Personal Network Layer Security
security network smalltech
You can’t do much these days without connecting to the Internet. Unfortunately this means exposure to:
- getting hacked by randoms
- corporate malfeasance
- government malfeasance
Your network channels are probably the first thing you should think about securing. There are lots of other things you should do as well, but most of them are worthless without at least some network security. There is no 100% foolproof approach, so I’m ordering this by bang-for-your-buck (in terms of time and/or money).
15 minutes + $0
No time or money? Do any or all of these tasks, if they apply to you.
- Change your router’s admin password
- Ensure your wi-fi is set to use WPA3 only
- Install a free VPN on your mobile devices (Android | iOS)
1-2 hours + $0-100
Have a little more time and/or cash?
Switch to a Subscription VPN
Why: Software VPNs are a great piece of security kit. They partially anonymize your traffic by providing you a random exit address and encrypting traffic between you and the VPN provider, hiding it from local snoops and your ISP. They can aid you in region-switching, which is useful for eking more value out of streaming services. Paying for it can be worth the money: unlimited bandwidth means you can use the VPN more liberally, and when paying you usually get an ad-free experience with more exit locations, which is an improvement over most free-tier VPN services.
There are a lot of no-log, privacy-friendly options that are also modestly priced.
Upgrade to WPA3-Capable Wi-Fi Router
Why: Anything prior to WPA3 (WPA2, WPA, WEP) is crackable in practice, not just in theory. Someone can sit within range of your setup and get directly onto your network, with direct access to your devices. WPA3 encryption is, in this regard, the most important feature of your router. If your router doesn’t support it, pay for an upgrade.
Rotate Your Wi-Fi Password
Why: WPA3 is the best generally available wi-fi encryption option in 2025, but can still be compromised or worked around. Changing your password periodically can potentially mitigate some of the available attacks. Do it:
- immediately, if you lose a device that was connected to your network
- immediately, if currently weak (shared, short, dictionary or based on personal info)
- immediately, if upgrading to WPA3 from WEP/WPA/WPA2
- semi-annually, to prevent brute-force attacks
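The “weak” criteria above (shared, short, dictionary, or based on personal info) are easy to turn into a quick audit. The following is an added example, not code from the original post: a small Python checker that flags a Wi-Fi passphrase for those reasons, plus a generator that builds a replacement from a word list using the OS CSPRNG. The word list, the 16-character “short” threshold and the tiny common-password set are constructed assumptions; a real generator should use a large list such as the EFF diceware list.

```python
import re
import secrets

# Constructed toy word list, only to keep the example self-contained.
# Assumption: a real generator would use a large published list instead.
WORDLIST = ["copper", "harbor", "lantern", "meadow", "orbit", "pixel",
            "quartz", "ripple", "saddle", "timber", "velvet", "walnut"]

# Constructed sample of leaked/common passwords; real audits use a big breach list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1", "admin123"}

SHORT_THRESHOLD = 16          # assumption: treat under 16 characters as "short"
WPA_MAX_PASSPHRASE_LEN = 63   # WPA/WPA2/WPA3-Personal passphrases are 8..63 ASCII chars


def weak_reasons(passphrase: str, personal_info: list[str]) -> list[str]:
    """Return the reasons a passphrase is weak; an empty list means no obvious problem.

    The checks mirror the post's criteria: short, dictionary word, personal info.
    `personal_info` is a list of strings such as names, pets, street, birth year.
    """
    reasons = []
    lowered = passphrase.lower()
    if len(passphrase) < SHORT_THRESHOLD:
        reasons.append("short")
    # Strip digits/symbols so "copper123" is still recognised as a dictionary word.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS or core in WORDLIST:
        reasons.append("dictionary")
    for item in personal_info:
        if item and item.lower() in lowered:
            reasons.append("personal info: " + item)
    return reasons


def generate_passphrase(words: int = 5) -> str:
    """Build a random multi-word passphrase with secrets.choice (CSPRNG, not random)."""
    phrase = "-".join(secrets.choice(WORDLIST) for _ in range(words))
    if len(phrase) > WPA_MAX_PASSPHRASE_LEN:
        raise ValueError("too many words for a WPA passphrase")
    return phrase


if __name__ == "__main__":
    print(weak_reasons("Rex2024", ["Rex"]))   # short, personal info
    print(generate_passphrase())
```

With a 12-word list the generated phrases are only illustrative; entropy scales with the size of the list (roughly log2(list size) bits per word), so the list, not the code, decides how much brute-force resistance you get.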
Stock Up on RF/Faraday Bags
Get an RF/faraday bag to store smart phones and other radio-enabled devices when not in use.
Why: Cell phones and other mobile devices can be tracked over networks in several surprising ways. You might think flipping into Airplane Mode is enough to fix that. But that is a software switch and can be overridden. Some apps also collect data while offline and then upload it when back on (GPS/location apps). You might think turning off your phone will help. But some modern mobile devices do not completely disable their radios when turned off, to support E911 and anti-theft features (or because of malware), and since you can’t easily take the battery out, they remain available to the network.
A viable option is to just put your device in a metal bag to block signals from getting in or out of the phone. They are cheap. Buy a few, test them to be sure they work, then stuff a spare in your purse or glove box.
Multi-Day + $100-1000
Extra cash lying around? Paranoid? Want a project to work on? These might suit you.
Burner Phones + SIMs
Why: Flip phones + prepaid, if used and sourced properly, potentially augment privacy. They are relatively cheap, so you can more easily refresh hardware/IMEI. You can usually remove the battery to kill the radio. If you don’t use them to sign in to any personally-identifying accounts, they are less traceable than a smart phone, though not untraceable; they are more for avoidance of corporate surveillance than they are for dodging the government.
Install a Wired Network
Why: If you have a physically secure place to install a switch and the ability to run cables, having a wired network can prevent access to your network by people who don’t have physical access to your space. It makes it harder for creepy neighbors and unmarked vans to get on your network. It does come with the minor inconvenience of having to plug things in.
You can still maintain a hybrid wi-fi network for wi-fi-only devices and guests; a guest network can still be configured to reach the internet, but not reach your more trusted wired network, on which you’d keep your network storage, kids’ PCs, security cams, and other sensitive devices.
Install a Home VPN
Why: If you don’t want an ongoing VPN subscription cost, and you have internet at home, you can self-host your VPN there. This has other benefits besides cash savings:
- access your home network while mobile without any third-party intermediary
- hide traffic from your mobile provider or any third-party VPN (but not your home ISP)
Contrast this with the third-party VPN scenario, where you hide traffic from your home ISP but not from the third-party VPN provider. It depends which arrangement you prefer, or which options you want available to you. You can also replace “home” with “third-party cloud”, with the same considerations about who can and can’t see your traffic in that scenario.
To host your own VPN, you’ll need a PC that is capable of running the VPN server and can stay on all the time using a static IP address, as well as a router that can map incoming traffic to that machine using port forwarding.
Good options: WireGuard | OpenVPN Community Edition
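To make the home-VPN setup concrete, here is an added example (not code from the original post or from the WireGuard project) that generates a WireGuard key pair for the home server and one for a phone, then renders both configuration files. WireGuard keys are X25519 keys, so the script carries a pure-Python X25519 (RFC 7748 Montgomery ladder) in place of `wg genkey | wg pubkey`, purely so it runs without extra packages. The tunnel subnet 10.8.0.0/24, UDP port 51820 and the hostname home.example.com are assumptions for illustration.

```python
import base64
import secrets

# --- X25519 (RFC 7748) in pure Python. In practice you would run `wg genkey`
# and `wg pubkey`; this is here only so the example is self-contained.
P = 2**255 - 19
A24 = 121665


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on Curve25519 via the RFC 7748 Montgomery ladder."""
    k = _clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    """Derive the WireGuard public key (X25519 of the base point u=9)."""
    return x25519(private, (9).to_bytes(32, "little"))


def generate_keypair() -> tuple[bytes, bytes]:
    private = secrets.token_bytes(32)   # OS CSPRNG, like `wg genkey`
    return private, public_key(private)


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def render_configs(server_priv: bytes, phone_priv: bytes,
                   endpoint_host: str, port: int = 51820) -> dict:
    """Render the home server config and the phone config as wg-quick INI text."""
    server_pub, phone_pub = b64(public_key(server_priv)), b64(public_key(phone_priv))
    server = (
        "[Interface]\n"
        "Address = 10.8.0.1/24\n"          # assumed tunnel subnet
        f"ListenPort = {port}\n"           # router must forward UDP {port} here
        f"PrivateKey = {b64(server_priv)}\n\n"
        "[Peer]\n"
        f"PublicKey = {phone_pub}\n"
        "AllowedIPs = 10.8.0.2/32\n"       # only accept this address from the phone
    )
    phone = (
        "[Interface]\n"
        "Address = 10.8.0.2/32\n"
        f"PrivateKey = {b64(phone_priv)}\n\n"
        "[Peer]\n"
        f"PublicKey = {server_pub}\n"
        f"Endpoint = {endpoint_host}:{port}\n"
        "AllowedIPs = 0.0.0.0/0, ::/0\n"   # route everything via home, hiding it from the carrier
        "PersistentKeepalive = 25\n"       # keeps the NAT mapping alive on the mobile side
    )
    return {"server": server, "phone": phone}


if __name__ == "__main__":
    s_priv, _ = generate_keypair()
    p_priv, _ = generate_keypair()
    cfgs = render_configs(s_priv, p_priv, "home.example.com")
    print(cfgs["server"])
    print(cfgs["phone"])
```

Two things the configs alone don’t cover: the server needs IP forwarding enabled plus a NAT/masquerade rule for the phone’s traffic to reach the LAN and the internet (distribution-specific, so not shown), and the router needs a port-forward of UDP 51820 to the server’s static LAN address, as described above. Private keys should be written to files with restrictive permissions rather than printed, as the demo does.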
Upgrade to Privacy-Forward Network Hardware
Why: Privacy-forward hardware can provide peace of mind, either through company ethos or supply chain management, or both. Here are some consumer/affordable brands that sell on privacy and/or supply chain cognizance:
Upgrade to Open Network Firmware
Why: Popular open-source firmware alternatives, if they support your hardware, can have security advantages from broad community attention and stewardship. Open firmware can also support more features that the stock firmware might otherwise lock down or simply not provide. Here are some examples of open-source firmware that works on SOHO hardware (this is not an exhaustive list):
Separate Your Edge Router
Why: Separating your edge router from your WAN “modem” (i.e. preferring not to have an integrated cable/DSL/cellular modem in an ISP-provided router) provides you with better control over security, functionality, and upgrades. Dedicated routers are usually more sophisticated and powerful than all-in-one devices, and are more likely to be free from restrictions on features and use.
Optimize Your WAN Modem
Why: “Modems” for cable (DOCSIS) and DSL are the most common interface. However, these are usually unavoidably proprietary and have poor security characteristics (e.g. 56-bit DES). Your notion of your trust perimeter should still end before your modem, if you have one. Even still, it might feel better to own your own rather than lease from the ISP.
- Get a modem that can actually deliver all the bandwidth you’re paying for in your ISP plan/contract
- Prefer a standalone modem bridged to a router that is under your control
- Buy your modem from a reputable third party instead of from the cable company (involves calling the cable company to get it working)
Anything Else?
I’ll do more posts on DNS, compute, browsing and more… let me know if I missed anything important related to network. mast | email