Securing Home Network
In enterprise network security the weakest part of any security is usually the user. The same is true for home network security. Here I will examine several ways to keep the home network safe while maintaining the Spouse Acceptance Factor.
I break home network security down into several areas...
- things I can control, like my computers, patching, etc.
- things I can hope to control: kids' devices, spouse's devices
- things I have no hope of controlling: kids' misc apps, internet services, etc.
Things I can control...
Education
I would guess that if you are reading this article, you come from a highly technical background. My family...well... does not. Sometimes I think that they are actually more clever and are actively trying to subvert and aggravate me. And there are times when, if they cannot get what they want through the "right" way, they will find the "next best" way, and security doesn't enter their mind.
Recognizing those differences, I try to start with education. I have come up with these bullet points that seem to help...
- The internet is like the real world... there is good and there is bad. Never assume.
- Nothing is for free. Nothing! If you are not paying money for it, then you are the product.
- Very few things on the Internet require your IRL information... So don't give it.
OS patching
For all my OSes, I patch regularly. If it were just me then life would be easy. I run OpenBSD-current as my daily driver. Sometimes things get interesting, but I have only had real issues that I caused myself. (Backups, backups, backups! If you are not doing them, well... you, like me, deserve everything you get/lose.)
But the reality is that it is not just me. So I end up patching Windows, Mac and Android devices when patches are available. Even though patches sometimes break things, I generally try to patch within a week of the patch release. I figure a week is enough time to "discover" any major issues so I don't get bit by them. (Remember: backup, backup, backup!)
Network Segmentation
I have another blog post about this, but suffice it to say, I utilize network segmentation within my home network to make sure that devices are only able to communicate with other devices when I allow it.
DNS
I run my own DNS servers for both internal and for several external domains. I have for years. This is particularly helpful when trying to filter/protect content coming into my own home network. I have lists of domains/services that I am able to block. If a device on my network cannot look up its C&C server then it cannot send traffic. (I know that this is not 100% effective, but from my experience it is extremely helpful.)
If you are not inclined to run your own DNS service, I would recommend subscribing to one of the free/open DNS services out there: Google, OpenDNS, Cloudflare, etc. Just remember the rules above.
DNS over HTTPS (DoH!)
I really don't think they could have named this any better. I feel that this is a mistake on many levels. The first and foremost is that it virtually removes control from the DNS administrator to control how clients resolve names and places it into the hands of large companies. I'm not saying there isn't a need for this type of service, but building it into browsers like Google and Mozilla are doing is basically placing all users of their applications into the same group, assuming that they all "need" the same thing. And using that guise to collect massive amounts of information on people. Remember, "whoever controls the DNS of the clients controls their entire world!"
How do I address this in my home? I get a list of all the DoH systems that I can find and block them at the home firewall. No HTTPS to those locations. At this point I have not run into anything that refused to work with this in place but I'm assuming it will happen eventually.
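One way to turn such a list into firewall configuration, as an added example rather than the author's own setup: it assumes the firewall is OpenBSD pf, and the feed contents, table name and file path are constructed for illustration.

```python
import ipaddress

# Constructed sample feed ("name address"); a real list is longer and needs refreshing.
SAMPLE_FEED = """\
dns.google          8.8.8.8
dns.google          8.8.4.4
dns.google          2001:4860:4860::8888
cloudflare-dns.com  1.1.1.1
cloudflare-dns.com  1.0.0.1
dns.quad9.net       9.9.9.9
dns.quad9.net       9.9.9.9        # duplicate entry
typo.example        999.1.1.1      # not a valid address
lan.example         192.168.1.53   # must never end up in a block table
"""

def parse_feed(text):
    """Return (sorted unique public addresses, rejected feed lines)."""
    good, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line.split()[-1])
        except ValueError:
            rejected.append(raw)
            continue
        # A bad feed entry must not cut off LAN, loopback or multicast traffic.
        if not addr.is_global:
            rejected.append(raw)
            continue
        good.add(addr)
    return sorted(good, key=lambda a: (a.version, int(a))), rejected

def render_pf(addrs, table="doh_resolvers", path="/etc/pf.doh"):
    """Return (table file contents, pf.conf lines). Names and path are assumptions."""
    table_file = "".join(f"{a}\n" for a in addrs)
    rules = (
        f'table <{table}> persist file "{path}"\n'
        # tcp/443 is HTTPS; udp/443 covers HTTPS carried over QUIC (HTTP/3)
        f"block return quick proto {{ tcp, udp }} to <{table}> port 443\n"
    )
    return table_file, rules

if __name__ == "__main__":
    addrs, rejected = parse_feed(SAMPLE_FEED)
    table_file, rules = render_pf(addrs)
    print(rules + "\n# contents of /etc/pf.doh\n" + table_file)
    for line in rejected:
        print("rejected:", line)
```

Because the block is by address, any other HTTPS site served from the same address is blocked as well.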
Things I hope to control...
Phones and Apps
I try and patch the phones religiously. The only problem is that the phones seem to last longer than the manufacturers' interest and willingness to maintain patch production. (To me this is the main argument for a right-to-repair exemption to the DMCA.) When a device gets too old, it gets relegated to the toy/experiment bucket. I generally don't throw any away until it's good and broke. I also limit the applications I have running on my phone and try to monitor the phones of my kids and ask that they do the same. (I did say try.)
If I don't use an app, it is removed (if possible... I "love" these built-in applications that cannot be removed). Any application that I do not use and cannot remove I try to make sure is disabled and cannot start up. Not always possible, but worth a try.
Who uses email still? I do. :) There are many fine email services out there. Some "free". Some will cost a minimal amount. If you are so inclined, you can do like me and run your own email service. There may be a bit of a learning curve to understand where all the pitfalls are, but if you are technical, it might be a fun weekend project. If there is interest I might write a blog about my setup.
Regardless of whether you run your own service or use a service from someone else, having an email is, in my opinion, still essential. One thing that I find handy is to have the ability to create aliases. Aliases let me create and track different names that I can give out and will help me sort the incoming email into interesting piles.
The reason I have this one in the "hope to control" list is that while I do run my own email servers, I do not run everyone's email server. Kinda obvious. And with any distributed system, changes/policies/behaviors on one side of the system impact everyone else. I try and be a good net citizen. Keep my servers secure. Prevent sending SPAM. But not everyone has the same... motivation. So I do spend some cycles making sure that I prevent SPAM from getting in and when it does, I've educated my family to mark the message as spam in their email client allowing the Bayesian filters to learn new signatures and hopefully prevent future occurrences.
Things I cannot control...
Internet companies
One of the main things that you and I cannot control is Internet companies. (OK, there might be someone reading this that can control their Internet company, so if that's you, you can skip this part.) From Terms of Service changing, to the discontinuing of different SaaS offerings (looking at you, Google), to the security of my information, Internet companies have access to and control large parts of our lives. How important is my information to me? Does it have the same importance to the Internet company? Doubtful. Here are some strategies that I utilize to minimize any breach or loss of my data.
Personal information
Whenever possible I do not use any real information. If my name doesn't need to be real, I use a pseudonym. My DOB... made up. My passwords are always different. Security question answers are made up or nonsense. How do I remember all this information, usernames, passwords, recovery questions, etc.? Simple. I don't. That is, I keep all that information in a password database. (If you don't already have one, you need to get one.) That way, when I need the information it is a quick lookup and away I go.
Now there are times when legally you must provide real information. You'll know when it's that time and in that time, you should provide correct information.
Accounts
In almost 100% of the online activities where you get an account for a site, you will need to submit a valid email address to activate the login. If you run your own email service or your email service allows you to create aliases, you can create a new alias for every site. Another option, if the site supports it, is using the email+comment@example.com address format, where email@example.com is your valid email address but the +comment relates to the account you are creating. I've run into "validating" JavaScript on sites that doesn't understand this format, but most sites I've run into allow +comment as part of the email address. With either of these strategies (email alias or +comment) you can create a "unique" email for any given account.
Then when there is a breach you can use the email as an indicator of which site had a problem. And on the chance that you start getting email or spam to one of these email addresses that doesn't belong, you know that either a) your data was sold or b) your data was stolen. If not, then you'll never know. But that is OK since the information that was "lost" was made up anyway.
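The attribution step described above, as an added example that is not from the original post: it reads the +comment tag from each message's To header and flags tags that receive mail from a domain other than the site they were given to. The alias register, its tags and the sample messages are constructed; email@example.com is the address used above.

```python
from email import message_from_string
from email.utils import parseaddr

MAILBOX, DOMAIN = "email", "example.com"  # the page's email@example.com

# Hypothetical register kept beside the password database: tag -> site's mail domain
ALIASES = {"bookshop": "bookshop.example", "forum": "forum.example"}

# Constructed sample messages (headers only)
SAMPLE_MAIL = [
    "From: Orders <orders@mail.bookshop.example>\nTo: email+bookshop@example.com\nSubject: Receipt\n\n",
    "From: Deals <win@pills.example>\nTo: <email+forum@example.com>\nSubject: You won\n\n",
    "From: Aunt <aunt@family.example>\nTo: email@example.com\nSubject: Hi\n\n",
    "From: X <x@bulk.example>\nTo: email+neverused@example.com\nSubject: Hello\n\n",
]

def tag_of(address):
    """Return the +comment tag of one of our own addresses, or None."""
    local, _, domain = address.lower().rpartition("@")
    base, _, tag = local.partition("+")
    if domain != DOMAIN or base != MAILBOX or not tag:
        return None
    return tag

def classify(raw):
    """Return (status, tag) for one raw message."""
    msg = message_from_string(raw)
    tag = tag_of(parseaddr(msg["To"] or "")[1])
    sender_domain = parseaddr(msg["From"] or "")[1].lower().rpartition("@")[2]
    if tag is None:
        return ("untagged", None)
    site = ALIASES.get(tag)
    if site is None:
        return ("unknown-tag", tag)  # a tag that was never handed out
    # From is forgeable, so a match proves nothing; only a mismatch is a signal.
    if sender_domain == site or sender_domain.endswith("." + site):
        return ("expected", tag)
    return ("leak-indicator", tag)

def leaked_sites(messages):
    """Tags whose address received mail from somewhere other than their site."""
    results = (classify(m) for m in messages)
    return sorted({tag for status, tag in results if status == "leak-indicator"})

if __name__ == "__main__":
    for raw in SAMPLE_MAIL:
        print(classify(raw))
    print("sold or stolen:", leaked_sites(SAMPLE_MAIL))
```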
Summary...
There are a lot of tasks in this post. I wouldn't expect anyone to agree with everything I've written, and I'm interested to know if someone is doing something that I might not have thought of.