25

Our IT services firm is proposing a network reconfiguration to use the IP range 10.10.150.1 – 10.10.150.254 internally as they state the current IP scheme using manufacturer defaults of 192.168.1.x is "making it too easy to exploit".

Is this true? How does knowing / not knowing the internal IP scheme make a network more exploitable? All internal systems are behind a SonicWall NAT and firewall router.

16 Answers

55

This will add at best a very thin layer of "security by obscurity", as 192.168.x.y is a way more commonly used network address for private networks, but in order to use the internal addresses, bad boys have to be already inside your network, and only the most stupid attack tools will be fooled by the "non standard" address scheme.

It costs nearly nothing to implement this, and it offers nearly nothing in return.

Sven
  • 100,763
30

Sounds like billable busywork to me.

Aside from the fact that many consumer appliances use the 192.168.x.x address space (which can be exploited, like anything else), I don't feel that really changes the security landscape of a corporate network. Things inside are locked down, or they aren't.

Keep your machines/devices on current software/firmware, follow best practices for network security, and you'll be in good shape.

Geoff Fritz
  • 1,727
10

Sounds like your IT firm wants some billable work to me.

The only legit reason I can think of to stay away from the 192.168.0.x or 192.168.1.x subnets is the likelihood of having overlapping subnets with VPN clients. This is not impossible to work around but does add some complication to setting VPNs up and diagnosing issues.

3dinfluence
  • 12,539
9

One big advantage to not using 192.168.x.x addressing is to avoid overlap with users' home networks. When setting up VPN it is a lot more predictable if your network is distinct from theirs.

8

I do not think this is likely.
Any exploit worth its weight will be using all three private subnet ranges for scanning.

Here are some references for your IT,

nik
  • 7,140
7

(sniff...sniff) I smell ... something. It seems to be coming from the direction of your IT firm. Smells like...baloney.

Switching subnets provides, at best, a figleaf of protection. Never mind the rest of you isn't covered...

The days of hard-coded viruses are long past, and you'll find that malicious code is "smart" enough to look at the infected machine's subnet, and start scanning from there.

Avery Payne
  • 14,804
6

I would say it is not more secure. If they break into your router, it is going to show them the internal range anyways.

3

As another person said, the only good reason to change from 192.168.1.x is if you are using VPN from home routers on the client side. It's the reason every network I administer has a different subnet, because I and my client machines do VPN.

dmoisan
  • 447
2

My guess would be that some drive-by router exploit scripts are hardcoded to go looking at the standard home router address. So their response is "security through obscurity"... except it's not obscure because depending on how the script works, it probably has access to the gateway address.

Tom Ritter
  • 3,377
2

Really, it is just an urban legend.

Anyway, their reasoning might be as follows: assume that the 192.168.x.0/24 range is used more commonly. Then, perhaps, the next assumption will be that, were there a piece of malicious software on one of the PCs, it would scan the 192.168.x.0/24 range for active computers. Disregard the fact that it would probably use some Windows built-in mechanism for network discovery.

Again - it sounds like cargo-cultism to me.

shylent
  • 820
2

Manufacturer defaults are always more exploitable as they are the first options that will be attempted, but the 10 range is also a very well known private range, and - if 192.168 doesn't work - will be the next one tried. I'd call "bull" on them.

2

Both ranges are "private" addresses and equally well known. Get someone else to look after your IT.

Knowing which address range you use internally is of absolutely no advantage. Once someone has access to your internal network they can see what addresses you use. Up to that point it's a level playing field.

1

I am not a network guy...but as a Linux person, I don't see how that would make any difference. Swapping one internal Class C to another doesn't really do anything. If you are on the network, you will still get the same access regardless of what the IP addresses are.

There may be a tiny difference from the perspective of people who don't know what they are doing bringing in their own wireless routers that would default to 192.168.0/32. But it is really no more secure.

Alex
  • 6,723
1

Many of today's threats come from inside through careless users executing malware. Although it may not offer much protection, I wouldn't completely dismiss it as urban legend.

It would be called security through obscurity if the protection relied on the obscurity alone (like putting a secret document on a public web server with a "random" folder name); this clearly is not the case.

Some scripts may be hardcoded to scan the 192.168.1.x range and spread their own copy. Another practical reason is that home routers are typically configured with that range, so it may conflict when you set up VPN from the home machines, sometimes causing accidents.

1

If an attacker is in position to compromise your internal network, they're in position to know your IP range.

It's sort of like this: If the only protection you're using is your IP address range, I can plug an unconfigured machine into the switch and learn your network configuration in a couple of seconds, just by ARP requests. This is essentially busywork if the only reason behind it is "security".

All pain, no gain.

Matt Simmons
  • 20,584
0

Using one addressing class over another offers no real security above and beyond what is already implemented.

There are three major types of privatized IP address classes:

Class A: 10.0.0.0 - 10.255.255.255
Class B: 172.16.0.0 - 172.31.255.255
Class C: 192.168.0.0 - 192.168.255.255

sledge
  • 147
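An added example (not from any answer above) that puts the thread's two concrete points together: sledge's three RFC 1918 ranges, and the VPN-overlap argument made by 3dinfluence, nik and dmoisan. It treats the question's 10.10.150.1–254 range as 10.10.150.0/24, and the list of home-router default subnets is a constructed illustration, not survey data.

```python
"""Check a proposed internal subnet for RFC 1918 membership and for
collisions with typical consumer-router default LANs, then show why an
overlap makes a split-tunnel VPN client's routing unpredictable."""
import ipaddress
from typing import List, Optional, Tuple

# The three RFC 1918 private ranges (sledge's list, written as CIDR).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample of factory-default LAN subnets on home routers.
# Illustrative only; extend it with what your own VPN users report.
HOME_ROUTER_DEFAULTS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("192.168.2.0/24"),
    ipaddress.ip_network("10.0.0.0/24"),
]


def private_block(net: str) -> Optional[str]:
    """Return the RFC 1918 range that fully contains `net`, or None."""
    n = ipaddress.ip_network(net, strict=False)
    for block in RFC1918:
        if n.subnet_of(block):
            return str(block)
    return None


def vpn_collisions(corp_net: str) -> List[str]:
    """Home defaults that overlap `corp_net`. A VPN client sitting on
    such a LAN ends up with two routes for the same prefix."""
    corp = ipaddress.ip_network(corp_net, strict=False)
    return [str(h) for h in HOME_ROUTER_DEFAULTS if corp.overlaps(h)]


def route_for(dst: str, routes: List[Tuple[str, str]]) -> str:
    """Longest-prefix match over (prefix, interface) pairs. Two
    equal-length prefixes (home LAN vs. VPN tunnel) tie, so the
    outcome depends on table order: the 'accidents' the thread mentions."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else "default"
```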