Bench Talk

(Source: Proxima Studio/Shutterstock.com)

Most small and home networks connect to the internet through an internet service provider (ISP), which provides a broadband modem or router over a digital subscriber line (DSL), cable, or fiber-optic connection. This device’s primary function is to connect your home network to the internet through two components: a modem and a router. The capabilities that the modem provides often perform at the data link and physical layers: You can’t configure them. The routing components provide networking and security functionality. Although they usually don’t stack up to the features that dedicated security appliances and modern firewalls offer, you can typically upgrade or replace them with more capable options. With the proliferation of Internet of Things (IoT) devices, more connected homes, and increasingly savvy attacks, it’s more important than ever to protect your home network adequately. A quick review of the device that connects you to the internet is a good place to start.

Protecting your home network begins with your ISP broadband modem or router. Your telecommunications provider typically supplies this device, which is the demarcation point between the ISP’s service and the devices on your home network. Over the years, as telecommunications providers have improved their performance and capacity, they have required that subscribers upgrade their equipment. The latest broadband modems and routers have more security functionality than before so that in many cases, simply enabling these features is good enough to protect your home network. However, if you’re running on older equipment, you might want to consider upgrading and looking at alternatives to add modern security protections to your network.

In most cases, your ISP issues you an IP address, a subnet mask, and a default gateway to configure your broadband router to connect to the internet. The router typically has two types of ports: a wide area network (WAN) port configured with your ISP-issued public IP address and local area network ports configured to provide your home devices with dynamic private IP addresses. The router provides Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT) services to make this happen. All this results in a mostly plug-and-play installation process that ISPs try to make as simple as possible so that subscribers (especially less tech-savvy individuals) can connect their devices to the internet in as few steps as possible.

Unfortunately, many of these early broadband routers simply performed basic network filtering and port forwarding; they don’t protect your devices against more sophisticated attacks. Popular options for increasing this security include adding a dedicated security device, enabling security features that might be available on your broadband router but are not turned on by default, or upgrading your device to one more capable.

Add a Security Device

The first option, adding another security device, requires a bit more networking experience but also provides the greatest flexibility. This new device typically takes over the routing functionality that your ISP-provided equipment handles. If you can configure your broadband modem or router into bridge mode (which effectively bypasses any router functionality in your device), this can be a good option. Once your ISP device is in bridge mode, you can install a firewall (which acts as a more sophisticated router) behind your ISP device and configure its external WAN port with the public IP address that your ISP provided. All the networking and security functionality, such as traffic routing and inspection, DHCP, and NAT, will be handled by this new security appliance. Recently, an explosion of new, lower-cost security devices combine network firewalling, routing, switching, and services with wireless access point management and threat protection into a single device that you can install behind your broadband modem. Several low-cost open-source firewalls are available to install to provide commercial-grade protection for your network.

Enable Security Options on Your Current Device

For the second option, enabling security options on an already-installed device, you must have administrative access to your ISP broadband router and an idea of which security capabilities are available. A quick internet search on your broadband router’s make and model typically leads to a device service manual that describes the additional security configurations. In many cases, these features won’t rival those offered by dedicated security equipment, but this option is much easier and less expensive to set up than installing a new inline security device.

Replace Your Existing Router

Finally, you might replace your entire broadband router or bridge with a different model with the additional security features you want. For example, the website for the popular cable ISP Xfinity lists compatible devices that work with its service from companies such as Arris, Motorola, and NETGEAR. These products have different security features and prices, but they are all easy to install: You simply replace what you already have.

It is important to remember that many successful security attacks bypass network firewalls altogether. For example, simple firewalls won’t detect phishing attacks that trick users into divulging their credentials or clicking a link to a website that leads to malware. Although more sophisticated security devices that use threat intelligence feeds and real-time blacklists can lower the risk, a firewall solution alone is usually not adequate to fully guard against these kinds of attacks.

These broadband devices play important roles in protecting you against some attacks, but it remains critical that you enable other security protection. Protect your endpoints by patching your computers regularly with security updates and enabling the security features that your operating system provides. Don’t forget that the smart devices that you connect to your home network might have fewer security capabilities than your computer: Isolating those devices into a network separate from your sensitive data can be wise. It’s not always possible to patch these IoT devices, and their built-in security capabilities might be rudimentary at best. That said, upgrading and adding additional network security capabilities to your broadband connection might provide just enough security for these devices.