
Static IP management

New static IP handling that is more secure and gets the customer's network organized.

Nile's default architecture is built for security. Customers have devices that use static IP addresses, and Nile supports them. However, static IP is a security concern: it can lead to IP conflicts and spoofing attempts and, if allowed without approval, could open access to an inside attacker. Customer networks today are unorganized, and IT teams often do not have good static IP management; historically, they don't know what's on their network. Nile is solving this by introducing better controls.

⚠️ Nile recommends using DHCP-based IP addressing for devices. For devices that use a static IP address today, consider moving them to DHCP-based IP addressing and configuring an IP reservation on the DHCP server for those MAC addresses.

Static IP drawbacks

Networks that allow the use of static IP addresses introduce security risks:

- Statically IP addressed devices bypass first-hop security
- IP spoofing
- Increased potential for IP conflicts
- Management complexity, leading to unorganized networks!
Managing a network with static IP addresses can be more complex and time consuming. This is especially true for larger networks, where assigning and maintaining each static IP address can be cumbersome.

- IP address changes and device configuration: each device on the network must be manually configured with the static IP address.
- Scalability issues: it is time consuming and prone to errors, especially in large networks. As your network grows, managing static IP addresses can become increasingly difficult.

Static IP management in Nile

With Nile's new way of managing statically IP addressed devices on the network, customers can mark these devices as approved static IP devices as part of the MAB approval settings.

Minimizes security risk

- Customers have the option to approve devices as 'statically IP addressed' upfront.
- Nile blocks statically IP addressed devices that have not been marked as 'static IP' by default.

Ease of management and organized network

- Helps 'organize' the network from a previously 'unorganized' network; admins are better informed of newer static IP address devices that need to be added to the network.
- Eliminates or minimizes IP address conflicts, since every statically IP addressed device has to be approved to be static IP.

Scalability

- Since the MAC addresses that will use static IP addresses have to be marked as such explicitly in the MAB settings or wireless access management settings, customers could upload a CSV file of all MAC addresses using static IP in their legacy network.
- This also gets them organized for a future migration to a 'DHCP IP reservation' based model, where the list of existing statically IP addressed MAC addresses is readily available in the Nile Control Center (customer-facing Nile Portal).

Feature settings for new customers

Adding a statically IP addressed device

- After logging in to the Nile Portal, go to the Settings icon > Access Mgmt.
- Click on 'Add Device' and select Static IP.
- Admins should specify a MAC address or OUI. Segment is mandatory, and Geo Scope has to be selected.
- If a bunch of MAC addresses with the same OUI (e.g. IoT devices) plan to use static IP, the IP address is not mandatory and OUIs can be marked as 'static IP'. That will allow any device with that MAC address OUI to use a static IP address.
- For the highest level of security, admins are recommended to specify the IP address in use when adding an approved MAC entry.
- If a MAC address is MAB approved but not allowed to use a static IP, admins simply have to leave the 'static IP' box unchecked. This will deny connectivity to the MAC address even if it is approved in MAB.

Bulk upload

- A list of 'approved' MAC addresses with static IP can be bulk uploaded as well.
- The MAB table has new 'Static IP' and 'IP address' columns (hidden by default); admins can add them on demand.

Level of security vs flexibility

With the different options available (marking a MAC address as using static IP and also specifying the IP address, or simply specifying an OUI that will use static IP), there are varying levels of security to keep in mind. The most secure option is specifying an approved MAC address as 'static IP' plus the particular IP address it will use. However, sometimes more flexibility is desired. In cases such as a bulk of IoT devices from the same vendor using static IP, admins typically want to speed up the settings process by marking an OUI as 'static IP', so that any device using a MAC address with that OUI will be allowed connectivity while using static IP.

Alerting

Customers can expect a comprehensive suite of alerting in cases where a static IP violation is detected by Nile. For example, if a MAC address not marked as 'static IP' is detected by Nile as using one, customers are alerted in the Nile Portal. In some cases, Nile would also block access to the device in violation of what has been configured by the admins.

Below is a comprehensive table of the conditions under which an alert is sent to customers in the Control Center (Nile Portal) and under which a device is also blocked from access. The table applies to MAC addresses that are otherwise marked as 'approved' in the MAB settings.

| Approved as static? | Static IP specified? | Nile detected | Action |
|---|---|---|---|
| Yes | Yes (highest security) | Device connects with a different static IP | Block + alert |
| Yes | Yes | Device connects with a DHCP IP | Allow + alert |
| Yes | No | Device connects with a DHCP IP | Allow + alert |
| Yes | No | Device connects with a static IP | Allow |
| No | NA | Device connects with a static IP | Block + alert |
| No | No | Device connects using a static IP that also does not belong to any of the configured subnets within any of the segments | Block + alert |

❗ The Nile Service Block (NSB) version needs to be updated for the new static IP management feature to work.

- Existing Nile customers that are using the current static IP feature will be migrated by the Nile team. Please reach out to the support team with any questions.
- Brand new customers that may not be on the right Nile Service Block version and desire to use this new static IP management should reach out to the support team. The Nile team can get the NSB upgraded and enable the feature in the Nile Control Center (customer-facing Nile Portal).
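The alerting table above, modeled as a small Python decision function for checking a planned MAB configuration against expected outcomes. This is an added example, not Nile's code: the `Entry` shape, the `via_dhcp` flag, exact-MAC-over-OUI precedence, and the two outcomes the table does not list (matching pinned address, DHCP device not marked static) are assumptions, and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Entry:
    """One MAB-approved entry (hypothetical shape, not Nile's schema)."""
    match: str            # full MAC or 3-byte OUI, lowercase, colon-separated
    static_ok: bool       # the 'static IP' box is checked
    static_ip: str = ""   # pinned address; empty if the admin specified none

def find_entry(entries, mac):
    """Exact MAC entry wins over an OUI entry (assumed precedence)."""
    mac = mac.lower().replace("-", ":")
    exact = [e for e in entries if e.match == mac]
    oui = [e for e in entries if len(e.match) == 8 and mac.startswith(e.match)]
    return (exact + oui + [None])[0]

def decide(entry, ip, via_dhcp, subnets):
    """Return (action, alert, reason) for a MAB-approved device, per the table."""
    if via_dhcp:
        if entry.static_ok:
            return ("allow", True, "approved as static but using a DHCP address")
        return ("allow", False, "DHCP device; case not in the table, assumed normal")
    addr = ipaddress.ip_address(ip)
    if not entry.static_ok:
        inside = any(addr in ipaddress.ip_network(s) for s in subnets)
        why = "static IP not approved" + ("" if inside else ", outside all configured subnets")
        return ("block", True, why)
    if not entry.static_ip:
        return ("allow", False, "approved as static, no address pinned")
    if addr == ipaddress.ip_address(entry.static_ip):
        return ("allow", False, "matches pinned address; implied by the table, assumed")
    return ("block", True, "static IP differs from the pinned address")

SUBNETS = ["10.20.0.0/24"]  # constructed sample data: one segment subnet, three entries
ENTRIES = [
    Entry("aa:bb:cc:00:00:01", True, "10.20.0.10"),  # MAC + pinned IP
    Entry("aa:bb:cc", True),                         # OUI-wide approval
    Entry("de:ad:be:ef:00:01", False),               # approved, 'static IP' unchecked
]

def check(mac, ip, via_dhcp):
    entry = find_entry(ENTRIES, mac)
    if entry is None:
        raise LookupError("MAC is not MAB-approved; the table does not apply")
    return decide(entry, ip, via_dhcp, SUBNETS)

if __name__ == "__main__":
    print(check("AA-BB-CC-00-00-01", "10.20.0.99", False))  # differs from pinned address
```

The OUI entry shows the flexibility trade-off from the section above: any MAC under `aa:bb:cc` is allowed with any static address and raises no alert, while the pinned entry blocks on a mismatch.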