Auditing a Home Network

Doug Palmer

An audit is a pretty simple concept. We’re just taking an accounting of everything in our home network to make sure all of our ducks are in a row. You can only begin to secure a system once you know everything there is to know about it. Think of it as strict self-reconnaissance. In practice, however, it can prove to be a arduous endeavor. Even home networks can start to become complex when various services are being run for entertainment or security or convenience or whatever.

The challenging thing is knowing whether you’ve checked everything you need to check. Have you asked all the right questions? That’s why I’m putting this list together. This list of questions to answer is far from exhaustive, but it’s a good start and I’ll be updating it periodically. This way, I can continue to document the process and add new specifics as I learn and grow.

Each question should be answered as thoroughly as possible. This means being specific about the information given in a response. Responses may sometimes be simple lists or a small simple fact; MAC addresses, for example. Responses to other questions may require a paragraph or chart of some sort.

There’s a question about what “normal network traffic looks like”. Don’t answer “Good”. This is meant to be evaluated over a period of time through targeted data collection, cleaning, and analysis. It’s the only real way to guarantee a well thought out data driven response. The security stack described here is designed to help answer open-ended questions like these more thoroughly. If we can accurately define what normal traffic looks like, we can more easily pick out anomalies.

• Devices
  • Networking devices like router(s), wireless access point(s), switches?
  • IoT/“Smart devices”?
  • What is the MAC address and vendor of each device?
  • What OS is each device running?
  • What ports/services are exposed on each device? Only exposed locally?
  • Which devices communicate externally?
  • Which devices communicate with each other internally?
  • Do We trust all these devices? (classify as untrusted if you don’t know)
  • How are untrusted devices kept isolated?
• What kind of vulnerabilities do all these devices and services have?
• Updates
  • Are updates tracked?
  • Is there a package manager?
  • manual or automatic?
  • is anything deprecated or EOL?
  • Any supply-chain risks?
• Network Configuration
  • What is the OS/Firmware version of networking devices?
  • What Services are being run?
  • Is there segmentation?
    • Subnets
    • VLANs
  • firewall?
    • What are the rules?
    • Control access across and between all VLANs?
  • What DNS is being used? Google or Cloudflare? Unbound, perhaps? Pi-Hole?
  • DHCP? Static Assignments? How is it configured?
    
• Logging
  • Is there logging enabled?
  • What devices?
  • What Services?
  • Where are logs stored? central log server?
• Netflow?
• What other telemetry or metadata can be gathered?
• Blocklists?
  • Do these have logs?
  • Are they up-to-date?
  • firewall?
  • DNS?
• Authentication & Identity
  • SSO?
  • password complexity/entropy
  • public key cryptography
  • admin interfaces?
  • default credentials?
• Data
  • What data exists?
  • How sensitive is the data?
  • Where is it stored? (Server, backups, etc)
  • Who can access it?
  • Is it encrypted in transit and at rest?
  • Are backups isolated? cold? hot?
  • Is any of this data accessible from a network or device that should not have access?
    • For example, IoT devices or restricted VLANs having visibility of and access to the NAS would be bad.
• Exposure
  • Any services exposed to the internet?
  • VPN?
  • Reverse Proxy?
  • Port forwards?
  • UPnP or NAT-PMP enabled?
  • is remote administration exposed?
  • SSH?
  • Cameras?
• Network Baselines
  • What does normal traffic look like?
  • What times of day?
  • typical bandwidth patterns?
  • typical DNS queries?
• Monitoring/Dashboards/alerts?

Some of these questions should be answered in the form of a report, while others should be answered in the form of a CSV full of normalized data points. The audit itself is not a single report or dataset, but rather a collection of reports, figures, and datasets that can be used to enumerate weakness, plan for hardening, and track historic changes.