Introduction

New in Open-AudIT 4.1.0, we have introduced Device Seed Discoveries. This is another type of discovery, where you provide the IP of a single "seed" device. This device is audited, and any IPs it knows about are then added to the list of IPs to be audited. Then, those devices are audited and any IPs they know of are also added to the list of IPs for auditing. This process continues within the parameters configured by the user.

Device Seed Discoveries are a good option if you know that your network consists of a range of subnets, but you're unsure what they are. Seed the discovery with a local router and watch the discovery fly!

But wait - we don't want it getting out of control, so what can we do to limit this craziness? Well, I'm glad you asked.

We have several attributes available when you create this new type of discovery to limit it.

Obviously we need the Seed IP. We also ask you for a subnet. Along with this subnet, you have an option to restrict discovery to only that subnet. This works well when (for example) you know you have several subnets that are /24s but you're just not sure what they all are. Make the discovery subnet a /16 and restrict it to that subnet. Your discovery won't go crazy trying to discover every IP it finds. It will restrict itself to only those IPs (and hence subnets) that exist inside the /16.

We also have an option to restrict discovery to private IP addresses only, so you won't try to discover the internet. You can of course try to discover the internet, but you'll only get as far as a device with credentials you can talk to, typically your gateway router. It will connect to your ISP, but you won't have credentials available for your ISP's device. Hence it won't find any more IPs and will stop there.

Discovery is smart enough to only add a new IP to the list if it hasn't already been found this discovery run. So you won't discover the same device multiple times.

One item to be aware of that I've experienced: my router's ARP cache is quite long-lived. Using the standard "must respond to ping" option, everything works as expected. If I disable this (hence try to discover every IP, regardless of it responding to a ping) then devices that are in the router's ARP cache, but not actually connected at the time, are added to the discovery. This is also the expected result, but may be "surprising" if you don't realise what's going on.

Along with those basic options, we also allow you to ping scan the defined subnet before running the discovery proper. Obviously I don't recommend doing this when you're using a /16, but for individual /24's it works great.

The usual discovery options are also present for SNMP, SSH testing, nmap rules, etc., just like a regular discovery.

How does it find "known IPs"? See below. In all cases you will need credentials to talk to the device.

your network unfold before your eyes.

Parameters

You can limit the Device Seed Discovery to fall within a strict set of parameters, including:

  • Restrict to Subnet
  • Restrict to Private

These parameters enable you to audit only what is useful and relevant to you, saving processing time and allowing you to discover your network in an orderly manner. 

We also have an option to Ping Before Scan (important for routers with long-lived ARP caches). This is usually a good idea.

All regular discovery options are also available for use in Device Seed Discoveries.

Summary

The Device Seed Discovery type is the newest highly-effective method for network crawling, giving you the ability to target your network as narrowly or as broadly as you need. It's fast, it works and it's great.

If you have an Open-AudIT Enterprise license, as well as Open-AudIT 4.1.0 or newer, you can try a Device Seed Discovery today. 

If you don't have an Enterprise license, or need to update your software, you can learn more about doing both here.


Technical Details FAQ

How does a Device Seed Discovery find known IPs?

Provided you have the correct credentials, Device Seed Discovery works as follows:

  • For SNMP devices, the SNMP OIDs for:
    • ipNetToMediaPhysAddress (1.3.6.1.2.1.4.22.1.2)
    • ipNetToPhysicalPhysAddress (1.3.6.1.2.1.4.35.1.4.3.1.4)
    • atPhysAddress (1.3.6.1.2.1.3.1.1.2)
    • ipRouteEntry (1.3.6.1.2.1.4.21.1.1)
  • For SSH devices:
    • the "arp -an" and "netstat -rn" commands
  • For Windows devices:
    • the "arp -a" command

This gives us a reasonably good coverage. Obviously your switches and routers will see the most IPs, so it's important to have SNMP access to those.

So now you can effectively crawl your networks and only target those devices that are connected at the time of discovery. It's fast, it works, it's great.
