Use a More Sophisticated IP Address Scheme on Your Network

Let's assume that your router's IP address is set as 192.168.0.1. Yours might be different and that's fine, I just need to assume something here for this post.

Generally, at least in home networking situations, routers are configured to have 255.255.255.0 for their subnet mask. So then, based on the previous assumption of 192.168.0.1 for your router's IP address, your router's local network is everything 192.168.0.x.

But in most routers you're not constrained to a subnet mask of 255.255.255.0; you can use any valid subnet mask. I'll leave it to you to read up on subnet masks if need be, but I'll note that if you change this to 255.255.254.0, your local network is no longer just 192.168.0.x: it is 192.168.0.x and 192.168.1.x (192.168.0.0/23 in prefix notation). What's cool about this is that you can now use 192.168.0.x and 192.168.1.x for different things and tell at a glance what is what. Keep in mind that this is still a single network: devices in 192.168.0.x and 192.168.1.x can talk to each other freely, so the split is an organizational convention, not isolation.

So what's a way you could utilize 192.168.0.x and 192.168.1.x separately? Well, for known devices on my network, I like to create DHCP reservations (as I detail in my post Use DHCP Reservations Instead of Static IP Addresses, you should use DHCP reservations, not static IP addresses). So I could create DHCP reservations for all known devices with IP addresses in 192.168.0.x, and then set my DHCP server to hand out addresses starting at 192.168.1.1 and ending at 192.168.1.254. At that point, I can tell at a glance whether something is a known device (has a 192.168.0.x IP address) or an unknown device (192.168.1.x). One caveat: this is a labeling convention for your own benefit, not a control. A device that configures itself with a static address in 192.168.0.x will look "known" without being known, so treat the glance as a first pass and confirm anything surprising against your reservation list.

And if you like this idea, you can take it to the next level by using 255.255.252.0 as the subnet mask and now, using my previous 192.168.0.1 router IP address as the assumption, your local network is 192.168.0.x, 192.168.1.x, 192.168.2.x, and 192.168.3.x. And now you have 2 additional values available to use in the third octet. So now you could do something like this:

  • 192.168.0.x: use for DHCP reservations for your known devices (that don't fall into one of the following 2 categories).
  • 192.168.1.x: use for DHCP reservations for your known devices that need special access through the firewall. For WiFi calling, my experience is that you need an outbound rule for UDP ports 500 and 4500 (yes, you could turn on IPSec passthrough, but it's better to be more prescriptive about exactly what destination devices need that access).
  • 192.168.2.x: use for DHCP reservations for your known devices that should not have Internet access (for example, let's say you have a printer on your network that you want to be able to print to so you want to access it locally, but you don't want it exposed to the Internet). Then you create firewall rules to block Internet access to and from all of 192.168.2.x.
  • 192.168.3.x: make these the addresses your DHCP server utilizes.

And if you need more than 4 values in the third octet, just shorten your subnet mask further: 255.255.248.0 gives you 8, 255.255.240.0 gives 16, 255.255.224.0 gives 32, 255.255.192.0 gives 64, 255.255.128.0 gives 128, and 255.255.0.0 gives all 256 (192.168.0.x through 192.168.255.x). With the router at 192.168.0.1 each of these blocks starts at 192.168.0.0; with some other router address, check where the block actually begins, because the mask decides that, not the router's address.
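To make the subnet arithmetic concrete, here is a small added example (not code from the original post) that derives the network from a router address plus dotted mask, lists the third-octet values it spans, and classifies addresses by the role layout described above for the 255.255.252.0 case. The role names and the sample lease table are constructed for illustration.

```python
"""Work out what a router IP and subnet mask give you, and classify addresses
by the third-octet roles described in the post. Added example, not from the post."""
import ipaddress

# Assumption: roles follow the post's 255.255.252.0 layout (router 192.168.0.1).
ROLES = {
    0: "known (reservation)",
    1: "known, special firewall access (reservation)",
    2: "known, no Internet (reservation)",
    3: "dynamic pool (unknown device)",
}


def lan_network(router_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """Return the network a router address and dotted mask describe,
    e.g. 192.168.0.1 + 255.255.254.0 -> 192.168.0.0/23."""
    return ipaddress.IPv4Interface(f"{router_ip}/{netmask}").network


def third_octet_values(network: ipaddress.IPv4Network) -> list[int]:
    """The third-octet values (the post's 'x' blocks) the network spans; needs a
    mask of 255.255.255.0 or shorter, which is the only case the post discusses."""
    if network.prefixlen > 24:
        raise ValueError("mask longer than 255.255.255.0 splits a single x block")
    first = (int(network.network_address) >> 8) & 0xFF
    return list(range(first, first + network.num_addresses // 256))


def usable_range(network: ipaddress.IPv4Network) -> tuple[str, str]:
    """First and last host address: the network and broadcast addresses at the
    two ends of the block cannot be handed to devices."""
    return (str(network.network_address + 1), str(network.broadcast_address - 1))


def role_of(address: str, network: ipaddress.IPv4Network) -> str:
    """Map an address to its role by which 256-address block of the LAN it sits in."""
    ip = ipaddress.IPv4Address(address)
    if ip not in network:
        return "not on this LAN"
    if ip in (network.network_address, network.broadcast_address):
        return "reserved (network/broadcast)"
    block = (int(ip) - int(network.network_address)) >> 8
    return ROLES.get(block, f"block {block} (no role assigned)")


def classify(leases: dict[str, str], network: ipaddress.IPv4Network) -> dict[str, str]:
    """Annotate an {ip: hostname} lease table with each address's role."""
    return {ip: f"{host}: {role_of(ip, network)}" for ip, host in leases.items()}


if __name__ == "__main__":
    net = lan_network("192.168.0.1", "255.255.252.0")
    print(net, "spans third-octet values", third_octet_values(net))
    print("usable host range:", usable_range(net))
    # Constructed sample lease table, not real data.
    sample = {"192.168.0.20": "laptop", "192.168.2.10": "printer",
              "192.168.3.77": "android-9f2c", "192.168.4.5": "neighbor?"}
    for line in classify(sample, net).values():
        print(line)
```

Note that the mask, not the router's address, decides where the block starts: a router at 192.168.1.1 with mask 255.255.254.0 still lands in 192.168.0.0/23, so 192.168.0.x is part of its network too.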

And then hopefully your guest network can operate on an entirely separate set of IP addresses, maybe even use its own subnet mask so you can do this kind of thing for your guest network too and see at a glance what devices are known and unknown in your guest network (and yes, it can make sense to have known devices in your guest network; see my post Two Security Approaches You Should Be Taking on Your Network for more information on this subject).

Two Security Approaches You Should Be Taking on Your Network

Routers these days are very sophisticated in regards to what they can do and you should take the time to configure yours to provide robust security. While not meant to be in any way comprehensive as to everything you should be doing from a security perspective on your router, this post offers 2 security approaches you should be implementing with your devices and router(s):

  1. Use the guest network for anything that doesn't need to talk to other devices on the network.

    Actually, if your router supports VLANs, using a VLAN for anything that doesn't need to talk to other devices on the network is even better than using the guest network. For more information on this, see this excellent post. But as that post points out, most home routers do not, as of this writing, support VLANs. As such, utilizing a guest network is your best option on most home routers.

    A guest network sounds like something you would use only for your guests' devices, but this is too limited a view of a guest network; instead, you should think of your guest network as the place to put any device that doesn't need to talk to other devices on the network.

    These days there are all sorts of IoT (Internet of Things) devices that we don't access directly but rather interact with via a cloud service. Got a smart thermostat on your network? How about a smart plug? Maybe a smart scale? Chances are that you don't directly access these devices but rather you access a cloud service to interact with them. Well, if that's the case, why would you want these devices to be able to talk to other devices on the network? Put them on your guest network: they'll still have access to the Internet, they just won't have access to other devices on the network. Now, you may be thinking "well, just because I don't need them to access other devices on the network doesn't mean I care if they can access other devices on the network." Well, you should care: unfortunately, devices do become compromised from time to time, and if someone gets into one of yours, you don't want him/her to use that access to gain additional access to network traffic and/or devices on the network. Do check what your router's guest network actually isolates, though: most block guest clients from the main LAN, but whether guest clients can see each other is often a separate "client isolation" or "AP isolation" setting that you have to turn on. So: guest network for anything that doesn't need to be able to talk to other devices on the network.

    And you know what would make it even better? If the guest network were on a completely separate router from your main network! If you really want to isolate the devices on your guest network as much as possible from your main network, use 2 routers: the first (the one connected to the outside world, which most commonly means to your modem) has the guest network on it, and the second (whose WAN port is connected to a LAN port of the first) has your main network on it. Then even if a bad actor gains access to your guest network or to a device on it, he/she would have to get through your second router's WAN side, the same as any attacker coming from the Internet, in order to compromise your main network. The cost is double NAT on the main network, which can complicate port forwarding and some game and VoIP setups.

  2. Disable access to/from the Internet for anything that doesn't need it.

    This one goes right along with the one above: in the same way that you don't want to give access to other devices on your network to anything that doesn't need it, you don't want to give Internet access to any device that doesn't need it. Have a printer on your network? Does it need Internet access? Chances are that it does not: chances are that you only need to be able to send print jobs to it on your local network. In the last item, I pointed out that devices do unfortunately become compromised from time to time, and the point there was to protect everything else on the network from a compromised device. Here the goal is to protect a device from becoming compromised in the first place, and to limit what it can do if it is anyway: with no Internet access it cannot be reached from outside, cannot download a payload, and cannot call home. That matters especially because if you need to talk to the device (in this example, send print jobs to it) then you can't put it in the guest network, which means that if it does become compromised it's that much easier for the attacker to gain additional access to network traffic and/or other devices on the network. So: turn off access to/from the Internet for anything that doesn't need it.

    Okay, great! But how do you do that? Well, the mechanism will vary from router to router, but in general the approach is to create firewall rules. You will likely need one rule that blocks all ports from the outside (that is, the Internet) to a device and a second rule that blocks all ports from that device to the outside (on a NAT router the inbound direction is mostly blocked already unless you have forwarded ports, so the outbound rule is the one doing most of the work). And you'll need such rules for every device you want to cut off, so it might end up being a lot of rules. However, if you follow the guidance in my post Use a More Sophisticated IP Address Scheme on Your Network, you can create (if your router supports it) one pair of rules for the entire 192.168.2.x range you use for these devices. Either way, test the rules: from the device, or from a laptop temporarily given one of those addresses, try to reach something on the Internet and confirm it fails while local access to the device still works.
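The rule set described in these two posts is easy to get wrong in ordering or direction, so here is an added example (not code from the original posts) that models it as an ordered, first-match rule list and evaluates sample flows against it. It assumes the 192.168.0.0/22 layout from the address-scheme post, treats anything off the LAN as "the Internet", and adds two drop rules for UDP 500/4500 from other LAN hosts as an assumption about what "be more prescriptive" means; the flows are constructed.

```python
"""Model the firewall policy the two posts describe as an ordered rule list and
check it against sample flows. Added example, not from the posts."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Network layout from the companion post (router 192.168.0.1, mask 255.255.252.0).
LAN = ipaddress.IPv4Network("192.168.0.0/22")
FIREWALL_ACCESS = ipaddress.IPv4Network("192.168.1.0/24")  # WiFi-calling phones etc.
NO_INTERNET = ipaddress.IPv4Network("192.168.2.0/24")      # printers and the like
INTERNET = "internet"  # sentinel: any address that is not on the LAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: object            # IPv4Network or INTERNET
    dst: object            # IPv4Network or INTERNET
    proto: Optional[str]   # None = any protocol
    dport: Optional[int]   # None = any port
    action: str            # "allow" or "drop"


def _matches(selector, addr: ipaddress.IPv4Address) -> bool:
    if selector == INTERNET:
        return addr not in LAN
    return addr in selector


# First match wins, as on most packet filters; anything unmatched is allowed,
# the usual default on home routers. Rule order matters: the WiFi-calling
# allows must come before the drops for everyone else. The last two rules are
# an assumption about the post's "be prescriptive" stance, not stated in it.
RULES = [
    Rule("no-internet range: block outbound", NO_INTERNET, INTERNET, None, None, "drop"),
    Rule("no-internet range: block inbound", INTERNET, NO_INTERNET, None, None, "drop"),
    Rule("wifi calling: IKE", FIREWALL_ACCESS, INTERNET, "udp", 500, "allow"),
    Rule("wifi calling: NAT-T", FIREWALL_ACCESS, INTERNET, "udp", 4500, "allow"),
    Rule("others: no IKE", LAN, INTERNET, "udp", 500, "drop"),
    Rule("others: no NAT-T", LAN, INTERNET, "udp", 4500, "drop"),
]


def decide(flow: Flow, rules=RULES) -> tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the flow."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for r in rules:
        if (_matches(r.src, src) and _matches(r.dst, dst)
                and r.proto in (None, flow.proto) and r.dport in (None, flow.dport)):
            return r.action, r.name
    return "allow", "default"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 and 8.8.8.8 stand in for the Internet.
    samples = [
        Flow("192.168.2.10", "8.8.8.8", "tcp", 443),        # printer phoning home
        Flow("203.0.113.5", "192.168.2.10", "tcp", 9100),   # Internet host probing printer
        Flow("192.168.0.20", "192.168.2.10", "tcp", 9100),  # laptop printing locally
        Flow("192.168.1.30", "203.0.113.9", "udp", 4500),   # phone doing WiFi calling
        Flow("192.168.0.20", "203.0.113.9", "udp", 500),    # laptop trying IKE
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {decide(f)}")
```

Two things the model makes visible: local traffic to and from the no-Internet range is untouched because neither end is "the Internet", and the address-based rules only hold as long as devices keep the addresses you reserved for them.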

Use DHCP Reservations Instead of Static IP Addresses

I was in an online discussion recently in which the other party talked about using static IP addresses on his/her devices. And I told that person this: the only time I can conceive of there being a need to utilize a static IP address on a device is if the device doesn't support DHCP, which would be a very rare situation.

As long as a device supports DHCP, the best way to get that device to utilize a known and consistent IP address is to utilize DHCP with the device and a DHCP reservation in the DHCP server (which in most home networks would be a function of the router). You want to have the server (in this case, the router) dictating to the clients rather than having the clients dictating to the server. In so doing, you centralize your IP address control in the DHCP server instead of decentralizing that control to the devices. There are so many reasons this is the best approach:

  • It allows you to change your network address scheme in one place should you want to do so. And it's all seamless for the clients: you make the change on the DHCP server and that's it, you don't have to change anything on the client side.
  • You can move clients to another DHCP-enabled network (which is pretty much any network) without reconfiguring them. If you take a device to another network, it will just pick right up and work because it's set for DHCP.
  • You don't have to track the IP addresses your devices are using, your router does that for you. This means you won't have IP address conflicts (as long as every device really is using DHCP). With static IP addresses, you could put multiple devices on the same IP address, which would cause network issues. Not only that, you have to account for the addresses of your static-IP devices in DHCP anyway (that is, you have to make sure that your DHCP server doesn't give out these addresses to other devices), so why not just have your DHCP server give out those addresses in the first place?
  • With many routers, you can address your devices by hostname and not just by IP address because the DHCP server registers those hostnames. Then that gives you even more flexibility. For example, while I have no intention to ever change the IP addresses of the cameras on my network, I can if I want to because all my viewer apps address those cameras by hostnames and so a change to the IP addresses those cameras are using will be completely transparent to my viewer apps.
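Since the DHCP server is where the address control lives, it is also the natural place to check the table for the conflicts described above. The following added example (not code from the original post) validates a reservation table against the 192.168.0.0/22 layout from the address-scheme post and emits the equivalent dnsmasq lines; it assumes the router runs dnsmasq, as many consumer and OpenWrt routers do, and the MACs and hostnames are constructed.

```python
"""Check a DHCP reservation table for the conflicts the post warns about and
emit the matching dnsmasq lines. Added example, not from the post; it assumes
the address layout of the companion post and a router running dnsmasq."""
import ipaddress

LAN = ipaddress.IPv4Network("192.168.0.0/22")   # router 192.168.0.1, mask 255.255.252.0
ROUTER = ipaddress.IPv4Address("192.168.0.1")
POOL = (ipaddress.IPv4Address("192.168.3.1"),    # dynamic range for unknown devices
        ipaddress.IPv4Address("192.168.3.254"))

# Constructed sample table (MAC, hostname, reserved IP); 02:... MACs are in the
# locally administered range, so they cannot collide with a real vendor OUI.
RESERVATIONS = [
    ("02:00:00:00:00:01", "laptop", "192.168.0.20"),
    ("02:00:00:00:00:02", "phone", "192.168.1.30"),
    ("02:00:00:00:00:03", "printer", "192.168.2.10"),
    ("02:00:00:00:00:04", "camera1", "192.168.0.40"),
]


def validate(reservations, lan=LAN, pool=POOL, router=ROUTER) -> list[str]:
    """Return a list of problems; an empty list means the table is consistent.
    These are the things the server would otherwise have to sort out at lease
    time: duplicates, addresses outside the LAN, reservations inside the pool."""
    problems = []
    if not (pool[0] in lan and pool[1] in lan and pool[0] <= pool[1]):
        problems.append(f"dynamic pool {pool[0]}-{pool[1]} is not inside {lan}")
    seen_mac, seen_ip, seen_host = {}, {}, {}
    for mac, host, ip_s in reservations:
        mac = mac.lower()
        ip = ipaddress.IPv4Address(ip_s)
        if ip not in lan or ip in (lan.network_address, lan.broadcast_address):
            problems.append(f"{host}: {ip} is not a usable address in {lan}")
        elif ip == router:
            problems.append(f"{host}: {ip} is the router's own address")
        elif pool[0] <= ip <= pool[1]:
            problems.append(f"{host}: {ip} lies inside the dynamic pool")
        if mac in seen_mac:
            problems.append(f"{host}: MAC {mac} already reserved for {seen_mac[mac]}")
        if ip in seen_ip:
            problems.append(f"{host}: address {ip} already reserved for {seen_ip[ip]}")
        if host in seen_host:
            problems.append(f"{host}: hostname already used by {seen_host[host]}")
        seen_mac.setdefault(mac, host)
        seen_ip.setdefault(ip, host)
        seen_host.setdefault(host, mac)
    return problems


def dnsmasq_config(reservations, lan=LAN, pool=POOL, lease="24h") -> list[str]:
    """dnsmasq syntax: dhcp-range=start,end,netmask,lease and
    dhcp-host=mac,hostname,ip. dnsmasq also answers DNS for these hostnames,
    which is the by-hostname addressing the post relies on."""
    lines = [f"dhcp-range={pool[0]},{pool[1]},{lan.netmask},{lease}"]
    for mac, host, ip in reservations:
        lines.append(f"dhcp-host={mac.lower()},{host},{ip}")
    return lines


if __name__ == "__main__":
    issues = validate(RESERVATIONS)
    print("\n".join(issues) if issues else "reservation table OK")
    print("\n".join(dnsmasq_config(RESERVATIONS)))
```

Run the validation before pushing a changed table to the router; a reservation that drifts into the dynamic pool or reuses a MAC is exactly the kind of conflict that static addressing hides until two devices collide.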
