Do Not Assign IoT Public IP Addresses

Recently, I stumbled backward across a number of organizations in the healthcare sector that have been assigning publicly addressable static IPs to their IoT. Given the number of affordable, secure and encrypted remote access (RA) tools available to both internal IT and MSPs alike, this is a maddening access solution that places organizations at substantial and unwarranted cybersecurity risk.

In recent years, headlines about cybersecurity have become increasingly commonplace. Thieves steal customer social security numbers from big corporations’ computer systems. Unscrupulous hackers grab passwords and personal information from social media sites or pluck company secrets from the cloud. Getting hacked isn’t just a direct threat to the confidential data companies need. It can also ruin their relationships with customers, and even place them in significant legal jeopardy. For companies of all sizes, keeping information safe should be a primary concern. Your technology and security posture must evolve to meet new threats even when it may be time-intensive, costly or unpopular.

How Can I Tell?

IANA reserves the following IP address blocks for use only as private IP addresses:

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255

So, if the IP address assigned to your computer, server or IoT device does not fall within one of those ranges, odds are good it is a public IP, and you can verify that suspicion with this free tool: https://ipinfo.info/html/ip_checker.php
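The same check can be run offline over a device inventory. The following is an added example, not part of the original post: it tests each address against the three private blocks listed above and goes one step further by also recognizing loopback, link-local and carrier-grade NAT space, which are not publicly routable either. The device names and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress

# The three private blocks listed above (RFC 1918), in CIDR form.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Other non-public ranges (an addition of this example, not from the post).
OTHER_NON_PUBLIC = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
    "carrier-grade NAT": ipaddress.ip_network("100.64.0.0/10"),
}

def classify(addr: str) -> str:
    """Return 'private', a named non-public range, 'reserved', 'public' or 'invalid'."""
    try:
        ip = ipaddress.IPv4Address(addr.strip())
    except ValueError:
        return "invalid"  # malformed or not IPv4
    if any(ip in net for net in RFC1918):
        return "private"
    for name, net in OTHER_NON_PUBLIC.items():
        if ip in net:
            return name
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return "reserved"
    return "public"

# Constructed inventory for illustration: names and addresses are made up.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for real public addresses.
INVENTORY = [
    ("infusion-pump-01", "10.20.30.41"),
    ("hvac-controller", "172.31.255.254"),
    ("badge-reader-3", "172.32.0.5"),      # just outside 172.16.0.0-172.31.255.255
    ("ip-camera-lobby", "203.0.113.10"),
    ("nurse-call-gw", "192.168.1.50"),
    ("lab-printer", "100.64.12.7"),
    ("mri-console", "198.51.100.23"),
    ("unknown-sensor", "192.168.1.300"),   # malformed entry
]

def publicly_addressed(inventory):
    """Devices whose own address is public, with no NAT router in front."""
    return [(name, ip) for name, ip in inventory if classify(ip) == "public"]

if __name__ == "__main__":
    for name, ip in INVENTORY:
        print(f"{name:18} {ip:16} {classify(ip)}")
```

Note the `172.32.0.5` entry: it resembles a private address at a glance but sits one step past the end of the 172.16.0.0 to 172.31.255.255 block, which is why a range test is more reliable than eyeballing the first octet or two.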

Expensive?

Using a public IP address for a single computer, server or IoT device can certainly simplify administration and setup. However, with supply and demand in mind, a dwindling global supply of public IP addresses has increased the prices that ISPs are able to charge for them. If your organization absolutely “needs” a separate public IP address, be prepared to pay significant monthly fees and be aware that these prices will continue to rise steadily. Do you need one static IP? Sure. Five, if you have a lot of on-prem infrastructure? Sure, maybe. But a block of 25 or more… probably not.

Securable?

Routers that connect a private network through a single public IP have a built-in safety mechanism: unsolicited transmissions from outside the private network are automatically stopped. Having a public IP directly assigned to a computer, server or IoT device, however, allows these requests to flow freely to that device. Such transmissions include spam and attempts to take control of the computer or device. As a result, using a public IP requires the implementation of a security strategy. Individual PCs need a virus scanner and a built-in firewall, while organizations may need to employ hardware firewalls and intrusion-prevention sensors. Is it possible to secure a device with an assigned publicly addressable IP? Sure.

Think of a publicly addressable static IP as a big flashing neon sign outside your front door that advertises you have valuables inside, but it is OK because your door is locked. You can also think of a public IP address as a doorbell that hackers can easily ring to see if anyone is home. Then, if the door with the public IP address is opened, you walk right into the office. Conversely, all the other doors, when forced open, lead to a waiting room where the burglar alarm is going off.

The main risk of using a public IP address is the same as the advantage: it allows anyone, anywhere to connect to your device directly from the Internet, and that includes cybercriminals. As they say, when you connect to the Internet, the Internet connects to you, in this case directly. Attackers can then easily steal your data, blackmail you or change your Internet access settings, forcing the router to feed you phishing websites or spam where they can then phish for login credentials or more valuable intellectual property.

Exploitable?

How do hackers know who to attack? For a start, there exist publicly available Internet services that regularly scan all IP addresses for vulnerabilities, making thousands of devices with exploitable bugs just a couple of clicks away. If cybercriminals want to get hold of not just anybody’s, but specifically your IP, they can do it when you use Skype, for example. Even when just visiting websites, your address is visible.

Incidentally, your public IP address can be used not only to hack into your private networks but also to carry out a DDoS attack, by bombarding you with packets from different devices simultaneously and overloading your Internet channel and router. In the corporate sphere, such attacks are often carried out against business competitors, or by disgruntled employees and customers intent on sabotaging your business operations by sabotaging your Internet connection.

Alternatives?

Public IP addresses are rarely the best or only option. LogMeIn, Splashtop, TeamViewer, and countless other remote access tools now offer cost-effective, secure and encrypted remote connections to computers, servers and IoT devices running Windows, macOS, Linux, and other operating systems. Virtual server hosting companies can provision multiple servers through a single network connection, saving IP addresses. If connecting two buildings, some ISPs can work with you to create a point-to-point connection. These connections use equipment to translate a signal over long distances without using IP addresses. You can use private IP addresses on either side of this leased link.

Stay Protected!

The best way to stay protected is, of course, not to use a public IP address, especially if you are not certain that you need it. In the past, there was a much greater demand for public IP addresses, but improved network technology, encryption and enterprise cloud computing have made those instances much fewer and farther between. Exposing on-prem servers and devices directly to the Internet should be avoided at all costs.

So, while your servers and IoT devices do not need external public IP addresses, routers do. It is essential that routers and the firewall(s) behind them are regularly patched and updated, as this generally fixes flaws, vulnerabilities, and weaknesses found in earlier versions.