Baselines Part I: The Local Network
Updated March 27, 2016.
This site is no longer being maintained, so anything below could still be accurate, or very outdated.
Network equipment is not a collection of insignificant boxes destined to be connected and then forgotten about. A router, modem and such things are computers in their own right, and their operating systems are called firmware. While not something you interact with as often as an editing workstation or smartphone, network equipment is part of your environment nonetheless and must be maintained as part of the whole.
If neglected, these devices can become the Achilles' heel of your local network by sending your web traffic to malicious command & control servers, guiding you to phishing sites and/or offering root access for other unkind purposes. But if your network is properly hardened, these devices can instead be little heroes, quietly saving the day by resisting attacks and denying unwanted traffic to—and even from—your network hosts.
- Strict access - Administrative access to network devices should be highly secured.
- Ownership - Equipment should be owned outright whenever possible, not rented from an internet service provider.
- Default deny - No network services should be running on any device unless necessary. No unsolicited traffic should be accepted.
- Network segmentation - Use VLANs to isolate untrusted devices or zones on the network from those which are trusted.
- Good housekeeping - Static IP addresses and wired connections wherever possible, and minimal intra-network chatter.
Keep device firmware up to date.
If you're using OEM firmware on consumer routers and modems, this can be futile because most devices are quickly dropped from manufacturer support as new models are released. Don't rely on the "Check for Updates" feature inside the device's configuration pages to report accurately. Often I've found firmware updates for modems and routers on the manufacturer's website when the internal update check said that nothing was available. This was for brand new equipment, not decade old hardware.
With the alternative router firmwares, you do have a constant stream of upgrades but most aren't critical, sometimes just minor GUI or version changes. These firmwares will provide a changelog with each release so you can decide if you want to apply it. More on alternative router firmwares below.
Config in a separate browser
When logging into the configuration pages of your modem or router, always do it in a browser which is NOT the one you're casually web surfing in. A new window, even one in Incognito/Private mode, won't suffice here—it must be a totally separate browsing instance from the one you've already started.
This will prevent cross-site attacks like CSRF and XSS against the router or modem during the configuration session, and doesn't mix cached configuration-session data with that of already open tabs. When finished configuring, clear the cache before closing the browser so the config session data is deleted. In addition to this, don't save router or modem passwords in a browser's password manager.
While it's still not widely used, if you have a major ISP then they probably deliver IPv6 natively. You should NOT enable tunneling of IPv6 over IPv4 unless your device has firewall rules for IPv6 too. This is because IPv6 traffic—both ingress and egress—when tunneled over IPv4 will bypass a firewall which only has IPv4 rules. Most people allow all outbound IPv4 anyway, but for IPv6 tunneling you want, at a minimum, to deny unsolicited ingress (inbound and forward) traffic.
Good security practices will take IPv6 into consideration from the beginning, so if you're doing things right, it is not a problem to leave enabled. That said, you're not really missing much yet by disabling it, and IPv6 still isn't available in some consumer-grade standalone modems. Weigh the principle of not enabling unneeded network services against what suits the device type (mobile or stationary), and decide what would be best for you.
Stillness is part of good housekeeping.
Networks should be relatively quiet when no client devices are present or active. You can spot a badly configured network and/or client by looking in firewall logs at the deluge of mDNS, SMB, Bonjour or other default-on services advertising shares or trying to connect to anything that will let them. Simply disabling unneeded network-facing services will reduce this chatter, giving a smaller processing overhead and fewer log entries.
Double NAT will most often show up in SOHO settings when a modem which has routing functions is used together with a separate router. It's generally undesirable, and certainly inefficient, to have two or more devices on the network with network address translation enabled. Sometimes it's altogether unavoidable due to the limited software capabilities of consumer-level network devices.
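The kind of log review described above, as an added example that is not part of the original article: it parses netfilter-style LOG lines (the sample lines are constructed) and tallies, per source host, the default-on discovery services the article names as the usual offenders.

```python
"""
Added example, not from the original article: tally the "default-on" chatter
a router's firewall log reveals, so the noisy host or service can be found and
switched off. The sample lines are constructed in the style of an
iptables/netfilter LOG target; the KEY=VALUE fields follow that format.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log, as a SOHO router using iptables LOG might emit.
SAMPLE_LOG = """\
Mar 27 01:12:03 router kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.255 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 27 01:12:04 router kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353 LEN=120
Mar 27 01:12:04 router kernel: DROP IN=br0 OUT= SRC=192.168.1.31 DST=239.255.255.250 PROTO=UDP SPT=49152 DPT=1900 LEN=210
Mar 27 01:12:05 router kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 LEN=229
Mar 27 01:12:06 router kernel: DROP IN=br0 OUT= SRC=192.168.1.31 DST=224.0.0.252 PROTO=UDP SPT=5355 DPT=5355 LEN=52
Mar 27 01:12:07 router kernel: DROP IN=br0 OUT= SRC=192.168.1.20 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353 LEN=96
Mar 27 01:12:09 router kernel: DROP IN=br0 OUT= SRC=192.168.1.40 DST=192.168.1.20 PROTO=TCP SPT=51022 DPT=445 LEN=60
Mar 27 01:12:10 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.40 DST=203.0.113.10 PROTO=TCP SPT=51030 DPT=443 LEN=60
"""

# Well-known ports of the services the article names as default-on offenders.
CHATTY_SERVICES: Dict[int, str] = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram (SMB browsing)",
    445: "SMB",
    1900: "SSDP/UPnP discovery",
    5353: "mDNS/Bonjour",
    5355: "LLMNR",
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the KEY=VALUE fields of one netfilter LOG line, or None."""
    fields: Dict[str, object] = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None          # not a packet log line (or no port, e.g. ICMP)
    fields["DPT"] = int(str(fields["DPT"]))
    fields["SPT"] = int(str(fields.get("SPT", 0)))
    return fields


def chatter_report(log_text: str) -> Dict[str, Counter]:
    """Map each source host to a Counter of chatty services it was seen using."""
    report: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        name = CHATTY_SERVICES.get(int(str(f["DPT"])))
        if name:                      # ordinary traffic (e.g. HTTPS) is not counted
            report[str(f["SRC"])][name] += 1
    return dict(report)


def noisiest_hosts(log_text: str) -> List[Tuple[str, int]]:
    """Hosts ranked by total chatty-service hits, noisiest first."""
    report = chatter_report(log_text)
    totals = [(host, sum(c.values())) for host, c in report.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    report = chatter_report(SAMPLE_LOG)
    for host, total in noisiest_hosts(SAMPLE_LOG):
        print(f"{host}: {total} hits")
        for svc, n in report[host].most_common():
            print(f"    {n:3d}  {svc}")
```

Pointing the script at a real log file instead of SAMPLE_LOG shows which host to visit first and which service to switch off there.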
Double, dual or cascaded NAT means that each incoming packet into the network is forwarded through two separate local networks: once from modem to router and again from router to endpoint (computer, smartphone, etc.). The real-life consequences of this are mild. You'll have a very small increase in latency and it can complicate remote access from outside your LAN for things like SSH or UPnP unless you manually open the needed ports.
For a single-NAT network, you must bridge the modem (also referred to as putting it into gateway mode) and do PPPoA or PPPoE authentication on the router or security appliance. Then only that device does NAT, not both the modem and router. An alternative solution for double NAT is to convert your network to IPv6 addresses: IPv6 doesn't need network address translation, but not all devices can use it yet. The bottom line is, if you can remove a dual NAT scenario easily, then do so. If not, it isn't a big deal unless you have a problem caused specifically by it.
About ethernet wiring
The Category 5e specification supports up to gigabit speed (128 megabytes per second). Cat6, 6a, 7 and 8 are all backwards compatible, but for speed, gigabit over Cat5e is the best you can do without investing significantly more money in 10Gbit equipment and faster storage arrays to take advantage of the higher bandwidth. At this point in time, 10Gbit ethernet is still primarily a market for datacenters and prosumers, and depending on what fiber does in the near future (and on your country of residence & region), copper for 10Gbit SOHO applications could be skipped over entirely.
You usually can't use EMI/RFI shielded wiring with consumer equipment. With shielded wiring, the devices on both sides of the wire must be electrically grounded or you'll have signal degradation. Not all network devices will have grounded RJ45 jacks (as, for example, desktop motherboards do) and even some laptops are totally ungrounded. SOHO modems, routers and switches around the world use basic ungrounded AC power plugs so they are not grounded to the building's electrical system, but some devices include a grounding clip for attaching to a rack enclosure or other ground source.
The Cat5e spec allows 24-26 AWG wiring for twisted pairs. A lower gauge (thicker conductor) is preferable. While the overall cable diameter increases from Cat5e to 6 to 6a, it's not necessarily the twisted-pair wire gauge that grows, just thicker PVC or LSZH insulation, though that still makes for a stiffer, more durable cable. The Cat6 spec does allow for 22 AWG twisted pairs, but this can be difficult to find in pre-made patch cables. Oh, and you'll be well served by choosing cables with snagless rubber boots on the connectors; sometimes they're called Shark Fins.
- Change devices' administrative login name and password from default to something strong. A password generator and manager would be beneficial (but not a browser's).
- Disable HTTP access to the configuration pages so that they can only be accessed over HTTPS.
- Disable all wireless and remote access to the configuration pages so that they can only be accessed by a wired connection. Often you can even lock this down to a specific IP address on the LAN.
- Disable unused services. The biggest offenders will be UPnP and FTP, but disable anything you don't need—telnet, DMZ, port forwarding, etc.
- Where there's a separate modem and router but you can't bridge the modem, give the router's WAN interface a static IP address and disable DHCP in the modem. You must use a static IP that is on the same subnet as your modem's WAN, but is not on the same as the router's LAN. So if your router's LAN IP is 192.168.1.1 and the modem's WAN is 192.168.0.1, you could use 192.168.0.2 for your router's WAN address.
- Assign a static IP address to anything stationary on the network (routers, printers, desktop computers, game consoles, media devices, etc.). You'll want to set this both in the router and in each device.
- Create a strong WiFi password with a password manager or urandom. Use only WPA2 and AES, and know that AES in this context can also be referred to as CCMP. If you have a device so old it only supports WPA, use the fallback combination of WPA/WPA2 (if available) instead of WPA for everything. Do not use WEP, AES/TKIP or plain TKIP.
- Disable WiFi Protected Setup (WPS).
- For home networks, don't make a WiFi SSID containing information which could help identify your location, person or property.
- Split WiFi off onto its own VLAN, or VLANs if you have a guest network. You can then restrict the guest network further by traffic ports and force DNS resolvers. More on this below under Network Segmentation.
- A network without WiFi is more secure than one with it. If you're away from home for large periods of time, don't leave the WiFi on when you're gone.
- Some routers let you reduce the WiFi signal strength if you don't want it reaching beyond your home or property. Positioning the access point central to your home and containing the WiFi signal as best you can means that, depending on your location, it will be accessible to far fewer people, including WiFi mapping efforts like Google and Microsoft street view cars. The router's radio transmitter will use less power, generate less heat and last longer too.
- If you're doing this kind of work for someone else and they're not a technically savvy person, make it easy to find the passwords again. Write down AND create an uneditable PDF file of any login credentials you assign. Use a monospace font so characters like 1, l and I don't look identical. If you intend for easy copy & paste use, long passwords in PDFs will need a small font size so there aren't line breaks. Otherwise, the formatting will also be copied to the clipboard and the password not accepted.
- Taking the 'WiFi off when on holiday' idea further, power down and unplug your equipment when away from home for long periods of time. Devices not connected to the internet have a much harder time of being compromised and anything not connected to power won't be damaged by power surges from storms or other problems while you're away.
- Enabling WiFi AP isolation will mean that wireless devices on the network can't talk to each other, only to the wireless access point. However, wireless media streaming devices like Chromecast or Matchstick obviously won't work with this.
- You can use OpenVPN to secure all your WiFi traffic from local snooping and help protect against a WPA2 AES to RC4 downgrade attack. In such a setup, wireless devices connect to the network like normal but all web traffic is passed through OpenVPN to the router, after which it exits to the internet as usual. No commercial VPN service is needed and a local snoop running a packet sniffer would see only encrypted traffic. You would need client devices which have OpenVPN available to them (all the main platforms do), and a router or gateway appliance capable of hosting an OpenVPN server. The equivalent of this for file transfers within the LAN would be SCP or SFTP.
- Some operating systems can include WiFi SSIDs and passwords in their devices' cloud backups or syncing processes. This is enabled by default in Android with the Back up my data option though some Android-based ROMs disable it. iCloud backups contain WiFi SSIDs but iCloud Keychain is what contains the passwords, neither of which are enabled by default. From Windows 8.1, passwords can be synced with other 8.1+ devices. Be aware of Wi-Fi Sense in Windows 10 and Windows Phone 8.1.
On Owning Equipment
Do not rent modems or routers from an ISP. First of all, reasons. Second, because more often than not, rented equipment is the lowest grade of outdated hardware. Third, often you won't have configuration access to these devices, meaning there's a(nother) black box lurking just outside your local network. Some ISPs configure rented modem/router combos as WiFi hotspots for subscribers, like Comcast's XFINITY WiFi. Fourth, you'll always be paying a rental fee each month when a good modem will start around $50 - $75 USD new and last you until fiber optic internet becomes more viable.
Futureproofing the purchase is easy. To start, buy with IPv6 support (it can always be disabled). For cable modems, you want the highest DOCSIS rating available (currently that's 3.0 but 3.1 is coming to consumer hardware shortly) and at least 8x4 channel bonding. For DSL modems, you're probably dealing with asymmetric DSL (ADSL) service (if you have SDSL, you'll know it) so you'll want ADSL2+ or VDSL/VDSL2 if available to you. Know that with a cable modem, you can't update its firmware. Only the ISP can do that, which is why it's so important to buy something they officially support. With ADSL modems, you can update firmwares but DSL providers still have lists of supported/recommended models.
Modems often have routing capabilities like DHCP, NAT and UPnP. It's best to have an individual modem and router or security appliance instead of a combination device. You then set the modem in bridge mode so its only job is signal modulation and demodulation. Everything else, including PPPoE or PPPoA authentication, is then handled by the router or appliance. Not all edge devices can do PPPoA though, so you may not be able to bridge your DSL modem.
Otherwise, the biggest obstacle here could be that not all ISPs let customers use their own hardware. Some charge a rental fee regardless and some cable providers have a policy of never updating the firmware of customer owned modems. Avoid these companies whenever possible. Call your ISP and ask questions; do it multiple times. It's common for one customer service representative to give you one answer, while on the next call, you get a new person and a completely different answer, and so on. If you must, get "escalated" to a manager.
SOHO routers are not worth lavishing money on and arguably not even worth dealing with in the first place (if you feel the same, skip ahead to security appliances). Advancements in these devices are almost entirely focused on WiFi technology, are misleadingly described, and have external requirements before they come anywhere near their advertised link speeds.
Let practicality rule purchase decisions. This is a very good site about the very bad things consumer routers do, and the good things they don't do; the Security Feature Checklist is especially informative. Next see SmallNetBuilder's How To Buy A Wireless Router - 2015 Edition to determine what router class would be best for you. Read both links carefully—then start shopping.
Alternative Router Firmwares
To again reference Michael Horowitz, "When you buy a consumer router you are buying the hardware." Brilliantly put. You may even have some halfway decent hardware like a dual core ARM processor or the latest WiFi AC, but replacing the manufacturer supplied firmware is the fast track to begin redeeming your new personal Pandora's box of network security vulnerabilities.
There are many advantages to using open source router firmwares in place of the OEM versions. You'll gain features like OpenVPN, DNSCrypt, RADIUS, VLANs and captive portals, and without needing to buy the highest end model of router. Often you'll find that half-assed features in OEM firmwares which barely work, things like print or file servers or QoS, will perform as expected in these alternatives. Most importantly, these firmwares receive regular updates from their developers, not the hardware manufacturers, so you don't need to worry about being abandoned with unpatched vulnerabilities or stuff like this.
The biggest caveat with alternative firmwares is that you usually can't use the most cutting-edge hardware available, and your hardware selection is consequently more limited. Yet I would say that is actually a benefit, because your selection is focused on a range of devices which are verified stable and robust with these alternative firmwares, while still spanning a range of budgets and hardware features. Compare that to the newest yearly variation of a model with factory firmware bugs and a non-existent update cycle.
Going this route requires that you adopt the generally wise mentality of buying hardware to fit your choice of software. Doing otherwise often results in disappointment. Yet again I see this as an advantage because network devices are where you want the stability of a neutron star, not the shallow pride of early adoption.
There are many alternative router firmwares but DD-WRT, OpenWRT and Tomato are the heavyweights, are under active development and have thriving communities. Gargoyle is less known but also active and Asuswrt-Merlin is another choice for Asus routers. Tomato has different versions called mods. They used to be more numerous but have reduced down to Shibby (and AdvancedTomato based on Shibby) and Toastman being the most well maintained. Both DD-WRT and Tomato have various builds (example) to choose from like VPN (OpenVPN), mini and BT (Bittorrent). When in doubt, AIO (all in one) will give you everything.
For more info on these firmwares, see DD-WRT’s forums (seek out the peacock thread), Linksysinfo.org and sites like SmallNetBuilder and DSL Reports. If you want the super easy way, Buffalo and Netgear make several routers with DD-WRT preinstalled (albeit an OEM-modified version) while FlashRouters sells a variety of makes and models with DD-WRT and Tomato (if money is no object). The Turris Omnia is another OpenWRT router and while new, it looks very promising.
A typical small network looks something like the diagram below. All devices are on one trusted LAN behind a router (or router/modem combo) with network address translation and a basic SPI firewall.
Segmentation is when you separate devices on a network according to some principle. For a basic home network, you can split off WiFi onto its own subnet away from ethernet devices. You can take the idea further and divide things up into network zones according to trusted or untrusted devices. At the far end of the spectrum, isolating each device on the network into its own VLAN ensures that nothing could become aware of anything other than the internet connection gateway.
Introduction to VLANs
A VLAN is what you get when you split one OSI layer 2 local area network into multiple separate or virtual LANs. VLANs are useful for security purposes because they compartmentalize different hosts and/or devices on your network so they have no access to each other, not even through network mapping utilities. A simple example is guest WiFi access, where guests' devices can reach the internet but are unable to prod around anywhere or infect anything on the network if they've already contracted something nasty.
VLANs are the active ingredient of network segmentation but they're not a feature of most consumer-level routers. That means you've got four main options:
- If you have a router which doesn't support VLANs, you can buy a switch which does. Then your VLANs would be configured entirely through the switch. For this you would need a managed switch, not one which is unmanaged. More on this below.
- The alternative router firmwares can do VLANs, and the OEM firmware of some higher-end routers can VLAN too. Whether they allow separate VLANs to communicate or not will depend on the firmware (DD-WRT and Tomato isolate VLANs by default). A home router will max out at 4 ports though, so the least expensive way of adding more is with an unmanaged switch for about $50 USD. In the router's firmware, you would 'tag' a specific router port for a VLAN, then the switch would be used to expand that port into a multi-port VLAN subnet. Alternatively, you could buy a managed switch to take advantage of its ASIC hardware and other software features, then VLAN entirely through the switch.
- Move over to a UTM system. Depending on your hardware and the number of devices you have, you may be able to just add a few 2-4 port PCIe ethernet cards and you would VLAN through the UTM's web management. If you have an embedded system with no PCI access, or if you have many devices, then you'll need a managed switch. More on UTMs below.
- Though technically not a VLAN, you can daisy-chain together multiple 4-port home routers. Each router can have its own subnet even if their firmwares don't support VLANs and this would isolate devices from each other. Daisy-chaining like this is generally seen as a temporary or poor-man's solution. Sure it works, it can be very inexpensive and perfectly usable and manageable for a small network, but it introduces higher latency and gives you less flexibility than a dedicated switch. It also multiplies the problem of abandoned router firmwares and their many security holes.
If you want to do VLANs with an ethernet switch, you'll need one which has some degree of configuration management. Managed or semi-managed (also called Smart) switches give you CLI and/or HTTPS configuration access like a router, while unmanaged switches don't allow any config changes. Managed switches are often multilayer, meaning that they're a layer 2 device at minimum, but have various layer 3 capabilities available.
VLANs take place at OSI layer 2 and can be done with a fully managed or semi-managed switch. However, the members of different VLANs on a L2 switch can't talk to each other; your tablet on VLAN 2 can't access the printer or NAS on VLAN 3. For inter-VLAN communication, you need routing capability, found in layer 3 devices. Aside from routing and DHCP, the additional features of layer 3 switches (sometimes also called L2+) will depend on the manufacturer.
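A small model of the layer 2 isolation just described, as an added example that is not part of the original article: it builds and parses real Ethernet II frames with an 802.1Q tag (TPID 0x8100, then PCP/DEI/VID), and a constructed port-based switch forwards them only within a VLAN. Port names, VLAN numbers and the "tablet on VLAN 2, printer and NAS on VLAN 3, trunk to the router" layout are assumptions chosen to match the paragraph.

```python
"""
Added example, not from the original article: why members of different VLANs
on a layer 2 switch cannot reach each other.  Frames use the real 802.1Q
layout; the switch itself is a constructed simulation with "access" ports
(one VLAN, untagged) and "trunk" ports (tagged), as on a managed switch or a
DD-WRT/Tomato/OpenWRT port-tagging setup.  There is no MAC learning: frames
are flooded within their VLAN, which is enough to show the isolation.
"""
import struct
from typing import Dict, List, Optional, Tuple

TPID_8021Q = 0x8100


def build_frame(dst: bytes, src: bytes, vid: Optional[int],
                ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame, inserting an 802.1Q tag when vid is given."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses are 6 bytes")
    hdr = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = vid                     # PCP=0, DEI=0, VID in the low 12 bits
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid or None, ethertype, payload) from raw frame bytes."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, off = tci & 0x0FFF, 18
    return dst, src, vid, ethertype, frame[off:]


class VlanSwitch:
    """Port-based VLAN switch: access ports belong to one VLAN, trunks carry tags."""

    def __init__(self, access: Dict[str, int], trunks: List[str]):
        self.access = access          # port name -> VLAN id of that access port
        self.trunks = set(trunks)

    def ingress_vlan(self, port: str, frame: bytes) -> Optional[int]:
        """Classify an incoming frame's VLAN; None means the frame is dropped."""
        vid = parse_frame(frame)[2]
        if port in self.access:
            # An access port supplies the VLAN itself; a frame that arrives
            # already tagged is not trusted and is dropped.
            return self.access[port] if vid is None else None
        if port in self.trunks:
            return vid                # untagged on a trunk: no native VLAN here
        return None

    def forward(self, in_port: str, frame: bytes) -> Dict[str, bytes]:
        """Flood the frame to every other port in the same VLAN only."""
        vid = self.ingress_vlan(in_port, frame)
        if vid is None:
            return {}
        dst, src, _, ethertype, payload = parse_frame(frame)
        out: Dict[str, bytes] = {}
        for port, pvid in self.access.items():
            if port != in_port and pvid == vid:        # same VLAN: strip the tag
                out[port] = build_frame(dst, src, None, ethertype, payload)
        for port in self.trunks:
            if port != in_port:                        # trunks: keep the tag
                out[port] = build_frame(dst, src, vid, ethertype, payload)
        return out


if __name__ == "__main__":
    # Constructed layout: p1 tablet (VLAN 2), p2 printer and p3 NAS (VLAN 3),
    # p4 tagged trunk toward the router or layer 3 device.
    sw = VlanSwitch(access={"p1": 2, "p2": 3, "p3": 3}, trunks=["p4"])
    bcast, tablet_mac = b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01"
    frame = build_frame(bcast, tablet_mac, None, 0x0806, b"who has the NAS?")
    print("tablet broadcast reaches:", sorted(sw.forward("p1", frame)))   # only p4
```

Only a router or layer 3 switch attached to the trunk can relay between VLAN 2 and VLAN 3, which is the point of the paragraph above.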
The cost of a gigabit ethernet switch to fulfill the need of creating VLANs for network segmentation depends heavily on the number of ports you want and whether you want multilayer capabilities. Adding power over ethernet then roughly doubles the price. As mentioned above, you can use a router with an alternative firmware and an inexpensive unmanaged switch for software-based VLANs.
If you want dedicated hardware and more features, the $100 to $300 USD price range will get you about 8-26 non-POE ports on a pure L2 switch or a L2+ model, capable of IP routing and some security features like access control lists, IGMP snooping and port locking. The Cisco SG 200 (L2) and SG 300 (some layer 3 functions) series, Dell 2800 series (limited L3), HP's 1800 (L2) and 1900 (L3) series and Netgear's ProSAFE lineup (L2 and L3) are all known to be solid equipment.
In addition to multilayer, other qualities to examine are the upgrade procedure, warranty duration, power consumption and cooling method. Upgrading a firmware should be multi-platform, require no extra plugins or applications and as simple as uploading a file through the web interface or console. Some switches have lifetime warranties while others are limited. Switches are always-on devices so they're consuming power 24/7/365, some less so than others due to things like Energy Efficient Ethernet and powering down idle ports. If fan noise is of concern, then you'll want a fanless switch.
These switches are not called "managed" just for show, they are well into the territory of business-level or prosumer hardware. While they have plenty of features to play with, the learning curve can be steep if you want to use them all. The manufacturers of this level of hardware provide datasheets which will give you all the info needed to compare before making a decision. You're probably rolling your eyes at this point, but of course what you do is your decision.
Network Security Appliances
If you want to filter incoming and outgoing traffic to and from your router, or if you want to forgo the consumer/SOHO router experience altogether, then a Unified Threat Management system or Next-Generation Firewall is what you'd use. To gloss over the distinction, a NGFW is basically a relabeling of the UTM concept to differentiate NGFWs into their own market. The function of both is essentially the same while their features and effectiveness will vary more by vendor than anything else. These platforms are literally a specialized operating system so if you're considering this option, know that the installation, configuration and maintenance is more involved than a router firmware flash.
What you get in return though, are basically enterprise level features and flexibility; nearly everything about a UTM/NGFW surpasses even the alternative firmwares. The list of benefits is long but most relevant here is network intrusion prevention. This uses ingress and egress deep packet inspection to examine web content, URLs and downloaded files using one or several antivirus engines. Malicious content from both directions is blocked at the appliance.
Some UTMs/NGFWs are 'application aware' (OSI layer 7) and can block or allow traffic based on specific web apps (Facebook, YouTube, etc.). You can block by category of site content (warez, shopping, etc.) and some can even MITM encrypted HTTPS and VPN traffic to filter that too.
There are many different UTM/NGFW operating systems. Some are FOSS projects and others are free limited trials of proprietary products but many also sell hardware with their platform preinstalled to help fund development. pfSense, ipFire or Smoothwall Express are popular starting points while AlienVault OSSIM and OPNsense are newer additions; all are open source. ClearOS community version, Endian UTM, Sophos UTM Home Edition and Untangle NG Firewall are the major free proprietary offerings.
UTM and NGFW systems are usually BSD or Linux underneath and if you build your own hardware, you have much more freedom of selection compared to alternative router firmwares—from tiny SOC-powered boards to full x86. These appliances aren't intended to be all-in-one devices with routing, switching and WiFi like a home router, so the starting price of new equipment is naturally higher. If you buy pre-built appliances from the vendors, the cost can be similar to a new mid-range computer for just the SOHO level stuff.
If you choose to DIY, the PC Engines APU is an excellent starting point for small networks. Its hardware is selected for BSD and Linux friendliness and the board, storage, aluminum enclosure and power supply can be had for about $200 USD. You'd then need to expand ports for your LAN either with a switch or a multi-port home router. For WiFi, you can use the same home router set in Access Point mode or buy something more specialized like a Ubiquiti. If you'd rather have WiFi from the same box, you need to buy a PCIe WiFi card as found in laptops (Atheros or Intel will have the best driver support) and an antenna to stick out the back of the enclosure. You can see the parts you'd need at mini-box.com.
An old computer rescued from the closet is another common starting point for a NGFW or UTM. It won't be the most energy efficient solution but it should have plenty of processing power, memory and storage for the job. Additional necessary hardware would be a 2-4 port Intel gigabit PCIe card, or several, depending on the intended network size, and/or a switch. Another option is to look for old pre-built appliances on eBay from the enterprise vendors like Cisco, Fortigate, Palo Alto Networks and Sophos (there are others). Just make sure a decommissioned appliance will still receive updates before buying one.
Walling off your own wonderful garden is the first step to hardening your environment. However, beautiful as your garden may be, it should not be trusted farther than you can shotput a monolithic column at Heliopolis. No network should be trusted, even your own.
Behold the policies of Default Deny and Least Privilege. Now carry those into hardening the operating systems of each host on the network. Oh the drama!