Basics @Home
Introduction
Upgrade router firmware
Protect router management
Turn it off
Port forwarding
Routing audit
Small Organisation Intranet Routing Audit
Home/Lab Network Routing Audit
Services audit
Questions
Disable services when not needed
OpenWRT @Home
Introduction
Flash router with other firmware
DD-WRT
OpenWrt
Example: Flashing a TL-WR841N(D)
DropBear SSH public key authentication
Running SSH on another port
Whitelisting IPs
Nethogs
Portknocking
Resources
Wireless @Home
Introduction
Reduce wireless signal strength
Change router defaults
Disable SSID broadcasting
Enable encryption
Use the strongest encryption protocol available
Notes on WPS
Check for WPS
Warnings
Unauthorised devices
Restrict by MAC address
Use certificate-based security
Router audit scripts @GitHub
Intranet router audit scripts
ISP-grade router audit scripts
Carrier-grade router audit scripts
Intranet
Introduction
What?
Why?
How?
Secured NAT router
Benefits
When and where is this useful?
Flash custom firmware (Replace stock OS)
Harden the firewall
Default-Deny policy
Restrict LAN → Router access
Block WAN ping & scans
Secure Router access
Change default credentials
Enable SSH (With Key Auth)
Restrict Web Admin access
Enable VPN-Only remote access
Set Up WireGuard (OpenWRT)
Block All WAN admin access
Monitor & log attacks
Enable logging
Intrusion Detection (Snort/Suricata)
Physical security
LAN segmentation
Benefits
Plan Your VLAN Structure
Configuring VLANs on a Router/Switch
Option A: Using a VLAN-Capable Router (e.g., pfSense, OpenWRT, Ubiquiti)
Option B: Using a managed switch
Apply Network Isolation (Critical Step!)
Test & verify isolation
ARP mitigations
Static ARP entries (prevent spoofing)
DHCP snooping + dynamic ARP inspection (DAI)
ARP monitoring tools
Port security (MAC filtering)
VPN/Encryption (Mitigate MITM impact)
Network segmentation (VLANs + Private VLANs)
ARP Spoofing detection tools
DNS mitigations
DNS Server audit trails & logging
Whitelist valid DNS servers
DNSSEC (DNS security extensions)
Block malicious DNS exploits
Monitor & detect suspicious DNS activity
Intrusion Detection Systems (IDS) for DNS
Block Unauthorized DNS Services
nftables
For NAT
Snortbox as IDS
Promiscuous mode setup
Snort configuration for specific IP & port
Option 1: BPF Filter (pre-capture filtering)
Option 2: Snort Rule (post-capture Filtering)
Verify & run Snort
Port Mirroring/SPAN (If needed)
Beyond basic protections
Network segmentation & Zero Trust
Micro-Segmentation
Software-Defined Networking (SDN)
Advanced traffic monitoring
NetFlow/sFlow analysis
Encrypted traffic inspection
Endpoint & server hardening
Network Access Control (NAC)
Host-Based firewalls
Disable legacy protocols
Threat hunting & deception
Honeypots
Endpoint Detection & Response (EDR)
Physical & supply chain security
Secure Network Hardware
Firmware integrity checks
Logging & incident response
Centralized SIEM
Automated Response
Wireless Security (If applicable)
WPA3-Enterprise
Rogue AP detection
And more
Internet
Introduction
What?
Why?
How?
Critical internet-wide mitigations
Universal adoption of RPKI & BGPsec
QUIC/HTTP3 Encryption by default
Post-Quantum Cryptography (PQC) migration
Mandatory DDoS mitigation for all networks
IoT security standards
Decentralized identity (Beyond certificates)
AI-Powered threat detection
Global cyber warfare treaties
Privacy-Enhancing technologies (PETs)
Ethical hacktivism legalisation
Why these mitigations matter
BGP hijacking mitigations
Deploy RPKI (Resource Public Key Infrastructure)
For Network Operators (AS Owners)
For ISPs & transit providers
Use BGPsec (Path Validation)
Implement Prefix Filtering & IRR (Internet Routing Registry)
Monitor BGP in Real-Time
BGP Monitoring Tools
Detect Anomalies via RTT & TTL
Collaborate with MANRS (Mutually Agreed Norms for Routing Security)
Deploy automated mitigation
ARTEMIS (Open-Source)
Cloudflare Magic Transit
ISP best practices
Certificate validation
Certificate Pinning (HPKP Replacement)
Expect-CT Header (Certificate Transparency Enforcement)
Certificate Authority Authorization (CAA)
Trusted Types (Browser-Level pinning)
Extended Validation (EV) certificates
Certificate Transparency (CT)
Multi-Perspective Domain Validation
ACME DNS-01 Challenges (Not HTTP-01)
Short-Lived Certificates (Automated Rotation)
Post-Quantum certificates (Future-proofing)
Deploying Resource Public Key Infrastructure (RPKI)
Prerequisites
Create ROAs (Route Origin Authorizations)
Log in to Your RIR Portal
Create a ROA
Configure RPKI Validation on Routers
Cisco IOS-XR
Juniper JunOS
BIRD (Linux)
Set Up an RPKI Validator (Optional)
Monitor RPKI status
Check ROA coverage
Test Prefix validation
Enforce RPKI in BGP Policies
Verify Deployment
Defending from DDoS
On-Premises mitigations
Network hardening
Rate limiting
Traffic scrubbing (DIY)
ISP/Transit Provider responsibilities
Cloud-Based protection (3rd Party)
Application-layer defences
Web Application Firewall (WAF)
Rate Limiting
Emergency response plan
GDPR compliance checklist
Step-by-Step GDPR compliance check
Data mapping & inventory
Legal basis & consent
User Rights (Articles 15-22)
Security Measures
Third-Party Compliance
Documentation & accountability
Free GDPR compliance tools
Adopting Post-Quantum Cryptography (PQC)
For Developers: Integrate PQC Libraries
For Sysadmins: Prepare for PQ migration
Enabling DoH/DoT in browsers
Firefox
Chrome/Edge
System-Wide DoT (Linux/macOS)
Verify DoH/DoT
Network mitigations
Ty Myrddin Home