Automate Subnet Discovery With Infoblox IPAM API - Part I

A simple way to ensure continuous visibility in your network

The lack of visibility into IT assets is a common problem faced by IT and security teams, as new applications and services storing sensitive information can be added without going through a formal IT process. This is known as “shadow IT”, and its occurrence has increased in recent years with the adoption of cloud-hosted services.

In this two part blog post, I will give a practical example of this issue, present the associated risks and then propose a simple solution. The code for the solution is available on GitHub

Infloblox IPAM

IPAM is Infoblox’s network administration solution. Its features include creating hosts records, IPv4 and IPv6 networks. IPAM provides the end user with a dashboard for administering and monitoring the network as well as an API.

In a typical setting, a network administrator will create a new IP network via IPAM or another network management solution. If the network was created via another product, the subnet will be discovered by IPAM via its NetMRI, discovery module.

The issue that arise from the lack of visibility

When a network is created, the reason is almost always to either add new hosts, often as new virtual machines, or connect existing assets to a new network.

Security operations teams should always be at least aware of such changes. This is because a newly added host may have an important purpose that will require operationalization.
For example, a new internally hosted source code version control system, such as Gitlab, will require frequent backups regular updates.

Even if the asset does not serve a corporate purpose, if there is no strict network segmentation, this host can be a weak link in the network map and be used by an adversary threat using lateral movement tactics, to try to access critical services. This problem extends to the case when an existing host is connected to a new network. It essentially increases the threat surface

Shortcomings from existing processes

In practice, it is hard for IT/security teams to always be aware of new network additions. Sharing the information currently relies on heavy processes, such as change management, that are not always followed. This is specially true for non-production environments.

On another note, over the last few years there has been an ever-growing interest in writing scripts to automate simple tasks. Their use ranges from collecting the list of active directory users, to automating backups and everything in between.

A simple script to remediate the problem

IPAM offers an API, WAPI, that allows making CRUD operations on the platform. The “retrieve” type of operations (R in CRUD) allows to get lists of subnets or hosts with a network interface in those subnets, collect detailed information about a particular host or subnet and many more operations.

We can leverage this to collect the list of networks, and add a logic to be aware of change. We will run the script a first time and save it locally. Then, via a cron job, we will fetch on a periodic basis a new list and compare what we obtained at time N-1 to the current list.

To conclude, in this first part we introduced the problem arising from the lack of visibility in the network infrastructure, and introduced at a bird’s eye view how the solution works.

In the second part of this article, I will present the key components of the script I wrote to provide a solution for this problem.