Category: Information Security

For many years, Corporations and Businesses that allow VPN access into their network have ignored the Home User Network. The reasoning is that the Home Network alone is a nightmare to support, so it's easier just to say "we don't support it, but we'll give you VPN access anyway".

Personally and Professionally, when asked to review or write up VPN/Remote Access Policies and Procedures, I usually add in information about Securing your Home Network. It IS a critical part of a Remote WFH user!

With the massive shift that just happened due to the "Stay at Home / Work from Home" push, we cannot ignore the "Home Network" anymore.

The weakest link in any organization is the home network. Companies should start looking at publishing Secure Home Network Guidelines. If users are using outdated equipment, it's a potential weak link. If their home network hardware is not up to date (software updates), it is a weak link. If their wireless can be compromised, it is a weak link.

This is not to say that a Company "will support the Home Network", no. This is to say that guidelines need to be created to ensure that when using the VPN to WFH, the User's Home Network is not compromise-able! Right now, this is the weakest link in your Security in Depth approach and should have been addressed.

Corp Laptops preconfigured with AV/MW and other security software are one of the best answers to this.

The following are just some steps to ensure your Home Network is secure:

  1. Check to see the age of the Cable Modem. Many outdated Cable Modems are susceptible to being compromised.
  2. Many Cable providers will lower your monthly Internet Cable charge if you go and purchase your own Cable Modem. This can be a good idea as the most recent Cable Modems are more secure. Just make sure you tell your Cable Provider that you are going to swap out the Cable Modem. Many providers will give you a suggested list of CMs for you to choose from.
  3. Install a Home Network Firewall. Believe it or not, your cable connection is being tested and hammered every single day. The best way to stop the potential attacks is to install a Home Firewall that is robust enough to block all traffic except the traffic you want. While I build my own based upon Open Source Firewalling technologies, there are some commercial ones available. Click on this link to find some of the better more affordable ones. The Link HERE is a site that has the best "free" Firewall programs. Be forewarned! You may need a dedicated PC and additional hardware, but it's worth it to make your Home Network more Secure.
  4. If your home firewall can do packet inspection or has Anti-Virus at the FW level, this can be a help to block unwanted traffic.
  5. Make sure your Home Firewall is on the latest Software Version and set to block all incoming traffic, while allowing only the traffic that goes out (http, https, VPN out, etc.).
  6. Make sure if you are using Wireless Access Points, that they are also up to date with the latest Software. Within the last few years, the home WAPs have been a target for hackers. This is because most people set and forget these devices. You must make sure that these WAPs are up to date. If they are not, or if they cannot be updated, go buy a more recent version or device. It will save your Home Network in the long run.
  7. Ensure that your WiFi connection is using WPA2, WPA2-AES, or higher encryption. WPA2 may indicate that the device is out of scope. WPA2 can be broken. Newer models of WAPs use much better encryption methods. Look at upgrading where possible.
  8. If you use your WAP as the Firewall and it is connected directly to your Cable Modem, you might want to rethink this and separate them. Many Cable Providers will install both the Cable Modem and WiFi devices for you. Remember to ASK THEM for the Username and Passwords, then change them when they leave. Why does a Cable Provider need the Admin password to your WiFi? Take control over your WiFi!
  9. Make sure that all devices that are on your Home Network are secured with a Username and Password. DO NOT reuse the same User Name and Password for all devices. If you have trouble remembering your User Names and Passwords, download and install a Password Vault. I use KeePass. It securely encrypts your Information (User & PW) in a non-breakable (as of this post) secure format (AES-256). Store all of your information in a Secure Password Vault.
  10. All Network Devices should NOT be using the default Username and Password! If you never changed the default, do so now! Store the new information into your Secure Password Vault.
  11. Make sure that your Anti-Virus software is up to date.
  12. Use a Company Provided Laptop where the Corporation monitors, maintains and locks down the Laptop with periodic updates for the Operating System, Anti-Virus Solution, Anti-Malware, etc. software.
  13. If your company allows you to VPN from your home laptop or computer system, make sure that you are on the latest revisions of the Operating System, Anti-Virus, Anti-Malware, etc. software. Hopefully you were given a Corporate Laptop and do not have to worry about this.
  14. Any Network Devices should be as up to date as possible. This includes IoT devices, Switches, Hubs, Systems, Drivers and BIOS for Printers, etc. Ensure that the devices are on the latest Firmware. If a device cannot be updated, think about replacing it if possible. If the device is out of production and there are no further updates (say more than 1 year), consider replacing the device with a new one. That depends upon how secure you want to keep your Home Network and how serious you are about it.
  15. TURN OFF ALEXA, SIRI, AMAZON ECHO or any other Internet Listening Devices while you are working from home! They will listen in to your Work Conversations and share that information back to the parent company of the device! These companies store your conversations in the Cloud for who knows what reasons. This technically is called "Corporate Espionage" and can open up a legal can of worms for you and your home. While they are cute, just turn them off during normal business hours!
  16. Use a VPN at all times. Even if you are surfing for home fun and enjoyment, use a VPN! This protects your Cable Modem IP address against hackers. There are tons to use. Most are paid for with a subscription. Check out the list of VPN providers here with this link. Most countries applaud the use of a VPN, but not all. You might want to sign up with a VPN provider that is reasonable, does not keep logs, does not keep login and log out times, etc. These will help protect you and your Internet Habits be they what they are. Some will allow the tunneling of a separate VPN to your Corporation, but not many. Ask, Compare and decide for yourself.
  17. Make periodic backups. I use external Hard Drives as well as a NAS solution. It's way overboard for your normal user (no one ever said I was normal ;) ) but has saved me multiple times. If you use a USB External Hard Drive for your backups, turn it off after each use. A dedicated External Hard Drive of 8 TB will cost no more than $150, check for sales! Once you get one, make sure that you back up your home system, Corporate Laptop or Home Laptop at regularly scheduled intervals. Don't forget to back up your Password Vault too!!
  18. Wired over Wireless. Wired Home Networks are much more secure. However, if you just don't want to run wires through the wall or don't have the funds to hire an electrician, WiFi is suitable. But it may cost you in the long run. When my Wife and I bought our home, I inspected the house initially and ran my own wires through the walls (Cat 5/Cat 6), but I recognize that for many this is just not an option. Limit your WiFi footprint. If the WiFi WAP has screw-on antennas, get small directional antennas. See if you can lower the power of the WiFi Signal. Any signal that escapes your house may be susceptible to being hacked. That's why Wired is the best.
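
Steps 3 and 5 above, written out as an nftables ruleset for a Linux-based Home Firewall. This is an added example, not the author's own configuration. The interface names `wan0` and `lan0`, the LAN-side services, and every port other than http and https are assumptions to adjust for your own network.

```nftables
#!/usr/sbin/nft -f
# Added example, not the author's configuration.
# Assumed names: "wan0" faces the Cable Modem, "lan0" faces the home LAN.
flush ruleset   # replaces every rule already loaded on this box

table inet home_fw {
    chain input {
        # Traffic addressed to the firewall itself: dropped unless listed here.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept   # replies to connections we opened
        ct state invalid drop
        # Services the firewall offers to the LAN only (assumed: SSH, DNS, DHCP).
        iifname "lan0" tcp dport { 22, 53 } accept
        iifname "lan0" udp dport { 53, 67 } accept
        # Lease renewal from the provider's DHCP server (assumed WAN addressing).
        iifname "wan0" udp sport 67 udp dport 68 accept
        # IPv6 stops working without neighbour discovery and packet-too-big.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big } accept
        # Count what the Internet side sends unasked, then drop it.
        iifname "wan0" counter drop
    }

    chain forward {
        # Traffic routed between LAN and Internet: same default of drop.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outbound allowlist: http and https, plus DNS and NTP (assumed).
        iifname "lan0" oifname "wan0" tcp dport { 53, 80, 443 } accept
        iifname "lan0" oifname "wan0" udp dport { 53, 123 } accept
        # "VPN out": IKE and IPsec NAT-T ports assumed; use your VPN's own.
        iifname "lan0" oifname "wan0" udp dport { 500, 4500 } accept
        iifname "wan0" counter drop
    }
}

table ip home_nat {
    chain postrouting {
        # Hide LAN addresses behind the single address the provider assigns.
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Running `nft -c -f` on the saved file checks it without loading it, and `nft list ruleset` afterwards shows the drop counters, which is where the daily probing of your cable connection becomes visible.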

 

The bottom line is that you are in control of your own Secure Home Network.  Ask questions, send me an email or talk to reputable people to get an idea of how to set this up and ensure that your Network is Secure.

Stay safe people!