Dynamic IP / Static IP. Security?

Hi there,

A quick question:

I once read that giving your PC a static IP would give me better
security on my wireless network.

The reason shpuld be that intrudes would have to guess my local IP
adress, before they could act as my computer on the network?

Is this really true?

I mean, If they (the crooks) have all kinds of software to rip the
MacAdress, and other stuff, then it should be a walk in the park to
guess something between 192.168.1.X --> Y

I think it is a little bit aesier ti manage a network were the IP
adresses are automatically distributed. F.ex. when I bring home my
computer from work. I's have to configure it to a specific adress
every time I need to connect here at home...

Or?!

--
Med venlig hilsen
Palle Jensen

(E-Mail Removed) (Palle Jensen) wrote in
news:(E-Mail Removed):

> I mean, If they (the crooks) have all kinds of software to rip the
> MacAdress, and other stuff, then it should be a walk in the park to
> guess something between 192.168.1.X --> Y

You're actually free to assign addresses in these ranges:

http://www.isi.edu/in-notes/rfc1918.txt
Address Allocation for Private Internets

3. Private Address Space

The Internet Assigned Numbers Authority (IANA) has reserved the
following three blocks of the IP address space for private
internets:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

My LAN at home is in the 10.x.x.x range.

--
Bert Hyman | St. Paul, MN | (E-Mail Removed)

On 18 Apr 2006 17:49:28 GMT, Bert Hyman <(E-Mail Removed)> wrote:

>> I mean, If they (the crooks) have all kinds of software to rip the
>> MacAdress, and other stuff, then it should be a walk in the park to
>> guess something between 192.168.1.X --> Y
>
>You're actually free to assign addresses in these ranges:
>
>http://www.isi.edu/in-notes/rfc1918.txt
>Address Allocation for Private Internets

Didn't know about that! I might make a few changes.

So what you are saying is that it IS a good security precaution to
assign static IP's to the PC's on the wireless network?


--
Med venlig hilsen
Palle Jensen

No, from a security perspective, static IPs provide little to no benefit.

However, if you have clients that have no reason to get dynamic IPs (e.g.,
desktops, print servers, etc.), then it can be helpful to assign them static
IPs that are outside of the dynamically-assigned range (e.g., 192.168.1.50
if your router starts assigning at and upwards of 192.168.1.100) so that you
do not have to search for their IP addresses every time you reset the router
and want to connect to them.

From a security perspective, the best thing to do is use WPA or WPA2
encryption with a reasonably long passphrase(use at least 20 characters -
provided that all of your wireless devices support it; use WEP otherwise -
but WEP keys need to be changed frequently because they can be gradually
determined from intercepted wireless traffic). And, be sure to use the
latest firmware on your router.

-Yves

"Palle Jensen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On 18 Apr 2006 17:49:28 GMT, Bert Hyman <(E-Mail Removed)> wrote:
>
>>> I mean, If they (the crooks) have all kinds of software to rip the
>>> MacAdress, and other stuff, then it should be a walk in the park to
>>> guess something between 192.168.1.X --> Y
>>
>>You're actually free to assign addresses in these ranges:
>>
>>http://www.isi.edu/in-notes/rfc1918.txt
>>Address Allocation for Private Internets
>
> Didn't know about that! I might make a few changes.
>
> So what you are saying is that it IS a good security precaution to
> assign static IP's to the PC's on the wireless network?
>
>
> --
> Med venlig hilsen
> Palle Jensen

Palle Jensen wrote:
> On 18 Apr 2006 17:49:28 GMT, Bert Hyman <(E-Mail Removed)> wrote:
>
>
>>>I mean, If they (the crooks) have all kinds of software to rip the
>>>MacAdress, and other stuff, then it should be a walk in the park to
>>>guess something between 192.168.1.X --> Y
>>
>>You're actually free to assign addresses in these ranges:
>>
>>http://www.isi.edu/in-notes/rfc1918.txt
>>Address Allocation for Private Internets
>
>
> Didn't know about that! I might make a few changes.
>
> So what you are saying is that it IS a good security precaution to
> assign static IP's to the PC's on the wireless network?
>
>

It may stop the casual hacker that doesn't know anything. But if someone
who knows anything or has some thecnical expertise wanted to come at
your machines on the LAN from a wireless situation wired or wireless
machines using DHCP or static IP(s), they can do it. Do you think they
don't know about the information too?

