Our article on how to effectively secure your home network is one of the most popular articles on our site. However, we felt that for advanced users – a group that also includes small businesses, which have different needs and usually different equipment – some tips could be enhanced and others added. Since the original 5 ways to secure a network are still pretty much valid, we decided to simply write a follow-up article. Let’s start the deep dive.
Tip No. 1: VLANs
While we did mention separating networks in our previous article, we didn’t go into much detail. This time we will, since there are some specifics to consider when splitting networks – or using VLANs, to use the more common term for this.
Firstly, consider the necessary communication between VLANs. Before you do, check how your router handles that communication in general – some routers allow data exchange between VLANs by default, others don’t. If your router does allow communication, make blocking it your first step. Then allow access only for specific devices or IP ranges. As an example, a surveillance camera should not be allowed to broadcast outside its own network, but that same camera might need to be administered from the management VLAN, so the latter should have access to the camera.
Talking about broadcasting: also be aware that not all traffic is created equal. AirPlay devices, for example, do not send specific packets, but broadcast their existence to the entire network, which means you have to open up the network accordingly.
And, talking about which networks to utilize: depending on whether you are a home or office user, there should be at least the following networks:
- Home/Personal (if you’re an at-home user; an additional network for the kids might make sense, too)
- IoT/Smart Home Devices (including printers)
- Management VLAN (for administration purposes only).
It is difficult to get more specific, since the deployment of these scenarios depends heavily on the chosen product/solution setup. But at least the hardware needed is pretty obvious. Besides a router or gateway which supports VLANs, we recommend access points to take care of those devices which connect wirelessly and a managed switch for cable-based devices.
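The default-deny policy described in this tip, as an added example that is not from the original article: a small Python model of inter-VLAN rules that checks the camera scenario and flags rules that open one whole VLAN to another. The subnets, the camera address and the HTTPS admin port are assumptions made up for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing plan: VLAN names follow the article, subnets are assumed.
VLANS = {
    "home": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
    "mgmt": ipaddress.ip_network("192.168.99.0/24"),
}
CAMERA = "192.168.20.50"  # hypothetical surveillance camera on the IoT VLAN

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    port: Optional[int] = None  # None matches any port

# Ordered rules for NEW inter-VLAN connections. Replies are assumed to be
# permitted by the router's stateful connection tracking.
RULES = [
    Rule("allow", "192.168.99.0/24", CAMERA + "/32", 443),  # mgmt -> camera admin UI (assumed HTTPS)
]

def vlan_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def decide(rules, src, dst, port):
    """First matching rule wins; unmatched traffic between VLANs is denied."""
    if vlan_of(src) is not None and vlan_of(src) == vlan_of(dst):
        return "allow"  # same VLAN: switched locally, the router never sees it
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

def overly_broad(rules):
    """Return allow rules that open one whole VLAN to another whole VLAN."""
    nets = list(VLANS.values())
    def covers_pair(r):
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        return any(a != b and a.subnet_of(src) and b.subnet_of(dst)
                   for a in nets for b in nets)
    return [r for r in rules if r.action == "allow" and covers_pair(r)]
```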
Tip No. 2: Authentication Tips
The need for a strong password was also highlighted in our first article. If you want to take things one step further, there are some additional measures you can take. Firstly, a password manager. These days, passwords are not only needed for most of your devices, but also for several online services. And quite a few of these are not just used for exchanging files with others, like Dropbox or WeTransfer. In reality some of them will be a crucial part of your business or home infrastructure. Think Office 365, Google services, online banking and others. If you also have a website to maintain (and let’s be honest – most of us do these days), these different services number in the dozens, if not hundreds. The one thing which you definitely should NOT do is re-use a password for any two (or, obviously, more) of these services. Adhering to the requirement that passwords should be as complex as possible can therefore be challenging, given that there are just too many of them. If you do manage to do this in your head – continue to do so. If not, get a password manager to handle these passwords for you. If you’re afraid those password manager services – which are often cloud-based – might get hacked as well, remember one thing: usually those password services are the main service these companies offer (look at the best known brands such as LastPass or 1Password). If they got hacked, they’d be out of business immediately. While this is no guarantee whatsoever, you can be sure that they will take good care of your data.
Secondly (though not always feasible with devices), enable multi-factor authentication wherever you can. Most bigger companies already offer multi- or two-factor authentication (MFA or 2FA), where in addition to the password a one-time token is sent to you, often using text messages. As this method usually involves two devices (your computer and your smartphone, for example), it is considered more secure than just using password-based authentication. If you’re more security-minded and/or for especially sensitive data, consider using a hardware token. There is an established industry standard called FIDO2, which is supported by more and more companies and services. Yubico, for example, offers a wide range of hardware keys which support FIDO2 for almost any use case. In addition, hardware manufacturers are increasingly embedding FIDO2 support directly into their devices, though we’re still far away from widespread support.
Tip No. 3: Cybersecurity solutions
If you read our magazine regularly (and I assume you do), you know about different solutions, all of them designed to secure your home, your business, your data in general. But which ones do you really need? The typical (but true) answer would be: it depends. Having said that, since this article is directed toward home and small business users, here are two pieces of advice.
The first and most important thing you should do is be security aware. For a small business, that means it might be a good idea to invest in a security awareness program of some sort. Social engineering, which can be described as exploiting the human propensity to trust, is still the number one attack vector used by attackers – and the most effective one. This is mirrored in the popularity of attack methods like phishing, which addresses this exact vulnerability. Hence, you want to make sure that all members of your household know about those attack methods. There are some good tests out there which simulate a phishing attack; here is an example we can recommend.
Secondly, if you do want to invest in a technical cybersecurity solution, try to invest in one which covers a lot of areas. One good place to look is the anti-virus companies, or, more precisely, the former anti-virus companies. “Former” not so much because Antivirus is dead, as Brian Dye, Symantec’s senior vice president put it, but rather because most of these companies have upgraded their portfolio to offer comprehensive protection against all sorts of cybersecurity threats. Of course, that is a rather broad statement, intentionally so. If you do want decision criteria, we recommend taking a look at the NIST framework. Without going into details: the five steps identify, protect, detect, respond, and recover are widely recognized as the most important functions in cybersecurity. If you can find a solution which does well in all five of them, you’re all set.
Bonus Tip: Backup!
It doesn’t really fall under “security”, but nevertheless, having a good backup plan is as important to securing your data as cybersecurity as such. The most important rule, now widely accepted as the “golden” rule for backup, is 3-2-1. We will explain all about it in another article, to be published on Wednesday (stay tuned), so we’re not going into details here. But if you look at the increasing “popularity” of ransomware, having a backup is certainly a good idea, even if you have cyber insurance to pay out in case something should happen.
Of course, you can never have enough security, but on the other hand, you will also never have full security. With the tips highlighted in this article as well as some of the other articles you will find on our site, you will definitely have a good baseline security to start with.