How to secure your home-office network

Noubar Akopian
Intern, CYBER GATES

Abstract

This article aims to raise awareness about using the internet in a business or education context. It explains what needs to be undertaken by both sides (users and company) and gives guidance on how to gradually build a long-term security plan for setting up a remote work or education environment. Larger companies and institutions have specialists in the IT service department who take care of the issue for them, but users and smaller businesses need some guidance. This article can serve as that guidance.

Introduction

1.1 Home Office

The home office is the work environment of the future. There will always be people who work from home, and their number will only keep increasing over time. It will therefore be a concern for most of today's institutions.

1.2 Secure home Office

All data is valuable. Data security assures not only the privacy (confidentiality) of digital data but also the safety (integrity) of that data. This means that security assures the data (work) will not get lost, stolen or manipulated.

The fundamentals of securing a home-office environment, and how to secure the data and the connection, are described in the following sections.

1.3 Usable security

Unusable security is no security. Any implemented security must be easy to apply, with as little effort as possible. Not every user is an IT security specialist, and even specialists cannot know everything. But security needs to be assured for every user in the network: any network is only as strong as its weakest link.

1.4 Guide

The instructions for the users are presented with examples.

Internet connection

These steps need to be applied to all wireless routers, regardless of whether the home-office PC connects to the router through an Ethernet cable or through a wireless signal.

2.1 Use protected wireless signals

First things first: make sure your network is protected by a WPA/WPA2 pre-shared key (the wireless password) with AES encryption. Do not use unprotected wireless networks, or any router via cable that is broadcasting an unprotected wireless access point.

To check this on any Windows version, run the following command in a console such as cmd or PowerShell.

netsh wlan show interfaces

In the response, the Authentication field needs to be WPA2, as follows:

Name : Wi-Fi
Description : Intel(R) Dual Band Wireless-AC
GUID : ********-****-****-****-000000000000
Physical address : **:**:**:**:**:**
State : connected
SSID : RoutersName
BSSID : **:**:**:**:**:**
Network type : Infrastructure
Radio type : 802.11n
Authentication : WPA2-Personal
Cipher : CCMP
Connection mode : Auto Connect
Channel : 3
Receive rate (Mbps) : 144.4
Transmit rate (Mbps) : 144.4
Signal : 95%
Profile : RoutersName
Hosted network status : Not started
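
The check above can be automated. The following PowerShell function is an added example, not part of the original article; it assumes English-language netsh output, and accepting WPA3 and GCMP in addition to WPA2 and CCMP is an assumption of the example.

```powershell
# Added example, not from the original article. Assumes English netsh output.
function Get-WlanSecurityFinding {
    param([string[]]$Lines)   # lines printed by `netsh wlan show interfaces`

    # Collect "Key : Value" pairs into one record per interface (each block
    # starts with "Name"). Only the first ": " splits, so MAC values survive.
    $records = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s*:\s(.*)$') {
            $key   = $Matches[1]
            $value = $Matches[2].Trim()
            if ($key -eq 'Name') { $current = @{}; $records += $current }
            if ($null -ne $current) { $current[$key] = $value }
        }
    }

    foreach ($r in $records) {
        # A disconnected adapter reports no Authentication or Cipher field.
        if ($r['State'] -ne 'connected') { continue }
        $problems = @()
        # The article requires WPA2; accepting WPA3 as well is an assumption.
        if ($r['Authentication'] -notmatch '^WPA[23]') {
            $problems += "authentication is '$($r['Authentication'])', expected WPA2"
        }
        # CCMP is the AES-based cipher; accepting GCMP is an assumption.
        if ($r['Cipher'] -notmatch '^(CCMP|GCMP)') {
            $problems += "cipher is '$($r['Cipher'])', expected CCMP (AES)"
        }
        [pscustomobject]@{
            Interface      = $r['Name'];           SSID   = $r['SSID']
            Authentication = $r['Authentication']; Cipher = $r['Cipher']
            Ok             = ($problems.Count -eq 0)
            Problems       = $problems -join '; '
        }
    }
}

# Constructed sample: one protected and one open network.
$sample = @'
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : RoutersName
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

    Name                   : Wi-Fi 2
    State                  : connected
    SSID                   : CafeGuest
    Authentication         : Open
    Cipher                 : None
'@ -split '\r?\n'

Get-WlanSecurityFinding -Lines $sample | Format-List
# Live check: Get-WlanSecurityFinding -Lines (netsh wlan show interfaces)
```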

Alternatively, it can be checked and edited in the router's settings page, which is reached by typing the router's IP address into the URL bar of an internet browser. To find the router's IP address, run the following command in cmd.

ipconfig

In the response, look for the default gateway of the Wi-Fi adapter if connected through Wi-Fi, or of the Ethernet adapter if connected through a cable.

Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : ****:****::0000
Temporary IPv6 Address. . . . . . : ****:****::0000
Link-local IPv6 Address . . . . . : ****::****:****::0000
IPv4 Address. . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

The address next to Default Gateway is the IP address of the router. In our case it is http://192.168.1.1. We navigate to this address by typing the IP address into the URL bar of any browser. If the default username and password have not yet been changed, they can be found on the manufacturer's website or may be printed on the router itself. In our case we sign in to the router's settings using the following credentials (Username: admin, Password: admin). These default credentials can differ between router models.

Check or change the wireless security settings as follows.

D-Link configuration

TP-Link configuration

Make the same changes for both 2 and 5 GHz networks if available.

2.2 No strange users are connected to your network

Make sure there are no unknown devices connected to the network. If there are, change the wireless password as in the previous step.

D-Link configuration

TP-Link configuration

Check the connected devices on both the wired and wireless networks.
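
As a complement to the router's client list, the PC's own ARP table can be compared against the devices you own. The following PowerShell function is an added example, not part of the original article; all addresses are constructed. The ARP table only contains hosts the PC has recently communicated with, so the router's list remains the authoritative view.

```powershell
# Added example, not from the original article. MAC and IP values are constructed.
function Find-UnknownDevice {
    param(
        [string[]]$ArpLines,   # lines printed by `arp -a`
        [string[]]$KnownMacs   # MAC addresses of the devices you own
    )
    # Normalise to lowercase hex without separators, so that
    # "AA:BB:CC:00:00:01" and "aa-bb-cc-00-00-01" compare equal.
    $known = @{}
    foreach ($mac in $KnownMacs) {
        $known[($mac -replace '[-:]', '').ToLower()] = $true
    }

    $rowPattern = '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s'
    foreach ($line in $ArpLines) {
        if ($line -match $rowPattern) {          # skips headers and blank lines
            $ip     = $Matches[1]
            $rawMac = $Matches[2]
            $mac    = ($rawMac -replace '-', '').ToLower()

            # Broadcast and multicast mappings are not devices: the lowest
            # bit of their first octet is set (ff-ff-..., 01-00-5e-...).
            $firstOctet = [Convert]::ToInt32($mac.Substring(0, 2), 16)
            if ($firstOctet -band 1) { continue }

            if (-not $known.ContainsKey($mac)) {
                [pscustomobject]@{ IPAddress = $ip; MacAddress = $rawMac }
            }
        }
    }
}

# Constructed sample of `arp -a` output.
$arpSample = @'
Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-00-00-01     dynamic
  192.168.1.23          aa-bb-cc-00-00-17     dynamic
  192.168.1.42          66-77-88-00-00-2a     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
'@ -split '\r?\n'

$mine = 'AA:BB:CC:00:00:01', 'aa-bb-cc-00-00-17'   # router and laptop
Find-UnknownDevice -ArpLines $arpSample -KnownMacs $mine
# Live check: Find-UnknownDevice -ArpLines (arp -a) -KnownMacs $mine
```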

2.3 Disable possible vulnerabilities

Disable the WPS option if it is not explicitly needed. Especially on older routers, the WPS feature was vulnerable to brute-force attacks. Most newer routers are patched today, but better safe than sorry: disable it if it is not explicitly needed or used.

D-Link configuration

TP-Link configuration

VPN connection

3.1 Commercial VPNs

Using a VPN is, in general, a question of trust: who is more trustworthy, the ISP or the VPN service provider? With a VPN service the data is hidden from the ISP, but not from the VPN company itself, because it acts like a proxy server. Every connection between the user and the VPN server is encrypted, but the same request continues to the target server without that encryption as soon as it leaves the proxy server. History shows that VPN companies can lie about their data collection policies. The collected telemetry data from these companies is also a myth.

3.2 Zero trust policy

The zero trust policy is always the best way to ensure security, but most of the time it is not the most efficient way. Institutions cannot invest time in developing or implementing their own security solutions. Here, automated solutions play a key role in businesses.

3.3 VPNs in home-office context

In the home-office context the VPN is provided by the institution itself, so the work payload is encrypted through the Virtual Private Network. VPNs can be used in conjunction with an existing Wi-Fi network to ensure that data is encrypted when it is sent to and from your office. VPNs also anonymize an employee's web traffic when they are working remotely and using a less secure Wi-Fi signal. With full-tunnel VPN connections, all remote host traffic goes through the corporate network. This can cause some performance issues, especially when users stay on the VPN after finishing their work or study.

How do you set up a VPN connection between the corporate network and users? The OpenVPN protocol is safe and easy to set up. The corporate network's router needs to support the OpenVPN protocol. The manufacturer will have a guide which can be followed.

In our case.

On the user side, the OpenVPN GUI client can be installed and used to connect to the institution's router. It is easy to set up and use.

Network management

4.1 Network structure

An excellent strategy is to separate departments, rooms and servers physically or virtually in order to isolate them; this offers secure, authenticated proxy services that sit in front of applications. That won't solve all problems, but it can drastically reduce the surface area you are presenting to malicious users. Monitoring and logging the network traffic is also indispensable. In addition to monitoring tools, the tools described in this section are also used. Which tool or tools are needed depends on the context and the need. Always keep it simple: over-engineering any security application can lead to unintended vulnerabilities.

4.2 Firewall

Firewalls regulate network traffic in several ways:

Packet filtering firewalls: These firewalls examine packets as they attempt to pass in and out of the network and check whether they comply with the security rules. Packets are compared against filters that identify network threats, and unwanted packets are blocked. The inspection covers specific metadata such as source and destination IP address, port number, protocol, and other surface-level data. Packet filtering firewalls don't open and examine the contents of packets. Any data packet that fails the simple inspection is dropped. These firewalls are not resource-intensive and have a low impact on system performance. Their main disadvantage is that they provide only basic protection, which is vulnerable to being bypassed. Packet-filtering firewalls can be either stateful or stateless. Stateless firewalls analyze each packet individually, whereas stateful firewalls, the more secure option, take previously inspected packets into consideration. Stateful inspection conducts an in-depth examination of a data packet's elements, such as source IP addresses and ports, and compares them against a database of trusted information to ensure that data packets aren't malicious.

Proxy firewalls: Also known as application-level firewalls. These firewalls may work more slowly than others, but they are great at mirroring the system behind the firewall, which prevents direct connections between data packets and the end system device. This is useful in keeping malicious data packets away from the main devices. Working as an intermediary between two systems, proxy firewalls monitor traffic at the application layer (protocols at this layer include HTTP and FTP). To detect malicious traffic, both stateful and deep packet inspection are used.

NAT firewalls: Network address translation (NAT) firewalls work by assigning a public address to a group of devices inside a private network. With NAT, individual IP addresses are hidden. This prevents attackers from scanning for IP addresses on a network, so it is not possible to discover certain details from outside of the network. NAT firewalls and proxy firewalls both act as intermediaries connecting groups of devices with external traffic.

Web application firewalls (WAF): These are responsible for filtering, monitoring and blocking data packets as they go in and out of websites or web applications. A WAF can either reside on the network, at the host or in the cloud and it is typically placed in front of one or many websites or applications. WAFs are available as server plugins, cloud services, or network devices. A WAF is most similar to the proxy firewall, but has a more specific focus on defending against application layer web-based attackers. It protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. While a proxy server protects a client machine's identity by using an intermediary, a WAF is a type of reverse-proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server. A WAF operates according to a set of rules often referred to as policies. These policies are designed to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by changing WAF policies.

Next generation firewalls (NGFW): An NGFW is a combination of several technologies according to the need, such as packet inspection, stateful inspection, deep packet inspection, intrusion detection and prevention, malware filtering, antivirus and even encrypted traffic inspection. As the threat landscape intensifies, the next-generation firewall (NGFW) is the most popular firewall type available today. Thanks to major improvements in storage space, memory, and processing speeds, it can unpack the packet's data to prevent any packets with malicious data from moving forward. Securing each and every device on your network is still a challenge, but not impossible. With a judicious mix of technology (antivirus/anti-spam, firewall, business activity monitoring, etc) and management (internet usage policy, BYOD guidelines, identity management, regular updates, etc) you can ensure that your network, devices and databases can be insulated from most threats.
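
The difference between stateless and stateful packet filtering described above can be shown with a small simulation. This is an added example, not part of the original article; the rules, packets and field names are constructed. It shows that a stateless rule set which lets HTTPS replies in also accepts an unsolicited inbound packet with the same remote port, while the stateful filter accepts only replies to flows opened from inside.

```powershell
# Added example, not from the original article. Rules, packets and field
# names are constructed for illustration.
function Test-StatelessFilter {
    param([hashtable]$Packet, [hashtable[]]$Rules)
    # Looks only at surface-level fields of this one packet.
    foreach ($rule in $Rules) {
        if ($rule.Dir -eq $Packet.Dir -and $rule.Proto -eq $Packet.Proto -and
            $rule.RemotePort -eq $Packet.RemotePort) { return $true }
    }
    return $false   # default deny
}

function Test-StatefulFilter {
    param([hashtable]$Packet, [hashtable[]]$OutboundRules, [hashtable]$Connections)
    # A flow is identified by protocol, remote endpoint and local port.
    $flow = '{0}|{1}|{2}|{3}' -f $Packet.Proto, $Packet.RemoteIP,
                                 $Packet.RemotePort, $Packet.LocalPort
    if ($Packet.Dir -eq 'out') {
        $allowed = Test-StatelessFilter -Packet $Packet -Rules $OutboundRules
        if ($allowed) { $Connections[$flow] = $true }   # remember the flow
        return $allowed
    }
    # Inbound packets pass only as replies to a flow opened from inside.
    return $Connections.ContainsKey($flow)
}

$outbound  = @(@{ Dir = 'out'; Proto = 'tcp'; RemotePort = 443 })
# A stateless filter needs an explicit inbound rule to let HTTPS replies in.
$stateless = $outbound + @(@{ Dir = 'in'; Proto = 'tcp'; RemotePort = 443 })

$packets = @(
    @{ Name = 'request';     Dir = 'out'; Proto = 'tcp'; RemoteIP = '203.0.113.10'; RemotePort = 443; LocalPort = 50000 },
    @{ Name = 'reply';       Dir = 'in';  Proto = 'tcp'; RemoteIP = '203.0.113.10'; RemotePort = 443; LocalPort = 50000 },
    @{ Name = 'unsolicited'; Dir = 'in';  Proto = 'tcp'; RemoteIP = '198.51.100.7'; RemotePort = 443; LocalPort = 3389 }
)

$connections = @{}   # state table of the stateful filter
foreach ($p in $packets) {
    [pscustomobject]@{
        Packet    = $p.Name
        Stateless = Test-StatelessFilter -Packet $p -Rules $stateless
        Stateful  = Test-StatefulFilter -Packet $p -OutboundRules $outbound -Connections $connections
    }
}
```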

4.3 Privileged Access Management (PAM)

PAM is sometimes referred to as privileged identity management (PIM) or privileged access security (PAS). It protects against the threats posed by credential theft and privilege misuse. PAM refers to a comprehensive cybersecurity strategy, comprising people, processes and technology to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment. PAM is grounded in the principle of least privilege, wherein users or programs only receive the minimum levels of access required to perform their job functions. The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets. By enforcing the principle of least privilege, organizations can reduce the attack surface and mitigate the risk from malicious insiders or external cyber attacks that can lead to costly data breaches.

4.4 Identity Governance and Administration (IGA)

IGA automates the creation, management, and certification of user accounts, roles, and access rights for individual users in an organization. This means companies can streamline user provisioning, password management, policy management, access governance, and access reviews within their business. It is a policy-based approach to identity management and access control. As the name implies, IGA systems merge identity governance and identity administration to provide additional functionality beyond traditional identity and access management (IAM) tools. IGA differs from IAM in that it allows organizations to not only define and enforce IAM policy, but also connect IAM functions to meet audit and compliance requirements. This means Identity Governance and Administration has the distinct purpose to ensure IAM policies are connected and enforced. Identity governance helps support overall IT security and regulatory compliance.

It has two components:

4.5 Identity and Access Management (IAM)

IAM is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. The IT managers can control user access to critical information within their organizations. There is a difference between identity management and authentication. Systems used for IAM include single sign-on systems, two-factor authentication, multi-factor authentication and privileged access management. These technologies also provide the ability to securely store identity and profile data as well as data governance functions to ensure that only data that is necessary and relevant is shared. IAM systems can be deployed on premises, provided by a third-party vendor through a cloud-based subscription model or deployed in a hybrid model.

On a fundamental level, IAM encompasses the following components:

In this way it helps protect the sensitive data within the system and secure the system itself. Together, PAM and IAM help to provide fine-grained control, visibility, and auditability over all credentials and privileges.

5 Backups

Regular backups are indispensable for every institution, because the increasing number of home-office employees and the increasing dependence of institutions on the Internet increase the likelihood of cyber attacks of all kinds. Not only can these attacks endanger the data; human errors or bugs in code can also seriously put the data at risk. As a result, not only protection needs to be provided, but also a backup plan to be carried out after a compromise is detected. Partial and full backup plans should be set up, and data restored according to the size of the compromise. The zero trust policy must also be taken into account for paid and free cloud storage solutions. It is preferable to host your own cloud storage server. If this is not a valid option, data can be encrypted before it is saved to online cloud storage.

6 Security awareness by users

Training should emphasize strong separation of the home and work environments, phishing education and awareness, the need for continuous backups, and the importance of security updates to keep devices secure, as well as always keeping the device locked when it is not in use. Even users with great training and motivation are not a guarantee against incidents. The training should also make sure that users know how and whom to contact on the institution's side in security emergencies, such as the responsible IT security person or team. Gamification is one of the most popular and effective approaches in cyber security training today.

7 Conclusion

Setting up a secure home-office environment should be seen as continuous work. Manual and automated monitoring is required to ensure security. The right security solutions must also be carefully selected. The solutions need to be usable; never over-engineer a security solution. The human factor must be reduced as much as possible. Automated security solutions and awareness training are the best solutions for this problem.
