Your network and WAN connection

The Network

This includes all the infrastructure that your PC and other devices use to connect to each other (LAN) and to the internet (WAN). We are not particularly concerned about the cabling in your dwelling or office, although it should be kept in good condition and the cable should be of good quality. Cat5e cable should work reliably at 1 Gb/s for distances up to 100 m. Some suppliers stock cheap versions labelled as 5e that can barely handle 1 Gb/s for more than a few metres; these should be avoided.

WiFi is a much greater risk, and must always be kept secure using strong passwords and WPA2 encryption, never WEP. While mostly short range, it is still open to access from anyone nearby, and from much further away with a high-gain directional aerial. Radio signals are invisible, have few barriers, and broadcast everything to the world. Without secure encryption it's really no different from climbing on your roof with a megaphone and shouting all your secrets to the world. It's also a shared medium, mostly half duplex (one direction at a time), has higher latency, and speed drops dramatically when more than one user accesses it at the same time. Liken it to trying to hold a conversation in a room full of people, or having a cell-phone conversation at a public event. Therefore WiFi should be reserved for portable devices only. TVs, desktop PCs, laptops and other devices with a cable network option should always use cable where possible. Cable is generally exclusive to each connection, and common or shared segments are controlled by switches, which support store and forward, meaning data can be delayed but is rarely corrupted or lost.

Things..

The most dangerous things these days are appliances: TVs, fridges, smart ovens, heat pumps, baby monitors, old phones, and many IoT (Internet of Things) devices such as doorbell and video security systems; in fact anything controlled via WiFi and your phone. The big worry is that these devices "phone home" to servers somewhere so that your phone can interact with them from anywhere. Many are not securely designed, weaknesses have since been discovered, and there is often no way to fix them because the devices cannot be updated. Foreign manufacturers have been found to be very negligent in this respect.

We expect many of our home appliances to be usable for 10 to 20 years, but for how long will the software be updated, and what happens when a major flaw is discovered? These devices need to come with a published and guaranteed service life which cannot be ignored just because they are out of warranty. Ask for answers to these questions before buying such devices, to force retailers to acknowledge that they have new ongoing responsibilities to consumers.

A popular baby monitor was recently found to allow viewing of other people's children simply by changing the username while browsing. No further password was required once logged in!

Attacks on IoT devices increased by 217% in 2018, with routers (see the next section) and cameras accounting for most of them.

If you have Philips Hue light bulbs or other Zigbee devices, be sure to update the bridge software to the latest version, as it was discovered (Feb 2020) that they allow easy access to your network by anyone within 100 metres of your WiFi access point! If one of your bulbs goes crazy and becomes unreachable it is likely infected. Do not reset it; just remove the bulb and dump it. A reset and re-discovery will allow a hacker access to your whole network.

We recommend implementing the FBI IoT recommendation that a separate local network be used for such devices. Often a couple of older ADSL routers can be used to achieve this with little effort. Simply connect one of your main router's LAN ports to the Internet (WAN) port of the older router (which may also have its own WiFi aerials). Because routers act like one-way valves, signals can get out, but not in, unless via a connection first created by an internal device. The two networks are then isolated from each other. Use one for your IoT devices and the other for normal internet. No connection between them is possible without specific configuration, so if one of your IoT devices gets owned, your main devices are likely safe. The disadvantage is that sometimes a cross connection is actually needed for management, which reduces security. If this access is important, consult an expert and request a system isolated using VLAN technology. While somewhat complex, these can be configured to allow specific local devices to securely access both networks.
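The two-router arrangement above is only worth having if the isolation actually holds, so here is a small check, written for this page as an added example and not part of the original text or any product. Run it from a device on the IoT network and it tries to open TCP connections to your trusted network (the router's admin page and a PC); every attempt should fail, while a public internet host should still answer. Because the "one-way valve" only blocks connections into the network behind the second router, this also tells you whether the two networks are the right way round: if the IoT side can reach the trusted side, swap them. All addresses and ports below are constructed placeholders; substitute your own.

```python
"""Isolation check for a separate IoT network (added example, not from the
original page).

Run from a device on the IoT segment.  Each TCP connection attempt towards
the trusted network should fail; a connection to a public internet host
should still succeed.  Any trusted-network address that answers is a hole
in the isolation.  Addresses below are constructed placeholders.
"""
import socket
from typing import Callable, Dict, List, Tuple

Target = Tuple[str, str, int]  # (label, host, port)

# Constructed targets on the *trusted* network (assumed 192.168.2.0/24 here).
# Ports 80/443 are where a router's web admin page answers; 445 is Windows
# file sharing on a desktop PC.
TRUSTED_NETWORK_TARGETS: List[Target] = [
    ("trusted router admin page (http)", "192.168.2.1", 80),
    ("trusted router admin page (https)", "192.168.2.1", 443),
    ("desktop PC file sharing", "192.168.2.20", 445),
]
# A public resolver on 443, used only to prove the IoT segment still has
# its own path to the internet.
INTERNET_TARGET: Target = ("internet (1.1.1.1:443)", "1.1.1.1", 443)


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, no route: all count as blocked
        return False


def assess_isolation(
    trusted_targets: List[Target],
    internet: Target,
    probe: Callable[[str, int], bool] = tcp_reachable,
) -> Dict[str, object]:
    """Probe every trusted-network target plus the internet reference.

    `probe` is injectable so the logic can be exercised without a network.
    Returns the labels of trusted targets that answered ("leaks") and
    whether the internet reference was reachable ("internet_ok").
    """
    leaks = [label for label, host, port in trusted_targets if probe(host, port)]
    _, net_host, net_port = internet
    return {"leaks": leaks, "internet_ok": probe(net_host, net_port)}


def verdict(result: Dict[str, object]) -> str:
    """Turn an assess_isolation() result into a one-line conclusion."""
    leaks = list(result["leaks"])  # type: ignore[arg-type]
    if leaks:
        return "NOT ISOLATED: reachable from the IoT segment: " + ", ".join(leaks)
    if not result["internet_ok"]:
        return "ISOLATED, but no internet: check the second router's WAN link"
    return "ISOLATED: trusted network unreachable, internet reachable"


if __name__ == "__main__":
    print(verdict(assess_isolation(TRUSTED_NETWORK_TARGETS, INTERNET_TARGET)))
```

The probe is deliberately a plain TCP connect rather than a ping: many routers and PCs ignore ICMP while still answering on their service ports, and a connect to the admin page port is exactly what an infected IoT device would try.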

Router

This is probably the most neglected area of your network. In many cases it also provides your WiFi, as well as the DSL modem to your phone line, or more recently it is an ISP-provided router for a UFB or fibre internet connection. These little boxes have a huge responsibility to isolate your local network from the internet and to only allow wanted traffic to cross. They provide our only real border security, and often they run outdated software that has been found to have serious flaws. Responsible manufacturers regularly provide updates to fix these, but very few are automatically installed. Some will alert you that updates are available, but you need to log in to the router in order to apply them. Also, a shocking number of these routers have been discovered to have old flaws that have never been fixed and are still present in their latest models some years later. Worst of all, most domestic users are totally unaware they are vulnerable and that fixes might exist, or how to connect to the router to update it, and often don't know the username and password needed for access. These are often still the factory defaults, as the owner has never changed them, meaning anyone can find them on Google or at routersecurity.org for the brand and model. Better models have one allocated at random and written on a label underneath.

A new botnet called Reaper is now actively finding and cataloguing these unprotected routers and installing software on them. So far it has found several million of them just by using known flaws and the factory default login. No one knows just what it intends to do with these, but one year some 100,000 baby monitors were used to attack DNS servers in the USA and were able to take down almost half the internet for several hours. The power of using millions more to sustain attacks doesn't bear thinking about, but to date Reaper has behaved very benignly, and some experts suggest it's more a big red light to warn router manufacturers to finally take some action.

Vulnerable Common Devices:

  • D-Link routers.
  • Netgear routers.
  • Linksys routers.
  • Internet-connected surveillance CCTV, belonging to companies like AVTech and Vacron.
  • And this list continues to grow...

Now I challenge you to check your own router and, if possible, update it immediately. If it's one of the above and not fixable, just replace it. To get you started, connect to your own router by pointing your web browser at your router's IP address. This will likely be something like http://192.168.1.1 or http://10.0.0.1 rather than a domain name, but in all cases it will be the same as the Default Gateway address it allocated to your PC. You can find this address recorded in the network properties/details of any PC connected to your network. When first connecting your browser to the router it may object to an insecure, mismatched or expired certificate. That warning is a good thing, but the certificate is most likely self-signed by the manufacturer, so it can be safely ignored and accepted as OK. Username and password login boxes should then appear.

At that point you are on your own, but if the login is unknown you can examine the router case and manual for clues. As a last resort it may be necessary to reset it to factory settings, which include a default login and password, typically admin/admin or 1234 etc. (Most have a reset/restart button which must be held down for 10 seconds or so to fully reset. Check you have your ISP's broadband login details first; it's often the same as the email login and password.) Once you have gained access, there should be a menu option somewhere to upgrade, or to apply an upgrade, although you may need to visit the manufacturer's web site and download it first. Do be sure that it is the correct one for your router model. It's also possible you may need to apply several version upgrades as steps in a sequence. Remember to always change the default password; it is quite safe to write this down in the manual or put it on a sticker underneath the router itself.
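The first hurdle in the procedure above is simply finding the router's address. The following Python script is an added example written for this page (not from the original article or any router vendor): it reads the operating system's routing information, pulls out the IPv4 default gateway, which the text notes is always the router, sanity-checks that it is a private home-network address, and prints the URLs to paste into a browser, HTTPS first because that is where the self-signed certificate warning mentioned above will appear. The choice of `ip route` on Linux, `netstat -rn` on macOS and `ipconfig` on Windows, and the sample outputs used to exercise the parser, are this example's own assumptions.

```python
"""Locate your router's admin page from the default gateway (added example,
not from the original page).

Parses the IPv4 default gateway out of Linux `ip route`, macOS/BSD
`netstat -rn` and Windows `ipconfig` output, then builds the browser URLs.
"""
import ipaddress
import platform
import re
import subprocess
from typing import List, Optional

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
GATEWAY_PATTERNS = [
    # Linux:  "default via 192.168.1.1 dev wlan0 proto dhcp metric 600"
    re.compile(r"^default via " + IPV4, re.MULTILINE),
    # macOS / BSD netstat -rn:  "default   192.168.1.1   UGScg   en0"
    re.compile(r"^default\s+" + IPV4, re.MULTILINE),
    # Windows ipconfig:  "Default Gateway . . . : 192.168.1.1"; an IPv6
    # link-local address may be listed first, with IPv4 on the next line.
    re.compile(r"Default Gateway[ .]*:\s*(?:[0-9a-fA-F:%]+\s+)?" + IPV4),
]


def find_default_gateway(route_output: str) -> Optional[str]:
    """Return the IPv4 default gateway found in routing-tool output, or None."""
    for pattern in GATEWAY_PATTERNS:
        match = pattern.search(route_output)
        if not match:
            continue
        candidate = match.group(1)
        try:
            ipaddress.IPv4Address(candidate)  # rejects junk such as 999.1.1.1
        except ipaddress.AddressValueError:
            continue
        return candidate
    return None


def is_home_router_address(gateway: str) -> bool:
    """Home routers hand out private (RFC 1918) addresses.  Anything else
    suggests you are looking at an ISP or carrier gateway, not your own box."""
    return ipaddress.IPv4Address(gateway).is_private


def admin_urls(gateway: str) -> List[str]:
    """URLs to try in the browser: HTTPS first (expect a self-signed
    certificate warning), then plain HTTP for older routers."""
    return [f"https://{gateway}/", f"http://{gateway}/"]


def route_command() -> List[str]:
    """Command that prints routing information on the current OS (assumption:
    `ip` on Linux, `netstat` on macOS, `ipconfig` on Windows)."""
    system = platform.system()
    if system == "Windows":
        return ["ipconfig"]
    if system == "Darwin":
        return ["netstat", "-rn"]
    return ["ip", "route"]


def current_gateway() -> Optional[str]:
    """Run the OS routing command and parse the gateway from its output."""
    output = subprocess.run(route_command(), capture_output=True, text=True).stdout
    return find_default_gateway(output)


if __name__ == "__main__":
    gw = current_gateway()
    if gw is None:
        print("No IPv4 default gateway found; are you connected to the network?")
    else:
        kind = "home router" if is_home_router_address(gw) else "NOT a private address"
        print(f"Default gateway {gw} ({kind}); try: " + "  ".join(admin_urls(gw)))
```

If the gateway reported is not a private address, you are probably on a mobile hotspot or a bridged ISP device, and the box you can log in to is not the one routing your traffic.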

Routers don't last forever. If yours is in the habit of requiring regular power-down resets to regain internet, it's due for replacement. Our advice is to first do some research on Google and at your local store regarding security issues, and determine whether frequent updates are provided. Generally you get what you pay for, and depending on the features offered, such as WiFi and number of network ports, we would expect an N.Z. price range from $100 to $500. The more you pay, the more a manufacturer is motivated to provide ongoing support, even automatic updates or a managed service providing hacker and bad-website protection with extra security. We recommend Draytek, and for very advanced and tech-savvy users the Ubiquiti range.

Don't expect good WiFi if your router is in your garage and your living areas are at the other end of the house. If you have any cabling installed and outlets in multiple locations, consider a straight router with multiple network ports, or purchase a separate switch and locate WiFi access points close to where they are needed. A mesh network might also be a solution, but try to avoid WiFi repeaters, which we have found don't work very well. Instead consider using power-line networking to simulate cabling. These use your 230V power wiring as network cables and can work extremely well, with speeds of 1 Gb/s if on the same fuse or breaker circuit. They often need little or no setting up: just plug the master into the same power socket as your router and connect it to a router port with a short network cable. Plug the slave unit into another power point, such as at your main TV or lounge. Some slave units have WiFi built in as well as a network port you can connect directly to your TV for streaming, thus leaving the WiFi for your portable devices.

Note that WiFi is a shared-bandwidth connection, and if two or more devices are transferring data at the same time, the speed drops proportionally. It's basically like trying to listen to a political debate when all participants are shouting over each other. If two or more devices transmit simultaneously they interfere with each other, causing data loss which must be re-sent. Wired networks generally have one cable per device, or share a switch that can store and forward traffic from each device and prioritise it, which mostly eliminates lost packets.

For those who are just curious or a little technical, we recommend installing a couple of Android apps on your phone: Fing (Fing Ltd) and Wifi Analyzer by farproc. These will show many details about your network which may surprise you and reveal simple solutions to issues, such as your WiFi sharing the same channel as a close neighbour.