Why Effective Visibility Must Go Way Beyond IP Addresses

By Evan Schuman, Security Writer

Network visibility is critical for cybersecurity and compliance, but that means going way beyond IP address tracking, given how many network layers are at issue.

As much as cloud usage is soaring, and that presents a wide range of new issues, the reality is that most enterprise networks, to varying degrees, went to the cloud a very long time ago.

Visibility therefore has to include discovering software-defined networks (SDN) such as Cisco ACI, and SD-WANs such as Cisco Meraki or Cisco Viptela. Remote sites in particular mean that enterprises must enhance and unify hybrid IPAM visibility.

In short, unified IPAM visibility lets network staff quickly search for an IP address and find the device name, its type, its vendor, model and version, and even its chassis serial number. All of this enables far greater forensic insight and context.

Those searches support the critical goal of detecting and remediating rogue and/or compromised assets, while also reconciling what is actually on the network against IPAM records to surface conflicts, and collecting firmware information to help with updates and patches.

Easy Access

For both cybersecurity defenses and compliance rules, it’s essential to have easy access to ad hoc and standardized reports, so that every access is visible and any significant change stands out. For example, when a staffer engages in some shadow IT and throws a router they picked up at Target onto the network, that forces the question: is it in compliance? Almost certainly not.

Switches are another problematic network element. Deep and current visibility into switch port discovery is an urgent need, especially for tracking free, available and unused ports, and ports connected to wired or wireless end hosts.

Delving into switches can deliver a world of helpful data: IP and MAC addresses, admin and operational status, the switch port description, VLAN configurations (their IDs, their names, the data VLANs, the voice VLANs, and the beginning and end of those ranges), along with the metadata and metatags associated with switches and ports.

Today’s enterprise networks are inherently more complex, featuring a large number of vendors working off of multiple operating systems.

“IT needs visibility into all of that, along with the ability to convert IP networks and addresses into managed objects. Discovery needs to be a lot more than a simple ping sweep,” said Bob Rose, senior product marketing manager at Infoblox. “IT needs robust information on DNS, DHCP, host objects, devices (both physical and virtual), models, OS, versions, interfaces, along with current data on routers, subnets and VLANs.”

VLAN Advantages

That VLAN issue is critical given the sharply increasing number of assets and data moving to clouds controlled by third parties, where IT may not truly know where the data and assets are physically located. But with the right systems in place, all of that information is still discoverable, especially with regard to VM instances. The goal is not only to identify Layer 2 physical and Layer 3 logical devices, but to understand how these complex components are actually connected on the network.

That is because if IT understands how those elements are actually connected, it helps to manage the changes and the configurations both for traditional networks and virtualized networks using technologies like VRF (virtual routing and forwarding). VRF allows for multiple routing tables and multiple forwarding instances on the same router. All of this also gives visibility into end hosts connected to physical switches and that can deliver both a current view and an historical view. The historical view is essential for effective forensic investigations.

Too many security products today just report on this endpoint, that endpoint and this server. But they don’t typically answer the important question: how did the problem move between them? Knowing how they are connected matters because that is when you start realizing that, to get from Point A to Point B, the threat had to compromise something else. These threats compromise devices, do what they need to do with them, clean up after themselves and move on. We’ve even seen some that were able to take advantage of a device because its firmware hadn’t been properly updated; before they moved on, they updated the firmware. If you weren’t tracking your firmware revisions, you wouldn’t have known that.
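The historical view and the rogue-asset reconciliation described above come down to comparing discovery runs against each other and against IPAM. The following Python is an added example, not Infoblox code or any product's API: it takes two constructed discovery snapshots (device records keyed by MAC address, with the switch, port, VLAN and firmware fields mentioned earlier) plus a constructed IPAM table, and reports IP conflicts, devices IPAM has never heard of, firmware revisions that changed between runs, and hosts that moved to a different switch port. All device names, addresses and version strings are made up for the example.

```python
"""Inventory drift checks over two discovery snapshots (added example).

Constructed sample data only; nothing here is real device or IPAM data.
"""
from collections import defaultdict


def dev(mac, ip, name, vendor, model, firmware, switch, port, vlan):
    """Build one discovered end-host record (fields a switch/IPAM discovery would collect)."""
    return {"mac": mac, "ip": ip, "name": name, "vendor": vendor, "model": model,
            "firmware": firmware, "switch": switch, "port": port, "vlan": vlan}


# Constructed snapshot from an earlier discovery run.
SNAPSHOT_T0 = [
    dev("00:11:22:aa:bb:01", "10.1.10.5", "core-rtr-1", "Cisco", "ISR4451", "17.3.4a", "sw-a", "Gi1/0/1", 10),
    dev("00:11:22:aa:bb:02", "10.1.20.15", "fileserver", "Dell", "R740", "2.10.2", "sw-a", "Gi1/0/7", 20),
    dev("00:11:22:aa:bb:03", "10.1.20.16", "printer-3f", "HP", "M507", "2412.1", "sw-b", "Gi1/0/3", 20),
]

# Constructed later snapshot: the router's firmware changed, the fileserver moved ports,
# and an unregistered consumer router appeared using the printer's IP.
SNAPSHOT_T1 = [
    dev("00:11:22:aa:bb:01", "10.1.10.5", "core-rtr-1", "Cisco", "ISR4451", "17.6.5", "sw-a", "Gi1/0/1", 10),
    dev("00:11:22:aa:bb:02", "10.1.20.15", "fileserver", "Dell", "R740", "2.10.2", "sw-b", "Gi1/0/9", 20),
    dev("00:11:22:aa:bb:03", "10.1.20.16", "printer-3f", "HP", "M507", "2412.1", "sw-b", "Gi1/0/3", 20),
    dev("00:11:22:aa:bb:04", "10.1.20.16", "", "TP-Link", "Archer", "1.0.0", "sw-b", "Gi1/0/12", 20),
]

# Constructed IPAM table: MAC -> the IP that IPAM says is assigned to it.
IPAM_RECORDS = {
    "00:11:22:aa:bb:01": "10.1.10.5",
    "00:11:22:aa:bb:02": "10.1.20.15",
    "00:11:22:aa:bb:03": "10.1.20.16",
}


def by_mac(snapshot):
    """Index a snapshot by MAC address, the stable identity across runs."""
    return {d["mac"]: d for d in snapshot}


def find_ip_conflicts(snapshot):
    """IPs observed on more than one MAC within a single discovery run."""
    seen = defaultdict(set)
    for d in snapshot:
        seen[d["ip"]].add(d["mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def find_unregistered(snapshot, ipam):
    """Split discovered hosts into (MACs unknown to IPAM, MACs whose IP disagrees with IPAM)."""
    rogue, mismatched = [], []
    for d in snapshot:
        registered = ipam.get(d["mac"])
        if registered is None:
            rogue.append(d["mac"])
        elif registered != d["ip"]:
            mismatched.append((d["mac"], registered, d["ip"]))
    return sorted(rogue), sorted(mismatched)


def diff_snapshots(old, new):
    """Changes between two runs: hosts added/removed, firmware changes, switch-port moves."""
    o, n = by_mac(old), by_mac(new)
    changes = {"added": sorted(n.keys() - o.keys()),
               "removed": sorted(o.keys() - n.keys()),
               "firmware": [], "moved": []}
    for mac in sorted(o.keys() & n.keys()):
        a, b = o[mac], n[mac]
        if a["firmware"] != b["firmware"]:
            changes["firmware"].append((mac, a["firmware"], b["firmware"]))
        if (a["switch"], a["port"]) != (b["switch"], b["port"]):
            changes["moved"].append((mac, f'{a["switch"]}/{a["port"]}', f'{b["switch"]}/{b["port"]}'))
    return changes


if __name__ == "__main__":
    print("IP conflicts:", find_ip_conflicts(SNAPSHOT_T1))
    print("Unregistered / mismatched:", find_unregistered(SNAPSHOT_T1, IPAM_RECORDS))
    for kind, items in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{kind}: {items}")
```

Keying on MAC rather than IP is the point of the exercise: the IP conflict on 10.1.20.16 and the unregistered TP-Link device are only visible because the switch-side discovery is reconciled against IPAM, and the firmware jump on core-rtr-1 is only visible because the previous run was kept. In a real deployment the snapshots would come from the discovery system and the IPAM table from its API, and each finding would be forwarded to a SIEM for triage.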

How do you understand how the network constructs fit together, so that you can see a topology view, visualize how those devices are connected, and then drill down to see how specific devices are operating on your network? It comes down to having all of this information in one place: an IPAM database.

Another consideration is data sharing. That’s why open APIs are so useful: they give easy access to, say, a threat-hunting tool, a SIEM or even a SOAR platform for automation. The more context your systems have, the better it is for both cybersecurity and compliance.

Networks also need to track end-of-life and end-of-service dates for the different types of devices. How can you eliminate device vulnerabilities with automated security and lifecycle management? Integrate it with DNS, DHCP and IPAM.

(Source: Infoblox.com)

For more trends, whitepapers and perspectives on cybersecurity, please visit Security Edge.
