2

As we all know, routers that you buy from the store come preset to hand out IP addresses using DHCP, generally on one of three networks: 10.0.1.1/24, 172.16.0.1/24, and 192.168.1.1/24. I personally restrict DHCP to a smaller range and use DHCP reservations based on MAC address to make touching network devices through SSH, RDP. etc. easier. I am about to re-IP my network (to de-conflict it with my lab setup), and I got to thinking, is it more secure to use a random network within the private IP space (e.g. 10.143.97.1/24 or 172.26.248.1/24) than using the defaults that nearly every networking company uses?

I think the answer is somewhere between "maybe" to "no, but it couldn't hurt." While I would think that it would make it harder for someone with malicious intent to get to the router admin page, I also realize that anyone with wireshark can see the source/destination IPs, so they can figure out the network topology (at least the wireless part of it) that way. MAC filtering, a strong passphrase, and encryption all help secure the network, so I don't think using a random network would necessarily help, but I don't see it hurting either.

Craine
  • 349
  • 2
  • 14
  • I think everything you mentioned is a complete waste of time except for a strong passphrase, also you didn't mention WPA2... I assume you know WEP is completely and totally worthless. – rook May 20 '12 at 00:13
  • Yes I know WEP is completely worthless, not my first rodeo. However, I don't feel that MAC filtering is a complete waste of time. It helps keep out the WiFi thieves in my neighborhood. I understand that people can spoof MAC addresses, but if they are simply trying to steal WiFi, then they are more likely to just move on then go to the trouble of spoofing. – Craine May 20 '12 at 00:23
  • 2
    sorry, but mac address filtering is not a security measure by any stretch of the imagination. Its like saying child proof locks keep out thieves. – rook May 20 '12 at 00:29
  • 5
    Child proof locks keep out children. WiFi thieves generally equal children on a technical expertise level. Would I rely solely on MAC filtering to keep my network secure? Of course not, that would be ludicrous. But I never said that I would. I use it as another, additional method of securing my network. You know, that whole defense in depth thing? Short of running Cat5e throughout my home, I will use whatever means I can to keep people off of my network. – Craine May 20 '12 at 00:38
  • 2
    Honestly, I think it's a bad idea to consider absurdly weak security mechanisms as part of a "defense in depth". It will only be the strong mechanism(s) that are actually protecting you. Thinking of them bundled with the weak ones gives you a misleading view and distorts your priorities and understanding. If you're not secure without the weak mechanisms, you're not secure with them either. They only do no harm provided you don't adjust your assessment of your security based on their presence. That is, they are only non-harmful if you ignore them. – David Schwartz May 20 '12 at 21:19
  • 2
    I'd argue that MAC address filtering is a good way to keep yourself from becoming low-hanging fruit. The script-kiddies will move along and be much less of an annoyance. Even if it's not a security measure, it's a way to increase the amount of time you have to focus on investigating/preventing real attacks. – Polynomial May 21 '12 at 14:55

4 Answers4

7

The security measures which are the primary subject of your question here (MAC filtering, non-standard IP addressing) basically equate to "security through obscurity". They are very weak against a dedicated attacker, and so should not be relied upon as the only security functions in your system.

That said, even security through obscurity has its place in a proper defense-in-depth approach. Anything you can do to make it harder for an attacker to compromise your system, while not having too much impact on the usability of the system, may be considered worthwhile.

My own home setup uses all of the things you've mentioned, and then some:

  • MAC address filtering
  • Non-standard network ID (doesn't even end in .0)
  • Restricted (smaller than /24) subnet
  • Reserved DHCP addresses for all registered devices
  • WPA2 security on the Wi-Fi network
  • 63-character random-generated PSK
  • WPS disabled on the APs

Those last three items, plus reasonably strong physical security on the house, are the real things keeping unauthorized users off my network from the LAN side. As long as WPA2 remains fairly secure, nobody's going to be sniffing my traffic over the air let alone joining my network any time soon. If there ever comes a time that WPA2 is broken, and a suitable replacement is not available, I'm fairly comfortable that any wireless attacker (unless they are deliberately targeting me personally, or specific data residing on my network) is likely to move on to another victim before they bother trying to get into my network.

