Home Network Security — Deep Dive

Difficulty: Advanced
Time to Complete: 90+ minutes to read, 3–5 hours to implement


Overview

Your home network is the front door to everything digital in your life — personal data, financial information, smart home controls, communications, and increasingly, your physical security infrastructure. Most people treat their home network like a screened porch with no locks. This guide provides a comprehensive, technical-but-accessible blueprint for securing your home network against external attacks, insider threats, and the inevitable hardware failures of a crisis scenario. We cover everything from basic router hardening through to advanced network segmentation, traffic analysis, and maintaining security when the internet goes down.


Why This Matters

In 2025, the average UK home has 15–20 connected devices. Each one is a potential entry point. The Mirai botnet (which started with poorly secured IoT devices like cameras and thermostats) took down major parts of the internet by exploiting devices that had never had their default passwords changed. Ransomware attacks on individuals have increased by 365% since 2020. Smart home devices are being weaponised for surveillance by stalkers, burglars, and state actors.

Network security isn’t just for corporations. If your router is compromised, someone can:

  • Steal your passwords and banking credentials
  • Monitor all your communications
  • Recruit your devices into botnets
  • Access your smart locks and cameras
  • Use your IP address to commit crimes
  • Install ransomware on your devices

Layer 1: Router Hardening — The Foundation

Your router is the most critical piece of your network. If it falls, everything falls.

Step 1: Replace the Default Router

The router your ISP provided is almost certainly less secure than a good third-party router. ISPs use cheap hardware with limited security features and often delay firmware updates.

Recommended replacements:

| Router | Best For | Approximate Cost | Notes |
|---|---|---|---|
| Ubiquiti UniFi Dream Router | Advanced users | £150 | Enterprise-grade, VLAN support, excellent management interface |
| ASUS RT-AX86U Pro | Most users | £200 | Excellent built-in security, easy setup, AiProtection included |
| pfSense/OPNsense box | Enthusiasts | £300+ build | Full firewall appliance, maximum control, steep learning curve |
| GL.iNet travel routers | Portability/emergencies | £40–£100 | Small, portable, OpenWRT-based, good for backup networks |

:warning: If replacing isn’t possible right now, you can still secure your ISP router — see the steps below. Don’t let perfect be the enemy of good.

Step 2: Change Everything That’s Default

Default credentials are the #1 cause of router compromises. Botnet scanners check default credentials continuously.

  • Admin password: Change from default to a strong, unique password (16+ characters, mixed case, numbers, symbols)
  • Wi-Fi password: WPA3 if available, WPA2 if not. 12+ character passphrase.
  • SSID (network name): Don’t use your name, address, or ISP brand. Something generic that doesn’t identify you.
  • Admin interface access: Disable remote (WAN-side) admin access completely
  • Default gateway IP: Consider changing from 192.168.1.1 to something non-standard (e.g., 192.168.47.1)

Step 3: Firmware and Updates

  • Check for firmware updates immediately after setup
  • Enable automatic updates if your router supports them
  • If not, set a quarterly calendar reminder to check manually
  • Before crisis: Download the latest firmware file and store a copy offline (USB drive) in case you can’t access the manufacturer’s website later
  • Subscribe to security advisories from your router manufacturer

Step 4: Disable Vulnerable Features

| Feature | Recommendation | Why |
|---|---|---|
| WPS (Wi-Fi Protected Setup) | :cross_mark: DISABLE | Easily brute-forced; known vulnerability |
| UPnP (Universal Plug and Play) | :cross_mark: DISABLE | Opens ports automatically; malware exploits this |
| Remote administration | :cross_mark: DISABLE | Never expose admin interface to the internet |
| Guest network (if unused) | :cross_mark: DISABLE | Reduces attack surface |
| Telnet access | :cross_mark: DISABLE | Unencrypted remote access protocol — use SSH only |
| DMZ (Demilitarised Zone) | :cross_mark: DISABLE | Exposes a device fully to the internet |
| WPA/WEP encryption | :cross_mark: DISABLE | Cracked WEP in minutes; WPA is deprecated |

Step 5: Enable the Right Features

| Feature | Recommendation | Why |
|---|---|---|
| WPA3 encryption | :white_check_mark: ENABLE | Latest Wi-Fi security standard |
| WPA2 (if WPA3 unavailable) | :white_check_mark: ENABLE | Minimum acceptable standard |
| Firewall (built-in) | :white_check_mark: ENABLE | Basic packet filtering |
| SPI (Stateful Packet Inspection) | :white_check_mark: ENABLE | Tracks connection state, blocks unsolicited traffic |
| DoS protection | :white_check_mark: ENABLE | Basic rate limiting |
| DNS filtering | :white_check_mark: ENABLE | Blocks known malicious domains |

Layer 2: Network Segmentation — Contain the Damage

Segmentation means dividing your network into isolated sections. If one section is compromised, the attacker can’t reach the others.

Think of it like bulkheads on a ship — one flooded compartment doesn’t sink the whole vessel.

Recommended Network Segments

| Segment | Devices | Access Level | Isolation |
|---|---|---|---|
| Main/Trusted | Laptops, phones, tablets you personally use | Full network access | Can access IoT and Guest |
| IoT Network | Smart TVs, cameras, thermostats, smart speakers | Internet only, no lateral access | Cannot access Main network |
| Guest Network | Visitors’ devices | Internet only | Completely isolated from everything |
| Work/Dev | Work computers, development machines | Internet + specific resources | Restricted from IoT and personal |
| Security/Management | NAS, backup drives, security systems | Internal access only, restricted internet | Highly restricted |

How to Implement Segmentation

Option A: Router/VLAN (Recommended)

  1. If your router supports VLANs (Virtual Local Area Networks), create separate VLANs for each segment
  2. Assign each Wi-Fi network (SSID) to a different VLAN
  3. Set firewall rules between VLANs:
    • IoT can → Internet (yes)
    • IoT can → Main network (no)
    • Main can → IoT (yes, if you need to control devices)
    • Guest can → Internet (yes)
    • Guest can → Any internal network (no)
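The five inter-VLAN rules above, rendered as a default-deny nftables forward chain, as an added example that is not part of the original guide. It assumes a Linux-based router on which you manage nftables directly (a pfSense/OPNsense box uses pf and its own rule editor instead) and the hypothetical interface names main, iot, guest and wan; rename them to match your router.

```python
"""Inter-VLAN policy from Layer 2 rendered as an nftables forward chain.

Added example, not part of the original guide. Assumes a Linux-based
router managed with nftables directly, with VLAN interfaces named
main, iot and guest and an uplink named wan. Those names are
hypothetical; change them to match your router.
"""

# Flows the guide allows. Anything not listed is dropped by the chain's
# default policy, so "IoT -> Main (no)" and "Guest -> any internal (no)"
# need no explicit rule: default-deny does that work.
ALLOWED_FLOWS = [
    ("main", "wan"),    # trusted devices reach the internet
    ("main", "iot"),    # trusted devices may control IoT gear
    ("iot", "wan"),     # IoT gets internet only
    ("guest", "wan"),   # guests get internet only
]


def is_allowed(src: str, dst: str, reply: bool = False) -> bool:
    """Evaluate a flow the way the chain below would: replies belonging
    to an allowed connection pass (ct state established), listed flows
    pass, everything else falls through to the drop policy."""
    if src == dst:
        return True   # same segment is switched, never forwarded
    if reply:
        return (dst, src) in ALLOWED_FLOWS
    return (src, dst) in ALLOWED_FLOWS


def render_nft(flows=ALLOWED_FLOWS) -> str:
    """Emit a ruleset loadable with `nft -f segmentation.nft`."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state invalid drop",
        "    ct state established,related accept",
    ]
    for src, dst in flows:
        lines.append(f'    iifname "{src}" oifname "{dst}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft(), end="")
```

Because the chain's policy is drop, adding a segment later means adding only the flows you want, never a block rule you might forget.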

Option B: Multiple SSIDs on Mid-Range Router

Many mid-range routers (ASUS, TP-Link) support multiple SSIDs with client isolation:

  1. Create separate SSIDs for Main, IoT, and Guest
  2. Enable “AP Isolation” or “Client Isolation” on Guest and IoT networks
  3. This prevents devices on those networks from communicating with each other

Option C: Separate Physical Routers (Budget Option)

  • Main network: Primary router
  • IoT network: Cheap secondary router connected to the main router’s LAN port (devices can’t route back to main)
  • Guest network: Another cheap router or mesh node with isolation enabled

IoT Isolation Rules

Every IoT device should be treated as already compromised. Smart devices are the weakest link:

| Device Type | Risk | Specific Concerns |
|---|---|---|
| Smart cameras | Very High | Can be hijacked for surveillance; often have poor security |
| Smart speakers | High | Always listening; can be used for eavesdropping |
| Smart TVs | High | Data harvesting; often run outdated OS; microphones present |
| Smart thermostats | Medium | Can reveal occupancy patterns |
| Smart locks | Very High | Direct physical security implications |
| Smart plugs | Medium | Can be recruited into botnets |
| Baby monitors | Very High | One of the most commonly hacked device categories |
| Robot vacuums | Medium-High | They literally map the inside of your home |

Layer 3: DNS Security — Stop Threats Before They Connect

DNS (Domain Name System) is the internet’s phonebook. Every time you visit a website, send an email, or your device calls home, it uses DNS. Controlling DNS is one of the most effective security layers you can add.

Recommended DNS Providers

| DNS Provider | Free? | Blocks Threats | Blocks Ads | Blocks Adult Content | Privacy |
|---|---|---|---|---|---|
| Quad9 (9.9.9.9) | :white_check_mark: Yes | :white_check_mark: Yes | :cross_mark: No | :cross_mark: Optional | :white_check_mark: Good |
| Cloudflare (1.1.1.1) | :white_check_mark: Yes | :white_check_mark: (1.1.1.2) | :cross_mark: No | :white_check_mark: (1.1.1.3) | :white_check_mark: Excellent |
| Cloudflare (Malware Only) | :white_check_mark: Yes | :white_check_mark: Yes | :cross_mark: No | :cross_mark: No | :white_check_mark: Excellent |
| NextDNS | :white_check_mark: (up to 300k queries) | :white_check_mark: Yes | :white_check_mark: Yes | :white_check_mark: Yes | :white_check_mark: Excellent — customisable |
| Pi-hole (self-hosted) | :white_check_mark: Yes | :white_check_mark: Yes | :white_check_mark: Yes | Configurable | :white_check_mark: Perfect — you control it |
| AdGuard Home (self-hosted) | :white_check_mark: Yes | :white_check_mark: Yes | :white_check_mark: Yes | Configurable | :white_check_mark: Perfect — you control it |

Recommendation: Use NextDNS if you want a managed service, or Pi-hole if you want self-hosted control. Both provide exceptional protection.

Setting Up Pi-hole (Self-Hosted DNS Sinkhole)

Pi-hole is a network-level ad and tracker blocker that also blocks known malware domains.

What you need:

  • Raspberry Pi Zero W (£10–15) or any always-on Linux machine
  • Ethernet connection to your router (can work on Wi-Fi but ethernet is more reliable)

Basic setup:

  1. Install Raspberry Pi OS (Lite version is fine)
  2. Run the Pi-hole installer: curl -sSL https://install.pi-hole.net | bash
  3. Follow the guided setup — it asks you which blocklists to use
  4. Set your router’s DHCP server to hand out the Pi-hole’s IP as the DNS server
  5. Every device on your network now gets Pi-hole protection automatically

Blocklists to enable:

  • StevenBlack’s Unified Hosts List (default — combines several lists)
  • OISD Blocklist (comprehensive, well-maintained)
  • ThreatFox by abuse.ch (malware-specific)
  • URLHaus (malware URL blocklist)
  • AdGuard DNS Filter (ad + malware)

Expected result: Your network will block 40–60% of DNS requests as ads/trackers/malware. The speed improvement is noticeable.

:warning: Note: Pi-hole needs to stay powered on and running. In a crisis scenario, make sure it’s on an uninterruptible power supply (UPS) or can be easily restarted.
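To check the expected block rate on your own install, here is an added example (not part of the guide or of Pi-hole) that summarises Pi-hole query-log lines, overall and per client, so you can see which segment's devices are generating the sinkholed lookups. It assumes the Pi-hole v5 log format (dnsmasq “query[TYPE] domain from client” lines followed by FTL's “gravity blocked domain is …” lines); the sample log is constructed.

```python
"""Check how much of a Pi-hole log was sinkholed, overall and per client.

Added example, not part of the original guide or of Pi-hole. It reads
/var/log/pihole.log-style lines as Pi-hole v5 writes them: dnsmasq
"query[TYPE] domain from client" followed, for sinkholed names, by
FTL's "gravity blocked domain is 0.0.0.0" (or "is ::" for AAAA). The
log below is constructed; domains use the reserved .test TLD.
"""
import re
from collections import Counter

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (\S+) is ")

SAMPLE_LOG = """\
Jan  5 09:00:01 dnsmasq[812]: query[A] news.example.test from 192.168.47.20
Jan  5 09:00:01 dnsmasq[812]: forwarded news.example.test to 9.9.9.9
Jan  5 09:00:02 dnsmasq[812]: query[A] ads.tracker.test from 192.168.47.20
Jan  5 09:00:02 dnsmasq[812]: gravity blocked ads.tracker.test is 0.0.0.0
Jan  5 09:00:03 dnsmasq[812]: query[AAAA] telemetry.tv.test from 192.168.47.31
Jan  5 09:00:03 dnsmasq[812]: gravity blocked telemetry.tv.test is ::
Jan  5 09:00:04 dnsmasq[812]: query[A] news.example.test from 192.168.47.31
Jan  5 09:00:04 dnsmasq[812]: cached news.example.test is 203.0.113.10
Jan  5 09:00:05 dnsmasq[812]: query[A] ads.tracker.test from 192.168.47.31
Jan  5 09:00:05 dnsmasq[812]: gravity blocked ads.tracker.test is 0.0.0.0
"""


def summarise(log: str) -> dict:
    """Return totals, the blocked share, and per-client (queries, blocked)."""
    queries, blocked = Counter(), Counter()
    last_client = {}            # domain -> client that asked for it last
    for line in log.splitlines():
        if m := QUERY_RE.search(line):
            domain, client = m.groups()
            queries[client] += 1
            last_client[domain] = client
        elif m := BLOCK_RE.search(line):
            # the block line names no client; attribute it to the latest asker
            blocked[last_client.get(m.group(1), "?")] += 1
    total, hits = sum(queries.values()), sum(blocked.values())
    return {
        "queries": total,
        "blocked": hits,
        "percent": round(100 * hits / total, 1) if total else 0.0,
        "per_client": {c: (queries[c], blocked[c]) for c in sorted(queries)},
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_LOG))
```

Run it against your real log (the path is /var/log/pihole.log on a default install) to confirm you land in the 40–60% range the section predicts.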


Layer 4: Device Security — The Endpoints

Your router can be Fort Knox, but if one device is compromised, the game changes.

Every Device: Baseline Security

| Control | Implementation | Priority |
|---|---|---|
| Auto-updates enabled | OS, browser, all applications | :red_circle: Critical |
| Full disk encryption | BitLocker (Windows), FileVault (Mac), LUKS (Linux) | :red_circle: Critical |
| Unique password per device | Password manager managed | :red_circle: Critical |
| Two-factor authentication | On every account accessed from the device | :red_circle: Critical |
| Antivirus/anti-malware | Windows Defender (built-in, adequate); Malwarebytes for second opinion | :yellow_circle: Important |
| Firewall enabled | Built-in OS firewall; don’t disable it | :yellow_circle: Important |
| Minimal installed software | Uninstall everything you don’t use | :green_circle: Good practice |

Smart Home Device Security

IoT devices generally cannot be secured through traditional means (no antivirus, no firewall). Here’s the strategy:

  1. Put all IoT on the isolated network (see Layer 2)
  2. Change default credentials on every device before connecting
  3. Disable cloud features on devices that don’t need them — if your smart plug works without phone connectivity, use it that way
  4. Check firmware regularly — some IoT manufacturers fix critical vulnerabilities
  5. Buy from reputable brands — a cheap, no-brand smart camera is a massive security risk
  6. Physical disconnect — if you’re concerned about a device, unplug it. Physical disconnection is the only 100% secure state.

Layer 5: Monitoring — See What’s Happening

You can’t secure what you can’t see. Network monitoring tells you when things go wrong.

Basic Monitoring (Everyone)

Check your router’s connected devices list weekly:

  1. Log into your router admin panel
  2. Find “Connected Devices” or “DHCP Client List”
  3. Verify every device listed is one you recognise
  4. If you see something unfamiliar, investigate immediately

Set up email/phone notifications (if your router supports them):

  • New device connections
  • Firewall block events
  • Firmware updates available

Intermediate Monitoring

Fing App (iOS/Android):

  • Free network scanner
  • Lists all connected devices
  • Alerts when new devices appear
  • Shows device type and manufacturer
  • Runs a quick port scan

Advanced: GlassWire (Windows) or LuLu (Mac):

  • See which applications are making outbound connections
  • Get alerts when a new app accesses the network
  • Visual bandwidth monitoring

Advanced Monitoring

nmap Network Scanning:

  • nmap -sn 192.168.1.0/24 — discover all devices on your network
  • nmap -sV 192.168.1.1 — check what services your router is running
  • Run weekly to establish a baseline, compare for changes
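One way to do the weekly baseline comparison, as an added example that is not from the guide or from nmap: it parses the normal output of nmap -sn and reports devices that are new, gone, or now at a different IP. Hosts are keyed by MAC where nmap prints one (you need to run the scan as root on the LAN for that) and by IP otherwise, which is what you get for the scanning machine itself. Both scans are constructed samples using made-up MACs and the 192.168.47.0/24 range from Step 2.

```python
"""Diff two `nmap -sn` runs to flag new, missing and moved devices.

Added example, not part of the original guide or of nmap. Parses nmap's
normal output, keyed by MAC where printed (run as root on the LAN) else
by IP (the scanning host itself). Both scans are constructed samples.
"""
import re

HOST_RE = re.compile(r"Nmap scan report for (?:\S+ \()?([\d.]+)\)?")
MAC_RE = re.compile(r"MAC Address: ([0-9A-F:]{17}) \((.*)\)")

BASELINE = """\
Nmap scan report for router.lan (192.168.47.1)
Host is up (0.0021s latency).
MAC Address: AA:BB:CC:00:00:01 (Ubiquiti Networks)
Nmap scan report for 192.168.47.20
Host is up (0.010s latency).
MAC Address: AA:BB:CC:00:00:20 (Apple)
Nmap scan report for 192.168.47.50
Host is up.
"""
# A week later: the phone took a new lease and an unknown device appeared.
CURRENT = BASELINE.replace("192.168.47.20", "192.168.47.21") + """\
Nmap scan report for 192.168.47.77
Host is up (0.15s latency).
MAC Address: AA:BB:CC:00:00:77 (Unknown)
"""


def parse_scan(text: str) -> dict:
    """Return {key: (ip, vendor)}; key is the MAC, or the IP when none."""
    hosts, ip = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            ip = m.group(1)
            hosts[ip] = (ip, "")   # provisional key until a MAC line follows
        elif (m := MAC_RE.match(line)) and ip:
            hosts[m.group(1)] = (ip, m.group(2))
            del hosts[ip]
            ip = None
    return hosts


def diff_scans(baseline: dict, current: dict) -> dict:
    """new = never seen, missing = gone, moved = same MAC at a new IP."""
    return {
        "new": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
        "moved": sorted(k for k in current
                        if k in baseline and current[k][0] != baseline[k][0]),
    }
```

Save each week's `nmap -sn 192.168.47.0/24` output to a file and feed the two texts to `diff_scans(parse_scan(old), parse_scan(new))`; anything under "new" is what Basic Monitoring tells you to investigate immediately.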

Zeek (formerly Bro) — Network Security Monitor:

  • Full packet analysis
  • Detects anomalous behaviour
  • Requires dedicated hardware and expertise
  • Best for enthusiasts

Home Assistant with security integrations:

  • Can monitor unusual network behaviour
  • Integrates with firewall alerts
  • Dashboard for overall network health

Layer 6: Crisis and Grid-Down Scenarios

When the internet goes down or infrastructure fails, your network security needs change dramatically.

Pre-Crisis Preparation

What to do now:

  1. Document everything: Write down all passwords, network configurations, SSIDs, WPA keys. Print this and store it in your physical emergency kit.
  2. Download firmware locally: Save router firmware files on a USB drive.
  3. Prepare offline DNS: If you use Pi-hole, document how to restart it manually.
  4. Physical security: Your router and network equipment should be in a physically secure location — not in an easily accessible area.
  5. Mesh network capability: Consider a mesh system designed to work locally without internet (e.g., goTenna, Meshtastic for text comms).

Operating Without the Internet

Your local network still has value in a grid-down scenario:

| Use Case | Implementation |
|---|---|
| Local file sharing | NAS or shared drive for documents, maps, medical reference |
| Local messaging | Matrix server (Synapse) or local chat server |
| Local entertainment | Media server (Plex/Jellyfin) with downloaded content |
| Local comms | Meshtastic devices for node-based message passing |
| Local security | IP cameras recording to local NVR (no cloud required) |
| Local DNS/Pi-hole | Continues to protect local network traffic |

Re-establishing Connectivity

When connectivity returns:

  1. Don’t immediately connect everything — the internet will be chaotic in the aftermath
  2. Check router logs first — look for unusual activity during the outage
  3. Change all passwords — assume they were targeted during the vulnerable period
  4. Verify firmware integrity — check for updates that were released during the outage
  5. Segment new devices — any device that was offline and is now being reconnected should go on the IoT or guest network until verified

Layer 7: Physical Security of Network Infrastructure

The most secure network is meaningless if someone can walk up and plug in.

Physical security checklist:

  • Router and switches in a locked room or enclosure
  • Unused ethernet ports disabled (or physically unplugged)
  • Console port on router/switch physically secured
  • No visible network equipment labels with passwords
  • UPS (uninterruptible power supply) for critical equipment
  • Surge protection for all networking gear
  • No network cable access points visible from outside (through windows)
  • Consider a Faraday bag for storing backup routers in EMP scenarios

Quick Reference Checklist

Immediate Actions (Do This Today)

  • Change router admin password (strong, unique, 16+ characters)
  • Change Wi-Fi password (WPA3 if available)
  • Disable WPS
  • Disable UPnP
  • Disable remote admin access
  • Enable automatic firmware updates
  • Check connected devices list — verify everything is yours
  • Set up a Guest network with isolation
  • Change DNS to Quad9 (9.9.9.9) or NextDNS

Short-Term Improvements (This Week)

  • Set up network segmentation (IoT, Main, Guest)
  • Install Pi-hole or configure NextDNS
  • Enable full disk encryption on all devices
  • Enable 2FA on all accounts
  • Update all device firmware
  • Document all network settings (print and store securely)

Advanced Hardening (This Month)

  • Replace ISP router with security-focused alternative
  • Set up VLANs for network isolation
  • Deploy network monitoring software
  • Audit all IoT devices and isolate properly
  • Set up automatic alerts for new device connections
  • Create offline firmware backup
  • Test your network’s external security with ShieldsUP (GRC)

Crisis Preparedness

  • Printed copy of all passwords and network configuration
  • Backup router offline with firmware loaded
  • Local network services documented and tested offline
  • Physical security of network equipment
  • UPS for critical network equipment
  • Emergency mesh communication capability (Meshtastic/goTenna)

Sources & Further Reading


Home Network Security Series — Vivaed @ endscenar.io