Part 3: Network & Home Security

🗺️ Series: Overview • Part 1: Recognizing Scams → • Part 2: Essential Tools → • Part 3: Network Security (current page) • Part 4: Daily Habits →

⚠️ Disclaimer

I’m not a certified security professional or lawyer. I’m just sharing my experience and security habits - things I try to follow myself and urge my mom to practice as well. This is not a professional security consultation, nor a legal advice. Your situation may differ. When in doubt, consult with qualified paid professionals.

A home network is like a house. Nobody would leave their front door unlocked, right? Yet many people leave their routers with default passwords and wide-open network access.

This post is about building a secure home network - my digital fortress.

🎯 Bottom Line

The router is the front door to digital life. Secure it properly, and most attackers are blocked.

1. Security Doesn’t Have to Be Expensive

For Most People: A Good Router

A decent router with firewall capabilities costs $100-$300.

What I looked for:

• Built-in firewall (most modern routers have this)
• Regular firmware updates from manufacturer
• Support for guest networks
• WPA3 encryption (or at minimum WPA2)

Routers I recommend:

• asus_rt_ax86u (good balance of features/price)
• TP-Link Archer BE6500 (budget-friendly)
• Netgear Nighthawk RS90 (solid performance)
• amazon_eero_7 (easy setup, mesh support)

What I Personally Use: Firewalla

🛡️ What I Use: Firewalla

I use Firewalla at home. It’s on the pricey side ($189-$500+ depending on model, up to $1,000 for Gold Pro), but it’s what I set up for my mom too because:

• Automatic updates - set it and forget it
• Great network monitoring - I can see what’s happening on my network
• Excellent ad-blocking and threat-blocking
• Very easy interface - my mom can actually use it
• Great support when I need help

I’ve tried many routers/firewalls over the years (pfSense, UniFi, OpenWRT, D-Link, Linksys, etc.), and for home use, Firewalla is my top pick for non-technical family members.

For Tech-Savvy Users

For those comfortable with more complex setups:

• pfSense - Free, powerful, open-source firewall
• UniFi Dream Machine - Prosumer-grade networking
• OPNsense - Another excellent open-source option

💸 Worth It?

Compared to the cost of identity theft recovery? It’s worth it.

Identity theft recovery costs:

• Direct financial loss: $500 median (but 18% lose $1,000-$5,000, 12% lose $10,000+)
• Recovery expenses: $1,200+ average (legal fees, lost wages, document replacement)
• Time investment: 6-12 months on average (100-200+ hours of work)
• Severe cases: Can exceed $100,000+ in losses
• Complex cases (especially tax-related): Up to 2+ years to fully resolve

Router security investment:

• Good router cost: $100-400 (budget to premium)
• Time to set up: 1-2 hours

2. I Changed The Default Passwords (Finally!)

This is the #1 mistake I see people make.

What Hackers Do

1. Scan for routers on the internet
2. Try default username/password combinations
3. Get in because people never changed them
4. Access the entire network

What I Changed

Router admin password:

• Default was: admin/admin or admin/password
• I changed it to: Strong unique password (from my password manager)

WiFi password:

• Default was: Printed on bottom of router
• I changed it to: Long, complex passphrase

Router SSID (network name):

• Default was: “NETGEAR-5G” or “TP-Link_XXXX”
• I changed it to: Something that doesn’t identify the router model
• Bonus: I didn’t use my address (hiding in plain sight)

💀 Real Attack

A friend’s router got hacked because they never changed the default password. The hacker:

• Changed DNS settings to redirect to malicious sites
• Intercepted online banking credentials
• Cost: $3,000 in fraudulent charges

All because of “admin/admin”

3. How I Segment My Network (Guests & IoT Separated)

I think of my network like my house with different rooms:

• Private room (my computers, phones, sensitive data)
• Guest room (visitors’ devices)
• Garage (IoT devices - smart TVs, cameras, etc.)

Why I Do This

My scenario: I have cheap smart lightbulbs with terrible security. If a hacker compromises one, without network segmentation, they’d have access to:

• My computer
• My files
• My security cameras
• Everything on my network

With segmentation: They only get access to my lightbulbs. Big deal.

