How to scan your network and build an asset inventory
Network discovery is the process of identifying and detailing every IT, OT, and IoT device connected to your network physically, virtually, remotely, or in the cloud. The process of auditing, cataloging, and tracking assets is essential for configuration management, capacity planning, and risk reduction programs. As a result of discovery, you can create an asset inventory to feed into systems–like CMDBs, SIEMs, ITAMs, ITSMs, and IPAMs–for a comprehensive view of your network.
Network discovery helps you uncover the unknowns and gives you full visibility into your environment through your asset inventory. With new assets coming online all the time, like consumer IoT devices, it becomes harder to identify everything on your network. On top of that, you need useful information that tells you what the device is–not just its MAC address or operating system.
Organizations need a centralized, authoritative source to reference–particularly when trying to answer critical questions, like:
To be able to answer these questions, network and asset discovery tools must be able to get visibility into all devices on your network, without needing credentials or endpoint agents.
As the number and types of devices coming online are rapidly growing, organizations are struggling to effectively discover and inventory their network. Some organizations rely on a combination of solutions–like their vulnerability scanners and network performance monitoring tools–and are manually tracking their assets through spreadsheets. This process doesn’t scale, and the results are incomplete.
Larger organizations may use their network performance and security tools for discovery, and feed that data into their configuration management database (CMDB). On top of that, CMDBs also have their own discovery capabilities, which will find a variety of devices and automatically update your configuration items (CIs). However, CMDBs are tough to deploy, and only find assets that can be discovered through authenticated scanning. This provides limited visibility into most IoT systems and networks that are more than a hop away.
Although vulnerability scanners and CMDBs have discovery capabilities, these solutions weren’t designed for discovery. They’re purpose-built for things like performance monitoring, vulnerability scanning, and configuration management, so their discovery methods won’t provide a comprehensive view of all of your assets.
There are other IT asset management tools out there, but again, most rely on credentials or endpoint agents to effectively inventory and map networks. Deployment is complex, and results don’t include unmanaged devices.
There are several approaches for finding devices on the network. Because network inventory is an important part of many other IT and security functions, many vendors have network discovery “built into” their solutions. These tools include port scanners, vulnerability scanners, CMDBs, network performance monitors, and endpoint detection and response solutions. However, because asset inventory is not their main goal, their discovery capabilities are limited. These solutions don’t provide enough granularity and accuracy to give a complete picture of all the assets on the network.
Network discovery solutions typically fall into one of four buckets: unauthenticated network scans, authenticated network scans, agent-based network discovery, and passive network monitoring.
Each method has benefits and challenges, depending on what your network looks like and what your organizational needs are. Keep reading to learn more about each method, but here’s a high-level comparison of the methods.
| | Unauthenticated network scans | Authenticated network scans | Agent-based network discovery | Passive network monitoring |
|---|---|---|---|---|
| Visibility for managed and unmanaged devices | X | | | |
| Easy to deploy | X | | | |
| Safe and secure | X | | | X |
Unauthenticated scans, like the name suggests, don’t use credentials to scan the network. Instead, they typically perform port scans to identify devices and services.
The first step of unauthenticated scanning involves contacting each IP on the network, on every port, to find active devices with open ports. The next step is fingerprinting, which is the process of identifying information about a device by communicating with it. Device responses provide a bit of information that can be used to put together a device profile. For example, a device could be fingerprinted as running Ubuntu 18.04 with an open port 22 running OpenSSH 7.4.
Network discovery tools, like runZero, look at other sources, such as SNMP community strings and ARP caches. This approach typically requires one runZero scanner to be set up per routable network. However, heavily segmented networks may require the deployment of multiple scanners.
runZero looks at all ports and information on a device together to fingerprint the device, which tends to make its data more accurate and have higher fidelity. For example, runZero will actually tell you that a device is a Synology NAS, manufactured in 08-2018, with a specific firmware version and serial number.
On the other hand, the command line tools nmap and masscan evaluate each port individually to identify a service–not the actual device. Masscan works well when scanning very large network segments and public internet ranges, but it has relatively restricted port ranges, so the results don’t have a lot of granularity.
To fingerprint specific ports or devices, nmap sends malformed IP traffic, which can potentially destabilize fragile devices, such as printers, IoT devices and OT environments. To avoid this issue, runZero sends only properly formed network traffic and then sniffs its own traffic.
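To make the two steps above concrete, here is an added example written for this article (it is not runZero's, nmap's or masscan's code). It runs a TCP connect scan against two throwaway listeners on 127.0.0.1 that serve constructed banners, labels each open port's service on its own (the per-port view), and then builds a single device profile from all the ports together (the combined view). The listener ports, the banners and the "vendor hint means Synology" rule are constructed assumptions for the demo, not vendor-documented fingerprints.

```python
import socket
import threading
from typing import Dict, List

# Constructed banners for throwaway local listeners, so the example runs
# offline. No real host is contacted; the "synology" header is a hypothetical
# fingerprint rule for the sake of the demo, not a vendor-documented one.
SAMPLE_BANNERS = {
    "ssh": b"SSH-2.0-OpenSSH_7.4\r\n",
    "http": b"HTTP/1.0 200 OK\r\nServer: nginx\r\nX-Vendor-Hint: synology\r\n\r\n",
}


def serve_banner(banner: bytes) -> int:
    """Bind an ephemeral 127.0.0.1 port and send `banner` to every client.
    Returns the port number; the thread is a daemon so the process can exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:  # closing after sendall gives the scanner a clean EOF
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host: str, ports: List[int], timeout: float = 1.0) -> Dict[int, str]:
    """Step 1 from the text: a TCP connect scan. Only ports that accept a
    connection are returned; the value is whatever the service volunteered
    (a real scanner would also send protocol-specific probes to quiet ports)."""
    found: Dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                chunks = []
                try:
                    while sum(len(c) for c in chunks) < 4096:
                        data = s.recv(512)
                        if not data:      # EOF: the service is done talking
                            break
                        chunks.append(data)
                except socket.timeout:
                    pass               # silent service: record it with an empty banner
                found[port] = b"".join(chunks).decode("latin-1", "replace").strip()
        except OSError:
            continue  # closed or filtered: nothing to inventory on this port
    return found


def identify_service(banner: str) -> str:
    """Per-port service identification, the nmap/masscan style from the text."""
    if banner.startswith("SSH-"):
        return "ssh/" + banner.split("-", 2)[-1]   # e.g. "ssh/OpenSSH_7.4"
    if banner.startswith("HTTP/"):
        for line in banner.splitlines():
            if line.lower().startswith("server:"):
                return "http/" + line.split(":", 1)[1].strip()
        return "http"
    return "unknown"


def profile_device(services: Dict[int, str], raw: Dict[int, str]) -> str:
    """Step 2 from the text: fingerprint the *device* by combining evidence
    from every open port rather than labelling each port in isolation.
    These rules are constructed for the demo."""
    has_ssh = any(s.startswith("ssh/") for s in services.values())
    hint_synology = any("synology" in b.lower() for b in raw.values())
    if has_ssh and hint_synology:
        return "Synology NAS (inferred from SSH plus vendor hint on HTTP)"
    if has_ssh:
        return "generic Linux/Unix host"
    return "unknown device"


def run_demo() -> dict:
    """Stand up two fake services, scan them plus one known-closed port, and
    return both the per-port view and the combined device view."""
    ssh_port = serve_banner(SAMPLE_BANNERS["ssh"])
    http_port = serve_banner(SAMPLE_BANNERS["http"])
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # freed again, so the scan should report it as closed
    raw = connect_scan("127.0.0.1", [ssh_port, http_port, closed_port])
    services = {p: identify_service(b) for p, b in raw.items()}
    return {
        "open_ports": sorted(raw),
        "closed_port": closed_port,
        "per_port": services,
        "device": profile_device(services, raw),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The per-port view alone would list "ssh/OpenSSH_7.4" and "http/nginx" and stop there; only the combined view reaches a statement about what the box is. Because the scanner only completes ordinary TCP handshakes and reads what the service sends, it is the well-formed-traffic style of probing the text describes, which matters when the inventory includes printers and OT gear.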
Authenticated network scans, typically employed by vulnerability scanners, use credentials to log in to the devices they’re scanning. This allows them deeper visibility into the device, such as the registry and file system. Vulnerability scanners can tell you the operating system and version for a device, like Ubuntu Linux 18.4, but they can’t tell you anything about the hardware that it’s running on, like its brand and version. For network discovery and asset inventories, knowing that a device is a Synology NAS is more meaningful than just knowing it’s a Linux-based system.
For network discovery, you need to be able to find all devices on the network, not just the managed ones. Authenticated scans only help you discover managed devices; they cannot authenticate to and discover unmanaged devices.
Penetration testers love authenticated network scanners because they can put a device on the network that listens for the next scanner that connects to it. When it does, the device will be able to collect credentials from authenticated scans and provide access to the managed devices on the network. From a network security perspective, authenticated scanning has some major potential drawbacks.
Well-known authenticated network discovery tools include LANsweeper, Virima, and Device42. While authenticated scans work well for assets you know about, they are unable to identify anything they don’t have credentials for. These tools will leave those asset fields empty, requiring input from the IT team for details.
Agent-based network discovery requires you to install an agent on each device. Solutions that leverage agents can inspect processes, file systems, memory, and the Windows registry to infer the software installed on devices, as well as detect malware. While this is useful, they can only detect devices that have agents installed. This means that a large part of your network, and the devices that pose the biggest risks (unmanaged devices), are not discovered. Unmanaged devices pose the biggest risk to your network because they are by definition not included in patching cycles or monitored.
The goal of your network discovery approach should be to give you complete visibility of your assets. By missing unmanaged assets, you have no visibility into IoT, legacy, and guest devices.
Examples of tools that employ agent-based discovery include:
Passive network monitoring sniffs traffic on the network. To monitor the network, these solutions need to tap SPAN ports, which can be very difficult to set up in complex networks.
With passive monitoring, solutions can only hear devices that talk on the network. Devices that don’t generate traffic, or don’t actively communicate on an open port, can’t be discovered with this approach. For example, if an orphaned device does not create network traffic, or an IoT device does not actively communicate on an open port, passive scanning cannot detect it.
Passive scanning solutions include Zeek, Nessus Network Monitor, and Armis. Generally, passive scanning is safe to implement across your network, but the solutions are really difficult to deploy. And ultimately, they can’t provide a full picture of your network because they can miss devices that don’t actively communicate on open ports.
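An added example of the passive approach (written for this article; it is not Zeek's, Nessus Network Monitor's or Armis's code): it builds an asset inventory from a few constructed Zeek-style conn.log records and then checks that inventory against a constructed list of known assets, which is where a device that never talks shows up as a gap. The field names and conn_state values follow Zeek's conn.log; the IP addresses, the records and the known-asset list are constructed for the demo.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample in Zeek conn.log layout (tab-separated, with a #fields
# header). Only a subset of Zeek's real columns is used. The addresses are
# made up: 10.0.0.5 is a client, .20/.21 are servers, .22 refuses a
# connection (REJ), .30 only chatters to an mDNS multicast group.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "conn_state"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "string", "string"],
    ["1700000000.10", "C1", "10.0.0.5", "51000", "10.0.0.20", "443", "tcp", "ssl", "SF"],
    ["1700000001.20", "C2", "10.0.0.5", "51001", "10.0.0.21", "22", "tcp", "ssh", "SF"],
    ["1700000002.30", "C3", "10.0.0.30", "5353", "224.0.0.251", "5353", "udp", "dns", "S0"],
    ["1700000003.40", "C4", "10.0.0.5", "51002", "10.0.0.22", "8080", "tcp", "-", "REJ"],
])

# Constructed "known assets" list, e.g. what a DHCP lease table or a previous
# active scan reported. 10.0.0.40 never sends a packet during the capture.
KNOWN_ASSETS = {"10.0.0.5": "laptop", "10.0.0.20": "web server",
                "10.0.0.21": "jump host", "10.0.0.22": "build box",
                "10.0.0.30": "printer", "10.0.0.40": "legacy PLC"}

# Zeek conn_state values that prove the responder actually accepted the
# connection (S0 = no reply, REJ = rejected, OTH = no handshake seen).
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Zeek-style conn.log text into one dict per record, keyed by the
    column names from the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):       # #separator, #types, #close, ...
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records


def is_host_address(addr: str) -> bool:
    """Multicast, broadcast and unspecified addresses are not assets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_multicast or ip.is_unspecified
                or ip == ipaddress.ip_address("255.255.255.255"))


def build_inventory(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Passive inventory: every host that sent or answered traffic, with the
    time window it was heard in and the services it was seen serving."""
    inventory: Dict[str, dict] = {}

    def touch(ip: str, ts: float) -> dict:
        entry = inventory.setdefault(ip, {"first_seen": ts, "last_seen": ts,
                                          "services": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        return entry

    for r in records:
        ts = float(r["ts"])
        if is_host_address(r["id.orig_h"]):
            touch(r["id.orig_h"], ts)
        if is_host_address(r["id.resp_h"]):
            entry = touch(r["id.resp_h"], ts)
            # A refused or unanswered connection proves the host exists (it
            # sent a RST) but not that the port is open, so only count
            # established connections as services.
            if r["conn_state"] in ESTABLISHED:
                service = r["service"] if r["service"] != "-" else "unknown"
                entry["services"].add(f"{r['id.resp_p']}/{r['proto']}/{service}")
    return inventory


def missing_from_passive(inventory: Dict[str, dict], known: Dict[str, str]) -> List[str]:
    """Known assets the capture never heard from: the blind spot of this method."""
    return sorted(ip for ip in known if ip not in inventory)


if __name__ == "__main__":
    inv = build_inventory(parse_conn_log(SAMPLE_CONN_LOG))
    for ip, info in sorted(inv.items()):
        print(ip, sorted(info["services"]))
    print("silent known assets:", missing_from_passive(inv, KNOWN_ASSETS))
```

Two details carry the point of the text. The multicast destination is filtered out so that the mDNS chatter from the printer registers the printer, not the group address, as an asset; and the REJ record adds 10.0.0.22 to the inventory without claiming a service, because a refused connection shows the host is there but says nothing about what it runs. The PLC that never sends a packet appears only in the "missing" list, which is exactly the kind of device an active scan would be needed to find.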
As you can see, there are quite a few ways you can perform network discovery. The method you use determines the breadth and level of fidelity you can obtain for your asset inventory. Since your asset inventory is the foundation for your IT and security programs, it’s worth exploring how unauthenticated, active discovery scanning can provide better asset visibility across your network.
runZero’s approach to active, unauthenticated discovery scanning provides the foundation you need for asset inventory, attack surface reduction, and incident response programs.