
Sajan Parikh

join:2011-03-05
Walcott, IA

[IA] Dedicated IP from Mediacom?

I've got the Ultra50 and on a residential account with 1 additional IP address.

I haven't called and asked yet. Usually I find the buzzwords to mention here before I call.

Does anyone here know if Mediacom can assign a dedicated IP address to a residential modem?

...when I say dedicated, I mean static. As in...it's tied to my MAC and doesn't change.



ZC_217

join:2010-02-07
Des Moines, IA

I know they offer statics for business accounts for a fee. If they do it for Res accounts I'm sure there will be a monthly fee for it.



MediacomChad
Mediacom Social Media Relations Team
Premium,VIP
join:2010-01-20
Gulf Breeze, FL
kudos:95
reply to Sajan Parikh

Unfortunately we do not offer static IP addresses for residential accounts.



IowaMan
Premium
join:2008-08-21
Grinnell, IA
Reviews:
·Mediacom

I don't understand that. After all, it is just a "number" put into the system to get you online. Charge people $15 more if you want. After all, if business and residential go over the same coax, with the same equipment, and have everything the same except a higher fee, better tech response time for business customers, and the static, then otherwise there is no difference.
(Yes, I know about the SLAs for fiber etc., but I presume the OP is talking about ordinary cable internet.)



lhollow

join:2010-12-02
IL
reply to MediacomChad

Is that because Mediacom doesn't want people setting up servers?

The OP could just use dyndns.org.


thedragonmas

join:2007-12-28
Albany, GA
kudos:1

said by lhollow:

Is that because Mediacom doesn't want people setting up servers?

The OP could just use dyndns.org.

Odd thing, that. When I had DSL through BellSouth (before AT&T got them) I had a static IP. Cost? $4/mo residential. The TOS clearly stated no servers. So if it is because of that, then it's, to be blunt, a very stupid reason.

I think it's so they can push business class. Who usually needs static IPs? Folks working from home.

Sajan Parikh

join:2011-03-05
Walcott, IA
reply to Sajan Parikh

The reason I wanted a dedicated IP was..

I run a company and have many servers around the country and have firewalls set of course.

I've locked all of these servers down so only one IP address can access them. This is the IP address of a VPN I've set up in Chicago.

However this has become a SPOF, and while I'm setting up other VPNs and whitelisting those IPs as well...I thought I'd look into getting a static IP for my home so that I can whitelist that as well.

I certainly wouldn't mind paying extra.


jpatton

join:2010-04-07
Ames, IA

I've had this same issue with a couple computers I remote access at work. What I ended up doing was setting up a dyndns hostname for my home connection, then had a cronjob (scheduled task) to check the hostname's IP and update iptables (the firewall rules). It was a PITA to set up, and I do agree that it would be helpful to just be able to get a static IP. As demonstrated here, it's useful for more than just TOS-violating servers.
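
The approach jpatton describes above, sketched as an added example (not code from the thread or from any poster): a cron-driven script that resolves a dynamic-DNS name and keeps a single-rule iptables chain in step with it. The hostname, the chain name `HOME_DYN`, the port and the state-file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname, chain and state file are
# assumed names. One-time setup by the admin (port 22 is only an example):
#   iptables -N HOME_DYN && iptables -A INPUT -p tcp --dport 22 -j HOME_DYN
DYN_HOST="${DYN_HOST:-home.example.net}"
CHAIN="${CHAIN:-HOME_DYN}"
# Kept in /run so the state resets together with the rules at reboot.
STATE="${STATE:-/run/home-dyn.ip}"

# Accept only a dotted-quad IPv4 address with octets 0-255, so a failed or
# tampered lookup result is never pasted into a firewall command.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command that brings the chain in line with the new
# address: append on first run, otherwise replace rule 1 in place (-R) so
# there is no window with an empty chain. Prints nothing if unchanged.
plan_update() {   # usage: plan_update <old-ip-or-empty> <new-ip>
    is_ipv4 "$2" || return 1
    if [ "$1" = "$2" ]; then return 0; fi
    if [ -z "$1" ]; then
        echo "iptables -A $CHAIN -s $2/32 -j ACCEPT"
    else
        echo "iptables -R $CHAIN 1 -s $2/32 -j ACCEPT"
    fi
}

# Resolve, compare with the last applied address, apply, record.
run_once() {
    new=$(getent ahostsv4 "$DYN_HOST" | awk 'NR==1 {print $1}')
    old=$(cat "$STATE" 2>/dev/null || true)
    cmd=$(plan_update "$old" "$new") || { echo "bad lookup for $DYN_HOST" >&2; return 1; }
    if [ -n "$cmd" ]; then $cmd && echo "$new" > "$STATE"; fi
}

# cron (assumed install path): */5 * * * * /usr/local/sbin/home-dyn.sh run
if [ "${1:-}" = "run" ]; then run_once; fi
```

With this design the DNS record becomes part of the trust boundary: whoever can change it controls what the firewall admits, so the rule works as a pre-filter in front of authentication rather than a replacement for it.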



IowaGuy

@mchsi.com
reply to lhollow

lhollow is probably on to something: they just don't want people getting a residential connection but setting up mail servers and such on that type of connection.

I use DNSExit.com with the IP Updater. It can update DNS records with your dynamic IP.

On a side note, I've had the same dynamic IP for at least a year. As long as your CPE device is on all the time, you can usually keep your IP.


Sajan Parikh

join:2011-03-05
Walcott, IA
reply to Sajan Parikh

Keep in mind, I'm not looking for an A record to stay updated with my current IP.

I'm looking for my outbound connections to be from the same IP.

These are two different things. So services like DynDNS and DNSExit are not applicable.

The cron jpatton is talking about may work, but the amount of servers and iptables rules that are on each...makes me wary of doing it that way.
--------------------------------------

I've had the same dynamic IP for a while as well. However that's certainly not something I can rely on.



ZC_217

join:2010-02-07
Des Moines, IA
Reviews:
·Mediacom
reply to Sajan Parikh

said by Sajan Parikh:

I've locked all of these servers down so only one IP address can access them. This is the IP address of a VPN I've set up in Chicago.

However this has become a SPOF, and while I'm setting up other VPNs and whitelisting those IPs as well...I thought I'd look into getting a static IP for my home so that I can whitelist that as well.

So are you connecting to this VPN in Chicago then to your servers? Would you be able to set up some sort of multi-homed hardware VPN tunnel?

Where I work, we have 2 main Cisco 5540 ASA failover pairs, and we have many, many remote site offices set up with 5505 ASAs that build a VPN connection to either site, but we use the EZVPN of Cisco, which allows the main site to have static IPs while the remote sites are able to have dynamic IPs.

I'm not sure of your current topology of how you connect to your servers, so this may be completely outside the realm of realistic possibilities.

Sajan Parikh

join:2011-03-05
Walcott, IA

Ah, no I may have been a bit unclear...

Currently, I'm connecting to VPN in Chicago then to server. That works great.

If that VPN fails though, I've no graceful way to connect to the server. That's where the whitelisted dedicated IP from mediacom would come in. I can just connect directly from my home.



ZC_217

join:2010-02-07
Des Moines, IA
Reviews:
·Mediacom

said by Sajan Parikh:

Ah, no I may have been a bit unclear...

Currently, I'm connecting to VPN in Chicago then to server. That works great.

If that VPN fails though, I've no graceful way to connect to the server. That's where the whitelisted dedicated IP from mediacom would come in. I can just connect directly from my home.

Ah, ok. You are trying to set the firewall your server is behind to allow a second connection in to access the server in the event of the VPN failing.

Just a thought, can your firewall at your server location be set up to accept software VPN client connections? It would allow you a second path in, would be more secure than just a firewall rule allowing a dedicated IP in and then it wouldn't matter what IP you'd get from your ISP. Allows access from anywhere while still being secure.

Sajan Parikh

join:2011-03-05
Walcott, IA

1 edit

That would essentially be me keeping a port open, wouldn't it?

The only problem with that is that it would accept the connection from any IP address and the security would rely on the authentication.

Which is perfectly fine and may end up being what we do. However, I was rather looking to drop the packet completely if it wasn't from the handful of IPs (our VPNs + dedicated Mediacom IP) that I would whitelist.

Please correct me briefly and point me in the right direction if I misunderstood. It's 8AM and I haven't slept. :P.



ZC_217

join:2010-02-07
Des Moines, IA
Reviews:
·Mediacom

You wouldn't really be leaving a port open per se. It would respond to connections from any IP address, but you can use internal security authentication. I understand not wanting your firewall to respond to anything from untrusted sources but if you have good internal security policies you should be ok.

The way we use our software VPNs is that, in order to authenticate with the VPN and establish connectivity, you log into the VPN Client with internal RADIUS logins that must comply with IT Security policies. So you still have to have the right credentials for the firewall to even respond with anything other than requesting login.

Not knowing what kind of business it is, I don't know what level of security is required, but I can't see allowing software VPNs opening your firewall up to any more issues. If you don't have the right credentials it then simply drops the traffic. And you still have access to your servers no matter what your IP is.



OldCableGuy

@communications.net
reply to Sajan Parikh

Security as you've described is extremely insecure. Source IP can be spoofed extremely easily and then all your iptables rules are completely null and void. Why not just set up SSH keys like everyone else since the end of the 20th century and be done with it? There is no way to break a 2048-bit SSH key and you can configure SSH to only allow your key to connect.


Sajan Parikh

join:2011-03-05
Walcott, IA

It's not an either/or proposition. We of course use SSH keys, but again that is for the authentication. I was looking for a way to drop the packet completely if it was from an unknown source...before SSH keys would even come into play.

Also, access to this server isn't simply by SSH. So the other software that we're connecting to on the server doesn't use SSH authentication, which is why this is being done on the firewall.

However, I think I'm going to just keep doing it the way I have been. Rather than getting a static IP from Mediacom, I'll just set up other VPNs in other geographic locations. That should give me the same redundancy.

Plus other people that work for me around the world all have static IPs that are whitelisted...so I shouldn't ever get into a situation where I'm completely locked out of my system.

If I do...I guess I'd just need to drive out to each datacenter or call their remote hands.
----------------------------------------

I should be fine, would still have preferred a static IP from mediacom for $6-8/mo though.


Sajan Parikh

join:2011-03-05
Walcott, IA
reply to Sajan Parikh

I should note that I do have plans to throw a hardware firewall in the future, where these static IPs would be useful.



OldCableGuy

@communications.net
reply to Sajan Parikh

Obviously you don't know this, but you can tunnel anything through SSH, so you put one SSH server in the DMZ, connect to that, and then tunnel to everything you want to administer. No static IP addresses required, secure enough for PCI and SOX audits. Problem solved, nuff said.


Sajan Parikh

join:2011-03-05
Walcott, IA

lol, that's how I have it set up now. The point of this thread is for what happens if that SSH server goes down.



OldCableGuy

@communications.net

Round Robin DNS to a pool of SSH servers? Load balancing frontend? Just spitballing ideas of how to do this correctly instead of some static IP kludge.


Sajan Parikh

join:2011-03-05
Walcott, IA

1 edit
reply to OldCableGuy


To be honest, the other solutions you're spitballing are more kludge than static IP.

If I had a business account with Mediacom, I'd use a static IP. That's how I have it with other providers, and that's how businesses with Mediacom do it.

Asking for a static IP is not a workaround, that is THE solution. Just the status of my account prohibits me from getting one from Mediacom.

Edit: When I say that is "THE" solution, I don't mean in terms of overall security.

I'm saying that getting a static IP is what anybody would do first before any sort of DNS round robin.



OldCableGuy

@communications.net
reply to Sajan Parikh


So what happens when you're traveling and don't have access to your static IP?

Your lack of planning tells me you have not thought this through much at all if at all, period.

Also you clearly have never heard of IP spoofing, I could send packets to your device forged as any IP on the net if I wanted to.

What you're suggesting is the same as turning off all encryption on your wifi and doing MAC filtering, laughable security at best.


Sajan Parikh

join:2011-03-05
Walcott, IA

said by OldCableGuy :

So what happens when you're traveling and don't have access to your static IP?

Your lack of planning tells me you have not thought this through much at all if at all, period.

Also you clearly have never heard of IP spoofing, I could send packets to your device forged as any IP on the net if I wanted to.

What you're suggesting is the same as turning off all encryption on your wifi and doing MAC filtering, laughable security at best.

I'm not sure if you've read the thread...but I'm not looking to replace my already existing VPNs and VLANs with simple iptables IP blocking.

Also, I'm not entirely sure where your attitude comes from.

My simple question was if Mediacom could provide me a static IP. Can source IPs be spoofed? Yes. Does that mean nobody should use them as a security layer even if it adds very little benefit? No.