Listen to this Post
Introduction:
Subnetting is often dismissed as a tedious networking exercise, but for SOC analysts it’s a core security control. Every time you see a source IP in a log, your ability to instantly decide whether that traffic is allowed, suspicious, or malicious depends on understanding where network boundaries lie. Subnetting transforms an IP address from a random number into an actionable clue about trust zones, lateral movement, and containment.
Learning Objectives:
– Apply CIDR notation and subnet masks to instantly classify internal vs. external traffic in SIEM alerts
– Use subnetting to detect anomalous lateral movement and misconfigured private IP communications
– Design network segmentation strategies that limit blast radius after a compromise
You Should Know
1. From IP to Actionable Intel – Reading the Subnet Mask Like a SOC Pro
The post nailed it: an IP has two parts – network and host. The subnet mask tells you where the line is. For a SOC analyst, that line answers the most critical question: Is this communication supposed to happen?
Step‑by‑step guide to reading logs with subnetting:
1. Identify the source IP and destination IP from your SIEM (Splunk, QRadar, etc.).
2. Determine the subnet of the source – e.g., if the source is `192.168.1.45/24`, the network is `192.168.1.0`.
3. Check if the destination belongs to the same network – same network = local traffic; different network = routed traffic.
4. Flag violations – a private IP (RFC 1918: `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) talking to a different private range without a legitimate route is suspicious.
Linux command to calculate subnets on the fly:
Install ipcalc if missing sudo apt install ipcalc Debian/Ubuntu Calculate network details for a given IP/CIDR ipcalc 192.168.1.45/24 Output shows Network, Netmask, Broadcast, Host range For a quick check of whether two IPs are in the same /24 ipcalc 192.168.1.45 255.255.255.0
Windows PowerShell equivalent:
Convert IP and mask to network address $ip = [bash]"192.168.1.45" $mask = [bash]"255.255.255.0" $network = [IPAddress]($ip.Address -band $mask.Address) Write-Host "Network: $network"
2. Detecting Lateral Movement with Subnet Awareness
Attackers who breach one host will pivot internally. Your job is to spot a host talking to a subnet it never visited before. Subnetting makes that possible.
Step‑by‑step guide – building a baseline and spotting outliers:
1. List all subnets that each internal asset normally communicates with (e.g., print servers on `10.0.10.0/24`, file shares on `10.0.20.0/24`).
2. Monitor first‑time subnet connections – a workstation talking to the database subnet `10.0.30.0/24` at 3 AM is a red flag.
3. Use CIDR matching in SIEM searches – Splunk example:
index=firewall src_ip=192.168.1.45 | where cidrmatch("192.168.0.0/16", dest_ip)
4. Automate alerts when internal traffic crosses a segmentation boundary (e.g., from `192.168.1.0/24` to `192.168.2.0/24` without a business reason).
Real‑world use case: A compromised web server (`10.0.1.5/24`) tries to reach the domain controller (`10.0.100.10/24`). Subnet analysis tells you these are different /24 networks – likely lateral movement. Block at the firewall ACL or micro‑segmentation policy.
3. Hardening Cloud Environments with Subnet Segmentation
Cloud VPCs (AWS, Azure, GCP) are built on subnetting. Each subnet can be a security zone – public, private, database, cache. Misplaced resources are a common misconfiguration.
Step‑by‑step guide – cloud subnet hardening:
1. Design your CIDR block – avoid overlap with on‑prem networks. Use `/16` for the whole VPC (e.g., `10.10.0.0/16`).
2. Carve smaller subnets for each tier:
– Public load balancers: `10.10.0.0/24`
– Web servers: `10.10.1.0/24`
– Application servers: `10.10.2.0/24`
– Databases: `10.10.3.0/24` – no direct internet access
3. Apply network ACLs and security groups to enforce that only web servers can talk to app servers, and only app servers to databases.
4. Use AWS VPC Flow Logs to detect cross‑subnet traffic that violates your intent.
Example AWS CLI to list subnets in a VPC:
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-12345" --query 'Subnets[].[CidrBlock,AvailabilityZone]'
4. Linux Commands to Map and Troubleshoot Subnets
SOC analysts often jump on a Linux jump box to investigate. Here are the essential subnet‑aware commands.
List all interfaces and their subnets:
ip addr show or legacy ifconfig -a
View the routing table – shows which subnets are directly connected:
ip route show Example output: 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.10
Trace the path to an IP and see where subnet boundaries are crossed:
traceroute -1 8.8.8.8 The hop where the private IP changes to a public IP tells you your egress subnet.
Quick script to check if two IPs are in the same /24:
!/bin/bash ip1=192.168.1.45 ip2=192.168.1.200 net1=$(echo $ip1 | cut -d. -f1-3) net2=$(echo $ip2 | cut -d. -f1-3) if [ "$net1" = "$net2" ]; then echo "Same /24 subnet"; else echo "Different subnets"; fi
5. Windows Tools for Subnet Analysis in an Enterprise SOC
Windows environments dominate many internal networks. Use built‑in tools to validate subnet assignments and detect anomalies.
