Tuesday, April 22, 2014

Home Network Perimeter Security (or what can I do besides that old WiFi router?)

Home networks - gotta love them.  Where would we be without WiFi?  Can't even fathom it!  Just like anything else, our networks need some TLC, including security.

Your home router fulfills a bunch of tasks, including assigning IP addresses to your local devices (that's called having a DHCP server), managing WiFi connections, and firewalling, which is what really interests us today.  A firewall is the part that keeps (or tries to keep) the bad stuff on the Internet and outside your network.  There are plenty of choices out there, so let's review them from weakest to strongest.

  1. Old WiFi router from the "heyday": we all had one of those generation 1-type devices.  Think of the trusty Linksys WRT54G, old D-Links and such.  Their firewall technology is known as "NAT" or Network Address Translation.  NAT is primarily used to map traffic from your network to the Internet, so that little Robert's iPad's requests to YouTube get their replies sent back to him and not to his sister's laptop.  That is essential, but from a security perspective, ouch, and I'll spare you the details.

    Consumer wisdom: ditch these old routers now.  Plus, WiFi encryption on these may be limited to WEP or WPA (not WPA2), so your neighbors can decide to look into your network, not fun.  WEP & WPA are fairly easy to hack these days.
  2. Newer WiFi routers are much better as they're all equipped with "stateful" firewalls, where a whole lot more checks are done to validate whether the traffic is desirable or not.  Make sure anything you buy comes with a "stateful" firewall.  On the plus side, they're not more expensive :)
  3. Hacker firmware on routers is something that's been done for a number of years now.  It all started with the Linksys WRT54G and open-source components (Linux stuff), which evolved into firmwares more mature, stable and feature-rich than the manufacturers' own.  So much so that some WiFi router manufacturers now bundle some of these open-source alternatives by default; the most common is DD-WRT.

    With DD-WRT you can take that $50 router of yours and turn it into a $150+ device from a feature perspective, with multiple SSIDs, guest networks, VPN servers, PBX and soooo much more that the common user might just get lost in the process.  So here is my warning: if you can't format a USB key, stay away.  If you feel adventurous and are willing to read/post in forums and consult guides, give it a whirl.  I used DD-WRT for years until recently, when I upgraded my WiFi router but made sure that the new unit supports it.
  4. A recycled PC as a firewall is what I use these days.  I had this AMD X2 350 with 6GB RAM gathering dust, which I converted to a full-featured firewall with a 2nd network card (you need one for your ISP and one for your network).  This is by far the most powerful security approach when you choose a firewall package which is complete & frequently updated, such as Endian, Untangle, Smoothwall and Sophos Home UTM (which I adopted: a free commercial-grade product with features & updates, can't beat that!).

    If you wish to go down that road, make sure you do your homework beforehand, and you will need to re-think your network to some extent because your wireless router is no longer the customs agent at the door.  You need to disable the DHCP server in your router if you keep it for WiFi; otherwise it will compete with the DHCP server in the firewall and your network will just not work.
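    The "two DHCP servers competing" problem in step 4 is visible on the wire: every client broadcast gets an OFFER from each server.  The following is an added example, not the author's code nor part of any of the firewall packages named above; it parses DHCP OFFER messages and flags a transaction id answered by more than one server.  The router and firewall addresses and the transaction ids are constructed sample values.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
DHCP_OFFER = 2                        # option 53 value for an OFFER

def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP options of one UDP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", packet[4:8])[0]
    msg = {"xid": xid, "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
           "msg_type": None, "server_id": None}
    i = 240
    while i < len(packet) and packet[i] != 255:   # 255 = end of options
        if packet[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if code == 53:                              # DHCP message type
            msg["msg_type"] = value[0]
        elif code == 54:                            # server identifier
            msg["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return msg

def competing_dhcp_servers(packets) -> dict:
    """Group OFFERs by xid; two servers on one xid means they are competing."""
    by_xid = {}
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["msg_type"] == DHCP_OFFER and msg["server_id"]:
            by_xid.setdefault(msg["xid"], set()).add(msg["server_id"])
    return {xid: s for xid, s in by_xid.items() if len(s) > 1}

def build_offer(xid: int, yiaddr: str, server_id: str) -> bytes:
    """Constructed OFFER (op=2, Ethernet hw addr) so the example runs offline."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\x00" * 4
    hdr += ipaddress.IPv4Address(yiaddr).packed + b"\x00" * (8 + 16 + 64 + 128)
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"

# Constructed capture: the WiFi router (192.168.1.1) and the PC firewall
# (192.168.1.254) both answer the same DISCOVER (xid 0x1234ABCD).
SAMPLE_OFFERS = [
    build_offer(0x1234ABCD, "192.168.1.50", "192.168.1.1"),
    build_offer(0x1234ABCD, "192.168.1.120", "192.168.1.254"),
    build_offer(0x0BADF00D, "192.168.1.51", "192.168.1.254"),
]
```

On a real network you would feed `competing_dhcp_servers` the UDP payloads of packets captured on port 68; a non-empty result means the router's DHCP server was not disabled.
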

Regardless of what you choose, make sure you check for updates on a monthly basis; nothing like leaving security holes wide open & unpatched to attract problems.  It's not like you have mission-critical information on your network, but you still want to avoid problems.

A few parting items:
  • Look at your options based on your geekhood; emerging geeks should stick to commercial products or face the wrath of the spouse (been there)
  • If you have an old router, recycling is a good option; don't leave it in your network & don't trash it
  • For some old routers, check out DD-WRT, you might breathe some life into your gear for $0
Hope this helps, post comments for questions!
