6

I'm thinking about getting a static external IP from my ISP to access my private network from outside (ssh, nas, etc.) without the need to use a dynamic DNS service. Are there any reasons in terms of security or just in general not to do this for a home network?

Intuitively, I think that having a dynamic IP provides me with a bit of security just by making the process of finding my current IP a bit harder. Is this true or is it trivial to find out my current dynamic IP anyway?

What about privacy concerns? If my IP is logged by a host owner, he knows my static IP forever. So virtually all my browsing behavior can immediately and forever be mapped to my person, is that right? Should I use a different IP for browsing from within the network?

schluchc
  • 472

4 Answers

5

I think a dynamic IP is not more secure than a fixed one because probably nobody will try to find you specifically but any IP that answers. This can be your fixed IP or your dynamic IP (if you open the ports and have servers behind them like ssh).

The unique difference is that your machine will always answer on the same IP so the attacker theoretically has more time, but a lot of dynamic IPs do not change much and you fall into almost the same situation as a fixed one. Anyways, if you depend on the time available to the attacker to defend your machine you are at big risk. It is better to at least ban the attacker IP after a few negated authentications.

So it is true a dynamic IP hides you a little better if someone is trying to attack your machine specifically but not against the majority of attackers who seek any available IP.

I've used fixed IPs and dynamic ones (with dynamic DNS) and the number of "attacks" is roughly the same. The difference is having a DNS pointing to your machine or not. With an IP not included in any DNS, the attacks are a lot lower than if you have a DNS pointing to it, dynamic or fixed.

laurent
  • 4,448
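An added example, not part of the answer above, of the "ban the attacker IP after a few failed authentications" idea it recommends: a sliding-window counter over sshd log lines, which is the kind of check tools such as fail2ban automate. The log lines are constructed samples using documentation IP ranges, and the function name, thresholds and assumed year are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the OpenSSH auth-log style (documentation IP ranges).
SAMPLE_LOG = """\
Mar 10 03:14:01 nas sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar 10 03:14:03 nas sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
Mar 10 03:14:09 nas sshd[815]: Failed password for root from 203.0.113.5 port 40120 ssh2
Mar 10 03:20:00 nas sshd[830]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 10 03:20:30 nas sshd[830]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Mar 10 04:30:00 nas sshd[901]: Failed password for root from 192.0.2.44 port 33000 ssh2
Mar 10 05:45:00 nas sshd[950]: Failed password for root from 192.0.2.44 port 33010 ssh2
Mar 10 07:00:00 nas sshd[990]: Failed password for root from 192.0.2.44 port 33020 ssh2
"""

# Captures the syslog timestamp and the source IP of a failed password attempt.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def ips_to_ban(log_text, max_failures=3, window=timedelta(minutes=10), year=2024):
    """Return IPs with at least max_failures failed logins inside one window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    banned = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # Syslog timestamps carry no year; the year is an assumption here.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE_LOG):
        print("ban", ip)
```

With the default 10-minute window only the burst from 203.0.113.5 is flagged; the three attempts from 192.0.2.44 spread over hours go unnoticed, so the window length is the setting that decides whether slow guessing is caught.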
5

A static IP is usually just as secure as a dynamic IP, though a lot depends on:

  1. How 'dynamic' is the 'dynamic IP'. Over here (NL) a dynamic IP often stays the same for many months, or even years. In that case the difference is moot.
  2. Are you using a proxy or a VPN? If not, your IP will show up in all communications with the outside world, both if you have a dynamic IP and if you have a static IP. The only difference will be that it might be easier to find who has a fixed IP at a specific time rather than who had a dynamic IP. (For the latter they would need to check the ISP's log files.)

As to having a DNS name pointing at you: This is not really related to a fixed IP or not. It is true that most people who go through the effort of getting a (now rare) static IP also go through the effort of getting a DNS name. But there is nothing stopping you from getting a name for a dynamic IP (e.g. via DynDNS and similar services).


Edit: I seem to have skipped the “What about privacy concerns” part.

To answer that: There are often better ways to identify a person than using the IP address. Since an IP can be used by the whole family, guests, etc., it does not point to a single person.

A single computer/browser, on the other hand, usually points to a specific person, and identifying and tracking that person via cookies, via information stored via Flash (aka supercookies) or via browser plugins (checking and remembering which ones are installed, not via a trojan horse type plugin) is often a much bigger danger.

Hennes
  • 65,804
1

It is inherently less secure because you are now a stationary target. If someone really wants into your network, they know exactly where you live. However, as long as you have sufficient security in the form of firewall rules, it's not really any less secure than a dynamic IP, it's just easier to find you.

Lee Harrison
  • 2,127
1

Dynamic would be better, since you're talking about NAS etc. In the real world, the static IPs end up facing a fair amount of disruptive activities like ping-flooding, DoS for no apparent reason (happened to a friend of mine) etc. DynDNS like www.no-ip.com should be great (free for 2 hosts). The daemon is loaded at boot time and will keep updating your dynamic IP to the domain name. However, the more fragile part is maintaining the port forwarding rules, since on many routers they're not persistent across reboots/restarts...

PKM
  • 523