What is NetBOM?

A NetBOM is a network bill of materials. It is a list of the Internet servers that a device needs to connect to. Currently, when we buy products, we connect them to our network and give them unfettered access to the Internet. This means that even if a device is behind a firewall, if it becomes infected with malware, the malware can connect out through the firewall to communicate with a threat actor. One way to limit this is to create firewall rules that only allow the device to connect to the servers that it needs to connect to.

The NetBOM can be an important tool in implementing devices in a zero-trust environment.

The name is a play on the term SBOM, which is a software bill of materials. An SBOM is an inventory of the software components that make up a piece of software. This is similar to the list of ingredients that we see on food products, except the SBOM lists software components and their versions.

While an SBOM informs end users of the software and versions that are running on their devices, a NetBOM informs the end user of the Internet servers that the device needs to connect to.

What is in the NetBOM?

The NetBOM file includes:

  • Version number of the NetBOM file

  • Date of release

  • NetBOM server address(es) – this is where the device can get updates to the NetBOM

  • IP addresses and ports of Internet servers that are used by the device and an explanation of the purpose of the server

    • e.g. 9.9.9.9:9953, 9.9.9.9:53, DNS servers

  • Fully qualified domain name addresses and ports (if necessary) of Internet servers that are used by the device

    • e.g. https://dns.quad9.net/dns-query, tls://dns.quad9.net, DNS servers

The NetBOM could include addresses for:

  • NetBOM server

  • SBOM and vendor patch servers

  • cloud-hosting servers

  • time servers

  • advertising servers

  • mapping servers (e.g. Google Maps)

  • API servers

How is the NetBOM used?

Vendor:

NetBOM file:

  • The vendor includes the NetBOM file in the device before the device is sold.

  • The NetBOM file is signed with the vendor’s code signing certificate.

  • The device will not load a NetBOM unless the file is signed with the vendor’s code signing certificate.

  • If any changes are necessary, the vendor changes the NetBOM file and adds the new version to their NetBOM server

NetBOM server:

  • The vendor hosts a NetBOM server (e.g. netbom.domain.com) that serves updated versions of the NetBOM. This is important because some vendors may change hosting servers over time.

  • The NetBOM server uses the current standard for secure hosting (e.g. TLS/HTTPS)

    • The domain name used by the NetBOM server must be owned by the vendor

    • Hosting certificates must be registered to the vendor by a trusted third-party

End-User:

The end-user can use the NetBOM information to create rules in firewalls and security tools that limit the device's connections to only the Internet servers that are needed and approved by the vendor and the end-user.

Possible NetBOM Automation

Here are some possible ways to automate NetBOM handling, which could be useful for small office and home use, where network security expertise is limited or non-existent.

  • A device can publish its NetBOM to the firewall.

  • A firewall would verify the validity of the NetBOM with the NetBOM server and create firewall rules based on the NetBOM.

  • Proxy servers could create rules based on the NetBOM

  • IPS and security tools can also create rules based on the NetBOM and report on anomalies.
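As an added example (not code from the original page or from any NetBOM project), the following Python sketch parses an assumed JSON encoding of the NetBOM fields listed above (version, release date, NetBOM server addresses, IP and FQDN server entries with their purpose), renders them as egress allow rules for one device, and then checks a few constructed connection log lines against the NetBOM to report anomalies, as the automation section envisions for firewalls and IPS tools. The JSON layout, the function names, the nftables-style rule text, the scheme-to-port mapping and the log line format are all assumptions; signature verification of the file, described under "Vendor", is not shown here.

```python
"""Parse a NetBOM, render egress allow rules, and flag off-NetBOM connections.

Added example. The JSON layout below is an assumed encoding of the fields the
page lists; it is not a published NetBOM format.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample NetBOM. Server values reuse the page's own examples;
# the NetBOM server URL is a placeholder.
SAMPLE_NETBOM = json.dumps({
    "version": "1.0",
    "released": "2024-01-01",
    "netbom_servers": ["https://netbom.example.com/netbom.json"],
    "ip_servers": [
        {"address": "9.9.9.9", "port": 9953, "purpose": "DNS servers"},
        {"address": "9.9.9.9", "port": 53, "purpose": "DNS servers"},
    ],
    "fqdn_servers": [
        {"url": "https://dns.quad9.net/dns-query", "purpose": "DNS servers"},
        {"url": "tls://dns.quad9.net", "purpose": "DNS servers"},
    ],
})

# Assumed default ports for URL schemes without an explicit port
# (853 is the DNS-over-TLS port from RFC 7858).
SCHEME_PORTS = {"https": 443, "http": 80, "tls": 853}


def _check_port(port):
    """Reject anything that is not a valid TCP/UDP port number."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return port


def parse_netbom(text):
    """Parse and validate a NetBOM document.

    Returns a dict with version, released, netbom_servers and a list of
    destinations as (host, port, purpose), where host is an IP literal or FQDN.
    """
    doc = json.loads(text)
    for key in ("version", "released", "netbom_servers"):
        if key not in doc:
            raise ValueError(f"NetBOM missing required field {key!r}")
    destinations = []
    for entry in doc.get("ip_servers", []):
        host = str(ipaddress.ip_address(entry["address"]))  # raises on garbage
        destinations.append((host, _check_port(entry["port"]), entry.get("purpose", "")))
    for entry in doc.get("fqdn_servers", []):
        parts = urlsplit(entry["url"])
        if not parts.hostname:
            raise ValueError(f"FQDN entry has no host: {entry['url']!r}")
        port = parts.port if parts.port is not None else SCHEME_PORTS.get(parts.scheme)
        if port is None:
            raise ValueError(f"no port given and unknown scheme: {entry['url']!r}")
        destinations.append((parts.hostname, _check_port(port), entry.get("purpose", "")))
    return {"version": doc["version"], "released": doc["released"],
            "netbom_servers": list(doc["netbom_servers"]), "destinations": destinations}


def render_nft_rules(device_ip, netbom):
    """Render nftables-style egress rules for one device (assumed chain layout).

    IP entries become concrete accept rules for tcp and udp (the NetBOM does
    not name a transport). FQDN entries cannot be matched by address in a
    packet filter without resolution, so they are emitted as comments for a
    resolving firewall or proxy to enforce. Everything else is dropped.
    """
    src = ipaddress.ip_address(device_ip)
    fam = "ip" if src.version == 4 else "ip6"
    rules = []
    for host, port, purpose in netbom["destinations"]:
        try:
            ipaddress.ip_address(host)
        except ValueError:
            rules.append(f"# FQDN {host}:{port} ({purpose}): enforce via resolving proxy")
            continue
        for proto in ("tcp", "udp"):
            rules.append(f'{fam} saddr {src} {fam} daddr {host} {proto} dport {port} '
                         f'accept comment "{purpose}"')
    rules.append(f'{fam} saddr {src} drop comment "NetBOM default deny"')
    return rules


def find_anomalies(netbom, log_lines):
    """Return log lines whose destination is not listed in the NetBOM.

    Constructed log format (assumed): "<device_ip> <dest_host> <dest_port>",
    where dest_host is an IP from a firewall log or an FQDN from a proxy log.
    Malformed lines are reported rather than silently skipped.
    """
    allowed = {(host, port) for host, port, _ in netbom["destinations"]}
    anomalies = []
    for line in log_lines:
        parts = line.split()
        try:
            _, dest, port = parts
            port = int(port)
        except ValueError:
            anomalies.append(line)
            continue
        if (dest.lower(), port) not in allowed:
            anomalies.append(line)
    return anomalies


# Constructed connection log: the third line is not covered by the NetBOM.
SAMPLE_LOG = [
    "192.0.2.10 9.9.9.9 53",
    "192.0.2.10 dns.quad9.net 853",
    "192.0.2.10 203.0.113.5 443",
]

if __name__ == "__main__":
    bom = parse_netbom(SAMPLE_NETBOM)
    print("\n".join(render_nft_rules("192.0.2.10", bom)))
    print("anomalies:", find_anomalies(bom, SAMPLE_LOG))
```

The default-deny rule at the end is what turns the NetBOM from documentation into enforcement: any destination the vendor did not list is blocked, which is the behaviour the end-user section asks for. The FQDN entries are the awkward part for a plain packet filter, since the addresses behind a name can change; a resolving proxy or a firewall that refreshes name-based rules is the practical place to enforce them.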
