SIGforum.com    Main Page  Hop To Forum Categories  The Lounge    Resources for learning about securing wifi?
Team Apathy
posted
I want to learn more about ensuring my home wifi network is as secure as I can reasonably make it. Are there any good online resources to dive into?
 
Posts: 6364 | Location: Modesto, CA | Registered: January 27, 2005
eyrich (The One True IcePick)
posted
If you only mean WiFi security, there is not much to it.
Only allow WPA2-PSK (aka personal); some devices allow WPA3 now. Do not restrict to only WPA3, if that is an option; many devices do not support it yet.

Use a strong password that no one can guess.

Do not allow friends and people that do not live there to use it. Make sure your family knows not to share the WiFi settings.

Disable WiFi WPS on the router.

If you mean all of your home network, then that is for sure a more involved project.
Separate networks for different classes of devices, the biggest one being IoT devices on their own segment that have zero or restricted access to your main network.

Steve Gibson's Security Now podcast has some episodes on home network segregation.

Posts: 859 | Location: IL | Registered: September 08, 2004
Team Apathy
posted
I guess I mean my primary concern is preventing, to a reasonable extent, unwanted intrusions onto my home network.

We have the typical devices you find... laptops, a few Fire type tablets, iOS devices, Rokus, some wifi smart plugs, a printer, and until recently a WD MyCloud (I recently removed it as it was end-of-life'd by WD). Oh, our house fan is also controlled via wifi exclusively.

My AP is an Ubiquiti UAP-AC-LR that was purchased about 5 years ago and has been pretty flawless.

Is there a way to provide wifi internet to guests in a somewhat secure method that is separate from the other parts of the network?
 
Posts: 6364 | Location: Modesto, CA | Registered: January 27, 2005
konata88 (Member)
posted
Great topic. I'm not an expert and always have this question.

I've started with product choices (modem, router) and have decided upon Motorola (which may be a misinformed decision). In any case, I stay away from TP-Link, Huawei and other PRC companies. I also avoid Netgear now.

I do segregation and put IoT type devices on the weak link segment (as defined by an older router; the primary subnet is on a Moto router). One consideration for me was devices that will likely get compromised and which devices are okay to share that subnet. I'm rethinking that and may separate even critical devices (i.e. laptops) such that exposure will be limited in case a device gets breached. One problem though is sharing a common printer.

I'm trying to figure out on which subnet to place a security camera. I hate that it requires access to the internet but it seems unavoidable unless I want to spend thousands for a more CCTV like system. It's a security camera so doesn't seem like it should be on the weak link subnet. But then, I consider it a weak link itself so it doesn't seem like I should allow it on the primary subnet. So maybe a dedicated subnet?

I hate that these devices have devolved into the cheapest, easiest, made by/in PRC products. I'm sure this will work out well for us.

"Wrong does not cease to be wrong because the majority share in it." L.Tolstoy
"A government is just a body of people, usually, notably, ungoverned." Shepherd Book
 
Posts: 12719 | Location: In the gilded cage | Registered: December 09, 2007
Team Apathy
posted
Yes, security cameras are also on my to do list, and I have a couple in a closet waiting for the project to get going, but I've been bullied into inaction by feeling somewhat overwhelmed with the best way to do it. Primarily I will use wired cameras but some wireless ones are not out of the realm of possibility. In that regard, my thoughts (however misguided they may be) would be to use a wholly different network... Any potential wifi cameras probably don't need the internet to function, just the internal wifi to get back to the software to use them... So a wholly separate wifi access point without internet access would solve that, I think. If I wanted to remote view them in the future I could provide internet access via wired connection, but that, I'm sure, opens up vulnerabilities that I'll have to explore when the time comes.

What I wonder now is if my IoT should be on a different SSID than the iOS devices and the laptops? The printer, as you say, is a complication. We print from both iOS devices and the laptops, so I guess it would have to share the network.

Further complicating it, the wifi plugs only work on a 2.4 GHz? connection and everything else is on the 5?

I know I can learn, I just need the resource to trust to start the learning process. I'm better with someone walking me through it but my networking fluent friend recently fled CA. He's smarter than I, apparently, as I am still here.
 
Posts: 6364 | Location: Modesto, CA | Registered: January 27, 2005
eyrich (The One True IcePick)
posted
Get a VLAN capable switch and router/firewall,
and then you can VLAN tag different networks into different WiFi networks (SSIDs) on your existing Ubiquiti AP. That assumes you are programming it with their controller software; I am not sure about the feature set of a stand-alone mode UBNT AP. I use them like that in places but never with more than the native VLAN/single SSID.

I have 3 networks at home. Main Lan, Iot/Camera, Guest.
They all can access the Internet but in general not each other, except allowing LAN to go directly to the cameras. All 3 have their own SSID and password in the Access Point.

I like pfSense for firewall, I have a NetGate SG-1100, if you have 1Gb internet you will need to jump to the 4100 I think.



quote:
Originally posted by thumperfbc:
I guess I mean my primary concern is preventing, to a reasonable extent, unwanted intrusions onto my home network.

We have the typical devices you find... laptops, a few Fire type tablets, iOS devices, Rokus, some wifi smart plugs, a printer, and until recently a WD MyCloud (I recently removed it as it was end-of-life'd by WD). Oh, our house fan is also controlled via wifi exclusively.

My AP is an Ubiquiti UAP-AC-LR that was purchased about 5 years ago and has been pretty flawless.

Is there a way to provide wifi internet to guests in a somewhat secure method that is separate from the other parts of the network?
Posts: 859 | Location: IL | Registered: September 08, 2004
Savor the limelight
posted
It sounds like you are conflating WiFi and internet.

WiFi is just a means to connect your devices together without wires. That’s it. Don’t give out the password and your network is secure.

Unless you decide to connect your network to the internet. And of course, most devices we purchase today won’t function without a connection to the internet. I believe this is the security you wish to learn about. I’d like to as well.

As far as guest connections go, many if not most wireless access points allow you to set up connections on a wireless network that’s separate from your own network. Guest devices will have a different SSID, a different password, and be assigned a different set of IP addresses than your devices.

I’ll be looking for that book recommendation as well. I’ve tried to piece together how to secure my network by reading things on the internet, but I just don’t have the basic understanding of how it all works.
 
Posts: 10938 | Location: SWFL | Registered: October 10, 2007
eyrich (The One True IcePick)
posted
This YT channel seems to have a lot of good content on this subject.

https://www.youtube.com/watch?v=6ElI8QeYbZQ

Linked to one about segregating IoT devices.
Looks like he's using pfSense and UBNT gear.

One thing of note: in my opinion hidden SSIDs offer no added security and only cause issues for some devices.
Just set a good password and don't worry about it showing up in wifi lists on clients.

Posts: 859 | Location: IL | Registered: September 08, 2004
ensigmatic (Nullus Anxietas)
posted
quote:
Originally posted by thumperfbc:
I guess I mean my primary concern is preventing, to a reasonable extent, unwanted intrusions onto my home network.
eyrich mostly covered it, except you want to think in terms of "strong pass phrase," rather than "strong password." E.g.: "bizzie glumm marty typ0 byte" is much stronger than "gaiWah9boh&k".

TBH: If somebody knowledgeable really wants to get into your WiFi network they will eventually get into your WiFi network. So, in addition to hardening your WiFi network to the extent possible, you want to deprive them of anything interesting to do if the WiFi network is breached. That's known as "defense-in-depth."

Defense-in-depth means, for example, choose network devices wisely and ensure they, too, have strong credentials. In communicating with them via web browser, use HTTPS, rather than HTTP. If they have "telnet" ports: Close them.

quote:
Originally posted by thumperfbc:
Is there a way to provide wifi internet to guests in a somewhat secure method that is separate from the other parts of the network?
I don't know about your Ubiquiti AP. My EnGenius APs have guest network capability. It isolates guests from the private network, allowing them Internet access only.

quote:
Originally posted by thumperfbc:
What I wonder now is if my IoT should be on a different SSID than the iOS devices and the laptops?
"Different SSID" ≠ "different network."

quote:
Originally posted by thumperfbc:
The printer, as you say, is a complication. We print from both iOS devices and the laptops, so I guess it would have to share the network.
This raises the subject of a complication with the oft-recommended "Separate your IoT devices from your trusted network." If you do that then you won't be able to communicate with them.

E.g.: We have Apple mobile devices and Apple TV streamers. It's real handy, when you need to do text entry on an Apple TV, to connect to it with iOS/iPadOS "remote" capability, so you can use your mobile device's keypad for entry, rather than interminable scroll-click-scroll-click-scroll-click-scroll-... But, if we placed the ATVs on a separate network, that would go away.

Another example is the "Smart HQ" capability of our GE range, washer, and dryer. Tells us things like the oven preheat is done, the wash will be done in five minutes, the stuff in the dryer has been sitting there for thirty minutes, etc.

So I take a different, though, admittedly, rather less security-robust route: Everything on our LAN gets a specific IP address. Most via fixed assignments in the network's DHCP server. A few locally-configured static IPs. Different "classes" of network clients get put in different subnets within the network's larger subnet. (E.g.: Mobile devices in one subnet, appliances in another, network infrastructure in another, and so-on.)

Stuff I don't want accessing the Internet gets blocked by IP address or subnet at the border router. Some devices, such as our VoIP ATA, get restricted to certain destination netblocks to which I know they should talk.

Then I depend upon the aforementioned defense-in-depth to protect the various things on the network from one another.

The more secure way is to put different classes of devices on separate VLANs, then have an internal router to route the things you want to be able to talk to one another. That's a lot more complicated, a lot more expensive, and has the disadvantage of blocking network device discovery protocols (mDNS/Bonjour), which will break some stuff.

quote:
Originally posted by thumperfbc:
Further complicating it, the wifi plugs only work on a 2.4 GHz? connection and everything else is on the 5?
As long as they're in the same network subnet that shouldn't matter. (Btw: I don't really like the idea of WiFi home automation devices. Too much additional exposure for my comfort. Thus I use Lutron Caséta smart plugs and switches, which communicate with a single networked hub on a proprietary wireless network.)

"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
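As an added example (not code from this thread or from any of the posters), here is a small Python model of the first-match firewall policy behind the two designs described above: eyrich's three-VLAN layout (Main LAN, IoT/Camera and Guest all reach the Internet, none reach each other, except LAN to the cameras) and ensigmatic's per-device egress restriction (a VoIP ATA allowed only to its provider's netblock). All VLAN names, addresses and netblocks are constructed for illustration, and the helper names `build_rules` and `evaluate` are mine, not any vendor's API.

```python
"""Added example, not from the SIGforum thread: a first-match firewall policy
model for a segmented home network.  Every address and netblock below is
constructed for illustration (RFC1918 and TEST-NET-3 ranges only)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed address plan: one RFC1918 /24 per VLAN.
VLANS = {
    "lan":   ip_network("192.168.10.0/24"),   # Main LAN
    "iot":   ip_network("192.168.20.0/24"),   # IoT/Camera
    "guest": ip_network("192.168.30.0/24"),   # Guest
}
CAMERAS = ip_network("192.168.20.64/27")      # camera range inside the IoT VLAN (constructed)
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VOIP_ATA = ip_address("192.168.20.5")         # constructed ATA address, lives in the IoT VLAN
VOIP_PROVIDER = ip_network("203.0.113.0/24")  # TEST-NET-3 standing in for the provider's netblock


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    note: str


def host(addr: IPv4Address) -> IPv4Network:
    """Single-host (/32) network for use as a rule's src or dst."""
    return ip_network(f"{addr}/32")


def build_rules() -> list:
    """Ordered rule set; first match wins, so the specific rules come first."""
    rules = [
        # Per-device egress restriction: the ATA may talk to its provider and nothing else.
        Rule("allow", host(VOIP_ATA), VOIP_PROVIDER, "ATA may reach its VoIP provider"),
        Rule("deny",  host(VOIP_ATA), ANY, "ATA: all other destinations blocked"),
        # The single inter-VLAN exception: Main LAN may reach the cameras.
        Rule("allow", VLANS["lan"], CAMERAS, "LAN may view cameras"),
    ]
    for name, net in VLANS.items():
        # Every VLAN: deny all other internal (RFC1918) space, then allow the Internet.
        for private in RFC1918:
            rules.append(Rule("deny", net, private, f"{name}: no access to other internal networks"))
        rules.append(Rule("allow", net, ANY, f"{name}: Internet allowed"))
    return rules


def evaluate(src: str, dst: str, rules=None):
    """Return (action, note) for a routed packet src -> dst.

    Traffic inside one subnet never crosses the router (it is switched, which is
    also why mDNS discovery keeps working there), so it is reported as "local"
    instead of being judged against the rule list.  A packet matching no rule is
    denied: the implicit default deny at the end of the chain."""
    s, d = ip_address(src), ip_address(dst)
    for net in VLANS.values():
        if s in net and d in net:
            return "local", "same subnet, switched not routed"
    for rule in (rules if rules is not None else build_rules()):
        if s in rule.src and d in rule.dst:
            return rule.action, rule.note
    return "deny", "default deny"


if __name__ == "__main__":
    flows = [("192.168.10.20", "8.8.8.8"), ("192.168.10.20", "192.168.20.70"),
             ("192.168.10.20", "192.168.20.5"), ("192.168.20.7", "192.168.10.20"),
             ("192.168.30.9", "1.1.1.1"), ("192.168.20.5", "203.0.113.10"),
             ("192.168.20.5", "8.8.8.8"), ("192.168.10.20", "192.168.10.30")]
    for src, dst in flows:
        print(f"{src:>15} -> {dst:<15} {evaluate(src, dst)}")
```

Running it prints one verdict per constructed flow. Two things worth noticing: rule order matters (the ATA's "deny everything else" rule sits above the general "IoT may reach the Internet" rule, so swapping them would silently reopen the ATA's egress), and the "local" verdict is the flip side of the discovery-protocol caveat above: anything that must stay discoverable by mDNS has to sit in the same subnet as the client, which is the trade-off the VLAN design forces you to make explicit.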
radioman (Ignored facts still exist)
posted
Not sure if OP really means "wifi" or general internet security.

Maybe it's because I'm not in a densely populated area, but I've never worried about war-drivers (is that still a thing?) getting into my wifi as much as I worry about rogue IoT devices that I might buy in a weak moment (cheap security cams included), and the possibility of hackers getting in through my firewall via the FIOS connection.

Honestly any war-drivers here would get flushed out by the neighborhood watch anyway :) But I still use decent WiFi security, strong passwords etc, just in case.

By the way, if you don't know the term, "war-drivers" are (were) people who would drive around neighborhoods looking for unsecured wifi they can hack into. They have to be within your wifi zone (normally fairly close to your house) for them to do any damage.


----------------------
Let's Go Brandon!
 
Posts: 10926 | Location: 45 miles from the Pacific Ocean | Registered: February 28, 2003
smschulz (quarter MOA visionary)
posted
quote:
Originally posted by radioman:
Not sure if OP really means "wifi" or general internet security.


^^^^ Agree
One thing I've learned is to get clarification of the problem before submitting solutions.
Not that any of the above solutions aren't accurate but are they relevant?
I guess I prefer a more efficient path to a solution. :(
 
Posts: 22907 | Location: Houston, TX | Registered: June 11, 2006
Team Apathy
posted
quote:
Originally posted by radioman:
Not sure if OP really means "wifi" or general internet security.


I think I meant both, but don't have the knowledge base to articulate it very well...

I think the wifi was covered above by ensigmatic to a large degree... good password that is tightly controlled. I recently installed Bitdefender and it tells me my wifi at home isn't safe... probably due to a relatively simple password (no, not Password or any iteration of it :P). I can update that to something stronger. It'll be a pain to update all of the various IoT but that is ok. It is worth it, I'm sure.

I'll have to research how to set up a guest SSID with my UniFi AP specifically. I imagine it is capable of doing it in a way that prevents access to other devices on the network; I'll just have to research that. I imagine there are some articles or videos on it.

Eyrich - thanks for the Youtube link. I'll explore that channel.

Ensigmatic, I have questions about what you said about using static IP addresses for your various IoT devices... but I need to process the info more first... Regarding the home automation, the only ones we have are a couple of wifi plugs that run the Christmas lights during the appropriate season... I think that once they are programmed they might continue to do their job even if their connection is terminated... I'll check that. I suppose the house fan controller is probably considered a home automation thing, and that is something we use all the time with no hard wired way of activating it.

Thanks for the discussion... please continue to add to it. I'm fairly technically savvy but just never delved into networking much. I feel I just need a few shallow pools to wade in until I start picking up some of the basics... the problem I have is that often I come across videos that assume a bit too much knowledge for me to make good use of them for the moment.
 
Posts: 6364 | Location: Modesto, CA | Registered: January 27, 2005
Team Apathy
posted
quote:
Originally posted by smschulz:
quote:
Originally posted by radioman:
Not sure if OP really means "wifi" or general internet security.


^^^^ Agree
One thing I've learned is to get clarification of the problem before submitting solutions.
Not that any of the above solutions aren't accurate but are they relevant?
I guess I prefer a more efficient path to a solution. :(


Perhaps a better question to have asked... where should I start if I want to begin learning about the foundations of home network security? I'm not afraid to dive into technical material, as long as I start at an appropriate level and build from there.

Is the first step factory resetting my current equipment and then starting fresh so I know how it was done?

Current set-up is a cable modem that is connected into a typical home-grade wifi router (I can't even remember the brand at the moment). This router has the wifi turned off. Then the Ubiquiti is connected to the router with a PoE injector inline.

So should I just start there? I remember things better when I do it myself, so this seems like a good place to start. Thoughts?
 
Posts: 6364 | Location: Modesto, CA | Registered: January 27, 2005
HRK (Thank you Very little)
posted
I prefer to have my own router behind the service provider's equipment.

We did install ATT Fiber this week, speeds approaching 1GB on their router hard wired,
EyePhone hit 690/660 unreal...

Anywho, I run two in-house routers, one Orbi and one Netgear.

The Orbi is for wireless items such as Nest, Ring, Blink camera system, TVs, iPads and phones. Most of the "guests" are family so their devices are on that network as well.

This is done mainly because switching providers would require the update of every single device with new network credentials. Moving the Orbi to the new ATT router requires no setup: plug it in, it connects and all devices are still active.

The other router is for the office printers, computer and wife's company laptop, nothing else.

This keeps both separate, and people off our network.

Just activated a guest network for the one guy that comes over and wants to attach his phone to the wifi when we have a cigar meet; up to now my response was "is your cellular network down?" as in, no.
 
Posts: 23448 | Location: Florida | Registered: November 07, 2008
maladat (Member)
posted
quote:
Originally posted by ensigmatic:

quote:
Originally posted by thumperfbc:
Is there a way to provide wifi internet to guests in a somewhat secure method that is separate from the other parts of the network?
I don't know about your Ubiquiti AP. My EnGenius APs have guest network capability. It isolates guests from the private network, allowing them Internet access only.

quote:
Originally posted by thumperfbc:
What I wonder now is if my IoT should be on a different SSID than the iOS devices and the laptops?
"Different SSID" ≠ "different network."


I can’t remember off the top of my head if it also requires having a Ubiquiti router or not, but in general, Ubiquiti networking equipment supports guest SSIDs with access control portals and no local network access.

With a Ubiquiti router, you can also do stuff like multiple SSIDs associated with multiple segregated VLANs and all the usual enterprise bells and whistles.
 
Posts: 6319 | Location: CA | Registered: January 24, 2011
© SIGforum 2024