Safe Home Networks

Building and maintaining a safe home network today has become both more difficult and more necessary than ever now that IoT, the Internet of Things, has filled our homes with smart devices that are hackable computers. I’ve talked about the necessity of securing IoT on home networks here and here, but now I’ll get down to actions that increase control of your network of screenless computing devices.

I was tempted to begin this post with a shot at shaming folks into home network security: “you can’t manage what you can’t measure.” The quote has been attributed at various times to Edward Deming and Peter Drucker, two thinkers who have shaped my notions of management of computer systems.

But, you know, that saying is hogwash and neither Deming nor Drucker said it.

There’s no question that both Drucker and Deming favored measurement and data, but they never fooled themselves into avoiding management when metrics were lacking. You can manage a home network with a reasonable effort to gather data without the tedium that drives you to neglect security. Always shoot for tangible benefits, not perfection.

Network elements and safe home networks

Telecommunications IT uses a technical term: network element, which I like. The term is general enough to capture everything important about your home network. My rough and ready definition of a network element is “anything that matters on a network.”

The apps you have installed on your phones, laptops, and tablets, the services you subscribe to, along with the devices themselves, are network elements. The smart sensors and apps that control your thermostat, your kitchen appliances, and your security system are also network elements. Anything that affects the safety, efficiency, or usefulness of your network is a network element.

Well-managed IT environments maintain something called a configuration management database (CMDB), which is an inventory of network elements. Thousands of entries are common in the CMDB of a medium-sized business.

CMDBs are, frankly, a pain to maintain. Enterprises invest heavily in automating CMDB creation and maintenance. An accurate CMDB tells technicians where to look to solve problems. More important, it is also a roadmap for heading off issues before they occur.

Whether you solve your own home network issues or call in an expert, the equivalent of a CMDB will help maintain a safe home network.

Home CMDBs

A few years ago, the idea of a home CMDB was preposterous overkill. Typical home networks consisted of some kind of modem for connecting to the Internet, a personal computer, and maybe a printer. That’s all of three network elements. Not even worth entering in a spreadsheet. In the early days of home computing, looking over your desk and glancing at the floppy disks and CDs in the old shoebox next to your PC did as much as you could wish for a CMDB.

That was the old days. As I am writing this, I have 16 devices connected to my home router and an additional 16 that have connected recently, for a total of 32 devices. Worse, when I look at the device list on my router, a few of the entries are familiar, but most of them show as strings of hexadecimal digits (0-9 and A-F).

Unless your brain is staggeringly computation oriented, a list like that is meaningless. After fifty years of working with computers, I’m used to reading hexadecimal, but the device list on our home router is still tough.

Nevertheless, that wild list contains all the hardware network elements for an effective CMDB and a safe home network.

Let’s tame it.

IP and MAC addresses

On current networks, all devices have two addresses; some also have a name. One address is called the IP address. IP stands for “Internet Protocol”. This address shows where the device is connected to the network. If you know the IP address of a device, you can send a message to it. Great. But an IP address is only temporary, changing as devices move around and network conditions change. The IP address of your laptop is one thing when you’re at home, and a different address when you’re at a coffeeshop, school, work, or wherever, as your connection to the network changes.

Every device that connects to the network has a second address called the Medium Access Control address, or MAC. MACs are unique serial numbers that are burned in when a network connection component is manufactured. They appear as a sequence of 12 hexadecimal digits, usually separated into groups of 2 with a hyphen (-) or a colon (:). They are fixed until replaced or physically altered. The MAC can be used to trace the manufacturer of the component.

Well, that used to be true. There are now ways to change MAC addresses in software. But for now, assume MAC addresses never change because it is unlikely in a home network.

The network name of a computer is usually assigned by the user when the operating system, like Windows, is installed. Depending on the imagination of the owner, network names can be mundane like “MyPC” or fanciful, like “SherlocksDamnEggPlant”. These names are seldom seen outside local networks and often go a long way toward making CMDBs comprehensible. Unfortunately, many devices don’t have a network name, or they are hexadecimal gobbledygook, usually the device’s MAC.

Network names are human friendly, IP addresses direct messages, and MAC addresses unambiguously identify devices. In real life, Jim Smith is the equivalent of a network name, his street address is like an IP address, and his social security number is his MAC address. “Jim Smith” is not enough to pick your Jim from the thousands of Jim Smiths out there. With his street address you could send him a letter, but to really nail old Jim, you need his social. It’s the same on a network. But most of the time, for practical home network management, you need a recognizable network name to go with the MAC.

Tracking network elements at home

If your connected device list is all recognizable network names, you’re home free, but that’s not likely. So the first task in taming that connected device list is to figure out some way to make the list from your router understandable.

Finding the MAC of a Windows, Apple, Unix, or Linux computer is easy. On a Windows PC, you can go to the command or the PowerShell window and enter “ipconfig /all”. You’ll get a screenful of information. Look for the “Physical Address”, Microsoft’s term for MAC. On Linux or Unix, on a command line, type “ifconfig -a”. Again, you’ll get a screenful. Find the line that begins “ether”, “HWaddr” or “lladdr”. Look for 12 hexadecimal digits separated by hyphens or colons.
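To avoid hunting through that screenful by eye, the output can be saved to a file and searched for the labels named above. The following is an added example, not part of the original post; the sample outputs and their addresses are constructed, and the English label "Physical Address" is assumed (localized Windows versions print a different label).

```python
import re

# Labels named in the text: "Physical Address" (Windows ipconfig /all) and
# "ether", "HWaddr", "lladdr" (ifconfig -a on Linux/Unix variants).
LABEL = re.compile(
    r"(?:Physical Address[ .]*:|\bether|\bHWaddr|\blladdr)\s+(\S+)")
# Exactly six hex pairs separated by hyphens or colons.
MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

def extract_macs(output):
    """Return [(interface, mac)] found in ipconfig/ifconfig text output."""
    found, section = [], None
    for line in output.splitlines():
        if line.strip() and not line[0].isspace():
            # An unindented line starts a new adapter/interface section.
            text = line.strip()
            if text.endswith(":"):
                section = text[:-1]                    # Windows adapter header
            else:
                section = text.split()[0].rstrip(":")  # ifconfig interface name
        m = LABEL.search(line)
        # Skip values that are not 6-byte MACs, e.g. 8-byte tunnel addresses.
        if m and MAC.fullmatch(m.group(1)):
            found.append((section, m.group(1).replace("-", ":").lower()))
    return found

# Constructed sample of "ipconfig /all" output (addresses are made up).
WINDOWS_SAMPLE = """\
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 3C-22-FB-AA-BB-CC

Tunnel adapter Example Tunnel:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Constructed sample mixing newer and older "ifconfig -a" layouts.
LINUX_SAMPLE = """\
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.23  netmask 255.255.255.0  broadcast 10.0.0.255
        ether a4:5e:60:11:22:33  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth0      Link encap:Ethernet  HWaddr 00:1A:2B:3C:4D:5E
"""

if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, LINUX_SAMPLE):
        for interface, mac in extract_macs(sample):
            print(f"{mac}  {interface}")
```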

You can find MAC addresses for your phones in the system settings. You may have to poke around. Look for MAC address, physical address, Wi-Fi address, and other variations. It will always be 12 hex digits.

For other devices, finding the MAC is a pain but possible. Frequently, you can go to the settings for the device and find the MAC under network settings. However, it’s not always easy. For example, I could not find a MAC address for the Amazon Firesticks we have on our TVs.

The procedure I followed was to go around the house making a list of all the MACs I could find with descriptions of the devices. That still left me with several unexplained entries on the router list. A network with unknown devices is not a safe home network.
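The comparison between the walk-around list and the router's device list can be done mechanically. The following is an added example, not part of the original post: the inventory, router rows and addresses are constructed, and the "randomized" category relies on the locally administered bit of the first octet, which software-assigned addresses such as a phone's private Wi-Fi address normally set.

```python
import re

# Six hex pairs with one consistent separator: hyphen, colon, or none.
MAC_RE = re.compile(
    r"[0-9A-Fa-f]{2}([-:]?)(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")

def normalize_mac(raw):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if raw is not a MAC."""
    raw = raw.strip()
    if not MAC_RE.fullmatch(raw):
        return None
    digits = re.sub(r"[-:]", "", raw).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True when the address was assigned in software, not burned in."""
    return bool(int(mac[:2], 16) & 0x02)

def reconcile(router_rows, inventory):
    """Compare the router's (label, mac) rows with the home inventory."""
    known = {normalize_mac(m): desc for m, desc in inventory.items()}
    report = {"known": [], "unknown": [], "randomized": [], "not_seen": []}
    seen = set()
    for label, raw_mac in router_rows:
        mac = normalize_mac(raw_mac)
        if mac is None:
            report["unknown"].append((raw_mac, label))  # unparseable entry
            continue
        seen.add(mac)
        if mac in known:
            report["known"].append((mac, known[mac]))
        elif is_locally_administered(mac):
            # Likely a phone or tablet using a private address: identify
            # the device by hand and record it, or it stays unexplained.
            report["randomized"].append((mac, label))
        else:
            report["unknown"].append((mac, label))
    report["not_seen"] = sorted(set(known) - seen)  # inventoried but offline
    return report

# Constructed inventory from the walk around the house.
INVENTORY = {
    "00-1A-2B-3C-4D-5E": "Office laser printer",
    "a4:5e:60:11:22:33": "Living-room Firestick",
    "3C:22:FB:AA:BB:CC": "Laptop",
}
# Constructed rows as copied from a router device list (label, MAC).
ROUTER_ROWS = [
    ("printer", "00:1a:2b:3c:4d:5e"),
    ("A45E60112233", "A45E60112233"),
    ("unknown", "da:a1:19:00:11:22"),
    ("", "F0-9F-C2-01-02-03"),
]

if __name__ == "__main__":
    for category, rows in reconcile(ROUTER_ROWS, INVENTORY).items():
        print(category, rows)
```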

Network scanning apps

My next step was to look for network scanning apps. Several are available for Android, and I assume for iPhones. I tried some. As near as I can see, they all scan local network traffic for MACs, then use the MAC to guess the device. The guesses are not perfect. Fing, the best of the Android scanning apps I tried, told me that my Microsoft Surface Pro tablet was a Lumia smart phone: the correct vendor, but the wrong device. However, Fing did identify the two Amazon Firesticks we have in use and offered clues to other devices on my router’s list.

Dead reckoning

I happened to install a new simple monochrome laser jet printer on our network this week, which illustrated what I consider the proper way to maintain a home CMDB. After connecting the printer to the wireless network, I checked the router device list and noted the MAC of the new entry. Done. Accurate and easy. Do that every time you add a new device and your home CMDB is always right.

Another dead reckoning type solution is to change the password on your home network, force every device to re-register, and record the devices as you give them the new password. That’s a sensible step to take occasionally anyway, especially if, like me, you are willing to reveal your network password to guests when they want to use your network connection. However, the more people and devices that have your password, the greater the chances of intrusion.

Your guest may not be malicious, but if their device on which your network password has been entered inadvertently falls into bad hands, an intruder may be able to extract the password to your network. If there are teenagers in your house, they are likely to be casual about passing around wireless access, which doesn’t bother me, but they and their guests are also more careless than experienced and wary adults about losing devices.

My approach is to change the network password after I offer access to all but the most trustworthy of guests. In 2020, a year in which we have had few guests, I haven’t changed our password at all.

Record keeping

What do you do with this compiled information? For a list of 30 devices, a spreadsheet like Microsoft Excel would work well. But I have a simpler solution. On my home network, I have a Technicolor router-cable modem supplied by Comcast, which is not my favorite corporation, but the fastest and most reliable source for home broadband in my area. I’ve used various modems, routers, Wi-Fi endpoints and other networking gear in the past, and lately have settled on the convenience of a router-modem supplied by my service vendor.

The router management app supplied by Comcast is much better than some I have used. It supports user comments on the device listing, which is a useful feature. Instead of an independent spreadsheet, I’ve added comments explaining each entry exactly. So far, this has been both easy and effective.

In a future posting, I will get more into how you can use this rough and ready CMDB to help solve issues on your home network as they arise.

Securing Home Wi-Fi

Almost everyone knows that they should secure their home wi-fi network, but many people don’t realize that in addition to your wi-fi password, you should also set the password for your home network router. I promised at my presentation at the Ferndale Public Library on personal computer security that I would explain why and how to change your router password. This blog fulfills that promise.

On Saturday March 7 and 14, 3:00 pm, I will repeat the Ferndale presentations I gave on personal computer security and privacy online at the Lynden Public Library.

Your Wi-Fi Network Password

Today, establishing a password for your network is almost automatic. When you set up your home network with your network service provider, like Comcast, you are prompted to use a password, often printed on a label stuck to the modem-router combination supplied by your network service provider.

I suggest you change the supplied password to one of your own choice for two reasons. First, if your provider has a dishonest employee (let’s face it – that does happen on rare occasions) they won’t have access to your network password. Consequently, if your provider has to work on your system, they’ll have to ask for the password. That may be a slight inconvenience, but I prefer it that way. The risk to using a unique network password supplied by your network service provider is not great, but setting your own password is easy, so I prefer to avoid the small risk.

Second, the provider-supplied password is random and hard to remember. Your home network password is one you have to use infrequently, but you do have to use it when you add a new device. I prefer a password I can remember instead of having to find the sticker, write the password down on paper, use it, then remember to destroy the paper so a neighbor kid won’t pick it up and run up my wi-fi bill streaming bandwidth-hog video games. A long nonsense phrase can be both hard to crack and easy to remember. Choose a phrase that doesn’t get hits on Google searches, like “3horsesdrank2muchcarrotjuice!”.

I would not try to store your wi-fi network password in a password manager. You might be able to do it, but it will probably be too awkward to bother with. Most password managers are not designed to interact with wi-fi sign-ons. Choose your phrase and write it down, then store the paper in a safe place. Unless you are gaga for network gizmos, you’ll only use your network password a few times a year, so you might forget it. If you have a home safe for your important papers, that might be a good storage choice. You should be aware that stolen wi-fi is a master hacker’s network access of choice. They’ve been known to use directional antennas to pick up insecure or loosely secured wi-fi from blocks away.

As a side note, your router may have a button you can push to avoid having to look up and type in the network password when you add a new device. This method is not totally secure if you have an attentive hacker in your vicinity. I choose not to use the button.

If you think you are being victimized by bandwidth thieves, change your network password and set up a device white list on your router. I’ll explain what I mean by a white list in another blog.

Having set your network password, there is another password that you should take care of: your router password. Router passwords are not part of your first line of defense. A hacker must first break into your network in order to make use of your router password, but if you leave the default password on your router, which it will be if you don’t change it, a hacker who breaches your network can do much more damage than one who can’t get to your router.

Routers

Your router is your connection to the Internet. It is a specialized computer that routes messages to and from the computers on your home wi-fi network to the rest of the network. As computers go, a home router is very good at what it does, but it could be replaced by an ordinary personal computer running special programs. Early home networks were often implemented by designating a PC as the local network router and loading it with routing software and extra network interface cards, but home routers are now so cheap and convenient, I don’t think anyone does that anymore. Today, most home routers are a combination device comprised of a modem, which transforms incoming signals on the wire connection to something usable by the home network, a wireless radio transmitter-receiver, and a router.

Typically, you access your home router today by logging on through a web browser. After you log on, you can change the way your home network interacts with the network and your network provider. The default settings on your router fairly effectively protect you from intrusion from the outside. Fresh out of the box, home routers are set up so that all interaction with computers outside the home network must originate from inside the home network. Although it may seem like the outside world is always sending you stuff, almost without exception, a computer on your home network has initiated an interaction and the outside world is responding to its requests. This fundamental pattern can be changed in many ways by changing the configuration of the router, sometimes for good reason. For example, some group interactive games require a different communications pattern. But criminals would like nothing better than to be able to send messages to your home devices at will. A bad guy with your router password could fix it so you can’t get to your own network or arrange to use your network to attack others. Changing your router’s password to something only you know ensures that only you can mess with it.

Changing a Router Password

Changing a router password is not difficult, but it could take you into unfamiliar territory. You may want to call in an expert to help you out. Never change anything but the router password if you do not fully understand what you are changing.

Overview

Here are the steps:

  1. Find your router default administrator name from the documentation that came with the router. Usually, the name is “admin” and the password is “password”, but not always.
  2. Determine the router IP address.
  3. Bring up the router in your web browser and enter the admin name and password.
  4. Navigate to the place where you can change the password.
  5. Change the password.
  6. Store it in your password manager. (Password managers handle router passwords just fine because you access them through your web browser.)

How To Determine Router IP Address

You can determine the router address from any device on your home network because the most basic requirement for connecting to the Internet is knowing the address of the router that controls the Internet connection. Some devices are easier than others. On a Windows 10 desktop, laptop, or tablet, bring up Settings (the gear symbol). Select Network & Internet, which will open the “Status” page. Towards the bottom of the page select “View your network properties.” You will see a page something like this:

Windows refers to the router IP address as the “Default Gateway.” On Apple, you can do something similar by going to “System Preferences”, clicking on the “Network” icon, and looking for the “Router” label.

Router IP addresses are often “10.0.0.1” or “198.168.0.1”. If you want to skip finding the correct address, odds are good that you will get your router by trying these. If both fail, try “10.0.1.1” or “198.168.1.1”. Beyond those guesses, I’d take the long way and look up network properties.

Access Router with Web Browser

All you have to do is type your router IP address into the address line in your web browser, like this:

What will appear on the screen will depend on the router. You will probably be challenged for a username and password. If you haven’t changed them, they will be the factory-set default for the router. You can look them up in the documentation for your router. Most likely, they are “admin” and “password” or something equally obvious. You are likely to find documentation for your router, or router-modem combination online. Look for the make and model on the physical device and search online.

Change Router Password

At this point, you are on your own with your router documentation, although the steps to change the password will probably be obvious. If you use a password manager, it will probably offer to generate a random password and store it for you. I would consider taking the offer.

While you are logged on to your router, take a look around, although I would be cautious about changing anything unless you know what you are doing. Your router is the control center for your home network and the key to home network security. An intruder with access can open your network up to all sorts of mischief. That is why changing from the default password, which is accessible to anyone, is so important.