I'm sure I don't have to tell you that having a home network security plan is important. The question is how to do it properly. Some people will swear up and down that security measure X is the most important, while others claim that the same thing is insecure or even useless. The truth is that either view can be correct, depending on the situation. That sounds like an answer nobody wants to hear. Please continue reading and I will elaborate.
First: A Reality Check
I want to share some possibly shocking information with you that is not meant to scare you, but rather I hope it will set the stage as you decide how to implement your home network security plan. What is this information, you ask? It is this:
There is no such thing as a completely secure home network. It does not exist. If someone really wants to get into your network then they can and they will. No matter what you do.
Again, I'm not trying to worry you or make you paranoid. I'm not the first person to say this, and I will not be the last. Any other IT or security expert will tell you the same thing. With this in mind, please continue reading.
The #1 Goal For Home Network Security
When you are setting up your home network security, the goal is not to make it 100% secure. The real goal is to make it as difficult as possible for potential intruders to gain access to it. We can do this by creating and implementing a plan. Having any plan at all (even a bad plan) is better than having no plan. Benjamin Franklin said it best:
If you fail to plan, then you are planning to fail!
For the record, the purpose of this page is to teach you how to create a great home network security plan. Not a bad one, of course.
Home Network Security Plan: Common Measures and How they Work
The best home network security plan is one that has layers. Each technique you implement represents a layer. If you only have WPA2 encryption set on your WiFi, then all someone has to do is crack that and they have free rein to do whatever they want. However, if you also have a MAC address filter, now they have to get around that as well. That process will require a completely different set of tools and knowledge. As you can imagine, the more security measures you have in place, the more time, knowledge, effort, and tools it takes to break into your network.
WiFi Security Layers to Consider
Here are the common security options for you to consider. You may decide to implement only a couple of them, or most of them. This is just a review of the options that are available to you. Do not get the impression that you have to implement all of these options. In fact, implementing every WiFi security measure available can actually hinder your own access to your network, and can decrease performance. At the end, there is an example of the home network security plan I would implement.
Change the Default Password
Changing the default password used to log in to the router (not to be confused with the password to join the wireless network) is the first thing you should do. This way, nobody can easily log in and change your settings without your knowledge. Any home network security plan is worthless if a default password is used.
- PROS: People can't log in to the router without your knowledge.
- CONS: None.
WEP Encryption
If WEP is the only option available for WiFi encryption, then it is better than nothing and you should use it. However, it is very strongly recommended to use another option, if there are others available. With the proper tools and knowledge, WEP can be cracked within a matter of seconds. It may prevent the average PC user from accessing your network, but those who are curious and have the time can easily find ways to crack it.
- PROS: It's better than nothing and keeps the average user out.
- CONS: Extremely quick and easy to crack.
WPA vs WPA2 Encryption
WPA2 is a newer version of WPA (Wi-Fi Protected Access). Both are much stronger than WEP. The use of an encryption method known as TKIP (Temporal Key Integrity Protocol), which has known security holes, was discontinued in WPA2 in favor of AES (Advanced Encryption Standard). WPA and WPA2 can still be cracked, but doing so requires special software. Once you have the tool, it could take anywhere from several hours to even weeks to crack WPA2. The important part is that you must provide a strong password. Using common dictionary words will significantly reduce the time it takes to crack a WPA2 password. So when you do use WPA/WPA2, it is strongly recommended that you use a complicated password (upper and lower case letters, numbers that are not in order, and special characters). Since it has to be something complicated, I usually write the password down on a piece of tape or a sticky note and attach it to my router. I only do this because it's just my family living in my house and nobody else will have physical access to the router unless they break in or we invite them in. So someone outside of my house will not be able to see that password.
Enterprise vs Personal: WPA/WPA2 Enterprise requires you to have a RADIUS (Remote Authentication Dial-In User Service) server that devices authenticate with before gaining access to the network. WPA/WPA2 Personal only requires a pre-shared key (password) to join the network. Most people use Personal, unless they have the funds and resources to set up a RADIUS server on their home network.
- PROS: Very strong option for a home network. The best thing you can do for your home network is require WPA2 encryption.
- CONS: A weak password will hinder the strength of the encryption, making it easier to crack.
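To make the password advice above concrete, here is an added example (not part of the original article) that audits a candidate WPA2 Personal passphrase against the rules in this section and generates one that passes. The function names and the tiny word list are made up for illustration; a real check would use a much larger word list.

```python
import math
import secrets
import string

# Constructed sample list for illustration; use a large wordlist in practice.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine", "letmein"}

def has_ordered_digits(passphrase, run=3):
    """True if `run` consecutive digits count straight up or down (123, 987)."""
    for i in range(len(passphrase) - run + 1):
        chunk = passphrase[i:i + run]
        if all(c in string.digits for c in chunk):
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False

def audit_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase passes."""
    problems = []
    # A WPA2 Personal passphrase is 8 to 63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("non-printable or non-ASCII character")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if not all(any(c in cls for c in passphrase) for cls in classes):
        problems.append("needs lower case, upper case, digit and special character")
    if has_ordered_digits(passphrase):
        problems.append("contains digits in order")
    if any(word in passphrase.lower() for word in COMMON_WORDS):
        problems.append("contains a common dictionary word")
    return problems

def search_space_bits(length, alphabet_size=94):
    """Bits of entropy of a uniformly random passphrase of this length."""
    return length * math.log2(alphabet_size)

def generate_passphrase(length=20):
    """Draw random passphrases until one passes the audit."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not audit_passphrase(candidate):
            return candidate
```

A passphrase such as `Password123!` ticks every character-class box and still fails on two counts: the dictionary word and the ordered digits.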
Don't Broadcast the SSID
This one is a pretty low-level home network security measure. Your WiFi network will not show up in the list of available networks when you or anyone scans for networks. In order for someone to connect to it, they would need to know it exists ahead of time and know what the name of it is. Unfortunately, there is software out there that can reveal these hidden networks. However, once again the average Joe or Jane will most likely not have the resources to do this. This will mainly prevent your neighbors from trying to type in passwords over and over until they get it right (since they don't know the network exists, they can't try to guess the password because it's not even an option).
- PROS: The average Joe or Jane will not even know your network exists.
- CONS: You will have to manually type in the name of your network in order to connect a device to it. In all honesty, that really isn't much of an annoyance.
Wireless MAC Filtering
Many professionals are divided on this one. Basically, it allows you to either set a list of authorized MAC addresses that can connect, or set a list of banned MAC addresses that cannot connect. The issue is that MAC addresses are sent to the wireless router in plain text. What this means is that a malicious user can “sniff” the traffic in the area with some software and that MAC address will display on their screen clear as day. They won't have to decrypt it or anything. They can then use that plain text MAC address to spoof their own network card (making the router think that their computer is your computer) and gain access. Of course, they need to know how to acquire this software to be able to do this. Another downside is that if you want to add another device to your network (for example, a family member or friend is visiting your home) then you must retrieve the MAC address from the device and then log into the router to manually edit the list of authorized MAC addresses.
- PROS: This is another one that will protect you from most average people, beyond the encryption.
- CONS: This can easily be sidestepped by someone with the proper tools/software.
Limit the Number of Devices Able to Connect
If you only have a few devices in your home then you can set some routers to only allow that number of devices to connect. If one of those devices is turned off, then a spot will be available. This can stop a large number of devices from connecting to your network at the same time. If you are in a highly populated area, it may be effective. You may also allow your neighbors to connect to your network, but not allow them to go crazy and connect a bunch of devices and use up a lot of bandwidth.
- PROS: It can prevent a large number of devices from connecting to your wireless router.
- CONS: If you have a family member or friend who wants to connect temporarily, you either have to turn one of your devices off or change the setting to allow another device.
No Access to Admin Interface via WiFi
Some routers allow you to prevent any device connected to the router via WiFi from accessing the administrative interface. That way, the only devices that can access the administrative features are those that are connected via a cable to a LAN port on the router. If you allow your neighbors to connect to your network they will not have a chance to break in and change settings or even lock you out.
- PROS: You can let people join your network and they cannot possibly access the admin pages to adjust settings.
- CONS: Even YOU will not be able to access it over WiFi, so you will be required to have a computer physically plugged in to make adjustments.
Turn Off DHCP
This is not necessarily a great home network security measure, but it is worth the thought. Turning off DHCP (Dynamic Host Configuration Protocol) will require you to manually configure the IP settings on each device in order to establish network connectivity. New devices will not be able to automatically pull an IP from the router. It is not hard for someone to continuously make educated guesses to find out what your IP range is. Most home network routers use some variation of 192.168.X.X. It is also not hard to find an available IP once you know the range. You don't need any special software to get around this, but you may need to understand how subnetting works in order to find an available IP and connect to the network.
- PROS: Allows you to assign static IPs to your devices, gaining more “control” of your network, in a sense.
- CONS: Not necessarily a good home network security measure, but could be effective against people with no knowledge of IP addresses. You should never assume that everyone around you doesn't know what they're doing, however.
Require HTTPS for Web Administration Access
Requiring HTTPS as opposed to just HTTP to access your router's admin interface is a very good home network security measure in any scenario. This ensures that you have a secure (encrypted) connection between your computer and your router when you are making changes to its settings. The only requirement for this setting is that you type in a slightly modified URL when you access the web interface (https://192.168.x.x instead of http://192.168.x.x). The only situation I can think of where you would not want to use this setting is if you are using a browser that does not support HTTPS. I also cannot think of a browser that does not support HTTPS.
- PROS: Encrypt the communication between your computer and your router when you make changes to settings.
- CONS: None that I can think of.
Decrease the Size of the WLAN Subnet
This is basically the same as the previous setting where you limit the number of devices that can connect to your router. The difference here is that if you have a smaller subnet (which means there are fewer IPs available to assign to devices) then it decreases the chances of a massive number of people connecting to your router. By default, most routers assign a full class C network to your LAN. Without getting too technical, that means there is a possibility of 253 IPs that can be assigned to devices, not including the gateway. Most home networks have nowhere near that many devices. This requires some knowledge of IP subnetting, which your router manual most likely does not cover. A guide on IP subnetting will be included on this site in the future, so be on the lookout for that!
- PROS: Limit the quantity of IPs that are available to be assigned to devices.
- CONS: Requires knowledge of IP subnetting, which is a little on the advanced side.
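As an added example (not part of the original article), here is the subnetting arithmetic behind this setting: given how many devices you want to allow, find the smallest subnet that fits them plus the router. The base address 192.168.1.0, the function names, and the choice to give the router the first host address are assumptions for illustration.

```python
import ipaddress

def smallest_subnet(base, devices):
    """Smallest subnet at `base` that holds `devices` clients plus the router.

    Every IPv4 subnet loses two addresses (network and broadcast), and the
    router takes one of the host addresses that remain.
    """
    needed = devices + 1  # client devices + the gateway
    # Walk from /30 (2 hosts) up to the default home size of /24 (254 hosts).
    for prefix in range(30, 23, -1):
        net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        if net.num_addresses - 2 >= needed:
            return net
    raise ValueError("more devices than a /24 can hold")

def plan(base, devices):
    """Return the settings you would enter on the router's LAN page."""
    net = smallest_subnet(base, devices)
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "gateway": str(hosts[0]),  # assumption: router uses the first host IP
        "client_range": (str(hosts[1]), str(hosts[-1])),
        "client_slots": len(hosts) - 1,
    }

if __name__ == "__main__":
    # Six everyday devices: a /29 only leaves 5 client slots, so a /28 is needed.
    for key, value in plan("192.168.1.0", 6).items():
        print(f"{key}: {value}")
```

Subnet sizes only come in powers of two, so six devices ends up with 13 client slots rather than exactly six. Combine this with the connection limit from the earlier section if you want an exact cap.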
My Example of a Home Network Security Plan
You now have a variety of tools available to you that can help you secure your network. You could choose to implement everything, but in some cases that may hinder your own use of your network. You really want to make a plan that works well for you. Here is an example of what I would typically implement on my home network. Please be aware that these are my own personal opinions. Everyone has their own opinions. Do not take this as fact, or a “be all, end all solution”.
Here are the typical home network security measures I would implement:
- Change the default password for the router to a STRONG password
- WPA2 Personal Encryption with a STRONG password
- Require HTTPS to access the admin interface
- Don't broadcast the SSID
- Limit the number of devices able to connect
This plan involves multiple layers. The first thing a malicious user would need to worry about is sniffing the traffic in the air to find my SSID to even know my network exists. Then, they would need to spend probably a week or longer cracking my WPA2 encryption (because I know I have a strong password). Who has a week of time to crack someone else's network? Then, if they are able to crack my password, there is still a limit to how many devices can connect to my router. So they'll have to find a way around that as well. They can't sniff my traffic to see what changes I'm making to my router's settings because that is encrypted as well.
I would not implement a MAC filter, simply because I personally think it's annoying to make changes to it if I have a friend over or if I buy a new device and want to add it to my network. Some people don't mind taking the few minutes to do this; it's up to you. In this example, if I have a friend or family member come over or I have purchased a new device, I simply have to type in my network name and type in the password.
When I set the number of devices that can connect, I will most likely consider how many devices I use in my home on a daily basis and then add one or two for consideration of visitors who I will allow to connect.
In my personal opinion, if someone can get past these defenses, then they definitely know what they are doing and can most likely get through anything else as well. It is enough to keep out “curious neighbors” or those who can't or won't pay their own internet bill and are trying to get free internet access. It is also not so much that I have to spend unnecessary amounts of time hooking up a friend with an internet connection real quick.
In the end, the way you design your home network security plan is up to you. There are many options available to you. Good luck!