Answers
@pcit_2023 I assume you're providing IP addresses through DHCP on the Firewall to your LAN clients? You can try to set the Lease Time in the relevant dynamic DHCP scope to 2880 (2 days) and hope that your clients are not requesting the old IP over and over again.
I believe that Windows clients send DHCP Option 50 with the old IP as the preferred address again, so they might stick with it.
Only option would be on the client to do an "ipconfig /release" and "ipconfig /renew".
I hope this puts you in the right direction.
--Michael@BWC
This isn't something you can enforce firewall-side; if the client re-requests the same IP, the SonicWall will oblige if it can.
Might be easier to leave everyone on DHCP, then out of hours every evening change the firewall LAN IP to a new subnet, and then by the morning all clients will have new IPs ;-)
@pcit_2023 - OK, I'll bite. Why do you - or someone you work for - want to do this? What purpose is this supposed to achieve? I'm curious.
Hi @BWC, you're correct. We are running DHCP on our firewall and I already set the lease time to 2880, but upon checking, the IPs of the computers did not change.
Hi @Arkwright, what do you mean by leave everyone on DHCP?
Hi @Larry, this is for security purposes as per my boss. To prevent computers from getting an external attack, just in case :)
@pcit_2023 I see no security benefit in changing client IPs every two days, because your IPs are NATed at the gateway anyway.
As mentioned before, Windows clients send DHCP Option 50 and request the same IP over and over again. Did you verify what happens when you do a:
ipconfig /release
ipconfig /renew
Is it still the same IP? If not, you might need to script this somehow.
--Michael@BWC
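As an added illustration (this is not code from any post in the thread), here is a small Python parser for the DHCP option area that extracts Option 53 (message type), Option 50 (requested IP address), Option 51 (lease time in seconds) and Option 61 (client identifier) from a raw DHCP payload. The sample messages are constructed inline, and the 2880-minute lease matches the value discussed above. Running the same parser over a packet capture of a client's renewal REQUEST shows whether the client is asking for its old address, which is exactly the behaviour that makes the scope lease time irrelevant to address rotation.

```python
import struct
import ipaddress
from typing import Optional

# DHCP option codes (RFC 2132)
OPT_PAD = 0
OPT_REQUESTED_IP = 50      # "Requested IP Address": client asks for a specific lease
OPT_LEASE_TIME = 51        # lease duration in seconds, set by the server
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61
OPT_END = 255

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER_LEN = 236     # fixed BOOTP header that precedes the cookie and options

MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(payload: bytes) -> dict:
    """Walk the TLV option area that follows the fixed header and magic cookie."""
    cookie_end = BOOTP_HEADER_LEN + len(DHCP_MAGIC_COOKIE)
    if len(payload) < cookie_end or payload[BOOTP_HEADER_LEN:cookie_end] != DHCP_MAGIC_COOKIE:
        raise ValueError("not a DHCP message: bad length or magic cookie")
    opts = {}
    i = cookie_end
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = data
        i += 2 + length
    return opts


def summarize(payload: bytes) -> dict:
    """Pull out the fields that show whether a client is asking for its old lease."""
    opts = parse_options(payload)
    hlen = payload[2]                       # hardware address length (6 for Ethernet)
    mac = payload[28:28 + hlen].hex(":")    # chaddr field of the BOOTP header
    mtype = opts.get(OPT_MESSAGE_TYPE, b"\x00")[0]
    requested: Optional[str] = None
    if len(opts.get(OPT_REQUESTED_IP, b"")) == 4:
        requested = str(ipaddress.IPv4Address(opts[OPT_REQUESTED_IP]))
    lease: Optional[int] = None
    if len(opts.get(OPT_LEASE_TIME, b"")) == 4:
        lease = struct.unpack("!I", opts[OPT_LEASE_TIME])[0]
    return {
        "mac": mac,
        "type": MESSAGE_TYPES.get(mtype, "UNKNOWN"),
        "requested_ip": requested,
        "lease_seconds": lease,
        "client_id": opts.get(OPT_CLIENT_ID, b"").hex(":") or None,
    }


def is_sticky_request(summary: dict) -> bool:
    """True when the client explicitly asks the server for a particular address."""
    return summary["type"] == "REQUEST" and summary["requested_ip"] is not None


def build_message(mtype: int, mac: bytes, requested_ip: Optional[str] = None,
                  lease_seconds: Optional[int] = None, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCP message for testing (sample data, not a real capture)."""
    op = 2 if mtype in (2, 5, 6) else 1     # BOOTREPLY for server messages, else BOOTREQUEST
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, len(mac), 0, xid, 0, 0x8000,
                         b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                         mac.ljust(16, b"\x00"), b"", b"")
    options = bytes([OPT_MESSAGE_TYPE, 1, mtype])
    options += bytes([OPT_CLIENT_ID, len(mac) + 1, 1]) + mac   # type 1 = Ethernet MAC
    if requested_ip is not None:
        options += bytes([OPT_REQUESTED_IP, 4]) + ipaddress.IPv4Address(requested_ip).packed
    if lease_seconds is not None:
        options += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease_seconds)
    options += bytes([OPT_END])
    return header + DHCP_MAGIC_COOKIE + options


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")                    # constructed client MAC
    renewal = summarize(build_message(3, mac, requested_ip="192.168.1.57"))
    print(renewal, "sticky:", is_sticky_request(renewal))
    ack = summarize(build_message(5, mac, lease_seconds=2880 * 60))  # 2880-minute lease
    print(ack)
```

In a real capture the REQUEST will carry the client's current address in Option 50, so the server hands the same lease back regardless of how short the scope lease time is; the parser makes that visible without needing a full protocol dissector.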
My suggestion was slightly facetious, but your stated objective of improving security is a waste of time. Assuming you're using IPv4 and NAT [because that describes 99% of corporate setups], then no matter what the device IP is, it will appear to the outside world as the same.
If you are using IPv6 then maybe, there is some tiny theoretical benefit to rotating your IPs to stop your public address space being enumerated, but I'd class this one as "security through homeopathy".
what do you mean by leave everyone on DHCP?
Have all the clients use DHCP to assign IP addresses
Just to chime in now that you've provided context.
As stated, there is no (meaning zero) point in changing internal network IP addresses. Whatever IP address you end up (randomly) assigning still has to be associated with a MAC address. Those addresses are constant, so there's no advantage through this misguided attempt at security by obscurity.
If the goal is to prevent any lateral movement of a malicious actor within your corporate network, you need to use an effective MDR/EDR solution. SonicWall provides that with the Capture Client offering, which pairs SentinelOne and the power of your firewall. You can read more about that product here: https://www.sonicwall.com/products/firewalls/security-services/capture-client/
Hi @BWC, @Arkwright and @Larry, thank you for the insights and suggestions. I will check those and learn them, as I'm a beginner when it comes to handling our network security. :)
I really appreciated your response to my query by the way. Thanks again guys! :)