Where you need to go is to tha O/S on the computer and secuirty it or
harden it to attack. That's where the buck stops.

Duane

"Palle Jensen" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On 18 Apr 2006 17:49:28 GMT, Bert Hyman <(E-Mail Removed)> wrote:
>
>>> I mean, If they (the crooks) have all kinds of software to rip the
>>> MacAdress, and other stuff, then it should be a walk in the park to
>>> guess something between 192.168.1.X --> Y
>>
>>You're actually free to assign addresses in these ranges:
>>
>>http://www.isi.edu/in-notes/rfc1918.txt
>>Address Allocation for Private Internets
>
> Didn't know about that! I might make a few changes.
>
> So what you are saying is that it IS a good security precaution to
> assign static IP's to the PC's on the wireless network?
>
>
> --
> Med venlig hilsen
> Palle Jensen

The key point is whether or not your router ever got compromised.
If it did then the bad guys would be able to figure out your private router
based DHCP allocated IPs.
If you use statics it's way more difficult. Not theoretically impossible
though.
What they'd be able to do with that info depends on how you've configured
your router/LAN..
Really just another "layer" of indirection.
In the context of wireless only really makes any kind of sense from the
point of view of your neighbour/Joe Bloggs perhaps trying to access your
LAN.
From the point of view of Net based users trying to access your network -
the NAT functionality of your router / non-routable IPs effectively protects
you ( until you start opening up holes in your router that is ). That said,
don't get me started on router exploits/misconfigured routers etc...

The answer to your question is therefore yes it is a good idea - certainly
not a bad one.

S

On Tue, 18 Apr 2006 20:47:44 GMT, "Steve Berry" <(E-Mail Removed)>
wrote:

[snip..]

>The answer to your question is therefore yes it is a good idea - certainly
>not a bad one.

Thank you!
--
Med venlig hilsen
Palle Jensen

In news:(E-Mail Removed) Palle Jensen
<(E-Mail Removed)> wrote:

> On 18 Apr 2006 17:49:28 GMT, Bert Hyman <(E-Mail Removed)> wrote:
>
>>> I mean, If they (the crooks) have all kinds of software to rip the
>>> MacAdress, and other stuff, then it should be a walk in the park to
>>> guess something between 192.168.1.X --> Y
>>
>>You're actually free to assign addresses in these ranges:
>>
>>http://www.isi.edu/in-notes/rfc1918.txt
>>Address Allocation for Private Internets
>
> Didn't know about that! I might make a few changes.
>
> So what you are saying is that it IS a good security precaution to
> assign static IP's to the PC's on the wireless network?

Dunno really, but it couldn't hurt, and this way I always know the
address of each machine in the house :-)

I have turned off the DHCP server on my router and have turned on MAC
address filtering, but I think most important, I use WPA.

--
Bert Hyman St. Paul, MN (E-Mail Removed)

> If you use statics it's way more difficult. Not theoretically impossible
> though.

Way more difficult? Once past WPA/WEP etc, you just sniff packets and
there they are.

> In the context of wireless only really makes any kind of sense from the
> point of view of your neighbour/Joe Bloggs perhaps trying to access your
> LAN.

I disagree, in that context using an IP address scheme for security is
the last thing to bother with. Far easier to prevent Joe Neighbour from
connecting in the first place by using the security provision on the
wireless router.

David.

"David Taylor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) d.com...
>> If you use statics it's way more difficult. Not theoretically impossible
>> though.
>
> Way more difficult? Once past WPA/WEP etc, you just sniff packets and
> there they are.
>
>> In the context of wireless only really makes any kind of sense from the
>> point of view of your neighbour/Joe Bloggs perhaps trying to access your
>> LAN.
>
> I disagree, in that context using an IP address scheme for security is
> the last thing to bother with. Far easier to prevent Joe Neighbour from
> connecting in the first place by using the security provision on the
> wireless router.
>
> David.

Yeah I totally agree with you David - but the OP didn't ask that
I was only really getting at the point of not making the router any "weaker"
than necessary.
You are of course correct about encryption.

S