'%3e%3crect%20x='109.185'%20y='253.397'%20width='350.859'%20height='857.656'%20fill='white'/%3e%3cpath%20d='M274.77%20708.572H233.194V888.205H286.632C302.651%20888.205%20314.635%20883.711%20322.461%20875.088C330.287%20866.465%20334.322%20851.404%20334.322%20830.149V779.138C334.322%20752.539%20329.797%20734.2%20320.382%20723.997C310.966%20713.795%20295.681%20708.451%20274.77%20708.451V708.572Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M310.966%20610.558C320.015%20601.206%20324.539%20585.295%20324.539%20563.19V530.518C324.539%20490.559%20308.887%20470.519%20277.705%20470.033H232.949V624.768H269.512C287.977%20624.768%20302.039%20619.91%20311.088%20610.436L310.966%20610.558Z'%20fill='%23FF5C00'/%3e%3cpath%20d='M277.582%200C124.362%200%200%20123.399%200%20275.704V1069.3C0%201221.48%20124.239%201345%20277.582%201345C430.803%201345%20555.165%201221.6%20555.165%201069.3V275.704C555.165%20123.52%20430.926%200%20277.582%200ZM426.523%20833.064C426.523%20878.367%20414.539%20912.739%20390.817%20936.423C375.898%20951.241%20356.7%20961.322%20333.221%20966.909V987.677C333.221%201002.5%20320.993%201014.64%20306.075%201014.64C291.156%201014.64%20278.805%201002.5%20278.805%20987.677V971.888H232.949V987.677C232.949%201002.5%20220.721%201014.64%20205.803%201014.64C190.884%201014.64%20178.655%201002.5%20178.655%20987.677V971.888H170.218C150.53%20971.888%20140.625%20962.05%20140.625%20942.496V415.743C140.625%20396.188%20150.53%20386.35%20170.218%20386.35H178.655V357.201C178.655%20342.383%20190.884%20330.238%20205.803%20330.238C220.721%20330.238%20232.949%20342.383%20232.949%20357.201V386.35H278.805V357.201C278.805%20342.383%20291.034%20330.238%20306.075%20330.238C321.115%20330.238%20333.221%20342.383%20333.221%20357.201V388.78C333.221%20389.994%20332.977%20391.087%20332.855%20392.18C354.499%20397.524%20371.863%20406.512%20384.703%20419.386C406.469%20441.491%20417.597%20475.377%20417.597%20521.045V544.364C417.597%20604.363%20397.42%20642.743%20357.556%20659.14V660.719C403.656%20676.265%20426.646%20717.074%20426.646%20782.782V833.064H426.523Z'%20fill='%23FF5C00'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_1_174'%3e%3crect%20width='555'%20height='1345'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
- Choosing and securing your network equipment
- Change default logins and passwords
- Secure router configuration
- Reinforcing Wi-Fi network security
- Network segmentation
- Advanced DNS management
- Secure remote access via VPN
- Monitoring and detection
- Backup and resilience
As we discovered in the previous chapter, securing your home network is very important to protect your privacy, your personal data, and to guarantee your digital sovereignty.
After reviewing the theoretical basics, this chapter will guide you through clear, practical and effective steps to enhance the security of your local network.
Please note: The information provided here is general, as Plan ₿ Academy is aimed at an international audience. Depending on your local circumstances and your ISP, certain best practices may not be mentioned here, or may apply in a different way.
Choosing and securing your network equipment
The security of your home network starts with the right choice of hardware: the router, or in some cases a modem router. This device provides the link between your local network and the Internet. It therefore plays a central role in protecting your data.
It's important to choose modern equipment, maintained by its manufacturer, and compliant with recent security standards. Today (June 2025), it is recommended to opt for a device compatible with the WPA3 (Wi-Fi Protected Access 3) encryption protocol, which succeeds WPA2 and corrects several of its flaws. In particular, WPA3 improves resistance to brute-force attacks on Wi-Fi passwords, and introduces better isolation between network clients.
A Wi-Fi 6, Wi-Fi 6E or Wi-Fi 7-compatible router will give you improved speeds and, above all, native support for modern security technologies. Conversely, very old equipment, especially that no longer receives software updates, may contain known, unpatched vulnerabilities. They therefore represent a risk for your entire network, even if you configure them correctly. Compared with cell phones or computers, routers are equipment that we tend to keep for many years. However, it may be a good idea to replace them more regularly, in order to benefit from a more modern, more secure model.
Attention: As a general rule of thumb, the routers provided by ISPs may lack the essential update feature, as well as personalization capabilities. In some cases, ISPs may also have unrestricted access to the end user's internal network.
