Network Recommendations

Home network devices include modems/routers, wireless access points (WAPs), printers, and Internet Protocol (IP) telephony devices. These devices control the flow of information into and out of your network and should be carefully secured.

  1. Configure a Flexible Home Network
    Your Internet Service Provider (ISP) likely provides a modem/router as part of your service contract. To maximize administrative control over the routing and wireless features of your home network, use a personally-owned routing device that connects to the ISP-provided modem/router.
  2. Disable Internet Protocol Version 6 (IPv6) Tunneling
    Both IPv6 and its predecessor, IPv4, are used to transfer communications on the Internet. Most modern operating systems use IPv6 by default. If IPv6 is enabled on your device, but not supported by other systems/networks to which you are communicating, some OSes will attempt to pass IPv6 traffic in an IPv4 wrapper using tunneling capabilities such as Teredo, 6to4, or IntraSite Automatic Tunnel Addressing Protocol (ISATAP). Because attackers could use these tunnels to create a hidden channel of communication to and from your system, you should disable tunneling mechanisms. In Windows, you can disable these through Device Manager (be sure to select "View hidden devices" under the View menu).
  3. Provide Firewall Capabilities
    To prevent attackers from scanning your network, ensure your personally-owned routing device supports basic firewall capabilities. Also, verify that it supports Network Address Translation (NAT) to prevent internal systems from being accessed directly from the Internet. Wireless Access Points (WAPs) generally do not provide these capabilities so it may be necessary to purchase a wireless router or a wired router in addition to the WAP. If your ISP supports IPv6, ensure your router supports IPv6 firewall capabilities in addition to IPv4.
  4. Implement WPA2 on the Wireless Network
    To keep your wireless communication confidential, ensure your personal or ISP-provided WAP is using Wi-Fi Protected Access 2 (WPA2) instead of the much weaker, and easily broken Wired Equivalent Privacy (WEP) or the original WPA. When configuring WPA2, change the default key to a complex, hard-to-guess passphrase. Note that older client systems and access points may not support WPA2 and will require a software or hardware upgrade. When identifying a suitable replacement, ensure the device is WPA2-Personal certified.
  5. Limit Administration to the Internal Network
    To close holes that would allow an attacker to access and make changes to your network, on your network devices, disable the ability to perform remote/external administration. Always make network configuration changes from within your internal network.
  6. Implement an Alternate Domain Name System (DNS) Provider
    The DNS associates domain names (e.g. www.example.com) with their numerical IP addresses. The ISP DNS provider likely does not provide enhanced security services such as the blocking and blacklisting of dangerous websites. Consider using either open source or commercial DNS providers to enhance web browsing security.
  7. Implement Strong Passwords on all Network Devices
    In addition to a strong and complex password on your WAP, use a strong password on any network device that can be managed via a web interface, including routers and printers. For instance, many network printers on the market today can be managed via a web interface to configure services, determine job status, and enable features such as email alerts and logging. Without a password, or with a weak or default password, attackers could leverage these devices to gain access to your other internal systems.