Definitive steps to create a more secure ecosystem at one's house


9 replies to this topic

#1 HenryTCo


Posted 10 March 2024 - 08:19 PM

My motivation for asking this question is a growing understanding that our home networks become larger and larger, thereby providing ample opportunity for intrusion, via wireless or internal propagation from an infected system. What I am asking for advice from knowledgeable members is the following:

1) Where do we start? i.e. our home networks have wireless routers etc.. should we change passwords, remove admin or reset admin passwords, how do we find smart devices which also can be used to access the network etc..

2) Next steps, sort of a descending check list from easy to harder on the best way to secure our networks

3) How do we test our defense? I've heard about drive-by invasion to networks gaining access via probing various weak entry points (easy passwords etc)

4) If we let friends join our WiFi, obviously this is a dangerous offer.. is there any way to make it safer?

5) Let's say we are fairly confident our system is currently secure, what are the steps to further improve the security listed from easiest to most difficult (usually the quite technical)

Basically, I would like to start a discussion that will help all of us better understand how we can build a more secure network and network operation habits. It's a bit daunting at times and is constantly changing.

I often read.. don't click on anything or open any emails you are not 100% sure they are from valid sources.. but hey, how can one even work in that condition.. What I did do, for example of something easy, was to disable viewing images in Gmail by default. That was super easy and has very little effect on the usefulness of the system..

Hoping we can start a helpful thread for everyone





#2 0lds0d


Posted 10 March 2024 - 10:16 PM

4) if we let friends join our WiFi, obviously this is a dangerous offer.. is there any way to make it safer?

Use Double NAT to create the first router as a 'friends' network, and at the end of the first router's route table then connect the 'home' router with a different route table. So the second router can 'see' both the first and second router's connected devices, but the first router's connected devices cannot see the second router's connected devices.

There are probably better solutions, but this is the one I have used in the past with good results.

Consider using an older desktop as a Linux firewall that does filtering, malware scanning and site blocking for the entire network.




#3 cryptodan


Posted 11 March 2024 - 08:32 AM

1) where do we start? i.e. our home networks have wireless routers etc.. should we change passwords, remove admin or reset admin passwords, how do we find smart devices which also can be used to access the network etc..

You start with setting the admin password on the router if you can, and if you can't, I suggest getting a new one. Maintain all security updates on all devices, including your Internet of Things devices like smart thermostats and security cameras.

2) next steps, sort of a descending check list from easy to harder on the best way to secure our networks

It would all depend on your network and what you have stored on it. The best is home user education.

3) how do we test our defense? I've heard about drive by invasion to networks gaining access via probing various weak entry points (easy passwords etc)

You would need some level of penetration testing and password cracking knowledge for this to be accomplished.

4) if we let friends join our WiFi, obviously this is a dangerous offer.. is there any way to make it safer?

Set up a guest network and separate it from your private network.

5) Let's say we are fairly confident our system is currently secure, what are the steps to further improve the security listed from easiest to most difficult (usually the quite technical)

See answer to number 3 above.

US Navy Veteran from 2002 to 2006

Masters in Computer and Digital Forensics Expert - Stevenson University Alumni 2015

Arch Desktop - https://termbin.com/epij

Arch Laptop - https://www.termbin.com/dnwk

Ubuntu Server - https://termbin.com/zvra


#4 Chris Cosgrove


Posted 15 March 2024 - 05:19 AM

You say 'as our home networks get larger and larger'. Apart from the essential advice about changing your router's admin password, given above, I would add that if you use IoT devices you be very careful about considering the makes of these devices. By IoT devices I mean things like remote doorbells, phone-controlled heating and lighting systems and suchlike. These are notorious for being manufactured with little regard for user security.

If you use a router supplied by your ISP, at least in the UK, it will now come with a strong admin password unique to that router. The problem lies with routers that you may buy yourself; these normally come with standard default passwords so that they are easy to set up. Commonly the pre-installed password is either 'admin' or 'password' and these default passwords are available on-line. But this ease of access is intended so that you can easily choose a password of your own.


Chris Cosgrove



#5 Dominique1


Posted 16 March 2024 - 11:04 PM

5) Let's say we are fairly confident our system is currently secure, what are the steps to further improve the security listed from easiest to most difficult (usually the quite technical)


I would add a device that tracks and logs WAN activity (Ethernet packets on the LAN coming from or going to the WAN) for suspicious behaviour, e.g. unusual or unexpected destination, unreasonable bandwidth, etc...


Edited by Dominique1, 16 March 2024 - 11:35 PM.


#6 cryptodan


Posted 16 March 2024 - 11:10 PM

5) Let's say we are fairly confident our system is currently secure, what are the steps to further improve the security listed from easiest to most difficult (usually the quite technical)


I would add a device that tracks and logs WAN activity for suspicious behaviour, e.g. unusual or unexpected destination, unreasonable bandwidth, etc...

Not doable in home networks due to ISP-owned equipment, known as a demarcation point, before it comes into your house. Your WAN is what gets the ISP IP address.



#7 Dominique1


Posted 16 March 2024 - 11:37 PM

I clarified my "WAN activity" use in Post#5. :wink:



#8 cryptodan


Posted 16 March 2024 - 11:53 PM

There is still no way to do that. The WAN in my case is an ONT (Optical Network Terminal), where the fiber gets converted to either coaxial to a modem/router provided by the ISP for those with set-top boxes, or RJ45 to either your own router or the ISP's one.

My router logs all activity from LAN to the WAN IP address.

WAN: Wide Area Network

Edited by cryptodan, 16 March 2024 - 11:54 PM.



#9 Dominique1


Posted 17 March 2024 - 12:37 AM

There is still no way to do that

Yet...

My router logs all activity from LAN to the WAN IP address.


cryptodan, you understand what I mean. :hysterical:

 

This is a discussion about adding further protection to a home network.  It may be overkill (or not) to add a device that will perform traffic analysis, something more proactive than blind packet logging.
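
The traffic analysis discussed in posts #5 and #9 (flagging unusual destinations and unreasonable bandwidth instead of only logging packets), as an added example that is not part of any poster's reply. The CSV flow layout, the addresses, the function names and the 10x threshold are all assumptions made up for illustration; real router or firewall exports differ.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (LAN source -> WAN destination) in a
# hypothetical "time,src,dst,dport,bytes" CSV layout. WAN addresses come
# from the reserved documentation ranges.
BASELINE = """\
2024-03-16T10:00,192.168.1.20,198.51.100.10,443,52000
2024-03-16T10:05,192.168.1.20,198.51.100.10,443,48000
2024-03-16T10:10,192.168.1.30,203.0.113.5,443,900000
2024-03-16T10:15,192.168.1.30,203.0.113.5,443,1100000
"""
OBSERVED = """\
2024-03-17T02:00,192.168.1.20,198.51.100.10,443,51000
2024-03-17T02:01,192.168.1.20,192.0.2.77,6667,4000
2024-03-17T02:02,192.168.1.30,203.0.113.5,443,25000000
2024-03-17T02:03,192.168.1.40,198.51.100.10,443,1000
"""

def parse(text):
    """Yield (src, dst, dport, nbytes) tuples from CSV flow text."""
    for _ts, src, dst, dport, nbytes in csv.reader(io.StringIO(text)):
        yield src, dst, int(dport), int(nbytes)

def learn(flows):
    """Per device: destinations seen and the largest single flow size."""
    dests, peak = defaultdict(set), defaultdict(int)
    for src, dst, dport, nbytes in flows:
        dests[src].add((dst, dport))
        peak[src] = max(peak[src], nbytes)
    return dests, peak

def analyse(baseline_text, observed_text, factor=10):
    """Return alerts for unknown devices, new destinations, large flows."""
    dests, peak = learn(parse(baseline_text))
    alerts = []
    for src, dst, dport, nbytes in parse(observed_text):
        if src not in dests:  # device never seen during the baseline
            alerts.append((src, "unknown-device", f"{dst}:{dport}"))
            continue
        if (dst, dport) not in dests[src]:  # unexpected destination
            alerts.append((src, "new-destination", f"{dst}:{dport}"))
        if nbytes > factor * peak[src]:  # far above this device's norm
            alerts.append((src, "bandwidth", str(nbytes)))
    return alerts

if __name__ == "__main__":
    for alert in analyse(BASELINE, OBSERVED):
        print(*alert)
```

The baseline is learned per device, so a camera that normally uploads a lot is not flagged for it, while a device that was absent from the baseline is reported the first time it talks to the WAN.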



#10 cryptodan


Posted 17 March 2024 - 01:50 PM

The router is the device; there is no way to monitor the traffic at the ONT, which is the WAN. The router is still part of my local area network, where I have control over it. I don't control the ONT.