So make sure you systematically update your router's firmware. These updates correct vulnerabilities, add new features and enhance overall system stability. Some manufacturers offer automatic updates, but in some cases you'll need to check manually via your router's interface administration tool. As with your phone, computer, operating system and software, it's important to update your router regularly. You can make this part of your weekly routine - Every Sunday, for example - by drawing up a list of all the items you need to check and keep up to date.
Alternatively, you may enable auto-updates or at least auto-scan for new firmware updates if you prefer to act manually. While the auto-update feature may still pose a security threat, failing to update the router's firmware regularly will expose your local network to publicly known vulnerabilities.
Example: When purchasing your own router, it may be a good idea to look for established firms in the industry that have been providing routers on the market for a long time. For instance, Fritz!Box routers have a longstanding reputation as plug-and-play devices, well-suited for use in both family settings and small-sized companies. Their software update policy typically extends over several years.
If your router is no longer maintained but still works correctly from a hardware point of view, you may be able to install an alternative open-source firmware, such as:
- OpenWrt, a Linux distribution specializing in routers, offering great flexibility and regular updates
- pfSense and OPNsense, two FreeBSD-based (Unix-like) systems for x86 firewalls and routers
Note: Some ISPs supply their customers with bulk routers made by a single company that simultaneously provides many different ISPs around the world. You may find that in order to install one of the alternative firmwares on the router, someone else may have already discovered how to do it, even if they are on the other side of the world.
These systems enable finer control of firewall rules, outgoing and incoming connections, network segmentation (VLANs) and DNS management, but are aimed more at advanced users.
To sum up, I recommend to:
- Choose a recent router
- Keep your system up to date
- Consider alternative firmware if necessary
Change default logins and passwords
One of the most common (and dangerous) mistakes is to keep the default credentials provided by the router manufacturer, or to use a weak password.
Historically, default router credentials were highly insecure and often identical for all users, such as the well-known
admin/admin. These basic credentials were public, documented in user manuals and widely recorded in databases used by attackers. In this case, anyone detecting the presence of your router could attempt unauthorized access simply by testing these known combinations.Today, most manufacturers assign a unique, robust password to each router. However, even in this case, I recommend changing the default credentials. This reduces supply chain risks, and prevents the original password (sometimes printed on the router label) from compromising your security.
It is therefore imperative that you change your identifiers immediately after installing your router:
- The username (if available) of the administration interface
- And above all, the administration password, which protects access to all network configuration, as well as the Wi-Fi password
This password must be long (40 characters), complex (numbers, lowercase, uppercase and symbols), unique (not to be reused elsewhere), and random. I obviously recommend using a password manager to generate and store these credentials securely.
Warning: don't confuse the router's administration password (which protects access to its configuration) with the Wi-Fi password (which allows you to connect to the wireless network). These are two different elements, and both need to be changed.
Finally, some modern routers feature two management interfaces: A local interface web (accessible via an address such as
192.168.1.1) and a cloud interface (enabling remote management via the Internet). If the latter is enabled by default, I advise you to disable it if you're not using it, or reinforce its security with a strong password and possibly two-factor authentication (2FA) if available.Secure router configuration
The router is the heart of your home network. Its configuration plays an important role in the security of all connected devices. Unfortunately, many of the functions activated by default on these devices can inadvertently expose your network to external attacks. That's why it's important to carry out a complete review of the options activated, and disable those that are not strictly necessary for your purposes.
Some features should be avoided or systematically deactivated:
- UPnP (Universal Plug and Play):
This function enables the devices on your network to ask the router to open ports automatically. While this facilitates certain uses (online games, connected cameras, etc.), it also opens the door to malicious applications capable of modifying the network configuration without your authorization. UPnP is one of the main causes of unintentional exposure of internal services to the outside world.
- WPS (Wi-Fi Protected Setup):
Originally designed to simplify connecting devices to Wi-Fi without entering a password, this system is based on a PIN code that is often weak and easily attacked by brute force. I advise you to disable it.
- Remote access (Remote Management):
Some routers allow you to connect to their administration interface from the outside, via the Internet. This feature unreasonably increases your router's attack surface. Disable it completely, unless you have a specific need for remote management. Even then, always use a VPN.
- Obsolete or insecure protocols:
Disable any administration services that use plain-text protocols such as Telnet, FTP, unencrypted HTTP or SMBv1. These protocols ensure neither confidentiality nor integrity of exchanged data, and are frequently targeted by malware. If you need local or remote access, only use connections via HTTPS (encrypted interface), SSH or SFTP, as appropriate.
- Ping WAN / ICMP:
Some routers respond by default to ICMP requests sent from the outside (
ping command). This allows an attacker to check that your network is active and accessible. If you don't need it, disable this response in the router's firewall.Finally, remember to restrict access to the router's administration interface to trusted devices only, limiting its accessibility to specific IP addresses, if the interface so allows. Some firmwares, such as OpenWrt, offer very fine control over these parameters.
