February 18, 2009
Lions, Tigers, and…IP Addresses
For anyone who remembers their zoology, or has watched enough Animal Channel or National Geographic, the concept of large animal herds escaping predators by concentrating in tight groups should not be foreign. After all, there’s safety to be had in numbers. But have you ever asked yourself, “what about those poor animals on the edge of the herd?” Those poor water buffalo, gazelles, etc. that are caught on the edge are obviously very interested in reaching the interior of the herd. There be lions and tigers (figuratively of course; tigers do not roam the savannas!) in those bushes after all.
Now, stepping back to a thousand-foot view, we see a writhing superorganism: the edges constantly in flux, collapsing inward toward the center, whilst the interior is shuffled outward.
Zoology lesson aside, what does this have to do with IP addresses? Moreover, what does this have to do with information security?
Question: what prevents us from conceptualizing our IP addresses (more specifically, subnets) as herds? It would make sense that our lions and tigers (read: adversaries) lurk nearby, "nearby" being the low end of our subnets. As an example, I’m not sure I’ve ever seen a piece of network-enabled malware, or a human, take a binary-search approach to network mapping. No, logic would tend to dictate that any asset inventory effort begin at the logical starting point. For a subnet, that most commonly means .1.
So, if our subnet is a herd, wouldn’t it make sense then to “herd” them into the center of the range? Yes, I would avoid starting at the top of a range as well, since that could logically also be a beginning and, within the context of our analogy here, serve as the same kind of herd edge as the true .1 beginning. It would also stand to reason, I would put forth, to make the herd as large as possible…none of those pesky, small class C’s! Now, what if I had truly dynamic IP capabilities? I don’t mean DHCP, rather a truly dynamic IP mechanism more akin to how dynamic rekeying works in IPsec or WPA2. Wouldn’t that (somewhat) resemble the natural ebbs and flows of a large herd? I think so.
In that kind of environment, how would an adversary ever close in on his/her prey? Moreover, how much longer would this extend any kind of autodiscovery attempt (port scanning, etc.), thereby allowing our IDS to kick in “sooner”? Good security is, after all, a simple time trade-off calculation. I need to make sure it takes longer for “you” to compromise an asset than it does for me to detect “you”.
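The herd-interior idea and the time trade-off above can be put into numbers. The following is an added example (not code from the original post): it models a scanner walking a subnet one address at a time, places a small number of hosts either in the middle of the range or at random, and checks whether a simple IDS rule (alert after a threshold of probes to unused, "dark" addresses) fires before the first live host is touched. The subnets, host count and threshold are constructed sample values, and the scanner and IDS models are deliberately simple assumptions, not a description of any particular product.

```python
"""Added example: how far a sequential scanner gets before touching a live host,
and whether a dark-space IDS rule fires first (the post's time trade-off).

All addresses, counts and thresholds below are constructed sample values.
"""
import functools
import ipaddress
import random
import statistics


@functools.lru_cache(maxsize=None)
def usable_hosts(network):
    """All assignable addresses of the subnet, ascending (cached: /16 has 65534 of them)."""
    return tuple(ipaddress.ip_network(network).hosts())


def place_centered(network, count):
    """Assign `count` consecutive addresses in the middle of the range (the herd interior)."""
    hosts = usable_hosts(network)
    start = (len(hosts) - count) // 2
    return set(hosts[start:start + count])


def place_random(network, count, rng):
    """Assign `count` addresses uniformly at random (what ad hoc numbering tends to produce)."""
    return set(rng.sample(usable_hosts(network), count))


def sequential_scan(network, live, descending=False, dark_threshold=None):
    """Simulate a scanner probing the subnet one address at a time from one end.

    Returns (probe_at_first_hit, probe_at_alert), both 1-based probe counts.
    probe_at_alert is the probe at which `dark_threshold` probes to unused
    addresses have accumulated (None if no threshold was given or it was not
    reached before the first hit). probe_at_first_hit is None if nothing is live.
    """
    hosts = list(usable_hosts(network))
    if descending:
        hosts.reverse()
    dark = 0
    alert_at = None
    for n, addr in enumerate(hosts, start=1):
        if addr in live:
            return n, alert_at
        dark += 1  # probe to an unused address: the IDS's raw material
        if dark_threshold is not None and alert_at is None and dark >= dark_threshold:
            alert_at = n
    return None, alert_at


def detection_wins(network, live, dark_threshold, descending=False):
    """The post's trade-off: True if the IDS alerts before the first live host is probed."""
    hit, alert = sequential_scan(network, live, descending, dark_threshold)
    return alert is not None and (hit is None or alert < hit)


def mean_first_hit_random(network, count, trials, seed=0):
    """Monte Carlo: average probes to first hit when addresses are scattered at random."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    hits = [sequential_scan(network, place_random(network, count, rng))[0]
            for _ in range(trials)]
    return statistics.mean(hits)


if __name__ == "__main__":
    for net in ("192.0.2.0/24", "10.0.0.0/16"):
        live = place_centered(net, 20)
        up, _ = sequential_scan(net, live)
        down, _ = sequential_scan(net, live, descending=True)
        print(net,
              "| centered: first hit at probe", up, "(ascending) /", down, "(descending)",
              "| random placement, average first hit:",
              round(mean_first_hit_random(net, 20, 200), 1),
              "| IDS at 50 dark probes wins:", detection_wins(net, live, 50))
```

With 20 hosts centered in a /24 the scanner burns 118 probes from either end before it finds anything, against roughly a dozen when the same hosts are scattered at random; in a /16 the centered figure grows to 32758. The `dark_threshold` rule is the detection side of the trade-off: it wins whenever the scanner's first hit comes after the threshold, so a bigger, tighter herd buys the IDS more probes to work with.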
Yeah, there be lions and tigers here. Of course, the zoology analogy is intentionally simplistic (this is a security blog, after all), but I rather think there is an opportunity to re-examine how we manage our IP schemes, and perhaps an opportunity for some new technology.