Network mapping flat-out stinks — and I would still rather do this than asset inventory. Auto-discovery is now a third-party purchase, and it is, at best, a simple network management protocol (SNMP) manager designed to give you a visual of red and green lights correlating to machines communicating with a device. Unfortunately, it leaves you with many unanswered questions.
Do you know why your domain controller is logging in to other servers? Do you know why servers are talking to other servers, minus a proxy of any sort? There is a better way to find these answers and still keep your network mapping: Use network mapping as the underlay of your communication flows.
Network visibility is part of understanding risk. As always, technology risks are business risks. As security professionals, we do not own the risk, we just manage it. But if we cannot see the network, how do we see the risk?
Network Mapping Is Broken
Honestly, I’m tired of looking at outdated network maps created with a manual network mapping tool. I’m tired of visiting places and asking for a diagram of the network, only to find out it doesn’t exist or it’s outdated. I cannot fathom not having this information — and a spreadsheet of IP addresses and subnet masks is not a valid substitute. Could we please just get it right for once?
SNMP mapping of a network is fine as a starting point, but it is not what a security practitioner should rely on. There are several limitations to using SNMP: First, it is a snapshot of what is reported; it is not an actual map of who is communicating with whom. You will also need to configure your respective band, that is, the network segment where your SNMP traffic is located. I see it in two places: the production network and the management network.
The last major piece is the SNMP manager. I am not knocking SNMP managers, but we have to look at the security definition of SNMP: security not my problem. I am aware of the user-based security model (USM) and the transport security model (TSM). When using one of the products, you must configure your security posture to meet the demands of good SNMP hygiene.
Don’t Stumble Blindly Through the Network
While you’re at it, configure your security devices to understand what the norm is. Do you know how much traffic you must weed through to find items that give you actionable content? Don’t sift through SNMP garbage too. As cool as these tools are, they do not provide any security to your organization — they only tell you that your manager is receiving SNMP traps.
You have to see your network to understand it; the more you see, the more you understand. Managers love pictures, but what if you could give them a movie? If a picture is worth 1,000 words, just think what a movie would provide. I’m talking about a live-action view of what is really happening on the network.
I talked in an earlier blog entry about the fog of war, crystal balls and the ability to see the battlefield. The discussion there was about what network tools tell you versus what you should be seeing. Now we are going a level deeper. Years ago, a couple of products offered a network visual, which was a static map that was created as you created objects. I loved that. Even though it was static, it gave a representation of what was happening in your network. It would have been incredible to make that live-action as well.
More Effective Network Mapping
Now let’s stop the history lesson and get to the present day. What if I could show you on a map what your communication channels actually look like? What if I could, in real time, show you what your firewall rules look like? What if you could simulate a change and see what would happen? How about the ability to see your protocol information on segments, the number of clients and who is pushing what to whom?
In the future, do not get rid of SNMP mapping; instead, overlay your flow map on top of the SNMP map. What does it look like? Does your written policy look like the SNMP map? Does it look like your flow communications map? I bet it doesn’t. A communication flow map overlaid on the network map will expose when those entities are talking — no more and no less. Your SNMP map shows they are in different enclaves that should not be talking. Does the policy allow this?
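As an added example (not code from the original post), here is the overlay idea in Python: subnets taken from an SNMP topology map stand in for enclaves, the written policy is encoded as allowed enclave pairs and ports, and flow records are checked against it so that cross-enclave traffic the policy never permitted, including a domain controller initiating connections to other servers, is surfaced. All subnets, enclave names, ports and flow tuples below are constructed for illustration.

```python
import ipaddress

# Constructed: enclaves as derived from an SNMP topology map (subnet -> enclave).
ENCLAVES = {
    "10.10.0.0/24": "domain-controllers",
    "10.20.0.0/24": "app-servers",
    "10.30.0.0/24": "user-workstations",
    "10.40.0.0/24": "dmz",
}

# Constructed written policy: (src_enclave, dst_enclave) -> allowed destination ports.
# Any enclave pair not listed here is not supposed to talk at all.
POLICY = {
    ("user-workstations", "domain-controllers"): {88, 389, 445, 636},
    ("app-servers", "domain-controllers"): {88, 389, 636},
    ("user-workstations", "app-servers"): {443},
    ("dmz", "app-servers"): {443},
}

def enclave_of(ip):
    """Map an address to its enclave using the SNMP-derived subnet list."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in ENCLAVES.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "unknown"

def overlay_flows(flows, policy=POLICY):
    """Return flows whose enclave pair or port is not covered by written policy.
    Intra-enclave traffic is skipped; flows touching an unknown enclave are reported."""
    findings = []
    for src, dst, proto, dport in flows:
        s, d = enclave_of(src), enclave_of(dst)
        if s == d and s != "unknown":
            continue
        allowed = policy.get((s, d))
        if allowed is None or dport not in allowed:
            findings.append({"src": src, "dst": dst, "proto": proto,
                             "dport": dport, "path": f"{s} -> {d}"})
    return findings

# Constructed NetFlow/IPFIX-style records: (src, dst, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.30.0.15", "10.10.0.5", "tcp", 389),   # workstation -> DC LDAP: allowed
    ("10.10.0.5", "10.20.0.9", "tcp", 445),    # DC -> app server: DC initiating, no policy
    ("10.40.0.3", "10.10.0.5", "tcp", 389),    # DMZ -> DC: enclaves that should not talk
    ("10.20.0.9", "10.20.0.10", "tcp", 8080),  # intra-enclave: skipped
    ("10.30.0.15", "10.20.0.9", "tcp", 22),    # workstation -> app SSH: port not in policy
]

if __name__ == "__main__":
    for f in overlay_flows(SAMPLE_FLOWS):
        print(f"POLICY GAP {f['path']}: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']}")
```

In practice the flow tuples would come from a collector or the SIEM and the subnet list from the SNMP manager's export; the comparison logic stays the same.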
The possibilities of what you could fix, implement and change for the better are endless. But you can do damage as well. Bad actors hide in the shadows, and this strategy helps stop hidden communications and expose items we would normally overlook. Combine your network mapping with data from your security information and event management (SIEM) system and feed it from an endpoint management platform — this is how we find problems and diagnose issues.
Knowledge is power. Sharing that knowledge across your organization builds a more robust team, fosters better security posture, reduces response time and increases anomaly detection. Effective network mapping provides an outlet to gain this information and boost the security of the system as a whole.