Comprehensive inventory, discovery and management of terminal assets is the prerequisite for fine-grained management and secure office operations.
The difficulty lies in the variety of device types (fixed, mobile, network devices, cameras, printers, etc.),
in changing personnel roles, which change a device's permissions and visibility,
and in long service lifetimes, during which equipment and personnel are replaced, making it hard to trace history.
The problem centres on the following:
Mainstream asset discovery and management systems rely on two techniques, active scanning and passive traffic discovery, and each has flaws
- Active scanning cannot find asset devices that are powered off or dormant
- Passive traffic analysis cannot find devices whose traffic does not pass through the core switch (the passive analysis appliance is attached to the core switch; see the figure below)
- Passive traffic analysis cannot find devices that were connected before the analysis began
- The temporal relationships between asset devices cannot be determined, so security risks cannot be assessed
Commonly used technical terms and concepts
- Terminal asset: the computers of the user organisation. In the security business they are used to physically locate security problems and to find the affected machine and operator in time
- ARP (Address Resolution Protocol): a protocol for obtaining a device's MAC address from its IP address
- ARP table: the cache of IP-to-MAC address mappings held in a switch
- SNMP OIDs: device information tables cached in switches and routers
- NetFlow table: per-device external flow records cached in switches and routers
- DHCP service: dynamically assigns IP addresses to devices that have just joined the network and keeps a record of all of them; when a device's lease expires, the device renews it periodically
- DNS service: resolves domain names to reachable IPs and keeps a record of the requests made by terminal devices
- Network equipment: switches and routers. They hold the ARP table, routing table, SNMP OID information and NetFlow table
- Service equipment: DHCP, DNS and similar services, which hold network and machine information about devices
- Terminal equipment: the computer hardware vendor, operating system vendor, commonly used software and usage-time patterns
- Active scanning: polls every terminal on the whole network with prefabricated network requests and infers the terminal's device information from the responses received
- Passive traffic analysis: a mirror port on the core switch feeds the traffic of all devices on the network to an analyser, which derives access relationships and some device information from it
Workflow for comprehensive discovery and management
Discover
Obtain device machine information and network connection information from 3 types of equipment (network, service, terminal) using 2 types of behaviour (active, passive), paying particular attention to timing and external connections. Disconnected devices are monitored continuously to obtain real-time information without interrupting business.
Active and passive discovery information is integrated through network equipment information
Traffic and device information are integrated through service equipment information
Its characteristics:
- Discovers powered-off and dormant asset devices
- Discovers devices whose network traffic does not pass through the core switch
- Discovers devices that were connected before the analysis began
2 behaviours \ 3 equipment types | Network equipment | Service equipment | Terminal equipment |
---|---|---|---|
Active scanning and acquisition (wide coverage, rich information) | Device external-connection time and location | Device network and machine information | Agents running on the device (such as antivirus software) obtain comprehensive machine information; they are optional and do not affect user business |
Passive monitoring (high real-time performance) | Network-wide traffic information | Device connection and disconnection | |
Discovery principle:
- Actively obtain the IP, device and traffic information stored in network equipment and service equipment, and merge the two; this covers the whole time period (information set 1)
- Passively obtain the traffic information of the whole network; this covers only the current time period (information set 2)
- Compare the two to find devices that exist in active information set 1 but not in passive information set 2
- Analyse when the traffic from each of these devices occurred
- If its traffic occurred recently but the device is absent from the current capture, judge it to be powered off or dormant
- If its traffic occurred only in the past and the device is absent now, judge it to have been connected in the past and possibly no longer present
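The comparison above, as an added example that is not part of the original article. It assumes the active collector has already flattened ARP, DHCP and NetFlow records into one list with a last-seen timestamp per MAC, and it extends the article's rules with a fourth status for devices that appear only in the passive capture; all sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original article).
# "Active" records: everything a collector pulls from network and service
# equipment (ARP table, DHCP leases, NetFlow). They cover the whole time
# period, so each record carries the last time the device was observed.
ACTIVE_RECORDS = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10", "source": "arp",     "last_seen": "2024-05-10T09:00:00"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.1.11", "source": "dhcp",    "last_seen": "2024-05-09T18:30:00"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.2.20", "source": "netflow", "last_seen": "2024-03-01T12:00:00"},
]
# "Passive" records: MACs seen in mirrored traffic during the current window.
PASSIVE_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:09"}


def classify_assets(active, passive_macs, now, dormant_window=timedelta(days=7)):
    """Map each MAC to a status by comparing active set 1 with passive set 2.

    online         - in both sets: currently sending traffic through the mirror
    dormant_or_off - in set 1 only, seen within dormant_window: powered off/asleep
    historical     - in set 1 only, last seen before the window: may be gone
    unmanaged      - in set 2 only: traffic visible, but no record in network or
                     service equipment (an extension beyond the article's rules)
    """
    # Keep the most recent observation per MAC; several sources may report it.
    last_seen = {}
    for rec in active:
        ts = datetime.fromisoformat(rec["last_seen"])
        if rec["mac"] not in last_seen or ts > last_seen[rec["mac"]]:
            last_seen[rec["mac"]] = ts
    status = {}
    for mac, ts in last_seen.items():
        if mac in passive_macs:
            status[mac] = "online"
        elif now - ts <= dormant_window:
            status[mac] = "dormant_or_off"
        else:
            status[mac] = "historical"
    for mac in passive_macs - set(last_seen):
        status[mac] = "unmanaged"
    return status


def demo():
    """Run the classification against the constructed sample at a fixed time."""
    return classify_assets(ACTIVE_RECORDS, PASSIVE_MACS, datetime(2024, 5, 10, 12, 0))


if __name__ == "__main__":
    for mac, st in sorted(demo().items()):
        print(mac, st)
```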
Classify
Classify by device type, operating system and time, and aggregate the network access relationships between devices over time to enrich the context
Evaluate
- Identify security risks and assess compliance
- Ultimately gain situational awareness of network operational risk, assessing policy compliance and device security posture using the comprehensive context
Summary of characteristics
- Discovers assets more comprehensively
- Discovers powered-off and dormant asset devices
- Discovers devices whose network traffic does not pass through the core switch
- Discovers devices that were connected before the analysis began
- Easier classification, based on spatial and temporal context
- More accurate assessment of compliance and identification of security risks
- No interruption of and no impact on user business