The TL;DR: In a home network or small office environment where the devices present are ‘well known’ and fully accessible, is it a reliable/acceptable/recommendable policy to try and restrict network access to only those devices, and by what mechanism is this achieved?
Been following Lawrence Systems for years with the intention of getting a home network running.
Finally starting, and so I have been trying to set up and understand network basics for a number of weeks, and I’d really appreciate it if someone could verify or correct the comprehension I’ve tried to establish thus far. I’m thinking I’m dancing around in the kind of questions a lot of people have when they’re starting out and know just enough to be dangerous. Are my following ‘notes’ largely true or wholly incorrect?
- A DHCP server is responsible for handing out IP addresses. If the devices connecting to a device hosting a DHCP Server have static IPs set on/within them, a DHCP server need not be running for them to connect…
- … so long as they’re connecting to the right subnet as setup on the routing device.
- A static mapping within a DHCP server is not the same as a static IP set on a device…
- The former is an instruction to a DHCP Server that says when device A (represented by a MAC address) asks for an IP, give them this one.
- The latter is the device not asking for an IP, and merely asserting it has the one you saved within it.
- Both approaches, independently or in concurrent use, can lead to conflicts, where two devices try to use the same IP, so care should be taken in assignments.
- It’s good practice to set on-device the IP of things you want to be able to reach consistently i.e. at a known IP address (NAS, Managed Switch etc)
- It’s good practice if running a DHCP Server on the same subnet to create a pool that doesn’t include those device-set static IPs…
- AND to set a matching static mapping in the DHCP Server anyway as a form of ‘reservation’.
- Static entries in ARP tables and static mappings in DHCP look like they’re the same, but they’re only related…
- The mapping is just an instruction as stated earlier; Dear DHCP, when MAC approaches you for an IP, give it this one.
- ARP table is used in the guts of routing. It is the router’s “state” data; the current understanding of the associations of MAC to IP addresses.
- If you want a consistent MAC/IP pairing, the DHCP server can be set up to reliably give a particular MAC the same IP every time the MAC requests one, resulting in the ‘same’ entry appearing in the ARP table.
- In a router like pfsense you can therefore create a matching permanent ARP entry when creating a static mapping.
- The mapping and entry, however, are discrete from one another; deleting the mapping or stopping the DHCP server does not remove the permanent ARP entry(s).
- So you can have a static mapping without a permanent ARP entry, and you can have a permanent ARP entry without a static mapping (or in fact without a DHCP server at all).
- Permanent ARP entries can provide some degree of security, because a device only has access to a particular IP if its MAC matches the MAC/IP entry and the same combination is not occupied.
- A malicious device would have to…
- Spoof a listed MAC address
- Set itself to have the same IP as associated with that MAC address
- Connect when the device the original entry was intended for is not connected.
- Firewall rules target subnets and IP addresses, so access to a particular IP address (range of addresses) represents permitted traffic.
- In a home environment the machines connecting to the network are most likely a small, finite and known quantity (e.g. two computers and a laptop), so giving them static IPs is trivial, and it could be the case that there’s no need for the Dynamic Configuration provided by DHCP.
- However any device that knew the subnet and a free IP could get on the network by just setting its own IP statically (assuming it had some connection to the network).
- Permanent ARP entries do not prevent this because you can’t have a ‘permanent-only’ table; when the unwelcome device connected an ARP entry would be created for it, and you can’t set an instruction that does not permit the entry’s creation.
- A DHCP server can be set to only hand out IPs to MACs it recognizes but a device can just use a static IP and not contact the DHCP server.
- Firewall rules tend to reference subnets over specific addresses within them. For example you say ‘safe net’ can communicate with ‘stuff net’. You could, but typically don’t, set up a rule for each expected IP inside of ‘safe net’.
- Thus even though you know what MAC addresses should be the only ones on ‘safe net’, and you only want those devices to access ‘stuff net’, neither DHCP, ARP nor firewall rules are particularly designed to achieve this.
- Additionally, “particular device” security policy is not a valid approach because the way in which devices are identified can be spoofed anyway.
- Appropriate security instead relies on building layers. Some degree of preventing devices getting access to the network, some degree of MAC/IP lockouts within the network, some degree of password/key/permissions within the software and services of the network.
- Thus typically network security focuses on what devices on the network can do, not keeping unwanted devices off.
- In a home environment this means making sure your widget is on the right subnet/VLAN, with limitations on traffic between subnets/VLANs.
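Added example, not part of the post above and not pfSense’s own tooling: a small Python checker for the address-plan rules the notes describe (a DHCP pool that excludes the on-device static IPs, a matching DHCP static mapping for each of them, and no two MACs claiming one IP). All hostnames, MAC addresses and IPs in it are constructed sample data. It treats a static mapping whose address falls inside the dynamic pool as an error, which is the same constraint pfSense’s DHCP server page enforces when you save a static mapping.

```python
"""Sanity checks for a small LAN address plan that mixes a DHCP pool,
DHCP static mappings (reservations) and IPs set statically on devices.

Added example; not code from the forum post or from pfSense. All names,
MACs and addresses used below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


def norm_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the lowercase colon form, so the same NIC written two ways compares equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AddressPlan:
    subnet: str                                  # e.g. "192.168.10.0/24"
    pool: Tuple[str, str]                        # first/last IP handed out dynamically
    static_mappings: Dict[str, str]              # MAC -> IP the DHCP server reserves for it
    device_statics: Dict[str, Tuple[str, str]]   # name -> (MAC, IP configured on the device)


def check_plan(plan: AddressPlan) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the plan is consistent."""
    findings: List[Tuple[str, str]] = []
    net = ipaddress.ip_network(plan.subnet, strict=False)
    lo, hi = (ipaddress.ip_address(a) for a in plan.pool)
    if lo not in net or hi not in net or lo > hi:
        findings.append(("POOL_INVALID", f"pool {lo}-{hi} is not a range inside {net}"))

    def in_pool(ip) -> bool:
        return lo <= ip <= hi

    mappings = {norm_mac(m): ipaddress.ip_address(ip) for m, ip in plan.static_mappings.items()}
    statics = {n: (norm_mac(m), ipaddress.ip_address(ip))
               for n, (m, ip) in plan.device_statics.items()}

    # 1. Reservations must be on the subnet and outside the dynamic pool.
    for mac, ip in mappings.items():
        if ip not in net:
            findings.append(("MAPPING_OFF_SUBNET", f"{mac} -> {ip} is not in {net}"))
        elif in_pool(ip):
            findings.append(("MAPPING_IN_POOL", f"{mac} -> {ip} lies inside the dynamic pool"))

    # 2. On-device statics: on the subnet, outside the pool, backed by a matching reservation.
    for name, (mac, ip) in statics.items():
        if ip not in net:
            findings.append(("STATIC_OFF_SUBNET", f"{name} ({mac}) has {ip}, not in {net}"))
            continue
        if in_pool(ip):
            findings.append(("STATIC_IN_POOL", f"{name} ({mac}) uses {ip} inside the dynamic pool"))
        reserved = mappings.get(mac)
        if reserved is None:
            findings.append(("STATIC_NO_RESERVATION", f"{name} ({mac}) has no matching static mapping"))
        elif reserved != ip:
            findings.append(("STATIC_RESERVATION_MISMATCH",
                             f"{name} is set to {ip} but DHCP reserves {reserved} for {mac}"))

    # 3. Across both tables, one IP must belong to exactly one MAC.
    owners: Dict[object, set] = {}
    for mac, ip in mappings.items():
        owners.setdefault(ip, set()).add(mac)
    for name, (mac, ip) in statics.items():
        owners.setdefault(ip, set()).add(mac)
    for ip, macs in owners.items():
        if len(macs) > 1:
            findings.append(("IP_CONFLICT", f"{ip} claimed by {', '.join(sorted(macs))}"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Constructed plan containing the mistakes the notes warn about."""
    plan = AddressPlan(
        subnet="192.168.10.0/24",
        pool=("192.168.10.100", "192.168.10.199"),
        static_mappings={
            "AA-BB-CC-00-00-01": "192.168.10.10",   # NAS: outside the pool, fine
            "aa:bb:cc:00:00:02": "192.168.10.150",  # printer: reserved inside the pool
            "aa:bb:cc:00:00:03": "192.168.10.10",   # a second MAC reserved the NAS's IP
        },
        device_statics={
            "nas": ("aa:bb:cc:00:00:01", "192.168.10.10"),      # matches its reservation
            "switch": ("aa:bb:cc:00:00:04", "192.168.10.120"),  # in the pool, no reservation
            "ap": ("aa:bb:cc:00:00:05", "192.168.20.5"),        # wrong subnet
        },
    )
    return check_plan(plan)


if __name__ == "__main__":
    for code, detail in demo():
        print(f"{code:28} {detail}")
```

Run it as-is to see the five findings for the constructed plan; point `AddressPlan` at your own pool, mappings and device settings to check a real plan before you save it on the router. The checker only covers the address bookkeeping the notes discuss; it says nothing about whether an unknown device can join the segment, which, as the notes conclude, is a job for VLAN placement and inter-VLAN firewall rules rather than for DHCP or ARP.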