I once read that giving your PC a static IP would give me better security on my wireless network.
The reason should be that intruders would have to guess my local IP address, before they could act as my computer on the network?
Is this really true?
I mean, if they (the crooks) have all kinds of software to rip the MAC address, and other stuff, then it should be a walk in the park to guess something between 192.168.1.X --> Y
I think it is a little bit easier to manage a network where the IP addresses are automatically distributed. For example, when I bring home my computer from work. I'd have to configure it to a specific address every time I need to connect here at home...
No, from a security perspective, static IPs provide little to no benefit.
However, if you have clients that have no reason to get dynamic IPs (e.g., desktops, print servers, etc.), then it can be helpful to assign them static IPs that are outside of the dynamically-assigned range (e.g., 192.168.1.50 if your router starts assigning at and upwards of 192.168.1.100) so that you do not have to search for their IP addresses every time you reset the router and want to connect to them.
From a security perspective, the best thing to do is use WPA or WPA2 encryption with a reasonably long passphrase (use at least 20 characters - provided that all of your wireless devices support it; use WEP otherwise - but WEP keys need to be changed frequently because they can be gradually determined from intercepted wireless traffic). And, be sure to use the latest firmware on your router.
It may stop the casual hacker that doesn't know anything. But if someone who knows anything or has some technical expertise wanted to come at your machines on the LAN from a wireless situation wired or wireless machines using DHCP or static IP(s), they can do it. Do you think they don't know about the information too?
Where you need to go is to the O/S on the computer and secure it or harden it to attack. That's where the buck stops.
The key point is whether or not your router ever got compromised. If it did then the bad guys would be able to figure out your private router based DHCP allocated IPs. If you use statics it's way more difficult. Not theoretically impossible though. What they'd be able to do with that info depends on how you've configured your router/LAN. Really just another "layer" of indirection. In the context of wireless only really makes any kind of sense from the point of view of your neighbour/Joe Bloggs perhaps trying to access your LAN. From the point of view of Net based users trying to access your network - the NAT functionality of your router / non-routable IPs effectively protects you (until you start opening up holes in your router that is). That said, don't get me started on router exploits/misconfigured routers etc...
The answer to your question is therefore yes it is a good idea - certainly not a bad one.
Way more difficult? Once past WPA/WEP etc, you just sniff packets and there they are.
I disagree, in that context using an IP address scheme for security is the last thing to bother with. Far easier to prevent Joe Neighbour from connecting in the first place by using the security provision on the wireless router.
Yeah I totally agree with you David - but the OP didn't ask that. I was only really getting at the point of not making the router any "weaker" than necessary. You are of course correct about encryption.
(Roadrunner purged this thread, so this is more of a reply to the original poster.)
If you keep everything always connected, then it does add another layer.
I use MAC filtering, along with dynamically (DHCP) assigned "static" IPs. (Everything pulls IPs by DHCP, but each MAC always gets the same IP assigned.)
Yes, MACs can easily be spoofed -- but ...
My routers only allow one instance of each MAC address to be connected at a time and everything is always connected. The DHCP IP pool only has a number of IPs for the number of devices that connected. Every time I get something new, I add the MAC address to the filter and tag on another IP to the pool.
If someone wanted to get on my WLAN, providing they could first break WPA-EAP, they would have to physically disconnect one of the already connected devices to spoof its MAC address because the routers won't allow more than one instance per MAC.
So, in that regard, I consider it a worthwhile layer of security...
You have to set IP address, network mask, gateway address, and name servers. This takes under a minute. Admittedly, I'm not allowed to bring home computers from work (I have one permanently assigned here), and home computers are not allowed into the building at work, much less allowing them to attach to our networks. None the less, the setup is quite simple.
More likely, it's a configuration issue with your news reader. I had no problem pulling up all 14 articles in the thread - most full service news-servers retain articles for six or more months.
Then what is the benefit of using DHCP? Ease of configuration? You have to configure the server, I have to configure three tiny files on the host - takes longer to type the file names than to enter the data.
Yes, that's why we no longer depend on MAC or IP address as a means of authentication, and haven't done that since the early 1990s. None the less, using static addresses reduces the risk of the most blatant stuff from the mind of a nine-year-old (yes, some of it _is_ that easy).
Got news for you - that's true of _any_ network. If two systems try to answer the same packet, everyone involved knows immediately, and that's when I call Guido to discuss the matter with the malefactors. You know Guido, he's the 7'4" guy who isn't smiling.
Seriously, at work, it takes less than two minutes to have the security guards AND the network administrator at the PC that is spoofing a MAC address. That's a number of buildings with over 2000 systems on the wires.
See Section 7 of RFC2131 (the current standard for DHCP), or the last page of the earlier standard RFC1542. They've known it's a security risk since the early 1990s. Using static addressing does improve security by some small amount, but unless EVERYTHING is encrypted with unique keys, nothing is perfect... but then, you knew that, right?
It won't. Just one of the many wireless security myths.
No. They can get what they need to know by guessing, trial and error, and/or sniffing.
Generally true, although software is available to reconfigure your networking to different "profiles."
I'm afraid it's a false sense of security -- there are a number of ways for that to be defeated, including man-in-the-middle attacks (e.g., de-authentication) and denial-of-service attacks on wireless clients. Bottom line is that MAC filtering is pretty much worthless, and thus more trouble than it's worth.
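
Added example, not part of the thread or written by any of its posters: a small audit of the "each MAC always gets the same IP" setup and the "two systems answering for one address" situation the posts discuss. The reservation table, the observation records and the `audit` function are all constructed for illustration; the 60-second window is an assumption.

```python
from collections import defaultdict

# Constructed reservation table (MAC -> reserved IP), as in a "static DHCP" setup.
RESERVATIONS = {
    "aa:bb:cc:00:00:01": "192.168.1.50",
    "aa:bb:cc:00:00:02": "192.168.1.51",
}

# Constructed ARP observations: (seconds, source IP, source MAC).
OBSERVATIONS = [
    (0, "192.168.1.50", "aa:bb:cc:00:00:01"),
    (5, "192.168.1.51", "aa:bb:cc:00:00:02"),
    (9, "192.168.1.50", "de:ad:be:ef:00:99"),   # second MAC claims a reserved IP
    (12, "192.168.1.77", "aa:bb:cc:00:00:02"),  # known MAC on an unreserved IP
    (400, "192.168.1.51", "aa:bb:cc:00:00:02"),
]

def audit(observations, reservations, window=60):
    """Return (time, kind, ip, mac) findings for a stream of ARP observations."""
    findings = []
    last_seen = defaultdict(dict)  # ip -> {mac: last time that mac claimed it}
    for ts, ip, mac in observations:
        mac = mac.lower()
        reserved_ip = reservations.get(mac)
        if reserved_ip is None:
            findings.append((ts, "unknown-mac", ip, mac))
        elif reserved_ip != ip:
            findings.append((ts, "wrong-ip-for-mac", ip, mac))
        # Two different MACs claiming one IP inside the window is a conflict.
        for other, seen in last_seen[ip].items():
            if other != mac and ts - seen <= window:
                findings.append((ts, "ip-conflict", ip, mac))
                break
        last_seen[ip][mac] = ts
    return findings

if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, RESERVATIONS):
        print(finding)
```

A cloned MAC that uses its reserved IP while the real device is offline matches the table exactly and produces no finding, which is why the table cannot serve as authentication.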