Safer Home Networks

As each day passes, home network security becomes more important for many of us. Working from home in the pandemic lockdowns boosted home networks from conveniences to necessities. Although returning to the office is now considered safe, many of us have discovered that we prefer to work from home some, if not all the time. Savvy employers have begun to insist on security standards when home networks are used for work and those of us who are self-employed at home must tend to our own safety.

Do home networks need to be segmented? Not always, but as our lives become more and more wired, the benefits of segmentation have increased.

Much can be done to increase safety. A key network security principle is network segmentation.

Segmentation is a cybersecurity concept derived from the same principle that governs ships built with watertight compartments. If a single compartment springs a leak, the ship still floats. If the security of one network segment is breached, the rest of the network is still safe.

Businesses and other organizations have long practiced segmented physical security. All employees may have a key or code to open the employee entrance, but smart organizations have separate keys for each department. Widely distributing keys that open every lock in the business is dangerous. A criminal or rogue employee with the key to everything can steal everything.

In a typical physically segmented business, one section of the office is accounting. Only people from the accounting department have keys to the accounting offices. Only shipping employees have access to the shipping room, and only some of them have keys to the warehouse. And so on.

Risk-averse businesses segment their computer networks the same way. Typically, an air-conditioning technician cannot reach accounting files, and an accountant cannot reach the heating and air-conditioning controls. Unsegmented networks have been the scenes of devastating attacks, such as the 2013 Target breach, in which a heating and air-conditioning contractor’s network credentials were used to reach Target’s payment systems and steal customer card data. A better-segmented network, one in which a vendor account for building systems had no path to the payment network, would have made that catastrophe far harder.

Folks may remember that in the dark days before we were touched by the wireless light, each computer in the house had a modem attached to a phone line. While the modem was connected, anyone who picked up a phone was treated to an earful of painful screeches. Compute-intensive households had separate phone lines for each computer. DSL (Digital Subscriber Line), which is still around but no longer as common, removed the need for separate phone lines and introduced routers to home computing. The day you install a home router, you have a home network.

Home networks today are seldom as complicated as those of large businesses and other organizations, but many still require sophisticated administration.

I remember well when we got our first DSL modem and wireless router. How luxurious it felt to wander into the living room in stocking feet, sit down on the couch, and connect to the office on a laptop without plugging anything in. Never mind that it was the beginning of twenty-four-seven working days for many of us. Now broadband connections via cable or fiber often replace DSL for higher bandwidth connections but the home wireless router still prevails.

Critical Changes For Home Networks

  • Everyone, including the kids, now has a smartphone that packs a computer considerably more powerful than the beige-box desktops that started home computing. Smartphones connect to home wireless routers whenever they have the chance.
  • Homes have embraced the “Internet of Things” (IoT). We now have doorbells, entrance locks, and security and heating systems that connect to our wireless routers so we can control them remotely through our smartphones.

At our house, the refrigerator, the kitchen range, and the microwave all want to connect to the world wide web. Network-connected speakers like Amazon’s Echo with Alexa, home entertainment systems, and health monitors are now common.

For the last decade, one of the cheapest and easiest features to add to a household appliance has been an interface for remote control through a smartphone app. Too often, these devices come from product designers with scant training in network security and are seldom updated after they are sold, so many of them are easily hacked. A thief might use your internet-connected video doorbell to learn when you are away and break into your house while you are gone. Your smart lock might just pop open when the thief arrives.

A segmented network protects each segment from damage originating in the others, and each segment can be configured to permit activities that would be dangerous elsewhere.

Typical Home Network Segments

Cyber security experts generally agree that a typical home network, especially when residents work from home some of the time, benefits from being divided into at least three segments: 1) home computing, 2) Internet of Things (IoT), and 3) guests.

The home computing segment is a home network as it was before our computing life got complicated. It contains the desktops, laptops, tablets, and phones of the primary residents. Within this segment, resources such as files and printers can be shared, and, when necessary, one computer can access another. Most people keep their email, financial records, and financial accounts here. For a writer like me, my manuscripts are stored locally in this segment. The segment often holds home business records. Folks with online storefronts administer their storefront and access their business records through this segment.

The IoT segment is the wild west. The devices there are not quite trustworthy. It’s bad enough that a criminal might hack into your smart doorbell, but giving the miscreant access to your bank account and business documents doubles down on trouble. Isolating this segment allows you to take advantage of the convenience of networked devices without quite opening a vein in your arm for the crooks.

The guest segment is valuable when you have teenagers in the house who bring in friends. Sharing internet connections with visitors is basic hospitality these days, but keeping your home network secure can be a problem. You may not mind sharing your network password with your brother, but you have to worry about your kids’ squirrelly friends who just might leave their smartphone with access to your home network on a park bench or in the video arcade. Worse, even good kids might use the colossal bad judgement of adolescence to hack your system just to see if they can.

Even if kids don’t visit, you can’t be sure that all your friends are as careful as you are about keeping phones free from dangerous apps and criminal bots waiting to rob your network blind. A network segment with a special password that permits connections with the outside world, but not to the devices in your home, protects you from the mistakes of your guests.
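The three segments above amount to a rule about who may start a connection to whom: home may reach the internet and the IoT devices, IoT and guests may reach only the internet, and nothing may initiate a connection into the home segment. The Python below is an added example, not code from this post or from any router vendor. It writes that rule down as a matrix, checks the matrix for the one mistake that matters (an untrusted segment that can initiate into the home segment), and renders it as an nftables forward chain for a Linux-based router. The interface names br-home, br-iot, br-guest and wan are assumptions for the example; substitute the names your own gear uses.

```python
"""Segment policy for a three-segment home network: home, IoT, guest.

Added example, not from the original post. Interface names (br-home, br-iot,
br-guest, wan) are assumptions for a Linux-based router; adapt to your gear.
"""

# Segment name -> router interface that carries it (assumed names).
SEGMENTS = {
    "home": "br-home",
    "iot": "br-iot",
    "guest": "br-guest",
    "internet": "wan",
}

# Segments that untrusted devices must never be able to *start* a connection into.
PROTECTED = {"home"}

# Connections that may be initiated, as (source, destination). Anything absent is
# dropped. Replies flow back through connection tracking, so a laptop in "home"
# can open a session to a smart plug in "iot", but the plug cannot open one to
# the laptop.
ALLOWED = {
    ("home", "internet"),
    ("home", "iot"),
    ("iot", "internet"),
    ("guest", "internet"),
}


def may_initiate(src, dst, allowed=ALLOWED):
    """Can a device in segment src open a new connection into segment dst?

    Traffic inside one segment never crosses the router, so it is always allowed
    here; keeping guests from seeing each other is an access-point setting
    (client isolation), not a forwarding rule.
    """
    if src == dst:
        return True
    return (src, dst) in allowed


def policy_violations(allowed=ALLOWED, protected=PROTECTED):
    """Return every allowed pair that lets an untrusted segment reach a protected one."""
    return sorted(
        (src, dst)
        for src, dst in allowed
        if dst in protected and src != dst and src not in protected
    )


def render_nftables(allowed=ALLOWED, segments=SEGMENTS):
    """Emit an nftables forward chain enforcing the matrix.

    Default policy is drop; replies to already-allowed connections are accepted
    by state; then one accept rule per allowed (source, destination) pair.
    """
    lines = [
        "table inet segments {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for src, dst in sorted(allowed):
        lines.append(
            f'        iifname "{segments[src]}" oifname "{segments[dst]}" accept'
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    problems = policy_violations()
    if problems:
        raise SystemExit(f"matrix lets untrusted segments into home: {problems}")
    print(render_nftables())
```

The check in policy_violations is the point: a matrix is easy to get wrong by adding a convenient ("iot", "home") entry so a smart speaker can find the media server, and that single line is exactly what hands a compromised IoT device a path to your laptop. Run the check every time you touch the matrix, then load the rendered chain with nft.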

Next Steps

In the best of all worlds, I would now give you quick and easy instructions for implementing a segmented home network. I can’t. The market is still catching up and implementing a segmented home network is not simple enough to describe here. For our house, I have a jury-rigged setup that reuses an old router and a network switch that I happened to have lying around. I did some fancy configuration that I would not wish on anyone but myself.

For most people, investing in professional help may be the solution. Expect to pay for some new equipment. If you want to try setting up your own segmented network, the article “An Updated Guide to Do-It-Yourself Network Segmentation” contains some specific information. I caution you that newer hardware may be available, but it will get you started.

You’ll end up with a password for each part of your home network, but you will be safer.

Safe Home Networks

Building and maintaining a safe home network has become both more difficult and more necessary than ever now that IoT, the Internet of Things, has filled our homes with smart devices that are hackable computers. I’ve written about the necessity of securing IoT on home networks in earlier posts, but now I’ll get down to actions that increase control of your network of screenless computing devices.

I was tempted to begin this post with a shot at shaming folks into home network security: “you can’t manage what you can’t measure.” The quote has been attributed at various times to W. Edwards Deming and Peter Drucker, two thinkers who have shaped my notions of management of computer systems.

But, you know, that saying is hogwash and neither Deming nor Drucker said it.

There’s no question that both Drucker and Deming favored measurement and data, but they never fooled themselves into avoiding management when metrics were lacking. You can manage a home network with a reasonable effort to gather data without the tedium that drives you to neglect security. Always shoot for tangible benefits, not perfection.

Network elements and safe home networks

Telecommunications IT uses a technical term: network element, which I like. The term is general enough to capture everything important about your home network. My rough and ready definition of a network element is “anything that matters on a network.”

The apps you have installed on your phones, laptops, and tablets, the services you subscribe to, along with the devices themselves, are network elements. The smart sensors and apps that control your thermostat, your kitchen appliances, and your security system are also network elements. Anything that affects the safety, efficiency, or usefulness of your network is a network element.

Well-managed IT environments maintain something called a configuration management database (CMDB), which is an inventory of network elements. Thousands of entries are common in the CMDB of a medium size business.

CMDBs are, frankly, a pain to maintain. Enterprises invest heavily in automating CMDB creation and maintenance. An accurate CMDB tells technicians where to look to solve problems. More important, they are also a roadmap for heading off issues before they occur.

Whether you solve your own home network issues or call in an expert, the equivalent of a CMDB will help maintain a safe home network.

Home CMDBs

A few years ago, the idea of a home CMDB was preposterous overkill. Typical home networks consisted of some kind of modem for connecting to the Internet, a personal computer, and maybe a printer. That’s all of three network elements. Not even worth entering in a spreadsheet. In the early days of home computing, looking over your desk and glancing at the floppy disks and CDs in the old shoebox next to your PC did as much as you could wish for a CMDB.

That was the old days. As I am writing this, I have 16 devices connected to my home router and an additional 16 that have connected recently, for a total of 32 devices. Worse, when I look at the device list on my router, a few of the entries are familiar, but most of them show as strings of hexadecimal digits (0-9 and A-F).

Unless your brain is staggeringly computation oriented, a list like that is meaningless. After fifty years of working with computers, I’m used to reading hexadecimal, but the device list on our home router is still tough.

Nevertheless, that wild list contains all the hardware network elements for effective CMDB and safe home network.

Let’s tame it.

IP and MAC addresses

On current networks, every device has two addresses, and some also have a name. One is the IP address; IP stands for “Internet Protocol”. The IP address says where on the network a device can be reached; if you know a device’s IP address, you can send a message to it. Great. But an IP address is only temporary. On a home network it is usually handed out by the router (through DHCP) and can change as devices come and go, and your laptop gets a different address at home, at a coffee shop, at school or at work, because each network assigns its own.

Every device that connects to the network has a second address called the Medium Access Control address, or MAC. A MAC is a unique serial number burned into the network interface when it is manufactured. It appears as 12 hexadecimal digits, usually in groups of two separated by a hyphen (-) or a colon (:). The first six digits, the OUI assigned by the IEEE, identify the manufacturer of the interface, so a MAC can be used to trace who made the component. MACs stay fixed until the interface is replaced or physically altered.

Well, that used to be true. MAC addresses can now be changed in software, and recent phones do so on their own: iOS 14 and Android 10 and later use a random “private” Wi-Fi address for each network by default, so the MAC your router shows for a phone is not the one burned into its radio. For a home network the address is still stable enough to track a device from one visit to the next, but a phone that does not match any MAC you found in its settings may simply be using a randomized address; the per-network setting can be turned off in the phone’s Wi-Fi options if you prefer. For the rest of this post, assume MAC addresses do not change.

The network name of a computer is usually assigned by the user when the operating system, like Windows, is installed. Depending on the imagination of the owner, network names can be mundane like “MyPC” or fanciful, like “SherlocksDamnEggPlant”. These names are seldom seen outside local networks and often go a long way toward making CMDBs comprehensible. Unfortunately, many devices don’t have a network name, or they are hexadecimal gobbledygook, usually the device’s MAC.

Network names are human friendly, IP addresses direct messages, and MAC addresses unambiguously identify devices. In real life, Jim Smith is the equivalent of a network name, his street address is like an IP address, and his social security number is his MAC address. “Jim Smith” is not enough to pick your Jim from the thousands of Jim Smiths out there. With his street address you could send him a letter, but to really nail old Jim, you need his social. It’s the same on a network. But most of the time, for practical home network management, you need a recognizable network name to go with the MAC.

Tracking network elements at home

If your connected device list is all recognizable network names, you’re home free, but that’s not likely. So the first task in taming that connected device list is to figure out some way to make the list from your router understandable.

Finding the MAC of a Windows, Apple, Unix, or Linux computer is easy. On a Windows PC, open a command prompt or PowerShell window and enter “ipconfig /all”. You’ll get a screenful of information; look for “Physical Address”, Microsoft’s term for the MAC. On a Mac or on older Linux and Unix systems, type “ifconfig -a” at a command line; on current Linux distributions, which often omit ifconfig, type “ip link”. Again, you’ll get a screenful. Find the line that begins “ether”, “link/ether”, “HWaddr” or “lladdr”, and look for 12 hexadecimal digits separated by hyphens or colons.

You can find MAC addresses for your phones in the system settings. You may have to poke around. Look for MAC address, physical address, Wi-Fi address, and other variations. It will always be 12 hex digits.

For other devices, finding the MAC is a pain but possible. Frequently, you can go to the settings for the device and find the MAC under network settings. However, it’s not always easy. For example, I could not find a MAC address for the Amazon Firesticks we have on our TVs.

The procedure I followed was to go around the house making a list of all the MACs I could find with descriptions of the devices. That still left me with several unexplained entries on the router list. A network with unknown devices is not a safe home network.

Network scanning apps

My next step was to look for network scanning apps. Several are available for Android, and I assume for iPhones. I tried some. As near as I can see, they all scan local network traffic for MACs, then use the MAC to guess the device. The guesses are not perfect. Fing, the best of the Android scanning apps I tried, told me that my Microsoft Surface Pro tablet was a Lumia smart phone: the correct vendor, but the wrong device. However, Fing did identify the two Amazon Firesticks we have in use and offered clues to other devices on my router’s list.

Dead reckoning

I happened to install a new simple monochrome laser printer on our network this week, which illustrated what I consider the proper way to maintain a home CMDB. After connecting the printer to the wireless network, I checked the router device list and noted the MAC of the new entry. Done. Accurate and easy. Do that every time you add a new device and your home CMDB is always right.

Another dead reckoning type solution is to change the password on your home network, which forces every device to reconnect, and record each device as you give it the new password. That’s a sensible step to take occasionally anyway, especially if, like me, you are willing to reveal your network password to guests when they want to use your connection. However, the more people and devices that have your password, the greater the chances of intrusion.

Your guest may not be malicious, but if a device on which your network password has been entered falls into the wrong hands, an intruder may be able to extract the password to your network. If there are teenagers in your house, they are likely to be casual about passing around wireless access, which doesn’t bother me, but they and their guests are also more careless than experienced and wary adults about losing devices.

My approach is to change the network password after I offer access to all but the most trustworthy of guests. In 2020, a year in which we have had few guests, I haven’t changed our password at all.

Record keeping

What do you do with this compiled information? For a list of 30 devices, a spreadsheet like Microsoft Excel would work well. But I have a simpler solution. On my home network, I have a Technicolor router-cable modem supplied by Comcast, which is not my favorite corporation, but the fastest and most reliable source for home broadband in my area. I’ve used various modems, routers, Wi-Fi endpoints and other networking gear in the past, and lately have settled on the convenience of a router-modem supplied by my service vendor.

The router management app supplied by Comcast is much better than some I have used. It supports user comments on the device listing, which is a useful feature. Instead of an independent spreadsheet, I’ve added comments explaining each entry exactly. So far, this has been both easy and effective.
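Here is the reconciliation described under “Tracking network elements at home” and “Dead reckoning” as a script: compare what the router shows against your inventory and flag whatever is left over. This is an added example, not code from the original post or from any router vendor; the router export, the inventory and the OUI prefix table are constructed for illustration (the prefix is made up, not a real IEEE assignment). One thing the script adds to the procedure in the post: it tests the “locally administered” bit of each unknown MAC, which is set on the randomized addresses modern phones use, so those entries are labelled as probable phones rather than mystery hardware.

```python
"""Tame the router's device list: match MACs to a home inventory (a home CMDB).

Added example, not from the original post. The router export, the inventory and
the OUI table below are constructed for the example; the OUI entry is a made-up
prefix, not a real IEEE assignment.
"""
import csv
import io
import re

# Constructed stand-in for the device list a home router shows (name, IP, MAC).
# Nameless entries are the "hexadecimal gobbledygook" the post describes.
ROUTER_LIST = """\
hostname,ip,mac
LivingRoomPrinter,192.168.0.23,3C-2A-F4-11-22-33
,192.168.0.41,F0-0D-CA-AA-BB-CC
MyLaptop,192.168.0.10,D8:F3:BC:01:02:03
,192.168.0.57,5E-17-9B-44-55-66
"""

# The home CMDB: one line per device you have identified by hand, in whatever
# MAC spelling you copied from the device's settings screen.
INVENTORY = """\
mac,description
3c:2a:f4:11:22:33,Brother laser printer (office)
d8f3bc010203,Surface Pro laptop
"""

# Hypothetical OUI table (first three octets -> maker). Scanner apps such as
# Fing do this lookup against the full IEEE registry.
OUI_TABLE = {
    "f0:0d:ca": "ExampleCam Inc.",
}

MAC_DIGITS = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonical form aa:bb:cc:dd:ee:ff, or None if the text is not a MAC.

    Accepts hyphens, colons, dots or no separators, in either case.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "").lower()
    if not MAC_DIGITS.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Burned-in addresses have it clear; a set bit means the address was chosen in
    software, which on a home network usually means a phone randomizing its MAC.
    """
    return int(mac[:2], 16) & 0x02 != 0


def vendor_of(mac):
    """Maker guessed from the OUI prefix, the way scanner apps do it."""
    return OUI_TABLE.get(mac[:8], "unknown vendor")


def load_inventory(text):
    """mac -> description, with every MAC normalized so spellings don't matter."""
    return {normalize_mac(r["mac"]): r["description"]
            for r in csv.DictReader(io.StringIO(text))}


def reconcile(router_text, inventory_text):
    """Annotate each router entry as known, unknown, or malformed.

    Returns a list of (mac, ip, status). Unknown devices are the ones to chase:
    either add them to the inventory or get them off the network.
    """
    inventory = load_inventory(inventory_text)
    report = []
    for row in csv.DictReader(io.StringIO(router_text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            report.append((row["mac"], row["ip"], "MALFORMED MAC"))
        elif mac in inventory:
            report.append((mac, row["ip"], "known: " + inventory[mac]))
        elif is_locally_administered(mac):
            report.append((mac, row["ip"],
                           "UNKNOWN (randomized MAC; likely a phone or guest laptop)"))
        else:
            report.append((mac, row["ip"], "UNKNOWN (" + vendor_of(mac) + ")"))
    return report


def unknown_devices(report):
    """Just the entries that still need a name in the inventory."""
    return [entry for entry in report if not entry[2].startswith("known")]


if __name__ == "__main__":
    result = reconcile(ROUTER_LIST, INVENTORY)
    for mac, ip, status in result:
        print(f"{mac:17}  {ip:15}  {status}")
    print(f"{len(unknown_devices(result))} device(s) still unidentified")
```

To use it against your own router, export or paste the device page into the ROUTER_LIST format and keep INVENTORY as the spreadsheet the post suggests; the normalization step is what makes the colon-separated MAC from a phone’s settings screen match the hyphenated one the router prints.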

In a future posting, I will get more into how you can use this rough and ready CMDB to help solve issues on your home network as they arise.

Securing Home Wi-Fi

Almost everyone knows that they should secure their home wi-fi network, but many people don’t realize that in addition to your wi-fi password, you should also set the password for your home network router. I promised at my presentation at the Ferndale Public Library on personal computer security that I would explain why and how to change your router password. This blog fulfills that promise.

On Saturday, March 7 and 14, at 3:00 pm, I will repeat the Ferndale presentations I gave on personal computer security and privacy online at the Lynden Public Library.

Your Wi-Fi Network Password

Today, establishing a password for your network is almost automatic. When you set up your home network with your network service provider, like Comcast, you are prompted to use a password, often printed on a label stuck to the modem-router combination supplied by your network service provider.

I suggest you change the supplied password to one of your own choice for two reasons. First, if your provider has a dishonest employee (let’s face it, that does happen on rare occasions), they won’t have access to your network password. Consequently, if your provider has to work on your system, they’ll have to ask for the password. That may be a slight inconvenience, but I prefer it that way. The risk of using a unique network password supplied by your network service provider is not great, but setting your own password is easy, so I prefer to avoid the small risk.

Second, the provider-supplied password is random and hard to remember. Your home network password is one you use infrequently, but you do have to use it when you add a new device. I prefer a password I can remember instead of having to find the sticker, write the password down on paper, use it, then remember to destroy the paper so a neighbor kid won’t pick it up and run up my wi-fi bill streaming bandwidth-hog video games. A long nonsense phrase can be both hard to crack and easy to remember. Choose a phrase that doesn’t get hits on Google searches, like “3horsesdrank2muchcarrotjuice!”.

I would not try to store your wi-fi network password in a password manager. You might be able to do it, but it will probably be too awkward to bother with. Most password managers are not designed to interact with wi-fi sign-ons. Choose your phrase and write it down, then store the paper in a safe place. Unless you are gaga for network gizmos, you’ll only use your network password a few times a year, so you might forget it. If you have a home safe for your important papers, that might be a good storage choice. You should be aware that stolen wi-fi is a master hacker’s network access of choice. They’ve been known to use directional antennas to pick up insecure or loosely secured wi-fi from blocks away.

As a side note, your router may have a button (Wi-Fi Protected Setup, or WPS) you can push to avoid having to look up and type in the network password when you add a new device. WPS is not totally secure if you have an attentive hacker in your vicinity, and its PIN form has well-known weaknesses, so it is best switched off in the router settings. I choose not to use the button.

If you think you are being victimized by bandwidth thieves, change your network password and set up a device white list on your router. I’ll explain what I mean by a white list in another blog.

Having set your network password, there is another password you should take care of: your router password. Router passwords are not part of your first line of defense; a hacker must first get onto your network in order to make use of one. But if you leave the default password on your router, which is what it will be if you never change it, a hacker who breaches your network can do much more damage than one who can’t get into the router.

Routers

Your router is your connection to the Internet. It is a specialized computer that routes messages between the computers on your home wi-fi network and the rest of the network. As computers go, a home router is very good at what it does, but it could be replaced by an ordinary personal computer running special programs. Early home networks were often implemented by designating a PC as the local network router and loading it with routing software and extra network interface cards, but home routers are now so cheap and convenient that I don’t think anyone does that anymore. Today, most home routers are a combination device made up of a modem, which transforms the incoming signal on the wire into something usable by the home network, a wireless radio transmitter-receiver, and a router.

Typically, you access your home router today by logging on through a web browser. After you log on, you can change the way your home network interacts with the wider network and your network provider. The default settings on your router fairly effectively protect you from intrusion from the outside, provided remote administration (managing the router from the Internet side) is switched off, as it usually is by default. Fresh out of the box, home routers are set up so that all interaction with computers outside the home network must originate from inside the home network. Although it may seem like the outside world is always sending you stuff, almost without exception, a computer on your home network has initiated an interaction and the outside world is responding to its requests. This fundamental pattern can be changed in many ways by changing the configuration of the router, sometimes for good reason. For example, some group interactive games require a different communications pattern. But criminals would like nothing better than to be able to send messages to your home devices at will. A bad guy with your router password could lock you out of your own network, point your devices at a malicious DNS server, open your devices to the Internet, or arrange to use your network to attack others. Changing your router’s password to something only you know ensures that only you can mess with it.

Changing a Router Password

Changing a router password is not difficult, but it could take you into unfamiliar territory. You may want to call in an expert to help you out. Never change anything but the router password if you do not fully understand what you are changing.

Overview

Here are the steps:

  1. Find your router default administrator name from the documentation that came with the router. Usually, the name is “admin” and the password is “password”, but not always.
  2. Determine the router IP address.
  3. Bring up the router in your web browser and enter the admin name and password.
  4. Navigate to the place where you can change the password.
  5. Change the password.
  6. Store it in your password manager. (Password managers handle router passwords just fine because you access them through your web browser.)

How To Determine Router IP Address

You can determine the router address from any device on your home network because the most basic requirement for connecting to the Internet is knowing the address of the router that controls the Internet connection. Some devices are easier than others. On a Windows 10 desktop, laptop, or tablet, bring up Settings (the gear symbol). Select Network & Internet, which will open the “Status” page. Towards the bottom of the page select “View your network properties.” The page that opens lists the properties of each network adapter.

Windows refers to the router IP address as the “Default Gateway.” On a Mac, open “System Preferences”, click the “Network” icon, select your connection, and look for the “Router” label; for Wi-Fi connections it is under the Advanced button on the TCP/IP tab.

Router IP addresses are often “10.0.0.1” or “192.168.0.1”. If you want to skip finding the correct address, odds are good that you will reach your router by trying these. If both fail, try “10.0.1.1” or “192.168.1.1”. Home routers use private addresses, from the 10.x.x.x, 172.16–31.x.x, or 192.168.x.x ranges; an address such as “198.168.0.1” is a public address and is not your router. Beyond those guesses, I’d take the long way and look up the network properties.
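The gateway lookup in the steps above, and the MAC lookup from “ipconfig /all” described earlier in this post, can be scripted. The following Python is an added example, not code from the original post. It parses constructed sample output from “ipconfig /all” (Windows) and “ip route” (Linux), handles the case where Windows lists an IPv6 gateway first and continues the IPv4 one on the next, unlabeled line, and checks that the address you found is actually a private one before you type it into a browser. When run directly it executes the real command for your operating system; the sample text is for illustration and was not captured from any particular machine.

```python
"""Find your router's address (and your own MAC) from the tools the post names.

Added example, not from the original post. The parsers run on constructed sample
output embedded below; run_detection() runs the real command on your machine.
"""
import ipaddress
import platform
import re
import subprocess

# Constructed sample of `ipconfig /all` from a Windows PC (not from a real machine).
# Note the IPv6 gateway on the labeled line and the IPv4 one continued below it.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wi-Fi Adapter
   Physical Address. . . . . . . . . : D8-F3-BC-01-02-03
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# Constructed sample of `ip route` from a Linux laptop.
IP_ROUTE_SAMPLE = """\
default via 10.0.0.1 dev wlan0 proto dhcp metric 600
10.0.0.0/24 dev wlan0 proto kernel scope link src 10.0.0.57 metric 600
"""


def gateways_from_ipconfig(text):
    """IPv4 default gateways listed in `ipconfig /all` output."""
    found = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Default Gateway" not in line:
            continue
        chunk = [line.split(":", 1)[1]]
        # Unlabeled continuation lines hold further gateway addresses; the
        # next labeled field or a blank line ends the block.
        for cont in lines[i + 1:]:
            token = cont.strip()
            try:
                ipaddress.ip_address(token)
            except ValueError:
                break
            chunk.append(token)
        for token in " ".join(chunk).split():
            try:
                found.append(str(ipaddress.IPv4Address(token)))
            except ValueError:
                pass  # IPv6 gateway or stray text; the post wants the IPv4 one
    return found


def macs_from_ipconfig(text):
    """'Physical Address' values (the MACs), normalized to lowercase colon form."""
    pattern = r"Physical Address[ .]*:\s*([0-9A-Fa-f-]{17})"
    return [m.lower().replace("-", ":") for m in re.findall(pattern, text)]


def gateway_from_ip_route(text):
    """Default gateway from Linux `ip route` output, or None if there is none."""
    m = re.search(r"^default via (\S+)", text, re.M)
    return m.group(1) if m else None


def describe_gateway(ip):
    """URL to type into the browser plus a sanity check on the address."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        note = "private address: this is almost certainly your home router"
    else:
        note = "not a private address: you may be on a public network or reading a typo"
    return f"http://{ip}/", note


def run_detection():
    """Run the native command for this OS and return the gateway, or None."""
    system = platform.system()
    if system == "Windows":
        out = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
        gateways = gateways_from_ipconfig(out)
        return gateways[0] if gateways else None
    if system == "Linux":
        out = subprocess.run(["ip", "route"], capture_output=True, text=True).stdout
        return gateway_from_ip_route(out)
    return None  # macOS: use the Network preference pane as the post describes


if __name__ == "__main__":
    gateway = run_detection()
    if gateway is None:
        print("could not detect the gateway automatically; follow the steps in the post")
    else:
        url, note = describe_gateway(gateway)
        print(url, "-", note)
```

The private-address check is the caveat worth keeping: if the gateway you read off the screen is not in a private range, you are either on someone else’s network or have misread a digit, and either way you should not be typing an administrator password into whatever answers at that address.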

Access Router with Web Browser

All you have to do is type your router IP address into the address line in your web browser (for example, http://192.168.0.1) and press Enter.

What will appear on the screen will depend on the router. You will probably be challenged for a username and password. If you haven’t changed them, they will be the factory-set default for the router. You can look them up in the documentation for your router. Most likely, they are “admin” and “password” or something equally obvious, although many newer routers print a unique administrator password on the label instead. You are likely to find documentation for your router, or router-modem combination, online. Look for the make and model on the physical device and search online.

Change Router Password

At this point, you are on your own with your router documentation, although the steps to change the password will probably be obvious. If you use a password manager, it will probably offer to generate a random password and store it for you. I would consider taking the offer.

While you are logged on to your router, take a look around, although I would be cautious about changing anything unless you know what you are doing. Your router is the control center for your home network and the key to home network security. An intruder with access can open your network up to all sorts of mischief. That is why changing from the default password, which is accessible to anyone, is so important.