Find your own subnet configuration:
ipconfig /all Look for IPv4 Address and Subnet Mask
View the persistent routing table (Windows):
route print -4 The "Network Destination" column shows subnets the host knows about.
PowerShell to test if an IP is in the same subnet as your machine:
$myIp = "192.168.1.45"
$myMask = "255.255.255.0"
$targetIp = "192.168.2.10"
function SameSubnet($ip1, $mask, $ip2) {
$net1 = [IPAddress]($ip1.Address -band $mask.Address)
$net2 = [IPAddress]($ip2.Address -band $mask.Address)
return $net1.Equals($net2)
}
SameSubnet ([bash]$myIp) ([bash]$myMask) ([bash]$targetIp)
6. Exploitation and Mitigation – How Attackers Abuse Subnet Misconfigurations
An overly large subnet (e.g., `10.0.0.0/16` for all internal servers) means a single compromised workstation can ARP scan the entire /16 and find every asset. That’s a defender’s nightmare.
How attackers exploit weak segmentation:
– ARP poisoning works across the same broadcast domain (entire /16 if no VLAN isolation).
– Credential dumping from one host can be used to hop to any other host in the same flat network.
– Ransomware spreads faster when subnet boundaries are absent.
Mitigation steps:
– Enforce /24 or smaller subnets for user workstations.
– Place critical servers (DC, backup, database) in their own isolated subnets with strict ACLs.
– Use PVLANs or micro‑segmentation (e.g., VMware NSX, Illumio) to further restrict east‑west traffic.
– Monitor for ICMP redirects or gratuitous ARP that might indicate subnet spoofing.
Linux command to detect ARP spoofing on your subnet:
sudo arp-scan --localnet Compare MAC addresses – duplicate IPs with different MACs = possible spoof.
What Undercode Say
– Subnetting is a containment strategy, not a math exam. Once you stop calculating binary and start visualizing trust boundaries, every alert becomes clearer.
– Your first question on any internal traffic should be “Do these two subnets ever need to talk?” If the answer is no, you’ve found either a misconfiguration or an intrusion.
Analysis (≈10 lines):
The original post by William Gokah resonates because it reframes subnetting from a dry certification topic into a daily SOC weapon. Many analysts can recite `/24 = 256 addresses` but freeze when a log shows `192.168.1.45 → 10.0.0.5`. That cross‑subnet traffic is a perfect example of why you need CIDR instinct. The post’s emphasis on “placing the traffic” is exactly what detection engineers code into rules – you can’t write “detect lateral movement” without understanding subnet boundaries. Moreover, the mention of private IP ranges acting as flags shows awareness of RFC 1918 as a baseline for trust. The missing piece, however, is practical tooling: how to automate subnet checks in Splunk ES or use Zeek to flag cross‑subnet connections. That’s where the real value lies for a SOC analyst moving from theory to triage.
Expected Output
Prediction:
– +1 More SOCs will adopt “subnet‑aware alerting” as a standard detection layer, reducing false positives from legitimate intra‑subnet noise while catching lateral movement earlier.
– +1 Cloud native security tools (e.g., AWS GuardDuty, Azure NSG flow logs) will add built‑in anomaly detection for cross‑subnet traffic that deviates from historical baselines.
– -1 Attackers will increasingly target subnet misconfigurations in hybrid clouds – especially overlapping CIDR blocks that break routing and expose internal services to unintended networks.
– -1 Over‑reliance on subnet alone without identity or behavioral context will lead to missed attacks that stay within the same /24 (e.g., compromised file server pivoting to the workstation segment).
– +1 The rise of eBPF‑based observability (Cilium, Tetragon) will enable real‑time subnet policy enforcement at the kernel level, making traditional firewall ACLs obsolete for east‑west traffic.
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
[Join Undercode Academy for Verified Certifications](https://undercode.co.uk/certifications/)
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[[email protected]](mailto:[email protected])
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: [Gokahwilliam Comptia](https://www.linkedin.com/posts/gokahwilliam_comptia-networkplus-socanalyst-ugcPost-7469077477777219584-uVho/) – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
[💬 Whatsapp](https://undercode.help/whatsapp) | [💬 Telegram](https://t.me/UndercodeCommunity)
📢 Follow UndercodeTesting & Stay Tuned:
[𝕏 formerly Twitter 🐦](https://x.com/undercodeupdate) | [@ Threads](https://www.threads.net/@undercodetesting) | [🔗 Linkedin](https://www.linkedin.com/company/undercodetesting/) | [🦋BlueSky](https://bsky.app/profile/undercode.bsky.social)