The only real down-side to these extra security measures is that it can be a bit of a hassle to get new devices onto the network - especially smartphones and tablets. For most people, adding a new device goes like this:

  1. Select Wi-Fi network, enter PSK from memory, hit "connect".
  2. (There is no step 2.)

For me, it goes something like this:

  1. Log in to the router's configuration page
  2. Figure out how to obtain the MAC address from the new device. Add it to the MAC address filter on the router. If there aren't any slots left in the filter (it seems Linksys routers are limited to 32), pick an idle device to remove from the filter to make room.
  3. Pick an IP address to assign to the device, add it to the DHCP reservations on the router. If no IPs are free, pick an idle IP to un-reserve and reassign.
  4. If the new device is a laptop or desktop, plug in thumb drive, copy and paste PSK to the new system, click connect. If it's a smartphone, tablet, or other limited-function device, load the text file with PSK on my laptop, enter the 63-character random PSK manually on the new device, and click connect. Repeat this step until successful.

So, adding a new device can be tricky - occasionally to a problematic degree. Fortunately, it's not something that happens often. Other than this, the added security measures really have no impact on the usability of the network for authorized users.

What do all of these extra measures actually buy you? Perhaps just a warm fuzzy feeling. Is it worth it? That's for you to decide.

Iszi
  • 27,127
  • 18
  • 101
  • 163
  • 1
    About the only thing different between your network setup and mine is the PSK, mine isn't 63 characters long. It's long, but not quite that long. And my steps for adding a new device pretty much run the same as yours. While I wasn't intending for there to be a discussion on MAC filtering, I was thinking that the original topic (IP addressing) would be one of those things that adds another layer of "security through obscurity." Something by no means intended to be used on its own, but in combination with everything else may grant you a little more security. Or just more warm and fuzzies. – Craine May 20 '12 at 05:22
  • "They are very weak against a dedicated attacker, and so should not be relied upon as the only security functions in your system." Can you make efforts to install multiple layers of protection without the sentiment that it will significantly help security? I believe that an effort generates its own psychological reward: the sentiment that whatever one does what useful. It is thus IMO very difficult not to believe that this will significantly improve the security situation. So I think that it will in some way be relied on. Even for a nuclear plant I would not do this "in depth" thing. – curiousguy May 21 '12 at 00:21
3

While having a "random" local network subnet will not normally help you against an attack, there have been both CSRF attacks and trojan or virus-driven attacks that expect a certain local network configuration. The expected configuration is, in almost all of these cases, is to have the gateway at either 192.168.0.1 or 192.168.1.1.

While it's very unlikely that you will ever see any security benefit to using some different local network setup, it isn't a bad idea to pick a less-commonly-used subnet anyway. This becomes particularly clear if you ever try to connect your network to a VPN.

tylerl
  • 83,435
  • 26
  • 152
  • 232
  • "The expected configuration is, in almost all of these cases, is to have the gateway at either 192.168.0.1 or 192.168.1.1." It may be possible to access the gateway configuration via its public IP address. – curiousguy May 21 '12 at 00:30
  • @curiousguy Or use "smart" CSRF attacks that poll for HTTP port 80 on 192.168.x.1 addresses in sequence. – Polynomial May 21 '12 at 14:53
  • Randomizing your configuration doesn't protect against what's possible, it offers some level of protection against what's common, which is a different sort of thing altogether. – tylerl May 21 '12 at 22:54
1

You're right, a random network address won't hurt. If you want to avoid clashes with any other IP addresses look at RFC5735 for other ranges which shouldn't clash with valid Internet IPs, but won't clash with other standard internal ranges either.

Also using something non-standard will protect you from scripts or other threats trying to alter the configuration of your router through XSS/XSRF.

Arguably MAC address filtering will help, as it raises the bar for the attacker being able to change the MAC address of their equipment - although there's an argument for not using it and instead monitoring your network for new MAC addresses as a sign of intrusion.

Nick
  • 11
  • 1
0

Since you seem to be in a place to entertain thought experiments on network security, perhaps you'll be interested in adding more security to your WLAN take a look at Server and Domain Isolation.

This implementation ensures that all network connections are authenticated by PKI based certificates. Anyone who isn't a member of that PKI is disallowed.

It's really neat stuff and MSFT has been using it internally since at least 2006.

makerofthings7
  • 50,918
  • 55
  • 261
  • 556