Practical privacy and simple cybersecurity.
TheNewOil.org

Network Security

In my first blog post this month, I decided to focus on cybersecurity basics in celebration of October being Cybersecurity Awareness Month. Originally the blog was “5 Cyber Security Basics” and included Network Security as #5, however as I began to write that portion it quickly ballooned into a bigger topic that nearly doubled the post length and deserved its own deep dive. So this week, let’s pick up on that topic and really dig in.

If you have internet at home – as most of us do – you can leverage your router for added device protection, and in some cases add protections that may otherwise not normally be available. For example, a smart TV rarely (if ever) allows you to load a VPN on the device, but putting one on your router can give you that same protection. Here are a few basic pieces of network protection that I will discuss in order of accessibility:

1. Change default passwords

Try this: go to your favorite privacy-respecting search engine and search “[your router model number] default login.” You may be surprised to see that your router probably has a pre-programmed login – especially if it’s inexpensive – and that many forums and websites share that default information for lots of perfectly valid reasons. Most people don’t bother to change this information, and furthermore most people don’t bother to change the router’s default IP address – usually 192.168.1.1. If an attacker were able to access your network, they could easily find your router login page, determine what type of router you’re using (it usually says on the login page) and then do the same search you just did. So the first line of defense, and one anyone can manage, is to change the default login on your router. At a bare minimum, you should change the password, but most routers also allow you to change the username too. You should also change the default IP address while you’re at it.

2. Use a good passphrase for the WiFi

If you’re like me, the first question you ask in most new places – especially if it’s someone you know somewhat well – is “what’s the WiFi?” If you set up your guest WiFi appropriately – discussed further down – then you’ll probably be more than happy to let people log in. But you also want to make sure only approved people log in. The easiest way to do that is to use a strong password, but trying to tell your friends to log in using the password “h+h{u3eUda.i2k7E” is a nightmare. Instead, I personally have found it extremely easy to use a 6-word passphrase for the WiFi; when people ask, I say “it’s all lowercase, with spaces” and then read off the words to them one at a time (or just hand them a piece of paper). Your friends may laugh at your over-the-top password, but in my experience they also express a degree of respect for having such a strong one, and because it's all words it's still relatively easy for them to type in.
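To show what the 6-word, all-lowercase, space-separated passphrase above buys you, here is an added example (not code from the post or from TheNewOil) that generates one with the OS random source and compares its entropy with the 16-character random password quoted above. The word list embedded here is a constructed placeholder; a real setup would load a full diceware-style list, and the 7,776-word count of the EFF long list is only used for the arithmetic.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style list (the EFF long list has 7,776
# words). A list this small is NOT secure; it exists only so the block runs offline.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orbit", "pepper",
]
EFF_LONG_LIST_SIZE = 7776   # size of the real list you would load from disk


def generate_passphrase(words, count=6):
    """Pick `count` words with the OS CSPRNG (secrets, never random) and join with spaces."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(picks, pool_size):
    """Entropy of `picks` independent uniform choices from a pool of `pool_size` symbols."""
    return picks * math.log2(pool_size)


def is_valid_passphrase(phrase, words, count=6):
    """The form the post describes: exactly `count` lowercase list words, single spaces."""
    parts = phrase.split(" ")
    return len(parts) == count and all(p in words and p.islower() for p in parts)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print(phrase, is_valid_passphrase(phrase, SAMPLE_WORDS))
    print(f"6 words from the EFF long list: {entropy_bits(6, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"16 random printable ASCII chars: {entropy_bits(16, 94):.1f} bits")
```

Six words from a 7,776-word list give about 77.5 bits, less than the 16-character random string (about 104.9 bits from 94 printable characters) but far easier to read out loud and type.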

3. Enable a firewall

Most routers come with a built-in firewall. This may or may not be sufficient for more advanced tasks, like blocking known IP addresses of trackers or porn sites (if you want child-friendly filters), but they should do a decent enough job of keeping outsiders from being able to probe your network. A good firewall will block most connections unless you initiate them, meaning that your experience should change little, if at all, while outsiders are thwarted. Personally I like the “try it and see what happens” approach. If you enable a firewall setting and it turns out to be too much, you can always disable it later.

4. VPN

Some routers possess the ability to load a VPN onto them. Not all routers support this – usually the one your ISP issues you and the cheapest ones you can buy yourself don't – but it is increasingly common, even in the mid-range “off the shelf” routers you'd find at any given big box store. If your router supports a VPN, this is a great way to work around the simultaneous connection limits of less expensive plans – a router on your VPN only counts as one connection, even if you have a dozen devices connected to it. Not to mention, as I said earlier, many devices like smart TVs or home assistants don’t allow you to load a VPN directly onto the device, but loading it onto the router can allow you to safely hide them behind the tunnel anyway. (Of course, I encourage you to be judicious with your IoT devices, but sometimes they’re unavoidable.)

If your router doesn’t support a VPN, it almost certainly supports changing the DNS. While this provides significantly less privacy than a VPN, I still encourage you to switch to a DNS provider that provides content blocking if a VPN is not an option. Some of the providers listed here provide lists that block known trackers, malware, ads, and even adult websites if you have kids.

5. VLANs

Just as some routers support VPNs, some nicer routers also support VLANs. VLANs are Virtual Local Area Networks. To put it in simple terms: VLANs are isolated subnets within your network. Two devices on separate VLANs will treat each other as if they’re in separate parts of the world, even if they’re right next to each other and connected to the same router. This can be a powerful piece of defense against malware: if your smart TV gets compromised but is isolated to its own VLAN, the malware is unable to spread to other devices on other VLANs. If your router supports VLANs, you should set these up. Generally speaking, the minimum recommended setup is to have an isolated guest WiFi, an isolated WiFi for people who live in the home, and an isolated IoT network – whether WiFi or hardwired – specifically for IoT devices. You can add more if your router supports it and you feel the need.
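The firewall behaviour from section 3 (“block most connections unless you initiate them”) and the VLAN layout from this section are really one mechanism on a router: a zone policy that says which network may start a conversation with which, plus connection tracking that lets replies back in. The following is an added model of that, written for this page and not taken from the post or from any router firmware; the three subnets and the zone policy are my assumptions, chosen to match the minimum guest / home / IoT layout recommended above.

```python
import ipaddress

# Constructed layout following the post's minimum recommendation: three isolated
# VLANs plus the WAN. The subnets are my assumptions, not the author's settings.
VLANS = {
    "home":  ipaddress.ip_network("192.168.10.0/24"),
    "guest": ipaddress.ip_network("192.168.20.0/24"),
    "iot":   ipaddress.ip_network("192.168.30.0/24"),
}

# Which zone may *initiate* connections to which; anything not listed is dropped.
# "wan" means any address outside the three VLANs, i.e. the internet.
POLICY = {
    "home":  {"wan", "iot"},  # trusted devices reach the internet and may control IoT gear
    "guest": {"wan"},         # guests get internet only
    "iot":   {"wan"},         # IoT gets internet only and can never initiate to "home"
    "wan":   set(),           # nothing unsolicited comes in from the internet
}


def zone_of(ip: str) -> str:
    """Map an address to its VLAN name, or 'wan' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "wan"


class StatefulFirewall:
    """Minimal connection tracking: a packet passes if it starts a flow the policy
    permits, or if it belongs (in either direction) to a flow already permitted."""

    def __init__(self) -> None:
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port) of accepted flows

    def check(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        forward = (src_ip, src_port, dst_ip, dst_port)
        reply = (dst_ip, dst_port, src_ip, src_port)
        if forward in self.flows or reply in self.flows:
            return "accept (established)"  # like 'ct state established' on a real router
        if zone_of(dst_ip) in POLICY[zone_of(src_ip)]:
            self.flows.add(forward)
            return "accept (new)"
        return "drop"  # unsolicited, or crosses a VLAN boundary the policy forbids


if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.check("192.168.10.5", 50000, "203.0.113.10", 443))  # home -> internet: accept (new)
    print(fw.check("203.0.113.10", 443, "192.168.10.5", 50000))  # reply: accept (established)
    print(fw.check("203.0.113.10", 443, "192.168.10.5", 50001))  # unsolicited inbound: drop
    print(fw.check("192.168.30.7", 40000, "192.168.10.5", 22))   # IoT -> home: drop
```

The last case is the one the post cares about: a compromised smart TV on the IoT VLAN gets nowhere when it tries to reach a laptop on the home VLAN, while the laptop can still open a connection to the TV and receive its replies.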

6. Update the Firmware

As with most firmware, router firmware typically doesn't get updated very often, if at all. When purchasing a new router, be sure to check and make sure that it does indeed get updates. In a perfect world, you should get one that has automatic updates, but in my experience those are rare (if they exist at all). Instead, the next best solution is to set a reminder to periodically check the manufacturer website for new firmware and update the router manually. Personally, I recommend at least once every six months, but of course you're always welcome to do that more often if you want.

This is also a good time to mention flashing custom firmware such as DD-WRT, OpenWRT, or Tomato onto your router. A stock router firmware – from companies like Linksys, Asus, or Netgear – likely collects at least some degree of user data, even with things like VPNs enabled. Using an open source firmware will likely reduce much – if not all – of this data collection, and reduces the likelihood of software backdoors. These can take some time to adjust to and require specific routers, so be sure to do your research. I personally have been using DD-WRT for over a year now and have found it more than enough for my needs. Your needs and resources may vary.

Conclusion

As with anything in the privacy game, there’s always more to do. This is just scratching the surface of ways you can secure your home network. But just using these few techniques will put you miles ahead of most people and give you a relatively secure and private network you can use at home to help protect yourself from snooping ISPs and trackers and from non-targeted malicious attacks, and give yourself a little more safety and peace of mind.

Tech changes fast, so be sure to check TheNewOil.org for the latest recommendations on tools, services, settings, and more. You can find our other content across the web here or support our work in a variety of ways here.