So you’re working from home for the foreseeable future? The kids are home, streaming whatever it is they stream all day. Your spouse is home, taking video conference meetings all day long. You, you’re just trying to get the numbers to match up in that 32-tab spreadsheet, and for the life of you cell AF321 on Tab 12 just won’t calculate properly!
Suddenly the kids stomp in complaining that their streaming keeps pausing and buffering. Your spouse just got bumped off of their video conference call and had to dial in just to try to hear what was going on.
You wander over to the cable modem and you notice that there’s an amorphous yellow lump of plastic next to it with a lone antenna sticking up in the air and you realize your WiFi router has reached meltdown state.
You fondly recall that day in 2003 when you bought that WiFi router. It was sleek. It was state of the art. It had a maximum throughput of 10 Mbps out the WAN port, and supported WEP encryption! In short, it was the bee’s knees, man!
OK, maybe I’m taking a bit too much poetic license here, but when was the last time you thought about that router, the Obama administration? If so, time to pay some attention to it.
Your current WiFi router
- Do the default credentials (often admin/admin or admin/password) log you into your router? If so, please change that right away (and make sure you’ll remember the password, or you’ll be familiarizing yourself with the “reset to factory defaults” process, and nobody wants that).
- Does it support WPA3 authentication? This is essentially state-of-the-art for home WiFi protection, and if you can’t identify that setting in your router it may be leaving your wireless traffic exposed to monitoring, or even allow others to use your WiFi without your permission, sucking down your bandwidth and interrupting your traffic. WPA2 is still reasonably secure if you’ve chosen a nice long passphrase for your WiFi password. If you don’t find either of these authentication (or security) options you really should replace it ASAP.
- Is there a firmware update for it? You may need to head to the manufacturer’s website to look for new firmware updates. But be warned, if you find that the date on the latest available firmware is more than a year old, your device is no longer being actively supported. That’s a strong indicator that you need to replace it ASAP.
- Has your router changed color? With all sincerity, if the plastic of your router is starting to look yellow or brown, it is time to replace it. Not because it is ugly, but because that’s an indicator of its age, and if it is that old it isn’t up to date.
Choosing a new WiFi router
You have a number of options in looking for a new WiFi router for your home.
Your Internet Provider “All-In-One” Box
You can certainly go this route. If you do so, a lot of the security issues will be addressed by your ISP. They’ll handle the firmware, they’ll even probably replace it when it is out of date. You will still be able to customize the WiFi network, but it will support secure connections, and that’s a good thing. They also may offer some great advanced features to help manage your kids’ browsing options, screen time, etc. that you may find helpful.
The bad news is you’ll probably pay a monthly rental fee for the device, and over time that will cost more than the amortized price of purchasing your own device. But this is the simplest route. Go this route and the rest of this document is probably not of much value to you.
Apartment, Condo, 2-Story Townhome, Single Floor House - Small Home Option
If you want to buy your own system, the sort of solution that will work well for you will be a single WiFi Router/WiFi Gateway device. These devices are going to be the most economical solutions, and can range from “bare bones” to devices that would make Elon Musk jealous. Here are things to look for:
- Buy a name brand. Off brands, usually cheaper, don’t spend as much on ensuring a secure solution, or even a quality solution, and aren’t likely to push out firmware updates, leaving you with a poorly performing, poorly secured device. Brands like Linksys, Netgear, and Asus are all relatively reliable choices here. (Please note, these are examples, not endorsements.)
- Look for one that supports the “AC” wireless standard. While not the “bleeding edge” option anymore, it is still relatively new and quite fast, and supports good security. (WiFi 6 is the latest and greatest; it’s up to you if you want to go down that road.) A router that supports AC will also be backward-compatible with your devices that don’t support this standard.
Larger and Multi-level Home
If you want your own system for a larger home, or a home with 3 or more levels, you’re probably going to need more than just a single device: you’re going to need a solution that can include a central router/gateway AND multiple WiFi Access Points. There are two basic options here:
- Mesh Networks. These solutions often include a central gateway device (which also has a built-in WiFi access point) that has to have an Ethernet connection to your cable or DSL modem, and that supports other WiFi access points that may need to be plugged into power elsewhere within the house. These devices will connect back to the central device via WiFi and then act as repeaters, re-broadcasting that wireless signal to the areas of the house that can’t get the original signal. In many cases you can buy the base unit by itself and add the extenders if you find you need them later, or you can buy it all as a group at once. Brands in this space include Google WiFi, Nest WiFi, EERO, Amplifi, and Orbi. (Please note, these are examples, not endorsements.)
- Small Business Networks. Now you’re talking about systems that probably include a stand-alone firewall, PoE switch, and Ethernet connected WiFi Access Points. If you’re going down this road, you probably didn’t need this document anyway, so we’ll just stop here.
Look for the same AC feature here that you would have for a smaller home solution.
Securing That New Router
There are likely GOBS of features you could configure on that new router you just bought, and we can’t discuss all of them here, so let’s look at the basics:
- First things first: change the login credentials! If you can change the username please do so, but before you do anything else please change that password for logging into your new system. Write it down on a piece of paper in your safe if you have to, but you MUST change that password.
- Set up good WiFi security: The settings can be confusing here, so let's focus on the ones that mean the most from a security perspective:
  - WPA2 with AES encryption is the minimum security option you should be setting up. (No WPA1, no WEP, and no TKIP.) If your device supports WPA3 that is even better.
  - Your password for joining the network (not the same as your password for managing the router) should be a passphrase, including punctuation and spaces. For example, “Our house, in the middle of our street.” is a much better choice than “H@x0rsh!de” as a WiFi password. (Though perhaps don’t choose a popular song lyric; that’s easily guessed/tried with a dictionary attack.)
  - Disable any “pairing button” options.
  - Do not choose options to “Hide SSID” or “Do Not Broadcast SSID.” These sound great, but they put your endpoint devices at risk when you leave the house, because a device set up for a hidden network keeps calling out for that network name wherever it goes.
- Update the firmware: The device you purchased has probably been sitting on a shelf somewhere for weeks, maybe months. There is probably a firmware update for it that fixes security holes, performance bugs, etc. Set a reminder to check for and install updates at least monthly. When you start seeing that it has been 6 months or a year since the last update, that’s your indicator that it might be time to replace the device.
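The passphrase advice above, as an added example that is not part of the original post: a small check to run on a candidate WiFi passphrase before setting it. It shows why a naive "complexity" score rates the song lyric highly while a phrase-list lookup still rejects it. The function names and the tiny phrase list are assumptions constructed for illustration.

```python
import math
import string

# Constructed sample list (assumption): a real check would load a much larger
# list of lyrics, quotes and common passwords.
KNOWN_PHRASES = {
    "our house in the middle of our street",
    "never gonna give you up",
    "password",
}

def normalize(passphrase):
    """Lowercase, drop punctuation, collapse spaces: decoration does not hide a lyric."""
    kept = "".join(c for c in passphrase.lower() if c.isalnum() or c == " ")
    return " ".join(kept.split())

def charset_bits(passphrase):
    """Naive strength estimate: length * log2(size of the character classes used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " "]
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0

def check_passphrase(passphrase):
    """Return a list of problems; an empty list means the passphrase passed."""
    problems = []
    if not 8 <= len(passphrase) <= 63:          # WPA2-PSK passphrase length limits
        problems.append("length")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("non-printable-ascii")  # keeps every client able to type it
    if normalize(passphrase) in KNOWN_PHRASES:
        problems.append("known-phrase")
    return problems

if __name__ == "__main__":
    for candidate in ("Our house, in the middle of our street.", "H@x0rsh!de",
                      "Teal kettle, nine owls; cold porch."):
        print(f"{candidate!r}: ~{charset_bits(candidate):.0f} bits (naive), "
              f"problems={check_passphrase(candidate)}")
```

The naive score only measures length and character variety, so treat it as an upper bound; the phrase-list check is what catches a long but well-known sentence.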
I hope you have found this blog helpful. We’re all facing a new reality and deepwatch believes in collaborating to secure businesses, homes, families, etc. If you are a business and you would like to learn how to run a remote security team or general work from home best practices, feel free to reach out to us anytime.
About the Author
Bill Bernard currently serves as deepwatch's Director of Solutions Architecture. He is a seasoned security expert with 20+ years of experience collaborating with customers to select and deploy the right security solutions for their business. Bill has held various solutions architecture roles throughout his career and holds a variety of security certifications including CISSP, CIPP-E and CIPM.