Our IT services firm is proposing a network reconfiguration to use the IP range 10.10.150.1 – 10.10.150.254 internally, as they state the current IP scheme using manufacturer defaults of 192.168.1.x is "making it too easy to exploit".
Is this true? How does knowing / not knowing the internal IP scheme make a network more exploitable? All internal systems are behind a SonicWall NAT and firewall router.
This will add at best a very thin layer of "security by obscurity", as 192.168.x.y is a way more commonly used network address for private networks, but in order to use the internal addresses, bad boys have to be already inside your network, and only the most stupid attack tools will be fooled by the "non standard" address scheme.
It costs nearly nothing to implement this, and it offers nearly nothing in return.
Sounds like billable busywork to me.
Aside from the fact that many consumer appliances use the 192.168.x.x address space (which can be exploited, like anything else), I don't feel that really changes the security landscape of a corporate network. Things inside are locked down, or they aren't.
Keep your machines/devices on current software/firmware, follow best practices for network security, and you'll be in good shape.
Sounds like your IT firm wants some billable work to me.
The only legit reason I can think of to stay away from the 192.168.0.x or 192.168.1.x subnets is the likelihood of having overlapping subnets with VPN clients. This is not impossible to work around, but it does add some complication to setting VPNs up and diagnosing issues.
One big advantage to not using 192.168.x.x addressing is to avoid overlap with users' home networks. When setting up VPN it is a lot more predictable if your network is distinct from theirs.
I do not think this is likely.
Any exploit worth its weight will be using all three private subnet ranges for scanning.
Here are some references for your IT: 1.0.0.0/8 and 2.0.0.0/8
!(sniff...sniff) I smell ... something. It seems to be coming from the direction of your IT firm. Smells like...baloney.
Switching subnets provides, at best, a figleaf of protection. Never mind that the rest of you isn't covered...
The days of hard-coded viruses are long past, and you'll find that malicious code is "smart" enough to look at the infected machine's subnet and start scanning from there.
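To make the point above concrete, here is an added example (not from any of the answers) of how a subnet-aware scanner picks its targets: it reads the infected host's own address and netmask, puts the directly connected subnet and its gateway first, and only then falls back to the rest of the three RFC 1918 ranges. The interface data is a constructed stand-in for what `ipconfig` / `ip addr` would report; no real scanning is performed, it only builds the target list.

```python
"""Added example: target selection that does not care which private range you chose.

The interface records below are constructed to look like an infected host on the
proposed 10.10.150.0/24 network; nothing here sends packets.
"""
import ipaddress

# The three RFC 1918 ranges: the fallback when nothing useful is learned locally.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: what the host's own interface configuration reports.
SAMPLE_INTERFACES = [
    {"address": "10.10.150.37", "netmask": "255.255.255.0", "gateway": "10.10.150.1"},
    {"address": "127.0.0.1", "netmask": "255.0.0.0", "gateway": None},
]


def local_subnets(interfaces):
    """Directly connected private subnets derived from address + netmask.

    Loopback and public addresses are skipped; duplicates are collapsed.
    """
    nets = []
    for iface in interfaces:
        addr = ipaddress.ip_address(iface["address"])
        if addr.is_loopback or not addr.is_private:
            continue
        net = ipaddress.ip_interface(f"{iface['address']}/{iface['netmask']}").network
        if net not in nets:
            nets.append(net)
    return nets


def scan_targets(interfaces):
    """Ordered target plan a host-aware scanner would build.

    Returns a dict with:
      gateways          - default gateways learned from the host (probed first)
      local             - the connected subnets, exactly as configured
      remaining_private - the rest of RFC 1918 space with the local subnets
                          carved out, so nothing is scanned twice
    The chosen private range only changes *which* entries land in "local";
    every private address is still on the list.
    """
    local = local_subnets(interfaces)
    gateways = [i["gateway"] for i in interfaces if i.get("gateway")]

    remaining = []
    for big in RFC1918:
        inside = [n for n in local if n.subnet_of(big)]
        if not inside:
            remaining.append(big)
            continue
        # Carve each local subnet out of the enclosing RFC 1918 range.
        pieces = [big]
        for n in inside:
            next_pieces = []
            for p in pieces:
                if n.subnet_of(p):
                    next_pieces.extend(p.address_exclude(n))
                else:
                    next_pieces.append(p)
            pieces = next_pieces
        remaining.extend(pieces)

    return {
        "gateways": gateways,
        "local": [str(n) for n in local],
        "remaining_private": [str(n) for n in sorted(remaining)],
    }


if __name__ == "__main__":
    plan = scan_targets(SAMPLE_INTERFACES)
    print("probe first:", plan["gateways"])
    print("local      :", plan["local"])
    print("then       :", len(plan["remaining_private"]), "more private networks")
```

Run it with the sample host on 10.10.150.0/24 and the plan starts with 10.10.150.1 and 10.10.150.0/24, then covers the other 16 blocks of 10.0.0.0/8 plus 172.16.0.0/12 and 192.168.0.0/16. Swap the sample address for 192.168.1.50 and the same code produces the equivalent plan for the "default" scheme; the renumbering buys nothing against code written this way.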
I would say it is not more secure. If they break into your router, it is going to show them the internal range anyways.
As another person said, the only good reason to change from 192.168.1.x is if you are using VPN from home routers on the client side. It's the reason every network I administer has a different subnet, because I and my client machines do VPN.
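Since the VPN overlap point is the one argument several answers agree on, here is an added example (not from the thread) that checks a proposed corporate subnet against a constructed list of common consumer-router defaults and says, for each clash, which route a split-tunnel client would actually use: the connected home route and the pushed VPN route compete by longest prefix match, and equal-length prefixes are a tie that route metrics decide.

```python
"""Added example: does a proposed corporate range collide with clients' home networks?

HOME_DEFAULTS is a constructed list of ranges consumer routers commonly hand out;
adjust it to what your own client base reports.
"""
import ipaddress

HOME_DEFAULTS = [
    "192.168.0.0/24",
    "192.168.1.0/24",
    "192.168.2.0/24",
    "192.168.100.0/24",
    "10.0.0.0/24",
]


def route_winner(corp, home):
    """Which route a client host prefers for the overlapping addresses.

    Longest prefix wins; equal prefixes are a tie that route metrics settle,
    which is exactly the unpredictable situation the thread warns about.
    """
    if home.prefixlen > corp.prefixlen:
        return "home"
    if corp.prefixlen > home.prefixlen:
        return "vpn"
    return "tie"


def overlapping_home_subnets(corp_net, home_nets=HOME_DEFAULTS):
    """Return (home_subnet, addresses_in_conflict, winner) for every clash."""
    corp = ipaddress.ip_network(corp_net)
    clashes = []
    for h in home_nets:
        home = ipaddress.ip_network(h)
        if not corp.overlaps(home):
            continue
        # The contested addresses are the smaller of the two networks.
        contested = home if home.subnet_of(corp) else corp
        clashes.append((str(home), str(contested), route_winner(corp, home)))
    return clashes


if __name__ == "__main__":
    for candidate in ("192.168.1.0/24", "192.168.0.0/16", "10.10.150.0/24"):
        print(candidate, "->", overlapping_home_subnets(candidate) or "no clash")
```

With the defaults above, 192.168.1.0/24 ties with the most common home subnet, a corporate 192.168.0.0/16 loses every contested /24 to the client's connected route, and the proposed 10.10.150.0/24 clashes with nothing on the list.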
My guess would be that some drive-by router exploit scripts are hardcoded to go looking at the standard home router address. So their response is "security through obscurity"... except it's not obscure, because depending on how the script works, it probably has access to the gateway address.
Really, it is just an urban legend.
Anyway, their reasoning might be as follows: assume that the 192.168.x.0/24 range is used more commonly. Then, perhaps, the next assumption will be that, were there a piece of malicious software on one of the PCs, it would scan the 192.168.x.0/24 range for active computers. Disregard the fact that it would probably use some Windows built-in mechanism for network discovery.
Again - it sounds like cargo-cultism to me.