Everyone seems to have a post like this, I thought I’d pile on and share my thoughts and process for my home network. It’s been built over the last few years and I feel I have a good handle on what’s coming in and out. I hope this series of posts can help the causal worker and the more hardcore techies among us. Of course all this is in an effort to make things harder for adversaries to get a foothold.

As infosec practitioners we’re all familiar with most company’s work from home structure it’s mostly planned around:

  • Use a corporate standard laptop or PC to work;
  • Connect to some kind of client VPN (hopefully IPSEC and a recently patched concentrator);
  • Use collaboration tools (Skype, Zoom, Teams, Sharepoint etc…);
  • Profit.

Is this enough though? How can we better ensure that our data and our lives aren’t being leaked out of our home networks? In this post I’ll be going into greater depth into the technologies we take for granted in these global work from home days and make some suggestions to improve security around home network use.

1. Work Computer

My workplace furnishes a laptop so I can work from home. At the same time I’m always on the lookout for tweaks that could stop me from staying secure and productive. Some things I always look out for:

  • Does my computer user have admin creds? If so, is it needed? I don’t need admin creds to browse the web or input data into apps.
  • Is the software firewall enabled? What kind of rules are running?
  • If running a Microsoft Windows OS, what kind of GPOs or local policies are installed?
  • Is there anti-virus installed? Does it have the latest signatures, updates, models etc.. Does it report when it detects something?
  • When was my machine last patched? Are patches run centrally? If not, has my machine run a patching cycle recently?

2. Home Network

My background is in IT networking, the crux of these posts will concentrate on this aspect. Most home networks resemble the picture below. Our internet service providers are in the business of making connectivity to the internet a turnkey process. Make things as simple as possible for end users to connect quickly.

Security rarely, if ever, comes into the equation. This is why hardening your home network after the face is important. The way my home ISP functions, the shared secret for the ‘default’ wireless SSID is on a sticker on the device and is activated right from the start! Easy yes – but secure? No.

How to better secure your network?

Below are some quick wins if you decide to keep the all-in-one box from your ISP.

  • Login to the management interface of the device
    • Change the default password to something unique, with alot of characters (use a passphrase!) and keep it away in a password vault.
    • Change the range of the default wired and wireless networks. The default range (usually 192.168.1.x) is low hanging fruit for adversaries. For example change your wired network range to 10.248.0.1/24 and any for any other networks add a 1 to the third octet. (10.248.1.1/24, 10.248.2.1/24 etc..)
    • Change your DHCP range to line up with the new IPs.
    • Change the default DNS on the DHCP to point to more secure DNS servers. DNS traffic is often overlooked, but so much can be gleaned and intercepted from DNS. I use Cloudflare’s 1.1.1.1 to block known calls to malware. They also have other IPs to block adult content.
    • Change the name of the default SSID. Add other SSIDs and networks and assign them a trust level. For example: Home Zone for important hosts, Guest Zone for guests, Others for any IoT devices.
    • Change the shared secret password for connecting to the wireless SSIDs. Make this a long passphrase as well, the longer the more work it is to crack it.
    • If you can, make a 2nd (or 3rd) SSID and network for any devices that you don’t have much control over such as home automation (google, amazon, smart lights and plugs), gaming consoles, phones and guests.
    • Try to patch this ISP device as often as possible, they’re sitting on the internet. If a vulnerability exists, it will be taken over quickly by adversaries.
    • Make sure the admin interface and other services aren’t available from the internet. Check to see if you can reach your public IP (find via ipchicken.com). Better yet if you can run NMAP or a vulnerability scanner on it it will see if any services are broadcasting.

I hope these tweaks can help you out with increasing your security posture at home. Stay tuned for my 2nd post where we’ll do a deep dive into the home network architecture. Let me know in the comments if there’s other actions you’ve taken to better secure your home environment.