Asset Manager Technical Essentials

Asset Manager is a network visibility solution that gives organizations a complete understanding of all connections and devices within an enterprise. The Command Center and Scout components share a common code base, operating system, support libraries, and versioning schema. Together they uncover non-compliant network events, anomalous behavior, vulnerabilities, and threats, and provide enterprise security and operations teams with analytics on them.

Asset Manager excels at indexing an organization’s connected network space and leveraging that index to perform advanced breach analytics and cybersecurity threat detection. Its use is of critical importance in enterprise-wide vulnerability management programs, breach detection initiatives, cybersecurity programs, and in operationalizing network situational awareness. Asset Manager distinguishes itself by integrating with asset-, vulnerability-, incident-, and policy-management applications, supplying them with comprehensive foundational data and amplifying the scope of their protection. Customers choose to make Asset Manager an integral part of their enterprise security stack because it provides superior results and superior security intelligence, the broadest reach and most comprehensive network coverage in the industry, authoritative leak detection, enterprise-grade user management, and a visual way to grasp the significance of unusual events, trends, security gaps, threats, and misconfigurations.

About Scouts

Scouts watch a network from remote outposts and channel their findings back to a Command Center for analysis.

Connection and upgrade operations can be controlled from the GUI of either the Command Center or the Scout itself.

Figure 1. Asset Manager Deployment Architecture

A standard installation comes with unlimited virtual Scouts, which are connected to the Command Center using TLS and TCP port 443 (see Figure 1).

From their remote vantage points, Scouts passively listen to network traffic via OSPF, BGP, ICMPv6, ARP, and DHCP. They also perform active interrogation using the ICMP, TCP, SNMP, and UDP protocols. Passive and active interrogation work together to discover comprehensive data on a network in real time.

About Asset Manager Indexing

Asset Manager uses this blend of passive listening techniques and active probing to crawl the network, identifying endpoints and network devices that are attached to the network. See Figure 2, which depicts Asset Manager indexing flow and the interplay between passive indexing (which listens to network traffic) and active indexing (which actively probes network devices).

When Asset Manager encounters a network device that can route traffic, it uses the route tables in that device as the starting point for a new round of active discovery (i.e., "recursive discovery"). This method enables Asset Manager to discover networks and devices beyond the target space originally used to seed the scan. Asset Manager repeats this process recursively until all devices that are alive on the network have been discovered, and it continues this cyclical discovery process in real time.

Figure 2. Asset Manager Indexing Flow

Passive Listening

Passive Discovery methodology involves a collector presenting itself as a non-routing router (receive only), listening to ARP traffic, and requesting OSPF and BGP updates as they occur. In this method, the collector does not route traffic, so passive discovery has no impact on network performance. Passive Discovery listens to Layer 2 broadcast traffic from ARP and DHCP. BGP and OSPF passive listening is accomplished via Layer 3 targeted Link State Advertisements from peer routers. Passive discovery interoperates with OSPF and BGP networks and is especially useful in the real-time discovery of network changes—even in very large networks in excess of 1 million devices.

Active Discovery

In Active Discovery, Asset Manager assumes the existence of a target destination (i.e., CIDR, IP, or device) without empirical evidence that it is actually there. In this type of discovery, ancillary network attributes are collected. Active Discovery of targeted networks is especially useful in providing accurate visibility at the edges of the network. Interrogations of this type take a given destination device and employ SNMP and other protocols to probe it. Active Discovery yields a rich cache of data on network equipment, not only on the targeted equipment but also on newly discovered equipment and routes passed to active discovery from passive discovery.

Zones & Collectors

Asset Manager is capable of monitoring one or more networks in separate containers, called zones. When configuring a zone, the user provides a list of CIDRs belonging to the zone. The user also defines the configuration of the indexing methods to be used, such as Path Discovery, Port Discovery, and Host Discovery. These configuration choices are defined in one or more collectors that define the overall collection methods for discovery within the zone. Collectors allow precise control over the indexing of a zone.

Recommended Rescan Intervals

Each enabled Asset Manager collector has its own rescan interval. The rescan interval controls how often the collector attempts to perform its configured active indexing on any one IP or CIDR. When a collector is done performing a set of indexing activities, it queries the Command Center for the next set of CIDRs or IPs to target with active indexing. The Command Center checks the time each item in the target database was scanned. If the duration from time-last-scanned to the present exceeds the rescan interval, then the item (CIDR or IP) is added to the collector’s next set of targets. The system treats each CIDR and IP individually when determining the next time to scan such that network capacity is not affected by the issuing of discovery packets. This and all Asset Manager activity operates far below the threshold that would trigger intrusion-detection monitors.
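The selection rule just described, as an added illustration rather than Asset Manager's own code: a per-target last-scanned record, a due check against the collector's rescan interval, and a short simulation of the five-device, 120-minute case used later in the Traffic section. The class and function names, the minute-granular clock and the one-scan-per-minute pace are assumptions.

```python
"""Rescan-interval scheduling as the page describes it: the Command Center
records when each target (CIDR or IP) was last scanned, and when a collector
asks for its next batch, every target whose age exceeds that collector's
rescan interval is handed out. Each target is judged on its own clock.

Added illustration, not Asset Manager code. Class names, the minute-based
clock and the one-target-per-minute scan pace are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Collector:
    name: str
    rescan_interval_min: int        # revisit period per target, in minutes
    targets: List[str]              # CIDRs or IPs belonging to the zone
    # target -> minute at which it was last scanned; absent means never scanned
    last_scanned: Dict[str, int] = field(default_factory=dict)


def due_targets(collector: Collector, now_min: int) -> List[str]:
    """Targets whose time-since-last-scan exceeds the rescan interval.
    A never-scanned target is always due."""
    due = []
    for t in collector.targets:
        last = collector.last_scanned.get(t)
        if last is None or now_min - last > collector.rescan_interval_min:
            due.append(t)
    return due


def next_batch(collector: Collector, now_min: int, batch_size: int) -> List[str]:
    """What the Command Center hands back when the collector asks for its next
    set of targets: never-scanned targets first, then the stalest, up to batch_size."""
    due = due_targets(collector, now_min)
    due.sort(key=lambda t: collector.last_scanned.get(t, -1))
    return due[:batch_size]


def simulate(collector: Collector, minutes: int) -> List[int]:
    """Advance a minute clock; each minute the collector scans at most one due
    target and records the time. Returns the minutes in which a scan happened,
    which shows that the rescan interval paces individual targets rather than
    switching the whole collector between 'running' and 'idle'."""
    busy = []
    for now in range(minutes):
        batch = next_batch(collector, now, batch_size=1)
        if batch:
            collector.last_scanned[batch[0]] = now
            busy.append(now)
    return busy


if __name__ == "__main__":
    # Constructed example: 5 devices, 120-minute rescan interval, 4 hours of clock.
    c = Collector("host", 120, [f"10.0.0.{i}" for i in range(1, 6)])
    print(simulate(c, 240))
```

Because the Command Center judges each CIDR or IP on its own timestamp, the simulation shows scans at minutes 0 to 4 and again at 121 to 125 with nothing in between: the interval paces revisits to individual targets rather than switching the collector on and off.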

Table 1 provides the rescan intervals recommended for use in small, medium, and large networks. Notice that rescan intervals do not apply to the passive, “listen-only” discovery types because they do not issue discovery packets.

| Indexing type | Rescan interval, SMALL networks (fewer than 200,000 devices) | Rescan interval, MEDIUM networks (200,001-500,000 devices) | Rescan interval, LARGE networks (500,001-1,000,000 devices) |
|---|---|---|---|
| Broadcast | Not applicable | Not applicable | Not applicable |
| OSPF | Not applicable | Not applicable | Not applicable |
| BGP | Not applicable | Not applicable | Not applicable |
| DNS | Not applicable | Not applicable | Not applicable |
| Host | 120 minutes | 240 minutes | 480 minutes |
| Path | 240 minutes | 480 minutes | 720 minutes |
| SNMP | 480 minutes | 720 minutes | 1440 minutes |
| Port | 180 minutes | 360 minutes | 600 minutes |
| Device Profile | 180 minutes | 360 minutes | 600 minutes |
| Leak Path | 180 minutes | 360 minutes | 600 minutes |

Table 1. Asset Manager Recommended Rescan Intervals

Asset Manager Indexing Protocols

Table 2 outlines Asset Manager indexing methods and the ports/protocols associated with each.

| Indexing type | Purpose/protocols | Protocol number (PN) or ports |
|---|---|---|
| Passive Discovery | Index real-time network change by passively participating in the control domain using OSPF, BGP, ICMPv6, ARP, DHCP, DNS | PN 1, 89; TCP 179; UDP 67, 68, 53 |
| Path Discovery | Actively index forwarders and paths using ICMP, TCP, UDP, DNS via TTL tracing and responses; index network infrastructure devices, route tables, ARP tables, switch TCAM, VLANs using SNMP, LLDP | PN 1; TCP 80, 443; UDP 53, 161, 162; user-definable ports |
| Host Discovery | Actively index devices attached to the network via ICMP, TCP, UDP, DNS, SNMP interrogation and responses | PN 1; TCP 80, 443; UDP 53, 161, 162; user-definable ports |
| Device Profile Discovery | Actively fingerprint the indexed census of devices on the network using TCP (OS detection), CIFS, HTTP/S, SNMP | TCP 80, 443, 445; UDP 161, 162 |
| Port Discovery | Actively index ports using TCP SYN/ACK responses | User-definable list or all ports (i.e., a port scan) |
| Leak Path Discovery | Actively index leak paths that exist in the L3 routed domain between network segments using Asset Manager proprietary TCP packet spoofing | PN 1; UDP 161, 162; user-definable |

Table 2. Asset Manager Ports and Protocols


Table 3 provides typical Asset Manager metrics and results based on actual field deployments. Your organization’s counts may vary from these depending on how Asset Manager is configured and your network architecture and available bandwidth.

| Metric | Results |
|---|---|
| Typical number of Asset Manager Scouts | 8-10 Scouts per Command Center |
| Rescan interval (minutes) | Minimum: 1 minute; default: 120 minutes; maximum: infinite (disabled) |
| Max rate (packets/second) | 2000 packets/second (<1% of 100 Mb/s) |
| Time to baseline network | Asset Manager indexed 300k devices in 12 hours on startup; at one particular customer, Asset Manager indexed ~40,000 devices within 1 hour on startup |
| Time to discover new device | With access to broadcast (e.g., BGP): within 1 minute; with access to DHCP or DNS: within 5 minutes; with no access to broadcast: within the rescan interval |
| Leak Path identification | If the leak path exists prior to initial device identification: 5 minutes; if the leak path exists after initial device identification: within the rescan interval |

Table 3. Typical Implementation Parameters

Asset Manager Traffic

Asset Manager generates several different types of traffic: traffic between the Command Center and Scouts; traffic from the client browser, through the Portal, to the Command Center and Scouts; and discovery traffic on the customer network. All of the traffic between and among Asset Manager Portals, Command Centers, and Scouts is transmitted securely using TLS-encrypted WebSockets on TCP port 443. Any attempt to access an Asset Manager component using a plain HTTP request is redirected to HTTPS.

This section provides more detail on the protocols and ports involved, types of encryption supported, and quantity of traffic generated.

Traffic Between Client Browser & Asset Manager Components

Traffic between the client browser and the Asset Manager application is conducted over HTTPS, typically on port 443. Traffic between the client browser and a Command Center can also be proxied through the Portal, which eliminates the need for per-browser connections to the Command Center: a single firewall opening lets the Portal handle all communications to connected Command Centers. Organizations that cannot (or prefer not to) access Command Centers directly because of firewall or policy restrictions appreciate having this alternative means of access.

The amount of traffic between the browser and Asset Manager is almost entirely dependent on the level of user activity.

  • Protocols/Ports: HTTPS:443
  • Cryptographic Protocol: TLS 1.1 and 1.2
    • Ciphers: DHE-RSA-AES256-SHA, AES256-SHA, DHE-RSA-AES192-SHA, AES192-SHA, DHE-RSA-AES128-SHA, AES128-SHA

Traffic Between Command Center & Scouts

By design, the amount of traffic between Command Centers and Scouts is relatively small. It consists only of scan configuration information and the results of scanning. On a Scout connected to a Command Center and performing light scanning, such as a /16 of address space, Asset Manager generates approximately 240 bytes/sec of traffic (i.e., approximately 1.4 packets/sec). This scales with the number of devices that Asset Manager discovers and generally stays well below 2000 bytes/sec. The traffic between the Command Center and Scouts is TCP traffic, and therefore adjusts to the characteristics of the link between Scout and Command Center.

  • Protocols/Ports: HTTPS:443
  • Cryptographic Protocol: TLS 1.1 and 1.2
    • Ciphers: DHE-RSA-AES256-SHA, AES256-SHA, DHE-RSA-AES192-SHA, AES192-SHA, DHE-RSA-AES128-SHA, AES128-SHA
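The two cipher lists above (browser to Command Center, and Command Center to Scout) are identical, so one added example serves both. It is not Asset Manager code: it decomposes the OpenSSL-style suite names into key exchange, authentication, bulk cipher and MAC following OpenSSL's naming convention (a `DHE-RSA-` prefix means ephemeral Diffie-Hellman key exchange with RSA signatures; a bare `AES…-SHA` name means static RSA key exchange), and includes a helper that connects to an endpoint and reports the protocol version and suite actually negotiated. The placeholder hostname and the function names are assumptions.

```python
"""Classify the cipher-suite names the page lists for Asset Manager's TLS
endpoints (browser <-> Command Center and Command Center <-> Scout), and
check what a live endpoint actually negotiates.

Added illustration, not Asset Manager code. The classification follows
OpenSSL's cipher naming: a "DHE-RSA-" prefix means ephemeral Diffie-Hellman
key exchange authenticated with RSA (forward secrecy); a name that starts
with the bulk cipher (e.g. "AES256-SHA") means static RSA key exchange.
The hostname under __main__ is a placeholder.
"""
import re
import socket
import ssl
from typing import Dict, List, Tuple

# Cipher list as given on the page (copied here so the example is self-contained).
PAGE_CIPHERS = [
    "DHE-RSA-AES256-SHA", "AES256-SHA", "DHE-RSA-AES192-SHA",
    "AES192-SHA", "DHE-RSA-AES128-SHA", "AES128-SHA",
]

_NAME = re.compile(
    r"^(?:(?P<kex>ECDHE|DHE)-(?P<auth>RSA|ECDSA)-)?"
    r"AES(?P<bits>128|192|256)-(?P<gcm>GCM-)?(?P<mac>SHA256|SHA384|SHA)$"
)


def classify(name: str) -> Dict[str, object]:
    """Break an OpenSSL-style AES suite name into its security-relevant parts."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kex = m.group("kex") or "RSA"          # no prefix -> static RSA key exchange
    mode = "GCM" if m.group("gcm") else "CBC"
    raw_mac = m.group("mac")
    mac = "SHA-1" if raw_mac == "SHA" else "SHA-" + raw_mac[3:]
    return {
        "name": name,
        "key_exchange": kex,
        "authentication": m.group("auth") or "RSA",
        "forward_secrecy": kex in ("DHE", "ECDHE"),
        "cipher": f"AES-{m.group('bits')}-{mode}",
        # GCM suites are AEAD: the SHA suffix names the PRF, not an HMAC
        "mac": "AEAD" if mode == "GCM" else mac,
    }


def without_forward_secrecy(names: List[str]) -> List[str]:
    """Suites whose recorded sessions could be decrypted later if the server's
    long-term RSA key were ever compromised."""
    return [n for n in names if not classify(n)["forward_secrecy"]]


def negotiated(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect with the local default TLS policy and return the (protocol
    version, cipher suite) the server actually selected. Use it to confirm
    that a deployed component prefers a forward-secret suite."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            suite, _proto, _bits = tls.cipher()
            return version, suite


if __name__ == "__main__":
    for n in PAGE_CIPHERS:
        print(classify(n))
    print("no forward secrecy:", without_forward_secrecy(PAGE_CIPHERS))
    # Placeholder host; point it at your own Command Center or Scout.
    # print(negotiated("command-center.example.internal"))
```

Of the six listed suites, the three without the `DHE-RSA-` prefix do not provide forward secrecy, and all six pair AES-CBC with an HMAC-SHA-1 MAC. `negotiated()` is the quick way to confirm which suite and protocol version a deployed component actually selects under the client's default policy.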

Discovery Traffic

Asset Manager discovery generates packets of multiple protocols and types: ping, DNS lookup, SNMP requests, and traceroute, among others. These packets use various protocols: ICMP, TCP, SNMP, and UDP. The packets are of varying sizes in the range of 52 to 1445 octets. The types of packets and protocols used are configurable by the user as part of defining a zone configuration.

Users control the quantity of packets generated by Asset Manager by setting the allowed packets per second for the interface. Recommended settings are 500 to 5000 packets per second. This value is set at the network interface level (not at the collector level), so the packets-per-second limit entering a customer network applies to a given interface. The setting serves as a "flow controller" for Asset Manager-generated traffic per interface: all collectors that use a particular interface are subject to the packet rate set for that interface. This is the most reliable means of controlling (i.e., limiting) traffic volume from Asset Manager.
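An added illustration (not Asset Manager's code) of the per-interface flow control described above: one token bucket per interface, shared by every collector that sends through it, so the combined rate from all collectors stays at the configured packets per second and a quiet spell cannot be followed by an unbounded spike. The class, the millisecond clock, the interface and collector names and the burst allowance are assumptions.

```python
"""Per-interface packet-rate cap, as the page describes it: the allowed
packets-per-second is set on the network interface, not on the collector,
and every collector sending through that interface shares the one budget.

Added illustration, not Asset Manager code. A token bucket is one standard
way to enforce such a cap; the class, the millisecond clock and the
interface/collector names are assumptions.
"""
from typing import Dict, List, Tuple


class InterfaceRateLimiter:
    """Token bucket for one interface: sustains `pps` packets/second and lets
    at most `burst` unused tokens accumulate, so idle time cannot be banked
    into a large spike later."""

    def __init__(self, name: str, pps: int, burst: int):
        self.name = name
        self.pps = pps
        self.burst = burst
        self.tokens = float(burst)          # bucket starts full
        self.last_ms = 0
        self.admitted: Dict[str, int] = {}  # collector -> packets let through
        self.deferred: Dict[str, int] = {}  # collector -> send attempts held back

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_ms
        if elapsed > 0:
            self.tokens = min(float(self.burst),
                              self.tokens + elapsed * self.pps / 1000.0)
            self.last_ms = now_ms

    def request(self, collector: str, now_ms: int, packets: int = 1) -> bool:
        """Ask to send `packets` now. True if admitted; False means the
        collector must wait for the next tick (flow control, not a drop)."""
        self._refill(now_ms)
        if self.tokens >= packets:
            self.tokens -= packets
            self.admitted[collector] = self.admitted.get(collector, 0) + packets
            return True
        self.deferred[collector] = self.deferred.get(collector, 0) + packets
        return False


def simulate(pps: int, burst: int, collectors: List[str],
             duration_ms: int) -> Tuple[Dict[str, int], int]:
    """Worst case: every collector on the interface has a packet ready every
    millisecond. The serving order rotates each tick so the shared budget is
    split evenly. Returns (admitted per collector, total admitted)."""
    iface = InterfaceRateLimiter("eth1", pps, burst)
    n = len(collectors)
    for now_ms in range(duration_ms):
        for i in range(n):
            iface.request(collectors[(now_ms + i) % n], now_ms)
    return iface.admitted, sum(iface.admitted.values())


if __name__ == "__main__":
    # Constructed scenario: three collectors share an interface capped at
    # 2000 packets/second (the "max rate" in Table 3) for two seconds.
    per_collector, total = simulate(2000, 200, ["host", "path", "port"], 2000)
    print(per_collector, total, "packets in 2 s ->", total / 2, "pps")
```

With three collectors all wanting to transmit every millisecond on an interface capped at 2000 packets/second, the simulation admits 2000 packets/second plus the small initial burst, split within one packet of evenly across the collectors; a collector that is refused simply retries on the next tick, which is what makes the setting a limiter rather than a drop policy.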

Additionally, the number of packets Asset Manager transmits is influenced by the “rescan interval” defined at the collector level. Rescan intervals set how often specific IP addresses are targeted.

They do NOT define the overall cycle at which a collector is “in action.” For example, if a collector is created with a rescan interval of 120 minutes, that defines that each IP address is to be revisited every 120 minutes. It does not mean that the collector runs for a period of time and then is quiescent for 120 minutes. Asset Manager is always running, as determined by the size of the target network and the rescan interval at which each IP in that target network is interrogated. For example, in a network of 5 devices with a rescan interval of 120 minutes, little-to-no traffic would be generated by Asset Manager for a period of time because the 5 devices would be interrogated in just a few minutes. They would not be revisited until the 120-minute rescan interval had elapsed.

Deployment of Asset Manager Components

Asset Manager administrators can deploy a Command Center or Scout system to a virtual machine and initialize it using this process.

This series describes how to fully deploy a new Asset Manager Command Center and Scouts on a VMware platform. 

  1. If you already have an installed Asset Manager system to upgrade, please refer instead to the Upgrade Process page.
  2. For information on other platforms to which Asset Manager can be deployed, please see the Supported Deployment Platforms page.
  3. For written deployment procedures (not video), scroll down.
  4. To increase the disk space for an Asset Manager system, see Increasing Disk Space in Azure.

  1. Deploy a Command Center
  2. Configure the Command Center
Pages in this chapter:

Full Deployment of an Asset Manager Command Center & Scouts
  1. Get Ready
    Fulfill prerequisites, system, and browser requirements.

  2. Download the Installation Package
    Log in to Asset Manager's secure SFTP site for the installation bundle.

  3. Allocate System Resources
    Provision your hypervisor/virtual machine manager (VMM) with resources.

  4. Open the Asset Manager OVA
    Unpack a virtual Asset Manager.

  5. Initialize Asset Manager
    Initialize your Asset Manager system from its command-line interface (CLI).

  6. Activate Your License
    Procure and import a license-key file, then activate it.