-
August 17th, 2005, 03:45 AM
#1
Does using static IP mean WLAN is secured?
Hi, I have set up a wireless network using static IP. I have changed the password of my router and its SSID but have not yet enabled WEP. A friend of mine says it's not necessary, as having static IP means others are unable to access your network and surf for free. Does this mean my network is secure? Do I still need to enable WEP? Thanks
-
August 17th, 2005, 05:15 AM
#2
Static IP versus dynamically assigned IP (receiving connection settings from a DHCP server) will have very little effect on security. The only people you'll stop are those that are mistakenly connecting to your router because it's running unsecured. Did you change the subnet range it's using? Because if you didn't, then it's using one of a couple of standard ranges that consumer routers are set to by default.
And no, you don't need to enable WEP security, you need to enable WPA security.
-
August 17th, 2005, 07:25 AM
#3
You might want to enable MAC blocking too; whilst not totally secure, it would require the outsider to use the same MAC address as one of your allowed systems and adds one more hindrance to their unauthorised access. The use of a static IP address is irrelevant to the security of your wireless network.
-
August 17th, 2005, 08:59 AM
#4
Your friends are mistaken. A static IP actually makes it easier for people to break in. They don't have to waste the extra four or five seconds scanning for your address. Since it never changes, they always know where to go....
-
August 17th, 2005, 08:22 PM
#5
Your friend was probably thinking that if you disabled the wireless router's DHCP and used static IPs it would make it harder for people to connect. It's probably a good idea, but it won't even come close to making your network secure. You would also need to block all the unused IP addresses and/or use MAC filtering. There is some good advice in the previous posts.
I don't know the same things you don't know.
-
August 17th, 2005, 09:05 PM
#6
Thanks for all your replies. As I am a newbie in this wireless networking stuff, can anyone please explain how having a static IP does not come close to a secure network? My friend's theory is static IP is harder to obtain = secure network. TropicalBound mentioned it is actually easier to obtain, so whose theory is correct?
-
August 17th, 2005, 09:19 PM
#7
 Originally Posted by alphanumeric
Your friend was probably thinking that if you disabled the wireless router's DHCP and used static IPs it would make it harder for people to connect. It's probably a good idea, but it won't even come close to making your network secure. You would also need to block all the unused IP addresses and/or use MAC filtering. There is some good advice in the previous posts.
My DLink DI-624+ router requires me to input all my MAC addresses when setting up the static IP. Is this MAC filtering or do I have to do it separately? How do I block all unused IP addresses?
-
August 17th, 2005, 09:30 PM
#8
Looking at it from the internet side, a PC wired to the internet, a dynamic IP address is better than a static one. If your WAN IP address never changes then you are a sitting duck. The hacker can just keep trying different exploits and/or passwords on the same PC. If you get a new IP every time you reboot or connect you are at least a moving target. On the wireless side, if you are using dynamic IPs then DHCP has to be enabled. If DHCP is enabled and using the default IP scope, all somebody has to do is turn on their wireless device and they will be issued an IP address for the LAN side. They will be part of your network and able to use your router to connect to the internet. If you turn off the DHCP your router won't hand out IP addresses. Anybody trying to connect would have to set up a static IP. For somebody that knows what they are doing, that wouldn't stop them for long. That's why you want to filter by MAC address. Then only your computers can connect. Changing the IP scope that the router is using will help also. You definitely want to enable WEP.
I don't know the same things you don't know.
-
August 17th, 2005, 10:09 PM
#9
 Originally Posted by mattrush
My DLink DI-624+ router requires me to input all my MAC addresses when setting up the static IP. Is this MAC filtering or do I have to do it separately? How do I block all unused IP addresses?
Yes, I believe that is MAC filtering. Only those MAC addresses will be able to connect. They are likely tied to the corresponding IP address too. I don't have a wireless setup so I don't have any hands-on experience with setting them up. I may have put my foot in my mouth but I believe you can filter or block IP addresses in some routers. I've heard it discussed; depends on the router, I guess. My router can't do it. I don't have wireless so somebody would have to break into my house, configure a static IP and connect to my router.
I don't know the same things you don't know.
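A defender-side check for the MAC-to-IP table discussed in the posts above, as an added example that is not part of any post in the thread: it compares a snapshot of clients seen on the LAN against the static reservations and flags unknown adapters, allowed MACs on unexpected addresses, and one MAC appearing at several IPs. The addresses, MACs and snapshot format are constructed for illustration.

```python
# Constructed reservation table: static IP -> MAC, as entered in the router.
RESERVATIONS = {
    "192.168.0.10": "00:11:22:33:44:55",
    "192.168.0.11": "00:11:22:33:44:66",
}

# Constructed snapshot of "IP MAC" pairs, e.g. copied from a client list or ARP table.
OBSERVED = """\
192.168.0.10 00:11:22:33:44:55
192.168.0.11 00-11-22-33-44-66
192.168.0.12 00:11:22:33:44:55
192.168.0.50 de:ad:be:ef:00:01
"""


def norm(mac):
    """Normalise a MAC to lower-case, colon-separated form."""
    return mac.strip().lower().replace("-", ":")


def audit(observed_text, reservations):
    """Return (ip, mac, reason) tuples for entries that do not match the reservations."""
    allowed = {ip: norm(mac) for ip, mac in reservations.items()}
    known_macs = set(allowed.values())
    findings = []
    ips_by_mac = {}
    for line in observed_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        ip, mac = parts[0], norm(parts[1])
        ips_by_mac.setdefault(mac, set()).add(ip)
        if mac not in known_macs:
            findings.append((ip, mac, "unknown MAC"))
        elif allowed.get(ip) != mac:
            findings.append((ip, mac, "allowed MAC on unexpected IP"))
    # A filter keyed on MAC cannot tell a cloned address from the real adapter,
    # so one MAC answering at several IPs is worth a closer look.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append((",".join(sorted(ips)), mac, "same MAC at several IPs"))
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVED, RESERVATIONS):
        print(finding)
```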
-
August 18th, 2005, 01:39 AM
#10
Limiting the range of IP addresses:
If the DHCP server is turned on, you can specify how many total IP addresses to assign, starting from some arbitrary point in the subnet range. However, to really limit the number of IP addresses the router will recognize, you have to narrow the subnet mask. This is a bitmask, and is by default typically set to "255.255.255.0". Wherever a bit is turned on, the IP address must also have that bit turned on in order to be recognized by the router. The default value above (with the last section group being zero) allows for 255 recognized IP addresses. A subnet mask of "255.255.255.252" would allow for only 3 valid IP addresses. The numbers are written in decimal, but you have to think in binary for it to make sense. To make things a little harder for a snooper, you could limit the IP addresses to three, but not start at the bottom - "255.255.255.159" for example.
Limiting access by MAC address
These can be spoofed on the adapter side, so that provides only a small hindrance.
Limit access by turning on WEP encryption
It's been broken, it's been demonstrated to be broken, you can find articles on the internet to tell you exactly how to get around it. Its only benefit is to stop accidental access by an outsider.
Limit access by turning off the SSID/not broadcasting the SSID
The SSID is still being sent in the clear by the router, it can just make it a little more difficult for allowed people to connect. WinXP Wireless Configuration may not see the router, but most snooping software will see it.
Setting a static IP on the LAN side of the router configuration
This isn't related to security even in myths. The purpose of setting static IP's in the router (on the LAN side, not the WAN side), and the reason you must supply the MAC address of the adapter, is to ensure that when computers restart they get the same IP address every time -- no matter who started up first, second, etc. This is necessary when you are port forwarding internet addresses/ports to particular computers inside your firewalled network.
Setting static IP's in the adapter's properties, that correspond to the subnet mask and router's LAN IP address, is the only thing your friend could have been referring to as a "security" measure. But again, it really doesn't make anything secure, just increases the hindrance level.
If you're going to take the position that a cheap lock is better than no lock, and you can't be bothered to get a good lock, then go ahead and turn off DHCP, filter by MAC address, and limit the subnet mask to only as many addresses as you've got computers. Me, I recommend WPA, WPA, WPA if you're going to turn on the wireless capability.
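The subnet-mask arithmetic from the post above, worked through in binary with Python's standard `ipaddress` module, as an added example that is not part of any post in the thread. It reports, for each mask, the bit pattern, whether the mask is a contiguous run of 1-bits (the form standard IP stacks accept), and how many usable host addresses it leaves; the router address 192.168.0.1 is an assumption.

```python
import ipaddress


def mask_bits(mask):
    """Dotted-decimal mask -> 32-character binary string."""
    return "".join(f"{int(octet):08b}" for octet in mask.split("."))


def is_contiguous(mask):
    """A standard netmask is a run of 1-bits followed only by 0-bits."""
    return "01" not in mask_bits(mask)


def describe(router_ip, mask):
    """Summarise the subnet that router_ip/mask defines."""
    info = {"mask": mask, "bits": mask_bits(mask), "valid": is_contiguous(mask)}
    if not info["valid"]:
        return info  # ipaddress would raise on a non-contiguous mask
    net = ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    info.update(
        prefix=net.prefixlen,
        network=str(net.network_address),
        broadcast=str(net.broadcast_address),
        usable=len(hosts),
        first=str(hosts[0]),
        last=str(hosts[-1]),
    )
    return info


def in_subnet(client_ip, router_ip, mask):
    """True if client_ip falls inside the subnet of router_ip/mask."""
    net = ipaddress.ip_network(f"{router_ip}/{mask}", strict=False)
    return ipaddress.ip_address(client_ip) in net


if __name__ == "__main__":
    ROUTER = "192.168.0.1"  # assumed LAN address of the router
    for m in ("255.255.255.0", "255.255.255.252", "255.255.255.159"):
        print(describe(ROUTER, m))
```

The mask only defines which addresses count as local; a client that configures one of them by hand is inside the subnet regardless of how narrow it is.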
-
August 18th, 2005, 02:23 AM
#11
Thanks alphanumeric & Prouton for your explanation. Now I know static IP address = secure network is a myth.
Prouton, I am not able to implement WPA as my wife's T40 onboard Intel wireless card is wireless "b" so it does not support WPA. I tried to update it under "properties" but no updates are available. So does it mean I have to stick with WEP unless I use an external 802.11g adaptor/cardbus?
-
August 18th, 2005, 04:48 AM
#12
If you want a totally secure wireless network, here's the way to do it:
Turn it off, plain and simple. There is NO way to totally secure a wireless connection. All you can do is mitigate risk by disabling the SSID broadcast, using at least 128-bit encryption through WPA, and MAC filtering, and still you will not be totally secure, only eliminated from the "low hanging fruit" crowd.
MCSE 2003, Network+, Security+
Microsoft MVP Windows Server - Networking
-
August 18th, 2005, 02:19 PM
#13
 Originally Posted by mattrush
...Prouton, I am not able to implement WPA as my wife's T40 onboard Intel wireless card is wireless "b" so it does not support WPA. I tried to update it under "properties" but no updates are available. So does it mean I have to stick with WEP unless I use an external 802.11g adaptor/cardbus?
On the Lenovo/IBM website, I found drivers for the Intel PRO/Wireless LAN 2100 3B Mini PCI adapter that include WPA support under WinXP and Win2K.
The full list of adapters/drivers used across the Thinkpad T40 line can be found here.
If you're running a version of Windows earlier than Win2k/WinXP I don't know if WPA is supported -- I didn't read through all of it.
------------
As for the only secure wireless network being a turned off network, that's only true in the most extreme sense. WPA hasn't been acknowledged as having been cracked yet, although I don't doubt that sometime in the future it will be. If you want wireless functionality now, then WPA is the way to go. If you need "secret" or "top secret" security, then you're not going to be using wireless. Heck, I remember when using mainframes and terminals that a terminal wasn't "secure" unless the coax was run inside a metal conduit -- and that was inside a secured building!
-
August 18th, 2005, 03:29 PM
#14
Well, you can run secure transmissions over wireless, it's called VPN but we don't like to even think about that but the brass wants to be portable.
MCSE 2003, Network+, Security+
Microsoft MVP Windows Server - Networking
-
August 18th, 2005, 09:54 PM
#15
 Originally Posted by jmwills
If you want a totally secure wireless network, here's the way to do it:
Turn it off, plain and simple. There is NO way to totally secure a wireless connection. All you can do is mitigate risk by disabling the SSID broadcast, using at least 128-bit encryption through WPA, and MAC filtering, and still you will not be totally secure, only eliminated from the "low hanging fruit" crowd.
That's what I am currently doing when I am not using the internet. However I still want my network to be secured whenever I am online.