NST - IP Address and Subnet Masks (Lesson)

IP Address and Subnet Masks

Introduction

In this lesson, you will learn about the importance of IP addresses in network communication and how subnet masks and network segmentation play crucial roles in cybersecurity by controlling access and limiting potential damage from intruders or malware.

Network Reconnaissance

Cybercriminals first conduct passive reconnaissance to select a target. Once the target is chosen, the next step is to perform network reconnaissance on the organization using scanning tools either remotely or from inside the network. This is why cybersecurity professionals must always be vigilant and on the lookout for enemy network reconnaissance attempts!

An important rule of cybersecurity is that you have to know how something works before you can protect or attack it. Let’s review two prime rules of communication on a network you learned in a previous lesson!

  • Rule #1: Your device must be unique. Media Access Control (MAC) Address is a unique identifier for each networking device, also known as the physical address of a device.
  • Rule #2: You must belong to a network. Internet Protocol (IP) Address is a temporary identifier for each interface, unique among other connected devices on that network. It is also known as the logical address of a device.

IPv4 Addressing

You already know a little about IPv4 addressing from the previous lesson but here are more cool facts!

The IPv4 address format is 32 bits represented in four sections separated by dots, known as dotted decimal notation. For example, 192.168.55.32. Each section is called an octet, because it holds 8 bits and can hold a decimal number from 0 to 255, such as 10.0.255.27. You are probably wondering… why 255? Because if you add up the value of each bit, it comes to 255!

Remember binary code conversion? Binary 11111111 = 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = 255

An IP address is made up of 32 bits and has two parts, network and host. The network portion identifies the Local Area Network (LAN) – remember those? The host portion identifies the specific device.

However, the structure of the IP address depends on how the LAN is configured. The parts change depending on the network, so how do we know which part of the IP address belongs to the network number and which part belongs to the host number?

Subnet Masks

It is the subnet mask that informs the system which parts are network and which are host! When a device receives an IP address it comes with a subnet mask that identifies the network part of the address. Any octet in the subnet mask that is filled with 255 will be part of the network identifier!

These are two examples of what the IP address configuration would look like:

Example:
IP Address:  10.5.27.215
Subnet Mask:  255.0.0.0
Or
IP Address:  192.168.113.2
Subnet Mask:  255.255.255.0

Therefore, the subnet mask identifies the network bits vs the host bits. Routers use the subnet mask to deliver packets to the correct LAN. More host bits in the subnet mask means more hosts in the network. The default subnet mask is used unless a network is divided into smaller networks.

[Table image: subnet mask by first octet, with N marking the network portion and H marking the host portion]

The numbers listed in the First Octet column refer to the beginning octet of an IP address. Note that 127 is missing intentionally. We will talk later about reserved addresses, so hold that thought...

The parts of the subnet mask that are all 1s = network part (in the table above, N refers to the network portion). In the first row, the subnet mask of 255.0.0.0 means that the first octet of the address, 8 bits, is being used to identify the network. Another way of looking at it is that the subnet mask is saying “Hey, hands off these 8 bits -- don’t use them for host addresses, they are being used already for net ID!”

The parts of the subnet mask that are all 0s = host part (in the table above, H refers to the host portion). In the third row, the subnet mask of 255.255.255.0 means there are only 8 bits available to create unique host addresses.

Example: A network that uses 197 as the first octet AND uses the default subnet mask of 255.255.255.0 would have these IP addresses to distribute to computers, printers, and other devices: 197.0.0.1, 197.0.0.2, 197.0.0.3… all the way up to 197.0.0.254! While the maximum value of an octet is 255, as we learned already, we will see a bit later that this value cannot be assigned to hosts.

How Changing a Subnet Affects the Network

It is important to know that there is no requirement to use the default subnet mask. There are situations when a network administrator would configure a custom subnet mask. Here is how that would impact the network:

[Figure: two PCs, 172.15.24.x and 172.15.50.x, shown on the same network or on different networks depending on the subnet mask]

  • When the subnet mask is 255.255.0.0, then the first two octets of the IP address identify the network. In the first example, both PCs will be in network 172.15.
  • When the subnet mask is 255.255.255.0, then the first three octets of the IP address identify the network. In the second example, PC #1 will be in the 172.15.24 network and PC #2 will be in the 172.15.50 network.

Subnet masks are how connection devices like routers and switches identify which host devices belong to a network.

Network Segmentation

By now you are probably wondering – what does this all have to do with cybersecurity? Custom subnets are typically used to create “segmentation” of the network. The network administrator can institute security by reducing the size of the network which will limit which devices can communicate with each other or how far malware/hackers can reach into the network! Cool, huh?

Network segmentation is customizing the size of a network through the use of subnet masks or specialized switches.

Cybersecurity Goal #1: Limit which internal departments can exchange information.
Example: In a school district, put the students in one network and the administration/finances in another network.

Cybersecurity Goal #2: Limit how far an intruder or malware can reach into the network. 
Example: A ransomware infection can only spread to devices in the LAN but will be stopped at the router.

Here are two analogies to help you understand network segmentation and why we are learning to segment a network with subnets. Ships and cars both use compartments, aka segments, to limit how far a threat can move and limit the impact on passenger safety.

[Figure: network segment analogies (ship and car compartments)]

Reserved Addresses

The network starting with 127 is reserved -- even though really the only address used is 127.0.0.1. This address is considered “home” because it is a loopback address used to test the Network Interface Card (NIC).

We use the loopback address to test devices by pinging 127.0.0.1. This means we send a test message to that address and it is as if I poked myself. If my response is “Ouch,” then we know that I am alive and in working order. If I do not respond to the poke, then there is something basically wrong (I am dead, in a coma, or asleep). The same thing is true for the NIC -- if I ping loopback and get no response, then either the NIC is physically defective or it has a corrupted configuration. A failed loopback test would mean the NIC needs to be replaced.

[Image: “There's No Place Like 127”]

Cool Fact: There are actual doormats that say, “There is no place like 127.0.0.1.” Here is a cool gift idea for a techie friend or family member!

In every network, these host addresses are reserved and cannot be assigned to devices on a network:

  • Address with all 0s in the host bit positions = Network Identifier Address used to identify the network itself. Examples: 89.0.0.0, 156.30.0.0, 205.168.13.0
  • Address with all 1s in the host bit positions = Broadcast Address used for broadcasting packets to all the devices in a network. Examples: 64.255.255.255 or 182.112.255.255

You are probably wondering why… Remember that computers use zero as the very first digit in counting. So the first address in an IP network is zero and cannot be used for any device. It is used as the entrance to the network. Think of it as the main post office in your town, while IP numbers assigned to devices are like home addresses. If you try to assign that IP address to a computer, it will generate an error message – the same way that you don’t live at the post office, right?

The last address in any network is used for broadcast. Think of it as yelling at everyone in the network. To send the same message to every device in the network, you would have to address it to every single device by a specific address or you can use the broadcast address instead!
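As an added example (not part of the lesson), the following Python script applies the subnet mask the way the sections above describe: it masks off the host bits to get the network identifier, sets them all to 1 for the broadcast address, counts the usable host addresses in between, and tests whether the two PCs from the earlier figure share a network under 255.255.0.0 versus 255.255.255.0. The host portions used (.25 and .10) are constructed for this example.

```python
# Added example (not part of the lesson): apply a subnet mask to an IPv4
# address to find the network identifier, broadcast address and host range.

def to_int(dotted: str) -> int:
    """Convert dotted decimal (e.g. '192.168.55.32') to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value: int) -> str:
    """Convert a 32-bit integer back to dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def host_bits(mask: str) -> int:
    """Number of 0 bits in the mask, i.e. bits left over for host addresses."""
    m = to_int(mask)
    zeros = 32 - bin(m).count("1")
    # A real mask is a run of 1s followed by a run of 0s; reject anything else.
    if m != (0xFFFFFFFF << zeros) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return zeros

def describe(ip: str, mask: str) -> dict:
    """Network ID, broadcast address and usable host range for ip/mask."""
    n = host_bits(mask)
    network = to_int(ip) & to_int(mask)      # host bits forced to all 0s
    broadcast = network | ((1 << n) - 1)     # host bits forced to all 1s
    return {
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "usable_hosts": max(0, (1 << n) - 2),  # minus network ID and broadcast
    }

def same_network(ip_a: str, ip_b: str, mask: str) -> bool:
    """True when both addresses have identical network bits under mask."""
    m = to_int(mask)
    return (to_int(ip_a) & m) == (to_int(ip_b) & m)

if __name__ == "__main__":
    print(describe("197.0.0.25", "255.255.255.0"))   # 197.0.0.1 .. 197.0.0.254
    # The two PCs from the lesson's figure (host part .10 is constructed here):
    print(same_network("172.15.24.10", "172.15.50.10", "255.255.0.0"))    # True
    print(same_network("172.15.24.10", "172.15.50.10", "255.255.255.0"))  # False
```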

Reflection and Wrap-up

In this lesson, you have learned about the critical steps cybercriminals use in network reconnaissance, the significance of IP addresses for device identification and network membership, and the role of subnet masks and network segmentation in enhancing cybersecurity by managing network access and mitigating the spread of threats. Network segmentation may prevent a serious cyber incident, so do not risk more than you can lose!

[CC BY-NC-SA 4.0] UNLESS OTHERWISE NOTED | IMAGES: LICENSED AND USED ACCORDING TO TERMS OF SUBSCRIPTION - INTENDED ONLY FOR USE WITHIN LESSON.