Security question/static vs dynamic 3

May 9, 2005
I have a small company with about 8 computers that all get their IPs from a router via DHCP. One computer is the domain controller running 2000 server SP4.
We have our internet connection via DSL. Right now we do not have a static IP for our LAN. I would like to get one so that I can easily remote to the server to work on it from home. Are there any security drawbacks to having the LAN on a static IP as opposed to dynamic? Thanks.
 
Well, yes. On a basic level, a hacker that became aware of your IP would only know it for a short time if you are on a dynamic IP. If you draw attention to yourself and your LAN is accessible from a static IP, then you will need to be sure your setup is secure. Remember that anything you can see from home can potentially be seen by anyone else.

You would be wise to find out what kind of protection your ISP provides and at least investigate a firewall solution of your own.

"Sometimes, a cigar is just a cigar." - Sigmund Freud
 
Surely your DHCP server is already static? There is no need for your remaining systems to be static; leave them as dynamic and get DNS to instruct them about your gateway system (another dedicated IP server). Even in the case of static IP it is better to use DHCP and reserve the address against MAC addresses. This then means that you can in fact restrict access to given addresses and therefore reduce the risk of hacking since the hacker would need to know not only your IP addresses but also which IP goes with which MAC and then be able to set their MAC to the same setting - not easy!
 
I might have misunderstood, but I don't think so. I believe justsomedude67 is saying that the incoming IP from the ISP is dynamic and so you cannot access it externally as it changes. Dynamic DNS is an option here, but most ISPs will allow a static IP on request.

"Sometimes, a cigar is just a cigar." - Sigmund Freud
 
Oops, you're right. His ISP is providing an IP address via its own DHCP and as such it can move. It was the use of the term LAN in terms of static IP that I was remarking on and not having your gateway on a static IP address only.

Yes, make a request to your ISP. They may see this as a conflict with their own interests but many do provide such access to businesses. We in fact had to have a secondary service provider to allow this to occur (having a very large corporate supplier providing the main internet access).

Sorry for my earlier error.
 
It wouldn't matter either way.

Once you're compromised by a hacker, they could easily set up a beacon to notify your address and connection details - as many of them do to IRC channels.

As for static vs dynamic, if your company doesn't need it, then no biggie...or it just costs a couple $ a month for it. Your other choice is to get a dyndns service and simply use a dynamic DNS name to connect to your work - that's how I connect to my home computer all the time ;)

Check out for details. To summarize, you run a program on your network which checks your IP address. It then forwards this IP address to the dynamic DNS site and updates your custom DNS entry such as mycomputer.dyndns.org. When you connect to your work, you use the custom mycomputer.dyndns.org address...
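
The update client described in the post above, sketched as an added example (not part of the original thread and not any dynamic DNS provider's own software). The `get_wan_ip` and `send_update` callables are hypothetical stand-ins for "check your IP address" and "forward it to the dynamic DNS site"; the sample readings are constructed. The client publishes only when the address changes and refuses to publish anything that is not a public address.

```python
import ipaddress
from typing import Callable, Optional


class DynDnsUpdater:
    """Tracks the WAN address and pushes an update only when it changes."""

    def __init__(self, hostname: str,
                 get_wan_ip: Callable[[], str],
                 send_update: Callable[[str, str], bool]):
        self.hostname = hostname
        self.get_wan_ip = get_wan_ip    # hypothetical: reads the router's WAN address
        self.send_update = send_update  # hypothetical: authenticated call to the DNS site
        self.last_published: Optional[str] = None

    def poll_once(self) -> str:
        """Return 'invalid', 'unchanged', 'updated' or 'failed'."""
        raw = self.get_wan_ip().strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return "invalid"
        # Do not publish private or otherwise non-routable addresses:
        # the DNS name would leak internal addressing and not work remotely.
        if not addr.is_global:
            return "invalid"
        if str(addr) == self.last_published:
            return "unchanged"  # no request sent, avoids hammering the service
        if self.send_update(self.hostname, str(addr)):
            self.last_published = str(addr)
            return "updated"
        return "failed"  # last_published stays as it was, so the next poll retries


def run_demo():
    # Constructed sample readings: a lease, a repeat, a LAN address, junk, a new lease.
    readings = iter(["8.8.8.8", "8.8.8.8", "192.168.1.1", "garbage", "8.8.4.4"])
    sent = []

    def fake_send(host: str, ip: str) -> bool:
        sent.append((host, ip))
        return True

    updater = DynDnsUpdater("mycomputer.dyndns.org", lambda: next(readings), fake_send)
    return [updater.poll_once() for _ in range(5)], sent


if __name__ == "__main__":
    print(run_demo())
```
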
 
Thanks for all input. I was kind of thinking along sab4you's lines already, that if a hacker wants to compromise your DSL network they could do it whether it was on a static or dynamic IP. I guess I was wondering if it would be easier to locate and in turn more likely to be hacked if it was on the same IP all the time as opposed to being on an IP that changes every few weeks. Also, hardly any attention is drawn to this network, as it is a very small company.
 
Well, if you didn't have a static route and you had tight control over your setup (having 8 clients, I imagine it is the case), then it is very difficult for a hacker to get any kind of foothold or find a good use for your setup. Having a permanent routable address, however, opens up a far greater permanent attack surface. This is prime real estate for a hacker or criminal gang that may want to use your setup to conceal all sorts of illegal info. This is becoming increasingly popular these days.

Small companies don't tend to have security departments monitoring this kind of activity like a large company, so hackers can get away with their activity for longer. That is why they are becoming a bigger target for hackers these days. However unlikely this may be, you did ask for opinions.


"Sometimes, a cigar is just a cigar." - Sigmund Freud
 