Securing family network

My parents used a very weak password for both our wifi and control panel, so obviously I changed those. I also disabled UPnP as it seems that’s another point of vulnerability. What else can I do to tighten up security?

4 Likes

Change the configured DNS servers to use a non-ISP DNS server that's more privacy-respecting and security-focused (malware domain filtering etc.), like CloudFlare's. They also have malware-blocking DNS servers now as well; I'd recommend using these:

Malware Blocking Only
Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2

If there is a text box in the config for a third DNS server IP, make sure not to leave it blank or it will default back to an ISP DNS server. Use 1.1.1.1 in the third spot, or two entries of 1.0.0.2 if it allows you.

1 Like

If there is a text box in the config for a third DNS server IP, make sure not to leave it blank or it will default back to an ISP DNS server. Use 1.1.1.1 in the third spot, or two entries of 1.0.0.2 if it allows you.

That’s interesting behavior. Is it a widespread problem? I am assuming so since the OP didn’t volunteer any configuration information.

Good question. I believe it is, but it depends on a few things. I know many ISPs will pass in three of their DNS servers when you obtain your WAN DHCP lease from them, and in some routers the manual DNS server config won't override all three of them (e.g. you can specify three manually but only enter two). This may be a bug in a lot of routers (or a "feature", depending on who you are), but it's a sneaky leak point that can happen and something to be aware of and test for, to avoid your DNS queries falling back on that third ISP DNS server if your router is one with this issue. I know some common setups like DD-WRT + ASUS routers have this problem, and quite possibly many others depending on different factors.
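The two posts above describe the problem in terms of a router's web UI; as an added example that is not from the thread, here is how the same fix looks on an OpenWrt router, where the cleaner approach is to tell the WAN interface to ignore lease-supplied resolvers altogether rather than to fill every slot by hand. The file paths and option names are OpenWrt's; the choice of 1.1.1.2/1.0.0.2 follows the post, and the two `config interface 'wan'` stanzas are a before/after pair (keep only the second).

```uci
# /etc/config/network  (added example, OpenWrt UCI syntax)

# Weak: the default WAN config accepts the resolvers handed out in the
# ISP's DHCP lease. Adding one or two 'list dns' lines on top of this can
# still leave a lease-supplied server in an unfilled slot.
config interface 'wan'
	option proto 'dhcp'
	# option peerdns '1'   # default: use resolvers from the DHCP lease

# Hardened: ignore lease-supplied resolvers entirely and name every
# upstream explicitly, so nothing can "fall back" to the ISP.
config interface 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '1.0.0.2'

# /etc/config/dhcp  (dnsmasq is the resolver LAN clients actually talk to)
# 'noresolv' stops dnsmasq from reading the lease-derived resolv.conf, so
# the only upstreams it can forward to are the ones listed here.
config dnsmasq
	option noresolv '1'
	list server '1.1.1.2'
	list server '1.0.0.2'
```

After `/etc/init.d/network restart` and `/etc/init.d/dnsmasq restart`, confirm there is no hidden third resolver: on recent OpenWrt the lease-derived list lives in `/tmp/resolv.conf.d/resolv.conf.auto`, and with `peerdns '0'` it should contain only the two Cloudflare addresses. The same check applies to any firmware: find where the router stores the DHCP-learned resolvers and verify none of the ISP's addresses remain there.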

We have an xFi Gateway and it looks like there’s no way to change DNS servers without buying new hardware.

Disable WPS if you have that in your settings.

You may reference this and many more articles out there if you do a simple search.

Thanks, I think that gives me a better understanding. I'm mainly trying to protect myself and my devices because I can't do much about my family's poor security habits. They keep reusing weak passwords, visiting sketchy sites, getting infected with malware, etc. Even though I have good security on my end, I'm paranoid that somehow I might be compromised because we're on the same network. Should I be looking at a way of isolating myself, like network segmentation or something?

That’s some excellent threat modeling you did there btw. Your users engage in risky behavior and you wish to manage threats to yourself and to the infrastructure.

You might want to run it like a “free WiFi” or a college campus. Device isolation, dedicated management network etc. Ensure the user can only access the Internet from their device and not each other or local services.

You might want to run some filtering, e.g. on the DNS layer (someone mentioned CloudFlare, that's a great choice), to reduce the probability and impact of a compromise.

Another option is locking down the endpoints. Non-admin user accounts, abuse-resistant hardware like iPads or Chromebooks.

Note that this does nothing to prevent remote compromise. If someone guesses their gmail password, finds a scan of their passport and their credit card number and starts stealing their identity or their money, network segmentation won’t help.
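The "free WiFi" model in the answer above (device isolation, no access to each other or to local services, a separate management network) is what a guest network is on a configurable router. As an added example that is not part of the thread, here is that layout in OpenWrt UCI syntax: the family's devices join an isolated SSID in its own firewall zone that may only reach the Internet, while the original `lan` zone (where the OP's own devices and the router's admin interface stay) is untouched. The SSID name, passphrase and 192.168.50.0/24 range are placeholders.

```uci
# /etc/config/wireless  (added example, OpenWrt UCI syntax)
# A second SSID whose clients cannot talk to each other at layer 2.
config wifi-iface 'guest_ap'
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option ssid 'Family-Guest'                  # placeholder name
	option encryption 'sae-mixed'               # WPA3, WPA2 fallback for older devices
	option key 'CHANGE-ME-to-a-long-passphrase' # placeholder
	option isolate '1'                          # block client-to-client traffic

# /etc/config/network
# Its own layer-3 network; deliberately NOT bridged into 'lan'.
config interface 'guest'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# Default-deny zone: nothing reaches the router itself (input) and nothing
# is forwarded anywhere (forward) unless a rule below says otherwise.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only permitted forwarding is guest -> Internet. There is intentionally
# no 'guest' -> 'lan' forwarding stanza, which is what keeps the family's
# devices away from the OP's devices and from any local services.
config forwarding
	option src 'guest'
	option dest 'wan'

# Two holes in the REJECT input policy: the router must still hand out
# addresses and answer DNS (the filtered upstreams from the DNS posts).
config rule
	option name 'guest-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'guest-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

With `input 'REJECT'` and no guest-to-lan forwarding, the router's web UI and SSH are unreachable from the guest SSID, so `lan` effectively becomes the management network. To test it, join the guest SSID from a laptop and confirm that pinging the router's `lan` address, another guest client, and any device on `lan` all fail while `nslookup` and ordinary browsing still work. Note, as the answer above says, this does nothing for account-level compromise; it only stops a malware-infected family device from reaching the OP's devices over the LAN.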

As an extra step, as long as you don't have a lot of new devices connecting to your wifi randomly, you could authorize only the specific MAC addresses of your family's devices. An outsider would have to want to get in to find and spoof your parents' MAC addresses and get the password.