When it comes to modern cybersecurity, many security analysts see the network as their friend, one of their strongest lines of defense. In reality, the network is just as often the enemy, hiding vulnerabilities and obscuring the information you need to defend your enterprise.
But by using existing–and often ignored–tools plus a few others, that network can again be a trusted ally.
Two Infoblox senior specialists–Bob Rose, Sr. Product Marketing Manager, DDI & Value-Added Services and Bob Hansmann, Sr. Product Marketing Manager, Network Security–did a podcast together where they explored how security can have far better visibility and, therefore, far tighter security and much easier compliance.
What did they discuss? Let’s start with DHCP error messages.
“Let’s say you get a DHCP server error message. It could be that the server fails in a network where you only have one DHCP server. Or it might be where all available addresses have been allocated. That’s another cause for DHCP failure. It could be that your network server failed,” Rose detailed. “It could be that there was a configuration change that affected the DHCP packet relay. You know that that happens on occasion. Or perhaps there’s another configuration mistake that happened during a new installation a little bit later.”
That’s all within the system, with technology not playing well with other technology. Then there are the many end-user hiccups, including glitches from IT.
“People are making configuration errors. Now there are products out there that will test your configuration. Those are still evolving because even as we were preparing to go live today, you’re talking about some tools that we all use. Consider the Facebook management platform. They just changed their whole UI, the platforms and those tools to do that,” Hansmann said. “They exist but they’re all in such a chaotic level of evolution, that we still have this configuration error problem. There are now vulnerabilities because somebody configured something wrong. So having just this management history here of knowing who did what, but it also applies if I trace the incident because of a vulnerability in some system where somebody changed something. I do need to know when and why, not so that we can figure out who to blame but so that we can learn from that and maybe put in steps to make sure it doesn’t happen again.”
A big part of the problem that starts to turn the network from friend to foe is complexity, Rose argued.
“Discovery is so important because it’s possible that there are IT silos that are out there that have shared access to integrated, authoritative databases or protocols, IP address, network infrastructure, devices and host connectivity, all of that information. You need to be able to see it and if you don’t, you have a security risk and you could have a service interruption risk. Even worse, if there are rogue devices, somebody can potentially get access through an unmanaged device, get into an environment and impact millions of customers,” Rose said. “If you have a comprehensive inventory of all of your data, all of your endpoints, you’re much much better able to see it to an analyze it to validate that your designs are right, that your provisioning is right to do troubleshooting, to manage and really deliver an effective core network service that’s up and running and performing at its highest level.”
That complexity can also be driven by business moves, especially mergers and acquisitions.
“In an enterprise environment, networks are really becoming a lot more diverse. They’re distributed, they’re multi-vendor. Companies are also dealing with mergers and acquisitions. And so now you’re dealing with more and more complexity. So how do you ensure that your network devices are secure and compliant and what do you do about it when you have a device that’s reached the end of support? It’s not being patched. It’s not being taken care of any longer,” Rose said. “Now your network is really at risk and open to attack. The challenge of tracking security vulnerabilities is huge. Field notices that you get from Cisco product security incident response team, or Juniper bulletins, managing those become a lot harder. It’s really a tedious and manual process. If you’re collecting and aggregating RSS feeds and emails and try to cross tabulate all the vulnerabilities across a multitude of device models and operating systems, that can be overwhelming. And patching is never a one and done thing. And so what you really need is an automated process that gives you continuous multi-vendor advisories and updates that have accurate and rich vendor agnostic device discovery.”
Another level of complexity is introduced through the massive number of file types, especially with data coming from various partners, above and beyond the M&A activity.
“The data can be really in a lot of different places and in a lot of different formats. Being able to automate collecting and aggregating that information is a big benefit. Not a lot of discovery tools do that but you know, it is done. Now I know what firmware version is needed and I can go out and manually check that, perhaps using my IPAM system. But it means I still have to do it. Having this automated just means that it just does it on a regular schedule or on demand, Hansmann said, “I hit a button and it just does it. That’s the level of automation that is needed.”
Rose added that hybrid discovery is also an important area.
“So many companies have traditional data centers, but they’re migrating now to virtualized environments or they’re migrating to the cloud. You really need full discovery across all of your environments,” Rose said. “You don’t want to go into their various instances. You want a single control plane and you want to be able to access that either on-prem or from the cloud.”