Networking, security & backups in 2024

I made a couple of upgrades to our home network recently so I thought I’d map it out and talk about it a little.

Home network

About a year and a half ago we bought a house. One of its major selling points (at least for me) was that it came pre-wired, with ethernet cables already installed in the walls.

Here’s how I used that to set up our home network – one that provides high quality wired or Wi-Fi internet access in all rooms, bathrooms, and outside areas.

Network diagram titled ‘Home network’. The diagram shows four room locations, one roaming location, and wired ethernet cables in the wall of the house. The garage is where the internet is connected via an NBN modem. That room also has a router, switch, NAS, and printer – all of which have wired connections. The downstairs living room has a network switch, TV, UHD player, and home theatre – all of which have wired connections. The upstairs retreat has a Wi-Fi extender + switch and TV, UHD player, and home theatre. All but the home theatre have wired connections. The upstairs home office has a desktop with a wired connection. Finally, we have some roaming phones, tablets, laptops, etc that are connected via Wi-Fi.

I had two main goals when planning this network:

  • Put all bandwidth-heavy activities on the wired network. This includes things like 4K media streaming to our TVs and the backing up of large media files from my desktop to the NAS. Doing that leaves the Wi-Fi network free for our laptops, phones, and smart home gadgets.

  • Make sure our work laptops are a single wall away from a Wi-Fi access point. Both Nadia and I work from home at least two days a week and both of us do lots of video conferencing. So our work laptops (which we use upstairs) need to have access to a strong Wi-Fi signal.

Happily I was able to achieve both of those goals.

With this set-up Nadia and I can do simultaneous video conferencing for work without any issues. And I can do things like download hundreds of gigabytes of computer game data to my desktop without interfering with the TV show that Nadia is streaming downstairs.

New router and a UPS

A couple of weeks ago I replaced our ailing primary router (all its ethernet ports had died) with a Synology WRX560. And because our secondary router is a Synology RT2600ac with the latest firmware installed, I’ve been able to configure that as an extender. So now we have a mesh Wi-Fi network throughout the house.

Finally, this weekend I put our primary router, NBN modem, and NAS behind a CyberPower UPS. I’m pretty sure our previous router developed its issues because of recent power surges and outages. This UPS has automatic voltage regulation so it’ll protect our primary networking devices (and NAS) while also giving us about an hour of back-up battery power.

Protecting our data and network

With everything always connected, I need to make sure our devices and gadgets are secure. I do this using the Swiss cheese model of layered network security.

All security layers have some holes (like a slice of Swiss cheese does) but, by adding multiple layers with differently-arranged holes, you can minimize the chance of anything getting through.

In our case we have protections at the router layer, operating system layer, and browser layer.

Screenshot of a diagram titled ‘Security strategy’. The diagram has three columns with icons for browser, operating system, and router. Each column is split into incoming and outgoing directions, with risk mitigation measures listed under each one. The router column has active threat protection, two-factor authentication, and auto lock-out under incoming; and it has Cloudflare DNS under outgoing. The operating system column has active threat protection, full drive encryption, and 3-2-1+ backups under incoming; and it has NextDNS under outgoing. The browser column has password manager, two-factor authentication, DNS over HTTPS, HTTPS-only, and uBlock Origin under outgoing.

Incoming controls

Active defense against incoming attacks is managed through threat protection at the router and operating system levels.

Passive defense is managed by using things like full drive encryption (which means upgrading to Windows 11 Pro so we can use BitLocker) and a comprehensive back-up strategy (more on this in a minute).

Outgoing controls

Since malware and ransomware attacks are often triggered by what you do in your browser, we use layers of outgoing security to protect against this:

  • Our primary router is configured to use Cloudflare’s DNS service,

  • our operating systems (in our computers, phones, and tablets) are all configured to use NextDNS, and

  • our web browsers all use uBlock Origin and a bunch of other security and privacy-forward configurations.

Finally, all our online accounts use unique, long, randomly-generated passwords that are managed by the Bitwarden password manager. And we have two-factor authentication set-up (using Aegis) on all the accounts that offer this feature.

Recovering from a disaster

If, in spite of all those protections, things do go horribly wrong – or maybe if there’s a fire or natural disaster – our last line of defence is a comprehensive back-up strategy.

A 3-2-1 back-up strategy – the least you should be aiming for – says you need to have:

  • 3 copies of your data,

  • on 2 different mediums,

  • with at least 1 copy in the cloud.

We have a 4-4-2 back-up strategy with:

  • 4 copies of our data,

  • on 4 different mediums,

  • with 2 copies in the cloud.

Screenshot of a graphic titled ‘Back-up strategy’. The screenshot shows backups from a desktop. There are constant, selective back-ups to a cloud sync location; hourly, selective back-ups to a cloud backup location; and hourly, comprehensive back-ups to a NAS backup location.

How I do it

I use Sync.com to maintain a constant, synchronized copy of all my important files in the cloud. This gives me two copies, on two different mediums, with at least one copy in the cloud.

I then use Arq to simultaneously (a) backup a selection of key files to a cloud storage bucket and (b) backup all my files (which includes large, replaceable media files) to our network attached storage (NAS) at home. So that’s two more copies, on two additional mediums, one of which is in the cloud.

Naturally all these files are encrypted before leaving my computer and access to the NAS and all those cloud services is protected with unique, long, random passwords and two-factor authentication.
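
A back-up plan only meets its rule while every copy is actually fresh, so here is an added example (not from the original post) that audits the four copies described above against the 3-2-1 rule as stated earlier, counting only copies whose last run succeeded recently and whose cloud storage is encrypted client-side. The timestamps, staleness windows and field names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Copy:
    name: str
    medium: str                     # storage medium or provider holding this copy
    in_cloud: bool
    encrypted: bool                 # encrypted before leaving the computer
    max_age: Optional[timedelta]    # None = the live working copy
    last_success: Optional[datetime] = None

def audit(copies, now, need=(3, 2, 1)):
    """Count only healthy copies; return ((copies, mediums, cloud), problems)."""
    healthy, problems = [], []
    for c in copies:
        if c.max_age is not None and (c.last_success is None
                                      or now - c.last_success > c.max_age):
            problems.append(f"{c.name}: no successful run within {c.max_age}")
        elif c.in_cloud and not c.encrypted:
            problems.append(f"{c.name}: cloud copy is not encrypted client-side")
        else:
            healthy.append(c)
    counts = (len(healthy), len({c.medium for c in healthy}),
              sum(c.in_cloud for c in healthy))
    for have, want, label in zip(counts, need, ("copies", "mediums", "cloud copies")):
        if have < want:
            problems.append(f"only {have} {label}, rule needs {want}")
    return counts, problems

# Constructed sample data modelled on the four copies described in the post.
NOW = datetime(2024, 1, 7, 12, 0)
HOUR = timedelta(hours=1)

def plan(nas_last, bucket_last):
    # Staleness windows (15 minutes, 2 hours) are assumed tolerances.
    return [
        Copy("desktop", "desktop drive", False, True, None),
        Copy("Sync.com", "cloud sync", True, True, timedelta(minutes=15),
             NOW - timedelta(minutes=2)),
        Copy("Arq cloud bucket", "cloud bucket", True, True, 2 * HOUR, bucket_last),
        Copy("Arq NAS", "NAS", False, True, 2 * HOUR, nas_last),
    ]

if __name__ == "__main__":
    print(audit(plan(NOW - HOUR, NOW - HOUR), NOW))            # all jobs healthy
    print(audit(plan(NOW - timedelta(days=3), None), NOW))     # two jobs failing
```

With both Arq jobs failing, the 4-4-2 plan quietly degrades to 2-2-1 and no longer satisfies 3-2-1, which is why the last-success time of each job is worth monitoring.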

Keeping up with our needs

Doing all this takes time and effort, and it doesn’t come cheap. But so much of our lives is online these days that the cost of inaction – and the risk of losing that much of our lives – is much higher than the cost of doing everything I’ve talked about above.

It wasn’t always like this for us, of course. Our cost and effort have kept pace with what we’ve been able to afford along the way. We’re just privileged to be in a position where we can do something this sophisticated and automated. (Gone are the good old days of backing up to multiple 3½ inch floppy disks and, later, USB sticks.)

I hope, regardless of your personal set-up, that you too are doing the best you can to keep yourself connected, but protected.