Darknets for Application Service Providers

Despite mature technologies from firewalls to antivirus, and in the face of heightened user expectations and business needs, keeping your enterprise secure is harder than ever. Darknets offer an effective way to increate your security intelligence.

by Michael Smith

Despite mature technologies such as firewalls, intrusion detection and prevention systems, and antivirus, maintaining the security of large and complex networks is far more difficult than it was 10 years ago. Threat volume is rising, propagation speed is increasing, and attacks are becoming more elusive. Tracking compromised systems is also challenging, and actually mitigating problems often appears impossible.

At the same time, user expectations and competitive business needs are greater than ever regarding interoperability, connectivity, and immediate access to data.

With the security threat landscape changing daily, IT requires more innovative ways to complement their traditional approach to gathering threat intelligence. Ironically, security’s bright side may be on the “dark” side.

Application service providers (ASPs) usually deliver services through the Internet, increasing uncertainty about availability and response time. This uncertainty makes availability and response time obvious completive areas where ASPs are trying to gain and show competitive advantage in the marketplace. The implementation of a darknet is a solution that could help provide this type of advantage for a hosting provider.

What is a Darknet?

A growing number of organizations are leveraging darknets to increase their security intelligence and, in turn, enhance their security posture. Simply put, a darknet is an area of routed IP address space in which no active services reside. While traditionally every client, server, and network device has a unique IP address for each network connection, a darknet is comprised of a range of addresses for which there are no associated valid services or hosts. Thus, the network is “dark.”

What makes a darknet a powerful security tool is that after initial tuning, any traffic entering it from any source is most likely hostile traffic. In contrast to a traditional network setup, wherein legitimate IP packets are routed to legitimate destination IP addresses and from legitimate source IP addresses, no legitimate packets should be sent to or from a darknet. Although some packets may enter as the result of misconfiguration, the majority are likely sent by malware that scans for vulnerable devices with open ports in order to download, launch, and propagate malicious code.

With the use of darknets, security administrators can spot scanning activity without using complicated analysis technology, which can tax already overburdened resources. Darknets can also reduce the occurrence of false positives. By significantly reducing the effort to analyze traffic while improving intelligence gathering, darknets are an efficient tool for providing organizations critical information to help them protect the security and availability of their information assets.

A darknet is an area of routed IP address space in which no active services reside. It may be simplest to consider this space as a contiguous block of address such as x.y.z.1-5, but when dealing with a large network it might provide better coverage if the addresses are spaced out. This is a little more cumbersome in terms of administration, but for the large enterprise it may provide better overall visibility. In an ASP environment, it may even make sense to have all unallocated IP addresses routed to the darknet. What makes a darknet a powerful security tool is that after initial tuning, any traffic entering it from any source is either hostile or the result of misconfiguration. This “low noise” characteristic is what makes the use of darknets very attractive for individuals trying to manage large infrastructures.

Security Considerations for the ASP

While a darknet certainly cannot be the only defensive strategy an organization employs, it can be a great early warning tool and can also serve to verify that there is no broadcast-based anomalous traffic in a network. ASPs can benefit greatly from darknets. By significantly reducing the effort to analyze traffic while improving intelligence gathering, darknets are an efficient tool for providing ASPs with critical information to help them protect the security, availability, and response time of their environment.

Application service providers must be able to act quickly once security issues are identified. In most cases, they must be able to immediately disable all or part of the functionality of the application quickly and effectively. However, in the world of the ASP, the discovery of potential security issues often occurs once it’s too late and cannot be addressed. This is commonly stated among many that are responsible for network and security monitoring as, “You don’t know what you don’t know.” A properly implemented darknet solution can help decrease the time that it takes for issues to be identified, while allowing the administrator to sleep more soundly knowing that the environment is being monitored 24x7.

Operational security functions of ASPs have been defined to include such areas as patch maintenance, alert processing, incident handling, and logical security architecture. Where does a darknet fit into this list? Darknet technology can be used in alert processing by being a source of low-noise events, as well as through correlation with other data sources such as firewall, IDS/IPS logs, and host logs.

A prospective client of an ASP should verify that basic security standards are being met by the ASP. How does a darknet help ASPs meet the security requirements of their clients? By allocating IP addresses to a dark space and monitoring them for any traffic, an ASP is making an architectural decision to proactively manage the traffic that passes over its environment, which brings advantages from both a security and network perspective.

Conclusion

Application service providers can benefit from implementing a darknet in many ways. They can use a darknet as a source of low-noise intelligence about the traffic that is on their network. They can use a darknet to correlate traffic that is seen via other monitoring efforts. One of the traditional obstacles to implementing a darknet is that it requires granular IP and route management. This should not be a problem for ASPs, as this is a requirement for them to offer services to multiple customers.

Today’s darknets offer organizations a powerful complement to traditional security solutions by providing advanced security intelligence with minimal effort and maximum impact.

Bibliography

- - -

Michael Smith is senior manager at Symantec Global Services. You can reach the author at Michael_Smith@symantec.com