Safe Home Networks

Building and maintaining a safe home network today has become both more difficult and more necessary than ever now that IoT, the Internet of Things, has filled our homes with smart devices that are hackable computers. I’ve talked about the necessity of securing IoT on home networks here and here, but now I’ll get down to actions that increase control of your network of screenless computing devices.

I was tempted to begin this post with a shot at shaming folks into home network security: “you can’t manage what you can’t measure.” The quote has been attributed at various times to W. Edwards Deming and Peter Drucker, two thinkers who have shaped my notions of managing computer systems.

But, you know, that saying is hogwash and neither Deming nor Drucker said it.

There’s no question that both Drucker and Deming favored measurement and data, but they never fooled themselves into avoiding management when metrics were lacking. You can manage a home network with a reasonable effort to gather data without the tedium that drives you to neglect security. Always shoot for tangible benefits, not perfection.

Network elements and safe home networks

Telecommunications IT uses a technical term that I like: network element. The term is general enough to capture everything important about your home network. My rough and ready definition of a network element is “anything that matters on a network.”

The apps you have installed on your phones, laptops, and tablets, the services you subscribe to, along with the devices themselves, are network elements. The smart sensors and apps that control your thermostat, your kitchen appliances, and your security system are also network elements. Anything that affects the safety, efficiency, or usefulness of your network is a network element.

Well-managed IT environments maintain something called a configuration management database (CMDB), which is an inventory of network elements. Thousands of entries are common in the CMDB of a medium-sized business.

CMDBs are, frankly, a pain to maintain. Enterprises invest heavily in automating CMDB creation and maintenance. An accurate CMDB tells technicians where to look to solve problems. More importantly, it is also a roadmap for heading off issues before they occur.

Whether you solve your own home network issues or call in an expert, the equivalent of a CMDB will help maintain a safe home network.

Home CMDBs

A few years ago, the idea of a home CMDB was preposterous overkill. Typical home networks consisted of some kind of modem for connecting to the Internet, a personal computer, and maybe a printer. That’s all of three network elements. Not even worth entering in a spreadsheet. In the early days of home computing, looking over your desk and glancing at the floppy disks and CDs in the old shoebox next to your PC did as much as you could wish for a CMDB.

That was the old days. As I am writing this, I have 16 devices connected to my home router and an additional 16 that have connected recently, for a total of 32 devices. Worse, when I look at the device list on my router, a few of the entries are familiar, but most of them show as strings of hexadecimal digits (0-9 and A-F).

Unless your brain is staggeringly computation oriented, a list like that is meaningless. After fifty years of working with computers, I’m used to reading hexadecimal, but the device list on our home router is still tough.

Nevertheless, that wild list contains all the hardware network elements needed for an effective CMDB and a safe home network.

Let’s tame it.

IP and MAC addresses

On current networks, all devices have two addresses, and some also have a name. One address is called the IP address. IP stands for “Internet Protocol”. This address shows where the device is connected to the network. If you know the IP address of a device, you can send a message to it. Great. But an IP address is only temporary, changing as devices move around and network conditions change. The IP address of your laptop is one thing when you’re at home, and a different address when you’re at a coffee shop, school, work, or wherever, as your connection to the network changes.

Every device that connects to the network has a second address called the Medium Access Control address, or MAC. MACs are unique serial numbers that are burned in when a network connection component is manufactured. They appear as a sequence of 12 hexadecimal digits, usually separated into groups of 2 by a hyphen (-) or a colon (:). They are fixed until the component is replaced or physically altered. The MAC can be used to trace the manufacturer of the component.

Well, that used to be true. There are now ways to change MAC addresses in software. But for now, assume MAC addresses never change, because a change is unlikely on a home network.

The network name of a computer is usually assigned by the user when the operating system, like Windows, is installed. Depending on the imagination of the owner, network names can be mundane, like “MyPC”, or fanciful, like “SherlocksDamnEggPlant”. These names are seldom seen outside local networks and often go a long way toward making CMDBs comprehensible. Unfortunately, many devices don’t have a network name, or their names are hexadecimal gobbledygook, usually the device’s MAC.

Network names are human friendly, IP addresses direct messages, and MAC addresses unambiguously identify devices. In real life, Jim Smith is the equivalent of a network name, his street address is like an IP address, and his Social Security number is his MAC address. “Jim Smith” is not enough to pick your Jim from the thousands of Jim Smiths out there. With his street address you could send him a letter, but to really nail down old Jim, you need his Social Security number. It’s the same on a network. But most of the time, for practical home network management, you need a recognizable network name to go with the MAC.

Tracking network elements at home

If your connected device list is all recognizable network names, you’re home free, but that’s not likely. So the first task in taming that connected device list is to figure out some way to make the list from your router understandable.

Finding the MAC of a Windows, Apple, Unix, or Linux computer is easy. On a Windows PC, open a Command Prompt or PowerShell window and enter “ipconfig /all”. You’ll get a screenful of information. Look for the “Physical Address”, Microsoft’s term for MAC. On Linux or Unix, on a command line, type “ifconfig -a”. Again, you’ll get a screenful. Find the line that begins “ether”, “HWaddr” or “lladdr”. Look for 12 hexadecimal digits separated by hyphens or colons.

You can find MAC addresses for your phones in the system settings. You may have to poke around. Look for MAC address, physical address, Wi-Fi address, and other variations. It will always be 12 hex digits.

For other devices, finding the MAC is a pain but possible. Frequently, you can go to the settings for the device and find the MAC under network settings. However, it’s not always easy. For example, I could not find a MAC address for the Amazon Firesticks we have on our TVs.

The procedure I followed was to go around the house making a list of all the MACs I could find with descriptions of the devices. That still left me with several unexplained entries on the router list. A network with unknown devices is not a safe home network.

Network scanning apps

My next step was to look for network scanning apps. Several are available for Android, and I assume for iPhones. I tried some. As near as I can see, they all scan local network traffic for MACs, then use the MAC to guess the device. The guesses are not perfect. Fing, the best of the Android scanning apps I tried, told me that my Microsoft Surface Pro tablet was a Lumia smart phone: the correct vendor, but the wrong device. However, Fing did identify the two Amazon Firesticks we have in use and offered clues to other devices on my router’s list.
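The router list, the MAC formats printed by ipconfig and ifconfig, and the vendor guesses that apps like Fing make all rest on the same few facts about a MAC address: the first three octets are a manufacturer prefix (the IEEE OUI registry), and one bit in the first octet marks an address as software-assigned rather than burned in, which is how the per-network MAC randomization on recent phones shows up in a router list. The script below is an added example, not code from the original post or from any router or scanning app. It normalizes the separator styles routers and operating systems use, flags randomized addresses so they are not chased as unknown hardware, and guesses the vendor from a small constructed stand-in for the OUI registry (one real Raspberry Pi prefix, the rest made up); the device list is constructed as well.

```python
"""Triage a home router's device list by MAC address (added example)."""
import re
from typing import Dict, List, Optional

# Constructed stand-in for the IEEE OUI registry: first three octets -> vendor.
# A real tool would load the published registry file instead of this table.
OUI_TABLE = {
    "B8:27:EB": "Raspberry Pi Foundation",   # real, well-known prefix
    "00:11:22": "Example Printer Co.",       # constructed
    "A8:BB:CC": "Example Streaming Stick",   # constructed
}


def normalize_mac(raw: str) -> str:
    """Return a MAC as upper-case, colon-separated octets.

    Accepts 'b8-27-eb-12-34-56', 'b8:27:eb:12:34:56', 'b827.eb12.3456'
    and bare 'b827eb123456'. Anything that is not 12 hex digits raises,
    so a garbled router entry fails loudly instead of being recorded.
    """
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True if bit 1 of the first octet is set.

    Burned-in addresses have this bit clear; software-assigned and
    randomized addresses set it (second hex digit is 2, 6, A or E).
    """
    return bool(int(mac[0:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """True if bit 0 of the first octet is set: a group address, not a device."""
    return bool(int(mac[0:2], 16) & 0x01)


def vendor_of(mac: str) -> Optional[str]:
    """Manufacturer from the OUI prefix; None if randomized or not in the table."""
    if is_locally_administered(mac):
        return None          # the prefix is random, not an assigned OUI
    return OUI_TABLE.get(mac[0:8])


def triage(device_list: str) -> List[Dict]:
    """Parse 'MAC  IP  [name]' lines and annotate each entry."""
    rows = []
    for line in device_list.strip().splitlines():
        raw_mac, ip, *name = line.split()
        mac = normalize_mac(raw_mac)
        rows.append({
            "mac": mac,
            "ip": ip,
            "name": " ".join(name) or None,
            "vendor": vendor_of(mac),
            "randomized": is_locally_administered(mac),
        })
    return rows


# Constructed sample of what a router's device page might show.
ROUTER_LIST = """
b8-27-eb-12-34-56  192.168.1.20
3A:5F:01:AA:BB:CC  192.168.1.31
00-11-22-33-44-55  192.168.1.40  LaserPrinter
a8bb.cc01.0203     192.168.1.52
"""

if __name__ == "__main__":
    for row in triage(ROUTER_LIST):
        if row["randomized"]:
            tag = "randomized MAC: probably a phone or laptop, not new hardware"
        else:
            tag = row["vendor"] or "unknown vendor: find this device"
        print(f'{row["mac"]}  {row["ip"]:<14} {row["name"] or "-":<13} {tag}')
```

The randomized flag is the check worth keeping even without a vendor table: a phone that joins the network under a fresh random MAC after a password change or a "forget network" will otherwise look like a brand-new unknown device.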

Dead reckoning

I happened to install a new simple monochrome laser jet printer on our network this week, which illustrated what I consider the proper way to maintain a home CMDB. After connecting the printer to the wireless network, I checked the router device list and noted the MAC of the new entry. Done. Accurate and easy. Do that every time you add a new device and your home CMDB is always right.

Another dead reckoning type solution is to change the password on your home network, which forces every device to re-register, and record the devices as you give them the new password. That’s a sensible step to take occasionally anyway, especially if, like me, you are willing to reveal your network password to guests when they want to use your network connection. However, the more people and devices that have your password, the greater the chances of intrusion.

Your guest may not be malicious, but if their device, on which your network password has been entered, inadvertently falls into bad hands, an intruder may be able to extract the password to your network. If there are teenagers in your house, they are likely to be casual about passing around wireless access, which doesn’t bother me, but they and their guests are also more careless than experienced and wary adults about losing devices.

My approach is to change the network password after I offer access to all but the most trustworthy of guests. In 2020, a year in which we have had few guests, I haven’t changed our password at all.

Record keeping

What do you do with this compiled information? For a list of 30 devices, a spreadsheet like Microsoft Excel would work well. But I have a simpler solution. On my home network, I have a Technicolor router-cable modem supplied by Comcast, which is not my favorite corporation, but the fastest and most reliable source for home broadband in my area. I’ve used various modems, routers, Wi-Fi endpoints and other networking gear in the past, and lately have settled on the convenience of a router-modem supplied by my service vendor.

The router management app supplied by Comcast is much better than some I have used. It supports user comments on the device listing, which is a useful feature. Instead of an independent spreadsheet, I’ve added comments explaining each entry exactly. So far, this has been both easy and effective.
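The dead reckoning routine above (note the one new MAC right after adding a device) and the record keeping (a comment per device) can be combined into a small reconciliation step that does the comparison for you. The script below is an added example, not code from the original post or from the Comcast router app. It assumes the router does not offer per-device comments, so the record lives in a plain text file with one "MAC  description" line per device; the file contents and the before/after router snapshots are constructed. It reports devices on the router that are not in the record (the ones to investigate), records a newly added device only when exactly one MAC is new, and lists recorded devices that are not currently connected.

```python
"""Reconcile a plain-text home CMDB with the router's device list (added example)."""
import re
from typing import Dict, List, Set


def normalize_mac(raw: str) -> str:
    """Upper-case, colon-separated form, whatever separator the source used."""
    digits = re.sub(r"[-:.]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_cmdb(text: str) -> Dict[str, str]:
    """Parse 'MAC  description' lines; '#' starts a comment, blank lines are ignored."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, _, description = line.partition(" ")
        entries[normalize_mac(mac)] = description.strip()
    return entries


def parse_router_list(text: str) -> Set[str]:
    """The first field of each non-empty line is the MAC; the rest is ignored."""
    return {normalize_mac(line.split()[0]) for line in text.splitlines() if line.strip()}


def reconcile(cmdb: Dict[str, str], seen: Set[str]) -> Dict[str, List[str]]:
    """Split the router's list into known, unknown and missing devices.

    unknown: connected but not recorded -> identify and record, or remove.
    missing: recorded but not connected now -> normal for phones and laptops.
    """
    return {
        "known": sorted(seen & cmdb.keys()),
        "unknown": sorted(seen - cmdb.keys()),
        "missing": sorted(cmdb.keys() - seen),
    }


def record_new_device(cmdb_text: str, before: str, after: str, description: str) -> str:
    """Dead reckoning: the single MAC present after adding a device but not
    before is that device. Refuses to guess if the count is not exactly one."""
    new = parse_router_list(after) - parse_router_list(before)
    if len(new) != 1:
        raise ValueError(f"expected exactly one new device, found {len(new)}: {sorted(new)}")
    mac = new.pop()
    return cmdb_text.rstrip("\n") + f"\n{mac}  {description}\n"


# Constructed record file: one line per device, comments allowed.
CMDB_TEXT = """
# Home CMDB: MAC  description
B8:27:EB:12:34:56  Raspberry Pi in the den (static 192.168.1.20)
00:11:22:33:44:55  kitchen laptop
"""

# Constructed router snapshots taken before and after connecting a printer.
BEFORE = """
b8-27-eb-12-34-56  192.168.1.20
00-11-22-33-44-55  192.168.1.21
3a-5f-01-aa-bb-cc  192.168.1.31
"""
AFTER = BEFORE + "a8-bb-cc-01-02-03  192.168.1.40\n"

if __name__ == "__main__":
    cmdb = load_cmdb(CMDB_TEXT)
    print("before adding the printer:", reconcile(cmdb, parse_router_list(BEFORE)))
    updated = record_new_device(CMDB_TEXT, BEFORE, AFTER, "laser printer, upstairs hall")
    print("after recording it:", reconcile(load_cmdb(updated), parse_router_list(AFTER)))
```

Run once a week or whenever the router list looks unfamiliar; the "unknown" entry that survives both runs in the sample (the 3A:5F:01 address) is exactly the kind of entry the post says makes a network unsafe until it is explained.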

In a future posting, I will get more into how you can use this rough and ready CMDB to help solve issues on your home network as they arise.

4 Replies to “Safe Home Networks”

  1. Hi Marv,

    I saw your link to the symptoms of a hacked phone on social media and subsequently read it. I didn’t know that was a phenomenon but I’m not surprised. I like this article too. I just recently invested much time feebly learning about home networks and your article has helped add to my knowledge. Thanks and Hi from Ferndale.

    1. Phone hacking does occur. I posted here on avoiding having your phone compromised a couple years ago. I reviewed the post this morning and it is still valid. The principles are the same as cyber hygiene in general, but phones are special. Personally, my biggest concerns about phones relate to privacy. Everyone should be aware that unless you are very careful, it is not hard to pinpoint your location any time you have your phone with you. This may not bother you, but consider that a smart house breaker could check if you are inside or close by before assaulting your home. If they see you are a hundred miles away, they might assume they can take their time.

  2. Great idea, Steve. I have a few static IPs on my home network. For instance, I have a Linux box that I have set up with a LAMP stack that I use as a private sandbox. I have clones of my websites on it that I use for testing.

    The old bear is jammed in a corner with an old display, so I prefer to access it from other devices spread through the house. Nailing it down with a static non-routable IP is convenient because I don’t have to worry about DHCP shuffling IPs. I also took an old fashioned route and gave it a name in the hosts files. I intend, one of these days, to try using Dropbox to sync the hosts files on the laptops and tablets I have scattered through the house. I don’t have much incentive to do that because I haven’t changed a host file in a couple years.

    As an aside, I actually had some good things to say about 2020 over on vinemaple.net

    Hope you have a happy and healthy Christmas and New Year.
    Marv

  3. Great article! Suggest you (try to) explain the nuances of the routable IP address assigned to the modem and the non-routable addresses (192.168.x.x) assigned by the modem for household device use. Usually, it just works, but sometimes…
