Cybersecurity is never far away, especially for home network users: protecting and securing a small home network against eavesdropping and potential hijacking mostly comes down to practicing common sense. We’ll look at different ways to secure your home network, whether you’re a technology noob or an expert.
Home Network Cybersecurity Starts With You…
The most important weapon in the cybersecurity toolbox is you, since you are the one in charge of securing your wireless home network from top to bottom and of controlling who accesses it.
Just like setting policies and safeguards for a company, you as the local user of the home network take responsibility for implementing the basic steps I list below to make your home network as bulletproof as possible.
Change Default Factory Passwords on the Router
The first line of defense in securing a home network is changing the router’s factory default password settings to custom settings.
Every off-the-shelf wireless router comes with a factory sticker showing the default admin username and password used to access the backend of the router when setting it up for the first time with your ISP.
In other instances, a manufacturer may not print the default credentials on a sticker, but the router is still set to factory default settings before it leaves the factory, which means custom credentials still need to be set up by the home network admin user.
The real problem is that most people leave the router on the factory default credentials, thinking no one will be able to shut down the router. This is a major security issue, since anybody is likely to know the default gateway address and can easily brute-force their way into the router with the default credentials.
Simple solution: Lock the backend of the router down by setting up complex administration credentials to stop any brute-force attack on the router.
To change the password on the TP-Link Archer A9 router that I use, go to the Advanced tab, open System Tools, and select the “Administration” menu to find the Account Management options, where the router password can be changed to whatever you want (just make sure to include a mix of uppercase, lowercase, numbers, and alpha characters in the password to make it harder for others to guess!).
Change the Wi-Fi Network Name
The next method stays on the topic of default settings, only this time it’s changing the default network name provided by the Internet Service Provider (ISP).
When the home network is set up for the first time, the network name appears by default as MySpectrumWifi (followed by a mix of letters and numbers) if you have Charter Spectrum, or as ATT (followed by a mix of numbers) if you have AT&T.
The Service Set ID (SSID, or what people call the “Wi-Fi” name) identifies the network. A Wi-Fi router or access point uses it to establish the association that allows a wireless client to connect to the network.
Common practice is to change the SSID every few months for both the 2.4 GHz and 5 GHz private Wi-Fi connections (it is a good idea to also change the Wi-Fi password of both connections).
The main goal is that if a hacker already has the current SSID of the home network, changing the network name would kick the hacker off the network.
Enable WPA2/WPA3 Encryption
A home network cannot be left unprotected or “open”, inviting everybody, including neighbors, to hijack the network or to unknowingly use up bandwidth by multi-streaming.
This is where Wi-Fi Protected Access comes in: use either WPA2 or WPA3 (WPA3 is still limited to a number of router models) to encrypt Wi-Fi connections. Both provide backwards compatibility with the original WPA for network adapters that still use that version.
If WPA3 is offered on the router, it is recommended over WPA2, since WPA3 uses forward secrecy to prevent session keys and past communications from being exposed: it revokes the private signing key when it is compromised and creates a unique session key for each new session instead of reusing the same one.
One similarity between WPA2 and WPA3 in personal mode is that both support CCMP with 128-bit keys, which makes the keys take longer to crack and adds the benefit of data integrity.
Disable SSID Broadcasting
Besides identifying the network, the SSID can also be seen by drive-by hackers or even a nosy neighbor, who then know first-hand that the network is available.
Simple solution…turn SSID/network broadcasting off in the router to prevent the network from being seen and force anyone who still wants to connect to the wireless network to manually enter the wireless network information.
The exception to this would be if you have a neighborhood public network or in a place of business (mall, restaurant, library, etc.) that offers public hotspot access. Otherwise, it’s not necessary to broadcast the network name out in the open.
Disable Wi-Fi Radio
In addition to turning off SSID broadcasting, another way to secure a home network is to disable the Wi-Fi radio and signal features on the router.
This is a great way of cutting off the network if you want to maintain a “minimalistic” home network (a network with very few network devices) by hard-wiring each host that has an Ethernet adapter directly to the router.
Common examples of devices that should never use wireless connectivity are your desktop PC, gaming console, network-attached storage, and Voice-over-IP phones.
Enable MAC Address Filtering
Media Access Control (MAC) addresses are another identifier for each network host, but they can also play a role in network security. This includes filtering devices by whitelisting or blacklisting to allow or deny access to the home network.
With MAC address filtering enabled in whitelist mode, the router only allows devices listed in the whitelisted MAC address table onto the network. If the blacklist rule is set instead, any device added to that table is not allowed to connect, even if the device has the correct Wi-Fi password.
Whitelisting MAC addresses is more effective than blacklisting, since all it takes is scanning the network to find all MAC addresses, whereas blacklisting dives into the unknown unless you’re an experienced network administrator using Wireshark to scan the statistics for rogue MAC addresses to add to the blacklist.
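As an added example (not part of the original article), the Python script below audits a neighbour table against a whitelist, the same comparison the router performs when MAC filtering is on. The `ip neigh` sample output and the whitelist entries are constructed; it also marks randomized (locally administered) MAC addresses, which many phones use by default and which will not match a whitelist entry copied from the device label.

```python
import re

# Constructed sample of `ip neigh` output (not captured from a real network).
SAMPLE_IP_NEIGH = """\
192.168.0.10 dev eth0 lladdr 3c:52:82:aa:10:01 REACHABLE
192.168.0.23 dev eth0 lladdr 3C:52:82:AA:10:02 STALE
192.168.0.41 dev eth0 lladdr da:a1:19:0b:77:c3 REACHABLE
192.168.0.77 dev eth0  FAILED
192.168.0.90 dev eth0 lladdr 00:11:22:33:44:55 DELAY
"""

# Hypothetical whitelist, written the way MACs are copied off device labels.
WHITELIST = {"3C-52-82-AA-10-01", "3c:52:82:aa:10:02"}

MAC_RE = re.compile(r"lladdr\s+((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})", re.I)

def normalize(mac):
    """Lowercase, colon-separated form so formatting differences do not matter."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """Bit 0x02 of the first octet is set on randomized/software-assigned MACs."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def audit(neigh_output, whitelist):
    """Return [(ip, mac, randomized)] for neighbours that are not whitelisted."""
    allowed = {normalize(m) for m in whitelist}
    unknown = []
    for line in neigh_output.splitlines():
        match = MAC_RE.search(line)
        if not match:  # FAILED/INCOMPLETE entries carry no MAC address
            continue
        mac = normalize(match.group(1))
        if mac not in allowed:
            unknown.append((line.split()[0], mac, is_locally_administered(mac)))
    return unknown

if __name__ == "__main__":
    for ip, mac, randomized in audit(SAMPLE_IP_NEIGH, WHITELIST):
        note = " (randomized/locally administered)" if randomized else ""
        print(f"not on whitelist: {ip} {mac}{note}")
```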
Enabling Firewall Protection on the Router
Moving on to controlling and analyzing IP traffic coming from the external public network (the Internet) into the private home network, firewall protection helps filter network traffic.
The most common way is to use the router’s integrated Stateful Packet Inspection (SPI) firewall, which compares inbound and outbound data packets to determine whether a network connection can be allowed through.
SPI firewalls should be enabled not only to inspect data packets but also to inspect source and destination ports as well as source and destination IP addresses.
In general, a firewall achieves home network cybersecurity by making sure incoming data corresponds to outgoing requests. If data was never requested, it never makes it from the outside to the internal side of the home network.
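As an added example (not part of the original article and not any router’s actual firmware), the simplified Python model below shows the check an SPI firewall makes: an inbound packet is allowed only if its protocol, addresses and ports match a request that went out earlier and has not timed out. The class name, the 60-second idle timeout and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = home network to Internet, "in" = Internet to home
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class SpiFirewall:
    """Toy connection tracker: inbound traffic must match an outbound request."""

    def __init__(self, idle_timeout=60):
        self.idle_timeout = idle_timeout  # seconds a flow may stay silent
        self.flows = {}  # (proto, lan_ip, lan_port, wan_ip, wan_port) -> last seen

    def handle(self, pkt, now):
        # Forget flows that have been idle too long before deciding.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[key] = now  # remember the request
            return "ALLOW"
        # Inbound: swap the endpoints and require an exact match on all fields.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = now
            return "ALLOW"
        return "DROP"

def run_demo():
    """Replay constructed traffic (documentation IP ranges) and return verdicts."""
    pc, site, other = "192.168.0.10", "203.0.113.5", "198.51.100.9"
    traffic = [
        (0, Packet("out", "tcp", pc, 50000, site, 443)),   # request
        (1, Packet("in", "tcp", site, 443, pc, 50000)),    # matching reply
        (2, Packet("in", "tcp", other, 443, pc, 50000)),   # never requested
        (3, Packet("in", "tcp", site, 8443, pc, 50000)),   # wrong source port
        (100, Packet("in", "tcp", site, 443, pc, 50000)),  # flow has expired
    ]
    fw = SpiFirewall()
    return [fw.handle(pkt, now) for now, pkt in traffic]

if __name__ == "__main__":
    print(run_demo())
```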
Use a Virtual Private Network
The final way to secure your home network is to use a Virtual Private Network (VPN) like NordVPN to tunnel the network connection when transmitting from the private network to the Internet.
A VPN’s main goal is to protect the home LAN from being observed by unauthorized users, including during a man-in-the-middle attack where network traffic is intercepted.
Network traffic is no longer intercepted when connected to a VPN; the first factor is that a VPN uses 256-bit AES encryption keys and breaks up streams of data into 128-bit blocks, making it harder to break.
The other factor that strengthens a VPN is the option of a “double VPN”, which encrypts data more than once by sending it through multiple VPN servers.