Networking, security & backups in 2024

I made a couple of upgrades to our home network recently so I thought I’d map it out and talk about it a little.

Home network

About a year and a half ago we bought a house. One of its major selling points (at least for me) was that it came pre-wired, with ethernet cables already installed in the walls.

Here’s how I used that to set up our home network – one that provides high quality wired or Wi-Fi internet access in all rooms, bathrooms, and outside areas.

Network diagram titled ‘Home network’. The diagram shows four room locations, one roaming location, and wired ethernet cables in the wall of the house. The garage is where the internet is connected via an NBN modem is. That room also has a router, switch, NAS, and printer – all of which have wired connections. The downstairs living room has a network switch, TV, UHD player, and home theatre – all of which have wired connections. The upstairs retreat has a Wi-Fi extender + switch and TV, UHD player, and home theatre. All but the home theatre have wired connections. The upstairs home office has a desktop with a wired connection. Finally, we have some roaming phones, tablets, laptops, etc that are connected via Wi-Fi.

I had two main goals when planning this network:

  • Put all bandwidth-heavy activities on the wired network. This includes things like 4K media streaming to our TVs and the backing up of large media files from my desktop to the NAS. Doing that leaves the Wi-Fi network free for our laptops, phones, and smart home gadgets.

  • Make sure our work laptops are a single wall away from a Wi-Fi access point. Both Nadia and I work from home at least two days a week and both of us do lots of video conferencing. So our work laptops (which we use upstairs) need to have access to a strong Wi-Fi signal.

Happily I was able to achieve both of those goals.

With this set-up Nadia and I can do simultaneous video conferencing for work without any issues. And I can do things like download hundreds of gigabytes of computer game data to my desktop without interfering with the TV show Nadia that is streaming downstairs.

New router and a UPS

A couple of weeks ago I replaced our ailing primary router (all its ethernet ports had died) with a Synology WRX560. And because our secondary router is a Synology RT2600ac with the latest firmware installed, I’ve been able to configure that as an extender. So now we have a mesh Wi-Fi network throughout the house.

Finally, this weekend I put our primary router, NBN modem, and NAS behind a CyberPower UPS. I’m pretty sure our previous router developed its issues because of recent power surges and outages. This UPS has automatic voltage regulation so it’ll protect our primary networking devices (and NAS) while also giving us about an hour of back-up battery power.

Protecting our data and network

With everything always connected, I need to make sure our devices and gadgets are secure. I do this using the Swiss cheese model of layered network security.

All security layers have some holes (like a slice of Swiss cheese does) but, by adding multiple layers with differently-arranged holes, you can minimize the chance of anything getting through.

In our case we have protections at the router layer, operating system layer, and browser layer.

Screenshot of a diagram titled ‘Security strategy’. The diagram has three columns with icons for browser, operating system, and router. Each column is split into incoming and outgoing directions, with risk mitigation measures listed under each one. The router column has active threat protection, two-factor authentication, and auto lock-out under incoming; and it has Cloudflare DNS under outgoing. The operating system column has active threat protection, full drive encryption, and 3-2-1+ backups under incoming; and it has NextDNS under outgoing. The browser column has password manager, two-factor authentication, DNS over HTTPS, HTTPS-only, and uBlock origin under outgoing.

Incoming controls

Active defense against incoming attacks is managed through threat protection at the router and operating system levels.

Passive defense is managed by using things like full drive encryption (which means upgrading to Windows 11 Pro so we can use BitLocker) and a comprehensive back-up strategy (more on this in a minute).

Outgoing controls

Since malware and ransomware attacks are often triggered by what you do in your browser, we use layers of outgoing security to protect against this:

  • Our primary router is configured to use Cloudflare’s DNS service,

  • our operating systems (in our computers, phones, and tablets) are all configured to use NextDNS, and

  • our web browsers all use uBlock Origin and a bunch of other security and privacy-forward configurations.

Finally, all our online accounts use unique, long, randomly-generated passwords that are managed by the Bitwarden password manager. And we have two-factor authentication set-up (using Aegis) on all the accounts that offer this feature.

Recovering from a disaster

If, in spite of all those protections, things do go horribly wrong – or maybe if there’s a fire or natural disaster – our last line of defence is a comprehensive back-up strategy.

A 3-2-1 back-up strategy – the least you should be aiming for – says you need to have:

  • 3 copies of your data,

  • on 2 different mediums,

  • with at least 1 copy in the cloud.

We have a 4-4-2 back-up strategy with:

  • 4 copies of our data,

  • on 4 different mediums,

  • with 2 copies in the cloud.

