using a VLAN instead of a guest network if you want to; or even install custom firmware instead of the firmware from the manufacturer. All of these are a bit more advanced technical steps you can take, but take care when delving into these as they are much more complex.
And you're done! Remember to log out of your admin interface once you've made all the updates you want to make. Remember: your WiFi is NOT the internet. Your WiFi is how you ACCESS the internet. And as such, you should protect your WiFi at all costs.
Now take a breather! I know this was a tough one to get through and follow, but I tried to make it as easy to follow as possible since all routers menus are going to be different.
Tomorrow I'll share how to figure out what devices are on your network and how to choose which devices go on which network - guest, or internal. But first, make sure to subscribe on youtube and hit up snubsie.com for the downloadable checklist and to skip ahead on the 30 day security challenge. Again, I'm Shannon Morse and I'll see you tomorrow for day 4!