Network Discovery: New Category of Essential Products

Enterprise networks have gotten so complex that it is rare that any single person knows exactly what is connected to them. That could become an issue, particularly if someone brings an infected PC or if disaster strikes and a portion of the network goes south.

The solution is a variety of network discovery tools and techniques, some simple and cheap, others less so, to keep up with your knowledge of what's on the network.

A combination of security threats, legal compliance issues, and general troubleshooting complexity has motivated a growing number of security consulting firms to look more closely at network discovery as a bona fide practice area. But before you rush out and hire someone, take stock of the skill set you have in your existing IT organization, figure out a budget for the activity, and realize that network discovery has multiple dimensions (this is security, after all) and is not just a one-stop shopping experience.

Larry Dietz, research director for The Sageza Group, in Union City, Calif., thinks there are several things to consider.

"First, there is a basic hardware and software inventory of what the client thinks he has out there. If you discover things that the client doesn't know about, then the client will think you are a genius. Second, you need to find unauthorized hardware, such as servers, wireless access points, and endpoints that users have brought into the building and are running on the network. Again, whatever you can dig up is gravy."

The Basics, And Beyond

The key takeaway here is that you need to get started, and there are a wide variety of asset-tracking tools available. Microsoft's System Center, Landesk Asset Manager, and the products Symantec acquired from Altiris are all enterprise-wide tools that can capture a wide variety of hardware and software types and be useful for IT managers who want to ensure that they have sufficient software licenses for the number of users, or that their corporate-owned PCs are accountable.

But these tools just evaluate the basic elements, and don't really provide information on things like what is happening on the network, who is bringing in personal laptops from home, and staffers who are connecting to rogue wireless access points either by design or mistake. For these situations, you need one or more network analysis tools to be able to see your traffic patterns.

WildPackets.com's OmniPeek and NetScout's Sniffer and Visualizer product lines are great tools for doing this, but they require a significant investment in training to operate properly.

"Ideally, you would like to gather this data once and reuse it for a variety of IT purposes," says Dennis Drogseth, an analyst with Enterprise Management Associates.

Such purposes go beyond mere discovery and could include optimizing applications performance, network troubleshooting, and handling compliance issues. Part of any solid understanding of what is happening on your network is knowing when something has changed, and being able to react to these changes when error messages pop up or users start calling with connection problems.
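The two ideas in the passages above, finding hardware that is not in the inventory and noticing when something on the network has changed, can be demonstrated with a small reconciliation script. The following is an added example, not code from the article or from any vendor it names: it parses a neighbour-table snapshot in the format printed by `ip neigh` on Linux, checks it against a hypothetical asset list keyed by MAC address, and diffs it against an earlier snapshot to flag hosts that appeared, vanished, or changed address. The inventory, the MAC addresses, and the snapshot lines are all constructed for the demonstration; nothing here probes the network.

```python
"""Reconcile what is seen on the wire against the asset inventory.

Added example (not from the article). The discovered data is a snapshot of
a neighbour table in the format printed by `ip neigh` on Linux; the inventory
and the sample lines below are constructed for the demonstration. Nothing
here probes the network; it compares data an administrator already has.
"""
import re
from dataclasses import dataclass

# One `ip neigh` line: "<ip> dev <iface> lladdr <mac> <STATE>"; entries without
# a link-layer address (FAILED/INCOMPLETE) do not match and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str
    dev: str


def parse_neigh(lines):
    """Return {mac: Host} for every resolvable neighbour-table line."""
    hosts = {}
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        mac = m["mac"].lower()  # normalise case so inventory lookups match
        hosts[mac] = Host(ip=m["ip"], mac=mac, dev=m["dev"])
    return hosts


def reconcile(inventory, discovered, previous=None):
    """Compare a discovered snapshot with the inventory and an earlier snapshot.

    inventory: {mac: asset name} of hardware IT knows about.
    discovered, previous: {mac: Host} as returned by parse_neigh().
    """
    previous = previous or {}
    return {
        # On the network but not in the inventory: the "unauthorized hardware" case.
        "unauthorized": sorted(m for m in discovered if m not in inventory),
        # In the inventory but not seen: offline, moved, or removed.
        "missing": sorted(m for m in inventory if m not in discovered),
        # Change detection against the last snapshot.
        "appeared": sorted(m for m in discovered if m not in previous),
        "disappeared": sorted(m for m in previous if m not in discovered),
        "ip_changed": {
            m: (previous[m].ip, discovered[m].ip)
            for m in discovered
            if m in previous and previous[m].ip != discovered[m].ip
        },
    }


def format_report(report, inventory):
    """Render the reconciliation as human-readable lines."""
    def name(mac):
        return inventory.get(mac, "<unknown>")
    out = []
    for key in ("unauthorized", "missing", "appeared", "disappeared"):
        for mac in report[key]:
            out.append(f"{key:12s} {mac} {name(mac)}")
    for mac, (old, new) in report["ip_changed"].items():
        out.append(f"{'ip_changed':12s} {mac} {name(mac)} {old} -> {new}")
    return out


# Constructed sample data: a hypothetical inventory and two snapshots.
INVENTORY = {
    "00:11:22:33:44:55": "fileserver01",
    "00:11:22:33:44:66": "printer-floor2",
    "aa:bb:cc:dd:ee:01": "finance-laptop",
}
PREVIOUS_SNAPSHOT = [
    "192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE",
    "192.0.2.20 dev eth0 lladdr 00:11:22:33:44:66 STALE",
    "192.0.2.30 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE",
]
CURRENT_SNAPSHOT = [
    "192.0.2.10 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE",
    "192.0.2.31 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE",  # same laptop, new address
    "192.0.2.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE",  # not in inventory
    "192.0.2.78 dev eth0 FAILED",                             # unresolved, skipped
    "192.0.2.99 dev wlan0 lladdr DE:AD:BE:EF:00:02 DELAY",    # not in inventory, upper-case MAC
]


def demo():
    """Run the reconciliation on the constructed snapshots."""
    return reconcile(INVENTORY, parse_neigh(CURRENT_SNAPSHOT), parse_neigh(PREVIOUS_SNAPSHOT))


if __name__ == "__main__":
    for line in format_report(demo(), INVENTORY):
        print(line)
```

Run on the constructed data it reports two unknown MAC addresses, the printer as missing, and the laptop's address change. Keying on MAC rather than IP is deliberate: DHCP reassigns addresses routinely, so an IP-keyed diff would raise noise for every lease renewal while hiding the device that actually matters. The same comparison works against any source that yields address pairs, such as DHCP lease files or switch MAC tables.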

A good place to learn more about this is a site called NetPerformance.com. The site also has materials on using the analysis tools and offers training classes as well in their use.

Another great source of tools for network analysis is SolarWinds. The site has a product called Engineers Toolset that sells at the low end of the price range for network analysis tools.

The final dimension is to examine your Web presence, including looking for unauthorized but viable Web sites that IT doesn't know about, or potentially harmful, hostile or adversarial sites such as those that may be run by ex-employees or those of competitors that provide links to questionable external sites, or blogs that mention privileged corporate information.

"This could lead to a whole series of services, such as vulnerability assessments, patch management, and data forensics," says Dietz.

What tools are available? A good place to start is to look for 30-day free licenses to try out scanning tools, along with more extensive training classes for using the paid versions.

Another place is the self-training materials that can be found at the Open Web Application Security Project. It has samples of how to discover and harden Web servers, and very detailed examples of typical Web exploits too. It is a great place to learn more about overall Web security, as well as what you need to do to track down other kinds of Web problems. And sometimes just doing Google searches can be an effective means of finding a particular site of a disgruntled ex-employee.

One tactic is to educate your C-level executives, by looking for workshops or passing along articles and Web sites of interest.

Brian Cohen, who was SPIdynamics' CEO before the company was acquired by HP, suggests hiring established security firms that are doing traditional vulnerability assessments of operating systems and networks and looking to expand their offerings into the Web presence area. The key is having a solid grounding in Internet security, and being able to do regular scans to ensure that changes to a Web site haven't opened up new vulnerabilities.

"Business managers have lots of problems they need to investigate -- compliance, security, and just general network operations. They need to be able to analyze what's happening on their network and collect the evidence for taking action, regardless of which application (e-mail, IM, Web mail, etc.) is involved," says John Bennett, VP of Marketing for WildPackets Inc.

As you can see, network discovery has many different dimensions, involves many tools, and cuts across a variety of skills. But as Bennett says, "IT forensics itself is simply a new category of must-have technology that is appropriate for any business manager today."

This article was adapted from Internet.com's CIO Update Web site.