Yanawut Suntornkij - stock.adobe
Discovering what's on your network is typically accomplished with ping sweeps. But there is a better way.
You want to know what's on your network. Your annual maintenance renewal audits continue to report devices that should be on your network, but you don't know where they are. Or you find devices that are not covered on the maintenance agreements, especially when an old device fails and you try to get the vendor to replace it or repair it.
The new world of virtual appliances has changed network device discovery and inventory needs. These systems are simply software packages running on an x86 platform. Software licensing mechanisms help, but it would still be nice to track these instances so you know the organization is compliant with vendor licensing requirements.
Dynamic workloads are also making network discovery more challenging. A system may be in one location today and running on a different physical system tomorrow. You need to be able to quickly find where an endpoint is located when the intrusion prevention system indicates that the endpoint is trying to communicate with a known external malware site.
Ping sweeps and their role
Ping sweeps are the default tool used for network device discovery. It is a simple mechanism that only requires the endpoints and network devices to support Internet Control Message Protocol echo request/reply packets. Network scanning programs, like Nmap, and many network management systems rely on ping sweeps. It is the mechanism of choice because the only information that is needed is the target IP address range.
The disadvantage of ping sweeps as a network discovery tool is they generate a lot of unnecessary network traffic. Every IP address in the search range is probed multiple times to permit Address Resolution Protocol (ARP) resolution. Addresses that are not in use are probed as well, and in many networks, that can result in a huge amount of additional processing.
Finally, ping sweeps also generate traffic from security systems safeguarding the network. That's because ping sweeps are also the mechanism that malware uses to discover neighboring devices.
With CLI or SNMP, there's a better way
There is a better alternative to ping sweeps, as long as you have access to network devices via a command-line interface (CLI), Simple Network Management Protocol (SNMP) or an API and the ability to create a script that can query network devices for some basic connectivity data. This means you'll need login or SNMP read-only credentials. The smart discovery mechanism starts with the IP address range to discover and at least one seed device -- typically, the local default router. The local router should be within the discovery address range.
Start with the seed device, and retrieve its local routing table. We're going to start with this table to discover the routing infrastructure. Identify all neighboring routers, which will appear as next-hop devices in the routing table. Note that you may need to handle multiple virtual routing and forwarding instances.
Record the addresses of those neighboring routers whose addresses are in the desired address space or routers that are advertising routes that are in the desired address space. Repeat this network device discovery process with each router that is within the search space or that is advertising routes to subnets within the search space. You now have a list of all routers in the space.
Next, for each router, retrieve its ARP table, and examine the Media Access Control (MAC) address vendor code to identify network device vendors. The network management access credentials can then be used to examine each possible network device to find its neighbors.
When a switch is identified, its forwarding address table should be retrieved. This table gets correlated with the ARP table of the routers that service that subnet to create a table that lists each IP address, its corresponding MAC address, virtual LAN ID and the interface name of the switch port to which it is connected. Adjacent switches will be identified in the bridging tables -- the bridge management information base if using SNMP. The bridging tables also provide the ability to create a diagram of the switch interconnections and the links that are blocking due to spanning tree.
So, does it work?
The above mechanism is used by Infoblox's NetMRI configuration software for network device discovery. It's much faster than ping sweeps for large address spaces, such as 10.0.0.0/8, which tend to be sparsely populated.
A large network space could be discovered in an hour. The fast discovery mechanism means it isn't expensive to run once a day, so it's easy to track all devices, including endpoints. This mechanism works well when you want to identify where a device is located and you have its IP address. The search only needs to identify the subnet and explore the switch infrastructure to find the switch interface to which a device is connected.
An inventory of connected devices is also helpful when maintenance has to be performed. If, say, a key switch has to be upgraded, you'll need to know who will be affected. Planning for moves and changes is also made more efficient if you know what devices are involved. By correlating interface utilization of endpoints with their subnet and location, you'll be able to identify servers that tend to pop up from time to time.