The wise old elf will tell you not to put all your eggs in one basket. The same goes for your safety nets, whether it is internet security or your home security. We will discuss some basic steps everyone should take when they set up their network and the computers within it. If you haven’t done these yet, don’t worry; we have not lost the war, since you are still up and running to read this.
Use a Router
There is always the proverbial internet noise, and threats that are actively looking for victims out in the wild. That makes connecting your computers directly to the modem one of the worst things you could do to them. It has been proven in the past that a vanilla install of a Windows machine (unpatched, of course) connected directly to the modem was compromised by the flood of internet attacks in under 5 minutes.
Get a good router (the wireless router you may already have does the same job) within your budget and connect that to the modem instead. Set up the router as the DHCP server and connect all devices to it. The DHCP server on the router gives each of your devices an internal IP address, and the router does its Network Address Translation (NAT) magic, rewriting the source and destination of the traffic going between your devices and the internet.
So, does this help with security? A little, but not by much. When we connect a computer directly to the modem, the modem doesn’t really care whether the traffic coming from the internet has a valid destination inside the network. A router helps a bit here: it drops the noise and forwards traffic only to a valid destination.
Divide your network
This is for advanced users, and for the non-techies who are brave enough to sit down, plan and dig deep. If you have the guts for it, consider creating multiple network segments for the different types of equipment that have no need to talk to each other. For example, you could create two networks, one dedicated to your computers and mobile devices while the other serves the connected devices at home. Some even make a third just for a Wi-Fi access point that guests connect to.
Why should we do this? When all the devices sit in the same network and one of them is already infected, that infected device can attack and infect the others. Unlike your computers and mobile devices, most connected devices do not get patched or updated for security as often, which makes them a juicy target for a botnet. Remember the last DDoS attack that was carried out by a large set of surveillance cameras? It is in everyone’s best interest to have a divided and contained network where you can put proper controls in place.
After all, you don’t let strangers walk around inside your home without supervision, do you?
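As an added illustration of the three-segment plan above (computers, connected devices, guest Wi-Fi), here is a small policy checker that is not part of the original post. The subnets, the allowed directions and the sample flows are all constructed assumptions; the point is that a camera or a guest device can reach the internet but never your laptop.

```python
import ipaddress

# Constructed home network plan (example values, not from the post):
# one segment per type of device, as the section describes.
SEGMENTS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),  # computers, phones
    "iot":     ipaddress.ip_network("192.168.20.0/24"),  # cameras, smart TV
    "guest":   ipaddress.ip_network("192.168.30.0/24"),  # visitors' Wi-Fi
}

# Which segment may open connections to which. "internet" is anything
# outside the three segments. A direction not listed here is denied.
POLICY = {
    "trusted": {"internet", "iot"},   # you manage the cameras from a laptop
    "iot":     {"internet"},          # a camera never needs your laptop
    "guest":   {"internet"},          # guests get the web and nothing else
}

def segment_of(ip):
    """Name of the segment an address belongs to, or "internet"."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip, dst_ip):
    """Would the firewall between segments let src_ip open a connection to dst_ip?"""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src == "internet":
        return False          # unsolicited inbound traffic is dropped at the router
    if src == dst:
        return True           # same segment: no firewall sits in between
    return dst in POLICY[src]

def check_plan(flows):
    """Evaluate (src, dst) flows against the plan; returns the denied ones."""
    return [f for f in flows if not is_allowed(*f)]

if __name__ == "__main__":
    flows = [("192.168.20.15", "192.168.10.5"),   # infected camera -> laptop
             ("192.168.30.7", "192.168.20.15"),   # guest phone -> camera
             ("192.168.10.5", "192.168.20.15"),   # laptop -> camera
             ("192.168.20.15", "203.0.113.1")]    # camera -> internet
    for f in check_plan(flows):
        print("denied:", f)
```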
Consider a Firewall Solution
Now this gets a bit serious and truly adds to your security layers. Though it adds more network complexity than most non-techie users would want to manage, it is an important piece of the security puzzle if you can handle it. You could either buy a pre-built appliance from a reputable manufacturer or build a custom solution on a spare computer that is sitting around. A firewall can be set up so that all traffic passes through it.
This allows you to do some cool things. Want to control what your kids watch and visit, or cut your better half’s access to the net after 10 PM, anyone? Er, anticipatory bail – I may not be held responsible for any reaction to anything you try with your better half – I am pretty sure that Newton failed to mention that the reaction could be stronger given the environmental parameters and destination of the actions. ¯\_(ツ)_/¯
Most networking equipment manufacturers, and others like Ubiquiti, pfSense and WatchGuard, make ready-made appliances that you can buy off the shelf and set up. If you truly plan to go there, do your research and get the one that fits your budget. For a home user, even a basic one can help.
Use a well known Public DNS Service
One of the settings in your router will allow you to set up a DNS service. DNS, or the Domain Name System, is like the Yellow Pages or the telephone directory for the internet. Back in the days when the number of computers was small, everyone could just use the direct address of the machine to connect to. That quickly changed when the number of machines exploded. A DNS service helps your computer translate the yourwebsite.com address to an IP address.
So, how does it work? When you open a browser and visit a website, your computer attempts to resolve that name to an IP address to send the traffic to. On your computer there is a hosts file (C:\Windows\System32\drivers\etc on Windows and /etc/hosts on Unix-based systems), which is one of the first places the operating system looks to see if you have a local mapping in place. If it cannot find a mapping in the hosts file, it looks for the DNS server that may be set in your network settings. If we don’t specify where our systems should get domain name resolution from, they query your gateway, which in turn goes out to find an available DNS server.
One of the ways an attacker can trap you is with a trick called DNS cache poisoning. At a high level, the attacker makes your local ISP’s DNS server believe that yoursite.com’s IP address is X instead of Y. So, when your network asks that DNS server for a resolution, it hands you the bad guy’s IP.
One way to work around this is to use a public DNS service that is managed better and a bit harder to spoof. Some of the most famous ones are Google (188.8.131.52 and 184.108.40.206 as backup) and Cloudflare (220.127.116.11 and 18.104.22.168). By setting them in your router’s settings, you bypass the local and ISP DNS servers.
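To make the lookup order above concrete (hosts file first, then the configured DNS server) and to show why a second, independent resolver is useful against a poisoned cache, here is an added example that is not from the original post. The hosts-file text, the two resolvers and their answers are all constructed; the "isp" resolver is given a bad cached entry for yoursite.com, and the checker flags the disagreement with the public resolver.

```python
# Constructed hosts-file content (not read from any real system).
HOSTS_FILE = """\
# Local overrides are consulted before any DNS server is asked
127.0.0.1     localhost
192.168.1.20  printer.home printer
"""

# Constructed answers from two resolvers (documentation IP ranges).
# The ISP cache holds the "X instead of Y" entry for yoursite.com.
RESOLVERS = {
    "isp":    {"yoursite.com": "203.0.113.9", "example.org": "198.51.100.7"},
    "public": {"yoursite.com": "198.51.100.5", "example.org": "198.51.100.7"},
}

def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text, skipping comments and blanks."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first entry wins, as resolvers do
    return mapping

def resolve(name, resolver, hosts=HOSTS_FILE):
    """Lookup order from the text: hosts file first, then the DNS server.

    Returns (ip_or_None, source) so the caller can see where the answer came from.
    """
    name = name.lower().rstrip(".")
    local = parse_hosts(hosts)
    if name in local:
        return local[name], "hosts"
    return RESOLVERS[resolver].get(name), resolver

def answers_agree(name, primary, secondary):
    """Cheap sanity check: do two independent resolvers give the same answer?

    A disagreement does not prove poisoning, but it is the signal worth a look.
    """
    return resolve(name, primary)[0] == resolve(name, secondary)[0]

if __name__ == "__main__":
    print(resolve("printer", "isp"))                       # served from hosts
    print(resolve("yoursite.com", "isp"), resolve("yoursite.com", "public"))
    print("resolvers agree:", answers_agree("yoursite.com", "isp", "public"))
```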
As a side note, if you truly care about the performance of your network, it might actually be a good idea to pay a bit more, get SMB-grade gear and have separate devices for the router (to build the basic network), the firewall (for security) and the access point (for building out the Wi-Fi network). Cisco / Netgear / Linksys / Ubiquiti Networks have a wide range of solutions if you truly want to go deep into that abyss.