Advice on Static IP Addresses


ScarletKnight06
I'm currently running a wireless network from a Linksys WRT54G connected to a router with Cox service. I have a MacBook Pro that is used as the primary household computer, as well as 2 Windows machines that we sometimes use when we're working from home, 2 iPhones, an iPad and an Apple TV.

Originally, everything was working fine (ie automatically obtaining IP addresses without any manual adjusting) until we added more and more devices. Then it became a sort of one-on, one-off game and I could not get all devices to work simultaneously. So, I went ahead and started manually assigning static IP addresses to each device. The router's IP is 192.168.1.1, so I started at 192.168.1.101 and counted up, adding to the last set of numbers for each device (102, 103, etc). Each device now has a unique IP address, with the same Subnet mask and DNS number/domain.

Most of the devices have been working better since I manually assigned addresses, with the exception being the Apple TV. I have read on here many times that streaming video over Wifi is unreliable at best, but I have struggled to just get the Apple TV to reliably connect to the internet to stream music from my iTunes library. I am constantly rebooting it, and reconnecting to the wireless network.

I recently found a closeout deal on the Netgear WNDR3700 Wireless N router, which I have read good things about, on this site and others. I purchased and it should be here within a week.

My question is two-fold: 1) is manually assigning static IP addresses to each device the best course of action? Are there any other settings that I should be modifying to keep each device running smoothly? And 2) should I expect better performance out of the new router? Should I continue with the manual IP addresses with this device as well?

Thanks in advance for your help. I have already learned so much from your site. I look forward to your response.
 

There is no reason I can think of that a router would suddenly start having problems with DHCP. You might be having other issues (someone dabbling in router settings?).

That said, mixing and matching static and dynamic is not a problem, you should, as it appears you are, keep the ranges separate.

I do recommend using a set of addresses that is not so common, someone inside your network could easily guess the 192.168.1.x addresses, go with something like 192.168.42.x or even better 10.6.42.x


Let us know how the new router works out.
 
Thanks for your response, GregN. So the addresses assigned to each device do not have to be similar to the address the router is operating on? I was under the impression that the first 3 sets of numbers had to be the same as the router, and the last set would differentiate the IP address of each device operating on that router. Other than unauthorized use by someone outside of my network, is there a benefit to changing these addresses? I live in a rural part of Arkansas, and don't believe many of my neighbors even have computers.

The reason I went to static IP addresses to begin with was that the router was automatically assigning addresses that looked nothing like the 192.168.1.1 that it was operating on. This was causing the devices to be totally unresponsive.

Again, thanks for the feedback and knowledge.
 

The router should have an address like 192.168.42.100, there should be a setting for that on the initial configuration page. Your router address is best configured within the same range as your machines.

So, each node should have an address like 192.168.42.x (where x is 1 to 99, 101 to 254 )

DHCP server running on the router assigns addresses within the range you've assigned, usually something like:

Starting address: 192.168.42.1
Maximum assigned IPs: 10 ( sometimes you enter the top of the range, so it would be 192.168.42.10, giving you a total of ten dynamically assigned addresses )


The router should also have a netmask for your config of at least: 255.255.255.0 ( the zero is where the machines live, the rest of the address is fixed )

This means you can have a maximum of 253 computers attached to the router ( subtract one for the router ), the first 10 are dynamic, the rest would be statically addressed.

Hope that helps
 
A popular home router convention is that the router with WAN gateway is x.x.x.1 of the subnet, on the LAN side.
Not a good idea to make it 100.

all the clients will, by design, send their WAN traffic to the router's LAN side address.
 
One is the Loneliest Number....

Not a good idea to make it 100.

Why? 100, 200, 254, 222, 79 would all work the same. What is the advantage to .1? Unless you are using a very tight netmask.

I use 100, and have for years ( the secret is out ), easy to remember and if I'm hacked it isn't where it often defaults to, the .1 position. Making your address 192.168.1.1 just makes things easier for an interloper. Also change my default router userID and password for the same reason.
 

Keeping the gateway the same as the default is a good idea in case of router issues. If the config is reset (firmware update, malfunction, etc) the systems with a static IP will still have connectivity. It is also good to have the static IPs assigned to not overlap with the default DHCP scope for the same reason.
 

As a convention ( we can agree it is a convention? ) I don't find it compelling. If I have router problems, or it is reset, firmware loaded, etc. I want to know, not just have things continue to work.

The reason the Stuxnet worm was effective was due to conventions like this one.

How odd we disagree about this, huh.

Other than flouting convention as some crazed rebel, pretty positive the advice I gave the Scarlet Knight is sound.
 
Personally, I would prefer heads up as well. For Grandma though, that information is meaningless. Almost everyone would be better off with a system that fails gracefully. I love my Grandma, but she'd beat me if I told her I could have avoided a two day outage with a little forethought.

I think a Stuxnet reference is a bit of a stretch, unless you would like to elaborate further.
 

Stuxnet

The Siemens centrifuges communicated using specific obscure configured ports, and .dlls ( in the conventional place under windows ) for command and control. That way the worm could target those centrifuges, and leave other equipment alone.

More significantly the core of the attack took place because of a default password for the SCADA database.

It also used MITM to subvert error reporting, it presumed the monitoring software was listening at the conventional port.

Simplest Configuration is the best configuration

I understand the argument, to extend it a bit further then, leaving the wireless connection unprotected/secured would ensure grandma's wireless didn't go down when the configuration is reset. Not the best thing I think you'd agree.

MITM attacks often rely on these sort of conventions ( some of the simpler router attacks count on 192.168.1.1 ).

I generally choose as a best practice not to use defaults when possible - are you saying that if I were to RJ45 into your home network, I'd find the router at 192.168.1.1, and using say admin/admin, gain access to your router?

Isn't it easier to see all your shared files if your network exists on 192.168.1.x and your Workgroup is conventionally named MSHome or WORKGROUP?

( You're talking to a guy that avoids using C:\Program Files )
 
you can mix static with DHCP devices without problem as long as it's done correctly. Your router has a DHCP range set like 192.168.1.50 to 192.168.1.100 make sure your static devices start outside this range.

There is no performance difference between the two.

I think the problem is a weak WiFi chipset in the apple tv .

If the new router does not fix the issue you need to use an ethernet to wifi bridge connected to your apple tv.

The engenius ecb3500 is a good one.

http://www.keenansystems.com/store/catalog/product_info.php?cPath=2&products_id=258
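The rules given in the thread (static hosts share the gateway's subnet per the netmask, stay outside the DHCP scope, don't collide with each other or the router, and a /24 leaves 253 addresses for machines) can be checked mechanically before touching each device. This is an added example, not code from any poster; the gateway, netmask, DHCP scope and device list below are constructed to mirror the original question, including two deliberate mistakes.

```python
import ipaddress

# Constructed sample plan modelled on the thread: router at .1, statics from .101 upward.
GATEWAY = "192.168.1.1"
NETMASK = "255.255.255.0"
DHCP_RANGE = ("192.168.1.50", "192.168.1.100")   # assumed DHCP scope on the router
STATIC_HOSTS = {
    "macbook":  "192.168.1.101",
    "win-1":    "192.168.1.102",
    "win-2":    "192.168.1.103",
    "iphone-1": "192.168.1.104",
    "appletv":  "192.168.1.75",    # constructed mistake: inside the DHCP scope
    "ipad":     "192.168.42.105",  # constructed mistake: not the gateway's subnet
}


def usable_hosts(gateway: str, netmask: str) -> int:
    """Addresses left for machines: drop network, broadcast and the router itself."""
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    return net.num_addresses - 2 - 1


def check_plan(gateway, netmask, dhcp_range, static_hosts):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    problems = []
    if lo > hi:
        problems.append(f"DHCP scope start {lo} is above its end {hi}")
    for bound in (lo, hi):
        if bound not in net:
            problems.append(f"DHCP bound {bound} is outside the router's subnet {net}")
    seen = {}
    for name, text in static_hosts.items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            # The first three octets (for a /24) must match the gateway, or the
            # host has no route to it; this is the "looked nothing like" symptom.
            problems.append(f"{name}: {addr} is not in {net}; it cannot reach gateway {gw}")
            continue
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is the network or broadcast address")
        if addr == gw:
            problems.append(f"{name}: {addr} collides with the router")
        if lo <= addr <= hi:
            problems.append(f"{name}: {addr} lies inside DHCP scope {lo}-{hi}; a lease may collide")
        if addr in seen:
            problems.append(f"{name}: {addr} duplicates {seen[addr]}")
        seen[addr] = name
    return problems


if __name__ == "__main__":
    print(f"{usable_hosts(GATEWAY, NETMASK)} addresses available for machines")
    for line in check_plan(GATEWAY, NETMASK, DHCP_RANGE, STATIC_HOSTS) or ["plan is consistent"]:
        print(line)
```

The same check applies unchanged to the 192.168.42.x layout suggested earlier in the thread; only the constants change.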
 

You are conflating "have a configuration compatible with defaults" with "leave a system at defaults" (Stuxnet relevance hinges on it).

I am not necessarily advocating simplicity. Where you saw an option to eke out a little bit of additional security, I opted for resiliency. Why?

Is a more secure solution preferable to one lesser so? Common sense would suggest yes. In practice though, security often comes at the expense of usability. I could refrain from telling Grandma the WPA2 passphrase for her router, which would allow me to personally vet every wireless device she wanted to give access to. Is Grandma safer? Absolutely. Is this a major inconvenience, which may be unwarranted? Yes. Is this additional security and administrative burden worth the almost extortionate amount of hugs and kisses I would exact for performing such a service? Probably not.

If the maximum amount of security possible isn't always the right answer, what is? Security professionals are frequently tasked with making this call. To quantify their decision, a tool called risk assessment is used. Let's say Grandma wants to maximize her hugs received. Every time her computer gets infected, she loses 20 hugs from her grandchildren (who are angry at getting spammed). Personally vetting each system will completely eliminate the possibility of infection, but it comes at a cost: she loses one hug from each grandchild that can't connect their iPhone via WiFi (because I am not available at the time). In addition, I demand 15 hugs for my services. I love garlic, and my breath reminds people of that fact, so for accounting purposes my hugs are negative hugs.

Risk is estimated by taking the amount of possible damage and multiplying it by the likelihood of it occurring. If Grandma receives 10 visits a month from her grandchildren, a 5% chance of infection from every iPhone connected, and a 20 hug penalty for infection, her overall risk is 10 hugs a month.

How does my security solution stack up? There is a 0% chance of infection. However, there is a primary cost of 15 garlic hugs and an incidental cost of (-10/mo) from her untethered grandchildren; the overall cost is 25 hugs a month.

Considering that my services will result in more lost hugs than without it, a security professional would be hard pressed to recommend it to Grandma.

All of this needs to be taken into consideration when determining the appropriate level of security. So when you suggest that I would choose to not enable security on a wireless connection, I really can't give you a 100% yes/no answer. Is the increased risk from running an open connection outweighed by the benefits? If so, absolutely. Admin passwords are more clearcut, but the same thought process applies. There will be very few authorized users that need access to Grandma's router config, and by taping the password to the underside of the router I can mitigate the problem of other techs lacking access. Less secure? Absolutely. Acceptable compromise? Yes.

What you are advocating with changing IP subnets and workgroup names is security through obscurity. It gets a bad rap, but as with any security measure, its merit should be gauged by comparing implementation costs with its effectiveness.

How difficult do you think it would be to find the gateway on your network?
How effective is changing your workgroup name? How difficult is it to find out which one is in use?
Have environment variables thwarted your efforts? Where does %programfiles%\ point to?
 
You are right, it is a cost vs benefit analysis.

Defaults are an attack vector.

There is a probability curve associated with each vector. ( your risk assessment )

So what is the cost versus the risk/probability that a default will result in an attack?

Cost of security often lies on some spectrum of inconvenience. Remembering passwords, waiting for decryption, having to reconfigure appliances when they fail, paying x dollars.

The argument I made, and think is sound reasoning, is that the default of 192.168.1.1 is an established attack vector, one that script kiddies can take advantage of. And given the huge number of folks that use that default, a pretty rich one at that. ( How to Hack Millions of Routers Simple Man in the Middle Attack )

More importantly, the cost of the hassle of configuring your router at other than 192.168.1.1 on that spectrum of inconvenience is, I would argue, smaller than that of configuring WPA2 encryption.

Used to have a friend who said, "There is no stopping a monomaniac." I believe this to be true. But for most folks, and for most javascript/browser based attacks, they can be deterred through this kind of inconvenience. The chances of an attack by a monomaniac are low, a floating generalized attack is much higher.

Stuxnet in part relied on a default password, that had it been changed would have stopped or severely slowed the attack. Changing that password was highly inconvenient.


My network may only be a small degree ( thank you pfSense/HAVP/Snort/Squid, non-defaults, better than avg passwords ) more secure than a standard network, but that is enough to deter I would guess 70+ percent of most attacks, hopefully higher.

Cost was small, benefit fairly high. Confidence is good.

The cost of configuring your grandma, may be much higher, who am I to say?
 