Normally, we think of threats as being “out there” on the internet. The problem is that sometimes the threat is nearby, right in our own home.
This article was originally titled “How Do I Protect Myself from My Children?” On reflection, though, it’s not just the kids you need to worry about; it’s just about any device you connect to your network: the computer your friends bring over, the “internet of things” enabled device you purchase, the smart TV … and yes, sometimes the computer belonging to a precocious child.
The good news is, you can protect yourself. You just have to look at your network a tad differently.
Become a Patron of Ask Leo! and go ad-free!
Who do you trust?
First, we need to group the computers in your home into distinct buckets:
To protect one bucket from the others, we somehow need to split the network, which might be easy if your router supports it, or slightly more difficult if not. On top of that we also need to talk about how the “Internet of Things” and software firewalls affect what we do.
Split the network using guest access
One approach is to carve your local network into two: a trusted and an untrusted network.
Routers protect you from the internet; the threats that are “out there”. A more simplistic way to think of it is simply this: one side of a router is trusted — the LAN (Local Area Network) into which you plug in your computers — and the other side, the WAN (Wide Area Network), or internet side, is not.
The router protects the trusted side from the untrusted side by preventing incoming connections: only connections that originate from the trusted side can be made across the router.1 In other words, only information your computer asks for comes across the connection. Malicious attempts to get into your computer from out in the wilds of the internet are blocked.
Some modern consumer routers include what is called “guest access”. This creates two local networks isolated from one another.
Guest access protects the trusted side from the less-trusted, as no connections can be made between the two, while protecting them both from the internet.
Unfortunately, guest access is usually restricted to wireless connections. That means if you have a wired connection, like that of your kid’s computer in their bedroom, you may not have this option.
Split the network by getting a second IP
In our last example, we’ve set up two local networks isolated from one another by virtue of the split that happens at the router. This works well, as the router not only splits the network but allows you to share the single IP address assigned to you by your ISP.
Of course, with your ISP’s help, you can set up two, actual, distinct networks.
All you need from your ISP is two IP addresses on your single connection. This allows you to use a switch to physically split the connection, and permits each router to get its own distinct IP address. This sets up two completely separate networks, isolated from one another.
Unfortunately, being able to get multiple IP addresses on a consumer-grade internet connection is rare, and also likely to confuse your ISP salesperson.
You can accomplish the same thing without a switch (or the confusion) by purchasing two completely separate internet connections from your ISP, or two separate internet connections from two separate ISPs.
But that seems like overkill.
Split the network by using a second router
If your router doesn’t support guest networks, and your ISP doesn’t support multiple IP addresses, and you don’t want to pay for a second separate internet connection, here is a way to jury rig a solution using two routers.
Normally, we plug the WAN side of a router into the internet, but it actually doesn’t have to be that way. You can plug your router into another router.
In this case, the internet feeds to router #1, which feeds the less-trusted guest or kids network. The WAN (or “internet”) side of router #2 is connected to the LAN side of router #1. Trusted computers are connected to router #2.
In this diagram, connections can only be established upwards, towards the internet. All the PCs in this diagram connect to the internet. Connections cannot be established downward, meaning that everyone is protected from connections attempting to come in from the internet. More importantly, the less-trusted network cannot establish connections into the trusted. (In theory, trusted PCs devices would be able to connect to less-trusted devices, but that’s generally impractical for a variety of reasons.)
You wouldn’t expect your fridge or television set to be a security or privacy risk, but now it’s quite possible. Internet-connected appliances are becoming more and more popular, and unfortunately, security seems to be only an afterthought.
The good news is that we’ve yet to hear about IoT devices being used to attack other devices on local networks; to date, attacks have used them to cause trouble on the public internet. However, it’s easy to imagine future scenarios in which the threat may strike closer to home.
When it comes to internet connected devices:
- Disconnect them from the internet if the functionality provided isn’t being used, or isn’t worth it. Most “smart TVs”, for example, continue to work just fine without being connected.
- If they are going to be connected, consider treating them as the “less trusted” devices we’ve discussed above. Connect them to your guest network, for example.
- If you must connect them to your trusted network, make sure the other devices sharing the network are appropriately protected.
In most cases, that “appropriate protection” takes the form of a firewall.
The computers and devices that share a network are not protected from each other. If your computers are all safely connected to a “trusted” network, they’re still vulnerable to each other. That network relies on trust, and if that trust is violated by accidentally installing malware, or doing something else risky, other computers on that network could be exposed.
That’s why almost all PCs now come with a built-in firewall, enabled by default. This provides important protection of each machine from everything else.
Software firewalls, such as Windows’ own firewall, are good — and, indeed, they’ve become progressively better with each release of Windows — but they’re still not the same caliber as the natural firewall provided by a router; you need both.
Software firewalls are perfect for protecting your machines from one another, however.