The following is a step by step guide on securing your home network. This guide borrows basic network security principles as well as those outlined in the SEC security bulletin. This guide makes 2 assumptions:
- you are in a home office environment.
- You do not have the equipment or means to set up a Windows domain. (For the Windows domain guide click here: Link to come)
Step 1: Physical Security
This may seem obvious or unnecessary, but the first layer of security is always the physical layer. Specifically, if you live with roommates or in a shared space you are going to want to restrict physical access to your edge devices (your modem, router, firewall, switches, etc). Having them in a key-locked room, closet, or enclosure is recommended. When I lived with roommates I kept it all in a locked wall-mount rack like this: Rack
Step 2: Edge Devices/Hardware
Your edge devices are those that connect you directly to the internet/outside world. In a home office this would be your ISP/cable modem and firewall or router. It is recommended to use a business-grade firewall and not an “off the shelf” router such as a Linksys or Netgear router. These at best use scaled-back software firewalls which provide very basic security and by default are left pretty open. The following is the recommended hardware:
Modem: The supplied cable modem from your ISP is fine to use, but you want to take the following precautions:
- Change the default modem password. These defaults are published and well known; if not changed, your modem is vulnerable.
- Change the default LAN subnet. Again, this is public and known for most ISPs. Your ISP’s technical support team can help you change it. I’d suggest something off the 192.168.x.0/24 subnet, something along the lines of 10.10.x.0/24.
Firewall: Off-the-shelf routers do not provide much as far as edge security. It is STRONGLY recommended that you invest the money in a hardware firewall such as a SonicWALL TZ SOHO or TZ 300 firewall to replace your router. These provide much more in terms of edge security:
- multiple interfaces to separate traffic at a physical layer.
- stateful packet inspection, gateway security/antivirus protection
- strong firewall and port security, locked down by default
Stand-alone wireless access point: I recommend stand-alone access points, not those built into a router or firewall. This allows you to place the access point on a segment of your network physically separate from the computers that store crypto wallets, preventing access to them from computers connected to your wifi.
Step 3 - Securing network devices
Your network devices should have all the publicly known defaults changed. All default usernames and passwords should be changed to something complex (8 or more characters, capital letters, numbers, and symbols). You should NEVER write these passwords down or attach them to the devices. Store them either in a key-locked safe or an encrypted file.
Network subnets should be changed from the defaults. Most routers/switches come subnetted at 192.168.1.0/24. This is in the hardware's documentation, and anyone with this knowledge would potentially be able to access your gateway/edge devices and attempt to log in. I’d suggest changing it to something very different, such as 10.10.100.0/24 or 10.10.254.0/24.
Step 4 - Patching your network hardware
Best practices don't do much good if you don't apply the newest firmware updates to your network devices. Not doing so may leave known security holes unpatched, allowing access to your firewall, switch, or router.
Always check monthly for new firmware. Export your device's settings BEFORE applying the new firmware, then apply the firmware. I cannot stress this step enough. Linksys STILL has unpatched routers being hacked every day.
Step 5 - Network Topology
Your network should be configured in a logical way to maximize security. You should have 3 different subnets:
- your main data subnet for all your computers with normal internet traffic
- your wireless subnet for all your devices that connect wirelessly
- a high-security subnet, for devices that no other LANs/computers can access
These 3 subnets can be achieved by using the interfaces on the firewall:
X0 - default LAN (all computers). Your network switch should connect to this interface.
X2 - your wireless LAN. Your wireless access point should connect to this interface.
X3 - your security LAN. Only the computer with your crypto wallets should connect to this interface.
A firewall rule should be created so that there is no trust between X3 and any other interface.
NOTE: if you don't have a firewall with multiple interfaces (like a TZ SOHO or TZ300) there are other ways to separate traffic, which I can address later in this thread.
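As an added example (not part of the original post), here is a small Python check of the three-interface layout above, useful for sanity-checking a firewall rule set or a flow log against the intended policy. The subnet values are assumed, and X0 to X2 is left open because the post only mandates isolating X3.

```python
import ipaddress

# Constructed subnets for the three firewall interfaces described above
# (assumed values, chosen off the 192.168.x.0/24 default as Step 3 advises).
ZONES = {
    "X0": ipaddress.ip_network("10.10.100.0/24"),  # default LAN, all computers
    "X2": ipaddress.ip_network("10.10.200.0/24"),  # wireless LAN, access point
    "X3": ipaddress.ip_network("10.10.254.0/24"),  # security LAN, wallet computer
}
ISOLATED = {"X3"}  # no trust between these interfaces and any other LAN


def zone_of(ip):
    """Return the interface an address belongs to, or 'WAN' if it is outside every LAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def allowed(src_ip, dst_ip):
    """Evaluate one flow under the Step 5 policy.

    Same-zone traffic never crosses the firewall; LAN zones may reach the internet;
    unsolicited inbound from the WAN is dropped (the firewall is stateful, so replies
    to outbound sessions still return); X3 exchanges nothing with any other LAN.
    X0 <-> X2 is not restricted by the post's rules and is left open here.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True
    if dst == "WAN":
        return True
    if src == "WAN":
        return False
    if src in ISOLATED or dst in ISOLATED:
        return False
    return True


def violations(flows):
    """Given (src, dst) pairs seen in a log, return the ones the policy should have blocked."""
    return [(s, d) for s, d in flows if not allowed(s, d)]
```

Run `violations()` over the source/destination pairs from your firewall's connection log; any pair it returns means a rule is missing or misordered.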
Step 6 - Wireless Security
Your wireless access point is the most common point of unwanted entry since it's physically accessible anywhere your wifi signal reaches. The following at a minimum should be set:
- do NOT broadcast your SSID
- set your wifi security to WPA2/PSK
- set a complex passphrase (12+ characters, capital letters, symbols)
- change the wifi password monthly
- turn off remote management
- give your access point a static IP address
- use a MAC access list to make sure only your devices can connect. Restrict access for any device not in your MAC list
Step 7 - Computer accounts
All your computers should have unique logins for users. Computers should never auto-login and should always be password protected:
- create an admin account on all machines, with a complex password
- set the password to expire every 90 days
- disable guest accounts
- set the screen lockout to 10 minutes
- require the password be entered after returning from lockout
- set a policy so non-admin users can not use USB media
Step 8 - Software protection
The use of antivirus is key, but web filtering at the DNS level is even more important. Your computers should all be protected at a minimum with:
- up-to-date anti-virus software (I recommend Webroot)
- you should check for virus definitions/updates weekly and apply them, or set them to auto-apply
- point the DNS forwarders/set your DNS servers on your router or firewall to the Umbrella OpenDNS servers: https://use.opendns.com/
These are free to use and help protect you from ransomware/malware at the DNS level.
Step 9 - Monitoring
You need to constantly monitor your network. Check your DHCP leases on your firewall for unknown machines. Check your access point for unknown connected devices. Do an IP scan for unknown devices. Check the warnings/alerts in your firewall/router/WAP logs.
It is very critical to keep an eye on your network. If you had people lingering in your yard or near your back yard you would want to keep an eye on them. The same goes for your network!
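As an added example (not from the original post), here is a Python audit that does the Step 9 DHCP lease check against the device inventory you keep for the Step 6 MAC list: it flags any lease for a MAC you don't own, and any known device that shows up on a subnet other than the one it belongs on (for instance the wallet PC appearing on the wireless LAN). The inventory, subnets and lease export are constructed sample values; the lease layout assumed is the common dnsmasq style.

```python
import ipaddress
import re

# Constructed inventory of the devices you own (assumed values): MAC -> (name, subnet
# the device is supposed to live on, matching the X0/X2/X3 layout from Step 5).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": ("desktop", "10.10.100.0/24"),
    "66:77:88:99:aa:bb": ("laptop", "10.10.200.0/24"),
    "aa:bb:cc:dd:ee:01": ("wallet-pc", "10.10.254.0/24"),
}

# Constructed DHCP lease export in the dnsmasq-style layout
# "<expiry> <mac> <ip> <hostname> <client-id>"; adapt LEASE_RE to your firewall's export.
SAMPLE_LEASES = """\
1700000000 00:11:22:33:44:55 10.10.100.20 desktop *
1700000300 66:77:88:99:aa:bb 10.10.200.31 laptop 01:66:77:88:99:aa:bb
1700000600 de:ad:be:ef:00:01 10.10.200.77 android-3f2a *
1700000900 AA:BB:CC:DD:EE:01 10.10.100.40 wallet-pc *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+(\S+)\s+(\S+)")


def parse_leases(text):
    """Return (mac, ip, hostname) tuples, with MACs lower-cased so they compare reliably."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:  # blank or malformed lines are skipped rather than aborting the audit
            continue
        _expiry, mac, ip, host = m.groups()
        leases.append((mac.lower(), ip, host))
    return leases


def audit(leases, known=KNOWN_DEVICES):
    """Flag leases for MACs not in the inventory, and known devices on the wrong subnet."""
    findings = []
    for mac, ip, host in leases:
        if mac not in known:
            findings.append(("unknown-device", mac, ip, host))
            continue
        name, subnet = known[mac]
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            findings.append(("unexpected-subnet", mac, ip, name))
    return findings
```

Run `audit(parse_leases(...))` over the lease export you pull from the firewall each check; because a MAC address is trivially changed by whoever controls a device, treat the MAC list as an inventory check that complements the WPA2 passphrase rather than as an access-control boundary on its own.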
Step 10 - Backups!
Backup and disaster recovery is part of network security. Losing your data to a disaster is just as bad or worse than being hacked. I recommend a local + cloud-based backup solution such as Carbonite, Intronis, Acronis, CrashPlan, or Mozy Pro.
Do both an hourly file backup and a daily image backup to the cloud. If anything happens to your drives or hardware you can then restore.
Step 11 - Encryption and endpoint security
A computer account password is great, but if your computer is lost or stolen it is not of much use, as Windows passwords are easily cracked with a CD or USB utility. Your hard drive can also be removed and accessed via another machine. To prevent this you can do 2 things:
- set a BIOS password. Unlike Windows passwords, BIOS passwords are tough to crack/hack.
- change your BIOS password every 90 days
- encrypt your hard drive (I'd recommend BitLocker, which is free with Windows 10). If the drive is encrypted it can't be accessed physically from another machine.
Step 12 - MFA/2FA
All your online accounts should use multifactor authentication. Google or RSA tokens can be used with most crypto sites. Enable this and use it! Also NEVER save your passwords in your browser, and always log off on public machines… or better yet, never check your accounts on public machines!
Step 13 - Securing your crypto wallets
Unless it's short term for trading, always keep your cryptocurrency in an offline/paper or hardware wallet. The following are critical ways to secure your offline wallets:
Restrict the wallet software to only being run by certain users (your user account only). In Windows 10 this is pretty easy to set up: https://www.howtogeek.com/howto/8739/restrict-users-to-run-only-specified-programs-in-windows-7/
Print out your private keys/restore passphrases. Store them in a locked fireproof/waterproof safe as well as in a safety deposit box. This is NOT overkill. If your safe is lost or your house explodes you still have the safety deposit box backup. You ALWAYS want redundancy!
Take a screenshot of all your private keys. Convert that screenshot to a PDF. Encrypt that .PDF file. Add the PDF files to a password-protected zip file. Store that in a password-protected folder on your computer. Make sure that folder is backed up in your cloud backups. Make sure those cloud backups are encrypted (Intronis, Acronis, and CrashPlan are by default).
Close all wallets and log off your computer while not in use. Shut the computer down or lock the screen.
Please let me know if I missed anything or if you have specific questions on any of these steps or how to set it up… I can also provide info on even more advanced security… this is just basic/best practice for a home office with some borrowed protocol from compliance standards.