Static IPv4 Addresses as Part of a Security Policy

What’s an Address?
At the most basic level, a public IP address is a unique numerical identifier assigned to a device connected to the Internet. Since it is unique, an IP address enables the identification and communication among devices worldwide. The format of these numbers is simple. There are about 4 billion of them possible within the prescribed system.
That underlying system, the Internet Protocol (IP) suite, was developed as a simple alternative to the complex Open Systems Interconnect protocols of the late 1970s. It has matured to meet the needs of today’s organizations with two versions, private addresses, shared addresses, and multiple types of Network Address Translation (NAT). The first widely-used IP protocol is the fourth one developed: IPv4 (Internet Protocol version 4).
IPv4 is used both as a global identifier and as location labels within closed systems. As such, some addresses from among the four-plus billion created were set aside for this local use. Since they are local, they can be used in multiple systems so long as they do not communicate outside their private network. They are re-usable. Thus, IPv4’s private addresses are only unique on their local network. When a device with a private address needs to connect with an address on the internet, the data packets it creates are rewritten to come from the local network’s router’s globally unique address. Multiple users and devices can be behind each unique address.
Types of NAT
NAT, or Network Address Translation, is the technology that sits between a private network and the broader internet.
Not all NATs are the same. NAT wasn’t standardized, so each vendor has their own implementation and they don’t all do the same thing. In fact, even the terminology isn’t consistent.
NATs for home and office networks can be grouped into three broad categories.
- Static NAT provides a 1-to-1 relationship between an internal and external address. This kind of NAT was developed to help networks avoid renumbering when they changed access networks.
- Dynamic NAT maps a pool of internal addresses, normally private addresses, to a pool of globally unique addresses. The mapping between private addresses and globally unique addresses can change. Because the mapping is dynamic, sessions need to be started from devices on the inside.
- Port Address Translation, or NAT Overload, is when a pool of private addresses is mapped to a single globally unique address. Port numbers are used to map which traffic belongs to which internal IP address. This is the most common kind of NAT and is the default on most consumer equipment.
None of these approaches is a firewall. While they can be components in a comprehensive security approach, they are just tools and do not provide security on their own.
NATs used by access networks are generally known as Carrier Grade NAT (CGNAT) or Large Scale NAT. They are used to serve more subscribers than the provider has unique IPv4 addresses for. They use a special shared block of 4 million IPv4 addresses. These are mapped to a small block of globally unique IPv4 addresses.
The ratio varies but 25 subscribers per unique IPv4 address is common.
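As an added illustration of the Port Address Translation (NAT Overload) case described above, this small model (written for this article, not a vendor implementation) shows two private hosts sharing one public address, distinguished only by the port the translator assigns, and an unsolicited inbound packet with no mapping having nowhere to go. The addresses are constructed documentation values; the inbound lookup ignores the remote endpoint, which is the full-cone behaviour that makes a NAT by itself not a firewall.

```python
class PortAddressTranslator:
    """Minimal model of NAT Overload: many private hosts behind one public IPv4 address."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.first_port = first_port
        self.last_port = last_port
        # (private_ip, private_port, remote_ip, remote_port) -> assigned public port
        self.outbound_map = {}
        # assigned public port -> (private_ip, private_port)
        self.inbound_map = {}

    def _allocate_port(self):
        """Pick the lowest public port not already in use; ports are the only thing
        that tells the two internal hosts apart once they share one address."""
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound_map:
                return port
        raise RuntimeError("port pool exhausted")

    def outbound(self, private_ip, private_port, remote_ip, remote_port):
        """Translate a packet leaving the private network. The mapping is created here,
        which is why sessions have to be started from the inside."""
        key = (private_ip, private_port, remote_ip, remote_port)
        if key not in self.outbound_map:
            port = self._allocate_port()
            self.outbound_map[key] = port
            self.inbound_map[port] = (private_ip, private_port)
        return (self.public_ip, self.outbound_map[key])

    def inbound(self, public_port):
        """Translate a packet arriving from the internet. Returns None when no inside
        host has a mapping on that port. Once a mapping exists, any remote host can
        use it in this (full-cone) model: the NAT does not filter by sender."""
        return self.inbound_map.get(public_port)


if __name__ == "__main__":
    nat = PortAddressTranslator("203.0.113.7")  # constructed public address
    print(nat.outbound("192.168.1.10", 40000, "198.51.100.5", 443))
    print(nat.outbound("192.168.1.11", 40000, "198.51.100.5", 443))
    print(nat.inbound(1024), nat.inbound(1026))
```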
Security Factors
Most organizations require their users to authenticate with two factors. But when users have administrative access to important systems, more factors can be required and checked. Some examples include:
- Access from a known location
- Access via a VPN
- A second authentication factor
- A specific source IP address
- Time of day
In combination, these are known as Multi-Factor Authentication. For instance, an ordinary user working from home might need to access corporate resources via a VPN and authenticate with a password and a second factor, like a TOTP code, a physical token, or a Passkey.
But the access granted to privileged users often requires additional factors in a security policy.
Some organizations require privileged access to originate from a static, or fixed, IPv4 address at the user's home and not a dynamic address. A similar, but less strict, rule is to geolocate the IP address and not allow access from the wrong city or country. That helps reduce the possibility of stolen credentials being used elsewhere.

Access providers advertise fixed IPv4 addresses when selling to network administrators
Privileged users might be assigned a static IP address, from a separate pool, by the VPN. Only allowing administrative access from that pool of addresses limits who can make changes and simplifies auditing changes.
Some organizations only allow changes at specific times. They limit external access to privileged systems outside those windows.
Managing Addresses by User
Privileged users often get static IPv4 addresses from a specific pool so access to the management interfaces of key systems can be restricted. One way of doing this is using Access Control Lists based on IP address.
IP Address Management (IPAM) systems are a part of this set of controls. They set out how addresses are assigned in your network and can be connected to systems that record actual assignment and use.
Record Keeping and Audit
Configuring controls for accessing privileged systems is only helpful if their effectiveness is reviewed and areas for improvement are identified as the world changes.
Logs must be kept so you know that privileged users are only connecting from specific addresses or locations, and are assigned addresses from a specific pool. Similarly, administrative changes should be logged and compared against change control logs.
Evaluating logs against policies and testing the effectiveness of security controls is an important part of assessing the effectiveness of security policies.
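The source-address ACL for management interfaces described under Managing Addresses by User, and the log review described under Record Keeping and Audit, as one added example that is not from the original article. The admin pool, management hosts, change window and log lines are all constructed; the log format is a made-up key=value layout, so a real deployment would parse its own logs instead.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed for this example: the VPN pool reserved for privileged users, the
# management interfaces restricted to it, and one approved change window (UTC).
ADMIN_POOL = ipaddress.ip_network("10.200.0.0/24")
MANAGEMENT_HOSTS = {"10.0.5.1", "10.0.5.2"}
CHANGE_WINDOWS = [(datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
                   datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc))]

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$")


def acl_allows(src_ip, dst_ip):
    """Source-address ACL: management hosts accept only the admin pool; other
    destinations are not restricted by this rule."""
    if dst_ip not in MANAGEMENT_HOSTS:
        return True
    return ipaddress.ip_address(src_ip) in ADMIN_POOL


def in_change_window(ts):
    return any(start <= ts <= end for start, end in CHANGE_WINDOWS)


def audit(log_text):
    """Return one (reason, user, src, dst) tuple per policy violation in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not an access-log line in the constructed format
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if not acl_allows(m["src"], m["dst"]):
            findings.append(("outside-admin-pool", m["user"], m["src"], m["dst"]))
        if m["action"] == "config_change" and not in_change_window(ts):
            findings.append(("outside-change-window", m["user"], m["src"], m["dst"]))
    return findings


SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice src=10.200.0.17 dst=10.0.5.1 action=login
2024-05-01T09:05:44Z user=bob src=10.201.3.9 dst=10.0.5.1 action=login
2024-05-01T09:06:10Z user=carol src=10.201.3.20 dst=10.0.9.30 action=login
2024-05-01T09:07:00Z user=alice src=10.200.0.17 dst=10.0.5.2 action=config_change
2024-05-01T22:30:00Z user=alice src=10.200.0.17 dst=10.0.5.2 action=config_change
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The two findings on the sample log are bob reaching a management host from outside the admin pool and alice's evening change outside the approved window; the in-window login and change from the pool pass.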