
An example of a secure home LAN configuration: how to set up a home router so that the network is secure

Avast always tries to stay ahead when it comes to protecting users from new threats. More and more people watch films, sports broadcasts and television shows on Smart TVs. They control the temperature in their homes with digital thermostats. They wear smart watches and fitness bracelets. As a result, security needs extend beyond the personal computer to cover every device in the home network.

Nevertheless, home routers, the key infrastructure devices of the home network, often have security problems and give hackers easy access. A recent Tripwire study showed that 80 percent of the best-selling routers have vulnerabilities. Moreover, the most common credential combinations for the administrative interface, in particular admin/admin or admin with no password, are used on 50 percent of routers worldwide. Another 25 percent of users use their address, date of birth, first name or surname as the router password. As a result, more than 75 percent of routers worldwide are vulnerable to simple password attacks, which opens up the possibility of deploying threats inside the home network. The security situation of routers today resembles the 1990s, when new vulnerabilities were found every day.

The Home Network Security feature

The Home Network Security feature in Avast Free Antivirus, Avast Pro Antivirus, Avast Internet Security and Avast Premier Antivirus addresses these problems by scanning the router settings and the home network for potential issues. In the Avast Nitro Update the discovery engine of the Home Network Security tool was completely reworked: support for multi-threaded scanning was added and an improved DNS hijack detector was implemented. The engine now supports ARP scanning and port scanning performed at the kernel driver level, which makes the check several times faster than the previous version.

Home Network Security can automatically block cross-site request forgery (CSRF) attacks on the router. CSRF exploits abuse website vulnerabilities and allow cybercriminals to send unauthorized commands to a site. The command imitates an instruction from a user the site already knows, so criminals can impersonate that user, for example to transfer the victim's money without their knowledge. Using CSRF requests, criminals can remotely change router settings to overwrite the DNS parameters and redirect traffic to fraudulent sites.

The Home Network Security component scans the home network settings and the router for potential security problems. The tool detects weak or default Wi-Fi passwords, vulnerable routers, compromised Internet connections and an enabled but unsecured IPv6 protocol. Avast shows a list of all devices in the home network so that users can verify that only known devices are connected. The component gives simple recommendations for eliminating the detected vulnerabilities.

The tool also notifies the user when new devices, such as TVs and other connected equipment, join the network. The user can thus immediately spot an unknown device.

This new proactive approach reflects the general concept of maximum, comprehensive user protection.

With the spread of broadband Internet access and pocket gadgets, wireless routers have become extremely popular. Such devices distribute a Wi-Fi signal both to desktop computers and to mobile devices, smartphones and tablets, and the channel bandwidth is enough for several consumers connected at the same time.

Today a wireless router is in almost every house where broadband Internet has been installed. However, not all owners of such devices realize that with the default settings they are extremely vulnerable to intruders. And if you think that you do nothing on the Internet that could hurt you, consider that by intercepting your local wireless network signal hackers can reach not only your personal correspondence but also your bank account, work documents and any other files.

Hackers may not limit themselves to the memory of your own devices: its contents can reveal keys to the networks of your company, your family and acquaintances, and to data in all kinds of commercial and government information systems. Moreover, through your network and in your name, attackers can carry out mass attacks, break-ins, illegal distribution of media files and software and other criminally punishable activities.

Meanwhile, to protect yourself from such threats it is enough to follow several simple rules that are understandable and accessible even to those without special knowledge of computer networks. We invite you to get acquainted with these rules.

1. Change the default administrator credentials

To access the settings of your router you need to open its web interface. For that you need to know its IP address in the local network (LAN), as well as the administrator's username and password.

The internal IP address of the router by default usually has the form 192.168.0.1, 192.168.1.1, 192.168.100.1 or, for example, 192.168.123.254; it is always specified in the equipment documentation. The default login and password are usually also given in the documentation, or you can get them from the router manufacturer or your service provider.

Enter the router's IP address in the browser address bar and, in the window that appears, enter the login and password. The router's web interface with all its settings will open.

The key security element of a home network is the ability to change its settings, so all default administrator credentials must be changed, because the same ones may be in use on tens of thousands of routers identical to yours. Find the corresponding item and enter new credentials.

In some cases the ability to change the administrator credentials is locked by the service provider, and then you will have to ask them for help.

2. Set or change the password for access to the local network

You may laugh, but there are still cases when a generous owner of a wireless router runs an open access point that anyone can connect to. Much more often the home network gets a pseudo-password like "1234" or some trivial word set when the network was installed. To minimize the chance that someone gets into your network with ease, come up with a really long password of letters, digits and symbols, and set the encryption level of the signal, preferably WPA2.

3. Disable WPS

WPS (Wi-Fi Protected Setup) allows you to quickly establish a protected wireless connection between compatible devices without detailed configuration, just by pressing the corresponding buttons on the router and the gadget or by entering a numeric code.

Meanwhile this convenient system, usually enabled by default, has one weak point: since WPS does not limit the number of attempts to enter an incorrect code, it can be broken by brute force, simple enumeration with the simplest utilities. Penetrating your network through the WPS code takes from a few minutes to several hours, after which recovering the network password is not much harder.

Therefore, find the corresponding item in the admin interface and turn WPS off. Unfortunately, changing the setting does not always really turn WPS off, and some manufacturers do not provide such an option at all.

4. Change the SSID name

The SSID (Service Set Identifier) is the name of your wireless network. It is this name that various devices "remember": when they recognize the name and have the necessary password they try to connect to the local network. So if you keep the standard name set, for example, by your provider, it is likely that your devices will try to connect to a variety of nearby networks with the same name.

Moreover, a router broadcasting the standard SSID is more vulnerable to hackers, who will roughly know its model and usual settings and can strike at specific weak points of that configuration. Therefore choose the most unique name possible, one that says nothing about the service provider or the equipment manufacturer.

At the same time, the frequently encountered advice to hide the SSID broadcast (such an option is standard in the overwhelming majority of routers) is actually untenable. The point is that all devices trying to connect to your network will in any case probe the nearest access points and may connect to networks deliberately "planted" by intruders. In other words, by hiding the SSID you only make life harder for yourself.

5. Change the router's IP address

To further hinder unauthorized access to the router's web interface and settings, change its default internal (LAN) IP address.

6. Disable remote administration

For the convenience of technical support (mainly), many household routers implement a remote administration function through which the router settings become accessible over the Internet. So if we do not want to be penetrated from the outside, it is better to disable this feature.

Even so, it is still possible to reach the web interface via Wi-Fi if the attacker is within range of your network and knows the username and password. Some routers have a function that limits access to the panel to wired connections only, but unfortunately this option is quite rare.

7. Update the firmware

Every manufacturer that respects itself and its customers constantly improves the software of its equipment and regularly releases updated firmware versions. Fresh versions first of all fix discovered vulnerabilities, as well as errors that affect stability.

Note that after an update all the settings you made may be reset to factory defaults, so it makes sense to back them up, also via the web interface.

8. Switch to 5 GHz

The basic band of Wi-Fi networks is 2.4 GHz. It gives most existing devices reliable reception at a distance of about 60 m indoors and up to 400 m outdoors. Switching to the 5 GHz band reduces the range two to three times, limiting outsiders' ability to get into your wireless network. Because the band is less congested, you may also notice higher data transfer rates and a more stable connection.

This solution has only one drawback: not all devices support the IEEE 802.11ac Wi-Fi standard in the 5 GHz band.

9. Disable the Ping, Telnet, SSH, UPnP and HNAP functions

If you do not know what is hidden behind these abbreviations and are not sure that you will need these functions, find them in the router settings and disable them. If possible, instead of closing the ports, select stealth mode, which makes these ports "invisible" to attempts to reach them from the outside by ignoring requests and pings.

10. Turn on the router's firewall

If your router has a built-in firewall, we recommend turning it on. Of course, it is not a bastion of absolute protection, but together with software protection (even the firewall built into Windows) it can resist attacks quite adequately.

11. Disable filtering by MAC address

Although at first glance it seems that allowing only devices with specific MAC addresses to connect fully guarantees security, in reality it does not. Moreover, it leaves the network open even to not very ingenious hackers. If an attacker can observe the incoming packets, he will quickly obtain a list of active MAC addresses, because they are transmitted unencrypted in the data stream. And replacing a MAC address is not a problem even for a non-professional.

12. Switch to another DNS server

Instead of using your provider's DNS server, you can switch to an alternative such as Google Public DNS or OpenDNS. On the one hand this can speed up the delivery of web pages, and on the other it can improve safety. For example, OpenDNS blocks viruses, botnets and phishing requests on any port, protocol or application, and thanks to special big-data algorithms it is able to predict and prevent a variety of threats and attacks. Google Public DNS, by contrast, is simply a fast DNS server without additional features.
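The DNS-overwrite attack described above leaves a simple trace: a resolver you never chose. The following script is an added example (not from the article or any Avast tool) that reads the resolvers a host was handed in resolv.conf format and classifies each one; the gateway address 192.168.1.1 and the sample file are constructed values.

```python
"""Resolver sanity check: added example, not part of the article or any Avast tool.

Reads the resolvers a host was handed (/etc/resolv.conf format, constructed
sample below) and classifies each one. Assumed: the LAN gateway is
192.168.1.1 (constructed value).
"""
from __future__ import annotations

import ipaddress

# Anycast addresses of the two public resolvers the article names.
TRUSTED_RESOLVERS = {
    "8.8.8.8": "Google Public DNS",
    "8.8.4.4": "Google Public DNS",
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

# RFC 1918 / loopback / ULA ranges only. ipaddress.is_private also counts
# documentation ranges as private, so we keep our own explicit list.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]

# Constructed sample of a resolv.conf written by a DHCP client.
RESOLV_SAMPLE = """\
# generated by the DHCP client (constructed sample)
search lan
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 198.51.100.23
nameserver not-an-ip
"""


def parse_resolv_conf(text: str) -> list[str]:
    """Return the nameserver values in file order, ignoring comments and other options."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolver(server: str, gateway: str,
                      trusted: dict[str, str] = TRUSTED_RESOLVERS) -> tuple[str, str]:
    """Map one resolver address to (verdict, reason)."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return ("invalid", "not an IP address")
    if str(addr) == gateway:
        # The router forwards upstream; its own WAN DNS setting must be checked too.
        return ("router", "gateway forwarder; also verify the router's upstream DNS")
    if str(addr) in trusted:
        return ("trusted", trusted[str(addr)])
    if any(addr in net for net in LAN_NETWORKS):
        return ("lan", "resolver inside the LAN; confirm you set it up yourself")
    return ("suspect", "public resolver you did not choose; possible DNS hijack")


def audit_resolvers(text: str, gateway: str) -> dict[str, tuple[str, str]]:
    """Verdict for every nameserver line in the file."""
    return {s: classify_resolver(s, gateway) for s in parse_resolv_conf(text)}


def hijack_suspected(text: str, gateway: str) -> bool:
    """True if any configured resolver is an unexpected public address."""
    return any(v == "suspect" for v, _ in audit_resolvers(text, gateway).values())


if __name__ == "__main__":
    for server, (verdict, reason) in audit_resolvers(RESOLV_SAMPLE, "192.168.1.1").items():
        print(f"{server:16} {verdict:8} {reason}")
```

Run it against the real /etc/resolv.conf (or the DNS servers shown in the router's status page) after changing the DNS settings, and again whenever the router is updated or reset.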

13. Install alternative firmware

And finally, a radical step for those who understand what they are doing is installing firmware written not by the manufacturer of your router but by enthusiasts. As a rule, such firmware not only extends the device's functionality (support for professional features such as QoS, bridge mode, SNMP and so on is usually added) but also makes it more resistant to vulnerabilities, partly thanks to its non-standard nature.

Among the popular Open-Source "Firmware" can be called Linux based

Introduction

The relevance of this topic is that the changes taking place in the economic life of Russia (the creation of a financial and credit system, enterprises of various forms of ownership, etc.) have a significant impact on information security issues. For a long time there was only one form of property in our country, state property, so information and secrets were also state-owned and were guarded by powerful special services. Information security problems are constantly aggravated by the penetration of technical means of data processing and transfer, above all computing systems, into almost all areas of society's activity. The objects of encroachment can be technical means (computers and peripherals) as material objects, and software and databases for which the technical means are the environment.

Every failure of a computer network is not only "moral" damage for the employees of the enterprise and the network administrators. As technologies for electronic, paperless payments and documents develop, a serious failure of local networks can simply paralyze the work of entire corporations and banks, which leads to tangible material losses. It is no accident that data protection in computer networks is becoming one of the most acute problems of modern computer science.

To date, two basic information security principles have been formulated, which should provide:
  • data integrity: protection against failures leading to loss of information, as well as against unauthorized creation or destruction of data;
  • confidentiality of information and, at the same time, its availability to all authorized users.

It should also be noted that certain areas of activity (banking and financial institutions, information networks, government systems, defense and special structures) require special data security measures and place increased demands on the reliability of information systems, in line with the nature and importance of the tasks they solve.

If a computer is connected to a local network, then potentially this computer and its information can be accessed without authorization from the local network.

If the local network is connected to other local networks, users of those remote networks are added to the possible unauthorized users. We will not discuss the accessibility of such a computer from the network or from the channels through which the local networks are connected, because there are certainly devices at the exits of local networks that encrypt and control traffic, and the necessary measures have been taken.

If the computer is connected directly through a provider to an external network, for example via a modem to the Internet for remote interaction with its local network, then the computer and the information in it are potentially available to crackers from the Internet. And the most unpleasant thing is that hackers may get through this computer to the resources of the local network.

Naturally, with all such connections either the standard access control means of the operating system, or specialized protection against unauthorized access, or cryptographic systems at the level of specific applications, or all of them together are applied.

However, all these measures unfortunately cannot guarantee the desired security against network attacks, and this is explained by the following main reasons:

Operating systems (OS), especially Windows, are highly complex software products created by large teams of developers. Detailed analysis of these systems is extremely difficult. For this reason it is not possible to reliably demonstrate the absence of errors or undocumented capabilities in them, left accidentally or deliberately in the OS, which could be used in network attacks.

In a multitasking OS, in particular Windows, many different applications can run at the same time, ...

A few years ago home wireless networks were quite simple and, as a rule, consisted of an access point and a couple of computers used for Internet access, online shopping or games. But nowadays home networks have become much more complicated. A large number of devices are now connected to the home network, and they are used not only to access the Internet or view media. In this article we will talk about how to make the home network safe for all family members.

Wireless security

In almost every house there is a wireless network (the so-called Wi-Fi network). This network allows you to connect any device to the Internet, such as a laptop, a tablet or a game console. Most wireless networks are managed by a router, a device installed by your Internet provider to provide Internet access. But in some cases your network may be run by separate systems, so-called access points, that are connected to the router. Regardless of which system connects your devices to the Internet, the principle of operation is the same: transmission of radio signals, through which various devices can connect to the Internet and to other devices in your network. This means that the safety of your home network is one of the main components of protecting your home. We advise you to follow these rules to ensure the security of your home network:
  • Change the administrator password set by the manufacturer of the Internet router or access point. The administrator account allows changes to the network settings. The problem is that many routers ship with standard, well-known passwords that are easy to find on the Internet. Therefore you should change the factory password to a unique and strong password that only you know.
  • Change the network name set by the manufacturer (also called the SSID). This is the name your devices see when searching for the home wireless network. Give your home network a unique name that is easy to recognize but contains no personal information. Configuring the network as "invisible" is a low-efficiency form of protection: most wireless network scanning programs and any experienced hacker can easily detect "invisible" networks.
  • Make sure that only people you trust can connect to your network and that the connection is encrypted. This will help increase security. Currently the safest connection is WPA2: a password is required to join the network and encryption is used. Make sure you are not using an outdated method such as WEP, or an open network (which provides no protection). An open network lets absolutely anyone connect to your wireless network without authentication.
  • Make sure you use a strong password for connecting to your network that does not match the administrator password. Remember that the password only needs to be entered once on each device; the device then remembers and stores it.
  • Most wireless networks support a so-called guest network (Guest Network). It lets guests access the Internet while the home network stays protected, since guests cannot connect to your home devices. If you add a guest network, make sure it uses WPA2 and is protected with a unique and strong password.
  • Disable Wi-Fi Protected Setup and any other configuration option that allows new devices to connect without entering the password.
  • If you find it hard to remember all the passwords, we strongly recommend using a password manager to store them.
Have questions about the items listed? Contact your Internet provider, consult the instructions for the router or access point, or see their manufacturers' websites.

Security of your devices

The next step is to identify all the devices connected to the network and secure them. This was easy when only a small number of devices were connected to the network. But in the modern world almost any device can be "constantly connected" to the network, including televisions, game consoles, baby monitors, speakers, heaters or even cars. One simple way to detect connected devices is to use a network scanner, for example Fing. Once installed on a computer, this application lets you detect absolutely all devices connected to the network. After you have found all the devices, you should take care of their security. The best way to ensure security is to update their operating systems/firmware regularly. If possible, configure automatic updates. If a device can be protected with a password, use only a strong and reliable one. And finally, visit your provider's website for information about free ways to protect your network.
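The device inventory step above (and the "new device connected" alert of the Avast tool described earlier) can be reproduced with a short script. The following is an added example, not code from the article, from Fing or from Avast: it parses Linux `arp -a` output, compares the MAC addresses seen against a list of known devices and reports anything unknown or newly connected; the ARP lines and the inventory are constructed values.

```python
"""Device inventory check: added example, not part of the article, Fing or Avast.

Parses Linux `arp -a` output (constructed sample below), compares the MAC
addresses seen against a list of known devices and reports anything unknown
or newly connected. The known-device list and the ARP lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One `arp -a` line on Linux: "tv.lan (192.168.1.30) at aa:bb:cc:dd:ee:02 [ether] on wlan0"
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]+) \[ether\] on (?P<iface>\S+)$"
)

# Constructed sample output of `arp -a`.
ARP_SAMPLE = """\
router.lan (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at AA:BB:CC:DD:EE:1 [ether] on wlan0
smart-tv.lan (192.168.1.30) at aa:bb:cc:dd:ee:02 [ether] on wlan0
? (192.168.1.77) at 66:77:88:99:aa:bb [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0
"""

# Constructed inventory: MAC -> friendly name of devices you recognize.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": "home router",
    "aa:bb:cc:dd:ee:01": "my laptop",
    "aa:bb:cc:dd:ee:02": "living-room TV",
}


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    host: str
    iface: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, zero-padded form so 'AA:B:..' and 'aa:0b:..' compare equal."""
    parts = [p.zfill(2).lower() for p in mac.replace("-", ":").split(":")]
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(parts)


def parse_arp(output: str) -> list[Device]:
    """Extract resolved entries; '<incomplete>' lines carry no MAC and are skipped."""
    devices = []
    for raw in output.splitlines():
        m = ARP_LINE.match(raw.strip())
        if m:
            devices.append(Device(m["ip"], normalize_mac(m["mac"]), m["host"], m["iface"]))
    return devices


def unknown_devices(devices: list[Device], known: dict[str, str]) -> list[Device]:
    """Devices whose MAC is not in the inventory."""
    return [d for d in devices if d.mac not in known]


def new_since(previous_macs: set[str], devices: list[Device]) -> set[str]:
    """MACs present now that were absent in the previous scan (known or not)."""
    return {d.mac for d in devices} - previous_macs


if __name__ == "__main__":
    seen = parse_arp(ARP_SAMPLE)
    for d in unknown_devices(seen, KNOWN_DEVICES):
        print(f"UNKNOWN device {d.mac} at {d.ip} ({d.host}) on {d.iface}")
    print("new since last scan:", sorted(new_since({"00:11:22:33:44:55"}, seen)))
```

Note that the ARP cache only lists hosts the scanning computer has recently exchanged packets with, so a ping sweep of the subnet (or the router's own client list) gives a more complete picture than the cache alone.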

About the author

Cheryl Conley heads the information security training department at Lockheed Martin. She uses the company's branded The I Campaign TM methodology to train its 100,000 employees. The methodology makes active use of focus groups within the company and coordinates the global program.

Today almost every apartment has a home network to which desktop computers, laptops, network storage (NAS), media players, smart TVs, as well as smartphones, tablets and other wearable devices are connected. Either wired (Ethernet) or wireless (Wi-Fi) connections and the TCP/IP protocols are used. With the development of Internet technologies, household appliances have joined the network: refrigerators, coffee makers, air conditioners and even electrical equipment. Thanks to "smart home" solutions we can control the brightness of lighting, remotely configure the microclimate in rooms, and turn various devices on and off. This makes life much easier, but it can create considerable problems for the owner of such advanced solutions.

Unfortunately, the developers of such devices do not always care about the security of their products, and the number of vulnerabilities found in them grows like mushrooms after rain. It often happens that after a device enters the market it stops being supported: our TV, for example, runs 2016 firmware based on Android 4, and the manufacturer is not going to update it. Guests add problems too: refusing them Wi-Fi access is awkward, but you also would not want to let just anyone into your cozy network. Who knows what viruses may have settled in strangers' mobile phones? All this leads us to the need to divide the home network into several isolated segments. Let's try to figure out how to do this, as they say, with little blood and minimal financial cost.

Isolating the Wi-Fi network
In corporate networks the problem is solved simply: there are managed switches with VLAN support, a variety of routers, firewalls and wireless access points, and the required number of isolated segments can be built in a couple of hours. With a Traffic Inspector Next Generation (TING) device, for example, the task is solved in literally a few clicks: it is enough to connect the guest segment's network to a separate Ethernet port and create firewall rules. For the home this option is not suitable because of the cost of the equipment; most often the network is controlled by a single device that combines the functions of router, switch, wireless access point and goodness knows what else.

Fortunately, modern home routers (though they are more correctly called Internet centers) have also become very smart, and almost all of them, except the very cheapest, can create an isolated guest Wi-Fi network. The reliability of that isolation is a question for a separate article; today we will not examine the firmware of household devices from different manufacturers. As an example let us take the Zyxel Keenetic Extra II. This line is now known simply as Keenetic, but the device we got was released under the ZyXEL brand.

Setup via the web interface will not cause difficulties even for beginners: a few clicks, and we have a separate wireless network with its own SSID, WPA2 protection and access password. Guests can be put on it, as well as TVs and players with long-unupdated firmware or other clients you do not particularly trust. In most devices from other manufacturers this function, we repeat, is also present and is enabled in the same way. This is how the task is solved, for example, in the firmware of D-Link routers using the setup wizard.


[Screenshot: a guest network can be added when the device is already configured and running]

[Screenshots from the manufacturer's site]

Isolating the Ethernet network
Besides clients connected to the wireless network, we may also have guests on the wired interface. Experts will say that so-called VLANs, virtual local networks, are used to create isolated Ethernet segments. Some household routers support this functionality, but here the task is more complicated. We do not want merely a separate segment; we need to combine ports for wired connections with the guest wireless network on one router. Not every household device can do this: a cursory survey shows that, besides Keenetic Internet centers, only models of the MikroTik line can add Ethernet ports to the same guest segment as the Wi-Fi network, and their configuration is no longer so straightforward. Among comparably priced household routers, only Keenetic solves the task in a couple of clicks in the web interface.

As you can see, our test device coped with the task, and here it is worth paying attention to another interesting function: you can also isolate wireless guest clients from each other. This is very useful: a friend's smartphone infected with malware will get out to the Internet but will not be able to attack other devices even within the guest network. If your router has a similar function, it is worth turning on, although it limits the clients' ability to interact with each other; for example, pairing a TV with a media player over Wi-Fi will no longer work and you will have to use a wired connection. At this stage our home network looks more protected.

What is the result?
The number of security threats grows from year to year, and manufacturers of smart devices do not always pay enough attention to the timely release of updates. In such a situation we have only one way out: separating clients and creating isolated segments for them. You do not need to buy equipment for tens of thousands of rubles for this; a relatively inexpensive household Internet center may well cope with the task. Here I would like to warn readers against buying devices from budget brands. The hardware of almost all manufacturers is now more or less identical, but the quality of the built-in software differs greatly, as does the length of the support cycle for released models.

Even the fairly simple task of combining the wired and wireless networks into one isolated segment is beyond some household routers, and you may have more complex ones. Sometimes you need to configure additional segments or DNS filtering to allow access only to safe hosts; in large rooms you have to connect Wi-Fi clients to the guest network via external access points, and so on. Besides security issues there are other problems: in public networks client registration must be ensured in accordance with the requirements of Federal Law No. 97 "On Information, Information Technologies and Information Protection". Inexpensive devices are able to solve such tasks, but not all of them; the functionality of the built-in software, we repeat, differs greatly.


