on 19-07-2021 10:36
Hi guys
I am using the Deco M5 mesh with my Virgin Hub 3 in modem-only mode.
I may be being paranoid, but I am not confident in the level of security currently afforded by my network.
What top tips, given my setup, could one recommend to optimise security here?
Ideally, Deco would ask me to approve any devices that come onto the network - is this possible at all?
Many thanks
Z
on 19-07-2021 10:43
on 19-07-2021 10:55
I gather whitelisting of devices on the M5 has been requested but it's not yet a feature;
https://community.tp-link.com/us/home/forum/topic/203350
You can blacklist by MAC address
on 19-07-2021 10:58
Use the highest wireless security mode that all your devices support.
on 19-07-2021 12:51
You can only get better security, other than the ways mentioned, by installing a “proper” router and running a RADIUS server.
on 19-07-2021 13:41
@zudecke I may be being paranoid, but I am not confident in the level of security currently afforded by my network.
Well, might be worth reading up on the pros and cons of MAC filtering (device whitelisting), as there are some good arguments that, against the sort of attacker who might target your wifi, that would be little or no defence on a domestic-grade system. As an attacker also needs to hack your password, if they can do that then I would expect the packet sniffing technology to steal and duplicate a whitelisted MAC address won't be the slightest problem. Modern wifi is pretty secure against casual misuse; against determined attack it is inherently not very secure unless subject to active enterprise-grade security controls (and sometimes not even then).
However, if you're still of the opinion that you need more security, and MAC filtering is what you want, then you either need to sell the M5 and buy a mesh system in which you do have confidence, or put the M5 in access point mode and connect with a router that does allow whitelist MAC filtering between the hub and the mesh. And you may be looking at a small business router for those sorts of controls, or dabbling in third-party firmware like Merlin.
All depends on who you're worried about. GCHQ and their international mates can walk through the security on most systems like it isn't there and there's nothing you can do about that. Casual bumblers looking for unsecured wifi will move on if there's any password. The slightly more determined will only look for really old security protocols such as WEP or basic WPA. So the subset you're able to defend against is somebody who is technically savvy, understands wifi technology, has access to packet sniffing technology, yet can't spoof a MAC address, and is within physical range of your wifi signal. If they can do that but they can spoof a MAC address then they'll still be able to bypass any MAC filtering.
In all honesty, you could probably improve your wifi security more simply by disabling the 2.4 GHz signal, since the much lower range of 5 GHz reduces the range at which an attacker could connect. If they're not specifically targeting you, the most rudimentary measures (like WPA2 or 3, and a good strong password) will put them off, to go and search for easier targets. If you are being specifically targeted, your only true security is to turn off wifi altogether.