Building Internet Computer Security with Non-Routable IP Addresses
Internet security on your computer is probably the single most important security project you can undertake to prevent unauthorized access to your computer system. If you are relying solely upon a Norton or McAfee firewall to secure your private information, that is not good enough. Whether you are on a network or a single computer, with DSL, cable, or dial-up, you should also be using a non-routable IP address to secure your computer. This should be your first line of defense against Internet intruders.
In our last newsletter, we discussed security for your wireless network, and I also made a short list of things you should do to protect your computer, one of which was using a non-routable IP address.
First let's find out what an IP address is. IP stands for Internet Protocol. An IP address is made up of four octets (an octet is 8 bits), each holding a number from 1 to 255, with a period between each octet, such as 184.108.40.206. For an example of what bits look like:
For the purpose of this discussion I am going to use a simple network configuration.
When you see a zero as an octet, this is a network number; picture it as a variable. If an octet is zero, as in 220.127.116.11, then the address can be anywhere from 18.104.22.168 to 22.214.171.124. If there are two zeros, as in 126.96.36.199, the IP address range is from 188.8.131.52 to 184.108.40.206. An IP address ending in .255 or zero is reserved. An IP address can have a zero in the second or third octet, but not the fourth; 255 cannot be a fourth octet either. Zero and 255 in the fourth octet are broadcast numbers.
Although the IP addresses 220.127.116.11 to 18.104.22.168 exist, only 22.214.171.124 to 126.96.36.199 are usable IP addresses.
An IP address is the address of a computer or device on a network; the Internet is a network. You cannot give a computer an IP address like 188.8.131.52. A device reads the zero as meaning a range of IP addresses, which is what you want when you are setting up a firewall or router. If your office has 200 computers, you would set the firewall on the server to allow all of the computers' IP addresses to access the server by designating 184.108.40.206. The subnet mask would have to be set to 255.255.255.0. A discussion of subnet masks is outside the scope of this document; more about subnetting can be found at subnet.htm.
This will allow any computer with an IP address from 220.127.116.11 to 18.104.22.168 to access the server. If your office machines use the IP addresses .1 to .200, any outsider with an IP address from .201 to .254 can also access the server, unless you add a rule for each IP address your office is not using.
The above example is still vulnerable to outsiders because it uses routable IP addresses. If an intruder used an IP address assigned to one of your computers that is currently offline, he would have access to your network, especially if you use a wireless router or the hacker does IP spoofing (faking an IP address). So you can see that your security can easily be compromised.
This newsletter will discuss how to protect your computer(s) using non-routable IP addresses, how they work, and why. Why? Because this is your first line of defense for Internet security.
Now I will attempt to explain in simple language what a non-routable IP address is. Picture a road map of the United States: you are located in Ohio and you want to visit me in Florida to see the damage from all those hurricanes. Your home has a street address; your computer has an IP address. You will need to take several side streets to get to a main highway; that main highway is your computer's gateway. From the main highway you go to the closest Interstate highway, maybe US 80. Take 80 to US 95, 95 to Vero Beach; now you use the main roads to get to some side street, and you are there.
A non-routable IP address is for internal networking only; it cannot be used over the Internet. It is the same as the road trip above, except that when you get to Vero Beach and get off the main highway, you find there are no side roads or maps to direct you to my street. You can get to Vero Beach, but not to my street.
A network number that uses a zero in the last octet can be thought of as a street. If the last octet is a number from 1 to 254 it can be thought of as a house number on that street.
Your computer works the same way, but instead of a car and roads, it uses the phone lines and IP addresses. To see this happen, open an MS-DOS window and type: Tracert cnet.com, then press Enter. You will see that the first hop is your gateway and the last hop is cnet.com. The second hop is your gateway's gateway, the third hop is your gateway's gateway's gateway, and so on until you reach cnet.com's outermost gateway. The next-to-last hop will be cnet.com's gateway, and finally cnet.com itself.
Now open an MS-DOS window and type: IPconfig /all to see your IP address and related information. So that you know how all this works, let's try Tracert again: in an MS-DOS window type Tracert 192.168.x.y (where x and y are not numbers used on your private network). The trace will stop at your ISP's outermost gateway; this is a non-routable IP address. It is also the address of many other private networks on the Internet.
There are a few IP address ranges reserved for private (non-routable) networking: 192.168.0.0, 10.0.0.0, and 172.16.0.0 through 172.31.0.0. Remember that the zeros can be any number from 1 to 254. The most common private network is 192.168.0.0. The ranges are 10.1.1.1 - 10.255.255.254, 172.16.1.1 - 172.31.255.254, and 192.168.1.1 - 192.168.255.254.
Let's assume you set your computer's IP address to 192.168.8.26, the same network as my private network. You still cannot reach my machine at 192.168.8.27 using Tracert or any other means over the Internet, because the Internet does not recognize these non-routable addresses. So if your home network is on the Internet and you are using non-routable addresses, no one from the outside world can get there; only the machines on your network will be able to access your private network.
OK, so how do we accomplish this? There are two ways. The first is to set up one computer to connect to the Internet and have all the other computers on the network go through that machine to reach the Internet, using either a second network card or two IP addresses on the same card (not all versions of Windows will allow you to assign more than one IP address to a card); this method uses one computer as the router. The second way, which is even better, is to use a router; this way you do not need a single machine designated for Internet access.
If you use a dial-up connection, you can purchase a dial-up router for about $100.00 and up. If you use DSL or cable, you can purchase a router for about $25.00 and up. Even if you only have one computer, a router is the way to go, giving you that non-routable IP address for Internet security.
I use a router for my local network connection and as the gateway to my ISP; the router has a built-in firewall. I have a static routable IP address assigned to the WAN (wide area network) side of the router so it can talk to the outside world. I have a private network IP address (non-routable) assigned to the LAN (local area network) side so that all incoming requests stop at the router. The router also has a DHCP server so it can assign an IP address to each of my computers. However, I have the DHCP server disabled so that I can manually assign IP addresses to each of my computers. This is important, especially on a wireless network, as you will see.
Setting up the correct subnet mask in the router determines how many connections the router will accept on the LAN side. The LAN is your computer's side of the router. I need 6 connections, so I use a subnet mask of 255.255.255.248. More about subnet masks. The router will allow any IP address from 192.168.8.2 to 192.168.8.6 to pass through; 192.168.8.1 is my gateway address. All other IP addresses will be blocked. As you see, not all my computers are on the Internet at the same time; I am only allowing 5.
If I used a wireless router, this would help stop a neighbor from accessing my network, as all the IPs assigned are used. If I only had two computers online, my wireless router could be available to a neighbor. But I use a hard-wired network, so my network is secure from outsiders, because my router also blocks spoofing.
A non-routable IP address is a great firewall as is, and this protection is on top of the firewall in the router. I also use Zone Alarm on all my machines, but it doesn't stop anything coming in; the router does this. Zone Alarm only stops unwanted outgoing packets on my computer.
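The private ranges listed above and the router's subnet-mask arithmetic, worked through in Python as an added example (this is not code from the newsletter). The gateway 192.168.8.1 and mask 255.255.255.248 are the values from the text; the 184.108.40.206 test address is simply the routable sample address used earlier.

```python
import ipaddress

# The private (non-routable) blocks the newsletter lists, in CIDR form.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 through 172.31.0.0
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_non_routable(addr: str) -> bool:
    """True if addr lies inside one of the private blocks above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def lan_hosts(gateway: str, mask: str) -> dict:
    """Work out what a router with this LAN address and subnet mask accepts:
    the network and broadcast numbers (never assignable to a machine) and
    the host addresses that remain once the gateway itself is excluded."""
    iface = ipaddress.ip_interface(f"{gateway}/{mask}")
    net = iface.network
    hosts = [str(h) for h in net.hosts() if h != iface.ip]
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "gateway": str(iface.ip),
        "hosts": hosts,
    }


def router_accepts(addr: str, gateway: str, mask: str) -> bool:
    """Would a machine at addr be let onto this LAN? Addresses outside the
    subnet, the network/broadcast numbers and the gateway are all refused."""
    return str(ipaddress.ip_address(addr)) in lan_hosts(gateway, mask)["hosts"]


if __name__ == "__main__":
    # Gateway and mask from the newsletter's own router setup.
    lan = lan_hosts("192.168.8.1", "255.255.255.248")
    print("usable hosts:", lan["hosts"])      # .2 through .6, five machines
    print("blocks .7 (broadcast)?",
          not router_accepts("192.168.8.7", "192.168.8.1", "255.255.255.248"))
    for a in ("192.168.8.26", "172.31.255.254", "184.108.40.206"):
        print(a, "non-routable" if is_non_routable(a) else "routable")
```

Swap in 255.255.255.0 for the mask to see the .2 to .254 host range that the Windows setup steps later in this newsletter rely on.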
Now let's set up a non-routable IP address on your machine, after you have set up your router and rebooted. If you use the DHCP server and a dynamic IP address on your router, you're done, since most routers have a non-routable IP address on the LAN side. If not, you will need the IP address of your router; this is your gateway. Let's assume it is 192.168.10.1.
On Windows 9x and ME, go to Start - Settings - Control Panel - Network and, in the window, select your TCP/IP -> Network Card entry. Click Properties - Specify an IP Address and enter 192.168.10.x (x being any number from 2 to 254). In the Subnet mask box enter 255.255.255.0, or the subnet mask for your network. Click the Gateway tab and add the IP 192.168.10.1. Save your settings and reboot.
On Windows 2000, XP and 2003, go to Control Panel - Local Network Connection - Properties, select Internet Protocol (TCP/IP), and then click Properties. Select Use the following IP address. Enter the information as described for Windows 9x. Click Advanced and add 192.168.10.x and the subnet mask of 255.255.255.0 (or the subnet mask for your network) in this window, then save your settings and reboot.
One last thing you should know: using a non-routable IP address protects you from the outside world. It does not protect you from a key logger or other spyware that is already on your machine. I will discuss how to secure your computer against information being sent out in a future newsletter.