Leveraging IPAM in your Security Program
Internet protocol address management (IPAM) is a task often reserved for the networking or telecommunications team, and most security practitioners are unaware of the treasure trove of information that exists in their own organization. What is this information and how can you, as a security practitioner, leverage it?
The need for management, planning and tracking of IP information becomes apparent as networks grow. Dynamic Host Configuration Protocol (DHCP) ranges and static IP addresses must be configured and updated to ensure network availability and performance. The simplest approach to addressing these challenges is through the use of spreadsheets. However, as organizations mature, this approach is quickly outgrown and the responsible team procures one of several IPAM solutions available in the market. The operational efficiencies gained through these tools reduce waste and help the managing team focus on higher-priority activities. While these tools handle a host of other functions, including Domain Name System (DNS) management and DNS firewalling, we will focus our conversation on the benefits of IPAM.
The configuration of a security tool and the process around its maintenance are vital to the tool's success. When security tools utilize network resources to conduct scans, monitor traffic and deploy endpoints, understanding assets is critical. By leveraging the information available in an IPAM tool, configuration and maintenance can be simplified.
To ease the management challenges, tagging features are commonly integrated into IPAM tools. The tagging feature allows engineers to tag IP ranges or static addresses with useful information such as location, application, business owner or custom fields. Export functions or application programming interfaces (APIs) allow administrators of security tools to access the IPAM tag information. Processes can then be implemented that use these tags and integrate them directly into other tools. These processes can run on an ad-hoc basis during initial configuration or maintenance, or be scripted to keep the tool in sync with changes in your environment. Examples of common use cases include:
- Creating asset groups based on location or application
- Targeting applications for vulnerability assessment
- Creating custom rules or triggers in SIEMs based on application
- Configuring event tuning based on application or device type
- Assigning events directly to business owners
- Developing deployment strategy
- Generating vulnerability or compliance reports based on business owner
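A sketch of how a scripted process could consume tagged IPAM data for the use cases above. This is an added example, not code from any IPAM product; the CSV column names and the sample rows are constructed assumptions standing in for a real export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of an IPAM CSV export; the column names are assumptions.
IPAM_EXPORT = """\
cidr,location,application,business_owner
10.10.0.0/16,HQ,corporate-lan,it-ops@example.com
10.10.20.0/24,HQ,payroll,finance@example.com
10.10.20.15/32,HQ,payroll-db,dba@example.com
172.16.5.0/24,DC-East,web-frontend,ecommerce@example.com
10.10.300.0/24,HQ,typo-range,nobody@example.com
"""

def load_ipam(text):
    """Parse the export. Returns (valid records, rejected rows)."""
    records, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            # strict=True also rejects entries with host bits set (e.g. 10.1.1.5/24)
            net = ipaddress.ip_network(row["cidr"].strip(), strict=True)
        except ValueError:
            rejected.append(row)  # report these back to the IPAM owner
            continue
        records.append({**row, "network": net})
    return records, rejected

def asset_groups(records, tag):
    """Group ranges by a tag (location, application, ...) for a scanner or SIEM."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[tag]].append(str(rec["network"]))
    return dict(groups)

def lookup(records, ip):
    """Return the most specific IPAM record containing ip, or None if untracked."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in records if addr in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen, default=None)

if __name__ == "__main__":
    records, rejected = load_ipam(IPAM_EXPORT)
    print("asset groups by location:", asset_groups(records, "location"))
    hit = lookup(records, "10.10.20.15")
    print("assign event to:", hit["business_owner"], "for", hit["application"])
    print("rows to raise with the IPAM owner:", [r["cidr"] for r in rejected])
```

An address that matches no record is itself worth reporting, since it means traffic was seen from space the IPAM tool does not track.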
Whether calculating risk in a governance, risk and compliance (GRC) tool or targeting assets to patch in your software update management (SUM) program, you must understand what is on your network. In these situations it’s not time to reinvent the wheel; reach out and collaborate with the individuals that manage this information every day!
Making It Better
Entering into a relationship with the owner of your organization’s IPAM solution cannot be a one-way street. Information security will have access to a wealth of information that other teams are responsible for managing and maintaining. With different use cases for this data, information security professionals have the ability to uncover errors in tagging and other misconfigurations the IPAM tool owner may not have the resources to identify. Developing a relationship where security works in conjunction with the tool owner enables the organization to build an accurate IP management framework. The dissemination of this information throughout the organization matures the organization’s IT practices as a whole and can directly improve the performance of IPAM and security point solutions.