Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
470
Views
6
Helpful
7
Replies

which IP address scheme is the most secured?

Maivakov
Level 1
Level 1

‎04-05-2024 07:01 PM - edited ‎04-07-2024 05:13 AM

Assume Wifi infrastructure user and management port use the same class A

10.128.0.0/9 <- user use or management use if most secured?

10.192.0.0/10 <- user use or management use if most secured?

10.0.0.0/25

10.0.0.0/26

10.0.0.0/8

which should be and should not be used for user IP address and management port IP address?

if more secured , does it mean user can only use more specific IP address and more narrow and smaller set of IP address subnet?

Labels:
0 Helpful
7 Replies 7

Kasun Bandara
VIP
VIP

‎04-05-2024 07:39 PM

@Maivakov hi, my personal advice is, there is nothing called most secured IP range. all IPs are scannable if you allowed access. use ACL, Firewalls, VLANs to isolate your network according to trust level. use zero trust model.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Leo Laohoo
Hall of Fame
Hall of Fame

‎04-05-2024 08:19 PM

There is no such thing as a "secured IP address scheme".

Even air-gapped network get compromised.

Maivakov
Level 1
Level 1
In response to Leo Laohoo

‎04-06-2024 03:53 AM

But, which assignment of choices of IP address scheme can give more difficulty to invaders ?

0 Helpful

liviu.gheorghe
Spotlight
Spotlight
In response to Maivakov

‎04-06-2024 04:04 AM

Security doesn't come from a certain IP addressing scheme like @Kasun Bandara and @Leo Laohoo pointed out. It really comes from the policies you have in place, like the password policy, and from the hardware and software tools you use enforce the security policies and also report on security events.

Regards, LG
*** Please Rate All Helpful Responses ***

Leo Laohoo
Hall of Fame
Hall of Fame
In response to Maivakov

‎04-06-2024 07:58 PM - edited ‎04-06-2024 09:18 PM

@Maivakov wrote:

But, which assignment of choices of IP address scheme can give more difficulty to invaders ?

(Obviously someone did not read my response.)

Oh, my sweet summer child.  You know nothing about the cold.

I'm going to have to be very brutal:  Whoever gave the statement "what is the most secure IP address" has provided a trick question to test someone's "mettle". 

Even a standalone machine, a machine without an IP address, can get compromised.

Rich R
VIP
VIP

‎04-07-2024 01:18 AM - edited ‎04-07-2024 04:00 AM

@Maivakov I think you're missing the point of all the replies - there is no IP range that is "more secure" than another range.

There are a bunch of arguments you could make to try to argue that one way or another but they're all ultimately rubbish (smoke and mirrors) because they make no difference at all to a determined intruder.  It goes without saying that your management and users should be in separate VLANs and on separate subnets, but which subnet you use makes little difference.  Ideally management should be completely out of band and completely inaccessible to WiFi users.  You can use features like "DHCP required" to ensure wireless users only get IPs from the WiFi subnet and unicast RPF on the next hop (default gateway) router to absolutely exclude IP spoofing from those users.  That should be combined with every other security feature (including ACLs and firewalls and the other things mentioned above) to achieve what's known as defence in depth.  This means you don't rely on any single feature or protection mechanism, you assume any of them can be compromised, so you use all you have available so that even if one or some are compromised the rest continue to provide protection at every level possible.  That's how you make it "more difficult" for an intruder.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Maivakov
Level 1
Level 1
In response to Rich R

‎04-07-2024 05:15 AM

I am not penetration tester, I am confused that there are no routing between two different subnet, how come this possible?

which network course teach air gapped network can also be invaded ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card