© Carey Parker 2018
Carey Parker, Firewalls Don't Stop Dragons, https://doi.org/10.1007/978-1-4842-3852-3_6

6. LAN Sweet LAN

Carey Parker, North Carolina, USA

In this chapter, we’re going to discuss your home network. Even if you have only one computer connected to the Internet, you still technically have a network. A network is something that allows two or more devices to communicate and share resources. The Internet is the most famous network; it’s the network that connects us to computers and services all over the globe. But most of us also have an intranet within our homes, and how we allow our personal network to communicate with the public network is crucial to our security and privacy.

Network Overview

Let’s start by identifying the parts of your home network—called a local area network (LAN). For your computer to connect to the Internet (referred to as a wide area network [WAN]), you first need to have Internet service—often called broadband or high-speed Internet service. For most people, this is provided by their cable or phone company. In rural areas, you might get your Internet service from a satellite company. In many metropolitan areas, you can get Internet service over fiber-optic cable. But regardless of the specific way in which you connect to the Internet, the company that provides you with this service is called your Internet service provider (ISP). Somewhere in your house you will have a box that this company provided to you that allows you to connect your computer. This box is usually called a modem (which is short for “modulator-demodulator”). A typical modem looks something like Figure 6-1.

Figure 6-1. Cable modem

The modem converts the common Internet Protocol (that your computer understands) to some sort of special protocol that allows the communication to flow over the phone lines, cable line, fiber-optic cable, or satellite link. This device is assigned an Internet Protocol (IP) address, and like the address on your house, it’s associated specifically with you (or your account). When your computer talks to the Internet, the return address on all its packets is your IP address.

In the simplest case, you just connect your computer directly to this modem and you’re done. That’s your entire network. But many of us today have more than one device in our homes that wants to access the Internet, and in that case you need another piece of equipment called a router. Your ISP gives you only one IP address. If you have multiple devices, then you need some way to give those devices their own addresses—at least within your home—so that each one of those devices can carry on its own conversations with other things on the Internet. (We discussed how this works in previous chapters.)

It’s important to note that if you have multiple devices on your home network, they often talk to each other, as well. That is, they send information between themselves that’s not meant to leave your house. Maybe you’re streaming some music from your computer to your home theater system or printing a document from your laptop to a network printer. In this case, all the info is completely within your network. It’s like someone in marketing sending a package to the sales department via internal company mail. The U.S. Postal Service never sees or knows about this; it’s completely internal and private. We’ll see why this is important in the next section.

Most routers today are wireless routers. This is a little box that often has one or more little antennas on it and is directly connected to your modem via a cable called an Ethernet cable. It will look something like Figure 6-2.

Figure 6-2. A sample Wi-Fi router

Ethernet cables are like phone cables—they usually have little clippy things on the end that snap into place. Ethernet cables are the most common cords that are used to connect things to a network directly. The router box is then connected to all the other devices in your house that need to access the Internet—either hardwired with an Ethernet cable or connected virtually over the air, wirelessly. The wireless connection is called Wi-Fi or sometimes by its technical spec name, 802.11. Networks created by Wi-Fi routers are commonly referred to as wireless LANs (WLANs). (I know... couldn’t they come up with something a little less confusing? LAN, WAN, WLAN—really? Don’t shoot the messenger, folks.) There are many versions of Wi-Fi—over the years they improved things and gave the spec different names like 802.11b, 802.11n, and 802.11ac. But all you really need to know is that the router acts like an internal, private mail room—the router allows all the devices in your house to have private addresses inside your home to talk with each other and to share a single public Internet address for communications with the outside world. Many businesses (hotels, cafes, restaurants, airports, libraries) often provide free Wi-Fi Internet access for customers. These locations are referred to as Wi-Fi hotspots.

That’s pretty much your home network in a nutshell. You have a modem, a router, and a bunch of devices that are connected to that router (either wired or wirelessly). Those devices include desktop computers, laptops, smartphones, printers, and tablets. We’re now also seeing other “smart” devices connecting, as well: TVs, streaming boxes (like Apple TV, Fire TV, or Roku), DVRs, home appliances, thermostats, and even light bulbs.

Now that we know the pieces to the home network puzzle, let’s take a look at the security and privacy issues associated with your home network and how to deal with them.

Modem

The modem provided to you by your Internet service provider is generally something you cannot control, and that makes a security- and privacy-conscious person nervous. Many ISPs are now providing a combo product: a modem and Wi-Fi router all in one—how convenient! That’s even worse. Why? Because what’s best for your ISP is not the same as what’s best for you. Your network router is doing two crucial things: it’s a wall between your network and the rest of the wild, woolly Internet, and it’s the hub for all the data traffic within your home network. There’s just no reason to trust your ISP to perform those critical functions. While ISPs will usually try to protect your home network from bad actors on the Internet, they have no reason whatsoever to protect your privacy or to insulate you from their own meddling. Furthermore, you want to have full control over the configuration of your Wi-Fi router, and your ISP may not give you that access. For these reasons alone, I strongly suggest you always insert your own router between your computer and your ISP’s modem. Basic models are pretty cheap, and this book can help you get it set up.

Here’s an interesting story that will help to illustrate my point. A few years ago, Comcast (the largest ISP in the United States) began rolling out a service for its customers called Xfinity Wi-Fi. This service allows Comcast customers to use “millions” of free Wi-Fi hotspots around the world. Sounds great, right? What’s not to like? Well, the company accomplished this by turning people’s private cable boxes into public hotspots—that is, Comcast enabled this feature on your home combo modem/Wi-Fi box so that its customers near (or in) your home could connect to the Internet using your equipment. While I’m sure Comcast customers somehow implicitly gave Comcast permission to do this somewhere in their licensing agreement, I’m willing to bet most people had no idea they were doing this. Your modem is, after all, Comcast’s equipment—not yours. It provides you with a service, and that contract surely allows Comcast to offer other services using its equipment.

When this became widely understood, people rightly had serious questions about this service. Won’t this slow down my Internet connection (having to share it with others)? Will this give strangers access to my home network? What if someone uses my Internet connection to do illegal things—won’t that appear as if I did those things? Comcast has some partial answers for these concerns, and there does exist a way to opt out of this program by changing your account preferences online. But the real question is: do you trust your ISP to do what’s best for you (as opposed to what’s best for them)? If Comcast changes its strategy or decides to offer another feature like this in the future, how likely are you to be properly informed of this? And will you be given the choice to opt out? (Two customers in San Francisco filed a class action lawsuit against Comcast over this, but it was thrown out because all Comcast customers agreed to settle disputes via arbitration in their terms of service.)

The simplest solution to this is to just use your own router. If your ISP provided you with a combo modem and Wi-Fi router, I would call them up and ask them to disable the Wi-Fi service entirely. If you’re a Comcast customer, I would also opt out of the Xfinity public/shared Wi-Fi program, if possible.

Since your modem is usually provided to you by your ISP, there’s usually not much else you can do here. However, sometimes you can get your own modem—see the tips at the end of this chapter.

Wi-Fi Router

Your Wi-Fi router is arguably the most important part of your network in terms of your overall Internet security. It’s also probably the most complicated one because it performs a wide variety of important functions. Understanding how to properly configure a Wi-Fi router is not easy, but that’s why you bought this book! I’ll walk you through the primary settings you need to worry about and show you how to configure them properly. Before we get to the specifics, let’s discuss the key functions of your Wi-Fi router.

As I mentioned in earlier sections, one of the primary functions of your router is to serve as a barrier between your private, home network and the wider, public Internet. Regardless of how many devices you have inside your house, the external world sees all your packets as coming from a single address—your public IP address. Your router takes care of delivering all inbound traffic to the proper device inside your home. This function is called Network Address Translation (NAT), and we discussed it earlier. However, your router does a lot more than that. Let’s break it down.

The primary function of a router is to act as a boundary between your private home network and the public Internet. Again, it’s like an internal mail service within your house, allowing all the devices on your network to talk to each other and, when necessary, establishing connections between your internal devices and external, public servers and services. In fact, your router is actually in charge of assigning mailing addresses (that is, IP addresses) for all the devices in your network. It does this using Dynamic Host Control Protocol (DHCP). When you plug a device into the network or allow a new device to connect wirelessly, that device needs to have an IP address to communicate with anything else on the network—and your router is in charge of handing out those addresses.

As we’ve discussed, most routers come with a built-in firewall function that specifically prevents external entities from prying into your private home network, unless you explicitly allow it or something inside your home initiates the conversation. Routers also act as a sort of traffic cop, directing traffic in the network. The router can allow some traffic to have a higher priority than others—for example, allowing live video streams to flow freely while sending Google queries to the back of the line. Packets of audio and video information are very time-sensitive—if those packets are delayed or lost, you will have glitches in your music or your streaming movies. However, things like querying Google for local restaurants or checking your e-mail can wait a bit, if necessary (and by “a bit” I’m talking fractions of a second). This is referred to as quality of service (QoS); some network packets are more “important” than others. Some routers will automatically detect important traffic and prioritize it, while others need to be configured for this feature. The quality of service flag on these packets is not required to be honored; it’s more of a suggestion, but it’s a mechanism that can be used to improve the performance of time-sensitive network traffic.
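The NAT and firewall behavior described above can be modeled in a few lines. The following is an added example, not code from the book or from any router vendor: a toy router that shares one public address among private devices and drops inbound packets unless something inside started the conversation or a port was explicitly forwarded. The class and function names are hypothetical, all addresses are constructed documentation addresses, and the filtering shown (replies accepted only from the exact remote endpoint that was contacted) is the strictest of several behaviors real routers use.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


@dataclass
class HomeRouter:
    public_ip: str
    next_port: int = 40000  # first public port to hand out (arbitrary choice)
    # public port -> (private endpoint, remote endpoint the mapping was opened for)
    nat_table: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # explicit "allow" rules (port forwards): public port -> private endpoint
    forwards: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: replace the private source with the shared public address."""
        for port, (inside, remote) in self.nat_table.items():
            if inside == pkt.src and remote == pkt.dst:
                return Packet((self.public_ip, port), pkt.dst, pkt.payload)
        port = self.next_port
        self.next_port += 1
        self.nat_table[port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver replies and forwarded ports; return None for drops."""
        if pkt.dst[0] != self.public_ip:
            return None
        port = pkt.dst[1]
        entry = self.nat_table.get(port)
        if entry is not None:
            inside, remote = entry
            # Only the server this device contacted may answer on this port.
            return Packet(pkt.src, inside, pkt.payload) if pkt.src == remote else None
        if port in self.forwards:
            return Packet(pkt.src, self.forwards[port], pkt.payload)
        return None  # nothing inside asked for this traffic


def demo() -> dict:
    """Run a constructed scenario and return what the router did with each packet."""
    router = HomeRouter(public_ip="203.0.113.7")
    laptop = ("192.168.1.10", 51000)
    tv = ("192.168.1.20", 51000)  # same private port, different device
    web = ("198.51.100.5", 443)
    stranger = ("192.0.2.66", 4444)

    out_laptop = router.outbound(Packet(laptop, web, "GET /"))
    out_tv = router.outbound(Packet(tv, web, "GET /stream"))
    reply_to_tv = router.inbound(Packet(web, out_tv.src, "video"))
    unsolicited = router.inbound(Packet(stranger, (router.public_ip, 23), "hello?"))
    wrong_sender = router.inbound(Packet(stranger, out_laptop.src, "hello?"))
    router.forwards[8080] = ("192.168.1.30", 80)  # an explicit allow rule
    forwarded = router.inbound(Packet(stranger, (router.public_ip, 8080), "GET /"))
    return {
        "out_laptop": out_laptop, "out_tv": out_tv, "reply_to_tv": reply_to_tv,
        "unsolicited": unsolicited, "wrong_sender": wrong_sender, "forwarded": forwarded,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} -> {result}")
```

The last case in `demo()` shows why every explicit allow rule matters: once a port is forwarded, any outside sender reaches the inside device.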

Wi-Fi routers allow you to connect to your home network wirelessly. This feature, while extremely handy, brings with it a lot of security issues. Instead of having to physically plug an Ethernet cable into your router to get onto your network, you can now connect your laptop or other smart device through the ether simply by changing a setting. Instead of having to be physically inside your house, with Wi-Fi you only have to be near your house—like next door or parked outside on the street. To protect your network, Wi-Fi has some security options that will restrict access to your network. These include adding encryption, authentication, and even some good ol’ security by obscurity. However, there are also a lot of add-on features for convenience that have exposed some weaknesses. All of these will be discussed at length in the checklist at the end of this chapter.

The Internet of Things

The Internet of Things (IoT) refers to the current tech trend of making all of our dumb devices smart—that is, connecting them to the Internet (which I’m not sure necessarily makes anything or anyone “smart”). What good is your refrigerator if you can’t query its contents from the office before you come home? Who wants a dumb thermostat that you can’t change from halfway around the globe? Who needs a Bluetooth speaker that won’t respond when you ask it for today’s weather? We’re already spoiled by our smart devices, and this whole trend is just getting started.

The problem with adding smarts to cheap devices like light bulbs, baby monitors, thermostats, and appliances is that it adds cost—in some cases, significant cost (compared to the equivalent “dumb” version). People pay for features they can see and experience—and they tend not to pay for other stuff, like security. Security in particular can cost a lot of time and money to develop and build into your products, especially if you’re going to do it right. And so many companies don’t do it right or at all. We like to say that the S in IoT is for security…meaning there is none. So, as we’re bringing all these wonderful, connected devices into our homes, we also need to be very cognizant of the risks involved.

What does that mean, exactly? There are two primary reasons that bad guys might want to target your weak IoT devices: to establish a beachhead inside your LAN to get at other devices or to conscript your devices to serve in a zombie computer army (I’m not kidding). Let’s take these one at a time.

If a hacker wants to spy on you or score some personal data, they need to get onto your home network, meaning they need to get past your router’s firewall. The best way to do that is to have a “man on the inside,” and usually the easiest target is a vulnerable IoT device. Each of these devices contains a tiny computer. If the hacker can take over that computer with malware by exploiting the weak security, they can now roam around your home network at will. Maybe they’ll try to infect other devices, including your computers. They could turn on microphones or cameras to spy on you or root around your files for sensitive information. While you might wonder why anyone would target you for this, you have to realize that many of these hacking programs are automated. It’s like robotic burglars roaming around neighborhoods looking for unlocked doors and windows and taking stuff that looks valuable.

But once they’ve compromised your devices, the more likely scenario is to use these devices to do nefarious things. We call these groups of hacked computers and devices a botnet. They listen for instructions from remote command-and-control computers and do their bidding. This may be attacking other, higher-value computers or simply mining Bitcoin to make their masters some money. But once conscripted into this zombie army, they can be called upon to do anything at any time.

This might sound silly, but it’s a real problem, and it’s already being exploited. Remember the Target credit card breach in 2014? Hackers got into Target’s payment system by first hacking the heating and air conditioning system. The system was on the same network as the credit card database. In another story, the CEO of cybersecurity company Darktrace revealed that a casino’s high-roller data was exfiltrated by first compromising a smart aquarium thermostat in the casino’s lobby.

Botnets are even more serious. When done well, a thousand compromised devices can bring down an entire web site. The Mirai botnet was responsible for crippling Internet service of much of the United States and parts of Europe in 2016 by taking down the DynDNS service.

The Internet of Things has a lot of promise, and at this point its spread is pretty much unstoppable. But device manufacturers have to step up their game, and governments need to start requiring these devices to meet minimum security and privacy standards, including the ability to be remotely and automatically upgraded to fix bugs as they’re found.

Virtual Private Network

Another important tool in the network security arsenal is the virtual private network (VPN). If you’ve heard this term before, it’s probably because you’ve worked at a large company. The most common use of a VPN is to allow traveling or telecommuting workers to access the big corporate network no matter where they are, as if they were located at the main office. That is, it allows remote workers to access e-mail, files, and internal web sites (resources that are normally blocked to all outside access) as if they were in the main office, plugged into a local network port or connected to the in-building Wi-Fi. The VPN extends the private corporate network (or LAN) outside the boundaries of the company. This creates a virtual private network—it’s not hardwired, but it acts as if it is. It allows someone connected to the public Internet, from any location, to appear as if they are connected to the private, internal corporate network. Furthermore, this connection is completely hidden from the other people on the public Internet, even though the packets of information are flowing freely between the mobile computer and the corporate network back at headquarters.

It’s sort of like having a private, opaque pipeline from your computer to the office. In fact, VPN connections are often referred to as tunnels for this reason. Let’s say you were locked in your castle, with an invading army at your gates laying siege to your stronghold. You would like to be able to send communications to your allies on the outside, perhaps send for help. You can’t just send a messenger out the front gate, can you? But what if you had a secret tunnel under the castle wall that ran two miles to a neighboring keep? Then you could send messengers out and even allow messengers to come in, and the army surrounding would have no idea it was happening. Actually, even if they knew it was happening, there’s nothing they could really do, unless they could somehow figure out where the tunnel was buried. If the tunnel was wide enough, your people could come and go as they pleased. That’s sort of the analogy for a corporate VLAN (virtual LAN).

But VPNs have other very interesting uses outside the corporate world, and they’re starting to become more popular with regular, everyday Internet users. Let’s look at our analogy again. A VPN is like setting up a tunnel between you and another network. This tunnel is essentially 100 percent impregnable and opaque to outside viewers. They may know it’s there, but even if they do, they don’t know where it goes. For the purposes of this analogy, it’s really almost like a magic portal: when you step through it, you are instantly transported to another place. How might we use such a thing?

Well, let’s say you’re traveling internationally for some reason—business or pleasure, it doesn’t matter. But you want to be able to access stuff on your home computer, maybe music or movies or files. You can create a VPN tunnel that will connect your laptop or tablet through the public Internet, halfway around the globe, back to your home network—as if you were sitting in your living room. (Okay, there is going to be some delay if you’re really far away, but you will still have full access to your stuff.)

But what if you want to access some of your favorite web services while you’re traveling, like Netflix or Pandora or Spotify? All three of those services are restricted; they usually work only if you’re accessing them from within your home country or region. With a VPN service, you can create a tunnel or portal from wherever you are back to your home country and appear to these services as if you’re inside the country. All of your network traffic goes through this tunnel and comes out wherever you choose (most VPN services offer you multiple “exit point” locales). For example, you might be in Italy for the summer, but as far as Netflix can tell, you’re really in Seattle, Washington, because the return IP address on all your network packets is located in Seattle, Washington. That’s because there’s a VPN server in that area that is the other end of your tunnel. (Note that these companies have begun blocking access from known VPN service addresses, so this technique doesn’t always work.)

As you might guess, the other great use for a VPN is for privacy. You may buy your Internet service from Spectrum or Comcast, but maybe you don’t want them snooping around on what you’re doing. Better yet, if you’re in some place with free, open Wi-Fi, you don’t want all the people around you being able to sniff the packets you’re sending and receiving. Oh, yes…they can do that. It’s wireless. You’re broadcasting your data indiscriminately to everyone within a few dozen feet. Now, if your connections are encrypted (HTTPS instead of HTTP), then the traffic to and from those specific sites can’t be sniffed in the open air... but not all web sites use encryption, though in the last year it’s gotten a lot better. As of 2014, according to SSL Pulse, only about 24 percent of the most popular web sites used HTTPS. Now they estimate that nearly 65 percent of today’s web sites have adequate HTTPS support. Industry and government initiatives have made it much easier to adopt HTTPS, but we’ve still got a way to go. So, if you’re using public Wi-Fi hotspots often, you should seriously consider signing up for a VPN service.

Summary

  • We reviewed the key parts of a home network and defined some common networking terms like modem, router, Wi-Fi, LAN, WAN, WLAN, and VPN.

  • We discussed important aspects of networks that provide security like firewalls and Network Address Translation (NAT).

  • The Internet of Things (IoT) promises some amazing advances in connecting all of our electronic devices, but many of them are severely lacking in cybersecurity. This is already leading to threats from vast botnets and providing beachheads for cybercrime in otherwise well-protected networks.

  • We explained how virtual private networks are becoming more important for home users, providing security and privacy, as well as access to some region-restricted services like Netflix.

Checklist

One quick note before we start the checklist. If you have trouble with your home network or if you change some settings and all of a sudden you can’t connect to anything on the Internet, you might want to reset your equipment. The proper way to reset your equipment is as follows:
  1. Turn your equipment off, including your modem, your router, and any other hardware devices like network switches, set-top boxes used for streaming music and movies, Internet telephony equipment (like Vonage or Ooma), etc. (Computers and smartphones can probably be left on; they will usually sort themselves out on their own.) You can turn off these devices by unplugging them from the wall, or sometimes you can unplug the power cord from the back of the device itself. Give this about 30 seconds.

  2. Turn the equipment back on starting at the point furthest “upstream.” In most cases, that will be your modem (the device you got from your ISP). Wait for your modem to come up completely. This usually means there are three to four solid lights and one rapidly flashing light.

  3. Follow the chain downstream. The next device is probably your router (which is probably a Wi-Fi router). Power it back up and give it a few seconds to get itself up and running.

  4. At this point, the next level downstream is probably the devices on your network. Turn them all back on.

  5. If your computer or smartphone still can’t connect, you might try restarting them, as well.

Many of the configuration items in this checklist require you to log in to your router. Unfortunately, every router is different—even routers from the same maker can have different configuration screens. There’s really no way I can cover them all in this book, so you’re going to probably have to do some searching around. Your best source is the manual that came with your router. If you can’t find your manual, search the Web for it. Type in your router’s make and model plus the word manual—that will usually find it. You can find your router’s model info on a sticker on the router.

While you can use special software “wizards” to configure your router, you should also be able to access a web page on your router that has the full configuration. In most home routers, there is a special IP address assigned to your router for this purpose. Once you get to this web page, you’ll usually be asked to log in using the default administrator credentials. Again, this will be in your router’s manual.

If you can’t find the manual, you can try Table 6-1 for some common router info. If these fail, see the web sites after the table. (In the table, [blank] means enter nothing.)
Table 6-1. Common Router IP Addresses and Admin Credentials

| Router Make | Admin IP Address | Default Admin ID/Password |
|---|---|---|
| Linksys | 192.168.1.1 | admin/admin |
| Belkin | 192.168.2.1 | admin/[blank], admin/Admin, admin/password |
| Netgear | 192.168.0.1, 10.0.0.1 | admin/password |
| D-Link | 192.168.0.1 | admin/[blank], admin/admin |
| Asus | 192.168.1.1 | admin/admin |

For a longer list of router default IP addresses, try this:
For more default passwords, try this:

Once you find this admin web page, spend some time looking around. Most of these special admin web pages will have helpful information right there to tell you what all the settings are for. Don’t let it overwhelm you, though—we will be tweaking only a few of these options.

Note

Whenever you change administrative settings on your router, be sure to “save” and “apply” those changes. That is, sometimes you can change a setting, but nothing will actually happen until you save and apply the changes. Some changes may require your router to restart, which is fine—but you will lose Internet service for maybe a minute or two while the router comes back online.

Without further ado, here’s the checklist for this chapter.

Tip 6-1. Get Your Own Modem

Internet service providers will usually install their own modem for you to use, and that modem is often a combination modem and Wi-Fi router. They will also likely charge you a monthly fee of $10 to rent this modem, which can be expensive over time. However, in many cases, you can buy your own modem for as little as $70 to $90—it’s often the same make and model that the ISP gives you.

Note that ISPs don’t like this and sometimes will find ways to make this difficult. Be sure to check with them first to make sure they’ll let you hook up your own router without any weird service charges or fees. You should also ask them which makes and models they support.

Tip 6-2. Get Your Own Router

If you haven’t done this already, you should buy your own home router. Even if the modem given to you by your Internet service provider has a built-in Wi-Fi router, for privacy and security reasons, you should not use it. Even if you have only one computer, you should insert your own router between it and your modem.
  • There are many good brands to choose from. I would go with something like Linksys, Netgear, Belkin, D-Link, or Asus.

  • I would definitely get a Wi-Fi router—there are just too many cool things out there that require Wi-Fi connections, and your friends and family will appreciate having free, secure Internet access within your home. You can always disable the Wi-Fi part when you don’t need it, if you want to be super paranoid.

  • Wi-Fi routers are pretty easy to set up these days. However, you should avoid using Wireless Protected Setup (WPS). While this technique is convenient, it’s also fraught with security bugs. Just use the “old-school” method of setting a password on the router and entering this password on the Wi-Fi devices that you want to connect to the network.

Tip 6-3. Lock Down Your Wi-Fi

Always set a password for accessing your Wi-Fi network. (Your router admin page might call it a key, a shared key, or passphrase.) This password should be fairly strong, but it doesn’t have to be crazy. People still need to be within Wi-Fi range to try to hack it, so that limits the number of attackers. I would say use a short phrase that’s easy to say and remember, maybe 12 to 15 characters long.

Tip 6-4. Use WPA2 (or WPA3, When Available)

Use Wireless Protected Access version 2 (WPA2) for your Wi-Fi encryption. Absolutely do not use Wired Equivalent Privacy (WEP)—this is old technology that was cracked a long time ago and is not secure. WPA is okay, but WPA2 is better. If there’s an option of WPA Personal or WPA Enterprise, you should use WPA Personal.

The Wi-Fi Alliance announced plans for WPA3 in early 2018, which will replace WPA2 and comes with some much-needed security updates. When this becomes available and is supported by your devices, you should use it.

Tip 6-5. Set a Strong Password for Your Router Admin Page

Your router will come with a default user ID and password to configure the router itself through the admin web page (usually something of the form 192.168.x.x). (Note that this ID and password is totally different from the Wi-Fi network password from the earlier tip!) You should change this password as soon as possible. Malware will often try to log into your router using these well-known default passwords, and if they get in, they can get up to all sorts of nasty business. You want to lock them out by changing the password to something the bad guys can’t guess.

Generate a password using LastPass and save it there. Since it’s a web page, LastPass should fill it in for you, so it can be a truly strong random password. Don’t be afraid to write this password down—you can even tape it to your router, if you want. The bad guys won’t be in your house; they’ll be trying to guess this password from some remote location.

Tip 6-6. Change Your Default SSID

Your router will come with some default network name that it broadcasts. When you whip out your smart device and look at the available Wi-Fi networks, the names you see listed there are the service set identifiers (SSIDs) of all the Wi-Fi routers near you. Having a default name can be confusing, especially if your neighbors have similar names. I would change your SSID to be something more unique but also not easy to associate with you or your home (like your name or street address).

If you really want to get paranoid, you can prevent your router from broadcasting the name at all. This might be some helpful security through obscurity if there are a lot of people near you, like in an apartment complex. Basically, you tell your router not to broadcast your network name (SSID) so that when people nearby scan for available networks, they won’t see anything. To join your network, you will have to manually set up a connection by specifying the network name (SSID).

Tip 6-7. Disable External Admin

Some routers allow you to log into their admin pages from outside your network—that is, from the public Internet or WAN. This is almost never necessary and extremely risky. If you find this feature on your router, disable it.

Tip 6-8. Disable External Services

Some routers also have services like Universal Plug and Play (UPnP) and telnet enabled on the outside of your network, the WAN side. Again, this is almost never needed and just gives hackers another place to prod for weaknesses. If you have any of these services enabled on the WAN side, be sure to disable them.

Tip 6-9. Enable and Use the Guest Network

If your router supports a guest Wi-Fi network, you should enable that. This allows people who visit your house to have access to the Internet, but not to your regular home network. You might think: but I trust these people! But you never know what devices people are bringing into your home or where they’ve been.

Be sure to set a password for the guest network, as well. You can put this password on your fridge or something so your guests can easily see it and copy it to their smartphone or whatever.

Tip 6-10. Put “Internet of Things” Devices on the Guest Net

If you have smart devices in your home like thermostats, refrigerators, smart TVs, Wi-Fi digital picture frames, light bulbs, toasters, whatever…put them on your guest Wi-Fi network, not your regular Wi-Fi network. If these devices only need to talk to something on the Internet or to each other, then there’s no reason to give them access to anything else within your home.

Note, however, that if you’re not using the “smart” features, then don’t bother connecting the device to the network at all. For example, if you’re only using your TV for regular TV functions, then there’s no need to connect it to the Internet at all.

Tip 6-11. Register Your Devices

We all hate junk mail—electronic or otherwise. And we all know that when you register the products you purchase and give them your address, you can expect to increase your level of spam. However, for any product you have that connects to the Internet—including smart devices like TVs, thermostats, light bulbs, web cams, and also your Wi-Fi router—you want to make sure the manufacturer can contact you about potential security issues and remedies. For this reason, you should suck it up and register these devices online if you haven’t already. Some of these devices will require manual software updates to fix security bugs; others may require outright replacement. But if you don’t know about the bugs, they will just sit there, waiting to be hacked.

When you register online (using your make and model number or perhaps the serial number), you should get a confirmation e-mail of some sort. Make sure that it didn’t go to your junk mail or spam folder. If you see it there, you can usually mark it as “not junk,” which should tell your e-mail service to not hide e-mails from this source in the future. If you want to be doubly sure, you can add the “from” e-mail address to your e-mail’s contact list.

Tip 6-12. Update Your Router’s Firmware

Your Wi-Fi router, in particular, is important to keep up-to-date. Using Table 6-1, you should log into your router’s admin interface and find the tab/page that lists the current version of the software installed (on appliances like this, the software is sometimes referred to as firmware). If you’re lucky, this page will have a link or button to check for updates and install them if found. If not, you will need to go to your device’s manufacturer web site to see whether you’re up-to-date. In either case, you may be asked to download a file and then upload it to your router for installation.

If you’ve registered your router with the manufacturer, you should be notified of important software updates via e-mail.

Tip 6-13. Disable Auto-connect to Wi-Fi

Many laptops, tablets, and smartphones will automatically connect to public Wi-Fi when available. Some will automatically re-connect to Wi-Fi networks that you’ve been on before. Both of these are bad. You should tell your devices to always ask you before connecting to any Wi-Fi network. If you’ve given your home Wi-Fi a unique name, then you can automatically connect to this network. But in general, you should always be notified first. Bad guys will often create fake networks with common names like “Linksys” or “Starbucks” in an effort to attack or spy on devices that auto-connect.

If you use a VPN service that automatically enables for untrusted networks, this can protect you in situations like this, too.

Tip 6-14. Turn Off Your ISP’s Wi-Fi

If your ISP’s modem comes with Wi-Fi built in, call your ISP and ask them to disable it. Assuming you have your own Wi-Fi router (explained earlier), you have no need for the ISP’s Wi-Fi, and there’s no reason to leave it on—it’s just another way someone can try to get into your home network.

If Comcast is your ISP, call Comcast and tell them you want to opt out of the Xfinity Wi-Fi service (1-800-XFINITY). You can supposedly disable this yourself, if you want to try. According to Comcast, do the following:
  1.
  2. Click Users & Preferences.
  3. Then select Manage XFINITY Wi-Fi.

     

Tip 6-15. Use ShieldsUp to Check for Vulnerabilities

One of my favorite security guys, Steve Gibson, has a web site that will help you check to see whether your router or modem has any obvious weaknesses. It’s a service called ShieldsUp (in reference to the Star Trek Enterprise).
  1.
  2. Read the little blurb in the box and then click Proceed.
  3. The next few pages are a little hard to follow. First click the big yellow Instant UPnP Exposure Test button. This should verify that you’ve disabled external UPnP access (see earlier).
  4. Then, in the funny table below, click the silver “Common ports” button... or if you want to go full tilt, click the All Service Ports button. It will scan your system to see whether any of these ports are accepting requests from outside, which they shouldn’t be. If your report is anything but green, you should use the web site to dig further. You may have to go back to your router’s admin pages to turn more things off on the WAN side.
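To show what a port scan like this is checking, here is an added example (not from the book or from ShieldsUp) that probes a router's management ports and sorts each into open, closed, or no response. Run from inside your home network it tests the router's LAN side only, so it complements the outside-in test rather than replacing it. The port list and the 192.168.1.1 address are assumptions of the example.

```python
import socket
import sys

# TCP ports this example treats as router management services. The selection
# is an assumption of the example; UPnP discovery runs over UDP and is not
# covered by a TCP connect probe.
ROUTER_PORTS = {23: "telnet", 80: "admin page (HTTP)",
                443: "admin page (HTTPS)", 8080: "admin page (alternate)"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'no response'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # something accepted the connection
    except ConnectionRefusedError:
        return "closed"        # host answered, nothing is listening
    except OSError:
        return "no response"   # timed out or unreachable: probe was dropped
    finally:
        sock.close()


def scan(host, ports=ROUTER_PORTS, timeout=2.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def report(results, names=ROUTER_PORTS):
    """One line per port that accepted a connection (the ones to review)."""
    return [f"{port}/tcp {names.get(port, 'unknown service')} is accepting connections"
            for port, state in sorted(results.items()) if state == "open"]


if __name__ == "__main__":
    # 192.168.1.1 is a placeholder; pass your own router's address instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = scan(target)
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {ROUTER_PORTS[port]}: {state}")
    for line in report(results):
        print("CHECK:", line)
```

An open admin port on the LAN side is expected, since that is how you reach the admin page; the same result seen from outside your network is what Tips 6-7 and 6-8 tell you to turn off.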

     

Tip 6-16. Use a VPN

As we discussed in the chapter, if you commonly use Wi-Fi hotspots in airports, restaurants, cafes, etc., you should seriously consider signing up for a VPN service. Sometimes your device or laptop will automatically connect to these networks, and quite often you will have smartphone apps or background computer apps that automatically send and receive information whenever they’re connected. Also, VPNs can be handy for international travelers who want to access services that are restricted to their home region (like Netflix).

VPN services are hard to evaluate and recommend because they change all the time and different people have different priorities for their secure connections. In general, I would avoid services that are primarily free—that is, that don’t have an obvious revenue model. If they show you ads or push “pro” services all the time, I would worry about their trustworthiness. If you’re going to use a VPN, it’s usually safest to pay for it. That said, here are a few solid options to consider:
  • NordVPN

  • ExpressVPN

  • ProtonVPN

  • TunnelBear