How I Set This Up

What I did (Easy way):

Most modern routers support guest networks:

1. I logged into my router
2. Enabled “Guest Network”
3. Gave it a different password
4. Made sure “Allow guests to access local network” was OFF

What I put on guest WiFi:

• Visitors’ devices
• Smart home devices (TVs, speakers, lightbulbs)
• Game consoles
• Anything I don’t fully trust

For advanced users (VLANs):

For those who are tech-savvy with managed switches, I’d use VLANs for better isolation.

My DMZ Setup

I have a game server that needs incoming connections, so I put it in a DMZ (Demilitarized Zone).

This gives it internet access without exposing my private network.

4. My Allow-List Philosophy

When I configured my firewall, I thought about this:

Block-list approach: Block bad things

• Problem: There are millions of bad things
• I’d always miss some

Allow-list approach: Only allow good things

• Better: There are only a few thousand good things
• Much easier to maintain

🔑 My Setup

I default to deny. I only allow what I know I need.

My Example

Bad approach: “Block known malware sites” (there are millions) What I do: “Only allow connections from my devices” (there are maybe 10)

How I Configured This

Most routers call this “Access Control” or “MAC Filtering”:

1. I listed all my devices’ MAC addresses
2. Set my router to “Allow listed devices only”
3. Anything else gets rejected

5. How I Handle My IoT Devices

Smart home gadgets are convenient but often have terrible security.

What I Do Before Connecting Any IoT Device

Before I connect any IoT device:

• I research the brand’s security reputation
• I change the default password immediately
• I check if it requires a cloud account (privacy concern)
• I put it on guest WiFi or separate network
• I disable unnecessary features (camera/microphone if not needed)
• I check for firmware updates regularly

💀 IoT Horror Stories

• Smart doorbell - Hacked, used to spy on family
• Baby monitor - Stranger talking to baby through camera
• Smart TV - Recording conversations, sending to manufacturer
• WiFi lightbulb - Used as entry point to hack entire network

My IoT Setup

What I have:

• Smart lights (Philips Hue)
• Security cameras (local storage only, no cloud)
• Smart thermostat
• WiFi speakers

How I secure them:

1. All on separate guest network
2. Firewall blocks them from accessing internet except for updates
3. Local control only (no cloud when possible)
4. Regular firmware updates

6. How I Configured My Router Firewall

My Firewall Settings

SPI (Stateful Packet Inspection):

• Usually enabled by default
• Blocks unsolicited incoming connections
• I left this ON

UPnP (Universal Plug and Play):

• Convenient but dangerous
• Allows devices to open ports automatically
• I turned this OFF

DoS (Denial of Service) Protection:

• Protects against flood attacks
• Should be on by default
• I verified it was ON

WPS (WiFi Protected Setup):

• Vulnerable to brute-force attacks
• I never use the “push button” setup
• I disabled this

⚙️ Mom’s Router Setup

1. Change admin password ✅
2. Change WiFi password ✅
3. Enable WPA3 (or WPA2 minimum) ✅
4. Disable WPS ✅
5. Disable UPnP ✅
6. Enable guest network ✅
7. Set up automatic firmware updates ✅
8. Disable remote management ✅

7. How I Keep My Firmware Updated

Router firmware updates fix security vulnerabilities.

How I Update My Router Firmware

What I do (Automatic):

• I checked if my router supports auto-updates
• I enabled it
• This is why I like Firewalla - always auto-updated

For older routers (Manual):

1. I log into the router admin panel
2. Check current firmware version
3. Visit manufacturer’s website
4. Download latest firmware
5. Upload to router
6. Restart

How often I check: Quarterly, or I enable auto-updates

🔑 Lesson Learned

Many router manufacturers stop updating firmware after 2-3 years. When my old router stopped getting updates, I replaced it.

What I’d Do First If Starting Over

If I were starting fresh, here’s what I’d tackle first:

• Change the router’s default password - This was literally the first thing I did
• Set up a guest WiFi network - Took me 10 minutes and immediately isolated IoT devices
• Move IoT devices to guest network - I did this the same day I set up the guest network
• Check for router firmware updates - I do this quarterly now, or enable auto-updates
• Disable WPS on the router - I disabled this immediately after changing the password

Next in Series

Part 4: Daily Security Habits →

Learn the everyday habits that keep people secure: safe browsing, social media privacy, online shopping safety, and what to do if hacked.

More Resources

• How to Secure Your WiFi Router - CISA Guide
• Router Security Checklist - Consumer Reports
• pfSense Documentation - For advanced users

Last updated: January 31, 2025