> Set up a guest network to enable internet connection for your guests and for your IoT devices.
I would definitely recommend separating guest and IoT networks; IoT is usually pretty weak (the S in IoT stands for security), so they need as much protection as possible. Putting them on the guest network is throwing them to the wolves.
> Enable port filtering. For example, the SANS Institute recommends blocking outbound traffic
Tbh egress filtering is generally not very useful, except for some special-case networks (like the aforementioned IoT network). Blocking IRC seems just silly.
> Use Media Access Control (MAC) filtering to choose which trusted devices connect to your network.
Afaik MAC filtering is pretty much useless; MACs are easily snooped and spoofed. WPA should be sufficient access control; go for EAP ("Enterprise") if you need better than PSK ("Personal") security.
> Disable remote access management
Realistically, not going to happen. Better advice would be to have a separate management network, with tighter access controls.
My feelings on egress port blocking have been one of the big changes in cyber security over the years, and I think a lot of best practice guides will take years to catch up.
At one point you could restrict egress to certain ports and be reasonably confident in what was going on on a network. These days basically everything is tunnelled over port 443, including most malware communication.
If you’re not using IRC yourself anyway, then you might as well block it. And let’s face it, most people don’t use IRC anymore. They’ll be using Discord instead.
Same. It took a couple of seconds to process that the statement wasn't some kind of unique misprint or accidental slip-up. The same thing happened when I first got a summary of IoT security in general.
Disabling SSID broadcasts is pointless and just makes some client-side WiFi features worse.
The real advice is:
1. Don’t trust your ISP-supplied router; replace it with a modem-only CPE or figure out how to operate it in bridge mode. Then buy your own router that you fully control.
2. Don’t buy a router made by a Chinese company. Prefer routers that run, or can run, a well-maintained open source network OS like OpenWRT, Vyatta, pfsense, and similar.
3. Change all the default passwords and set good ACLs and other traffic policies.
You can separate different types of devices onto different VLANs. As an example, I keep my home lab, general use (phones, laptops), work, and IoT (cameras, thermostat) on separate VLANs from one another.
They all get access to the Internet, but are segmented from one another with different policies applied.
>Schedule routine reboots to clear the system memory and refresh all connections. Rebooting the router may disrupt any potential malware that may have been implanted.
If they are read-only file systems, it will disrupt any malware on the router. I’ve reversed routers whose file system only allows signed executables and update packages. It’s good practice. I give the same advice to people about their phones: reboot regularly.
"Threat actors" in the vicinity include, say, people who have Instagram on their phone. It can read SSIDs but can't put the networking hardware into promiscuous mode.
Regularly rebooting probably isn't worth the pain, but not all compromises are persistent / rootkits.
Permissions to manage network information. Apps on Android (and I believe iOS, but I'm not 100% certain) with network permissions can see broadcast SSIDs.
> Routers are responsible for forwarding messages (data packets) between devices within a network
For an official document, this seems a particularly confused definition. In IP networks, routers route packets between different networks, not within a network. That is pretty much the defining characteristic of a router. Typically the device responsible for forwarding traffic within a network is either a switch (wired) or an access point (wireless).
> Is enabling WPA3 practical for home networks? I assume my Nintendo Switch wouldn't be able to connect any more if I did.
If it doesn't support WPA3, it won't connect to a network that only allows WPA3; however, I've seen several routers that have the option to simultaneously enable WPA2 and WPA3 and let the clients specify which version to use.
Interesting list. I have been working with routers for a decade now. A few things to note:
Home router makers use boards from companies like QC, Broadcom, MediaTek, etc. that provide a base configuration of a board and something like OpenWrt along with their updated drivers and a patched kernel to go with it. Generally these things run something as old as OpenWrt 15.05, even when it comes to something like Wi-Fi 6. It fits their purpose, and time to market is short with a proven track record of stability. Manufacturers add their modifications for their product lineup and sell it as long as they can make money. Firmware generally receives patches through the original SDKs, and depending on severity the manufacturers will send out updates, which can take months from when the vulnerability was reported or even patched in the SDK.
If you are absolutely worried about security, you can see why the above model is weak to begin with. While you can do all these things in the list, it's not going to protect you from actual firmware vulnerabilities. Cheap routers never receive firmware beyond a few months or a year after launch. Higher-end ones are updated more frequently, but they aren't cheap, and you can do much better at those prices.
Depending on how serious you are about your network, a SOHO will likely opt for something like a router with OPNsense or an OS that gets regular patches, and then put an access point on top of it. This is also tricky, as the above issue is still true for AP makers these days, as many of them use OpenWrt as well for their APs since the chips tend to be similar, and as a result they suffer from the same issues depending on the maker and model.
If you look at Cisco lower-end hardware like the CBW150AX you may find updates (this one was the cheapest Cisco Wi-Fi 6 AP I could find), but you may not get the best performance or features which are available in the higher-end ones or from other makers in a similar range. So you may consider paying for higher-end APs, and then you run into licensing etc. An alternative is generally finding routers with OpenWrt support and putting them in front of your router in AP mode, but the stability for an office environment is questionable. I have had weird issues with bands locking up and such APs straight up rebooting randomly in the middle of something.
There is really no one-size-fits-all problem here if you are interested in security. You have to start from the OS and hardware first, then move on to rules and lists and WireGuard and keys and policies and separated LANs etc. What is listed above might take your home network from 10% secure to maybe 50% secure (just making a point). Some things will be better but may not necessarily do that much in the grand scheme of things, especially if you run a small business.
I liked the old Cisco where if there was a sufficiently high CVE, you could call TAC and have your long-passed (or retired but now running the home network) device get the latest security patch in that train. Better for the internet as a whole, to have patches available.
Now all the vendors hide their severe CVE fixes behind the maintenance contract. I get putting new feature branches behind the contracts, but in the meantime, it'll be their name in the news when the equipment gets exploited.
I think "hiding" the SSID is particularly stupid advice.
The access point will still send the beacon frames, just with an empty SSID, so the network will show up as "hidden network", or similar, drawing more attention.
In the end, it doesn't even matter, because those who know how to crack a network with a weak password will also know how to recover the SSID from the clients, which is trivial.
Even worse, since the clients can't see the presence of the known network, the only way they have to connect is to continuously probe for the network (this is what reveals the SSID). Besides draining the battery faster, it's a massive privacy concern: imagine walking around with a megaphone announcing all the places you have recently been.
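As an added illustration (not from any commenter in this thread), a small Python parser for 802.11 management frames shows what the comment above describes: a "hidden" AP still sends beacons, just with an empty (or null-padded) SSID element, while a client's directed probe request for that network carries the name in the clear. The frames, MAC addresses and helper functions below are constructed for this example.

```python
import struct

# Constructed sample addresses (locally administered, not real devices).
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("02c0ffee0001")
CLIENT_MAC = bytes.fromhex("02c0ffee0002")
RATES_IE = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # Supported Rates element

def tagged(tag, data):
    """Encode one information element: element id, length, value."""
    return bytes([tag, len(data)]) + data

def mgmt_frame(subtype, addr1, addr2, addr3, body):
    """Minimal management frame: 24-byte MAC header, then the body (no FCS)."""
    frame_control = struct.pack("<BB", subtype << 4, 0)  # type 0 = management
    header = frame_control + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return header + body

def beacon(ssid_ie):
    """Beacon (subtype 8): timestamp, interval, capability, then elements."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    return mgmt_frame(8, BROADCAST, AP_MAC, AP_MAC, fixed + ssid_ie + RATES_IE)

def probe_request(ssid):
    """Directed probe request (subtype 4) a client sends for a known network."""
    body = tagged(0, ssid.encode()) + RATES_IE
    return mgmt_frame(4, BROADCAST, CLIENT_MAC, BROADCAST, body)

def parse_ies(blob):
    """Walk the id/length/value list; a truncated trailing element is ignored."""
    ies, i = {}, 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        ies.setdefault(tag, blob[i + 2:i + 2 + length])
        i += 2 + length
    return ies

def ssid_of(frame):
    """Return kind, SSID text and whether it is 'hidden'; None for other subtypes."""
    subtype = frame[0] >> 4
    body = frame[24:]
    if subtype == 8:
        body = body[12:]  # skip the beacon's fixed parameters
    elif subtype != 4:
        return None
    ssid = parse_ies(body).get(0)
    if ssid is None:
        return None
    hidden = not ssid.strip(b"\x00")  # zero length or all-null padding
    kind = "beacon" if subtype == 8 else "probe-request"
    return {"kind": kind, "ssid": "" if hidden else ssid.decode(errors="replace"), "hidden": hidden}

if __name__ == "__main__":
    for f in (beacon(tagged(0, b"")), beacon(tagged(0, b"HomeNet")), probe_request("HomeNet")):
        print(ssid_of(f))
```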
For SSIDs, the one thing I would recommend is appending "_nomap" to the name to opt out of the location service databases from Google, Microsoft and Apple.
> In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.
> Asked about the changes, Apple said they have respected the “_nomap” flag on SSIDs for some time, but that this was only called out in a support article earlier this year.
Anyone know of a good list of consumer routers to avoid, regarding lax software/firmware updates past the 12-month warranty (which is sometimes its artificial EoL)?
The reason I run a router based on open source is that I know it's going to get updates for years. Previously I've encountered a number of vendors that either only provide updates for their flagship models, only give updates to the latest revisions of their hardware, or just ship the occasional major update when a CVE hits the news (i.e. too late to provide protection).
Active firmware updates, especially if we are talking about home routers. If the firmware can be changed to some actively maintained distribution that cares about security, like OpenWRT, so much the better.
Do change the default name of the SSID, but avoid choosing a new one that sounds cool, fun, or original.
Take a look at the rest of the networks in your area and choose an SSID name as similar as possible to the rest. Better to keep a low profile than to draw unnecessary attention to yourself.