Enterprise networks have gotten so complex that any
single person rarely knows exactly what is connected to them. That could
become an issue, particularly if someone introduces an infected PC or
if disaster strikes and a portion of the network goes south.
The solution is a variety of network discovery tools and
techniques, some simple and cheap, others less so, that keep your
knowledge of what’s on the network current.
A combination of security threats, legal compliance issues, and
general troubleshooting complexity have motivated a growing number
of security consulting firms to look more closely at network
discovery as a bona fide practice area. But before you rush out and
hire someone, take stock of the skill set you have in your existing
IT organization, figure out a budget for the activity, and realize
that network discovery has multiple dimensions (this is security,
after all) and not just a one-stop shopping experience.
Larry Dietz, Research Director for The Sageza Group, in Union
City, Calif., thinks there are several things to consider.
“First, there is a basic hardware and software inventory of what
the client thinks he has out there. If you discover things that the
client doesn’t know about, then the client will think you are a
genius. Second, you need to find unauthorized hardware, such as
servers, wireless access points, and endpoints that users have
brought into the building and running on the network. Again,
whatever you can dig up is gravy.”
The Basics, And Beyond
The key takeaway here is that you need to get started, and there
are a wide variety of asset-tracking tools available. Microsoft’s
SMS, Landesk Asset
Manager and Symantec/Altiris’
Juice all are enterprise-wide tools that can capture a wide
variety of hardware and software types and be useful for IT
managers who want to ensure that they have sufficient software
licenses for the number of users, or that their corporate-owned PCs
But these tools just evaluate the basic elements, and don’t
really provide information on things like what is happening on the
network, who is bringing in personal laptops from home, and
staffers who are connecting to rogue wireless access points either
by design or mistake. For these situations, you need one or more
network analysis tools to be able to see your traffic patterns.
WildPackets.com’s OmniPeek, Network General’s Sniffer and
Visualizer product lines and Wireshark.org (formerly called
Ethereal) are all great tools for doing this, but they require a
significant investment in training to operate properly.
“Ideally, you would like to gather this data once and reuse it
for a variety of IT purposes,” says Dennis Drogseth, an analyst
with Enterprise Management Associates.
Such purposes go beyond mere discovery and could include
optimizing applications performance, network troubleshooting, and
handling compliance issues.
Part of any solid understanding of what is happening on your
network is knowing when something has changed, and being able to
react to these changes when error messages pop up or users start
calling with connection problems.
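The two ideas above, a baseline inventory of what you think is on the network and a way to notice when something has changed, can be combined in a small inventory diff. The following is an added example, not code from the article or from any of the vendors it names: it compares an authorized asset list with a discovery snapshot in a constructed "ip mac hostname" line format (the addresses, MACs and hostnames are invented for illustration) and reports devices that are not in the inventory, inventoried devices that have gone missing, and known devices whose address changed. In practice the snapshot would come from your asset tool's export and a script that collects ARP tables or DHCP leases.

```python
"""Inventory diff: flag devices seen on the network that are not in the
authorized asset list, and report what changed since the baseline.

Added example, not part of the original article. The line format, the
addresses and the hostnames below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-11-22-AA-BB-CC' and
    '0011.22aa.bbcc' compare equal regardless of which tool wrote them."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_snapshot(text: str) -> dict[str, Device]:
    """Parse 'ip mac [hostname]' lines into a dict keyed by normalized MAC.
    Blank lines and '#' comments are ignored."""
    devices: dict[str, Device] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, mac = parts[0], normalize_mac(parts[1])
        hostname = parts[2] if len(parts) > 2 else "?"
        devices[mac] = Device(mac, ip, hostname)
    return devices


def diff_inventory(authorized: dict[str, Device],
                   current: dict[str, Device]) -> dict[str, list]:
    """Compare the authorized asset list with what discovery actually saw.

    MAC is the key because IP addresses move (DHCP) while a device's
    hardware address usually does not; a new MAC is therefore the signal
    for unauthorized hardware."""
    unauthorized = [d for mac, d in current.items() if mac not in authorized]
    missing = [d for mac, d in authorized.items() if mac not in current]
    moved = [(authorized[mac], d) for mac, d in current.items()
             if mac in authorized and authorized[mac].ip != d.ip]
    return {"unauthorized": unauthorized, "missing": missing, "moved": moved}


def report(diff: dict[str, list]) -> list[str]:
    """Render the diff as one line per finding, for a ticket or a log."""
    lines = [f"UNAUTHORIZED {d.mac} {d.ip} {d.hostname}" for d in diff["unauthorized"]]
    lines += [f"MISSING      {d.mac} {d.ip} {d.hostname}" for d in diff["missing"]]
    lines += [f"MOVED        {old.mac} {old.ip} -> {new.ip} {new.hostname}"
              for old, new in diff["moved"]]
    return lines


# Constructed sample data: the authorized inventory and a later snapshot.
AUTHORIZED = """
10.0.1.10 00:11:22:33:44:01 fileserver01
10.0.1.11 00:11:22:33:44:02 printer-2f
10.0.1.20 00:11:22:33:44:03 ws-alice
"""

SNAPSHOT = """
10.0.1.10  00-11-22-33-44-01  fileserver01
10.0.1.21  0011.2233.4403     ws-alice     # DHCP handed out a new address
10.0.1.77  aa:bb:cc:dd:ee:01  wap-guest    # not in the inventory at all
"""

if __name__ == "__main__":
    findings = diff_inventory(parse_snapshot(AUTHORIZED), parse_snapshot(SNAPSHOT))
    for line in report(findings):
        print(line)
```

Running the block prints one UNAUTHORIZED line for the access point that nobody inventoried, one MISSING line for the printer, and one MOVED line for the workstation whose lease changed; the first is the one to chase, the second is worth a look (a device that disappears may have been stolen or replaced), and the third is usually noise unless the address is supposed to be static.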
A good place to learn more about this is a site called
NetPerformance.com, and in particular this posting on
change management. The site also has materials on using the
analysis tools and offers training classes as well in their
Another great source of tools for network analysis is
SolarWinds. The site sells a product called Engineers
Toolset that is available in a very affordable version for less
The final dimension is to examine your Web presence, including
looking for unauthorized but viable Web sites that IT doesn’t know
about, or potentially harmful, hostile or adversarial sites such as
those that may be run by ex-employees or those of competitors that
provide links to questionable external sites, or blogs that mention
privileged corporate information.
“This could lead to a whole series of services, such as
vulnerability assessments, patch management, and data forensics,”
What tools are available? A good place to start is to use the
free scanning tools available from either SPIdynamics.com or
Qualys.com. Both companies offer 30-day free licenses to try out
their products, along with more extensive training classes for
using the paid versions.
Another place is the self-training materials that can be found
at the Open Web Application Security
Project. It has samples for how to discover and harden Web
servers, and very detailed examples of typical Web exploits too. It
is a great place to learn more about overall Web security, as well
as what you need to do to track down other kinds of Web problems.
And sometimes just doing Google searches can be an effective means
of finding a particular site of a disgruntled ex-employee.
One tactic is to educate your C-level executives, for example through
workshops sponsored by the Secure Software Forum. (The full
schedule can be found here.)
These workshops provide a good overview of some of the problems
around software security issues, part of which is discovering which
applications are running over your enterprise network. The forum is
jointly sponsored by Microsoft and SPIdynamics.
Brian Cohen, SPIdynamics’ CEO, suggests hiring established
security firms that are doing traditional vulnerability assessments
of operating systems and networks and looking to expand their
offerings into the Web presence area. The key is having a solid
grounding in Internet security, and being able to do regular scans
to ensure that changes to a Web site haven’t opened up new
“Business managers have lots of problems they need to
investigate – compliance, security, and just general network
operations. They need to be able to analyze what’s happening on
their network and collect the evidence for taking action,
regardless of which application (email, IM, Web mail, etc.) is
involved,” says John Bennett, VP of Marketing for WildPackets.
As you can see, doing network discovery has many different
dimensions, tools, and cuts across a variety of skills. But as
Bennett says, “IT forensics itself is simply a new category of
must-have technology that is appropriate for any business manager
Article courtesy of eSecurity Planet