How to harden your router, WiFi, and the growing pile of devices on your home network.
Why Home Network Security Matters
Your home router is the front door for every connected device under your roof. A compromise there is bad in ways that compound:
| Risk | Impact |
|---|
| Eavesdrop on traffic | Capture passwords, financial data |
| Attack connected devices | Infect computers, phones, IoT |
| Use your internet for crime | You may be blamed |
| Access shared files | Steal documents, photos |
| Redirect to malicious sites | Phishing without email |
| Become botnet member | Your devices attack others |
Router Security
Your router is the first line of defense. Most consumer routers still ship with mediocre defaults and a stock admin password printed on a sticker.
Essential Router Settings
| Setting | Recommendation | Why |
|---|
| Admin password | Change from default | Default passwords are public knowledge |
| WiFi password | Strong, 20+ characters | Prevents unauthorized access |
| SSID (network name) | Change from default | Hides router brand/model |
| Encryption | WPA3 or WPA2-AES | WEP and WPA are broken |
| Remote management | Disable | Close unnecessary access |
| WPS | Disable | Known security vulnerabilities |
| Firmware | Update to latest | Patches security holes |
Accessing Router Settings
| Step | Typical Process |
|---|
| 1. Find router IP | Usually 192.168.1.1 or 192.168.0.1 |
| 2. Enter in browser | Type IP address in address bar |
| 3. Log in | Default credentials on router sticker |
| 4. Change admin password | First priority |
| 5. Update firmware | Before other changes |
Finding Router IP
| Platform | How to Find |
|---|
| Windows | Open command prompt, type ipconfig, look for "Default Gateway" |
| Mac | System Preferences > Network > Advanced > TCP/IP |
| Linux | Open terminal, type ip route, look for "default via" |
| Phone | WiFi settings > current network > Router/Gateway |
WiFi Security
Encryption Comparison
| Protocol | Security | Recommendation |
|---|
| Open (no password) | None | Never use |
| WEP | Broken | Never use |
| WPA | Weak | Avoid |
| WPA2-TKIP | Adequate | Use if WPA3 unavailable |
| WPA2-AES | Good | Widely compatible |
| WPA3 | Best | Use if devices support |
Strong WiFi Password
| Characteristic | Reason |
|---|
| 20+ characters | Resistant to cracking |
| Random | Not guessable |
| Unique | Not reused from other accounts |
| Changed when shared widely | Limit long-term access |
Generate it in a password manager. Share with guests via QR code or the manager's sharing feature.
SSID Considerations
| Approach | Pros | Cons |
|---|
| Hide SSID | Slightly less visible | Devices broadcast it anyway |
| Generic name | Doesn't reveal router model | Hard to identify yours |
| Personalized name | Easy to find | May reveal info about you |
A generic name that doesn't reveal router brand or your identity is the safest middle ground.
Guest Networks
A guest network is a second SSID on the same router that cannot reach your main network. Use it for visitors and for everything labelled "smart".
Why Use Guest Networks
| Benefit | How It Helps |
|---|
| Isolation | Guests can't see your computers |
| IoT containment | Smart devices separated from main network |
| Easy password changes | Don't affect your main network |
| Reduced attack surface | Compromise doesn't spread |
Guest Network Setup
| Setting | Recommendation |
|---|
| Enable guest network | For visitors and IoT |
| Strong password | Different from main network |
| Client isolation | Guests can't see each other |
| Bandwidth limits | Optional, prevents abuse |
| Main network access | Disable |
What to Put on Guest Network
| Guest Network | Main Network |
|---|
| Smart TVs | Computers |
| Smart speakers | Phones and tablets |
| Security cameras | Network storage |
| Thermostats | Gaming consoles (if online gaming) |
| Visitor devices | Smart home hub (if controlling IoT) |
Firewall Basics
What Firewalls Do
| Function | Protection Provided |
|---|
| Block incoming connections | Prevent unauthorized access |
| Monitor outgoing connections | Detect malware communication |
| Port control | Close unnecessary entry points |
| Application control | Limit which programs can connect |
Home Firewall Layers
| Layer | Where | What It Does |
|---|
| Router firewall | Network edge | Blocks external attacks |
| Computer firewall | Each device | Blocks local network attacks |
| Application firewall | Specific apps | Granular control |
Firewall Settings
| Setting | Recommendation |
|---|
| Router firewall | Enable (usually on by default) |
| Windows Firewall | Keep enabled |
| macOS Firewall | Enable in System Preferences |
| UPnP | Disable if possible |
| Port forwarding | Only when necessary |
VPN for Home Use
What VPNs Do and Don't Do
| VPN Does | VPN Doesn't |
|---|
| Encrypt traffic between you and VPN server | Make you anonymous |
| Hide browsing from ISP | Protect from malware |
| Bypass geographic restrictions | Speed up your connection |
| Protect on public WiFi | Protect you from yourself |
| Hide your IP from websites | Replace need for good security |
When to Use VPN at Home
| Situation | VPN Helpful? |
|---|
| Privacy from ISP | Yes |
| Accessing geo-restricted content | Yes |
| Extra security layer | Marginally |
| Protection from malware | No |
| Anonymous browsing | Limited |
| Remote work requirements | Usually required |
Choosing a VPN
| Factor | What to Look For |
|---|
| Logging policy | No-logs policy, ideally audited |
| Speed | Minimal impact on connection |
| Server locations | Where you need to appear from |
| Device support | Works on all your devices |
| Reputation | Established, trusted provider |
| Payment options | Private payment if desired |
Recommended VPNs
| VPN | Notes |
|---|
| Mullvad | Strong privacy, no account needed |
| ProtonVPN | Good free tier, Swiss-based |
| ExpressVPN | Fast, user-friendly |
| NordVPN | Large server network |
| Surfshark | Budget-friendly |
Public WiFi Safety
Risks of Public WiFi
| Risk | How It Works |
|---|
| Evil twin attacks | Fake hotspot impersonating legitimate |
| Eavesdropping | Attacker captures unencrypted traffic |
| Man-in-the-middle | Intercept and modify communications |
| Malware distribution | Fake captive portals deliver malware |
| Session hijacking | Steal authenticated sessions |
Safe Public WiFi Practices
| Do | Don't |
|---|
| Use VPN | Access sensitive accounts |
| Verify network name with staff | Auto-connect to open networks |
| Use cellular if possible | Transfer sensitive files |
| Forget network after use | Leave WiFi on when not needed |
| Enable firewall | Assume the network is safe |
Safer Alternatives to Public WiFi
| Option | Pros | Cons |
|---|
| Mobile hotspot | Your own controlled network | Uses cellular data |
| Tethering | Same as above | Battery drain |
| Cellular directly | No WiFi risks | Data limits |
| VPN over public WiFi | Encrypts your traffic | VPN adds complexity |
DNS Security
What DNS Does
DNS (Domain Name System) turns website names into IP addresses. Whoever controls DNS controls which site your browser actually reaches when you type a name.
