Home Network Security Guide

When it comes to securing our home, we find it normal to buy good locks, close the doors and windows when we leave, and keep the lights on at night when we are not at home. We don’t want anyone to break into our house. But when it comes to home network security, we don’t want to invest too much time or money in it, even though most valuables these days are digital!

Home network security works the same way as securing your house: you want your house to be more difficult to break into than somebody else’s in the street. Adding layers of security will slow burglars down and increase the chance they will leave before they get a chance to break in.

The strategy for securing our home network is pretty much the same. We make sure all the doors are closed, add layers of security and keep our paths well lit. As a SysAdmin I know everything about securing networks and in this guide, I will help you secure your network.

Step 1 – Securing the router

We are going to start at the beginning of our home network and work our way down to the clients. Your network starts with the internet connection from your ISP. The ISP may provide you with a modem or a modem/router combo.

Tip 1 – Don’t use the router supplied by your ISP

The routers supplied by ISPs are known to be less secure than others. They have hard-coded support credentials in them, don’t get updated too often and give you fewer settings to secure the network. You should really “invest” in a good router. They don’t have to be expensive: you can buy a good router for between $50 and $120.

With your own router you are in control of your network. Because your ISP may have access to the router they supplied, they can get access to your network. If the support credentials are leaked or there is a security flaw in the ISP’s router, you will be protected by your own router. So a good router is money well spent when it comes to home network security.

Read this article if you want to know more about which router you should buy and how to set it up.

Change the default password

With any router, the first thing you do is change the default password (and username). This is something you should do with every network device. The default passwords of routers can be found online, so hackers will always try to use those credentials to gain access.

Log in to your router (open a browser and visit http://192.168.0.1 or http://192.168.1.1) and change the password. Every router is different, but try the settings page or the setup wizard. If you can’t find it, refer to the manual for instructions on changing the password.

Use a strong password and store it in a KeePass Password Safe on your own computer. This way you don’t have to remember all the passwords.

Update the firmware

Most firmware updates contain security fixes and performance updates. Keeping your network equipment up to date ensures you are less vulnerable to known security flaws in the router’s software.

Tip 2 – Keep firmware up to date

Some routers will check for updates themselves and allow you to install them from the settings or management page. For other routers, you will need to check for updates on the website of the manufacturer.

A simple Google search on the model of your router + firmware will lead you to the correct download page.

Disable remote access to the router

The management interface of the router shouldn’t be available from the internet. You should only manage your router from within your local network. So disable this setting if you find it turned on in your router.

Change the default DNS servers

Your ISP will provide you with a DNS server. But these servers don’t do anything other than direct you to the proper server based on the DNS records. For example, if you are visiting Google.com, the address “Google.com” will be translated to the corresponding IP address of Google’s servers.

Tip 3 – Use a DNS server that offers security

OpenDNS, part of Cisco, does a little bit more than simply redirecting you to the proper server. It will protect you from phishing websites, malware, botnets and malicious websites. It also offers parental controls so you can add some web filtering to your network.

By changing the DNS server at the router level, your whole home network will be more secure. Every device is automatically protected by the DNS servers.

Besides the security advantages for your home network, OpenDNS is also one of the fastest DNS servers. It will translate the requested domain name (google.com for example) up to 3 times faster than the default DNS servers of your ISP.

If you want to know more about DNS servers and are more interested in finding the fastest DNS Server, then make sure you read this article.

Firewalls

The best firewalls are not installed on your computer but are hardware-based: built in to your router, or maybe even a dedicated firewall device. For home users the most common firewall is the one built in to the router.

Always keep the firewall in the router turned on, and if your router doesn’t come with a firewall, make sure you buy a good router that has one. Firewalls protect your network from potential cyber attacks by blocking all unknown network traffic.

If you want to use a program or game that is unable to connect, don’t disable the firewall, but open the specific port that the game or program needs.

Step 2 – Wireless Network Security

Another important part of your home network is your wireless network. The WiFi network is broadcast through your house and can even be reached outside your house. Because the wireless network is preconfigured when you buy a router or access point, most people don’t look at the settings at all, resulting in a network security risk.

As part of your home network security plan you should take a few minutes to secure your wireless network. Remember, it’s all about adding layers to your network security. The more layers you add, the more difficult it will be for someone to gain access to your network.

Changing the default passwords

As always with network equipment, start with changing the default password. The default logins are provided by the manufacturers and can be found on the internet. So the first thing you do is change the default password to a strong and secure one.

Don’t use the same password for all your network equipment. Generate a password in KeePass for each device and store it in your KeePass database.

Disable WPS

Most routers or access points are equipped with WPS, WiFi Protected Setup. This allows you as a user to easily connect a device with the push of a button on your router. Behind the WPS protocol is only an 8-digit PIN code that “secures” the connection.

Without pushing the button, you can try to connect to the WPS-enabled network by using the PIN code. The problem with WPS is that it only checks the first 4 digits, making it really easy to crack. When you use the button to connect, the connection information is broadcast for a couple of minutes, allowing any device to connect to the network.

So if you find WPS is enabled on your router, disable it, because leaving it on is a huge home network security risk.

Change the default wireless network

Every access point comes with a preconfigured wireless network. The wireless network name (SSID) and password can most of the time be found on the back or bottom of the device.

By changing the default wireless network name you make it harder for hackers to find out what type of router or access point you have. If they know the manufacturer of your device they can easily find the security vulnerabilities of your device.

Give your wireless network a name that says nothing about you. So don’t name it after your family name or house address. Also, make sure you add a strong password to it: at least 12 characters, but the more the better. Using a password sentence is a good way to create secure passwords.

Use secure protocols

Always use the latest security protocols for your wireless network. WEP and WPA are outdated and shouldn’t be used anymore. Every device these days can connect to a wireless network that is secured with WPA2.

The advantage of WPA2 is that it uses the latest security protocols and AES encryption, making sure the network traffic can’t be intercepted.

WPA3 is coming up and you will see more devices in 2019 supporting WPA3. If you have a router or access point that supports WPA3, make sure that your client devices (mobile phones, computers) also support it.
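To check the two points above (network name and security protocol) from a laptop, here is an added example that is not part of the original guide. It assumes a Linux client and scan lines in the `SSID:SECURITY` shape printed by `nmcli -t -f SSID,SECURITY device wifi list`; the sample scan, the SSIDs and the vendor prefix list are constructed for illustration.

```python
import re

# Constructed sample scan (terse nmcli output: SSID:SECURITY), not real networks.
SAMPLE_SCAN = """\
NETGEAR47:WPA2
Smith Family:WPA1 WPA2
blue-heron:WPA2 WPA3
OldPrinter:WEP
CoffeeGuest:
"""

# Illustrative, not exhaustive: name prefixes that give away the device maker.
DEFAULT_PREFIXES = ("netgear", "linksys", "tp-link", "dlink")
OUTDATED = {"WEP", "WPA1"}  # the guide's "WEP and WPA are outdated"

def parse_scan(text):
    """Return {ssid: set of security modes} from terse nmcli lines."""
    networks = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # The SECURITY field never contains ':', so split on the last one.
        ssid, _, security = line.rpartition(":")
        ssid = re.sub(r"\\(.)", r"\1", ssid)  # undo nmcli's backslash escaping
        networks[ssid] = set(security.replace("--", "").split())
    return networks

def audit(text, my_ssids):
    """Check only the networks you own; return a list of (ssid, finding)."""
    networks = parse_scan(text)
    findings = []
    for ssid in my_ssids:
        if ssid not in networks:
            findings.append((ssid, "not seen in scan"))
            continue
        modes = networks[ssid]
        if not modes:
            findings.append((ssid, "open network, no encryption"))
        elif modes & OUTDATED:
            old = ", ".join(sorted(modes & OUTDATED))
            findings.append((ssid, "outdated protocol enabled: " + old))
        if ssid.lower().startswith(DEFAULT_PREFIXES):
            findings.append((ssid, "default-looking name reveals the device maker"))
    return findings

if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE_SCAN, ["NETGEAR47", "Smith Family", "blue-heron"]):
        print(f"{ssid}: {finding}")
```

A network that still lists WPA1 next to WPA2 is running in mixed mode; set the router to WPA2 only (or WPA2/WPA3) to clear the finding.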

Turning your wireless network off

Some articles online recommend turning your wireless network off when you are not home. Now this might seem a logical thing to do: if your network equipment is turned off, nobody can hack it.

But keep in mind that these days we have more and more smart home equipment in the house that requires a network connection to function. Your smart thermostat won’t work if it can’t get access to the internet. Your lights won’t turn on, or your security camera can’t send an alert when it detects motion.

Use MAC Address filtering

By default, every device that knows the wireless network password can access the network. If you really want to beef up your security you should enable MAC address filtering. A MAC address is a unique network address that every network device has.

With MAC address filtering you can really control which devices are allowed to access your network. But this requires looking up the MAC address of every device and adding it manually to your router or access point. Not really user friendly, but a real security improvement.

An easy way to find the MAC addresses of your current network devices is Advanced IP Scanner. This tool scans your network and lists the IP and MAC address of every device.
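Once you have a list of allowed MAC addresses, you can compare it against what is actually on the network. The following is an added example, not part of the original guide: it assumes Linux `ip neigh` output rather than Advanced IP Scanner, and the sample output and allow list are constructed. It also flags locally administered addresses, which phones often use as per-network private addresses and which will not match a filter entry copied from the device label.

```python
import re

# Constructed sample of `ip neigh` output (Linux); not from a real network.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr a4:2b:b0:11:22:33 REACHABLE
192.168.1.20 dev wlan0 lladdr 3C:22:FB:AA:BB:CC STALE
192.168.1.37 dev wlan0 lladdr da:a1:19:5e:04:7f REACHABLE
192.168.1.50 dev wlan0  FAILED
192.168.1.61 dev wlan0 lladdr 00:11:32:de:ad:01 DELAY
192.168.1.72 dev wlan0 lladdr b8:27:eb:01:02:03 REACHABLE
"""

# Hypothetical allow list, in the mixed formats people copy from device labels.
ALLOWED = ["A4-2B-B0-11-22-33", "3c22.fbaa.bbcc", "00:11:32:DE:AD:01"]

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_randomized(mac):
    """Bit 0x02 of the first octet marks a locally administered address."""
    return bool(int(mac[:2], 16) & 0x02)

def parse_neighbours(output):
    """Yield (ip, mac) for every entry that has a link-layer address."""
    for line in output.splitlines():
        fields = line.split()
        if "lladdr" in fields[:-1]:
            mac = normalize_mac(fields[fields.index("lladdr") + 1])
            if mac:
                yield fields[0], mac

def audit(output, allowed):
    """Return (ip, mac, note) for each device that is not on the allow list."""
    allow = {normalize_mac(m) for m in allowed}
    findings = []
    for ip, mac in parse_neighbours(output):
        if mac not in allow:
            note = ("locally administered (private/random) MAC"
                    if is_randomized(mac) else "unknown device")
            findings.append((ip, mac, note))
    return findings

if __name__ == "__main__":
    for ip, mac, note in audit(SAMPLE_NEIGH, ALLOWED):
        print(ip, mac, note)
```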

Update the firmware

Just like with your router, update the firmware of your access point. This way you are up to date with the latest security fixes for your network device.

Use a separate guest network

If you have guests coming over they might want to use your wireless network. That is pretty normal, but keep in mind that their computer or mobile phone can have a virus on it. By giving them access to your network you risk that they infect your computers as well.

By creating a separate guest network you prevent this from happening. Check out this article if you want to know more about creating a guest network.

Step 3 – Securing the client devices

The last step in our home network security guide is securing the clients (your computer and mobile phones). By using OpenDNS we already added a security layer for our clients as well. But there is more to do.

Make sure you keep your devices up to date. Windows updates can be annoying, but they will protect you against known security issues. Other important programs, like your browser, Java and PDF readers, should be updated regularly as well.

Anti Virus

Most people have anti-virus software on their computer. It protects you against common and known viruses, which is good. But the real threat these days is ransomware that encrypts every file and photo on your computer.

The only way to protect against this is to use an advanced antivirus that can recognize the patterns of ransomware and block or kill the process before it can do real damage. Personally, I am a great fan of Sophos. I have used it for more than 10 years now, both in enterprise and in home environments. Sophos isn’t well known in the consumer market, but it’s one of the leading antivirus solutions in the corporate world.

Tip 4 – Invest in good anti ransomware software

The antivirus solution from Sophos is free for 3 devices, but I really recommend you spend the $50 a year for the Premium version. It allows you to install Sophos on 10 devices and protects you against malware, ransomware, viruses and even new unknown viruses.

Just give the trial a go. Sophos Home comes with a central dashboard to manage all the devices and set up things like parental controls if you want.

Check if your accounts are compromised

While you might have done everything to protect your home network, your online accounts are important as well. Big sites, like LinkedIn and Adobe, have been hacked before. These kinds of sites are honeypots for hackers: they contain millions of accounts, and when hacked the data can be sold to other criminals.

You can easily check whether your account has been breached, based on your email address. Just run it through HaveIBeenPwned and set up a notification.

Final thoughts on Home Network Security

Remember that digital assets are harder to replace than physical things. If your TV is stolen you can easily replace it. Yes, it will cost you money, but you can buy a new one. If your holiday photos or the photos of your kids are lost due to ransomware, you can’t replace them.

So you should take securing your home network really seriously. Invest in a good router and decent antivirus / anti-ransomware software. Take your time to go through the settings of your router and access point and make sure you use strong passwords.

If you have any questions, just drop a comment.