Reinforcing Wi-Fi network security
The Wi-Fi network is often the preferred point of entry for intrusions into a domestic environment. Invisible to the naked eye but accessible from outside the walls of your home, it's an easy target for anyone within range.
The first important step is to choose the right encryption protocol. Always activate "WPA3-Personal", the latest and most secure standard. It not only protects the data exchanged, but also prevents certain known attacks.
The name of your Wi-Fi network, called "SSID" (Service Set Identifier), should remain neutral. Avoid including your name, address or router brand. A name like
MaisonDupont_WiFi6 already gives too much information to a potential attacker. Prefer a generic name, with no particular meaning. This limits the information available for passive tracking or social targeting.Another best practice is to create a guest network separate from your main network. This parallel network, often offered natively on modern routers, enables you to provide your guests with an Internet connection without them having access to your other devices (computers, printers, NAS, etc.). It also means you don't have to provide them with your main network password. To go even further, activate client isolation on this guest network: This will also prevent visitors from communicating with each other, further reducing the risks associated with compromised devices.
Finally, adjust the transmitting power of your Wi-Fi access point. By default, many routers emit a very strong signal, sometimes detectable well beyond your walls. This increases your exposure area. In your router's advanced settings, reduce the transmission power to the minimum required to cover your home. If your router allows it, you can also configure automatic Wi-Fi cut-off when not in use.
Network segmentation
One of the most effective strategies for reinforcing the security of a home network is segmentation. This involves dividing the local network into several independent sub-networks called "VLANs" (Virtual Local Area Networks). These VLANs make it possible to isolate different types of device or usage, even if they use the same physical hardware (router, cabling, Wi-Fi terminal, etc.).
Each VLAN functions as a small, autonomous network with its own communication rules. Exchanges between VLANs are blocked by default or strictly controlled. This prevents, for example, a compromised connected TV from reaching your personal computer or NAS. This approach is based on 2 of the fundamental principles of cybersecurity that we have already studied in previous chapters: Compartmentalization and least privilege.
In concrete terms, here are some examples of segmentation you could do:
-
A personal VLAN: For your trusted devices such as computers, smartphones or personal servers. This is the main segment where your sensitive data circulates.
-
An IoT VLAN: For connected objects (light bulbs, speakers, cameras, smart TVs, etc.). These devices are often insecure, less up-to-date, and a frequent target for attack. Isolating them considerably reduces the risk of an attacker using them as an entry point to your network.
-
A guest VLAN: Reserved for your friends or family when they come to stay with you. It gives access to the Internet, but no access to your private equipment.
Finally, this approach also offers advantages in terms of performance and management: It allows you to prioritize certain types of traffic, apply specific security rules depending on the VLAN (firewall, rate limiting, DNS filtering, etc.), and better monitor abnormal network behavior. It's a practice I highly recommend.
Advanced DNS management
DNS (Domain Name System) is the Internet service that translates human-understandable web addresses (e.g.
planb.network) into machine-understandable IP addresses. When a device on your network wants to visit a site, it queries a DNS server to obtain the address of the server to contact. By default, these DNS queries are often sent in clear text (unencrypted) to your ISP, enabling it (or a third party such as the government) to see all the sites you visit, even if their content is encrypted via HTTPS.To enhance your browsing privacy and block certain unwanted content right from the root, you can take control of DNS resolution within your home network. Start by replacing the DNS servers provided by default with more privacy-friendly alternatives such as :
-
Quad9: Includes blocking lists for malicious domains and keeps no long-term logs of names
-
Cloudflare DNS: Fast and committed to a strict no-logging policy
-
NextDNS: Highly customizable, with advanced filtering and statistics features
-
AdGuard DNS: Easy to configure, with ad blocking and tracker options
Next, activate a DNS query encryption protocol to prevent DNS queries from being intercepted or monitored. There are 2 main protocols for doing this:
-
DoH (DNS over HTTPS): Encapsulates DNS requests in the HTTPS protocol, making them indistinguishable from conventional encrypted web traffic
-
DoT (DNS over TLS): Creates a specific encrypted channel between your device and the DNS server
-
DoQ (DNS over QUIC): Transports DNS requests via the UDP-based QUIC protocol
In practical terms, DNS encryption and server switching can be implemented at various levels:
- At application level: Some software applications, such as the Firefox browser, allow you to configure DNS encryption protocols, such as DoH, directly. However, this solution only protects requests made via the application, and not the rest of your computer.
-
At operating system level: Some OSes natively integrate encrypted DNS support (DoT or DoH), which secures all DNS requests passing through the system's network stack. This does not, however, secure the entire computer or telephone: Applications can bypass this setting if they are configured to use a different DNS resolver or protocol.
