
Home Network Convenience & Security Options

The preamble.

The need to secure the home network is more important than ever. Enterprise networks, with cloud-assisted and machine learning-enabled security features as well as constant, ongoing employee security awareness training, are becoming harder to compromise.

The most sophisticated hackers are those that live off the land.

Ever heard the phrase "take what the defense gives you"? It is commonly used in the NFL. It refers to the offense not forcing plays that have a low success rate but instead focusing on easier plays that have a higher chance of being successful. It means taking the path of least resistance.

The anatomy of the home network.

In network security, there is a term called defense in depth. It means that you deploy security in layers, which makes it very difficult for someone to break in. Think of it like an onion: to get to the middle, you must peel many layers. A home network, in contrast, is commonly referred to as a flat network. This means that all devices are in the same onion layer. If someone gains access to any device, they can poke around the network and potentially access all other devices.

The current situation.

Because of Covid-19 a lot of folks are working from home. This means that corporate data is now being accessed by devices in a network that is not secured. This is a hacker's dream: a less secured network that combines both personal and corporate information. The current state of affairs has put the home network right at the center of attention.

Ever shine a light into a dark spot in the house? All of a sudden you notice a lot more dust on the furniture. Some organizations that have security in mind will take proactive measures to ensure that employees are secured; unfortunately, that is not always the case. Many of my friends are working from home, sometimes using personal devices, and without any security posture enhancements being made by their employer.

What we are experiencing right now will pass, but for many organizations it will take years to go back to normal. Employees might be working from home for a long time.

What are the options?

Unfortunately, home network devices like routers are still lagging far behind business solutions in terms of security features. There is also a lack of information about security options and features that are available to consumers as well as how to use them.

For example, consumer VPNs have become very popular, and I commonly hear them described as a way to protect data. This is a perfect example of people using a technology for something other than what it is intended for.

VPN technologies serve to mask a connection source and to encapsulate the connection in its own private tunnel.

What does that even mean?

If I am working from home, and my company has a NAS or file server in the office where we store documents, I can use a VPN connection to securely connect to it from home. The tunnel uses encryption, which means that the whole communication is scrambled so that if someone intercepts it the information cannot be read or stolen. Additionally, the organization doesn't have to expose the NAS or file server to the internet, which would make it visible to those scanning the web for vulnerable data repositories.

The VPN device at the office will broker the connection and route the request to a NAS or File Server that sits internally in the office network and that only the VPN device knows how to get to.

I can use the same VPN device to filter connections initiating from my home that are going out to the internet and back if my employer wishes to inspect all work related traffic. In this scenario any request from my home computer to Office365 or Google Suite will be routed through the office VPN device before going to the final destination. The response from the service requested will also be routed on its way back.

VPNs like the ones that we download on our phones are mostly used to mask the identity of the device, user, or connection. This works very similarly to the above example. Here we try to connect to the Google website using a VPN and that connection is routed through a middle device(s) which makes the request for us. To the Google website, it looks like the connection is coming from the middle device.

We can use a couple of mail analogies to explain. Let's say I want to send you a letter, but I don't want you to know it came from me. I can do this by changing the sender's address and putting the letter in someone else's mailbox. When you receive the letter you will reply to the sender's address. You can think of it like a virtual PO Box: you can send and receive from it, but it is not your home.

Some of these tools are more useful for identity protection and for protecting data as it travels the internet outside of your network. They are not designed to protect the inside of our network. Outside of identity masking, VPN technology is somewhat redundant. If you are browsing, for example, it doesn't make sense to use a VPN to access Bank of America. The connection is already encrypted if you use the app or the website. When you see that lock on the left of the address of the website you are trying to reach, it means the connection is encrypted. That is usually a good sign.

How do I protect my castle?

Home network protection efforts should primarily focus on a few things.

Separate Wi-Fi segments for different types of wireless devices and guests.

If you invite friends over and they are connected to your network, you should have a separate Wi-Fi network for that, with a separate password.

If you have smart devices in your home that are connected using Wi-Fi, those too should have their own Wi-Fi with a separate password. Smart devices are notoriously vulnerable to attack. This is going to get worse by a gigantic measure once 5G communications become mainstream. 5G will allow devices to connect and share data at significantly faster speeds; networks will be able to handle more traffic, and therefore more of these smart devices will be introduced to networks to provide convenience.

Check out this article about how a Ring doorbell could be tricked into setup mode to steal Wi-Fi credentials. This vulnerability has since been patched, but like this one, there are many others out there.

Ring-a-ding: IoT doorbell exposed customer Wi-Fi passwords to eavesdroppers

Separate network segments for different types of connected devices.

If you have a NAS at home that you use to store important documents, it should not be accessible from every device that is connected to the network. Using segments and VLANs in your network can keep devices from having more access than necessary. Implementation has grown a lot easier than it used to be.
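To make the flat-versus-segmented difference concrete, here is an added example (not from the post, and not any router vendor's code) that models how a VLAN-capable router decides inter-segment traffic: rules are checked in order, the first match wins, and anything unmatched is denied. The segment names, subnets and rules are hypothetical; a flat network would answer "allow" to every one of these flows.

```python
"""First-match segmentation policy evaluator for a home network (added example).

Constructed model: four segments (Main, NAS, IoT, Guest) and a small rule
table of the kind a VLAN-capable home router evaluates for traffic that
crosses segments. Addresses and rules are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical segments (VLANs) and their subnets.
SEGMENTS = {
    "Main":  ipaddress.ip_network("192.168.10.0/24"),   # laptops, phones
    "NAS":   ipaddress.ip_network("192.168.20.0/24"),   # the file server
    "IoT":   ipaddress.ip_network("192.168.30.0/24"),   # smart devices
    "Guest": ipaddress.ip_network("192.168.40.0/24"),   # visitors
}
ANY = "any"  # matches every source or destination, including the internet


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # segment name or ANY
    dst: str                     # segment name or ANY
    dport: Optional[int] = None  # None means every destination port


# Order matters: the first matching rule decides the flow.
RULES = [
    Rule("allow", "Main", "NAS", 445),   # laptops reach the file share (SMB) only
    Rule("allow", "Main", "IoT"),        # laptops may manage the smart devices
    Rule("deny", ANY, "NAS"),            # nobody else reaches the NAS
    Rule("deny", ANY, "Main"),           # nothing initiates towards trusted devices
    Rule("deny", ANY, "IoT"),            # guests and the internet stay off IoT
    Rule("deny", ANY, "Guest"),
    Rule("allow", ANY, ANY),             # what is left is internet-bound traffic
]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment that contains ip, or None for addresses outside the LAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def _matches(selector: str, seg: Optional[str]) -> bool:
    return selector == ANY or selector == seg


def evaluate(src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """Decide a flow the way a first-match firewall would.

    Returns (action, rule). Traffic inside one segment is switched locally and
    never reaches the router, so it is allowed without consulting the rules.
    A None rule means nothing matched and the implicit default deny applied.
    """
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is not None and src_seg == dst_seg:
        return "allow", None
    for rule in RULES:
        if (_matches(rule.src, src_seg) and _matches(rule.dst, dst_seg)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action, rule
    return "deny", None


def audit(flows):
    """Evaluate a list of (src_ip, dst_ip, dport) flows; returns a list of actions."""
    return [evaluate(*flow)[0] for flow in flows]


if __name__ == "__main__":
    # Constructed flows: the same ones a flat network would allow unconditionally.
    sample = [
        ("192.168.10.5", "192.168.20.10", 445),   # laptop -> NAS share
        ("192.168.30.7", "192.168.20.10", 445),   # smart bulb -> NAS share
        ("192.168.40.3", "192.168.10.5", 22),     # guest -> laptop
        ("192.168.40.3", "203.0.113.80", 443),    # guest -> internet
    ]
    for flow, action in zip(sample, audit(sample)):
        print(f"{flow[0]:>15} -> {flow[1]:<15} :{flow[2]:<5} flat=allow segmented={action}")
```

The useful habit this shows is writing the allow rules for the few flows you actually need (laptop to NAS share, laptop to smart devices) and then denying everything else headed for a private segment, so a compromised doorbell or a guest's laptop cannot even attempt a connection to the NAS.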

Consolidate the number of network devices.

It is unrealistic to ask every person to become a network and cybersecurity expert to protect the home network. However, as consumers, we should try to be informed and understand that there is a problem, what the risks are, and how we can try to address it.

The more devices we have in our network, the more complicated the configuration becomes. If we introduce devices from different vendors, then we have to learn different management platforms and go to different support pages when something is broken or to download new firmware updates. That is quite exhausting if you are not a networking enthusiast.

How do I get there?

The easiest thing to do is to talk to your ISP to find out what kind of security features are included in the device that you are renting with your plan. Most people are using whatever device comes with their internet services. Call them up or look up the model number online and see what you can find.

If the answers are unsatisfactory, then you will have to take matters into your own hands in the form of a router. I recommend that people buy their own modem and router; it is one less thing to pay for every month. Make sure that you choose a modem that is compatible with your ISP and can handle the speed that you are paying for.

From a consolidation perspective, you can't get more consolidated than one device that routes the traffic, connects devices over Ethernet, and offers Wi-Fi connectivity.

There are a lot of options for consumer routers from the likes of TP-Link, Asus, Linksys, and Netgear. Most of these are designed for convenience and not security. Some of these vendors are stepping up their security game by partnering with security software vendors to offer 3rd party integrated solutions. Here are a couple of examples: Asus RT-AC68R, Netgear NightHawk

Some of these integrated security features are available free of charge for now, while others are offered as a yearly subscription. However, a lot of these devices still lack the basic functionality of a business perimeter device where the user can divide the network to separate priority devices from potentially vulnerable ones.

TP-Link does offer some nifty features with their HomeCare service available in their latest routers. For now, the service looks to be free for the life of the product. Link here!

See below, links to a couple of HomeCare equipped TP-Link AX series routers:

TP-Link Wi-Fi 6 Router Smart Wi-Fi Router

TP-Link WiFi 6 AX3000 Smart WiFi Router

My favorite all-in-one solution.

Enter the UniFi Dream Machine from Ubiquiti. The UDM is a router, controller, switch, and access point for compact networks in a very cool looking package.

Ubiquiti has made a name for itself with its cool looking devices and great UI experience. Check it out.


Normally the controller has to be downloaded and installed on a computer in your network; however, the UDM comes with the controller built in. The UI experience is very pleasing to the eye, which is part of the reason for their success. Ubiquiti has built an immersive experience that is almost like a game as you build your home network. In an age where every photo is full of filters, a pretty UI is key to attracting customers. I call it shallow networking.

Ok, enough about the make-up. Let’s talk security, after all, we are here to make the network more secure.

First and foremost, Ubiquiti offers the user the ability to properly segment the network using Virtual Local Area Networks, or VLANs. This way we can separate connected devices. The access point functionality can handle multiple SSIDs, which can also separate different devices.

Ubiquiti goes beyond the basics and into borderline commercial features. The UDM offers Intrusion Detection and Prevention for traffic coming into and leaving your network. Here we see things like attack categorization, whitelisting, etc. The UDM also comes with GeoIP blocking, which means that you can essentially block any traffic initiating from a country of your choice that is trying to reach your network. The implementation is quite cool: there is a map of the world and you simply have to click on the country you don't want to hear from. How good is your geography?

The UDM offers DNS filtering and even Deep Packet Inspection. These are features that none of the other routers offer. That is not all: the UDM also offers device scanning, which allows you to scan your network for any rogue devices that might be connected. The scanner also searches for open ports on devices. This is a somewhat advanced topic, but let's say that part of what makes a device vulnerable to attack is ports that are open without needing to be. The first step to fixing this is visibility of the problem.
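The DNS filtering mentioned above works on the names your devices look up, before any connection is made. The following is an added example of that logic (not the UDM's code, and not the post's): a blocklist is loaded, each query in a constructed log is matched against it, and a listed domain covers all of its subdomains while not matching unrelated names that merely contain the same string. The blocklist entries, the log lines and the device addresses are all constructed; the log format loosely follows dnsmasq's "query[A] name from ip" lines.

```python
"""DNS blocklist filtering over a query log (added example, constructed data)."""
import re

# Constructed blocklist: one domain per line, '#' starts a comment.
BLOCKLIST_TEXT = """
# hypothetical telemetry and ad domains
ads.example
tracker.example.net
"""

# Constructed query log: one trusted laptop and two devices on an IoT segment.
QUERY_LOG = """\
Jun  1 09:00:01 dnsmasq[512]: query[A] www.bank.example from 192.168.10.5
Jun  1 09:00:02 dnsmasq[512]: query[A] cdn.ads.example from 192.168.30.7
Jun  1 09:00:03 dnsmasq[512]: query[AAAA] tracker.example.net from 192.168.30.7
Jun  1 09:00:04 dnsmasq[512]: query[A] notads.example from 192.168.30.8
Jun  1 09:00:05 dnsmasq[512]: query[A] ADS.EXAMPLE. from 192.168.30.8
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; canonicalise both."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text: str) -> set:
    """Parse blocklist text into a set of canonical domain names."""
    entries = set()
    for line in text.splitlines():
        line = normalize(line.split("#", 1)[0])
        if line:
            entries.add(line)
    return entries


def is_blocked(name: str, blocklist: set) -> bool:
    """True if name or any parent domain of name is on the blocklist.

    Matching is on whole labels: 'cdn.ads.example' is covered by 'ads.example',
    but 'notads.example' is not, because 'ads.example' is not one of its
    label suffixes.
    """
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_log(log_text: str, blocklist: set):
    """Split a query log into (allowed, blocked) lists of (src, qtype, name)."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        rec = (m["src"], m["qtype"], normalize(m["name"]))
        (blocked if is_blocked(rec[2], blocklist) else allowed).append(rec)
    return allowed, blocked


def blocked_by_device(log_text: str, blocklist: set) -> dict:
    """Count blocked lookups per source address; a noisy device stands out here."""
    counts = {}
    for src, _qtype, _name in filter_log(log_text, blocklist)[1]:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    bl = load_blocklist(BLOCKLIST_TEXT)
    allowed, blocked = filter_log(QUERY_LOG, bl)
    for rec in blocked:
        print("BLOCKED", *rec)
    print("per device:", blocked_by_device(QUERY_LOG, bl))
```

The per-device tally is the part worth keeping an eye on at home: a smart device that keeps hitting blocked names is either misbehaving or talking to someone it should not, and that is the visibility the post is asking for.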

Lastly, the UDM features honeypot technology. Can anyone guess what that is without looking it up? Honeypots are not a new concept; I remember studying them in college over a decade ago. Back then you would have a dedicated device in your network that was left purposely vulnerable so as to lure attackers trying to compromise your network, and in doing so steer them away from the actual important devices. Now the technology is embedded in the router. Well done, Ubiquiti.
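To show what a honeypot actually does on the wire, here is an added example written for this post; it is not Ubiquiti's implementation. It listens on a port that no legitimate device at home has any reason to contact, answers with a decoy banner so a scanner believes it found a service, records who connected and what they sent, and does nothing else. The decoy banner, the probe client and the port choice (an ephemeral loopback port, so the example runs offline) are constructed; the recorded events are the alerts a router would surface.

```python
"""Minimal logging TCP honeypot (added example, not a vendor's implementation)."""
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

BANNER = b"220 storage-01 FTP server ready\r\n"  # constructed decoy banner


class _Handler(socketserver.BaseRequestHandler):
    """Answer one connection: send the decoy banner, capture the first bytes, log."""

    def handle(self):
        peer_ip, peer_port = self.client_address
        self.request.settimeout(2.0)
        self.request.sendall(BANNER)
        data = b""
        try:
            data = self.request.recv(256)
        except socket.timeout:
            pass  # a bare connect with no payload is still worth recording
        self.server.record({
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": peer_ip,
            "src_port": peer_port,
            "dst_port": self.server.server_address[1],
            "first_bytes": data[:64],
        })


class Honeypot(socketserver.ThreadingTCPServer):
    """A listener that only records; nothing received is executed or forwarded."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host="127.0.0.1", port=0):
        super().__init__((host, port), _Handler)  # port 0: OS picks a free port
        self.events = []
        self._lock = threading.Lock()

    def record(self, event):
        with self._lock:
            self.events.append(event)

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address  # the (host, port) actually bound

    def wait_for_events(self, n, timeout=3.0):
        """Block until n events are recorded or the timeout passes; return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= n:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)


def format_alert(event) -> str:
    """One syslog-style line per touch; anything here is by definition suspicious."""
    return (f"{event['time']} honeypot: connection from {event['src_ip']}:"
            f"{event['src_port']} to port {event['dst_port']} "
            f"first_bytes={event['first_bytes']!r}")


def probe(host, port, payload=b"USER admin\r\n") -> bytes:
    """Constructed client standing in for a scanner that touches the decoy."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(128)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot()
    host, port = hp.start()
    print("decoy listening on", host, port, "got banner:", probe(host, port))
    for ev in hp.wait_for_events(1):
        print(format_alert(ev))
    hp.shutdown()
    hp.server_close()
```

The detection value is in the baseline: a real service gets legitimate traffic, so alerts need tuning, whereas nothing at home should ever speak to the decoy, so a single recorded connection is enough to go and look at which device made it.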

There are two versions of the UniFi Dream Machine, the UDM and the UDM Pro. In a nutshell, Pro usually means more compute power on the box, which allows it to handle more bandwidth and to perform security functions faster.

One device will not always do. If you live in a multilevel home, for example, just one router on the main floor might not be enough. This is an area where Ubiquiti also shines, as they offer switches and access points that can stretch some of the above-mentioned security features to the rest of your network and provide the quality of service level that we all want.

Here are some Ubiquiti options for switches and access points: 8 port switch, and access point.

These are just some, there is a variety of sizes for many different configuration options.

There are better solutions than Ubiquiti for small businesses; however, they usually involve some kind of security subscription component, which in most cases would make them cost prohibitive for most home users. After all, security is not the purpose of a network; security is a necessity.

As of late it seems more vendors are following Ubiquiti's lead and offering integrated solutions that are borderline feasible for home consumers who prioritize security.

One such solution from TP-Link is Omada Software Defined Network. The TP-Link solution has all the traditional pieces of common network infrastructure, including router, switch, and access point. In addition there is a controller piece that communicates with all the other networking gear and serves as a central management and information analysis hub.

Additional link here.



J.