Screenshot if a graphic titled ‘Back-up strategy’. The screenshot shows backups from a desktop. There are constant, selective back-ups to a cloud sync location; hourly, selective back-ups to a cloud backup location; and hourly, comprehensive back-ups to a NAS backup location.

How I do it

I use Sync.com to maintain a constant, synchronized copy of all my important files in the cloud. This gives me two copies, on two different mediums, with at least one copy in the cloud.

I then use Arq to simultaneously (a) backup a selection of key files to a cloud storage bucket and (b) backup all my files (which includes large, replaceable media files) to our network attached storage (NAS) at home. So that’s two more copies, on two additional mediums, one of which is in the cloud.

Naturally all these files are encrypted before leaving my computer and access to the NAS and all those cloud services is protected with unique, long, random passwords and two-factor authentication.

Keeping up with our needs

Doing all this takes time and effort, and it doesn’t come cheap. But so much of our lives is online these days that the cost of inaction – and the risk of losing that much of our lives – is much higher than the cost of doing everything I’ve talked about above.

It wasn’t always like this for us, of course. Our cost and effort has kept pace with what we’ve been able to afford along the way. We’re just privileged to be in a position where we can do something this sophisticated and automated. (Gone are the good old days of backing up to multiple 3½ inch floppy disks and, later, USB sticks.)

I hope, regardless of your personal set-up, that you too are doing the best you can to keep yourself connected, but protected.

Medibank data breach

Finally got the email [1] from Medibank saying that my old membership data with them was stolen by cyber criminals.

Screenshot of an email with the heading ‘An important update from Medibank’.

The email reads: “Dear Ameel, We’re deeply sorry to inform you that some data relating to your former membership has been stolen in the recent cybercrime event. This email details what specific membership data was stolen, outlines actions you can take to safeguard your online identity, and the services available through our Cyber Response Support Program”.

The email then goes on to list what categories of data have and have not been stolen. The data stolen is name, gender, date of birth, email, address, phone number, policy number, and passport number. The data not stolen is credit card and banking details, and health claims data.

I left Medibank in 2009 so, with the exception of my name, gender, and date of birth [2], all the other data they have one me is now outdated and irrelevant.

And while it’s not great that various cybercriminals now have this data, in the broader scheme of things ‘tis but a flesh wound. After all, there’s not much that cybercriminals can do with a single old residential address, an old pre-paid phone number, and an expired Pakistani passport number :)

(Why Medibank kept all my customer data thirteen years after I closed my account with them is a whole other issue, of course. *sigh*)

[1] I got the email from them on 15 November 2022.

[2] You can find all this about me using open-source intelligence gathering anyway — like by looking through my social media feeds and seeing when my friends have wished me ‘happy birthday’, for example.

Poor spammers

They make all that effort to add random spaces in words so automated SMS spam filters don’t block their attempted spam/phish…and then the spam filters effortlessly figure it out and block their messages anyway.

(งಠ_ಠ)ง

Crappy online banking security

You’re always only one SIM-jacking event away from losing control of your bank account.

Screenshot of a smartphone text messaging app that shows four text messages. All the messages read: “Don’t share this code with anyone, including NAB. Your security code is XX for Internet Banking password reset”. That six digit numerical code designated by XX changes in each message.

It’s 2022 and still banks don’t offer time-based, one-time tokens (like when you look up a code from Google Authenticator) as your second factor when authenticating with them. It’s embarrassing.

Log in alerts FTW

Log in alerts are such a useful feature. It’s eye-opening to see just how frequently people try to break into your accounts!

Alerts like these also drive home the importance of using two-factor authentication. I have that turned on everywhere. Seriously, you should too.

Screenshot of an email from Instagram that reads “Sorry to hear you’re having trouble logging into Instagram. We can help you get straight back into your account.” and then a button that says “Log in as ameelkhan”. Below that is text that reads “You can also reset your Instagram password”.

Instagram also offers an incredibly useful additional security feature: a list of emails they’ve sent you in the last 14 days.

Malicious actors can send fake log in alerts that are actually phishing emails. You can check this sent-email list in your account settings to verify if the email you’ve just received is real or not.

Screenshot from the Instagram website. The page’s title is ‘Emails from Instagram’. The text below this reads: “Security and login emails from Instagram in the last 14 days will appear here. You can use it to verify which emails are real and which are fake.” Below that is a list of emails, all with the subject “ameelkhan, we’ve made it easy to get back on Instagram”. Each item on this email list also has a timestamp so you can tell when it was sent.

Firefox extensions for privacy and security

A post called ‘A Few Simple Steps to Vastly Increase Your Privacy Online’ by Keith Axline has been making the rounds of the internet recently. It’s really good; you should read it.

