Securing the residential network

Understand the composition of a secure LAN

A secure local area network (LAN) needs three essential elements to keep your sensitive information safe from vulnerabilities.

Hardware

Hardware concerns the appliances in use, which should be high-quality and kept up-to-date. This may include firewalls, remote monitoring devices, routers and access points. It can also include added security for existing devices, like server room door locks and biometric readers. We need to consider the capabilities of these appliances, for example, Bluetooth connectivity.

Configuration

Configuration refers to the settings applied to each device. The type of configuration can vary depending on many factors, in particular, the strength of security needed for the application – for example, simple home electronics versus enterprise grade security.

Professional support

The most secure residential networks will have at least some level of professional support. A CEDIA integrator can provide everything upwards of basic installation to updates and remote monitoring, again, depending on the needs of the client.

With this in mind, we see four grades of local area networks. The higher the security need, the higher the grade:

• Consumer grade: Low security demand products that can be installed by customers.
• “Prosumer” grade: Customer products intended to be supported by professionals.
• Enterprise grade: Products with long life spans/low failure rates for large organisations.
• Carrier grade: Products designed with 99.9999% uptime, such as telecommunication carriers.

Best practices – implanting the NIST framework

For enhanced information security, the National Institute of Standards and Technology uses the following five-pillar framework:

1.        Identify: Discovering the physical assets and processes that need protection.

2.        Protect: Putting the right safeguards in place for these assets.

3.        Detect: Using the most appropriate techniques to identify incidents.

4.        Respond: Implementing the best practices to minimise damage.

5.        Recover: Finding effective methods to restore operations post-incident.

Key hardware and configuration for network security

For maximum residential network security, integrators should recommend the following best practices:

Edge devices

These sit at the edge between two networks, forming a critical barrier to prevent security threats from entering. Common examples include firewalls, routers or network switches.

Dedicated hardware firewalls

In settings with higher security needs, such as enterprise and carrier grade networks, dedicated hardware firewalls are best. These may have a second failover unit for redundancy, and are capable of deep data analysis during incidents. They have been engineered to ensure minimum data throughput requirements, even when at full-load.

Secure VPNs

Rather than using port forwarding, which can help hackers gain entry, it is better to use secure VPNs. These allow you to access devices remotely without compromising security.

Traffic segmentation

In cases where data is forwarded between one location and another, such as a home and a work office, VLANs offer a secure solution. The virtual local area networks are broadcast domains that are partitioned and isolated at the second (data link) layer of a network.

Even in lower security applications, we can also use enterprise grade switches and wireless access points (WAPs) for ultimate protection.

Authentication, passwords and encryption

Wi-Fi authentication should never be open – that is, accessible without a password. Certificate-based authentication such as Port-Based Network Access Control (PNAC) offers a secure alternative.

Your password should be strong, including a minimum of 10 characters with a variety of types such as letters, numbers, punctuation marks and upper/lower case.

Finally, Wi-Fi should be encrypted to the highest standard, which is currently WPA3. This enables more robust authentication with increased cryptographic strength. WPA3 networks supersede older technology like WPA2, requiring Protected Management Frames and disallowing legacy protocols or outdated security methods.

Human element and device awareness

As with all cyber threats, the biggest one is the human element – otherwise known as “wetware”. Attacks of this nature capitalise on a user’s trust, for example, looking at patterns in their behaviour or encouraging them to forgo essential security steps.

Some common attacks include social engineering, such as Trojan emails, phishing, or impersonation. The key here is to educate users to recognise these kinds of attacks, for example, strange looking attachments or email addresses.

Likewise, we should monitor the network continuously for unauthorised device access. Only authorised users should be able to connect to the network.

Emerging threats and ongoing maintenance

The key thing to remember with secure residential networks is that threats are always evolving. This is particularly true with smart home devices; for instance, drones and IoT hardware may not meet the latest security standards.

To combat this, integrators should offer regular network audits and firmware updates. Ideally, an evaluation once a year will keep clients safe and improve all-round customer service.