Done properly, IPAM can fill in the data gaps from DHCP
With enterprise cybersecurity under almost constant attack today, CISOs need a complete and current view of their entire global environment. Frankly, as useful as DHCP is, it simply can’t deliver that. Fortunately, IPAM can fill in many of those missing details to deliver a more complete discovery picture.
There are “a lot of limitations with DHCP and as devices become more important, almost more than user data in order to investigate and research threats or incidents on my network. I need to fill that gap. And that’s where discovery comes in,” argues Bob Hansmann, Sr. Product Marketing Manager at Infoblox.
One of Hansmann’s colleagues–Bob Rose, Sr. Product Marketing Manager, DDI & Value-Added Services, Infoblox–agreed, but stressed that the limits of DHCP can prove difficult to reconcile with effective security.
“You need to have an authoritative IP address database. And a lot of that is enabled by having the right kind of tools to pull in IP address data into a centralized database, whether it’s on prem, whether it’s virtualized, whether it’s in the cloud so that you have a single source of truth,” Rose said. “Connectivity is also really important to be able to ensure that the DHCP server and the DHCP client are connected to the same network and can exchange information frames.”
Rose added: “It’s possible that our IT silos have shared access to integrated authoritative databases or protocols, IP address network infrastructure devices and host connectivity, port data, all of that information. You need to be able to see it and if you don’t, you have a security risk. If you have comprehensive inventory of all of your data, all of your endpoints, you’re much better able to see it an analyze it to validate that your designs are right, that your provisioning is right, to do troubleshooting, to manage and really deliver an effective core network service that’s up and running and performing at its highest level.” Both Hansmann and Rose explored this issue in a recent InfoBlox video podcast.
Rose stressed that the mechanics of running enterprise environments today means that protection is important, but so is day-to-day management, which needs to be as automated as practical–or critical tasks will often not get done.
“Consider also IP lease management. DHCP servers typically grant IP addresses to clients for a limited timeframe. Those are called leases. And that’s really important. At the end of the day, the biggest benefit of having DHCP is that it’s a lot faster to set up a TCP/IP network. It’s a lot easier to manage because there’s no heavy lifting. The server automatically assigns the information and puts it so that IT staff don’t have to do that. IPAM gives you a lot of data,” Rose said. “That data is the IP address as well as the type of device, the operating system, the version, the username, the switch port, the access point, the physical location–all of that metadata that you get and that’s what’s needed. That’s what you get with discovery.”
The problem with both cybersecurity and network management is complexity, which is far worse than just a few years ago. On top of the on-prem/cloud and remote system issues, the number of third-party users needing extensive data access to sensitive information. (That is sensitive data as in intellectual property [IP] versus internet protocol [IP]. We do love our acronyms, even when they are the same letters.)
Then there is IoT and IIoT. “Consider all those devices like printers and things like that. They’re not users. They don’t have like a Windows OS and a version number. They have a firmware,” Hansmann said. “But once (malware) gets on a device, an end user’s device, they start spreading around and everything’s open game. They will spread to printers and routers. We’ve seen home device IoT like Ring doorbells, routers and other high-end devices.”
Beyond the lack of full visibility, another tricky part about DHCP are those frequent and mysterious error messages.
“You get a DHCP server error message. It could be that the server fails in a network where you only have one DHCP server. That’s kind of an obvious case, right? Others happen because all available addresses have been allocated. It could be that your network server failed. It could be that there was a configuration change that affected the DHCP packet relay. You know that that happens on occasion. Or perhaps there’s another configuration mistake that happened during a new installation – configuration mistakes or things that can really mess things up. And then of course, you’ve got Media Access Control MAC addresses, when filtering is enabled. And you have a new device that comes on and yet that’s not included in the server configuration. And one that’s probably near and dear to your heart is the reality of security where you look at DHCP and the server really has no secure mechanism for authentication of the client. It can then gain unauthorized access to an IP address by presenting credentials like client identifiers that belong to other DHCP clients. Another concern is DHCP fingerprinting. It’s not foolproof because it can be forged. Anyone can go in and forge DHCP frames with erroneous information without really impacting the process of providing an IP address. So all of those things kind of come into play. DHCP is a great tool and a very helpful protocol. The problem is that you just can’t completely rely on it all the time.”
Yet another issue is when devices get a little old and the network runs into either end-of-life (EOL) or end-of-sale (EOS) situations. “Now it’s not being patched. It’s not being taken care of any longer. Your network is really at risk and open to attack. So the challenge of tracking security vulnerabilities is huge. Field notices that you get, such as from Cisco product security incident response team or Juniper bulletins, managing those become a lot harder. It’s really a tedious and manual process,” Rose said. “If you’re collecting and aggregating RSS feeds and emails and trying to cross tabulate all the vulnerabilities across a multitude of device models and operating systems, that can be overwhelming. And patching is never a one and done thing. And so what you really need is an automated process that gives you continuous multi-vendor advisories and updates that have accurate and rich vendor agnostic device discovery.”
Patching is going to continue to be a cybersecurity headache. That is because patching has conflicting interests. On the “take it slow” side is IT’s need to make sure that a patch doesn’t cause problems with existing apps, systems and devices. On the “hurry up” side is the need to implement security patches as fast as possible, given that the bad guys know about the holes and will try and leverage those holes before enterprises have a chance to patch them.
Also, the pace of patches has accelerated at the same time that IT staff has gotten more burdened and, often, have fewer people.
“A lot of large enterprises years ago, they would only roll out patches once every maybe three months. And I talked to one that they only did it twice a year when patches were rolled out because they would get them and put them through rigorous internal testing,” Rose said. “That was to try and make sure that this patch doesn’t break a certain program or something like Javascript or Java itself. I remember getting updates for that and it broke our internal communication tool. But companies can’t wait six months now to apply patches. A new problem has come out where I knew one company that got a patch. They tested it. It was going to take them several days because it was for something that they used for a lot of tools that were integrated with each other. They spent late hours and got it done, but by the time they hit the button to roll out the patch using their patch management tool, there had been a new patch. And so the patch that got rolled out was not the one they tested, but the one that had been (just) rolled out. They couldn’t figure out (why things were breaking) until somebody looked at the IPAM data. And they said “Hold it. The firmware version is not the one we approved.”