Many of us have now spent nearly nine months working from home due to the COVID-19 pandemic and have adapted to this new way of doing things, potentially on a long-term or even permanent basis. Many employers now realize that their workers can be just as efficient working remotely as they would be on-premises. But just because you can work efficiently in a remote setting doesn’t mean you are working in the most secure way possible. Here are several technologies you can look at — some of which may already exist as options that need to be turned on in your home networking equipment — that you can use to work more securely at home over the next year and beyond.
Desktop Ethernet Switches
Nothing beats good old-fashioned wired Ethernet for security and network performance. If you have a home office and can put a small switch on your desk, connect your PCs, printers, and other work equipment to it, and then connect the switch to the router, do that instead of using Wi-Fi. If you have one of those newer MacBooks or Windows laptops that don’t have an Ethernet port, by all means get a USB-C Ethernet dongle or a docking station. Those are especially good for adding extra USB ports and splitting out the video and audio to multiple external monitors and speakers.
Wi-Fi 6 and WPA3
Wi-Fi 6 is a faster wireless technology, but it is also more secure because it is much more resistant to an attacker who wants to listen in on the connection between your device and the access point or router. The security protocol standard that Wi-Fi 6 uses is called WPA3; it was introduced a few years ago and appeared as an experimental feature in some 802.11ac (Wi-Fi 5) routers and APs. If you can turn it on in your existing equipment, possibly through a firmware update, absolutely do it.
WPA3 is more secure than the previous WPA2 (which itself replaced WEP; you absolutely should not have devices or equipment that still use WEP in your home or small business) because it prevents a wardriving attacker from recording the exchange when your devices connect to the access point, replaying that exchange on their own computer and cracking your password offline.
The easiest way to put Wi-Fi 6 on your home network is to get a Wi-Fi 6 access point and connect it to your existing router, for example the router your internet provider, such as AT&T or FIOS, supplies for connecting to its broadband service. You can also set many third-party routers to Bridge Mode or run what is referred to as Double NAT. In my opinion, a double NAT should be avoided if possible due to the additional complexity it introduces.
Remember that your devices also have to support Wi-Fi 6 and WPA3, but all the current mobile and PC/Mac operating systems support WPA3, and all the new Wi-Fi 6 access points are backward compatible with your existing equipment.
VLANs and ACLs
A Virtual LAN (VLAN) is a technology you may already have built into your existing router or Ethernet switch. It gives your wireless and hard-wired Ethernet devices a dedicated highway lane that no other cars can drive on. This is done by turning on VLAN “tagging” in the switch or router configuration and creating a unique virtual network that only specifically assigned devices can see. So, for example, if you create a VLAN 100 and put your home office PCs and equipment on that VLAN 100, nothing else in your home, such as IoT equipment, can communicate with them. In Windows, a VLAN tag is set in the configuration options for your PC’s network adapters. On the Mac, it is done within Network Preferences.
Another way of segregating equipment and controlling what can and cannot talk to each other is Access Control Lists (ACLs). This is again a setting in your router configuration; it lets you define rules for ingress from and egress to the internet based on the MAC address of specific devices on your network.
Guest Networks and SSIDs
If VLANs are too complicated or difficult to set up with your existing equipment, consider segregating IoT devices and the like from your work systems by setting up your Wi-Fi router’s guest network and having them connect to that instead of your main Wi-Fi.
Also, on separate access points and some higher-end consumer Wi-Fi routers, you can create additional SSIDs (the name of your wireless network) to go with these VLANs, and even turn off SSID broadcast so that only you know which network to connect to and nobody else in your neighborhood can see it.
I don’t know how many times I have seen that ATT string or the original manufacturer SSID, like Linksys or Netgear or whatever, because people never change them or are not even aware that they can or should change them.
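To make the VLAN “tagging” from the VLANs section concrete, here is an added example (not code from the article) that builds and parses 802.1Q-tagged Ethernet frames and runs them through a toy access-port switch. The port names, MAC addresses and the VLAN 20 IoT assignment are constructed for the example; only VLAN 100 comes from the text.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst: str, src: str, payload: bytes, vid=None) -> bytes:
    """Build an Ethernet frame; when vid is given, insert the 4-byte 802.1Q tag."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID (priority/DEI left at 0)
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst/src MACs, VLAN ID (None when untagged), EtherType and payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vid = tci & 0x0FFF                      # low 12 bits of the TCI
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": vid, "ethertype": ethertype, "payload": frame[offset:]}


class ToySwitch:
    """Access-port switch: every port belongs to exactly one VLAN (its PVID)."""

    def __init__(self, port_vlan: dict):
        self.port_vlan = port_vlan

    def forward(self, ingress_port: str, frame: bytes) -> list:
        """Return the ports a frame is flooded to: only ports in the same VLAN."""
        info = parse_frame(frame)
        pvid = self.port_vlan[ingress_port]
        # Untagged frames are classified into the ingress port's VLAN; a tag that
        # does not match the port's VLAN is dropped, so a device cannot hop VLANs.
        vid = pvid if info["vid"] is None else info["vid"]
        if vid != pvid:
            return []
        return sorted(p for p, v in self.port_vlan.items() if v == vid and p != ingress_port)


# Constructed sample layout: work gear on VLAN 100, IoT gear on VLAN 20
SWITCH = ToySwitch({"office_pc": 100, "printer": 100, "iot_camera": 20, "smart_tv": 20})
```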
Network QoS/Traffic Prioritization
This is another way of limiting what devices on your network can do, but it is specific to bandwidth usage. QoS (pronounced “KWAZ”) means Quality of Service. If you are working from home and your office PC or Mac needs the lion’s share of the network bandwidth, such as for a traffic-heavy application like Zoom, you don’t want your kids or some other piece of equipment eating up that bandwidth when you most need it. So, depending on what the router offers, you can set how much bandwidth each device and each app gets, and when. In some home broadband routers, this is also called Traffic Prioritization.
Firewalls and Unified Threat Management (UTM)
Many routers have some sort of firewall built in, and most also have some basic protection enabled by default. But most of the ones on the market are fairly simplistic and use what is referred to as Stateful Packet Inspection (SPI) because it is much less processor-intensive. It is not as sophisticated as Unified Threat Management (UTM), which uses a technology known as Deep Packet Inspection (DPI) and will even block things like viruses or phishing.
In Star Trek terms, SPI is like scanning someone and seeing what shape that person is, maybe identifying what alien race they come from, or whether they are hot or cold. Deep Packet Inspection looks at network traffic at the atomic level, the bits and bytes, like what the transporter does when it takes people apart molecule by molecule before sending them from site A to site B. A UTM lets you see not just malicious behavior on things like network ports but the actual fingerprint of what malicious traffic looks like, and it will intelligently block it at the source. Doing this requires additional processing power that a typical home broadband router doesn’t have.
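To show the SPI versus DPI distinction above in code, here is an added example (not from the article): a stateful inspector that decides on headers alone and remembers flows the LAN opened, and a deep inspector that additionally scans the payload bytes. The LAN prefix, IP addresses and signature list are constructed for the example; the “EICAR” entry is a fragment of the standard antivirus test string, not a real malware database.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


class StatefulInspector:
    """SPI: looks only at the headers and remembers flows the LAN opened first."""

    def __init__(self, lan_prefix="192.168.1."):
        self.lan_prefix = lan_prefix
        self.flows = set()          # (lan_ip, lan_port, remote_ip, remote_port)

    def check(self, pkt: Packet) -> str:
        if pkt.src.startswith(self.lan_prefix):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"                      # outbound: allowed and remembered
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"                      # reply to a flow we opened
        return "DROP"                           # unsolicited inbound


# Constructed sample signatures (what a UTM's signature feed would supply)
SIGNATURES = {
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE": "eicar-test-file",
    b"action=\"http://login-verify.example/\"": "phishing-form",
}


class DeepInspector(StatefulInspector):
    """DPI/UTM: the same state tracking, plus a scan of the payload bytes."""

    def check(self, pkt: Packet) -> str:
        verdict = super().check(pkt)
        if verdict != "ALLOW":
            return verdict
        for signature, name in SIGNATURES.items():
            if signature in pkt.payload:
                return "BLOCK:" + name          # header-wise fine, content is not
        return "ALLOW"


def run(inspector, packets):
    return [inspector.check(p) for p in packets]


# Constructed traffic: a LAN PC fetches a page; the server answers with a clean page,
# then with a page carrying the test-file string; finally an unsolicited RDP probe.
SAMPLE = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
    Packet("203.0.113.5", 80, "192.168.1.10", 51000, b"HTTP/1.1 200 OK\r\n\r\n<html>hi</html>"),
    Packet("203.0.113.5", 80, "192.168.1.10", 51000, b"HTTP/1.1 200 OK\r\n\r\nEICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    Packet("198.51.100.7", 4444, "192.168.1.10", 3389),
]
```

Running both inspectors over SAMPLE shows the SPI box letting the third packet through because its headers belong to a known flow, while the DPI box blocks it on content.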
A firewall with UTM can cost as little as $100 or as much as $500 to thousands of dollars, depending on how fast you need it to be and how many users need to use it simultaneously. If you have a 100 megabit connection, you can get firewalls that process at your wireline speed without degrading your performance for around $100, such as the Firewalla Red. If you have a gigabit connection, you might have to look at products that cost $500 or more. Some of these products also have annual subscription costs for things like malware signature updates. You can also build this type of firewall using older PCs you may have sitting around, or Raspberry Pis, with open-source software such as Endian and a few others. You can also buy PC software like Sophos that you can run on an inexpensive box.
VPNs
A VPN is a Virtual Private Network. We talked about VLANs earlier, which segregate devices from talking to each other on your own network before traffic goes out to the internet. A VPN is different because it creates an encrypted “tunnel” for traffic between your device, at the originating endpoint, and wherever it is going on the internet.
If your employer has a VPN endpoint, like Cisco or Microsoft, they’ve likely given you the software or settings file you can use on your PC or Mac, your mobile device, or even your router (or firewall device) itself to connect to things at work, in your company data center or at a cloud provider. But you can also set up VPNs to public endpoints using subscription services so that it’s more difficult for your traffic to be snooped. VPNs are used heavily by users in other countries, like China, so they can get to websites like Google and Facebook that are blocked or censored by firewalls. They are also used to bypass regional restrictions set by services like Netflix, allowing users from specific regions to view certain content. So, for example, if some movies and shows can only be viewed from the UK, you can connect to a UK VPN and play that content.