Network Security Field Notes: Start Here

Network security is not one product, one firewall rule, one antivirus agent, or one dashboard. It is a set of habits and layers that make a network harder to abuse, easier to monitor, and faster to recover when something goes wrong. The TechGeeks security section is going to focus on practical security for real environments: home labs, small businesses, ISP operations, PisoWiFi deployments, WordPress sites, routers, switches, servers, and cloud services.

This post is the starting point. It explains the security model we will use across future articles and gives you a realistic first checklist you can apply before buying anything.

Security Starts With Knowing What Exists

You cannot protect what you cannot see. Before talking about advanced tools, start with an inventory:

• Routers, firewalls, switches, and access points.
• Servers, NAS devices, cameras, printers, and controllers.
• Cloud accounts, DNS providers, hosting accounts, and SaaS services.
• WordPress sites, plugins, themes, admin accounts, and backups.
• ISP devices, CPE equipment, tower gear, and customer-facing portals.
• Admin laptops and phones used to manage everything else.

An inventory does not have to be perfect on day one. It just needs to exist and improve over time. A simple spreadsheet is better than a mystery network.

Identity Is The New Edge

Old network security thinking focused heavily on the perimeter. Firewalls still matter, but identity is often the real control point now. If an attacker gets an admin password, a Google account, a WordPress account, a router login, or an SSH key, the network edge may not matter much.

At minimum, protect important accounts with:

• Unique passwords stored in a password manager.
• Multi-factor authentication wherever possible.
• Separate admin accounts instead of using daily accounts for administration.
• Removed accounts for former users, contractors, and old test logins.
• Documented recovery methods that do not depend on one person.

For small environments, identity cleanup is often the highest-value security work because it removes easy paths attackers love.

Segment The Network

Flat networks are convenient until something gets compromised. Segmentation limits the blast radius. A guest phone should not reach a server. A camera should not reach accounting machines. A PisoWiFi customer should not reach router management. A lab VM should not have the same trust as production infrastructure.

Common segments include:

• Management: routers, switches, access points, controllers, hypervisors, and admin interfaces.
• Trusted users: staff devices or family devices that need normal access.
• Guest: internet-only access with client isolation.
• IoT and cameras: limited access, usually only to required services.
• Servers: controlled inbound and outbound access.
• Customer access: PisoWiFi or ISP customer networks separated from operations.

Segmentation is only useful when paired with firewall policy. VLANs create lanes. Firewall rules decide who can cross lanes.

Firewall Rules Should Be Boring And Clear

A good firewall policy is not a giant pile of exceptions. It should be readable. Start with default deny between sensitive segments, then allow only what is needed. Name rules clearly, group them by purpose, and remove temporary rules when the temporary need ends.

For example, management interfaces should usually be reachable only from an admin segment or VPN. Servers should expose only required ports. Customer networks should be internet-only unless there is a specific reason. DNS should be controlled so clients use the resolver you expect.

Logging Turns Guesswork Into Evidence

Security without logs becomes storytelling. You need enough visibility to answer basic questions:

• Who logged in?
• From where?
• What changed?
• Which device is scanning or making unusual outbound connections?
• Which firewall rules are being hit?
• Which WordPress admin actions happened recently?

You do not need a full enterprise SIEM to start. Router logs, firewall logs, WordPress login logs, DNS logs, and basic uptime monitoring already provide useful clues. The key is to collect them before the incident.

Patching And Backups Are Security Controls

Patching closes known holes. Backups make recovery possible. Both are security work. A network with perfect firewall rules but no backups is still fragile.

Use a routine:

• Track firmware and plugin updates.
• Update during planned windows when possible.
• Back up configurations before updates.
• Keep offline or protected backups for critical systems.
• Test restores, not just backup creation.

For WordPress, this means keeping plugins lean, removing unused plugins, updating the active ones, and keeping a clean recovery path. For routers and firewalls, it means exporting configs after meaningful changes.

Have An Incident Plan Before You Need It

An incident plan does not need to be complicated. It should answer:

• Who decides when something is an incident?
• Who has admin access?
• How do we isolate a device or segment?
• Where are backups?
• How do we preserve logs?
• Who needs to be notified?

During an incident, emotions run hot and time feels compressed. A short plan gives you rails to run on.

The First Ten Things To Do

1. List every admin account.
2. Turn on multi-factor authentication for critical accounts.
3. Remove unused WordPress plugins, themes, and users.
4. Back up router, firewall, switch, and website configs.
5. Separate guest, customer, IoT, server, and management traffic.
6. Restrict management access to admin networks or VPN.
7. Enable useful logging on firewalls, routers, and WordPress.
8. Patch the systems that face the internet.
9. Document public DNS, hosting, and registrar access.
10. Write a one-page recovery plan.

Future security posts will go deeper into each of these areas. We will cover firewall examples, VLAN security, WordPress hardening, VPN access, log review, backups, malware cleanup, secure remote access, and practical threat modeling for small networks and ISP-style environments.