RESET Forums (homeservershow.com)
schoondoggy

Home Network IP Address Scheme Best Practice


snapper

that article seems a bit shaky, with the exception of the use of permanent site-to-site vpns.

I think you have misread it - it documents some cases where devices within 192.168 are targeted.

one can easily find their own ip and default gateway then there is no mystery.

On a Windows machine maybe, however, you can't be sure that malware is written the same way, or even running on a Windows machine.

The recent example DDOS on Krebs security site used IOT embedded devices...

Edited by snapper

nrf

so let's see, the iot device has an ip address and a default gateway, which it got through dhcp, so what difference does it make what range they are in? the dhcp server gave the device the values needed to hit the router. burning in one popular address into malware seems really like newbie programming skills...

Edited by nrf

snapper

so let's see, the iot device has an ip address and a default gateway, which it got through dhcp, so what difference does it make what range they are in? the dhcp server gave the device the values needed to hit the router.

In this case it doesn't matter, but you are confused as there are 2 concepts here.


For the Mirai malware installed on compromised IoT devices, the DDOS payload packet is generated in code and an OS call is made to open a raw socket on the destination host. This relies on the underlying network infrastructure to route this request; the malware does not need to know what the IP address or DG is, just its destination address for the DDOS packet.

I used this as an example of a non-Windows compromise.


The second concept is that there is in existence (separate) malware that will target known default addresses in the 192.168 address space, so moving away from this range has some merit.

Using default values anywhere carries some risk; whether that risk is acceptable to you or not is a decision only you can make.

I'm unwilling to take that risk (albeit it may be a small risk), so I rarely use default values, unless the reason for them is fully understood.


burning in one popular address into malware seems really like newbie programming skills...


Not at all - it shows the malware authors know their target devices and the default IP address range, so can tailor their attack accordingly.

nrf

I won't be wasting my time acting on that tip. and when I do use off the shelf devices I never leave in the default ssid or password, those seem more effective actions to take.

Edited by nrf

snapper

I won't be wasting my time acting on that tip.

Sad that you think it's a waste of time, but it's your network and your risk.

Good luck.

ShadowPeo

Even an airgapped network is not secure, just ask the techs at Natanz; it's all about risk/reward ratios. I have, for example, got my clients' servers on the same subnet as the hosts they serve. Now I could subnet/VLAN them off and increase security, but I then have to deal with the routing of the data, therefore I do not bother (well, not yet; I am working towards a hybrid VLAN implementation). The backups, however, are protected and do not use SMB, as there is too great a risk of something happening to them with a CryptoLocker infection.

snapper

Even an airgapped network is not secure, just ask the techs at Natanz; it's all about risk/reward ratios.

Definitely; it's quite fun when a client asks for the most secure system, explaining that it's cheap to implement. They get disappointed when I explain that it's based on pen & paper only - no computers used.

Seriously, the biggest risk is the human factor - downloading random files off the net, clicking a phishing email, deleting data in error etc. - these are far more likely to happen than a target on their network (but obviously it depends on the client!!)

... a CryptoLocker infection


I think this is the biggest issue right now; malware only needs to be lucky once; infosec needs to always be lucky all the time.

itGeeks

I use random addresses, in the private range but not 192.168.*.*

Static devices will use static IP (again random) and dynamic will use DHCP from Sophos UTM. The static addresses are defined as hosts on Sophos as well, so they appear in the reports correctly.


This is an interesting read: http://routersecurity.org/ipaddresses.php

That was an interesting read. As luck would have it, I am in full compliance already based on that article. I started changing the default subnet years ago when I was still a novice in networking, and I never thought that action may have saved my networks from getting infected by some of these nasty viruses. The only thing I was guilty of was using .1 for my gateways, but I have now changed that as well. That site you linked to also has some other very interesting reads; I will be spending some time reading up on security.

In closing, I also change most of the default port numbers for services that I allow remote access to. The only exceptions are ports 80 and 443; most everything else gets changed.

Thanks for the great info.....

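snapper's second point (malware that goes after well-known default addresses in 192.168.x.x) and itGeeks' practice (random addresses outside 192.168.*.* with gateways that don't end in .1) can both be turned into a small audit and generator. The script below is an added example for this thread, not code from any poster or from routersecurity.org. The list of router-default gateway addresses is an illustrative assumption, not a complete list; the thread only states that the targeted defaults are manufacturer router defaults and that .1 gateways are the common case.

```python
import ipaddress
import random

# Assumed, illustrative set of well-known router-default gateway addresses.
# Not exhaustive; the thread points at routersecurity.org for a fuller list.
COMMON_DEFAULT_GATEWAYS = {
    "192.168.0.1", "192.168.1.1", "192.168.2.1",
    "10.0.0.1", "10.1.1.1", "172.16.0.1",
}

TARGETED_RANGE = ipaddress.ip_network("192.168.0.0/16")

# Pools to draw a "random" home subnet from: RFC 1918 space minus 192.168/16.
SAFE_POOLS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
]


def audit(address: str, gateway: str) -> list:
    """Return a list of findings for a host address / default gateway pair.

    An empty list means the pair matches the thread's advice: private space,
    outside 192.168/16, gateway not a well-known default and not host .1.
    """
    findings = []
    addr = ipaddress.ip_address(address)
    gw = ipaddress.ip_address(gateway)
    if not addr.is_private:
        findings.append("address is not in RFC 1918 private space")
    if addr in TARGETED_RANGE:
        findings.append("address is in 192.168.0.0/16, the range the thread reports as targeted")
    if str(gw) in COMMON_DEFAULT_GATEWAYS:
        findings.append(f"gateway {gw} is a well-known router default")
    if gw.packed[-1] == 1:
        findings.append("gateway ends in .1, the conventional default host number")
    return findings


def pick_subnet(prefixlen: int = 24, rng=None):
    """Pick a random /prefixlen subnet from 10/8 or 172.16/12 and a gateway
    that is neither the network/broadcast address nor host .1.

    rng must expose randrange(); pass random.Random(seed) for reproducibility.
    Returns (IPv4Network, IPv4Address).
    """
    rng = rng or random.SystemRandom()  # CSPRNG by default; seedable for tests
    pool = SAFE_POOLS[rng.randrange(len(SAFE_POOLS))]
    subnets_in_pool = 2 ** (prefixlen - pool.prefixlen)
    index = rng.randrange(subnets_in_pool)
    base = int(pool.network_address) + index * 2 ** (32 - prefixlen)
    subnet = ipaddress.IPv4Network((base, prefixlen))
    usable_hosts = subnet.num_addresses - 2  # exclude network and broadcast
    while True:
        offset = 1 + rng.randrange(usable_hosts)  # 1 .. usable_hosts
        if offset != 1:  # skip host .1
            break
    gateway = subnet.network_address + offset
    return subnet, gateway


if __name__ == "__main__":
    # Constructed sample: a stock home LAN versus a randomised one.
    for addr, gw in [("192.168.1.50", "192.168.1.1"), ("10.37.201.14", "10.37.201.254")]:
        print(addr, gw, audit(addr, gw) or "OK")
    subnet, gateway = pick_subnet()
    print("suggested subnet:", subnet, "gateway:", gateway)
```

Run it as-is to audit two constructed address pairs and print a suggested subnet; pass `rng=random.Random(<seed>)` to `pick_subnet` if you want the same suggestion every time. The generator only changes which addresses a scan would have to find; as nrf notes, a device handed its gateway by DHCP is unaffected, so this addresses the "hard-coded default address" concept and nothing else.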
itGeeks

I think you have misread it - it documents some cases where devices within 192.168 are targeted.

On a Windows machine maybe, however, you can't be sure that malware is written the same way, or even running on a Windows machine.

The recent example DDOS on Krebs security site used IOT embedded devices...

Just to add, how I read it, it was not the entire 192.168.x.x range. It is mostly default subnets used by manufacturers of routers. As has been said before, there are and always will be risks; the idea is to limit the risks the best you can. I believe using non-standard subnets is a very good proactive move in that direction.

nrf

and do you disable SSID broadcast on your wifi devices? use MAC filtering on wifi?
