Why Effective Visibility Must Go Far Beyond IP Addresses


By Evan Schuman, Security Editor

Network visibility is essential for cybersecurity and compliance, but it means going far beyond tracking IP addresses, given the number of network layers involved.

While cloud usage is skyrocketing and presenting a wide range of new issues, the reality is that most enterprise networks, to varying degrees, moved to the cloud a very long time ago.

This includes discovering software-defined networks (SDNs) such as Cisco ACI or SD-WAN, including Cisco Miraki or Cisco Viptela. Remote sites in particular mean enterprises need to improve and unify hybrid IPAM visibility.

In short, it allows network personnel to quickly look up IP addresses, find device names, what types they are, what vendors or models or versions or even chassis serial numbers they have. All of this allows for much greater forensic information and context.

These searches facilitate the critical goal of detecting and remediating malicious and/or compromised assets while reconciling networks with any IPAM conflicts and gathering firmware information to facilitate updates and fixes.

Easy access

With cybersecurity defenses as well as compliance rules, having easy access to ad-hoc and standardized reports is essential to have visibility into any access and see if anything important has changed. For example, when a staff member engages in shadow computing and throws a router he picked up from Target on the network, which begs the question: is it compliant? Almost certainly not.

Another problematic network element are switches. Having in-depth, up-to-date visibility into switch port discovery is an urgent need, especially with tracking free, available, and unused ports or those connected to wired or wireless end hosts.

Digging into switches can provide a world of useful data, including IP and Mac addresses, admin and operations status, switch port description, VLAN configurations, switch IDs, names, Data VLANs, voice VLANs, the start and end of these ranges, and metadata and meta tags associated with switches and ports.

Today’s enterprise networks are inherently more complex, with many vendors working from multiple operating systems.

“IT needs visibility into all of this, as well as the ability to convert IP networks and addresses into managed objects. Discovery should be more than just a ping sweep,” said Bob Rose, senior director of product marketing at Infoblox. “IT needs reliable information about DNS, DHCP, host objects, devices (physical and virtual), models, operating systems, versions, interfaces, as well as current data on routers, subnets, and VLANs.”

VLAN Benefits

This VLAN issue is critical given the sharp increase in the number of assets and data transferred to third-party controlled clouds, where IT may not really know where the data and assets are physically located. But with the right systems in place, all of this information is still accessible, especially when it comes to VM instances. It’s not just about determining physical Layer 2 and logical Layer 3 devices, it’s also about understanding how these complex components are actually connected across the network.

Indeed, if the IT department understands how these elements are actually connected, it helps to manage changes and configurations for both traditional networks and virtualized networks using technologies such as VRF (virtual routing and forwarding) . VRF allows multiple routing tables and multiple forwarding instances on the same router. All of this also gives visibility into the end hosts connected to the physical switches which can provide both a current view and a historical view. The historical view is essential for effective forensic investigations.

Too many security products today simply share information about this endpoint and this endpoint and this server. But they usually don’t answer the important question: how did the problem move between them? It’s important to know how they are connected, because that’s when you start to realize that to get from point A to point B, he had to compromise something else. These threats will compromise devices, do what they need to do with them, then clean up after themselves, then move on. We have even seen some who were able to take advantage of a device because the firmware had not been properly updated. Before moving on, they updated the firmware. If you weren’t keeping up with your firmware revisions, you wouldn’t have known.

How do you understand how the network constructs fit together so you can see a topology view, visualize how these devices are connected, and then drill down to see how specific devices perform on your network. It’s about having all this information in one place, in an IPAM database.

Another consideration is data sharing. This is why OpenAPIs are so useful, as they can give easy access to a threat hunting tool, SIEM or even SOAR for automation. The more contextual your systems are, the better it is for cybersecurity and compliance.

Networks must also track the end-of-life and end-of-service of different types of devices. How can you eliminate device vulnerabilities with automated security and lifecycle management? Integration with DNS, DHCP and IPAM.

To read more interesting cybersecurity trends, white papers and insights, please visit Security Edge




Comments are closed.