The Minimalist Method to Secure Your Home Network. Is it Possible?
Introduction
It started with a simple question: Was it possible to secure my home network without spending extra cash on new equipment? This intriguing prospect led me on a journey to find out if an Internet Service Provider (ISP)-issued router could provide an adequate amount of security features to secure a typical Singaporean home network, while accounting for the proliferation of smart home/IoT devices among my neighbours (refer to figure 1).
During the experiment, these were my definitions and guidelines for the minimalist method:
1. Not spending money;
2. Not installing any new software;
3. Simple and easy for all to follow.
** Disclaimer: This post is investigative in nature to understand whether a simple router can provide adequate cybersecurity features to protect a smart home. This post may provide some suggestions but it does not necessarily reflect the best way to secure your smart home!
My must-haves in building a secure home network
Considering the multiple levels of segregation and security controls at each layer, a typical enterprise network greatly differs from the home network. Such elaborate controls are not often found in home networks due to the high cost of these controls. As a result, home networks often carry a higher security risk as personal computers tend to contain valuable personal identifiable information.
The core security features that home routers should include are:
1. Ability to segregate networks;
2. Firewall filtering capabilities;
3. Provide WiFi security capabilities.
A router should ideally be able to segregate the network into the following segments:
· Router: The role of the router in this network (apart from routing traffic) is to act as a gateway/firewall to filter traffic between different networks and the internet.
· Guest: The guest network provides visitors with WiFi connectivity, without exposing the home private network through network segregation.
· IT Network: The IT network houses all IT equipment (e.g. Laptops).
· IoT Network: The IoT network houses all IoT/smart devices within the home.
Tinkering with my ISP router
After establishing all my requirements and the environment, I finally got down to business. In this post, I will be experimenting on my ISP-issued router which I obtained about 2–3 years ago.
Ability to segregate networks
Home networks should be segregated into 3 basic segments to ensure security through a layered defence whereby, even if one segment gets compromised, it would make lateral movement difficult. This would achieve the security objective of maintaining and protecting the confidentiality of data across different networks at home.
While rummaging through my router’s admin portal, I was unable to find any configuration controls that allowed me to segregate my LAN. This was definitely a negative for me as without this capability, I probably had to purchase an extra router/firewall and implement more complex configurations to enable the same capability that other off-the-shelf consumer routers can provide.
Firewall filtering capabilities
By having a router that provided adequate firewall filtering capabilities, I would then be able to keep unauthorised sources out of my network and prevent them from communicating with my devices at home, thereby achieving the security objective of maintaining and protecting the confidentiality of data.
My router’s firewall provided the following features that may be useful in securing the home LAN:
1. WiFi MAC address filter;
2. LAN MAC address filter;
3. Firewall Parental Controls;
Given the limited choices, the task then came down to the ability to optimise what was provided.
MAC Address filtering
A typical MAC address filter allows or denies access to the network by matching a device’s MAC address to the defined list of whitelisted or blacklisted MAC addresses.
My router provided two different MAC address filtering capabilities (WiFi/LAN). The options were:
1. Allow — A whitelisting feature
2. Deny — A blacklisting feature
Let’s briefly delve into the differences between the filtering capabilities of the WiFi MAC and LAN MAC filter. The WiFi MAC filter denies WiFi connection to any WiFi capable device, thus denying network access to the device.
On the other hand, any device denied based on the LAN MAC filter is allowed connection to the network but is not allowed connection to the internet. Thus, any MAC address denied on the LAN MAC filter is still able to reach/ping other devices on LAN.
As my router did not have a guest network feature, the WiFi MAC filter served as the best alternative to ensure security. However, the usage of a WiFi MAC filter also came with its own inconvenience. Visitors (i.e guests using your home WiFi network) needed to provide their MAC address for whitelisting, before being removed after.
Firewall Parental Control
A Firewall Parental Control denies LAN access to an external service but does not block inter-communications within the LAN.
If a device does not require an internet connection (e.g. temperature sensor), this feature can be turned on for that device to prevent it from being exploited and manipulated for attacks.
WiFi Security Capabilities
Having adequate WiFi security capabilities not only ensures that devices joining the network are authenticated, it also protects the confidentiality and integrity of the network using encryption.
Most routers come with a standard set of WiFi security capabilities. Some of the available features include:
1. Enable/Disable SSID Broadcasting
2. WiFi-Protected Access 2 (WPA2)
3. Enable/Disable WiFi-Protected Setup (WPS)
Unfortunately, my router was already 2 to 3 years old and did not have WPA3 capabilities. This is a feature to look out for in newer models!
I enabled SSID broadcast for usability and convenience even though hiding SSIDs can be an obstacle for the average citizen. It’s also worth mentioning that doing so does not thwart any hacker.
WPS was originally intended to allow people to quickly set up and add devices into their networks without complex configurations but since WPS Pin numbers can be easily forced using open source tools, it’s best to leave it disabled.
Other best practices to consider
HTTPS
The Hypertext Transfer Protocol Secure (HTTPS) is the secure version of the HTTP protocol that uses SSL/TLS certificates for encryption and authentication. In a typical network, HTTPS helps to ensure confidentiality and integrity of data and authenticate the different parties in the network.
Accessing the administration webpage via the router’s IP address, I noticed that HTTPS was not enforced. This communication channel was used to administer changes to the router. Without HTTPS, all communication with my router was in cleartext form which sadly, is not an enforceable feature.
As a best practice, an administrator password should be created to ensure that all access and changes to my network’s administrative portal are authenticated and authorised. Although not configurable, the practice of preventing passwords with less than 8 characters was enforced. Other best practices I adopt to create a strong password use a mix of uppercase & lowercase characters, symbols and numbers, to form a password with more than 8 characters.
To further illustrate the importance of HTTPS, non-HTTPS traffic is often susceptible to sniffers that can derive authentication credentials in cleartext. This can be easily accomplished by using Wireshark (a network sniffing tool) to capture network traffic, and John (a password cracker tool) to crack the captured hashed passwords.
Based on the values above, it appears the credentials obtained are hashed in MD5.
This short experiment demonstrates the importance of using complex passwords even though it was not enforced.
In Conclusion
Is the minimalist method possible without compromising on usability and convenience? The short answer is: No. The main issue was the lack of network segregation capabilities such as the inability to implement guest networks and a lacklustre firewalling capability. However, do remember that my router is an old model; the newer ISP-issued router models may come with such features so do look out for them.
So, the question now is: if I continue to use an ISP-issued router without network segregation capabilities, how should I configure it to lower my cybersecurity risks? Here’s how:
1. Use a complex password as a router admin password;
2. Create a MAC address whitelist for all devices that access the network via WiFi;
3. Identify and block internet access for devices that do not require it via firewall configurations;
4. Implement WPA2 with a strong network security key;
5. Disable WPS.
If you’re buying a secure home router from the market, these are the core features to look out for:
1. Network segregation;
2. Latest WiFi security features (e.g. WPA3);
3. Secure communications to the administrative portal (HTTPS);
4. WAN & LAN firewall filtering capability.
* WPA3 is the new kid on the block, replacing WPA2 by providing stronger security (e.g. encryption) and doing away with the vulnerabilities that were found in WPA2 (e.g. KRACK).
Are there any routers in the market that provide such functionalities? Yes; albeit at a high cost! For the tech-savvy, I strongly advise you to configure your personal firewalls based on your needs and to patch your devices in a timely manner to protect against Internet attacks. You may also consider investing in an IoT hub to centrally manage all your smart home devices.
With a heavier emphasis on cybersecurity in consumer products, I am excited to see what improvements will be made in this space!