DNS Security Options
| Option | Benefits | Example |
|---|
| ISP default | None (default) | Assigned automatically |
| Public resolvers | Privacy, sometimes speed | Cloudflare 1.1.1.1, Google 8.8.8.8 |
| Encrypted DNS | Privacy from ISP | DNS over HTTPS (DoH) |
| Filtering DNS | Block malware, ads, adult content | OpenDNS, NextDNS, Pi-hole |
Recommended DNS Providers
| Provider | Address | Features |
|---|
| Cloudflare | 1.1.1.1 | Fast, privacy-focused |
| Cloudflare Family | 1.1.1.3 | Blocks malware + adult content |
| OpenDNS Family | 208.67.222.123 | Content filtering |
| NextDNS | Custom | Configurable filtering |
| Quad9 | 9.9.9.9 | Malware blocking |
Setting DNS at the Router
Changing DNS on the router affects every connected device at once:
| Step | Action |
|---|
| 1 | Log into router admin panel |
| 2 | Find DHCP or DNS settings |
| 3 | Enter new DNS server addresses |
| 4 | Save and restart router |
IoT Device Security
The Mirai botnet (2016) demonstrated the cost of cheap IoT: hundreds of thousands of insecure cameras and DVRs were quietly recruited and used to take down major sites. Treat smart devices accordingly.
IoT Risks
| Risk | Example |
|---|
| Default credentials | Camera accessible to anyone |
| No updates | Vulnerabilities never patched |
| Poor encryption | Traffic easily intercepted |
| Botnet recruitment | Devices used for DDoS attacks |
| Network pivot point | Entry to attack other devices |
Securing IoT Devices
| Action | Why |
|---|
| Change default passwords | Stop easy unauthorized access |
| Update firmware | Patch known vulnerabilities |
| Use guest network | Isolate from main network |
| Disable unused features | Reduce attack surface |
| Research before buying | Choose devices with security support |
IoT Device Inventory
Keep track of what's connected:
| Device Type | Information to Record |
|---|
| All connected devices | Name, IP address, MAC address |
| IoT devices specifically | Default password changed? Firmware updated? |
| Unused devices | Disconnect or disable |
Network Monitoring
Why Monitor Your Network
| Reason | What You Might Find |
|---|
| Unauthorized devices | Someone on your WiFi |
| Unusual traffic | Malware communicating |
| Performance issues | Bandwidth hogs |
| IoT behavior | Devices phoning home |
| Tool | Purpose |
|---|
| Router admin panel | See connected devices |
| Fing (app) | Network scanner |
| GlassWire | Traffic monitoring (Windows) |
| Little Snitch | Application firewall (Mac) |
| Pi-hole | DNS-level monitoring and blocking |
What to Look For
| Indicator | Possible Issue |
|---|
| Unknown device connected | Unauthorized access |
| High bandwidth usage | Malware, unauthorized streaming |
| Connections to unusual countries | Data exfiltration |
| Lots of blocked DNS requests | Infected device trying to reach malware servers |
Home Network Checklist
Initial Setup
| Task | Completed |
|---|
| Change router admin password | |
| Update router firmware | |
| Enable WPA3 or WPA2-AES | |
| Set strong WiFi password | |
| Disable WPS | |
| Disable remote management | |
| Set up guest network | |
Regular Maintenance
| Task | Frequency |
|---|
| Check for router firmware updates | Monthly |
| Review connected devices | Monthly |
| Change WiFi password (if shared widely) | As needed |
| Verify security settings | Quarterly |
| Update IoT device firmware | When available |
Key Takeaways
- The router is the front door. Change the admin password and update the firmware first.
- WPA3 or WPA2-AES. Anything older is broken.
- Put IoT on the guest network. Smart bulbs do not need to see your laptop.
- Disable WPS. It's been broken for over a decade.
- VPN on public WiFi. Or use cellular and skip the WiFi.
- Use a filtering DNS resolver. Cloudflare 1.1.1.3 or NextDNS handle a lot for free.
- Inventory your devices. Know what's on the network.
- Update everything that connects. Router, phones, IoT, every quarter at minimum.
- Watch for anomalies. Unknown devices on the network are a real signal.
- Network security is ongoing. A 30-minute checkup once a quarter is enough.
Next Steps
Continue to 07-mobile-security.md for the device that holds more sensitive data than any laptop you own: your phone.