KEEP INTRUDERS OUT
USE WPA3
If you have a router made in the past few years, it probably supports the latest WPA3 Wi-Fi encryption standard. This closes off a security hole that could allow a nearby eavesdropper to spy on a WPA2 connection, so ensure that WPA3 is enabled on both the router and on any compatible clients. For now you’ll probably need to leave WPA2 enabled as well, to allow older devices to connect to the network, but as WPA3 becomes more commonplace, you can progressively reduce your exposure.
DISABLE WPS
Wireless Protected Setup (WPS) lets you conveniently connect any device to your home network by just entering a PIN or pressing a button. Unfortunately, the PIN system is vulnerable to brute-force attacks, making it possible for someone physically nearby to crack their way onto your network. A physical WPS button is more secure, but it could still allow someone who visits your home to quickly tap it and connect to the network without your knowing it. If you really want to keep your network secure, consider disabling WPS on the router.
MAC ADDRESS FILTERING
In most homes there are only a dozen or so devices that need to connect to the router. Each one has a unique media access control (MAC) address coded into its network interface; you can normally browse these by visiting the list of attached devices in your router’s administrative dashboard. And on most routers, it’s possible to create an allow-list of recognised devices, so that anything that isn’t on the list of approved MAC addresses won’t be permitted to connect to your network. It might be a drag to manually add clients from time to time, but this is a rock-solid way to ensure that no one’s piggybacking on your private network without your knowledge.
DISABLE REMOTE MANAGEMENT
Many routers, NAS appliances and other home devices offer remote management, allowing you to access administrative settings from wherever you happen to be. Unfortunately, this also raises the possibility of a remote attacker taking control, either by exploiting a vulnerability or by using stolen or brute-forced credentials. It’s much safer to reject all connection attempts from outside the local network – after all, how often do you really need to check up on your router settings when you’re out of the house?
MONITOR FOR NEW DEVICES CONNECTING TO YOUR WI-FI
If MAC address filtering is too restrictive, you may prefer to simply get an alert when a new device connects to your network for the first time so you can take immediate action if it’s not one you recognise. There are numerous free tools that can do the job, such as NirSoft’s Wireless Network Watcher (see pcpro.link/332watcher) or Easy WiFi Alert for Android (pcpro.link/332alert).
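The same check can be scripted on any always-on Linux box, such as a Raspberry Pi. The sketch below is an added example, not code from the article or from either tool it names: it compares the output of `ip neigh show` against an allow-list and also marks randomised (locally administered) MAC addresses, which phones commonly present and which will otherwise look like strangers. The sample output and the allow-list are constructed for illustration.

```python
import re

# Constructed sample of `ip neigh show` output (Linux); not from a real network.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 3C:84:6A:11:22:33 REACHABLE
192.168.1.23 dev wlan0 lladdr b8:27:eb:aa:bb:cc STALE
192.168.1.57 dev wlan0 lladdr 9a:10:44:de:ad:01 REACHABLE
192.168.1.80 dev wlan0 FAILED
192.168.1.91 dev wlan0 lladdr 00:1a:2b:3c:4d:5e DELAY
"""

# Hypothetical allow-list of devices the household recognises (MAC -> label).
KNOWN = {"3c:84:6a:11:22:33": "router", "b8:27:eb:aa:bb:cc": "raspberry-pi"}

# Entries that never resolved (FAILED/INCOMPLETE) carry no lladdr and are skipped.
LINE = re.compile(r"^(\S+) dev \S+ lladdr ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")


def parse_neighbours(text):
    """Yield (ip, mac) for every entry that resolved to a hardware address."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower()  # normalise case before comparing


def is_randomised(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def find_unknown(text, known):
    """Return devices that are not on the allow-list, sorted by IP string."""
    unknown = {}
    for ip, mac in parse_neighbours(text):
        if mac not in known:
            unknown[mac] = {"ip": ip, "mac": mac, "randomised": is_randomised(mac)}
    return sorted(unknown.values(), key=lambda d: d["ip"])


if __name__ == "__main__":
    for dev in find_unknown(SAMPLE_NEIGH, KNOWN):
        note = " (randomised address, may be a known phone)" if dev["randomised"] else ""
        print(f"NEW DEVICE {dev['mac']} at {dev['ip']}{note}")
```

To use it on a live network, replace `SAMPLE_NEIGH` with the text captured from `ip neigh show` and run the script on a schedule.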
FIREWALL EVERYTHING
Even if a device needs to be on your local network, it doesn’t necessarily need internet access – or if it does, it most likely only requires a few specific ports. If your router has a customisable firewall, consider applying a restrictive policy to all clients, and then only adding exceptions as needed.
Alternatively, if you don’t mind digging a little into the technical side of things, you can set up a Raspberry Pi to act as a firewall for your home network, using the free UFW (uncomplicated firewall) package – see pcpro.link/332pifirewall for a guide.
KEEP AN EYE ON YOUR TRAFFIC
Some router firmware includes a traffic meter that can break down network usage by client and by application. This can help you spot when a device is crying out for more bandwidth, or when an app is flooding your network and needs to be deprioritised. It can also help you identify suspicious behaviour: huge bursts of outgoing traffic are symptomatic of a system that’s been compromised and is being used to contribute to denial-of-service attacks, while if you spot a computer that’s continually reaching out to neighbouring clients, that could be malware trying to spread.