Cybersecurity threats have placed the onus for secure implementations very much on installers and integrators. Most professional networked security devices and systems will include configuration options that allow edge devices to be hardened, but there is more that engineers can do to reduce the attack surface of a system. One under-used option is the implementation of limited subnet masking.
For many installers and integrators, the subnet mask in IP configurations is something that doesn’t generate a high degree of consideration. The vast majority of systems will have a default subnet mask value set, and in most mainstream applications this enables the correct levels of communication. Few look further into subnet masking because there seems to be little point. If it works, then there’s no reason to delve any deeper into the subject.
Part of the reason for this attitude revolves around the way that subnet masking is taught in the world of IT training and education. Too often the use of subnet masks is discussed regarding the management of binary values rather than the reason masks are applied and how that can be used to better manage security.
Every IP address is made up of two parts: the network address and the node address. The role of the subnet mask is to separate these two elements. Because the network and node portions of an IP address are not consistent, the subnet mask is required to make sense of the address.
Many educational resources address subnet masks in relation to how networks are divided for work groups or departments, and often the focus is on ensuring that each sub-network can support a sufficient number of devices.
Understanding the construction
A subnet mask makes use of a 32-bit number. It is made up of four octets numbered 0-255, representing a binary value. Each octet of a subnet mask defines whether that portion of the IP address is for the network or for devices. The network address is identified by a binary value of 1, while the device address is identified with a value of 0.
By way of a simple example, a subnet mask of 255.255.255.0 shows that the first three octets represent a series of values set at a binary value of 1 (255 being the total), with the last octet being comprised fully of binary values of 0. Therefore, the last octet defines how many devices can be supported on that sub-network. IP addresses ending in .0 are reserved for subnet identification and .255 are used for broadcast, so this means that where a subnet mask of 255.255.255.0 is set, a maximum of 254 nodes can be supported.
It is worth noting that is a system requires more than 254 nodes, typically the subnet mask will be set as 255.255.0.0. This allows more than 65,500 nodes to be supported.
A potential threat
One issue with a system supporting many more nodes than are actually required is that an unauthorised person could add devices to the system, via the unused addresses. By then taking control of the rogue device, it could be possible to affect the performance of the system or access its data.
The average security system will not have a need for 254 nodes. The few larger systems with greater requirements that do will not require more than 65,000 nodes. As such, the spare addresses in sub-networks can create something of a potential risk.
Subnetting can also be implemented to effectively isolate parts of a system. Some experts recommend giving each group of devices, such as cameras, a dedicated subnet. This should then only communicate with the subnet of recording devices. Management devices should also have a dedicated subnet.
Taking things further, users can be split into logical groups and these can be given dedicated subnets too. This then allows simpler implementation of IP filtering and firewall rules.
Using multiple subnets enables both a reduction of unused addresses and a higher degree of control over different parts of the security system.
Splitting things down
Values in subnet masking are predominantly either 255 (all binary values set to 1) or 0 (all binary values set to 0). However, that does not mean that values are limited to these two figures. In many applications the implementation of basic subnets works well enough and is easily understood. However, when considering cybersecurity and critical systems such as security, safety and building management, the flexibility of CIDR subnetting offers additional options.
This allows a range of values to be used as a part of subnet masking: 0, 128, 192, 224, 240, 248, 252 and 255. These allow the creation of 1, 2, 4, 8, 16, 32 or 64 subnets respectively. Therefore, a system with the subnet mask 255.255.255.128 will effectively create two sub-networks, each capable of supporting up to 126 nodes.
Similarly, a subnet mask configured as 255.255.255.192 will create four sub-networks, each capable of supporting up to 62 nodes.
It is worth remembering that each subnet must have two addresses reserved; the first address is used for network identification and the last address is reserved for broadcast. Therefore a subnet mask of 255.255.255.252 will create 64 sub-networks with four addresses each, but only two devices can be supported.
Dividing a system into a series of sub-networks does require planning. It is important to consider how the system will be split down. Usually the best approach is to group devices by type and limit their connections to only other devices that they need to talk to. For example, cameras only need to be linked to recording devices. The same approach should be taken with regard to users. Operators and administrators can be separated onto different subnets.
A wide range of subnet calculators can be accessed on-line, or downloadable versions could be used on a mobile device. These can help simplify the process and provide information that might be requested by the end user or their IT department.
While the use of sub-networks can enhance overall system security, it does also have other benefits which may increase system performance to some degree, dependent upon the network.
For example, network speed can be increased and congestion reduced. Broadcast packets transmit information to all connected devices. Where a large number of nodes are in use, switching performance can be impacted. Broadcast packets will therefore be transmitted to devices that aren’t relevant for the task being performed.
With subnetting, that information is limited to the sub-network. Because the installer or integrator can limit traffic to a specific sub-network, this can help reduce any potential congestion on other parts of the network.
Importantly, this degree of separation also means that if a device is compromised (either in the security system or on another part of the corporate network), its ability to control other system elements is greatly reduced.
Subnetting is not, by itself, a cybersecurity solution. In some applications, it might not even be necessary. However, when implemented in combination with other device- and network-hardening policies it can help to reduce the risks and threats that a security system faces.