

Static IP Security

By ranwinz_57
I was recently made aware of a large LAN that uses static IP addressing rather than DHCP. The reason given was that static IPs provide more security than DHCP. I've never heard this before and can't myself think of any reason why this should be so. Can anyone explain it to me?


Firewall Rules

by wls In reply to Static IP Security

I suspect that there are various services that are run from well known places on the network. They most likely use that knowledge in order to clamp down the firewall around certain boxes.


re: static ips

by Keyboard Kowboy In reply to Static IP Security

If a company has a network set up with static IPs, neither of these IPs is routable. Which is good because outside networks can't access any clients within the network (i.e., file servers). Also it doesn't cost anything.


Use DHCP wherever you can

by davidpmartin In reply to Static IP Security

Static IPs providing more security than DHCP? If anything, it is the other way around. If a company was to use DHCP and provide constant release and renewal of DHCP leases, unless a bad guy had a sniffer on the network all the time, it would be hard to guess which client uses which IP address.

In fact, using Static IPs all the time does not make sense from a security standpoint, especially if you do not have a firewall. The internet is constantly being scanned, and if a Static IP is being used, it's that much easier for a hacker to come back and try to exploit the ports on static IPs.

My rule - use a firewall, of course, but all clients get DHCP by default, and all servers are put on static IPs - the static IPs for the servers are only because we require permanent address translations through the firewall because of services required by computers connecting to us through our firewall from the outside.

Static IPs everywhere? - sounds like a LAN administrator that needs job security :-)

Dave Martin, CSS1, CCNP, CCDP, MCSE, Network+
System and Network Engineer, SAIC



by Keyboard Kowboy In reply to Use DHCP wherever you can

"Static IPs everywhere? - sounds like a LAN administrator that needs job security :-)"

Where did that come from?


Tongue in cheek comment

by davidpmartin In reply to ????

Was a little humor aimed at the LAN admin who recommended static IPs everywhere - for a large network I can't EVEN imagine doing this. Sorry if you don't have my same sense of humor.


DHCP internal problem

by sbnetsec In reply to Static IP Security

I had a case with DHCP where a vendor came to my organization and plugged in his laptop and grabbed an IP address and did so many things in my LAN.
But with static IP any visitor will come to you first and ask.
That's the only case I experienced.
I hope this helps.



by James R Linn In reply to DHCP internal problem

I used to work for a huge telecommunications company. They used, at least until I left, static addresses.

Thinking was that with so many spare jacks, so many contractors, temps etc., security inside the network was potentially a problem. And of course they had been exploited previously both in their voice and data networks.

It also helped them control internal groups which put up their own servers onto the network, forcing them to put them into data centres.

But for those of us who had to travel site to site it was a big pain.



This is legitimate

by davidpmartin In reply to DHCP internal problem

I guess this would work - but why was the person able to do things on your LAN? - unless you were using an OS that did not require authentication on everything. As hostile as the IT world (esp. the internet) is becoming, I cannot imagine not having a secure NT, W2K, or Secured UNIX OS as the foundation for the LAN. I have had people use DHCP on my network to grab IPs - but they were unable to do anything else because they could not authenticate to the domain. If you really want to lock your LAN down, then use port security at a Cisco Switch based on MAC addresses. That way you will know even when a computer is moved to another port.
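An added example, not part of any post in this thread: one way to notice the situation discussed above (an unregistered laptop picking up a DHCP lease) is to compare active leases against a hardware inventory. It assumes an ISC dhcpd-style leases file; the sample leases, the `KNOWN_MACS` inventory and the function names are constructed for illustration.

```python
import re

# Constructed sample in ISC dhcpd.leases syntax (not data from the thread).
SAMPLE_LEASES = """
lease 10.0.0.21 {
  binding state active;
  hardware ethernet 00:16:3E:AA:BB:01;
  client-hostname "acct-ws-07";
}
lease 10.0.0.57 {
  starts 3 2024/01/10 09:12:44;
  binding state active;
  next binding state free;
  hardware ethernet 02:00:5e:10:20:30;
  client-hostname "vendor-laptop";
}
lease 10.0.0.33 {
  binding state free;
  hardware ethernet 00:16:3e:aa:bb:02;
}
"""

# Hypothetical inventory of registered MAC addresses, stored lowercase.
KNOWN_MACS = {"00:16:3e:aa:bb:01", "00:16:3e:aa:bb:02"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Return one dict per lease block with ip, mac, state and hostname."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        fields = {"ip": ip}
        for stmt in body.split(";"):
            parts = stmt.split()
            if len(parts) == 3 and parts[:2] == ["hardware", "ethernet"]:
                fields["mac"] = parts[2].lower()  # normalise case before comparing
            elif len(parts) == 3 and parts[:2] == ["binding", "state"]:
                fields["state"] = parts[2]        # skips "next binding state ..."
            elif len(parts) >= 2 and parts[0] == "client-hostname":
                fields["hostname"] = parts[1].strip('"')
        leases.append(fields)
    return leases

def unknown_active_leases(text, known):
    """Active leases whose MAC is absent from the inventory."""
    return [l for l in parse_leases(text)
            if l.get("state") == "active" and l.get("mac") not in known]
```

A MAC address is only a claimed identifier, so a report like this is an inventory check that complements domain authentication and switch port security rather than replacing them.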


That's a great answer but...

by a_albua In reply to This is legitimate

I totally agree with you. In general static and dynamic both have their advantages and disadvantages but that's not all the security issues you can consider in a network. DHCP is always preferred; the question is, if you cannot afford a Cisco switch, how would you authenticate users while you're using a Windows-only environment? In my case any visitor to the company would plug in his laptop and get access to the Internet for free, which we don't like since the user is not defined anywhere... What programs can authenticate users while keeping a high-performance network? MS Proxy Server in most of the cases is slow because it does other things like filtering sites etc...


Network traffic analyzer

by sbnetsec In reply to That's a great answer but ...

One of the problems a sophisticated visitor can cause in your LAN when using DHCP is he can use a network traffic analyzer to collect your users' passwords and other sensitive info.
Implement a security policy (no visitor is allowed to use his own laptop without permission from the IT dept.)

My solution will be using private IP (workstations) and NAT or a switch.
