24

Our IT services firm is proposing a network reconfiguration to use the IP range 10.10.150.1 – 10.10.150.254 internally, as they state the current IP scheme using manufacturer defaults of 192.168.1.x is "making it too easy to exploit".

Is this true? How does knowing / not knowing the internal IP scheme make a network more exploitable? All internal systems are behind a SonicWall NAT and firewall router.

Michael Glenn
  • 651
  • 9
  • 13
  • Thought I would add this question: http://serverfault.com/questions/33810/odd-routing-issue-after-ip-change It seems this outlines some problems you may have if you were to go this route. – Joshua Nurczyk Jun 30 '09 at 19:12
  • 23
    If you don't have an NDA with the IT services company, can you name and shame them? Then everyone here can avoid them due to their lack of clue and a desire to create billable work that achieves nothing – goo Jun 30 '09 at 19:44
  • Fire them they are "not smart".. – dc5553 Apr 27 '12 at 12:13

16 Answers

55

This will add at best a very thin layer of "security by obscurity", as 192.168.x.y is a way more commonly used network address for private networks, but in order to use the internal addresses, bad boys have to be already inside your network, and only the most stupid attack tools will be fooled by the "non standard" address scheme.

It costs nearly nothing to implement this, and it offers nearly nothing in return.

Sven
  • 98,649
  • 14
  • 180
  • 226
  • 7
    +1 for "costs nothing offers nearly nothing". I'd question whether or not such a change might not be more of a pain in the a$$ than its worth but if you're REALLY, REALLY concerned... go ahead and use a non-standard IP range. Just be sure to change your default router passwords and ports... because otherwise its just embarrassing. *grin* – KPWINC Jun 30 '09 at 17:45
  • 23
    Depending on the size of your network, I'd argue that the cost is much greater than nothing. If you really want to bake the consultants noodle, tell him that you believe that predictability is a foundation of information security, and implementing this change will make the network less secure because it will require you to alter many access control lists and other technical security controls. – dr.pooter Jun 30 '09 at 18:03
  • 1
    I agree with dr.pooter on this one. This is a very large change to your infrastructure, with damn near no real benefit. For a medium sized environment and higher, the logistics (and risks) of this are ulcer invoking. – Scott Pack Jun 30 '09 at 18:06
  • 1
    Another agreement. The change only "costs nothing" on a completely DHCP network that requires no static IP addresses (usually means no servers on the network). It costs headaches and lots of time otherwise. – Joshua Nurczyk Jun 30 '09 at 18:15
  • 1
    +1 Agreed. I would be wary of anyone who goes to lengths to implement something for the sole purpose of security by obscurity. – squillman Jun 30 '09 at 18:26
  • I can think of 1 reason they're correct: someone brings in their own router/switch, and it starts handing out 192... IP addresses on its own DHCP. Can be a bitch to find sometimes. If everyone's on the 10 network, the damage will be minimal. Its not much of a security issue (unless they bring a wireless router in). – gbjbaanb Jun 30 '09 at 23:22
30

Sounds like billable busywork to me.

Aside from the fact that many consumer appliances use the 192.168.x.x address space (which can be exploited, like anything else), I don't feel that really changes the security landscape of a corporate network. Things inside are locked down, or they aren't.

Keep your machines/devices on current software/firmware, follow best practices for network security, and you'll be in good shape.

Geoff Fritz
  • 1,727
  • 9
  • 11
  • 13
    +1 for the "billable busywork" observation. Someone needs to pay their lease up for the year and got creative with their client proposals. =) – Wesley Jun 30 '09 at 17:49
  • 3
    +1 - Perhaps next the burglar alarm company will suggest that you try and paint the exterior of the building in camouflage colors to ward off burglars! Security through absurdity... – Evan Anderson Jun 30 '09 at 18:58
10

Sounds like your IT firm wants some billable work to me.

The only legit reason I can think of to stay away from the 192.168.0.x or 192.168.1.x subnets is the likelihood of having overlapping subnets with VPN clients. This is not impossible to work around but does add some complication to setting VPNs up and diagnosing issues.

3dinfluence
  • 12,449
  • 2
  • 28
  • 41
  • 1
    Yep, this is the only reason I usually choose strange networks like 10.117.1.0/24 for offices that may have users VPNing into them. – kashani Jun 30 '09 at 22:25
  • @kashani That is a sensible practice. So sensible in fact, that if you want to use private addresses in IPv6 it is even mandated in [RFC 4193](https://tools.ietf.org/html/rfc4193) to put 40 random bits into the prefix. – kasperd Apr 18 '16 at 21:07
9

One big advantage to not using 192.168.x.x addressing is to avoid overlap with users' home networks. When setting up VPN it is a lot more predictable if your network is distinct from theirs.

  • 2
    +1: This is one of two good reasons to change (the other is needing more addresses in the subnet). – Richard Jul 06 '09 at 09:19
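The VPN-overlap argument from this answer and the one above (plus kasperd's RFC 4193 remark) can be checked mechanically. The following is an added example, not code from the original thread: it tests a proposed office range against a constructed list of common consumer-router defaults, confirms it is still RFC 1918 space, and builds a random IPv6 ULA prefix the way RFC 4193 prescribes (fd00::/8 plus 40 random bits). The list of home-router defaults is an assumption for illustration, not a survey.

```python
import ipaddress
import secrets

# Constructed list of LAN ranges that consumer routers commonly ship with.
# Illustrative only; extend it with what your own VPN users actually report.
COMMON_HOME_LANS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]

# The three RFC 1918 private blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net):
    """True if the whole network lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(net, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def vpn_collisions(office_net, remote_lans=COMMON_HOME_LANS):
    """Return the remote LAN ranges that overlap the office range.

    Any hit means a road-warrior on that home LAN will have an ambiguous
    route once the VPN tunnel comes up (the problem the answers describe)."""
    office = ipaddress.ip_network(office_net, strict=False)
    return [lan for lan in remote_lans if office.overlaps(lan)]


def pick_office_range(rng=secrets.randbelow):
    """Pick a random /24 inside 10.0.0.0/8 that avoids the common home LANs.

    This mirrors kashani's 'strange network' habit (e.g. 10.117.1.0/24).
    `rng` is injectable so the choice can be made deterministic in tests."""
    while True:
        candidate = ipaddress.ip_network(f"10.{rng(256)}.{rng(256)}.0/24")
        if not vpn_collisions(candidate):
            return candidate


def random_ula_prefix(rng=secrets.token_bytes):
    """Build an RFC 4193 /48 ULA prefix: fd00::/8 followed by a 40-bit Global ID."""
    global_id = int.from_bytes(rng(5), "big")      # 40 random bits
    prefix_int = (0xFD << 120) | (global_id << 80)  # remaining 80 bits are zero
    return ipaddress.IPv6Network((prefix_int, 48))
```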
8

I do not think this is likely.
Any exploit worth its weight will be using all three private subnet ranges for scanning.

Here are some references for your IT,

nik
  • 7,100
  • 2
  • 25
  • 30
7

(sniff...sniff) I smell ... something. It seems to be coming from the direction of your IT firm. Smells like...baloney.

Switching subnets provides, at best, a figleaf of protection. Never mind that the rest of you isn't covered...

The days of hard-coded viruses are long past, and you'll find that malicious code is "smart" enough to look at the infected machine's subnet and start scanning from there.

Avery Payne
  • 14,536
  • 1
  • 51
  • 88
6

I would say it is not more secure. If they break into your router, it is going to show them the internal range anyways.

Jack B Nimble
  • 1,505
  • 1
  • 10
  • 13
3

As another person said, the only good reason to change from 192.168.1.x is if you are using VPN from home routers on the client side. It's the reason every network I administer has a different subnet, because I and my client machines do VPN.

dmoisan
  • 447
  • 2
  • 6
2

My guess would be that some drive-by router exploit scripts are hardcoded to go looking at the standard home router address. So their response is "security through obscurity"... except it's not obscure, because depending on how the script works, it probably has access to the gateway address.

Tom Ritter
  • 3,197
  • 5
  • 27
  • 30
2

Really, it is just an urban legend.

Anyway, their reasoning might be as follows: assume that the 192.168.x.0/24 range is used more commonly. Then, perhaps, the next assumption will be that, were there a piece of malicious software on one of the PCs, it would scan the 192.168.x.0/24 range for active computers. Disregard the fact that it would probably use some Windows built-in mechanism for network discovery.

Again - it sounds like cargo-cultism to me.

shylent
  • 812
  • 11
  • 22
2

Manufacturer defaults are always more exploitable as they are the first options that will be attempted, but the 10 range is also a very well known private range, and - if 192.168 doesn't work - will be the next one tried. I'd call "bull" on them.

Maximus Minimus
  • 8,987
  • 2
  • 23
  • 36
2

Both ranges are "private" addresses and equally well known. Get someone else to look after your IT.

Knowing which address range you use internally is of absolutely no advantage. Once someone has access to your internal network they can see what addresses you use. Up to that point it's a level playing field.

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109
1

I am not a network guy...but as a Linux person, I don't see how that would make any difference. Swapping one internal Class C to another doesn't really do anything. If you are on the network, you will still get the same access regardless of what the IP addresses are.

There may be a tiny difference from the perspective of people who don't know what they are doing bringing in their own wireless routers that would default to 192.168.0/32. But it is really no more secure.

Alex
  • 6,603
  • 1
  • 24
  • 32
1

Many of today's threats come from inside through careless users executing malware. Although it may not offer much protection, I wouldn't completely dismiss it as urban legend.

It would be called security through obscurity if the protection relied on the obscurity alone (like putting a secret document on a public web server with a "random" folder name); this clearly is not the case.

Some scripts may be hardcoded to scan the 192.168.1.x range and spread their own copy. Another practical reason is that home routers are typically configured with that range, so it may conflict when you set up VPN from the home machines, sometimes causing accidents.

Eugene Yokota
  • 1,919
  • 3
  • 17
  • 12
1

If an attacker is in position to compromise your internal network, they're in position to know your IP range.

It's sort of like this: If the only protection you're using is your IP address range, I can plug an unconfigured machine into the switch and learn your network configuration in a couple of seconds, just by ARP requests. This is essentially busywork if the only reason behind it is "security".

All pain, no gain.

Matt Simmons
  • 20,396
  • 10
  • 68
  • 116
0

Using one addressing class over another offers no real security above and beyond what is already implemented.

There are three major types of privatized IP address classes:

Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255

sledge
  • 147
  • 5
  • 3
    Sigh. Class based routing has been irrelevant for years. What you actually mean is that there are three private subnets for use. – Mark Henderson Jul 01 '09 at 02:45