
Secure home network: creating an isolated segment for guests. How to set up a home router for a secure network

PNST 301-2018 / ISO/IEC 24767-1:2008

Preliminary National Standard of the Russian Federation

Information technology

Home network security

Part 1. Security requirements

Information Technology. Home Network Security. Part 1. Security Requirements

OKS 35.110, 35.200, 35.240.99

Effective from 2019-02-01

Preface


1 PREPARED by the Federal State Budgetary Educational Institution of Higher Education "Plekhanov Russian University of Economics" (FGBOU VO "REU im. G.V. Plekhanova") on the basis of its own translation into Russian of the English version of the international standard specified in paragraph 4

2 SUBMITTED by Technical Committee for Standardization TC 22 "Information Technologies"

3 APPROVED AND ENACTED by Order of the Federal Agency for Technical Regulation and Metrology of 4 September 2018 No. 38-pnst

4 This standard is identical to the international standard ISO/IEC 24767-1:2008* "Information technology. Home network security. Part 1. Security requirements" (ISO/IEC 24767-1:2008 "Information technology - Home network security - Part 1: Security requirements", IDT)
________________
* Access to the international and foreign documents mentioned here and elsewhere in the text can be obtained via the link to the website. (Note by the database compiler.)

The rules for applying this standard and for monitoring its application are established in GOST R 1.16-2011 (sections 5 and 6).

The Federal Agency for Technical Regulation and Metrology collects information on the practical application of this standard. This information, as well as comments and proposals on the content of the standard, may be sent no later than 4 months before the end of its validity period to the developer of this standard at: 117997 Moscow, Stremyanny pereulok, 36, FGBOU VO "REU im. G.V. Plekhanova", and to the Federal Agency for Technical Regulation and Metrology at: 109074 Moscow, Kitaygorodsky proezd, 7, bld. 1.

If this standard is cancelled, the relevant information will be published in the monthly information index "National Standards" and will also be posted on the official website of the Federal Agency for Technical Regulation and Metrology on the Internet (www.gost.ru).

Introduction

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees. Any interested party that is a member of ISO or IEC may take part in the development of a standard in a particular field. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards prepared by the joint technical committee are sent to the national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote.

The formal decisions or agreements of IEC and ISO on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects, since each technical committee has representation from all interested IEC and ISO National Committees.

IEC, ISO and ISO/IEC publications have the form of recommendations for international use and are accepted by IEC and ISO National Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC, ISO and ISO/IEC publications is accurate, IEC and ISO cannot be held responsible for the way in which they are used or for any misinterpretation by an end user.

In order to promote international uniformity, IEC and ISO National Committees undertake to apply IEC, ISO and ISO/IEC publications to the maximum extent possible in their national and regional standards, as far as the national and regional conditions of the country allow. Any divergence between an ISO/IEC publication and the corresponding national or regional standard shall be clearly indicated in the latter.

ISO and IEC provide no marking procedure to indicate their approval and cannot be held responsible for any equipment declared to be in conformity with one of the ISO/IEC standards.

All users should ensure that they have the latest edition of this publication.

No liability shall attach to IEC or ISO or their directors, employees, servants or agents, including individual experts and members of their technical committees, or to IEC or ISO National Committees, for any personal injury, property damage or other damage of any nature, direct or indirect, or for costs (including legal fees) and expenses arising out of the publication of, use of, or reliance upon this ISO/IEC publication or any other IEC, ISO or ISO/IEC publication.

Attention is drawn to the normative references cited in this publication. Use of the referenced documents is indispensable for the correct application of this publication.

Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

International Standard ISO/IEC 24767-1 was prepared by Subcommittee 25, "Interconnection of information technology equipment", of ISO/IEC Joint Technical Committee 1, "Information technology".

A list of all parts of the ISO/IEC 24767 series, under the general title "Information technology. Home network security", available at the time of publication can be found on the IEC website.

1 Scope

This standard identifies requirements for protecting the home network from internal and external threats. It serves as a basis for the development of security systems that protect the home environment from various threats.

The requirements in this standard are treated relatively informally. Although many of the issues discussed here guide the development of security systems for both the home network and the Internet, they remain general requirements.

The internal (home) network connects various devices (see Figure 1). Devices of the "household appliance network", "audio/video entertainment" and "information application" classes have different functions and performance characteristics. This standard provides a means of analysing the risks for each device connected to the network and defines security requirements for each device.

2 Terms, definitions and abbreviations

2.1 Terms and definitions

The following terms and definitions apply in this standard:

2.1.1 consumer electronics (brown goods): Audio/video devices used for entertainment purposes, such as a TV or a DVD recorder.

2.1.2 confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes.

2.1.3 data authentication: A service used to ensure the correct verification of the claimed source of data.

2.1.4 data integrity: The property that data has not been altered or destroyed in an unauthorised manner.

2.1.5 user authentication: A service that ensures that the identification information presented by a communication partner is correct, while the authorisation service ensures that only identified and authorised users obtain access to a specific device or home application.

2.1.6 appliances (white goods): Devices used in everyday household life, for example air conditioners, refrigerators, etc.

2.2 Abbreviations

The following abbreviations are used in this standard:

A/V (Audio/Video): audio/visual devices;

CD (Compact Disc);

DDoS (Distributed Denial of Service): distributed denial-of-service attack;

DoS (Denial of Service): denial of service;

DRM (Digital Rights Management): digital rights management;

DTV (Digital Television): digital television;

DVD (Digital Versatile Disc): DVD disc/format;

ESM-HES (Externally Supported Multiple Homes HES): home electronic system for several homes, managed by a third party;

ESS-HES (Externally Supported Single Home HES): home electronic system for one home, managed by a third party;

HES (Home Electronic System): home electronic system;

ICT (Information and Communication Technology): information and communication technologies;

IP (Internet Protocol): Internet protocol;

IPsec (IP Security Protocol): Internet protocol security;

IPv4 (Internet Protocol version 4): Internet protocol, version 4;

IPv6 (Internet Protocol version 6): Internet protocol, version 6;

IT (Information Technology): information technology;

MPEG (Moving Picture Experts Group): standard for compression of full-motion video;

OSS-HES (Owner Supported Single Home HES): home electronic system for one home, managed by the owner;

PDA (Personal Digital Assistant): pocket personal computer;

PC (Personal Computer): personal computer;

TCP (Transmission Control Protocol): transmission control protocol;

TLS (Transport Layer Security): transport layer security protocol;

URL (Uniform Resource Locator): uniform resource locator;

VCR (Video Cassette Recorder): video cassette recorder.

3 Conformity

This standard contains methodological guidance without any conformity requirements.

4 Security requirements for internal home electronic systems

4.1 General provisions

With the development of the Internet and related network technologies it became possible to connect computers in offices and homes with the outside world, giving access to a multitude of resources. Today the technologies that underpinned that success have reached our homes and make it possible to connect household appliances in the same way as personal computers. This not only lets users monitor and control their home devices from inside and outside the house, but also creates new services and capabilities such as remote control and servicing of household appliances. The ordinary home computing environment is thus turning into an internal home network that combines many devices, and its security must be ensured as well.

Tenants, users and owners of both homes and systems must be able to trust the home electronic system. The purpose of home electronic system security is to ensure confidence in the system. Since many components of the system operate continuously, 24 hours a day, and automatically exchange information with the outside world, information security is needed to ensure the confidentiality, integrity and availability of data and of the system itself. A properly implemented security solution means, for example, that access to the system and to stored, incoming and outgoing data is granted only to authorised users and processes, and that only authorised users can use the system and make changes to it.

The security requirements of the HES network can be described in several ways. This standard is limited to the IT security of the HES network. However, IT security must extend beyond the system itself, since the house has to keep functioning, albeit with reduced capabilities, if the IT system fails. The intelligent functions normally supported by the HES network should also be performable when the system's links are broken. In such cases it is understood that there are security requirements that are not part of the system itself, but the system must not prevent the implementation of fallback solutions.

There are a number of stakeholders in security. Not only residents and owners must trust the home electronic system, but also service and content providers. The latter must be confident that their services and content are used only as permitted. However, one of the fundamentals of system security is that a specific security administrator must be responsible for it. Obviously, this responsibility should rest with the residents (the system owners). It does not matter whether the administrator performs the role personally or outsources it; in either case the responsibility lies with the system security administrator. The confidence of service and content providers in the home electronic system, and their confidence that users apply their services and content properly, is determined by contractual obligations between the parties. The contract may, for example, list the functions, components or processes that the home electronic system must support.

The architecture of the home electronic system differs for different types of house, and each model may have its own specific set of requirements. Below are descriptions of three different models of home electronic system with different sets of requirements.

Obviously, some security requirements are more important than others, so it is clear that support for some countermeasures will be required while others remain optional. In addition, countermeasures differ in complexity and cost, and managing and maintaining them may require different skills. This standard attempts to clarify the motives behind the listed security requirements and thereby let the developer of a home electronic system determine which security functions the system should support and, taking into account quality and the effort of service management, which mechanism should be selected for those functions.

The security requirements of the network depend on the definition of security and of the "house", as well as on what is understood by the "network" in that house. If the network is simply a channel connecting a single PC to a printer and a cable modem, then securing the home network means securing that channel and the equipment it connects.

However, if there are dozens, if not hundreds, of devices in the house united in a network, some belonging to the household as a whole and others belonging to individual people living in the house, more complex security measures are needed.

4.2 Home electronic system security

4.2.1 Definition of the home electronic system and its security

A home electronic system and network can be defined as a set of elements that process, transmit, store and control information, providing communication and integration of the many computing, control, monitoring and communication devices found in the home.

In addition, home electronic systems and networks connect entertainment and information devices, communication and security devices, and household appliances. Such devices exchange information and can be controlled and monitored either from within the house or remotely. Accordingly, every home network will require a certain level of security to protect its daily operation.

Home network security can be understood as the ability of a network or information system to withstand, at a given level, accidental events or malicious actions. Such events or actions may threaten the availability, authenticity, integrity and confidentiality of stored or transmitted data, and of the related services offered through such networks.

Information security incidents can be grouped as follows:

electronic mail may be intercepted, and data may be read or altered. This can cause damage through violation of privacy rights and through abuse of the intercepted data;

unauthorised access to computers and internal computer networks is usually performed with malicious intent to copy, modify or destroy data, and may extend to the automation equipment and systems located in the house;

malicious attacks over the Internet have become quite common, and in the future the telephone network may also become more vulnerable;

malicious software such as viruses can disable computers, delete or modify data, or reprogram household equipment. Some virus attacks are destructive and costly;

impersonation of natural or legal persons can cause significant damage: for example, customers may download malicious software from a website masquerading as a trusted source, contracts may be repudiated, and confidential information may be sent to the wrong recipients;

many information security incidents are related to unforeseen and unintentional events, for example natural disasters (floods, storms and earthquakes), hardware or software failures, and the human factor.

Today almost every apartment has a home network to which desktop computers, laptops, network storage (NAS), media players, smart TVs, smartphones, tablets and other portable devices are connected. They use either wired (Ethernet) or wireless (Wi-Fi) connections and the TCP/IP protocols. With the development of Internet technologies, household appliances have joined the network: refrigerators, coffee makers, air conditioners and even electrical fittings. Thanks to "smart home" solutions we can control the brightness of lighting, remotely set the climate in each room and switch various devices on and off. This makes life much easier, but it can also create serious problems for the owner of such advanced solutions.

Unfortunately, the developers of such devices do not always care about the security of their products, and the number of vulnerabilities found in them grows like mushrooms after rain. It often happens that a device stops being supported soon after it reaches the market: our TV, for example, runs a 2016 firmware based on Android 4, and the manufacturer is not going to update it. Guests add to the problem: refusing them Wi-Fi access is awkward, but letting just anyone into your cosy network is not something you want either. Who knows what malware has settled on a stranger's phone? All this leads to the need to divide the home network into several isolated segments. Let's try to figure out how to do that, as they say, cheaply and with minimal effort.

Isolating the Wi-Fi network
In corporate networks the problem is solved simply: there are managed switches with VLAN support, various routers, firewalls and wireless access points, and the required number of isolated segments can be built in a couple of hours. With the Traffic Inspector Next Generation (TING) appliance, for example, the task takes literally a few clicks: connect the guest-segment switch to a separate Ethernet port and create firewall rules. For the home this option is unsuitable because of the cost of the equipment; most often the network is controlled by a single device that combines the functions of router, switch, wireless access point and who knows what else.

Fortunately, modern home routers (or "Internet centres", as their makers prefer to call them) have also become quite smart, and almost all of them, except the most budget models, can create an isolated guest Wi-Fi network. How reliable that isolation really is deserves a separate article; today we will not dig into the firmware of the various manufacturers' devices. As an example we take a Zyxel Keenetic Extra II. The line is now simply called Keenetic, but the unit we got was still released under the ZyXEL brand.

Setup through the web interface will not trouble even a beginner: a few clicks, and we have a separate wireless network with its own SSID, WPA2 protection and access password. Guests can be placed in it, as can TVs and players with long-unupdated firmware or any other clients you don't particularly trust. In most other manufacturers' devices this function, we repeat, is also present and is enabled in the same way. In D-Link router firmware, for example, the task is solved with the setup wizard.

[Screenshot: a guest network can be added when the device is already configured and running]

[Screenshots from the manufacturer's site]

Isolating the Ethernet network
Besides wireless clients, we may need to connect a guest device over a wired interface. Connoisseurs will say that VLANs (virtual LANs) are what you use to create isolated Ethernet segments. Some home routers support them, but here the task is harder: we don't want merely a separate segment, we need to combine ports for wired connections with the wireless guest network on one router. Not every device can do this. A quick survey shows that, apart from Keenetic Internet centres, adding Ethernet ports to the guest Wi-Fi segment is possible on MikroTik models, but configuring them is far less obvious. Among comparable home routers, only Keenetic solves it in a couple of clicks in the web interface.

As you can see, our test unit coped with the problem easily, and here another interesting feature is worth noting: wireless guest clients can also be isolated from each other. This is very useful: your friend's malware-infected smartphone will get to the Internet but will not be able to attack other devices even inside the guest network. If your router has such a function, turn it on, although it limits what clients can do among themselves: pairing a TV with a media player over Wi-Fi, say, will no longer work, and you will have to use a wired connection. At this stage our home network looks much better protected.
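The segmentation the article builds through the router's web UI, written down as an explicit firewall policy so that what "isolated" means is checkable. This is an added example, not code from the article, Keenetic, MikroTik or TING. It assumes a Linux-based router with interfaces named wan0, br-lan and br-guest (names are assumptions), where the guest SSID and the VLAN-tagged port for wired guests are both bridged into br-guest. The policy lets guests reach the Internet and only the router's DHCP and DNS, and nothing on the trusted LAN; the same table is rendered as an nftables ruleset.

```python
"""Guest-segment firewall policy as data, rendered to an nftables ruleset.

Added example, not code from the article or from any router vendor.
Assumed interface names on a Linux router:
  wan0     - uplink
  br-lan   - trusted LAN bridge (home SSID + untagged ports)
  br-guest - guest bridge (guest SSID + the VLAN-tagged port for wired guests)
Wireless client-to-client isolation inside br-guest is an access-point
setting (hostapd: ap_isolate=1), not a layer-3 rule, and NAT (masquerade)
for the uplink is configured separately; neither is expressed here.
"""
from typing import NamedTuple, Optional

IFACES = {"wan0": "wan", "br-lan": "lan", "br-guest": "guest"}  # assumed names


class Rule(NamedTuple):
    src: str              # source zone
    dst: str              # destination zone, or "router" for the router itself
    proto: Optional[str]  # "tcp"/"udp", or None for any
    dport: Optional[int]  # destination port, or None for any
    verdict: str          # "accept" or "drop"


# First match wins; anything unmatched is dropped by the chain policy.
POLICY = [
    # Guests may use the router only as DHCP and DNS server ...
    Rule("guest", "router", "udp", 67, "accept"),
    Rule("guest", "router", "udp", 53, "accept"),
    Rule("guest", "router", "tcp", 53, "accept"),
    # ... and for nothing else: no web admin, SSH, UPnP or shares on the router.
    Rule("guest", "router", None, None, "drop"),
    Rule("guest", "wan", None, None, "accept"),   # Internet only
    Rule("guest", "lan", None, None, "drop"),     # the actual isolation
    # Trusted LAN may initiate to guest devices (e.g. cast to a TV parked
    # there); replies return via the stateful rule. Use "drop" for strict
    # two-way isolation.
    Rule("lan", "guest", None, None, "accept"),
    Rule("lan", "router", None, None, "accept"),
    Rule("lan", "wan", None, None, "accept"),
    # No remote administration and no inbound forwarding from the uplink.
    Rule("wan", "router", None, None, "drop"),
    Rule("wan", "lan", None, None, "drop"),
    Rule("wan", "guest", None, None, "drop"),
]


def decide(src_zone: str, dst_zone: str, proto: Optional[str] = None,
           dport: Optional[int] = None, established: bool = False) -> str:
    """Verdict for a flow under POLICY (established flows are always accepted)."""
    if established:                       # ct state established,related accept
        return "accept"
    for r in POLICY:
        if (r.src, r.dst) != (src_zone, dst_zone):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.verdict
    return "drop"                         # chain policy


def render_nft(ifaces=IFACES) -> str:
    """Render POLICY as an `nft -f` ruleset (inet family: IPv4 and IPv6)."""
    by_zone = {zone: ifname for ifname, zone in ifaces.items()}
    input_rules, forward_rules = [], []
    for r in POLICY:
        parts = [f'iifname "{by_zone[r.src]}"']
        if r.dst != "router":
            parts.append(f'oifname "{by_zone[r.dst]}"')
        if r.proto is not None and r.dport is not None:
            parts.append(f"{r.proto} dport {r.dport}")
        parts.append(r.verdict)
        (input_rules if r.dst == "router" else forward_rules).append(" ".join(parts))
    sep = "\n        "
    return (
        "table inet guestfw {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy drop;\n"
        "        iif lo accept\n"
        "        ct state established,related accept\n"
        "        ct state invalid drop\n"
        "        meta l4proto ipv6-icmp accept\n"   # neighbour discovery
        f"        {sep.join(input_rules)}\n"
        "    }\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        "        ct state established,related accept\n"
        f"        {sep.join(forward_rules)}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(render_nft())
```

Load the printed ruleset with `nft -f`. The lan-to-guest rule is the deliberate trade-off that keeps casting from a trusted laptop to a TV parked in the guest segment working; a guest device still cannot open anything towards the LAN, which is the property the article is after. The client-to-client isolation the article mentions is a separate access-point setting and must be enabled on the Wi-Fi side in addition to these rules.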

What is the result?
The number of security threats grows year by year, and smart-device manufacturers do not always pay enough attention to releasing updates on time. In this situation there is only one way out: separating clients by trust level and creating isolated segments for them. You do not need to buy equipment costing tens of thousands of roubles; a relatively inexpensive home Internet centre can handle the task. Here I would warn readers against buying budget-brand devices. The hardware of almost all manufacturers is now more or less identical, but the quality of the built-in software varies greatly, as does the length of the support cycle for released models. Even the fairly simple task of combining wired and wireless ports into one isolated segment is beyond some home routers, and your needs may be more complex: sometimes additional segments or DNS filtering that allows access only to safe hosts are required, in large premises Wi-Fi clients have to be connected to the guest network through external access points, and so on. Besides security there are other issues: in public networks, client registration must be provided in accordance with the requirements of Federal Law No. 97 "On Information, Information Technologies and Protection of Information". Inexpensive devices can solve such tasks, but not all of them: the functionality of the built-in software, we repeat, varies greatly.

Introduction

The relevance of this topic lies in the fact that the changes taking place in Russia's economic life, the creation of a financial and credit system, of enterprises of various forms of ownership and so on, have a significant effect on information security. For a long time our country had only one form of property, state property, so information and secrets were also state property only, guarded by powerful special services. Information security problems are constantly aggravated by the penetration of technical means of data processing and transmission, above all computer systems, into almost every area of society's activity.

The objects of attack may be the technical means (computers and peripherals) as physical objects, and the software and databases for which those technical means are the environment. Every disruption of a computer network is not only "moral" damage to the enterprise's employees and network administrators. As electronic, paperless payment and document technologies develop, a serious failure of local networks can simply paralyse the work of entire corporations and banks, leading to tangible material losses. It is no accident that data protection in computer networks is becoming one of the most acute problems of modern computing.

To date, two basic information security principles have been formulated, which should provide:
- data integrity: protection against failures leading to loss of information, and against unauthorised creation or destruction of data;
- confidentiality of information and, at the same time, its availability to all authorised users.

It should also be noted that certain areas of activity (banking and financial institutions, information networks, public administration systems, defence and special structures) require special data security measures and have increased requirements for the reliability of information systems, in keeping with the nature and importance of the tasks they solve.

If a computer is connected to a local network, then potentially that computer and the information on it can be accessed without authorisation from the local network.

If the local network is connected to other local networks, users of those remote networks are added to the possible unauthorised users. We will not discuss the accessibility of such a computer from the network or from the channels through which the local networks are connected, because there are certainly devices at the exits of the local networks that encrypt and control traffic, and the necessary measures have been taken.

If the computer is connected directly through a provider to an external network, for example via a modem to the Internet, for remote interaction with its local network, then that computer and the information on it are potentially accessible to attackers from the Internet. And the most unpleasant thing is that through this computer attackers may also gain access to the resources of the local network.

Naturally, with all such connections either the standard access-control facilities of the operating system, or specialised means of protection against unauthorised access, or cryptographic systems at the level of specific applications, or all of these together, are applied.

However, all these measures unfortunately cannot guarantee the desired security against network attacks, for the following main reasons:

Operating systems (OS), and Windows in particular, are highly complex software products created by large developer teams. A detailed analysis of such systems is extremely difficult, so it is impossible to reliably prove that they contain no errors or undocumented features, left accidentally or deliberately, that could be used in network attacks.

In a multitasking OS, in particular Windows, many different applications can run at the same time, ...

With the spread of broadband Internet access and pocket gadgets, wireless routers have become extremely popular. Such devices distribute a Wi-Fi signal to desktop computers and mobile devices (smartphones and tablets) alike, and the channel bandwidth is quite enough for several consumers connected at once.

Today a wireless router is in almost every house that has broadband Internet. However, not all owners of such devices realise that with default settings they are extremely vulnerable to intruders. And if you think you do nothing online that could harm you, consider that by intercepting the traffic of your local wireless network attackers can gain access not only to your personal correspondence but also to your bank account, work documents and any other files.

Attackers need not limit themselves to the contents of your own devices: those contents can give them the keys to the networks of your company, your family and acquaintances, and to all kinds of commercial and government information systems. Moreover, through your network and on your behalf, attackers can carry out mass attacks and hacking, illegally distribute media files and software, and engage in other criminal activity.

Meanwhile, to protect yourself from such threats it is enough to follow a few simple rules that are understandable and accessible even to those without special knowledge of computer networks. We invite you to familiarise yourself with them.

1. Change the default administrator credentials

To access your router's settings you need to open its web interface. For that you need to know its IP address on the local network (LAN), as well as the administrator's username and password.

The router's internal IP address by default usually has the form 192.168.0.1, 192.168.1.1, 192.168.100.1 or, for example, 192.168.123.254; it is always given in the equipment's documentation. The default login and password are usually also given in the documentation (and often on the label on the underside of the device), or can be obtained from the router manufacturer or your service provider.

Enter the router's IP address in the browser's address bar and enter the login and password in the window that appears. The router's web interface with all its settings opens.

Whoever can change the settings controls the home network, so all default administrator credentials must be changed: the same defaults are used in tens of thousands of routers identical to yours, and anyone who reaches the admin page knows them. Find the corresponding item and enter new credentials; the new password should be unique and not the same as the Wi-Fi password.

In some cases the ability to change the administrator credentials is locked by the service provider, and then you will have to ask them for help.

2. Set or change the password for access to the local network

You will laugh, but there are still cases where the generous owner of a wireless router runs an open access point that anyone can connect to. Far more often a pseudo-password like "1234" or some banal word set when the network was installed is chosen for the home network. To minimise the chance that someone gets into your network easily, you need a genuinely long password of letters, digits and symbols, and the encryption mode must be set to WPA2, with AES (CCMP) rather than TKIP, or to WPA3 if the router and all your clients support it.

3. Disable WPS

WPS (Wi-Fi Protected Setup) lets you quickly establish a protected wireless connection between compatible devices without detailed configuration, by pressing the corresponding buttons on the router and the gadget or by entering a numeric code.

Meanwhile this convenient system, usually enabled by default, has one weak point: because WPS does not limit the number of incorrect PIN attempts, it can be brute-forced with the simplest utilities. The eight-digit PIN is also verified in two halves and its last digit is a checksum, so an attacker needs at most about 11,000 attempts instead of 100 million. Penetrating your network through the WPS PIN takes from a few minutes to several hours, after which obtaining the network password is no longer difficult, since the router hands the WPA passphrase to a client that presents the correct PIN.

So find the corresponding item in the admin interface and turn WPS off. Unfortunately, changing the setting does not always really disable WPS, and some manufacturers do not offer the option at all; a scan from another device will show whether the router still advertises WPS.

4. Change the name SSID

The SSID identifier (Service Set Identifier) \u200b\u200bis the name of your wireless network. It is his "recall" various devices that, when recognizing the name and availability of the necessary passwords, try to connect to the local network. Therefore, if you save the standard name installed, for example, by your provider, that is, the likelihood that your devices will try to connect to a variety of nearest networks with the same name.

Moreover, a router translating the standard SSID is more vulnerable to hackers who will approximately know its model and ordinary settings, and will be able to strike into specific weak points of such a configuration. Therefore, choose as a unique name as possible, nothing speaks about the service provider, nor about the equipment manufacturer.

At the same time, the frequently encountered advice to hide the SSID broadcast, an option that is standard on the overwhelming majority of routers, is actually unsound. The reason is that devices trying to connect to your network will in any case probe the nearby access points, and may connect to networks deliberately "planted" by intruders. In other words, by hiding the SSID you only complicate life for yourself.

5. Change the router's IP address

To further hinder unauthorized access to the router's web interface and settings, change its default internal (LAN) IP address.

6. Disable remote administration

For the convenience of technical support (mostly), many household routers implement a remote administration function that makes the router settings accessible from the Internet. So if we do not want outsiders getting in, it is better to disable this feature.

Even so, it is still possible to reach the web interface over Wi-Fi if an attacker is within range of your network and knows the username and password. Some routers can restrict access to the panel to wired connections only, but unfortunately this option is quite rare.

7. Update the firmware

Every manufacturer that respects itself and its customers keeps improving the software of its equipment and regularly releases updated firmware versions. Fresh versions fix, first of all, discovered vulnerabilities, as well as bugs affecting stability.

Note that after an update all the settings you have made may be reset to factory defaults, so it makes sense to back them up first, also via the web interface.

8. Move to 5 GHz

The basic Wi-Fi band is 2.4 GHz. It provides reliable reception for most existing devices at a distance of about 60 m indoors and up to 400 m outdoors. Moving to the 5 GHz band reduces the range by two to three times, limiting outsiders' ability to reach your wireless network. Because this band is less crowded, you may also notice higher data rates and a more stable connection.

The only drawback of this solution is that not all devices support the IEEE 802.11ac standard in the 5 GHz band.

9. Disable Ping, Telnet, SSH, UPnP and HNAP

If you do not know what is behind these abbreviations, and you are not sure you will need these functions, find them in the router settings and disable them. If the option exists, instead of merely closing ports, select stealth mode, which makes these ports "invisible" to anyone probing them from outside by ignoring requests and pings.

10. Turn on the router's firewall

If your router has a built-in firewall, we recommend enabling it. Of course, it is not an impregnable bastion, but together with software protection (even the firewall built into Windows) it is capable of resisting attacks quite adequately.

11. Disable filtering by MAC address

Although at first glance it seems that allowing only devices with specific MAC addresses to connect fully guarantees security, in reality it does not. Worse, it leaves the network open even to not particularly ingenious attackers. An attacker who can capture incoming packets will quickly obtain a list of active MAC addresses, because they are transmitted in the data stream unencrypted. And changing a MAC address is no problem even for a non-professional.

12. Switch to another DNS server

Instead of using your provider's DNS server, you can switch to an alternative such as Google Public DNS or OpenDNS. On the one hand, this can speed up page delivery; on the other, it can improve safety. For example, OpenDNS blocks viruses, botnets and phishing requests on any port, protocol and application, and thanks to special big-data algorithms it is able to predict and prevent a variety of threats and attacks. Google Public DNS, by contrast, is simply a fast DNS server with no additional functions.
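Tips 2 to 11 above are all settings you can read back from the router's admin panel, so they can be checked mechanically. The following audit script is an added example written for this page, not code from the original article: the configuration dictionary, its field names and the short lists of factory defaults and trivial passwords are assumptions made for illustration, and you would map them onto the fields of your own router's exported settings. The two sample configurations (one close to factory state, one after applying the tips) are constructed.

```python
"""Check a home router's settings against the hardening tips on this page.

Added example, not the article's code. Field names, default lists and the
sample configurations below are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# SSID prefixes that give away the manufacturer or provider (assumed list).
DEFAULT_SSID_PATTERNS = [r"^TP-?LINK", r"^NETGEAR", r"^Linksys", r"^D-?Link",
                         r"^ASUS", r"^ZyXEL", r"^Keenetic", r"^Beeline"]
# LAN addresses most routers ship with.
DEFAULT_LAN_IPS = {"192.168.0.1", "192.168.1.1", "10.0.0.1"}
# Trivial passwords of the "1234" kind the article warns about (assumed list).
WEAK_PASSWORDS = {"1234", "12345678", "password", "admin", "qwerty"}
ACCEPTED_ENCRYPTION = {"WPA2", "WPA3", "WPA2/WPA3"}


@dataclass
class Finding:
    check: str      # which tip the finding relates to
    severity: str   # "high", "medium" or "info"
    message: str


def passphrase_strong(pw: str) -> bool:
    """A WPA2-PSK passphrase is 8..63 printable ASCII characters; on top of
    that we require 12+ characters from at least three character classes
    and reject the trivial words (our own threshold, not the standard's)."""
    if not 8 <= len(pw) <= 63 or not all(32 <= ord(c) <= 126 for c in pw):
        return False
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= 12 and classes >= 3 and pw.lower() not in WEAK_PASSWORDS


def audit(cfg: dict) -> list:
    """Return a list of Findings; an empty list means every check passed."""
    out = []
    wifi, admin = cfg["wifi"], cfg["admin"]
    # Tip 2: encryption level and passphrase quality
    enc = wifi.get("encryption", "open")
    if enc == "open":
        out.append(Finding("encryption", "high", "open network, anyone can join"))
    elif enc not in ACCEPTED_ENCRYPTION:
        out.append(Finding("encryption", "high", f"outdated encryption: {enc}"))
    if enc != "open" and not passphrase_strong(wifi.get("passphrase", "")):
        out.append(Finding("passphrase", "high", "Wi-Fi passphrase is short or trivial"))
    # Tip 3: WPS must be off (its PIN is not rate-limited)
    if wifi.get("wps"):
        out.append(Finding("wps", "high", "WPS is enabled"))
    # Tip 4: SSID should reveal nothing; hiding it is not a protection
    if any(re.search(p, wifi.get("ssid", ""), re.I) for p in DEFAULT_SSID_PATTERNS):
        out.append(Finding("ssid", "medium", "SSID reveals manufacturer or provider"))
    if wifi.get("hidden"):
        out.append(Finding("ssid", "info", "hidden SSID adds no protection"))
    # Tip 5: default LAN address
    if cfg.get("lan_ip") in DEFAULT_LAN_IPS:
        out.append(Finding("lan_ip", "medium", "router still on its default LAN address"))
    # Tip 6 plus the admin-password advice: no remote admin, no factory password
    if admin.get("remote"):
        out.append(Finding("remote_admin", "high", "web interface reachable from the Internet"))
    if admin.get("password", "").lower() in WEAK_PASSWORDS:
        out.append(Finding("admin_password", "high", "factory or trivial admin password"))
    if admin.get("password") and admin["password"] == wifi.get("passphrase"):
        out.append(Finding("admin_password", "medium", "admin password equals Wi-Fi passphrase"))
    # Tip 9: services that should not answer on the WAN side
    for svc in ("ping", "telnet", "ssh", "upnp", "hnap"):
        if cfg.get("wan_services", {}).get(svc):
            out.append(Finding("wan_services", "medium", f"{svc} answers on the WAN interface"))
    # Tip 10: firewall on
    if not cfg.get("firewall"):
        out.append(Finding("firewall", "medium", "built-in firewall is off"))
    # Tip 11: MAC filtering only gives false confidence
    if cfg.get("mac_filter"):
        out.append(Finding("mac_filter", "info", "MAC filtering is easily bypassed; do not rely on it"))
    return out


# Constructed sample: a router left close to factory state.
FACTORY_LIKE = {
    "wifi": {"ssid": "TP-LINK_5F3A", "encryption": "WPA2", "passphrase": "12345678",
             "wps": True, "hidden": False},
    "lan_ip": "192.168.0.1",
    "admin": {"password": "admin", "remote": True},
    "wan_services": {"ping": True, "telnet": True, "ssh": False, "upnp": True, "hnap": False},
    "firewall": False,
    "mac_filter": True,
}

# Constructed sample: the same router after applying the tips.
HARDENED = {
    "wifi": {"ssid": "quiet-orchard", "encryption": "WPA2",
             "passphrase": "Corr3ct-Horse!Battery", "wps": False, "hidden": False},
    "lan_ip": "192.168.57.1",
    "admin": {"password": "Lamp$Tower-91x", "remote": False},
    "wan_services": {},
    "firewall": True,
    "mac_filter": False,
}

if __name__ == "__main__":
    for name, cfg in (("factory-like", FACTORY_LIKE), ("hardened", HARDENED)):
        findings = audit(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity:6}] {f.check}: {f.message}")
```

Run against the factory-like sample the script reports eleven findings (weak passphrase, WPS, vendor SSID, default LAN address, remote admin, factory admin password, three exposed WAN services, firewall off, MAC filtering); the hardened sample reports none. The passphrase length bounds (8 to 63 printable ASCII characters) are those of WPA2-PSK; the 12-character, three-class threshold is a stricter choice of this example.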

13. Install alternative firmware

And finally, a radical step for those who understand what they are doing: installing firmware written not by your router's manufacturer but by enthusiasts. As a rule, such firmware not only extends the device's functionality (support for professional features like QoS, bridge mode, SNMP and so on is usually added), but also makes it more resistant to vulnerabilities, partly thanks to its non-standard nature.

Among the popular open-source Linux-based firmware one could name

A few years ago, home wireless networks were quite simple and usually consisted of an access point and a couple of computers used for Internet access, online shopping or games. But today home networks have become much more complex. A large number of devices are now connected to the home network, and they are used not only for Internet access or consuming media. In this article we will talk about how to make your home network safe for all family members.

Wireless security

In almost every home there is a wireless network (a so-called Wi-Fi network). It lets you connect any device to the Internet, such as a laptop, a tablet or a game console. Most wireless networks are managed by a router, a device installed by your Internet provider to provide Internet access. In some cases, though, your network may be run by separate systems, so-called access points, that are connected to the router. Whatever system your devices connect through, the principle is the same: transmission of radio signals. Various devices can connect to the Internet and to the other devices on your network. This means that the security of your home network is one of the main components of protecting your home. We advise you to follow these rules to secure your home network:
  • Change the administrator password set by the manufacturer of the Internet router or access point. The administrator account lets you change the network settings. The problem is that many routers ship with standard, well-known passwords that are easy to find on the Internet. So change the factory password to a unique, strong password that only you know.
  • Change the network name set by the manufacturer (also called the SSID). This is the name your devices see when searching for the home wireless network. Give your home network a unique name that is easy to recognize but contains no personal information. Configuring the network as "invisible" is a low-value form of protection: most wireless scanning programs and any experienced hacker can easily detect "invisible" networks.
  • Make sure that only people you trust connect to your network, and that the connection is encrypted; this raises security. Currently the safest connection is WPA2: a password is requested when joining the network, and the traffic is encrypted. Make sure you are not using an outdated method such as WEP, and not running an open network (which provides no protection at all). An open network lets absolutely anyone connect to your wireless network without authentication.
  • Make sure you use a strong password for joining your network, and that it differs from the administrator password. Remember that the password has to be entered only once on each device; after that the device can remember and store it.
  • Most wireless routers support a so-called guest network. It lets guests reach the Internet while the home network stays protected, because guests cannot connect to your home devices. If you add a guest network, make sure it uses WPA2 and is protected by a unique, strong password.
  • Disable Wi-Fi Protected Setup and any other configuration option that lets new devices connect without entering the password.
  • If you find it hard to remember all the passwords, we strongly recommend using a password manager to store them.
Have questions about the items listed? Contact your Internet provider, consult the manual for your router or access point, or visit the manufacturers' websites.

Security of your devices

The next step is to establish the list of all devices connected to the network and secure them. This used to be easy when only a small number of devices were connected. But today almost any device can be "always connected" to the network, including televisions, game consoles, baby-monitor cameras, speakers, heaters or even cars. One simple way to detect connected devices is to use a network scanner such as Fing. Once installed on a computer, this application can detect every device connected to the network. After you have found all the devices, you should take care of their security. The best way to secure them is to regularly update their operating systems or firmware; where possible, enable automatic updates. If you can set a password on a device, use only a strong, reliable one. And finally, visit your provider's website for information about free ways to protect your network.
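A scanner such as Fing answers the question "what is on my network right now?"; the point of the inventory is to spot devices you did not put there. The script below is an added example, not the article's code and not the Fing application it mentions: it parses a saved copy of the Linux neighbour table (`ip neigh show`, which lists the IP and MAC address of every host the computer has recently talked to) and compares the MAC addresses with an inventory you maintain. The sample table, the inventory and the one-entry vendor-prefix table are constructed for illustration.

```python
"""List the devices seen on the home LAN and flag the ones not in your inventory.

Added example: parses the output of `ip neigh show` (Linux). The sample
output, the inventory and the vendor table below are constructed.
"""
import re

# One neighbour entry: "<ip> dev <iface> lladdr <mac> [router] <STATE>".
# Entries in FAILED or INCOMPLETE state carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+router)?\s+(?P<state>[A-Z]+)\s*$",
    re.I)

# Constructed sample, as saved with:  ip neigh show > neigh.txt
SAMPLE_NEIGH = """\
192.168.57.1 dev wlan0 lladdr 3c:7c:3f:aa:bb:01 REACHABLE
192.168.57.23 dev wlan0 lladdr 8c:85:90:12:34:56 STALE
192.168.57.40 dev wlan0 lladdr b8:27:eb:de:ad:01 REACHABLE
192.168.57.77 dev wlan0 lladdr 00:11:22:33:44:55 DELAY
192.168.57.90 dev wlan0  FAILED
fe80::3e7c:3fff:feaa:bb01 dev wlan0 lladdr 3c:7c:3f:aa:bb:01 router REACHABLE
"""

# Devices you know about, keyed by MAC address (constructed inventory).
KNOWN_DEVICES = {
    "3c:7c:3f:aa:bb:01": "router",
    "8c:85:90:12:34:56": "laptop",
    "b8:27:eb:de:ad:01": "raspberry-pi-camera",
}

# Stand-in for a real OUI database: only the Raspberry Pi prefix is listed.
OUI_VENDORS = {"b8:27:eb": "Raspberry Pi Foundation"}


def parse_neigh(text: str) -> list:
    """Return one dict (ip, dev, mac, state) per entry that has a MAC address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = d["mac"].lower()
            entries.append(d)
    return entries


def devices_by_mac(entries: list) -> dict:
    """Merge the IPv4 and IPv6 entries of one interface into one device record."""
    devices = {}
    for e in entries:
        dev = devices.setdefault(e["mac"], {"ips": [], "states": set()})
        dev["ips"].append(e["ip"])
        dev["states"].add(e["state"].upper())
    return devices


def unknown_devices(devices: dict, known: dict) -> list:
    """MACs present on the LAN but missing from the inventory, with a vendor hint."""
    report = []
    for mac, info in devices.items():
        if mac not in known:
            vendor = OUI_VENDORS.get(mac[:8], "unknown vendor")
            report.append({"mac": mac, "ips": info["ips"], "vendor": vendor})
    return report


if __name__ == "__main__":
    devs = devices_by_mac(parse_neigh(SAMPLE_NEIGH))
    for mac, info in devs.items():
        print(f"{mac}  {KNOWN_DEVICES.get(mac, '?'):22} {', '.join(info['ips'])}")
    for u in unknown_devices(devs, KNOWN_DEVICES):
        print("UNKNOWN:", u["mac"], u["vendor"], u["ips"])
```

On the constructed sample the router appears twice (IPv4 and link-local IPv6) and is merged into one record, the FAILED entry is ignored, and one device, 00:11:22:33:44:55 at 192.168.57.77, is reported as unknown. Once you have identified such a device, either add it to the inventory or remove it from the network; the neighbour table only shows hosts the scanning computer has exchanged packets with, so a scan of the whole subnet (for instance with Fing) is the more complete source.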

About the author

Cheryl Conley heads the information security training department at Lockheed Martin. She uses the company's proprietary The I Campaign (TM) methodology to train the company's 100,000 employees. The method makes active use of focus groups within the company and coordinates the global program.