In that post Keith recommends several privacy-related browser extensions. I use most of those, too, so I thought I’d follow up on my ‘Staying safe and private online’ post from a few weeks ago with the list of Firefox extensions I use to increase my online privacy and security.

Firefox extensions website.png

Block trackers from following your around the web

Privacy Badger by EFF Technologists: blocks trackers from following you around the web and seeing which websites you visit.

Decentraleyes by Thomas Rientjes: blocks creators of shared internet content (which lots of websites use) from tracking you every time you download their content.

CanvasBlocker by kkapsner: stops some trackers from using JavaScript to ‘fingerprint’ your browser.

Facebook Container by Mozilla: stops Facebook from tracking you around the web — essentially, lets you use Facebook and its related sites (like Instagram) in a private browser container that’s separated from the rest of your browser.

uBlock Origin by Raymond Hill: blocks ads and adware (ie malware in ads).

Keep your connections to websites encrypted whenever possible

HTTPS Everywhere by EFF Technologists: tries to upgrade all your website connections to ‘https’, which is an encrypted connection.

Stop potential security leaks when you use a VPN

Disable WebRTC by Chris Antaki: stops your true IP address from being leaked when streaming media through a VPN.

Create and manage excellent passwords

LastPass Password Manager by LastPass: generate long, unique, random passwords and then keep them secure.

Am I Mullvad.png

Take things up a notch by using a Virtual Private Network (VPN)

This isn’t a Firefox extension but, for completeness’ sake I thought I’d mention that my VPN of choice is Mullvad by Amagicom AB.

When you connect to the internet with Mullvad, we ensure that the traffic to and from your computer is encrypted to the highest standards even if you are using a public WiFi network at a cafe or hotel.

We keep no activity logs, do not ask for personal information, and even encourage anonymous payments via cash or one of the cryptocurrencies we accept. Your IP address is replaced by one of ours, ensuring that your device's activity and location are not linked to you.

If you want a really comprehensive VPN comparison, by the way, check out That One Privacy Site. One of the reasons I went will Mullvad is because that’s the only VPN listed on this site that has earned its ‘GOOD’ rating for privacy, features, and technology.

Staying safe and private online

I do lots of things to keep myself as secure and private as I can online – so many that I figured I’d make a list.

Securing my devices

  • make sure all my devices are fully encrypted – that includes all phones, tablets, laptops, and external hard drives (plus some USB sticks)

  • make sure all my data is backed up – and where it’s backed-up it is encrypted at rest (my cloud backup tool of choice is Arq and I use a local Synology NAS and Google Coldline as my backup locations)

  • make sure I have USB recovery drives for my all Windows installs

  • make sure my computer is kept proactively and reactively secure using anti-virus and anti-malware tools (my AV tool of choice is the pre-installed Windows Defender and my anti-malware tool of choice is Malwarebytes)

Securing my internet connection

  • configure my router to use a secure, private DNS server (CloudFlare’s 1.1.1.1 or Google’s Public DNS 8.8.8.8)

  • configure my Android phone to use a secure, private DNS server when on 4G (on the latest Android phones go to: Settings > Networks & Internet > Advanced > Private DNS)

  • use a VPN whenever I’m on an even slightly insecure network – on both my laptop and smartphone (my VPN provider of choice is Mullvad)

  • turn on my router’s guest network (with network isolation) and connect all my non-computer internet-connected gadgets (TV, Blu-ray player, cable set top box, etc) through that

  • use an advanced router that supports enterprise-level intrusion prevention (in my case I use a Synology router and their Intrusion Prevention app)

Securing my browser

Update: Check out my follow-up post for my list of ‘Firefox extensions for privacy and security’.

Securing my online accounts

  • use a password manager to generate and store long, secure, unique passwords for all my accounts (my password manager of choice is LastPass)

  • use two-factor authentication to keep as many of my accounts as possible secure (check the excellent Two Factor Auth List to see which accounts and services you can set up two-factor authentication for)

  • keep a regular, close eye on the data that various online services and social networks have on me by going through their ‘security check-up’ processes (eg Google’s excellent Privacy Check-up)

  • check all my email addresses on Have I Been Pwned to see which online services that I have an account with have had their user data stolen – also sign up to their ‘Notify me’ service to get an alert every time any of my email addresses is found in a newly stolen user data set

Always be learning

  • keep up with the latest in security via things like the Security Now podcast, several blogs, and a bunch of security-related mailing lists

  • check the EFF’s Surveillance Self-Defense website for the latest guides

  • consider switching to “ethical, easy-to-use and privacy-conscious alternatives” to social media networks, online services, and software using the comprehensive (and growing) list on switching.social