Static IP management
New Static IP handling that is more secure and gets customer’s network organized
Nile's default architecture is built for security. Customers have devices that use static IP addresses, and Nile supports it. However, static IP is a security concern. It can lead to IP conflicts, attempts to spoofing and if allowed without approval could open access to an inside attacker.
Customer networks today are unorganized, and IT teams often do not have a good static IP management. They don’t know what's on their network historically
Nile is solving this by introducing better controls.
⚠️ Nile recommends using DHCP based IP addressing for devices. In case of devices using static ip address today, consider moving them to using DHCP based IP and configuring IP reservation on the DHCP server for those mac-addresses
Networks that allow the use of static ip addresses, introduces Security Risks
- Static IP addressed Devices – bypass first hop security
- IP Spoofing
- Increased potential for IP conflicts
Management complexity leading to UNORGANISED NETWORKS!
- Managing a network with static IP addresses can be more complex and time-consuming
- This is especially true for larger networks, where assigning and maintaining each static IP address can be cumbersome
- IP Address changes and Device configuration - Each device on the network must be manually configured with the static IP address
Scalability issues
- It is time-consuming and prone to errors, especially in large networks
- As your network grows, managing static IP addresses can become increasingly difficult
With Nile's new way of managing statically IP addressed devices on the network, customers can mark these devices as approved static ip devices as part of the MAB approval settings.
Minimizes security risk
- Customers have the option to approve devices as ‘statically ip addressed’ upfront
- Devices that have NOT been marked as 'static ip' Nile blocks statically IP addressed devices by default
Ease of management and organized network
- Helps ‘organize’ the network from a previously ‘unorganized’ network, admins are better informed of newer static IP address devices that need to be added to the network
- Eliminates or minimizes IP address conflicts since every statically IP addressed device has to be approved to be static ip
Scalability
- Since the mac addresses that will use static ip addressed have to be marked as such explicitly during the MAB settings or wireless access management settings, customers could upload a csv file of all mac addresses using static ip in their legacy network
- This also gets them organized for future migration to a 'dhcp ip reservation' based model, where the list of existing statically ip addressed mac addresses are available readily in the Nile Control Center (customer facing Nile Portal)
Adding statically IP addressed device
- After logging in to the Nile Portal, go the Settings icon > Access Mgmt
- Click on ‘Add Device’, Select Static IP
- Admins should specify a mac-address or OUI, segment is mandatory, Geo scope has to be selected
- If bunch of mac-addresses with same OUI (for e.g. IoT devices) plan to use static IP, IP address is not mandatory and OUIs can be marked as 'static ip' that will allow any device with that mac address OUI to use static ip address
- For highest level of security, admins are recommended to specify the IP address in use, if adding an approved mac entry.
- If a mac address is MAB approved, but NOT allowed to use a static ip, admins simply have to leave the ‘Static IP’ box ‘unchecked’ – this will deny connectivity to the mac address even if it is approved in MAB
Bulk Upload
A list of ‘approved’ mac addresses w/Static IP can be bulk uploaded as well
MAB table has new ‘Static IP ’ and IP address column (default hidden), admins can add them on-demand
With the different options available to mark a mac-address as using static ip and also specifying the IP address OR simply specifying an OUI that will use static IP, there are varying level of security to keep in mind. The most secure option being specifying an approved mac-address as 'static IP' + 'a particular IP address' it will use. However, sometimes more flexibility is desired in cases such as bulk of IoT devices from the same vendor using static IP, admins typically want to speed up the settings process by marking as OUI as 'static IP' so that any device using a mac-address with that OUI will allowed connectivity while using static IP.
Customers can expect a comprehensive suite of alerting in cases where the static ip violation is detected by Nile. For e.g. If a mac-address NOT marked as 'static IP' is detected by Nile as using one, customers are alerted in the Nile Portal. In some cases, Nile would also block access to the device in violation of what has been configured by the admins.
Below is a comprehensive table for conditions where an alert is sent to the customers in Control Center (Nile Portal) and under what conditions a device is also blocked from access.
The below table applies to mac-addresses that are otherwise marked as 'approved' in the MAB settings
Approved as Static? | Static IP specified? | Nile Detected | Action |
|---|---|---|---|
Yes | Yes (Highest security) | Device connects with different static IP | Block + Alert |
Yes | Yes | Device connects with a DHCP IP | Allow + Alert |
Yes | No | Device connects with a DHCP IP | Allow + Alert |
Yes | No | Device connects with static IP | Allow |
No | NA | Device connects with static IP | Block + Alert |
No | No | Device connects using a static IP that also does not belong to any of the configured subnets within any of the segments | Block + Alert |
❗The Nile Service Block (NSB) version needs to be updated, for the new static IP management feature to work. Existing Nile Customers that are using the current Static IP feature, they will be migrated by Nile team. Please reach out to the support team with any questions. Brand new customers, that may not be on the right Nile service block version and desire to use this new Static IP Management, reach out to the support team. The Nile team can get the NSB upgraded and enable the feature in the Nile Control Central (customer facing Nile Portal)
