March 24, 2020
We’re going to do a little deeper dive into how to harden a home firewall in this post. Since we are being asked to do more work from home offices as we self-isolate, it is important to build in as many protections as possible to ensure we are protecting our homes and our employers. Your home router is the first line of defense against Internet threats to your home. This guide is aimed at the somewhat more technically advanced reader and may require in-depth understanding, or some advanced Googling, to perform some of the tasks involved.
The first line of defense is always changing the defaults of your device whenever possible. Hackers can easily find these default settings on the web and treat them as the first line of attack, since they are the easiest to check. Let's look at a few of these defaults and how we can change them.
Own Your Router - Do not rely on the device provided by your Internet service provider. Make sure that you have your own router/firewall and configure it to the best of your abilities. In most cases, 30 minutes of configuring your own device will provide you improved protections over the ISP-provided device. For many ISPs, these devices do nothing more than deliver raw Internet with no protections. If your router is over five years old, please consider replacing it.
Automatic Updates - Turn on the automatic updates so your device can consistently improve the security posture as flaws are discovered and remediated. There are a growing number of legitimate reasons to reconsider this guideline so if you choose to manually update, make sure you do it at least monthly. Regardless, update your device one way or another.
Firewall - Always turn on the firewall of your router. This basic step is the first layer of defense for the entire network in your home. Spend some time and do it to the best of your ability.
WPA2 or WPA3 - When it comes to protecting the communications on your home network, encryption is the key. WPA3 is the latest and strongest encryption standard, so it should be employed whenever possible. At a minimum, use WPA2 if that is all that's available, but use the largest encryption key possible (i.e. 1024-bit over 256-bit encryption).
Remote Access - Turn off remote access to your network. There are very few users that need access to files or applications from their home network. Disable the service on your router and if possible, block remote access on your firewall.
Disable Services - Turn off as many services as you can. Most commercial devices are configured to cause minimal support issues. This means that they are much less restrictive than they should be. Services such as telnet, FTP, TFTP, echo, and many others are simply turned on to reduce the number of service calls to the manufacturer. If you see a service turned on and don't recognize the name, turn it off. Odds are you will never affect the services that you need. If for some reason a service doesn't work, refer to the technical documentation of the application and check the specific firewall settings.
Logging – Turn on the router logging and at least log Warnings, Errors, and Criticals. It may be frightening the first few times you look through the logs but it will definitely let you know what you are up against.
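To show what "log at least Warnings, Errors, and Criticals" means in practice, here is an added Python example (not code from the original post) that decodes the syslog `<PRI>` prefix most consumer routers emit and keeps only entries at severity 4 (warning) or worse. The sample log lines are constructed for the example; the router name, addresses and services in them are made up.

```python
import re
from dataclasses import dataclass

# RFC 3164/5424 syslog: the leading <PRI> value is facility*8 + severity,
# where a lower severity number is more serious (0 = emergency, 7 = debug).
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warning",
                  5: "notice", 6: "info", 7: "debug"}
KEEP_AT_OR_ABOVE = 4  # warning, err, crit, alert, emerg
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

@dataclass
class Entry:
    facility: int
    severity: int
    message: str

def parse_line(line: str):
    """Decode the <PRI> prefix of one syslog line; None if the line is malformed."""
    m = PRI_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal value: facility 23 * 8 + severity 7
        return None
    return Entry(pri // 8, pri % 8, m.group(2))

def filter_important(lines, threshold=KEEP_AT_OR_ABOVE):
    """Keep entries at the threshold severity or worse. Lines that cannot be
    parsed are kept too (severity -1): silently dropping them would hide data."""
    kept = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            kept.append(Entry(-1, -1, line.strip()))
        elif e.severity <= threshold:
            kept.append(e)
    return kept

# Constructed sample lines, not captured from any real router.
SAMPLE = [
    "<14>Mar 24 09:12:01 router dhcpd: DHCPACK on 10.23.7.40 to aa:bb:cc:dd:ee:ff",
    "<12>Mar 24 09:12:30 router dropbear: Bad password attempt for 'admin' from 198.51.100.7",
    "<11>Mar 24 09:13:02 router firewall: DROP IN=wan SRC=198.51.100.7 DST=203.0.113.5 DPT=23",
    "<10>Mar 24 09:15:44 router wpa_supplicant: radio 2.4GHz failed, restarting",
    "<15>Mar 24 09:16:00 router hostapd: station associated",
    "garbled line without a priority",
]

def summarize(lines):
    """(severity name, message) for every line worth a look."""
    return [(SEVERITY_NAMES.get(e.severity, "unknown"), e.message)
            for e in filter_important(lines)]
```

Pointing this at a router's syslog export (or a syslog receiver on a LAN host) gives the short daily read the paragraph recommends, with the info and debug chatter removed.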
Admin account - The admin account should never be left at the default settings. At a minimum, the default password should be changed to a complex password, since it is changed infrequently and is a prime target for brute force attacks. If possible, change the name of the admin account as well. Trying the default passwords is standard practice for hackers.
IP Address Range - Standard IP ranges and default gateways are easily guessed. Most home routers use the 192.168.0.1 network with a default gateway of .1 or .254. The truth is your home network will work on any private network space. Consider using a 10 network or a 172.16 network as your home address space. In addition, reduce the available IP space to what is required in your home. Most homes will function quite well with 32 IP addresses available inside the DHCP pool. Limiting the number of available IPs also limits the possibility of unknown devices on your home network.
Wireless Configuration - Never use the default SSID on the wireless router. Make sure this is changed to a name that doesn't identify your house and preferably is not broadcast. The wireless space is generally one of the two attack surfaces hackers will use to gain access to your home network. Make it hard. In addition, turn off the 2.4 GHz radios if they're not needed. Running the higher-speed 5 GHz radios tuned to power levels that don't radiate very far outside your house will make it more difficult for an intruder to leverage this asset. This will also prevent your neighbor from piggybacking on your bandwidth.
WPS and UPnP - Wi-Fi Protected Setup (WPS) was initially designed as a user-friendly method for new devices to connect to a WiFi network. Unfortunately, it’s been found to allow attackers to connect to WiFi networks without permission. Universal Plug and Play (UPnP) is a network protocol suite that allows devices on a network to easily communicate but has been found to contain numerous and severe security flaws. Disabling both of these features can have a large positive impact on home network security.
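As an added example (not from the original post), a small Python planner that turns the addressing advice above into concrete settings: it rejects non-private space and the easily guessed 192.168.0.x / 192.168.1.x networks, places the gateway away from .1 and .254, and sizes the DHCP pool to 32 addresses. Where the gateway sits inside the subnet (`gateway_offset`) is my own design choice, not something the article specifies.

```python
import ipaddress

# The ranges the article says are guessed first: 192.168.0.x / 192.168.1.x
# with the gateway at .1 or .254.
DEFAULT_LANS = [ipaddress.ip_network("192.168.0.0/24"),
                ipaddress.ip_network("192.168.1.0/24")]

def plan_lan(cidr: str, devices: int = 32, gateway_offset: int = 5):
    """Return a LAN plan: a private, non-default subnet, a gateway that is
    neither .1 nor .254, and a DHCP pool of `devices` addresses.
    gateway_offset (index into the usable hosts) is an assumed design choice."""
    net = ipaddress.ip_network(cidr, strict=True)  # ValueError if host bits set
    if not net.is_private or net.is_loopback or net.is_link_local:
        raise ValueError(f"{cidr} is not RFC 1918 private space")
    if any(net.subnet_of(d) or d.subnet_of(net) for d in DEFAULT_LANS):
        raise ValueError(f"{cidr} overlaps the easily guessed 192.168.0/1 defaults")
    hosts = list(net.hosts())
    if gateway_offset >= len(hosts):
        raise ValueError(f"{cidr} is too small for gateway offset {gateway_offset}")
    gateway = hosts[gateway_offset]
    if int(gateway) & 0xFF in (1, 254):
        raise ValueError("gateway lands on a default-looking address; adjust offset")
    # Pool starts right after the gateway; whatever is left is for static devices.
    pool_start = gateway_offset + 1
    pool = hosts[pool_start:pool_start + devices]
    if len(pool) < devices:
        raise ValueError(f"{cidr} has only {len(hosts)} usable addresses")
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "gateway": str(gateway),
        "dhcp_start": str(pool[0]),
        "dhcp_end": str(pool[-1]),
        "spare_static": len(hosts) - pool_start - devices,
    }

def is_acceptable(cidr: str, devices: int = 32) -> bool:
    """True if plan_lan accepts the range (for quick checks of candidate subnets)."""
    try:
        plan_lan(cidr, devices)
        return True
    except ValueError:
        return False
```

Copy the resulting gateway, netmask and DHCP start/end into the router's LAN and DHCP pages; the leftover static addresses are for printers, NAS boxes and similar fixed devices.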
Guest Networks - If your router can set up a guest network that uses a custom SSID and/or a WPA2 or better encryption, then consider setting it up and having your children run off that network. It separates your home traffic and offers another layer of protection if something should go wrong. If it only sets up without a custom SSID and no encryption can be configured, turn it off.
Working through the above pointers will get you a solid start to securing your home network. The router and firewall are the outside locks to your home network and need to be as strong as possible. This is not the only defense, but it is typically the first.
There are a number of great general guides that can be used to dig deeper into your firewall and harden the network perimeter even further. One great source is from the Center for Internet Security and is titled CIS Controls Telework and Small Office Network Security Guide. This resource combined with best practices from your manufacturer can help protect your home from cyberthreats. And always, reach out to an IT professional if you need additional assistance.