Asset Manager Technical Essentials
Asset Manager is a network visibility solution that provides organizations with a complete understanding of all connections and devices within an enterprise. The Command Center and Scout components share a common code base, operating system, support libraries, and versioning schema. All work together to uncover non-compliant network events, anomalous behavior, vulnerabilities, and threats, and to provide enterprise security and operations teams with analytics on them.
Asset Manager excels at indexing an organization’s connected network space and leveraging that index to perform advanced breach analytics and cybersecurity threat detection. Its use is of critical importance in enterprise-wide vulnerability management programs, breach detection initiatives, cybersecurity programs, and in operationalizing network situational awareness. Asset Manager distinguishes itself by integrating with asset-, vulnerability-, incident-, and policy-management applications, supplying them with comprehensive foundational data and amplifying the scope of their protection. Customers choose to make Asset Manager an integral part of their enterprise security stack because it provides superior results and superior security intelligence, the broadest reach and most comprehensive network coverage in the industry, authoritative leak detection, enterprise-grade user management, and a visual way to grasp the significance of unusual events, trends, security gaps, threats, and misconfigurations.
Scouts
Scouts participate in watching a network from remote outposts and channel their findings back to a Command Center for analysis.
They can be controlled from the GUI, either from the Command Center or from the Scout itself, to perform connection and upgrade operations.
A standard installation comes with unlimited virtual Scouts, which connect to the Command Center over TLS on TCP port 443.
From their remote vantage points, Scouts passively listen to network traffic via OSPF, BGP, ICMPv6, ARP, and DHCP. They also perform active interrogation using the ICMP, TCP, SNMP, and UDP protocols. Passive and active interrogation work together to discover comprehensive data on a network in real time.
Indexing
Asset Manager uses this blend of passive listening techniques and active probing to crawl the network, identifying endpoints and network devices that are attached to the network. See Figure 2, which depicts Asset Manager indexing flow and the interplay between passive indexing (which listens to network traffic) and active indexing (which actively probes network devices).
When Asset Manager encounters a network device that can route traffic, it uses the route tables in that device as the starting point for a new round of active discovery (i.e., "recursive discovery"). This method enables Asset Manager to discover networks and devices that are beyond the target space originally used to seed the scan. Asset Manager repeats this process recursively until all devices that are alive on the network have been discovered, and it continues this cyclical discovery process in real time.
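The recursive discovery loop described above, as an added example written for this page (not Asset Manager's own implementation): the probing of a CIDR and the SNMP route-table query are simulated with constructed route tables, and the loop shows how networks beyond the seed space are reached.

```python
import ipaddress
from collections import deque

# Constructed route tables standing in for what SNMP interrogation of a
# routing device would return: router address -> [(destination CIDR, next hop)].
# Lab-style example values, not data from any real network.
ROUTE_TABLES = {
    "10.0.0.1":   [("10.0.0.0/24", "connected"), ("10.1.0.0/24", "10.0.0.2"),
                   ("192.168.5.0/24", "10.0.0.3")],
    "10.1.0.1":   [("10.1.0.0/24", "connected"), ("172.16.0.0/24", "10.1.0.9")],
    "172.16.0.1": [("172.16.0.0/24", "connected"), ("10.0.0.0/8", "172.16.0.2")],
}

def routers_in(net):
    """Stand-in for active probing of a CIDR: the routing devices found in it."""
    return [r for r in ROUTE_TABLES if ipaddress.ip_address(r) in net]

def read_route_table(router):
    """Stand-in for the SNMP route-table query of a discovered router."""
    return ROUTE_TABLES.get(router, [])

def recursive_discovery(seed_cidrs):
    """Expand the target space from the seed CIDRs via router route tables.

    Each CIDR is probed once; every routing device found inside it contributes
    the destination networks of its route table as new targets. Returns the
    sorted list of networks reached and the routers that were interrogated.
    """
    known = {ipaddress.ip_network(c) for c in seed_cidrs}
    queue = deque(known)
    interrogated = set()
    while queue:
        net = queue.popleft()
        for router in routers_in(net):
            if router in interrogated:
                continue                      # a router may sit in several known CIDRs
            interrogated.add(router)
            for destination, _next_hop in read_route_table(router):
                dest_net = ipaddress.ip_network(destination)
                if dest_net not in known:     # new network beyond the seed space
                    known.add(dest_net)
                    queue.append(dest_net)
    return sorted(str(n) for n in known), sorted(interrogated)

if __name__ == "__main__":
    networks, routers = recursive_discovery(["10.0.0.0/24"])
    print("networks:", networks)
    print("routers interrogated:", routers)
```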
Passive Listening
Passive Discovery methodology involves a collector presenting itself as a non-routing router (receive only), listening to ARP traffic, and requesting OSPF and BGP updates as they occur. In this method, the collector does not route traffic, so passive discovery has no impact on network performance. Passive Discovery listens to Layer 2 broadcast traffic from ARP and DHCP. BGP and OSPF passive listening is accomplished via Layer 3 targeted Link State Advertisements from peer routers. Passive discovery interoperates with OSPF and BGP networks and is especially useful in the real-time discovery of network changes—even in very large networks in excess of one million devices.
Active Discovery
In Active Discovery, Asset Manager assumes the existence of a target destination (i.e., CIDR, IP, or device) without empirical evidence that it is actually there. In this type of discovery, ancillary network attributes are collected. Active Discovery of targeted networks is especially useful in providing accurate visibility at the edges of the network. Interrogations of this type take a given destination device and employ SNMP and other protocols to probe the device. Active Discovery yields a rich cache of data on network equipment—not only on the targeted equipment but also on newly discovered equipment and routes passed to active discovery from passive discovery.
Zones & Collectors
Asset Manager is capable of monitoring one or more networks in separate containers, called zones. When configuring a zone, the user provides a list of CIDRs belonging to the zone. The user also defines the configuration of the indexing methods to be used, such as Path Discovery, Port Discovery, and Host Discovery. These configuration choices are defined in one or more collectors that define the overall collection methods for discovery within the zone. Collectors allow precise control over the indexing of a zone.
Recommended Rescan Intervals
Each enabled Asset Manager collector has its own rescan interval. The rescan interval controls how often the collector attempts to perform its configured active indexing on any one IP or CIDR. When a collector is done performing a set of indexing activities, it queries the Command Center for the next set of CIDRs or IPs to target with active indexing. The Command Center checks the time each item in the target database was last scanned. If the duration from time-last-scanned to the present exceeds the rescan interval, then the item (CIDR or IP) is added to the collector’s next set of targets. The system treats each CIDR and IP individually when determining the next time to scan, so that the issuing of discovery packets does not affect network capacity. This and all Asset Manager activity operates far below the threshold that would trigger intrusion-detection monitors.
Table 1 provides the rescan intervals recommended for use in small, medium, and large networks. Notice that rescan intervals do not apply to the passive, “listen-only” discovery types because they do not issue discovery packets.
Indexing Type | Rescan interval for SMALL networks (fewer than 200,000 devices) | Rescan interval for MEDIUM networks (200,001-500,000 devices) | Rescan interval for LARGE networks (500,001-1,000,000 devices)
---|---|---|---
Broadcast | Not applicable | Not applicable | Not applicable
OSPF | Not applicable | Not applicable | Not applicable
BGP | Not applicable | Not applicable | Not applicable
DNS | Not applicable | Not applicable | Not applicable
Host | 120 Minutes | 240 Minutes | 480 Minutes
Path | 240 Minutes | 480 Minutes | 720 Minutes
SNMP | 480 Minutes | 720 Minutes | 1440 Minutes
Port | 180 Minutes | 360 Minutes | 600 Minutes
Device Profile | 180 Minutes | 360 Minutes | 600 Minutes
Leak Path | 180 Minutes | 360 Minutes | 600 Minutes

Table 1. Asset Manager Recommended Rescan Intervals
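The target-selection rule described in the Recommended Rescan Intervals section, combined with the Table 1 values, as an added example written for this page (not Asset Manager's own code). It assumes a never-scanned target is always due, and it treats a count of exactly 200,000 devices as medium since the table's bands leave that value unassigned.

```python
from datetime import datetime, timedelta

# Recommended active-indexing rescan intervals from Table 1, in minutes.
# Passive types (Broadcast, OSPF, BGP, DNS) have no interval and are omitted.
RECOMMENDED_RESCAN_MINUTES = {
    "Host":           {"small": 120, "medium": 240, "large": 480},
    "Path":           {"small": 240, "medium": 480, "large": 720},
    "SNMP":           {"small": 480, "medium": 720, "large": 1440},
    "Port":           {"small": 180, "medium": 360, "large": 600},
    "Device Profile": {"small": 180, "medium": 360, "large": 600},
    "Leak Path":      {"small": 180, "medium": 360, "large": 600},
}

def network_size(device_count):
    """Map a device count onto the small/medium/large bands of Table 1.
    Exactly 200,000 is not covered by the table; it is treated as medium here."""
    if device_count < 200_000:
        return "small"
    if device_count <= 500_000:
        return "medium"
    return "large"

def due_targets(indexing_type, device_count, last_scanned, now):
    """Return the targets the Command Center would hand the collector next.

    last_scanned maps each CIDR/IP string to the datetime of its last scan, or
    None if it was never scanned (assumed always due). A target is due when
    now - last_scanned exceeds the rescan interval; each CIDR/IP is judged
    individually, as the text describes.
    """
    minutes = RECOMMENDED_RESCAN_MINUTES[indexing_type][network_size(device_count)]
    interval = timedelta(minutes=minutes)
    return sorted(target for target, when in last_scanned.items()
                  if when is None or now - when > interval)

# Constructed sample: a medium network (300,000 devices) with a Host collector
# (240-minute interval), evaluated at a fixed point in time.
NOW = datetime(2024, 1, 1, 12, 0)
SAMPLE_LAST_SCANNED = {
    "10.1.0.0/24": NOW - timedelta(minutes=300),  # overdue -> due
    "10.2.0.0/24": NOW - timedelta(minutes=60),   # recently scanned -> not due
    "10.3.0.7":    None,                          # never scanned -> due
    "10.4.0.0/24": NOW - timedelta(minutes=240),  # exactly at interval -> not due
}

if __name__ == "__main__":
    print(due_targets("Host", 300_000, SAMPLE_LAST_SCANNED, NOW))
```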
Indexing Protocols
Table 2 outlines Asset Manager indexing methods and the ports and protocols associated with each.
Indexing Type | Purpose & Protocols | Protocol # (PN) or Ports
---|---|---
Passive Discovery | Index real-time network change by passively participating in the control domain using OSPF, BGP, ICMPv6, ARP, DHCP, DNS |
Path Discovery | Actively index forwarders and paths using ICMP, TCP, UDP, DNS via TTL-tracing and responses |
Host Discovery | Actively index devices attached to the network via ICMP, TCP, UDP, DNS, SNMP interrogation and responses |
Device Profile Discovery | Actively fingerprint the indexed census of devices on the network using TCP (OS detection), CIFS, HTTP/S, SNMP |
Port Discovery | Actively index ports by using TCP SYN/ACK response |
Leak Path Discovery | Actively index leak paths that exist in the L3 routed domain between network segments using Asset Manager proprietary TCP packet spoofing |

Table 2. Asset Manager Ports and Protocols
Table 3 provides typical Asset Manager metrics and results based on actual field deployments. Your organization’s counts may vary from these depending on how Asset Manager is configured and your network architecture and available bandwidth.
Metric | Results
---|---
Typical number of Asset Manager Scouts | 8-10 Scouts/Command Center
Rescan interval (minutes) | Minimum: 1 minute; Default: 120 minutes; Maximum: infinite (disabled)
Max rate (packets/second) | 2000 packets/second (<1% of 100 Mb/s)
Time to baseline network | Asset Manager indexed 300k devices in 12 hours on startup; at one particular customer, Asset Manager indexed ~40,000 devices within 1 hour on startup.
Time to discover new device | With access to broadcast (e.g., BGP): within 1 minute; with access to DHCP or DNS: within 5 minutes; with no access to broadcast: within rescan interval
Leak Path Identification | If Leak Path exists prior to initial device identification: 5 minutes; if Leak Path exists after initial device identification: rescan interval

Table 3. Typical Implementation Parameters