Do you validate your home network security?

DHR (Soldato, joined 30 Apr 2003, 3,476 posts)
Had a few conversations lately with people using various firewall solutions for their home networks.

One thing that's come up a few times with firewall solutions is that they're configured to deny by default, but that's only as good as the configuration you put on it.

In business, it's typical to make a change and then have an external party test any public-facing IPs etc. to alert you to misconfigurations.

Does anyone go that far with their home/home business network?
 
Sounds like a good business idea. Would be cool if I could pay a company to do a quick test (remotely obviously)


A lot of businesses now use a cloud firewall service that, while you can configure it yourself, they also configure for you, so it makes things easier.
 
A remote test doesn’t tell you anything about lateral movement inside your network which is just as important.
That'd be like the next level I suppose. It's interesting though because when and truly do you just stop!
 
I don't see the point, you're far more likely to introduce security issues into your house by bringing in some AliExpress tat or browsing a website displaying adverts from a compromised ad network than you are from someone port scanning you and finding...nothing to exploit because you don't have anything allowed through.

Basic things like ensuring you don't have the SSH/HTTPS interfaces of your router/firewall exposed to the Internet, using a VPN client for your own remote access back to things like Plex, VPN tunnels if you're sharing it with family, and only running systems that are receiving security patches would all be higher up my list of importance than having external parties trying to do a pentest on a little pfSense router.
 
I'd be doing basic things like moving to a password manager to use complex generated passwords before I started paying someone to check my home network security. The NCSC is actually a really good resource for this sort of thing



 
I'm lucky enough to have a PA440 at home. I've set up various zones for things like NAS, LAN, WiFi and Sky - Sky Q is a bit of a pain as it 'needs' to be able to ping the default gateway, and it does that a fair bit too.
Doing SSL decryption, advanced web filtering, DNS, IoT, Wildfire etc.

Prior to the 440 I used pfSense.
 
Just enable the standard features of the router and connected computers and the rest is just down to common sense and educating the users of your household. Nothing more is necessary in the general household, and anything beyond that falls into specific use case scenarios such as enthusiasts who like playing with this stuff, home-business needs, or quite simply paranoia.
 
Just enable the standard features of the router and connected computers and the rest is just down to common sense and educating the users of your household. Nothing more is necessary in the general household, and anything beyond that falls into specific use case scenarios such as enthusiasts who like playing with this stuff, home-business needs, or quite simply paranoia.

I would agree with that. The vast majority of issues come from users clicking on links and agreeing to install malware. You can theoretically install antivirus at the router, and automatically tag known hostile sites using web filters at the edge of your network. In practice encrypted traffic often bypasses these so all you get is a sluggish feeling browsing experience.

From past experience trying to sell ‘services’ people generally are not interested or they expect you to be capable of putting up something that will defeat the Fancy Bears. Bottom line is that someone hacked the Pentagon, realistically what hope do any of us have?
 
While I wouldn't pay for external testing (and I know how expensive it is from day job) I do an ever increasing amount of validation on my home network as it has grown in complexity over the last decade. I've gone from a basic system using just the ISP provided router to a system with many VLANs, three WANs and way more complex routing and firewall rules.

I've documented all configuration changes to all my home PCs/servers for years which is a great time saver for replacing devices, and for key devices I do specific tests depending after changes. For my pfSense box I perform tests after all applicable changes to ensure I am still invisible from the internet and that inter VLAN access is as expected plus a few devices are restricted as expected. Individual device security is still key as mentioned above, but it's so easy to mess up network wide that some basic validation seems worth it to me, especially given the issues I've found on big corporate systems over the years!
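The post above describes re-testing after every firewall change that the box is still invisible from the internet and that inter-VLAN access matches what was intended. The following is an added example, not the poster's own code or tooling: it encodes an intended zone policy as a default-deny allow-list and compares it against observed probe results, reporting rule gaps (a zone that can reach something it should not), broken services (an intended path that no longer works) and anything that answers from the WAN side at all. The zone names, allow rules and probe results are constructed for illustration; in practice the probe results would come from scans run from a host in each zone and from outside.

```python
"""Compare observed reachability against an intended home firewall policy.

Added example, not code from the thread. Zone names, allow rules and the
probe results below are constructed for illustration; in practice the probe
results would come from scans run from a host in each zone (and from outside).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Intended policy: default deny between zones, plus these explicit allows.
# Tuple layout: (source zone, destination zone, protocol, destination port)
ALLOW = {
    ("LAN", "NAS", "tcp", 445),   # file shares from the trusted LAN only
    ("LAN", "NAS", "tcp", 22),    # SSH admin from the trusted LAN only
    ("LAN", "IOT", "tcp", 80),    # LAN may reach IoT device web UIs
    ("IOT", "LAN", "udp", 53),    # IoT may use the LAN DNS resolver, nothing else
}

# Zones that must never get a response at all, not even a closed-port reply.
STEALTH_FROM = {"WAN"}


@dataclass(frozen=True)
class Probe:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    state: str  # "open", "closed" (RST/ICMP reply seen) or "filtered" (no reply)


def classify(probe: Probe) -> Optional[str]:
    """Return a finding label for one probe, or None when it matches policy."""
    key = (probe.src_zone, probe.dst_zone, probe.proto, probe.port)
    allowed = key in ALLOW
    if probe.src_zone in STEALTH_FROM:
        # From outside, the only acceptable result is silence.
        return None if probe.state == "filtered" else "VISIBLE_FROM_WAN"
    if probe.state == "open" and not allowed:
        return "LEAK"            # rule gap: traffic crosses a zone it should not
    if probe.state != "open" and allowed:
        return "BROKEN"          # an intended service is now unreachable
    return None


def evaluate(probes: List[Probe]) -> List[Tuple[str, Probe]]:
    """Return [(label, probe)] for every probe that deviates from policy."""
    findings = []
    for p in probes:
        label = classify(p)
        if label:
            findings.append((label, p))
    return findings


# Constructed probe results, as if gathered after a firewall change.
SAMPLE_PROBES = [
    Probe("LAN", "NAS", "tcp", 445, "open"),
    Probe("LAN", "NAS", "tcp", 22, "filtered"),     # admin access broke
    Probe("IOT", "LAN", "udp", 53, "open"),
    Probe("IOT", "NAS", "tcp", 445, "open"),        # IoT can reach file shares
    Probe("IOT", "LAN", "tcp", 22, "filtered"),     # correctly blocked
    Probe("WAN", "LAN", "tcp", 443, "filtered"),
    Probe("WAN", "LAN", "tcp", 22, "closed"),       # an RST reveals a host exists
]

if __name__ == "__main__":
    for label, p in evaluate(SAMPLE_PROBES):
        print(f"{label:16} {p.src_zone}->{p.dst_zone} {p.proto}/{p.port} ({p.state})")
```

The allow-list doubles as documentation of what the firewall is supposed to do, which is the part that is easy to lose track of once several VLANs and WANs are involved; treating a "closed" reply from the WAN as a finding matches the "stealth" expectation rather than merely "nothing open".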
 
Do you mean open ports? Only an issue if you leave UPnP enabled, which allows any device on the network to open whatever port it wants, so a compromised device could allow access from a bad actor on the outside. There's no need for the vast majority of users to enable UPnP anyway; all smart devices work without needing it, and anything needing specific ports to be allowed will be manually set up in a router's setup page anyway and directed to a specific local IP. All ports should be stealth otherwise (you can check via GRC's Shields Up: https://www.grc.com/x/ne.dll?rh1dkyd2)
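The post above makes the point that UPnP lets any device on the LAN open an inbound port on the router. As an added example (not the poster's code), here is a small Python audit that parses the port-mapping entries a UPnP Internet Gateway Device returns and flags the ones worth reviewing: mappings to management or file-sharing ports, and permanent mappings with no lease expiry. The two SOAP responses are constructed in the shape of a WANIPConnection:1 GetGenericPortMappingEntry reply; a real audit would fetch one entry per index from the router's control URL (for example with the miniupnpc library) until the router reports no more entries.

```python
"""Audit the port mappings a UPnP/IGD router is holding.

Added example, not code from the thread. The SOAP responses below are
constructed to match the shape of a WANIPConnection:1
GetGenericPortMappingEntry reply; a real audit would retrieve them from the
router's control URL, one index at a time.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Ports whose exposure to the internet almost always deserves a second look.
RISKY_PORTS = {21, 22, 23, 139, 445, 3389, 5900}


@dataclass(frozen=True)
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    enabled: bool
    remote_host: str      # empty string means "any source"
    lease_seconds: int    # 0 means the mapping never expires
    description: str


def parse_mapping(soap_xml: str) -> Mapping:
    """Extract one port-mapping entry from a GetGenericPortMappingEntry reply."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for el in root.iter():
        # Argument elements in IGD replies are unqualified; strip any namespace
        # prefix so the lookup works whichever way the router serialises them.
        tag = el.tag.split("}")[-1]
        if tag.startswith("New"):
            fields[tag] = (el.text or "").strip()
    return Mapping(
        external_port=int(fields["NewExternalPort"]),
        protocol=fields["NewProtocol"].upper(),
        internal_client=fields["NewInternalClient"],
        internal_port=int(fields["NewInternalPort"]),
        enabled=fields.get("NewEnabled", "1") == "1",
        remote_host=fields.get("NewRemoteHost", ""),
        lease_seconds=int(fields.get("NewLeaseDuration", "0") or "0"),
        description=fields.get("NewPortMappingDescription", ""),
    )


def assess(m: Mapping) -> List[str]:
    """Return the reasons a mapping should be reviewed (empty if none)."""
    reasons = []
    if not m.enabled:
        return reasons
    if m.internal_port in RISKY_PORTS or m.external_port in RISKY_PORTS:
        reasons.append("management/file-sharing port exposed")
    if m.lease_seconds == 0:
        reasons.append("permanent mapping (no lease expiry)")
    return reasons


def _reply(remote, ext, proto, internal_port, client, enabled, desc, lease):
    """Build a constructed GetGenericPortMappingEntry response body."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body>"
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost>{remote}</NewRemoteHost>"
        f"<NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol>"
        f"<NewInternalPort>{internal_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient>"
        f"<NewEnabled>{enabled}</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        f"<NewLeaseDuration>{lease}</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed replies: a short-lived game console mapping, and a permanent
# mapping to a desktop's remote-desktop port that nobody remembers creating.
SAMPLE_RESPONSES = [
    _reply("", 3074, "UDP", 3074, "192.168.1.20", 1, "console", 3600),
    _reply("", 3389, "TCP", 3389, "192.168.1.50", 1, "rdp", 0),
]

if __name__ == "__main__":
    for xml_body in SAMPLE_RESPONSES:
        m = parse_mapping(xml_body)
        flags = assess(m)
        print(f"{m.protocol}/{m.external_port} -> {m.internal_client}:{m.internal_port}"
              f" [{m.description}] {'REVIEW: ' + '; '.join(flags) if flags else 'ok'}")
```

Running this against a router that has UPnP switched off should simply return no entries, which is the expected state for most households; the audit is for checking that assumption rather than for managing mappings.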
 
While I wouldn't pay for external testing (and I know how expensive it is from day job) I do an ever increasing amount of validation on my home network as it has grown in complexity over the last decade. I've gone from a basic system using just the ISP provided router to a system with many VLANs, three WANs and way more complex routing and firewall rules.

I've documented all configuration changes to all my home PCs/servers for years which is a great time saver for replacing devices, and for key devices I do specific tests depending after changes. For my pfSense box I perform tests after all applicable changes to ensure I am still invisible from the internet and that inter VLAN access is as expected plus a few devices are restricted as expected. Individual device security is still key as mentioned above, but it's so easy to mess up network wide that some basic validation seems worth it to me, especially given the issues I've found on big corporate systems over the years!

Meanwhile people like me were happy for years with the BT HomeHub and have just recently decided to be "tech savvy" and set up a plug and play AiMesh :p
 
Meanwhile people like me were happy for years with the BT HomeHub and have just recently decided to be "tech savvy" and set up a plug and play AiMesh :p

I can assure you there are times when trying to resolve complex issues (such as recently having issues after a firewall software update with failover across my WANs) that make me miss those simpler days. Keeping it simple is best unless important needs require otherwise.
 