
Home Networks
Home Networks: This page is intended to provide an overview of Home Network Architecture and accepted best practices to help enhance your home’s security posture. The page focuses on a cable modem (Comcast) or router (Verizon FIOS) based gateway.
The principles described apply whether your network is serviced by a cable modem, router, 5G cellular or fixed wireless solution from your Internet Service Provider.
Home Network Structure
The Gateway is a boundary device that separates different security domains; here it defines your Home Network through the WiFi networks it broadcasts, and its built-in Firewall is the boundary point between your Home Network and the Internet.
Gateway device (blue box) may be provided by Verizon or Comcast or purchased at retail
WiFi networks are defined by frequency band (like a TV channel; the green and red areas in the diagram)
Devices connect to the Home Network either over WiFi (no wire) or wired (a cable physically connects the device to the router or modem). Some devices only work on one frequency (for example, the green 2.4 GHz Network); others can move automatically between frequencies or may be assigned to only one.
WiFi is like a voice: it needs to be heard to be useful. Placing the Gateway centrally in the home helps with reach, and segregation provides useful isolation. Minimum support should be WiFi 6 (or 6e, 7 or 8) so that WPA3 encryption is available.
Mesh Routers Added to Bedroom, 1st Floor and Basement
A Mesh Network can improve network reach across the home (even into the yard). Devices are available at retail. The diagram above shows the Gateway (Cable Modem in Bridge Mode) outside the Home Network boundary defined by the Mesh 1st Floor Router with built in Firewall. Technically, the Cable Modem in Bridge Mode is no longer a Gateway.
Mesh Routers communicate with each other to establish the best path for any given device to communicate. For example, TV 1 connects to the Mesh 1st Floor Router and TV 2 connects to the Mesh Basement Router, but both TVs are on the SAME Network. The second mobile phone is shown across both 2.4 GHz and 5 GHz Main because it can connect to either frequency (remember that 5 GHz is faster, but 2.4 GHz has longer reach, so the device may switch from one to the other as the user walks outside in the yard).
Network Separation: in the diagram above there is only frequency separation; however, Computers and Phones can be further separated from other devices in the home by creating additional network(s) (described lower on this page).
Network Segregation
The Gateway can define additional WiFi Networks (such as IoT or Guest) with separate WiFi passwords. The devices in your home can then be assigned to any defined network. Any given network along with all of the devices on that network establish the primary “threat surface” of that network. The Security System Base is shown directly wired to the Gateway.
Some devices in your home are considered more security sensitive than others because of the information they have or the services they access. A computer used for banking is more sensitive than a SmartTV used to watch movies or television shows.
Best Practice is to separate your sensitive devices, such as Mobile Phones and Computers, from other devices. In the diagram, the phone and computer can be on either the 2.4 GHz or 5 GHz Main Network. ALL other devices are forced to use only the 2.4 GHz or 5 GHz IoT Networks, creating network isolation and helping with security by reducing the threat surface.
Many IoT devices (SmartTV, SmartSwitches, Appliances and other WiFi enabled devices) do not get software updates after they are sold or may be vulnerable right out of the box.
Home Networks and Gateway Configurations
Bucks County Home Networks Security Services focus on the Gateway (Router/Cable Modem), Home WiFi, Computer, Mobile Phone and User Account Settings; however, with over 25 years of experience in cable architecture and working with the largest cable and telco operators in the United States (and Canada, Mexico, and South America), Bucks County Home Networks can help with TV, Cable, or Streaming Services Device configurations as well (which may reduce monthly cost, help with home network set-up, or channel/service navigation).
NOTES: Your home internet setup depends on both your Internet Service Provider (ISP) (such as Comcast or Verizon FIOS) and the gateway (either provided by the ISP or purchased separately). The gateway (which could be a router, cable modem, or mesh system) is a demarcation point between your home network and the internet. If you want to compare Internet Service Providers to potentially save money on your monthly internet bill, https://www.whistleout.com/Internet/United-States is one site to check. Typically, the lowest speed plan in Bucks and Montgomery Counties is more than sufficient for most people to stream TV and provide enough speed for everyday internet use. Any performance problems are very unlikely to be caused by, or improved by, a faster speed plan from your ISP.
Home Networks: Your sensitive devices (computer, mobile phone) can be on a Main network and IoT devices on the IoT network; Guest is optional (for any visitors asking to connect). IoT devices include TV streaming devices, home assistant speakers, security cameras, sensors, controllable lights, switches and appliances. Each represents a potential ingress point to the network it is on. Segregation and isolation reduce the threat surface (paths of attack) to your most sensitive devices. Be aware of changes in your network performance and investigate appropriately. Separating and limiting the number of WiFi devices on either 2.4 GHz / 5 GHz or Main / IoT / Guest can be helpful for both security and WiFi performance. For example, a streaming service (SmartTV or streaming device) could connect to your 5 GHz IoT network while all the rest of your IoT devices (e.g., security cameras) connect to your 2.4 GHz IoT network, and your computer and mobile phone connect to your Main (2.4 GHz and 5 GHz) networks.
Device purchases: The Manufacturer and supported functions matter. For example, WPA3 (the currently recommended WiFi security protocol) is supported in WiFi 6 and later (including WiFi 6e, 7, and 8 devices). Buying a WiFi 6 Mesh Network may provide current encryption at a lower price, but the device will likely not receive future manufacturer security updates as often or for as long as devices supporting a more current standard such as WiFi 7.
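The placement rule described in the Network Segregation section and restated above (sensitive devices on Main, everything else on IoT, nothing unknown anywhere) can be checked against the gateway's connected-client list. The following script is an added example, not code from this page or from any gateway vendor; it assumes the gateway can export its client list as "MAC hostname SSID" lines, that the homeowner keeps an inventory of known devices, and the SSID names shown are invented for the example.

```python
"""Audit which WiFi network each connected device is on.

Added example (not the page's or any vendor's code). Assumptions: the gateway
exports connected clients as 'MAC  hostname  SSID' lines, and the homeowner
keeps an inventory mapping MAC -> (name, device class). SSID names are invented.
"""
from dataclasses import dataclass

# Which network each SSID belongs to: Main (sensitive devices), IoT, or Guest.
SSID_CLASS = {
    "Home-Main-2G": "main", "Home-Main-5G": "main",
    "Home-IoT-2G": "iot", "Home-IoT-5G": "iot",
    "Home-Guest": "guest",
}

# Constructed inventory of devices the homeowner knows about.
INVENTORY = {
    "aa:bb:cc:00:00:01": ("laptop", "sensitive"),
    "aa:bb:cc:00:00:02": ("phone", "sensitive"),
    "aa:bb:cc:00:00:03": ("smart-tv", "iot"),
    "aa:bb:cc:00:00:04": ("cam-front", "iot"),
}

# Constructed client-list export, in the shape many gateways show it.
CLIENT_EXPORT = """\
aa:bb:cc:00:00:01  laptop      Home-Main-5G
aa:bb:cc:00:00:02  phone       Home-IoT-2G
aa:bb:cc:00:00:03  smart-tv    Home-IoT-5G
aa:bb:cc:00:00:04  cam-front   Home-Main-2G
aa:bb:cc:00:00:09  espressif   Home-IoT-2G
"""


@dataclass(frozen=True)
class Finding:
    mac: str
    severity: str
    message: str


def parse_clients(text):
    """Parse 'MAC hostname SSID' lines into (mac, hostname, ssid) tuples."""
    clients = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than guessing
        mac, hostname, ssid = parts
        clients.append((mac.lower(), hostname, ssid))
    return clients


def audit_placement(clients, inventory=INVENTORY, ssid_class=SSID_CLASS):
    """Return findings for unknown devices and devices on the wrong network."""
    findings = []
    for mac, hostname, ssid in clients:
        net = ssid_class.get(ssid)
        if net is None:
            findings.append(Finding(mac, "high", f"'{hostname}' is on unrecognised SSID {ssid}"))
            continue
        if mac not in inventory:
            findings.append(Finding(mac, "high", f"unknown device '{hostname}' on {ssid}; identify it or block it"))
            continue
        name, dev_class = inventory[mac]
        if dev_class == "sensitive" and net != "main":
            findings.append(Finding(mac, "high", f"{name} is sensitive but on the {net} network {ssid}; move it to Main"))
        elif dev_class == "iot" and net == "main":
            findings.append(Finding(mac, "medium", f"{name} is an IoT device on Main ({ssid}); move it to IoT"))
    return findings


if __name__ == "__main__":
    for f in audit_placement(parse_clients(CLIENT_EXPORT)):
        print(f"[{f.severity}] {f.mac}: {f.message}")
```

Run against the constructed export it reports the phone sitting on the IoT network, the camera sitting on Main, and one device that is not in the inventory at all; the laptop and the TV, which are where the policy puts them, produce nothing. Running this after the weekly check of connected clients turns "look at the list" into a repeatable comparison against what you expect to see.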
Gateways (Routers, Cable Modems, Mesh) Advice: Segregate networks (Main, IoT, Guest). Replace outdated devices that no longer receive vulnerability updates from the manufacturer because of their age. Enable automatic firmware updates and reset the device weekly (a reset can often be scheduled). Change the default password. Enable the firewall and use current WiFi security (WPA2/WPA3; disable WEP and WPS). Periodically check the list of connected devices and offline clients. Disable remote management and outdated protocols. Isolate devices (limit cross-device communications). Disable SIP ALG and UPnP port forwarding.
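The advice above is a checklist, and a checklist can be run. Below is an added example, not this page's or any vendor's code, that compares a gateway's exported settings against each item (WEP/WPS off, firewall on, remote management off, UPnP and SIP ALG off, automatic firmware updates on, default password changed, device isolation on, a scheduled weekly reset). It assumes the gateway can export its settings as flat key/value pairs in JSON; the key names and both sample exports are invented for the example, and a setting missing from the export is reported for manual verification rather than assumed safe.

```python
"""Compare an exported gateway configuration against the hardening checklist.

Added example (not the page's or any vendor's code). Assumes settings export
as flat JSON key/value pairs; the key names and sample exports are invented.
"""
import json

# Constructed export of a gateway left close to factory defaults (the weak setting).
WEAK_EXPORT = json.dumps({
    "wifi_security": "WPA2/WEP",
    "wps_enabled": True,
    "firewall_enabled": False,
    "remote_management": True,
    "upnp_enabled": True,
    "sip_alg_enabled": True,
    "firmware_auto_update": False,
    "admin_password_is_default": True,
    "device_isolation": False,
    "scheduled_reboot_days": 0,
})

# The same gateway after applying the advice above (the corrected setting).
HARDENED_EXPORT = json.dumps({
    "wifi_security": "WPA2/WPA3",
    "wps_enabled": False,
    "firewall_enabled": True,
    "remote_management": False,
    "upnp_enabled": False,
    "sip_alg_enabled": False,
    "firmware_auto_update": True,
    "admin_password_is_default": False,
    "device_isolation": True,
    "scheduled_reboot_days": 7,
})

ACCEPTED_WIFI_SECURITY = {"WPA2", "WPA3", "WPA2/WPA3"}

# (setting key, predicate that is True when the value is acceptable, remediation)
CHECKS = [
    ("wifi_security", lambda v: v in ACCEPTED_WIFI_SECURITY, "use WPA2/WPA3 only; disable WEP and WPA1"),
    ("wps_enabled", lambda v: v is False, "disable WPS"),
    ("firewall_enabled", lambda v: v is True, "enable the built-in firewall"),
    ("remote_management", lambda v: v is False, "disable remote (WAN-side) management"),
    ("upnp_enabled", lambda v: v is False, "disable UPnP port forwarding"),
    ("sip_alg_enabled", lambda v: v is False, "disable SIP ALG"),
    ("firmware_auto_update", lambda v: v is True, "enable automatic firmware updates"),
    ("admin_password_is_default", lambda v: v is False, "change the default administrator password"),
    ("device_isolation", lambda v: v is True, "enable client/device isolation on IoT and Guest"),
    ("scheduled_reboot_days", lambda v: isinstance(v, int) and 1 <= v <= 7, "schedule a reset at least weekly"),
]


def audit_gateway(export_json):
    """Return a list of (setting, remediation) for every check that fails."""
    settings = json.loads(export_json)
    findings = []
    for key, acceptable, remediation in CHECKS:
        if key not in settings:
            findings.append((key, "not present in export; verify manually in the gateway UI"))
        elif not acceptable(settings[key]):
            findings.append((key, remediation))
    return findings


if __name__ == "__main__":
    for label, export in (("factory-default", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        findings = audit_gateway(export)
        print(f"{label}: {len(findings)} finding(s)")
        for key, remediation in findings:
            print(f"  {key}: {remediation}")
```

The factory-default export fails every check; the hardened one passes cleanly. Because most consumer gateways only expose these settings through a web page, the practical use is as a written record of the target state: export or transcribe the settings after a firmware update or a factory reset (both can silently restore defaults such as WPS or UPnP) and re-run the comparison.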