Dynamic IP / Static IP. Security?

Hi there,

A quick question:

I once read that giving your PC a static IP would give me better security on my wireless network.

The reason should be that intruders would have to guess my local IP address before they could act as my computer on the network?

Is this really true?

I mean, if they (the crooks) have all kinds of software to rip the MAC address and other stuff, then it should be a walk in the park to guess something between 192.168.1.X --> Y

I think it is a little bit easier to manage a network where the IP addresses are automatically distributed. For example, when I bring home my computer from work, I'd have to configure it to a specific address every time I need to connect here at home...

Or?!

Reply to
Palle Jensen

snipped-for-privacy@gmail.com (Palle Jensen) wrote in news: snipped-for-privacy@4ax.com:

You're actually free to assign addresses in these ranges:

formatting link
Allocation for Private Internets

  1. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

My LAN at home is in the 10.x.x.x range.

Reply to
Bert Hyman

Didn't know about that! I might make a few changes.

So what you are saying is that it IS a good security precaution to assign static IPs to the PCs on the wireless network?

Reply to
Palle Jensen

No, from a security perspective, static IPs provide little to no benefit.

However, if you have clients that have no reason to get dynamic IPs (e.g., desktops, print servers, etc.), then it can be helpful to assign them static IPs that are outside of the dynamically-assigned range (e.g., 192.168.1.50 if your router starts assigning at and upwards of 192.168.1.100) so that you do not have to search for their IP addresses every time you reset the router and want to connect to them.

From a security perspective, the best thing to do is use WPA or WPA2 encryption with a reasonably long passphrase (use at least 20 characters - provided that all of your wireless devices support it; use WEP otherwise - but WEP keys need to be changed frequently because they can be gradually determined from intercepted wireless traffic). And, be sure to use the latest firmware on your router.

-Yves

Reply to
Yves Konigshofer

It may stop the casual hacker that doesn't know anything. But if someone who knows anything or has some technical expertise wanted to come at your machines on the LAN from a wireless situation wired or wireless machines using DHCP or static IP(s), they can do it. Do you think they don't know about the information too?

Where you need to go is to the O/S on the computer and secure it or harden it to attack. That's where the buck stops.

Duane :)

Reply to
Duane Arnold

The key point is whether or not your router ever got compromised. If it did then the bad guys would be able to figure out your private router based DHCP allocated IPs. If you use statics it's way more difficult. Not theoretically impossible though. What they'd be able to do with that info depends on how you've configured your router/LAN.. Really just another "layer" of indirection. In the context of wireless only really makes any kind of sense from the point of view of your neighbour/Joe Bloggs perhaps trying to access your LAN. From the point of view of Net based users trying to access your network - the NAT functionality of your router / non-routable IPs effectively protects you ( until you start opening up holes in your router that is ). That said, don't get me started on router exploits/misconfigured routers etc...

The answer to your question is therefore yes it is a good idea - certainly not a bad one.

S
Reply to
Steve Berry
[snip..]

Thank you!

Reply to
Palle Jensen

Dunno really, but it couldn't hurt, and this way I always know the address of each machine in the house :-)

I have turned off the DHCP server on my router and have turned on MAC address filtering, but I think most important, I use WPA.

Reply to
Bert Hyman

Way more difficult? Once past WPA/WEP etc, you just sniff packets and there they are.

I disagree, in that context using an IP address scheme for security is the last thing to bother with. Far easier to prevent Joe Neighbour from connecting in the first place by using the security provision on the wireless router.

David.

Reply to
David Taylor

Yeah, I totally agree with you David - but the OP didn't ask that; I was only really getting at the point of not making the router any "weaker" than necessary. You are of course correct about encryption.

S
Reply to
Steve Berry

Dynamic or static.. make no difference to security.. none whatsoever..

Eg: this is my local ip - 10.1.1.100 netmask 255.255.255.0 You can get my public ip from the headers of this message.. makes no odds.

To connect to a dynamic ip you can use any of the free dynamic ip tools available eg:

formatting link

Reply to
Doz

(Roadrunner purged this thread, so this is more of a reply to the original poster.)

If you keep everything always connected, then it does add another layer.

I use MAC filtering, along with dynamically (DHCP) assigned "static" IP's. (Everything pulls IP's by DHCP, but each MAC always gets the same IP assigned.)

Yes, MAC's can easily be spoofed -- but ...

My routers only allow one instance of each MAC address to be connected at a time and everything is always connected. The DHCP IP pool only has a number of IP's for number of devices that connected. Every time I get something new, I add the MAC address to the filter and tag on another IP to the pool.

If someone wanted to get on my WLAN, providing they could first break WPA-EAP, they would have to physically disconnect one of the already connected devices to spoof its MAC address because the routers won't allow more than one instance per MAC.

So, in that regard, I consider it a worthwhile layer of security...

Reply to
Eric

You have to set IP address, network mask, gateway address, and name servers. This takes under a minute. Admittedly, I'm not allowed to bring home computers from work (I have one permanently assigned here), and home computers are not allowed into the building at work, much less allowing them to attach to our networks. None the less, the setup is quite simple.

More likely, it's a configuration issue with your news reader. I had no problem pulling up all 14 articles in the thread - most full service news-servers retain articles for six or more months.

Then what is the benefit of using DHCP? Ease of configuration? You have to configure the server, I have to configure three tiny files on the host - takes longer to type the file names than to enter the data.

Yes, that's why we no longer depend on MAC or IP address as a means of authentication, and haven't done that since the early 1990s. None the less, using static addresses reduces the risk of the most blatant stuff from the mind of a nine-year-old (yes, some of it _is_ that easy).

Got news for you - that's true of _any_ network. If two systems try to answer the same packet, everyone involved knows immediately, and that's when I call Guido to discuss the matter with the malefactors. You know Guido, he's the 7'4" guy who isn't smiling.

Seriously, at work, it takes less than two minutes to have the security guards AND the network administrator at the PC that is spoofing a MAC address. That's a number of buildings with over 2000 systems on the wires.

See Section 7 of RFC2131 (the current standard for DHCP), or the last page of the earlier standard RFC1542. They've known it's a security risk since the early 1990s. Using static addressing does improve security by some small amount, but unless EVERYTHING is encrypted with unique keys, nothing is perfect... but then, you knew that, right?

Old guy

Reply to
Moe Trin
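
Added example (not part of any post in this thread): a small audit showing what fixed MAC-to-IP assignments, as in Eric's DHCP reservations and Moe Trin's static setup, let a defender detect. The inventory, the addresses and the neighbour-table snapshots (written in the style of Linux `ip neigh show` output) are constructed for illustration.

```python
import re

# Constructed inventory: the fixed MAC -> IP assignments (DHCP reservations
# or static configuration) the LAN owner has recorded. Values are made up.
INVENTORY = {
    "00:11:22:33:44:01": "10.1.1.10",
    "00:11:22:33:44:02": "10.1.1.11",
    "00:11:22:33:44:03": "10.1.1.12",
}

# Constructed neighbour-table snapshots, taken at two points in time.
SNAPSHOTS = [
    """10.1.1.10 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
10.1.1.11 dev wlan0 lladdr 00:11:22:33:44:02 STALE
10.1.1.12 dev wlan0 lladdr 00:11:22:33:44:03 REACHABLE""",
    """10.1.1.10 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
10.1.1.11 dev wlan0 lladdr 66:77:88:99:aa:bb REACHABLE
10.1.1.40 dev wlan0 lladdr 00:11:22:33:44:03 REACHABLE
10.1.1.13 dev wlan0 FAILED""",
]

LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) dev \S+ lladdr ([0-9a-fA-F:]{17}) \S+$")

def parse(snapshot):
    """Return (ip, mac) pairs; entries without a resolved MAC are skipped."""
    pairs = []
    for line in snapshot.splitlines():
        m = LINE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit(snapshots, inventory):
    """Flag unknown MACs, known MACs on the wrong IP, and IPs whose MAC changed."""
    findings = []
    last_mac = {}  # ip -> MAC seen in the previous observation
    for n, snap in enumerate(snapshots):
        for ip, mac in parse(snap):
            if mac not in inventory:
                findings.append((n, "unknown-mac", ip, mac))
            elif inventory[mac] != ip:
                findings.append((n, "wrong-ip", ip, mac))
            if ip in last_mac and last_mac[ip] != mac:
                findings.append((n, "ip-changed-mac", ip, mac))
            last_mac[ip] = mac
    return findings
```

A device that presents an inventoried MAC on its reserved IP passes this audit unnoticed, which is the limit of MAC and IP checks that several posters point out.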
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

I'd say fairly easy, but still a pain in the ass, and a likely opportunity for error. Better to use multi-configuration software.

I know of many news services that don't retain that much history. Regardless, it is available on Google Groups.

DHCP works automatically, provides a single point of management, and thus reduces the chance of error, in addition to being more convenient.

Reply to
John Navas

It won't. Just one of the many wireless security myths.

No. They can get what they need to know by guessing, trial and error, and/or sniffing.

Yep.

Generally true, although software is available to reconfigure your networking to different "profiles."

Not really.

I'm afraid it's a false sense of security -- there are a number of ways for that to be defeated, including man-in-the-middle attacks (e.g., de-authentication) and denial-of-service attacks on wireless clients. Bottom line is that MAC filtering is pretty much worthless, and thus more trouble than it's worth.

Reply to
John Navas