-
At network level: DNS encryption can be applied to the entire local network via router configuration. Once again, a router configured for DoH/DoT only sees traffic that is actually sent to it. So a browser configured to contact a remote resolver directly escapes this control. To reduce these loopholes, you need to block port 53 in clear text and restrict unauthorized DoH/DoT destinations via the router's firewall.
Also, ISP-supplied modem routers don't always support these features. In the event of router limitations, there are several alternatives. You can install a manually encrypted DNS client on each device, add a personal router behind the ISP's (capable of handling DNS encryption) or deploy a local DNS server (for example, on a Raspberry Pi) responsible for encrypting and redirecting DNS requests to a secure resolver.
To take things a step further, you can also set up a local DNS filtering solution such as Pi-hole or AdGuard Home.
These tools act like a small DNS server inside your network, blocking requests to domains known to host advertising, browser trackers, phishing or malicious sites. These tools also allow you to create your own blocking lists or customize filtering according to the devices connected.
Secure remote access via VPN
In some cases, it's useful to be able to access your home network when you're on the move: Consult files on a NAS, use a Bitcoin and Lightning node, access a self-hosted server, or administer your network. However, this remote connection must be secure.
The first tip is to never directly open a port on your router to access a device (e.g. via RDP, SSH or FTP), as this exposes that service to the entire Internet, which constitutes a vulnerability. Automated attacks targeting open ports are numerous.
The solution I recommend is to use a VPN (Virtual Private Network), i.e. an encrypted tunnel between your remote device (computer, smartphone, etc.) and your local network. Once connected to the VPN, you can access your home's resources as if you were physically there, and in a secure way.
The two main solutions for private customers are:
- WireGuard: Modern, fast and lightweight
- OpenVPN: Older, but very mature and configurable
Here's a complete tutorial on Tailscale, an easy-to-configure VPN solution that uses WireGuard:
You can host this VPN directly on a compatible router, on a small computer (such as a Raspberry Pi) or on a dedicated server at home. You can also install it as a client directly on any device.
But a VPN isn't just for remote access. You can also use a classic VPN client on your devices to encrypt all your outgoing traffic, even when you're away from home (public Wi-Fi, hotel, university, etc.). In this case, your device connects to a third-party VPN server (commercial or self-hosted), which then relays your connections to the Internet. This hides your real IP address from the ISP, protects your data from local spying and avoids certain forms of censorship.
Finally, it's also possible to set up a VPN directly on your router, allowing you to protect all the devices in your home without having to install a VPN client on each of them.
Monitoring and detection
Once your network has been properly configured and segmented, it's important to go beyond passive security. Active monitoring of your local network can detect abnormal behavior, unauthorized connections or signs of intrusion. The aim is to spot problems early, before they cause damage.
The first step is to centralize security logs. Every device connected to the network generates logs containing information on connections, errors or suspicious activity. Rather than consulting these logs individually, I recommend sending them to a server capable of grouping, sorting and analyzing them. Solutions such as Graylog or Elastic Stack (ELK) allow you to aggregate these logs into a graphical interface where you can search for specific events, create alerts or visualize network activity.
Next, carry out regular active scans of your local network, for example with Nmap. This will give you an overview of all the devices on your network, and the ports they have opened. If you identify an unknown device or an unusual service, this could be the sign of an attack.
To go even further, you can install an IDS (Intrusion Detection System), or even an IPS (Intrusion Prevention System). These tools, such as Suricata or Snort, monitor network flows in real time and detect signatures of known attacks (port scans, injections, suspicious connections, etc.). The IDS warns, while the IPS can automatically block certain actions.
Finally, monitoring bandwidth consumption is also a good indicator of abnormal activity. If a device suddenly consumes a lot of data for no apparent reason, this may betray an unauthorized download, a data leak, or even a compromised device. Tools such as ntopng or vnStat enable you to view incoming and outgoing flows by device.
Backup and resilience
Even with a perfectly secure network, hardware failures, configuration errors or unforeseen events (power failure, power surge, hard disk failure, etc.) can cause data loss or interrupt your services. To guarantee the continuity of your digital environment and avoid starting from scratch in the event of a problem, it's important to implement a backup and resilience strategy.
Start by regularly backing up the configuration of your network equipment, especially the router. These configuration files can often be exported via the administration interface. Keeping a copy allows you to quickly restore a functional system in the event of a device reset or replacement. I also recommend encrypting this backup.
Finally, to improve your network's resilience in the event of power failure, invest in a UPS. This device provides backup power for a few minutes in the event of a power failure, allowing you to continue using the Internet or ensuring that critical devices (NAS, router, Wi-Fi access point, etc.) shut down cleanly. Some models can also send an automatic shutdown command to connected devices when they detect that the battery is low.
By following these few steps, you'll build a robust, secure network environment that respects your privacy.
Quiz
Quiz1/5
scu2026.2
Which service replaces ISP DNS to protect the confidentiality of web requests?