How do you defend what you don’t know exists? In IT, this is more than just an existential question, or fuel for a philosophical debate. The existence of a complete network inventory—or the lack thereof—has a real-world impact on an organization’s ability to secure their network. Establishing and maintaining a network inventory is both a technological and a business process problem, and serves as an excellent example of the importance of open standards to a modern organization.
Consider for a moment NASA’s Jet Propulsion Laboratory (JPL). In April 2018 the JPL experienced a cybersecurity event. Upon investigation, it was determined that this was caused by someone smuggling an unauthorized Raspberry Pi onto the premises and connecting it to the network.
This incident triggered a security audit, and the results of that June 2019 report were, though not unexpected, still rather disappointing. The auditors’ biggest concern was that the JPL didn’t have a comprehensive, accurate picture of what devices were on its networks, nor did it know whether or not those devices were authorized to be there.
This lack of an up-to-date and automated network inventory led to a successful hack of the JPL via the unauthorized Raspberry Pi. Some key quotes from the audit are worth considering: “JPL uses a web-based application known as the Information Technology Security Database (ITSDB) … to add a property item into the ITSDB, a system administrator must request a tag number from a JPL assets representative. The system administrator subsequently must request the property item be imported into the ITSDB before linking it to a specific IT security plan. This ITSDB update is to be performed weekly.”
More concerning in the report, however, was this: “Specifically, we found that 8 of 11 system administrators responsible for managing the 13 systems in our sample maintain a separate inventory spreadsheet of their systems from which they periodically update the information manually in the ITSDB. One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database’s updating function sometimes does not work and he later forgets to enter the asset information. Consequently, assets can be added to the network without being properly identified and vetted by security officials.”
We would humbly submit that a network inventory system so unwieldy that systems administrators feel the need to use spreadsheet-based manual workarounds is demonstrably unhelpful. Network inventories do not have to be this difficult.
Automation and open standards
Discovering what’s connected to a network isn’t always easy. Many devices that occupy your networks don’t respond to ping. Devices can be configured not to use DHCP servers, so you won’t see them grab an address. Indeed, many devices emit few—if any—packets, or they spoof the MAC addresses of other devices on the network, and thus can be incredibly hard to detect.
Even an entirely passive network device can learn a lot about a network just from watching broadcast traffic. On many networks, an astonishing amount about network architecture can be learned just from sniffing poorly configured SNMP, in which devices broadcast information that really should be point-to-point.
But every device that connects to a network must connect to something: a switch, a router, a Wi-Fi access point, a Zigbee IoT Gateway … something. Creating a reliable network inventory starts with network access devices that use open protocols, open standards and support multiple types of automation. With the ever-growing number of connected devices, automation is no longer an option, and it’s useful not only to gather a list of what’s what, but to act upon the connection of unknown devices to the network.
Cumulus NetQ visibility tool provides a network-wide view of all switches, their health, what’s connected to them and what traffic is transiting those switches. In addition to discovering what’s connected to a switch, the health of switches themselves needs to be assured, and here NetQ also provides a solution.
Cumulus Linux, being based on a well-known platform, makes it easy to do even more, as well as to integrate Cumulus switches into existing IT inventory, automation and orchestration solutions. It’s important not only to ascertain when something has been connected to a switch port, but to act on that information.
Network administrators can use their scripting language of choice to get a list of connected ports, interrogate any devices that may be connected to those ports, examine traffic transiting that port and quarantine uncooperative devices by shunting them to secure VLAN. In addition, agents for other network event monitoring and inventory solutions in use by IT teams can run on [t1]Cumulus Linux switches, dramatically expanding the range of network monitoring and inventory solutions with which Cumulus switches can integrate.
Discovering what’s connected to a network, and then acting upon that information is something that will be different for every organization. Every organization will have a different mix of technologies in use, thus requiring a different set of tools and approaches to monitoring, managing and automating their network.
Proprietary networking gets in the way. It’s more important than ever that network devices actively participate in not only identifying what’s connected to them, but in automating the response to something unexpected being plugged in. Cumulus Linux can help.