I completed a week of Cisco Certified Network Associate (CCNA) training and passed the exam. I learned an interesting bit about how to quickly subnet. I would like to focus on how to subnet quickly without a calculator. For blue teamers, this skill is useful for implementing and evaluating segmentation. For red teamers, it can be useful for determining the number of potential live hosts in subnets that don’t follow the typical /24 size. We will first start off with a review of segmentation and then move into subnetting.
Segmentation is splitting a computer network into subnetworks to improve performance and security. Implementing separate and isolated segments limits the exposure between systems storing sensitive data, systems servicing Internet resources, and other internal systems. Without segmentation (a “flat” network), an attacker who compromises one area of your network can have unfettered access to systems across the enterprise. With all devices running on the same network, you could also run into network issues such as slow speeds and collisions.
These issues can be mitigated by implementing segmentation with multiple controls at multiple layers. The more controls, subnets, and segments you have, the harder it becomes for a malicious user to move laterally through a network. In addition, these demarcation points provide the organization with more points of monitoring and therefore visibility into their network.
Implementing access control lists (ACLs) can limit what networks and hosts can “talk” to each other. Applying the principle of least privilege is a recommended best practice. For example, the Customer Service subnet does not need access to the Accounting FTP server or anything else in their network. This access should be blocked with an ACL. You may be thinking, “Why don’t we just use ACLs and keep everything in one network?” This method usually makes your ACLs much more complicated than they need to be and doesn’t provide the extra security of a separate subnetwork.
ACLs are primarily enforced by firewalls, which should be placed where you change security zones, not just at the network perimeter. So, to use another example, your PCI security zone should have a firewall between it and the rest of the network. Having these firewalls in place keeps your more critical zones secure while you can implement monitoring and logging of those ingress/egress points.
Segmentation is usually accomplished by implementing one, or some combination of the following solutions:
- Virtual Local Area Networks (VLANs)
- Layer 3 devices
- Software-Defined Networking (SDN)
- Variable Length Subnet Mask (VLSM)
VLANs are implemented by switches and are great at containing broadcast domains, limiting flooding of packets on the switches, and logically grouping end stations. VLANs limit your broadcast domains and prevent systems from flooding the entire network when they attempt to find the destination for a communication. Grouping multiple end stations into a VLAN logically segments the network at layer 2. Endpoints on different VLANs are unable to talk to each other without routes between the VLANs. This adds a security layer to the infrastructure that can prevent malicious attackers from being able to compromise every host in that section of your network. Layer 3 devices, such as a Layer 3 switch and router, can apply inter-subnetwork ACLs to keep the firewall ACL list neater.
SDN is an interesting newer technology that is growing now that virtualization and cloud computing are increasingly popular. It also goes hand-in-hand with the “micro-segmentation” concept. SDN and micro-segmentation look more at the application layer instead of the source address and port and destination address and port that traditionally serve as the foundation for segmentation via ACLs. This allows you to segment and control traffic in a more focused sense rather than just seeing a user’s host IP to destination IP over a given port 5222. For example, with micro-segmentation you can see that user “jdoe” at workstation SRV1, who is part of the Server Admins group, is trying to connect via SSL over port 5222 to the SQL server.
Finally, VLSM allows you to set up logical divisions at layer 3 in a flexible manner. This keeps your network addressing clean and helps put some order to your network (with regard to Class B and A ranges). VLSM also allows you to conserve IP space and better utilize your IPv4 addresses. VLSM improves security, since it becomes easier to limit traffic to subnetworks as you break the network into logical divisions. This helps you maintain better and less complex ACLs. If you know the address of the subnet that doesn’t need access, you can reference that subnet in the ACL instead of listing every host. As the popular saying goes, “complexity is the enemy of security.”
How to Quickly Subnet
VLSM and efficient use of IPv4 address space take us to subnetting. Subnetting is easier to accomplish than you may think. I usually start with this chart:
128 64 32 16 8 4 2 1
128 192 224 240 248 252 254 255
The first row in this chart represents the 8 bits that make up an octet of an IP address or subnet mask. The second row is the running total of the first row from left to right and will aid in calculating the mask portion. With this in mind I will tell you how to find the six elements you need to subnet: the subnet mask, network address, first host IP, last host IP, broadcast address, and the next network. Let’s start with the example address of 172.16.12.5/20.
Since /20 is the network prefix, we will first determine which octet we are working in. /20 is greater than the /16 notation of Class B networks, but is less than the /24 notation of Class C networks. Since /20 falls between /16 and /24, we will be working in the 3rd octet as shown below:
xxxx xxxx.xxxx xxxx.xxxx xxxx.xxxx xxxx
You can see the first row on the chart above reflects the decimal representation of the 8 bits in one octet, with the second row being a representation of moving left to right on a higher scale. To incorporate our /20 mask, we will add an additional row counting from the Class B /16 bit until we hit /20 bits for our current mask, aligning the /20 above the /16.
You can verify the magic number in the equation below. Just hold on to that number for now.
When you subtract the third-row number from 256 you get our magic number, which correlates to the second row (256 – 240 = 16). From here, it is very easy to find the subnet mask.
Look at the third row and match the number under 16, which is 240. Since we are working in the third octet, the subnet mask is 255.255.240.0. To find the network we can just look at the host bits (which are all bits after the 4th bit in the third octet) and put 0s in all of them.
Network Bits Host Bits
We have 12 bits for our host, so that is where we will put our 0s. This will turn out to be 172.16.0.0 for our network. The first host IP is easy as well since all we must do is add 1, making it 172.16.0.1. Now the broadcast is just as easy, since all we do is fill the rest of the host bits with 1s. If you can keep this chart in your head, you will see that for the third octet we can only reach 15 max, because half of the bits in the third octet are used in the network mask, leaving 4 for the hosts.
128 64 32 16 8 4 2 1
X X X X 1 1 1 1
We will add all the numbers that have a 1, so:
8 + 4 + 2 + 1 = 15
So, our broadcast address is 172.16.15.255, making our last usable host, which is one below the broadcast address, 172.16.15.254. The next network address is essentially the broadcast address plus one, and since the fourth octet can’t go over 255, the third octet increases instead, from 15 to 16. See how the magic number from before appears again? The next network range would be 172.16.16.0-172.16.31.255.
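The walkthrough above as an added Python example (not code from the original post): `magic_subnet` applies the magic-number method to any prefix from /1 to /30, going beyond the single /20 case, and also reports the usable host count. `matches_stdlib` cross-checks the result against Python's standard `ipaddress` module. The function names are illustrative.

```python
import ipaddress

def dotted(octets):
    return ".".join(str(o) for o in octets)

def magic_subnet(cidr):
    """Subnet by hand with the magic number (illustrative helper, /1 to /30)."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    octets = [int(o) for o in addr.split(".")]
    if not 1 <= prefix <= 30:
        raise ValueError("this sketch covers /1 through /30 only")
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address")

    idx = (prefix - 1) // 8        # octet we are working in (0-based)
    bits = prefix - 8 * idx        # network bits inside that octet (1..8)
    magic = 2 ** (8 - bits)        # block size: 256 - mask octet, 16 for /20
    base = (octets[idx] // magic) * magic   # round down to a multiple of magic
    tail = 3 - idx                 # number of octets to the right

    network = octets[:idx] + [base] + [0] * tail                  # host bits 0
    broadcast = octets[:idx] + [base + magic - 1] + [255] * tail  # host bits 1
    bcast_ip = ipaddress.IPv4Address(dotted(broadcast))
    # Next network is one past the broadcast; none exists after 255.255.255.255.
    nxt = None if int(bcast_ip) == 2**32 - 1 else str(bcast_ip + 1)
    return {
        "mask": dotted([255] * idx + [256 - magic] + [0] * tail),
        "network": dotted(network),
        "first_host": dotted(network[:3] + [network[3] + 1]),
        "last_host": dotted(broadcast[:3] + [broadcast[3] - 1]),
        "broadcast": dotted(broadcast),
        "next_network": nxt,
        "usable_hosts": 2 ** (32 - prefix) - 2,
    }

def matches_stdlib(cidr):
    """Cross-check the hand method against the ipaddress module."""
    net = ipaddress.ip_network(cidr, strict=False)
    got = magic_subnet(cidr)
    return (got["mask"] == str(net.netmask)
            and got["network"] == str(net.network_address)
            and got["broadcast"] == str(net.broadcast_address)
            and got["usable_hosts"] == net.num_addresses - 2)

if __name__ == "__main__":
    # The address used in the walkthrough above.
    for key, value in magic_subnet("172.16.12.5/20").items():
        print(f"{key:13} {value}")
```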
There are multiple techniques and approaches to subnetting, but this is the one that works best for me. I hope it has made subnetting easier for you as well. If you want to give it a try yourself check out this page for more reading.