Network discovery
About Network discovery
Nanitor collects data from its distributed agents and collectors. If there are unknown assets on your network(s) they pose a potential security risk. Nanitor has the ability to discover those unknown assets and display those devices in the asset inventory. Those unknown devices will be listed and handled as "rogue" devices in Nanitor. Additionally, these devices can be flagged as issues right off the bat and added to remediation projects.
This discovery happens passively at the agent, which simply collects the connection table from the device it runs on. By aggregating information about who is talking to whom, you get a good view of which devices are active on the network, and thereby discover rogue devices. By installing agents on these rogue devices you bring them into the fold and they are no longer rogue. If they are truly rogue, you know about them and can have them removed from the network.
Enable Network discovery
To be able to discover unknown network devices you need to enable this feature from the settings menu (Organization Management -> Settings). In the settings menu select the general tab.
Now tick the "Enable Network Discovery feature" checkbox.
Network Inventory
That is only the first step, as you must also confirm which networks you want discovery to run on. Navigate to the Network inventory (Inventory -> Networks), which lists all networks captured by Nanitor together with the number of assets detected on each network.
You will need to decide which networks to enable network discovery on. The general advice and best practice is to enable it on all networks that interconnect at your company, even if the connection is through a firewall. Only disable networks that you know are not connected to you in any manner. Since this discovery is performed by agents on machines, a laptop with an agent could pick up devices in a coffee shop or on a home network, so if you know a network is not in use in your organization you can disable it. The safe approach and best practice is to enable all networks to enhance visibility. After all, you can't protect what you can't see.
On the Network inventory (Inventory -> Networks) screen, in the Network Discovery Column, click on the pencil for the row you want to enable network discovery on then select "yes" in the dropdown. Don't forget to save the selected choice by pressing the green arrow.
In the network inventory you will see:
- the number of rogue assets
- the number of total assets
The difference between the two numbers (total number of assets minus the number of rogue devices) tells you how many devices are monitored by Nanitor (either with an agent or a collector).
Rogue devices issues
Nanitor will list all rogue devices in your IT environment when discovery is enabled. However, it will not raise an issue for them by default. If you want Nanitor to additionally create an issue for each discovered device, enable this in the Issue configuration menu (Organization management -> Settings -> Issues) by ticking "Rogue device discovered on the network".
The selected severity will determine the issue priority of a raised issue by Nanitor.
- Minor -> 1
- Medium -> 4
- High -> 7
- Critical -> 9
Rogue device issues are categorized as issues of type "Device" and are given the prefix "Rogue device discovered" by default.
Asset priority of Rogue devices
Rogue devices get an asset priority rating of 1 by default. The asset priority is raised when there are other assets on the same network with a higher asset priority rating.
Rogue devices hostname
All discovered rogue devices appear in the asset list with the asset type "Rogue" and the asset state "Rogue".
Rogue devices have hostnames in the form: hostname (vendor) [hardware_address]. The vendor is obtained from a list of known hardware addresses (MAC addresses), and the hostname is retrieved via reverse DNS lookup.
Depending on the information known about the device, the hostname can also take one of the following forms:
- No hostname is known:
vendor [hardware_address]
- No vendor is known:
hostname (Unknown) [hardware_address]
- Neither a hostname nor a vendor is known:
Unknown [hardware_address]
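As an added example (not Nanitor's own code), the following Python builds the rogue asset name from whatever is known about a device, and parses such a name back into its parts, which is useful when working with an asset-list export. The OUI vendor table and the device data are constructed samples, not Nanitor's real list.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Name grammar documented for rogue assets:
#   hostname (vendor) [hardware_address]   full information
#   vendor [hardware_address]              no hostname known
#   hostname (Unknown) [hardware_address]  no vendor known
#   Unknown [hardware_address]             neither known
ROGUE_NAME_RE = re.compile(
    r"^(?:(?P<host>\S+) \((?P<vendor>[^()]+)\)|(?P<vendor_only>[^()\[\]]+)) "
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]$"
)

# Constructed OUI sample (assumption: stands in for Nanitor's real vendor list).
OUI_VENDORS = {"00:50:56": "VMware", "b8:27:eb": "Raspberry Pi Foundation"}


@dataclass
class RogueDevice:
    mac: str
    hostname: Optional[str] = None  # None when reverse DNS returned nothing
    vendor: Optional[str] = None    # None when the OUI is not in the list


def vendor_for_mac(mac: str) -> Optional[str]:
    """Look up the first three octets (the OUI) in the vendor table."""
    return OUI_VENDORS.get(mac.lower()[:8])


def observe(mac: str, hostname: Optional[str] = None) -> RogueDevice:
    """Combine a seen MAC and (optional) reverse-DNS name into a device record."""
    return RogueDevice(mac.lower(), hostname or None, vendor_for_mac(mac))


def display_name(dev: RogueDevice) -> str:
    """Build the asset-list name in exactly one of the four documented forms."""
    mac = dev.mac.lower()
    if dev.hostname and dev.vendor:
        return f"{dev.hostname} ({dev.vendor}) [{mac}]"
    if dev.hostname:
        return f"{dev.hostname} (Unknown) [{mac}]"
    if dev.vendor:
        return f"{dev.vendor} [{mac}]"
    return f"Unknown [{mac}]"


def parse_display_name(name: str) -> RogueDevice:
    """Recover hostname, vendor and MAC from a rogue asset name."""
    m = ROGUE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a rogue asset name: {name!r}")
    host = m.group("host")
    vendor = m.group("vendor") if host else m.group("vendor_only")
    return RogueDevice(m.group("mac"), host, None if vendor == "Unknown" else vendor)
```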