{"id":2557,"date":"2020-07-28T09:18:09","date_gmt":"2020-07-28T13:18:09","guid":{"rendered":"https:\/\/zzzptm.com\/wordpress\/?p=2557"},"modified":"2020-07-28T09:18:09","modified_gmt":"2020-07-28T13:18:09","slug":"check-all-your-rfc-1918-ranges","status":"publish","type":"post","link":"https:\/\/zzzptm.com\/wordpress\/?p=2557","title":{"rendered":"Check ALL Your RFC 1918 Ranges&#8230;"},"content":{"rendered":"\n<p>Let me set the scene: a&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/customer\">customer<\/a>&nbsp;asks about being able to&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/track\">track<\/a>&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/users\">users<\/a>&nbsp;that bring up&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/unauthorized\">unauthorized<\/a>&nbsp;VMs on&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/windows\">Windows<\/a>&nbsp;machines. He explains that he&#8217;d like to look at the 192.168.0.0 RFC range to see how many addresses we see in that range. That&#8217;s OK by me, all I have to do is add that to the scope of the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/networks\">networks<\/a>&nbsp;we track&#8230;<\/p>\n\n\n\n<p>At that moment, we only looked at 10.0.0.0\/8. I added the 192.168.0.0\/16 range and we watched the new&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/devices\">devices<\/a>&nbsp;pop up into the discovery window.<\/p>\n\n\n\n<p>And then we watched as those devices started to churn&#8230; the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/ip-addresses\">IP addresses<\/a>&nbsp;stayed the same, but the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/mac\">MAC<\/a>&nbsp;addresses kept changing. 
Loads of&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/netgear\">Netgear<\/a>, Arris, Cisco-Linksys, Belkin,&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/tp-link\">TP-Link<\/a>&nbsp;devices&#8230; what was causing all this?<\/p>\n\n\n\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/res.cloudinary.com\/peerlyst\/image\/upload\/c_limit,dpr_2.0,f_auto,fl_lossy,h_495,q_auto,w_640\/v1\/post-attachments\/shock2_hgdqv9\" height=\"495\" width=\"640\"><em>The horror! The horror of the home networks!<\/em><\/p>\n\n\n\n<p>And then it dawned on us: these were all teleworker home networks bleeding into the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/corporate-network\">corporate network<\/a>&nbsp;estate! The&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/traffic\">traffic<\/a>&nbsp;to and from 192.168 networks wasn&#8217;t&nbsp;<em>supposed<\/em>&nbsp;to be routable, but here it was, coming and going and getting picked up on the SPAN&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/session\">session<\/a>&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/monitoring\">monitoring<\/a>&nbsp;north-south traffic at the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/datacenter\">datacenter<\/a>&nbsp;gateway.<\/p>\n\n\n\n<p>192.168.1.1 and 192.168.0.1 were the addresses that changed MAC addresses most frequently. No surprise there, as those are default&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/gateways\">gateways<\/a>&nbsp;on oh-so-many home&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/networking\">networking<\/a>&nbsp;products. 192.168.1.254 changed less often, as that was the default&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/gateway\">gateway<\/a>&nbsp;on Arris&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/routers\">routers<\/a>&nbsp;used for AT&amp;T broadband networks (I used to have one, so I know) and only a handful of other home devices. 
I saw Nest&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/controls\">controls<\/a>, Roku streamers,&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/gaming\">gaming<\/a>&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/systems\">systems<\/a>, the works. And all of this was exposed to the customer&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/network\">network<\/a>, and all of the customer network was exposed to these environments.<\/p>\n\n\n\n<p>Granted, being able to route to any&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/endpoint\">endpoint<\/a>&nbsp;for any length of time was going to be a mess, but the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/ip\">IP<\/a>&nbsp;addresses that were less commonly used were also the ones with the most persistent MAC addresses and connections. The biggest concern was that the customer did not allow any guest traffic on the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/wired\">wired<\/a>&nbsp;network &#8211; but here were untold numbers of guest devices, the kind that don&#8217;t usually show up on&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/byod\">BYOD<\/a>&nbsp;networks!<\/p>\n\n\n\n<p>Moral of the story? Those teleworker devices for home&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/office\">office<\/a>&nbsp;networks are part of your perimeter. Make sure you keep an eye on those points of entry, as well as the big one you pay the&nbsp;<a href=\"https:\/\/www.peerlyst.com\/tags\/isp\">ISP<\/a>&nbsp;for.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let me set the scene: a&nbsp;customer&nbsp;asks about being able to&nbsp;track&nbsp;users&nbsp;that bring up&nbsp;unauthorized&nbsp;VMs on&nbsp;Windows&nbsp;machines. He explains that he&#8217;d like to look at the 192.168.0.0 RFC range to see how many addresses we see in that range. 
That&#8217;s OK by me, all I have to do is add that to the scope of the&nbsp;networks&nbsp;we track&#8230; At that [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-2557","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2557","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2557"}],"version-history":[{"count":1,"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2557\/revisions"}],"predecessor-version":[{"id":2558,"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/2557\/revisions\/2558"}],"wp:attachment":[{"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zzzptm.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}