
Securing A Home Network

Computer security used to be as simple as securing your Windows PC, because the Windows PC was synonymous with being online: install your antivirus/firewall software and everything was good to go. In recent years, just about everything electronic can be connected to the internet: Macs, Chromebooks, iPhones, iPads, iPods, Android phones, Android tablets, smart TVs, set-top boxes, WiFi receivers, Blu-ray players, smart watches, cameras, surveillance cameras, baby cams, HVAC controllers, appliances, and game consoles. This hyper-connected world of devices of all kinds has been dubbed the “internet of things” or IoT. Much of the communication from connected devices is not user initiated; rather, it is traffic sent back to servers on the internet or to other devices on the same network.

Unfortunately for many people, these devices are usually not secure by default and have vulnerabilities that can be easily exploited. Likewise, unlike phones, tablets, and computers, these devices rarely if ever receive security updates beyond the original firmware installed on them at the factory. These factors create many potential attack vectors. The DDoS attack on 10/21/2016 was a highly orchestrated attack launched from a large number of these IoT devices, mostly cameras and set-top devices. Thousands of these devices were compromised and had malware installed on them, which was then commanded to direct an attack against the Dyn network; this shut down access to many popular websites such as Twitter.

Given the lack of control over these devices, there is very little a consumer can do to secure them directly. However, there are a few things that can be done, principally by “securing the perimeter”: strengthening security on the “edge” devices, which are typically the devices that connect one’s home to one’s internet service provider (ISP). Here are a few tips:

EASY: Scan for Vulnerabilities. BullGuard Internet Security offers an online tool for scanning your network for vulnerabilities. It’s simple to use: log on to the page while on your network using a phone, tablet, or laptop, then click “Check if I am a Shodan”. (“shodan” means newbie.) This will scan your network from the outside to see if there are any holes.

Once you run the check, you will see a list of exposed “ports”. Typically on a home network there shouldn’t be any ports exposed, but just because something is exposed doesn’t mean that it is a threat. Run “Deep Scan” on those ports to see whether they are exposing any threats.


In my case, I do run services on my network. If there are ports exposed unintentionally, then these need to be addressed. Some of the following steps can help mitigate security risks.

EASY: Disable UPnP. UPnP is a protocol that allows devices on a network to automatically discover and configure connections to other devices on the network. Some devices use it to open connections to the internet that allow attackers to compromise the UPnP device, and even to gain access to other devices on your network. This was the protocol used to compromise the cameras in the massive DDoS attack. UPnP is typically easy to disable on a device, but the procedure varies. Check the documentation for the device to learn how to disable UPnP.
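Disabling UPnP in a device's settings is only half the job; the other half is confirming that nothing on the LAN still answers UPnP discovery. The script below is an added example, not code from the original post or from any vendor. It sends the standard SSDP M-SEARCH request to the UPnP multicast group (239.255.255.250, port 1900) from a laptop on the home network and lists every device that replies; any device that answers still has UPnP switched on. The `SAMPLE_REPLIES` at the bottom are constructed datagrams using documentation addresses, so the parsing can be exercised without a network; only `discover()` touches the LAN.

```python
"""Check which devices on the LAN still answer UPnP discovery.

Added example; not code from the original post. Sends the standard SSDP
M-SEARCH to 239.255.255.250:1900 and lists every device that replies.
A device that answers still has UPnP enabled: either the setting did
not take effect or another device on the LAN has it on.
SAMPLE_REPLIES are constructed, not captured from real devices.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"              # devices may delay their reply up to 2 s
    "ST: ssdp:all\r\n"       # ask for every service, not just root devices
    "\r\n"
).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse one SSDP reply into a dict keyed by lowercase header name.

    Only 'HTTP/1.1 200 OK' datagrams are M-SEARCH responses; anything
    else (e.g. an unsolicited NOTIFY announcement) yields an empty dict.
    """
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def summarize(replies: list) -> list:
    """Group (sender_ip, datagram) pairs into one record per device.

    A device is identified by its IP plus the LOCATION of its description
    document; the record collects every search target (ST) it advertised.
    """
    devices = {}
    for ip, raw in replies:
        h = parse_ssdp_response(raw)
        if not h:
            continue
        key = (ip, h.get("location", ""))
        rec = devices.setdefault(key, {
            "ip": ip,
            "location": h.get("location", "?"),
            "server": h.get("server", "?"),
            "services": set(),
        })
        rec["services"].add(h.get("st", "?"))
    return [dict(r, services=sorted(r["services"])) for _, r in sorted(devices.items())]


def discover(timeout: float = 3.0) -> list:
    """Multicast one M-SEARCH and collect every unicast reply until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies = []
    try:
        sock.sendto(MSEARCH, SSDP_GROUP)
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            replies.append((ip, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


# Constructed sample datagrams for offline use (RFC 5737 documentation addresses)
SAMPLE_REPLIES = [
    ("192.0.2.1",
     b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
     b"ST: upnp:rootdevice\r\nSERVER: Linux/3.x UPnP/1.1 ExampleRouter/1.0\r\n"
     b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
     b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n"),
    ("192.0.2.1",
     b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
     b"SERVER: Linux/3.x UPnP/1.1 ExampleRouter/1.0\r\n"
     b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n\r\n"),
    # An unsolicited NOTIFY announcement is not an M-SEARCH response and is ignored
    ("192.0.2.50", b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: ssdp:alive\r\n\r\n"),
]

if __name__ == "__main__":
    found = summarize(discover())
    if not found:
        print("No UPnP devices answered; UPnP appears to be off on this LAN.")
    for d in found:
        print(f"{d['ip']:15} {d['server']}")
        print(f"    description: {d['location']}")
        for st in d["services"]:
            print(f"    advertises:  {st}")
```

Run it once before and once after turning UPnP off: the router should disappear from the list, and any device that remains is one whose UPnP setting still needs attention. A service of type `WANIPConnection` is the one that lets LAN devices ask the router to open ports from the internet, which is exactly what the post warns about.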


EASY: Use OpenDNS Family Shield. Internet services use domain names (e.g., example.com), each of which is associated with a unique number on the internet known as an IP address. The directories that map names to numbers are called domain name services (DNS). DNS acts like a phone book: devices look up domain names and get back IP addresses, and once the IP address is obtained, devices use it to send data. OpenDNS protects networks by blocking domains that distribute viruses, malware, and other threats. It also provides content filtering by blocking access to adult sites and other inappropriate content. Family Shield is an anonymous, easy-to-use service with a set of preset filters that offer content filtering and basic malware protection. No sign-up is required and it doesn’t take much to set up.

OpenDNS provides a database of setup instructions for many popular routers. You will need to know the model of your router to look it up in the database, and how to log on to your router on your home network. Once you know the model, select it from the database and OpenDNS provides instructions on how to set up the router.

EASY to MODERATE: Use OpenDNS Home. OpenDNS Home is like Family Shield, but it gives the user more fine-grained control over the content categories and more robust malware and threat protection. In addition to router configuration, this service requires a sign-up, and it also requires the user to install an app on one of the computers on the LAN (Mac or PC) that updates OpenDNS with your new public IP address whenever it changes, so that OpenDNS can apply your settings to your network. The address can also be updated manually; however, if the address changes and is not updated, the category selection will not work. Users can also download a history report showing what sites were accessed and how often.
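Setting OpenDNS on the router, as the Family Shield and OpenDNS Home steps above describe, only covers devices that take their DNS server from the router; a device with a hard-coded resolver never sees the filtering. The script below is an added example, not code from the original post or from OpenDNS. It reads the resolvers a Unix host was handed (`/etc/resolv.conf`), classifies each against the publicly documented OpenDNS addresses, and sends a raw A-record query straight to that resolver so the "phone book" lookup can be watched end to end. The `SAMPLE_*` values are constructed for offline use; `lookup()` is the only part that needs a network.

```python
"""Check which DNS resolver a host really uses and query it directly.

Added example; not code from the original post or from OpenDNS. Reads
the resolvers in /etc/resolv.conf, classifies them against the OpenDNS
addresses, and performs a raw RFC 1035 A-record lookup through a given
resolver. SAMPLE_* values are constructed for offline use.
"""
import random
import socket
import struct

# Publicly documented OpenDNS resolver addresses
OPENDNS_FAMILY_SHIELD = {"208.67.222.123", "208.67.220.123"}
OPENDNS_HOME = {"208.67.222.222", "208.67.220.220"}


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()       # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(ip: str) -> str:
    """Say whether a resolver address is one of the OpenDNS services."""
    if ip in OPENDNS_FAMILY_SHIELD:
        return "OpenDNS Family Shield"
    if ip in OPENDNS_HOME:
        return "OpenDNS Home"
    return "not an OpenDNS address (filtered only if this resolver forwards to OpenDNS)"


def build_query(name: str, txid: int) -> bytes:
    """Build a recursive A-record query in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_answers(msg: bytes, txid: int) -> list:
    """Return IPv4 addresses from the answer section; raise on id mismatch or error RCODE."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = flags & 0x0F
    if rcode != 0:
        raise ValueError(f"resolver returned RCODE {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:           # A record, IN class
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def lookup(name: str, resolver: str, timeout: float = 3.0) -> list:
    """Send one UDP query to `resolver` and return the A records it answers with."""
    txid = random.randrange(0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_answers(data, txid)


# Constructed samples: a resolv.conf and a wire-format reply (192.0.2.x are documentation addresses)
SAMPLE_RESOLV_CONF = "# generated by DHCP\nnameserver 208.67.222.123\nnameserver 192.0.2.1 # router\n"
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"    # id 0x1234, response, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"              # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a"   # answer: A IN TTL 3600 192.0.2.10
)

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        resolvers = parse_resolv_conf(fh.read())
    for ip in resolvers:
        print(f"{ip}: {classify_resolver(ip)}")
        try:
            print("   example.com ->", ", ".join(lookup("example.com", ip)))
        except (OSError, ValueError) as err:
            print("   lookup failed:", err)
```

On a host that gets its settings from a router configured per the instructions above, the resolver will normally be the router's own LAN address, which then forwards to OpenDNS; the classification message allows for that. The transaction-id check in `parse_answers` is the same one every resolver performs to reject replies it did not ask for.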

Figure: OpenDNS Categories

MODERATE: Don’t use the ISP-provided device for Wi-Fi or routing. Not in every case, but more often than not, the device provided by an ISP is either sold or rented to users. These devices provide a connection to the Internet as well as built-in Wi-Fi with little or no security features. A typical network looks something like this:

Figure: Typical ISP Device Network

Using a third-party device can substantially improve security because many third-party devices have more advanced security features built in. Depending on the router, these may include virus/malware detection, content filtering, a basic firewall, the ability to disable UPnP, and intrusion detection. Linksys E-series routers make it easy to install apps that scan internet traffic for malware as well as filter content. They can also be used alongside OpenDNS for additional protection.

Hooking up a third-party router usually means disabling the WiFi on the ISP’s router, then connecting a LAN port on the ISP router to the WAN (Internet) port on the third-party router. This configuration offers a modest front-line defense from the ISP’s router and a more robust defense from the third-party router.

Figure: Ideal Third Party Router Network

MODERATE to HARD: Buy and install a firewall. A home firewall offers the highest level of protection, but it also requires that the user set it up. Firewalls have come a long way in terms of ease of use and configuration; however, they still require the user to have a basic knowledge of how networks work, so they aren’t recommended for just anyone.

Unless the firewall has built-in WiFi, it is usually installed inline between the ISP’s router and a WiFi router. The firewall takes over a great deal of the WiFi router’s functionality, so that the WiFi router serves simply as an access point and performs no routing. This requires that routing features on the WiFi router be disabled, such as DHCP (which assigns addresses on the network) and DNS services.

Figure: LAN with Firewall

Untangle NG is one of the easiest firewalls to use, with an intuitive interface and setup wizard that almost any moderately technical individual can understand. Untangle has a lot of free services — content filtering, malware detection, intrusion detection, spam protection, ad blocking, geo blocking (blocking traffic to and from specific countries) — and premium versions of many of these same apps.

JLTCTech offers a number of affordable, Untangle-powered firewall devices, some with built in WiFi.

HARD: Build a firewall. Building a firewall is possible, but this option is not for the faint of heart. It’s generally cheaper than a purpose-built firewall, but it takes a lot of time and effort to do it right. Untangle offers Untangle NG for free to those who want to make a DIY firewall. It runs on x86 hardware, both 32-bit and 64-bit. An old desktop or laptop (with an added NIC) makes a good candidate for Untangle.
