In an enterprise network with thousands or even tens of thousands of devices, it seems like assets are constantly coming and going. When a site or department administrator sees a new device, they are likely to be complacent and simply assume that it belongs to someone else in the enterprise rather than being suspicious of the rogue device.
Rogue or unknown devices that are added to the network are often missed in patch and security update deployments, and they can be a constant source of headaches when trying to proactively protect and defend a large enterprise network.
If a security incident does occur, an updated and logically organized asset inventory, combined with a current and accurate network map, will make response and forensic investigation that much simpler. If a third party or a law enforcement agency is involved, they will need an overview of the network architecture and environment in order to conduct an investigation.
Policies should be written to define how new assets are added, and the steps that must be taken to include them in the asset inventory and on the network map before they join the network. But, no matter how foolproof that policy may be, it is virtually inevitable that new, rogue devices will eventually appear on the network.
To detect rogue devices, enforce the policy and ward off complacency, you can run periodic scans of the network. A wide variety of tools can scan the network and report back information about it and the devices attached. Many of the tools will report the IP address, MAC address, type of device or operating system, and more. Below are a few tools you can consider for network mapping:
- LANsurveyor from SolarWinds
- Visio from Microsoft
- WhatsUp Gold from Ipswitch
- SuperScan from Foundstone
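A periodic scan only catches rogue devices if its results are compared against the asset inventory. The sketch below is an added example, not part of the original article or any of the tools listed: it reconciles one scan against the inventory by MAC address. The CSV column layouts, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data; the column layout is an assumption, not any tool's real export format.
INVENTORY_CSV = """asset_id,mac,ip,owner
A-0001,00:1A:2B:3C:4D:5E,10.0.1.10,finance
A-0002,00-1a-2b-3c-4d-5f,10.0.1.11,finance
A-0003,001A.2B3C.4D60,10.0.2.20,engineering
"""

SCAN_CSV = """ip,mac,os
10.0.1.10,00:1a:2b:3c:4d:5e,Windows
10.0.1.99,00:1A:2B:3C:4D:5F,Windows
10.0.1.50,DE:AD:BE:EF:00:01,Linux
"""


def normalize_mac(mac):
    """Reduce colon, dash and dotted MAC notations to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def reconcile(inventory_csv, scan_csv):
    """Compare one scan against the inventory and return the three kinds of discrepancy."""
    inventory = {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(scan_csv))}
    report = {"rogue": [], "moved": [], "missing": []}
    for mac, host in seen.items():
        asset = inventory.get(mac)
        if asset is None:
            # On the wire but not in the inventory: candidate rogue device.
            report["rogue"].append((host["ip"], host["mac"], host["os"]))
        elif asset["ip"] != host["ip"]:
            # Known asset at an unrecorded address: inventory or network map is stale.
            report["moved"].append((asset["asset_id"], asset["ip"], host["ip"]))
    for mac, asset in inventory.items():
        if mac not in seen:
            # Inventoried but silent: powered off, retired, or outside the scanned range.
            report["missing"].append(asset["asset_id"])
    return report


if __name__ == "__main__":
    for kind, rows in reconcile(INVENTORY_CSV, SCAN_CSV).items():
        print(kind, rows)
```

A MAC address can be changed by whoever controls the device, so a match against the inventory is a baseline check rather than proof that the device is the recorded asset.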
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security (http://netsecurity.about.com), providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security (http://www.tonybradley.com).