Asset Manager Technical Essentials

Asset Manager is a network visibility solution that provides organizations with a complete understanding of all connections and devices within an enterprise. The Command Center and Scout components share a common code base, operating system, support libraries, and versioning schema. All work together to uncover and provide enterprise security and operations teams with analytics on non-compliant network events, anomalous behavior, vulnerabilities, and threats.

Asset Manager excels at indexing an organization’s connected network space and leveraging that index to perform advanced breach analytics and cybersecurity threat detection. Its use is of critical importance in enterprise-wide vulnerability management programs, breach detection initiatives, cybersecurity programs, and in operationalizing network situational awareness. Asset Manager distinguishes itself by integrating with asset-, vulnerability-, incident-, and policy-management applications, supplying them with comprehensive foundational data and amplifying the scope of their protection. Customers choose to make Asset Manager an integral part of their enterprise security stack because it provides superior results and superior security intelligence, the broadest reach and most comprehensive network coverage in the industry, authoritative leak detection, enterprise-grade user management, and a visual way to grasp the significance of unusual events, trends, security gaps, threats, and misconfigurations.

Scouts

Scouts participate in watching a network from remote outposts and channel their findings back to a Command Center for analysis. 

They can be controlled from the GUI, either from the Command Center or Scout itself, to do connection and upgrade operations.

A standard installation comes with unlimited virtual Scouts, which connect to the Command Center over TLS on TCP port 443.

From their remote vantage points, Scouts passively listen to network traffic via OSPF, BGP, ICMPv6, ARP, and DHCP. They also perform active interrogation using ICMP, TCP, SNMP, and UDP protocols. Passive and active interrogation work together to discover comprehensive data on a network in real-time.

Indexing

Asset Manager uses this blend of passive listening techniques and active probing to crawl the network, identifying endpoints and network devices that are attached to the network. See Figure 2, which depicts Asset Manager indexing flow and the interplay between passive indexing (which listens to network traffic) and active indexing (which actively probes network devices).

When Asset Manager encounters a network device that can route traffic, it uses the route tables in that device as the starting point for a new round of active discovery (i.e., "recursive discovery"). This method enables Asset Manager to discover networks and devices that lie beyond the target space originally used to seed the scan. Asset Manager repeats this process recursively until all devices that are alive on the network have been discovered, and it continues this cyclical discovery process in real time.
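The recursion described above, reduced to its control loop, as an added example that is not Asset Manager's own code. It assumes a constructed set of route tables (documentation and RFC 1918 addresses only) and a stand-in probe function; the one design point worth seeing is that a zone's CIDR list bounds the recursion, so prefixes learned from a route table that fall outside the zone are reported but never crawled:

```python
import ipaddress
from collections import deque

# Constructed sample data (not from Asset Manager): each routing device,
# keyed by its management IP, exposes the prefixes in its route table.
ROUTE_TABLES = {
    "10.0.0.1": ["10.0.0.0/24", "10.1.0.0/24", "192.0.2.0/24"],
    "10.1.0.1": ["10.1.0.0/24", "10.2.0.0/24"],
    "10.2.0.1": ["10.2.0.0/24", "10.1.0.0/24"],   # points back: loop test
    "192.0.2.1": ["192.0.2.0/24", "198.51.100.0/24"],
}


def probe_route_table(ip):
    """Stand-in for an active interrogation (e.g. SNMP) of one address.
    Returns the device's route table if it is a router, otherwise None
    (a plain host, or nothing answered)."""
    return ROUTE_TABLES.get(str(ip))


def in_zone(prefix, zone):
    """A learned prefix is in scope only if it lies inside a zone CIDR."""
    return any(prefix.subnet_of(z) for z in zone)


def recursive_discovery(seed_cidrs, zone_cidrs, probe=probe_route_table):
    """Breadth-first recursive discovery.

    Every address in each in-scope prefix is interrogated; any router found
    contributes its route table as new seeds. Prefixes already indexed are
    skipped (so routing loops terminate) and prefixes outside the zone are
    recorded rather than crawled.
    """
    zone = [ipaddress.ip_network(c) for c in zone_cidrs]
    queue = deque(ipaddress.ip_network(c) for c in seed_cidrs)
    indexed, routers, out_of_scope = set(), {}, set()

    while queue:
        prefix = queue.popleft()
        if prefix in indexed:
            continue
        indexed.add(prefix)
        for host in prefix.hosts():
            table = probe(host)
            if table is None:
                continue
            routers[str(host)] = table
            for learned in table:
                net = ipaddress.ip_network(learned)
                if net in indexed:
                    continue
                if in_zone(net, zone):
                    queue.append(net)
                else:
                    out_of_scope.add(str(net))

    return {
        "prefixes_indexed": sorted(str(p) for p in indexed),
        "routers": routers,
        "out_of_scope": sorted(out_of_scope),
    }


if __name__ == "__main__":
    result = recursive_discovery(["10.0.0.0/24"], ["10.0.0.0/8"])
    print("indexed:", result["prefixes_indexed"])
    print("routers:", sorted(result["routers"]))
    print("learned but out of zone:", result["out_of_scope"])
```

Widening the zone list (for example adding 192.0.2.0/24) lets the crawl follow that router's table one hop further; the stop condition is always the zone definition, not the shape of the network.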

Passive Listening

Passive Discovery methodology involves a collector presenting itself as a non-routing router (receive only), listening to ARP traffic, and requesting OSPF and BGP updates as they occur. In this method, the collector does not route traffic, so passive discovery has no impact on network performance. Passive Discovery listens to Layer 2 broadcast traffic from ARP and DHCP. BGP and OSPF passive listening is accomplished via Layer 3 targeted Link State Advertisements from peer routers. Passive discovery interoperates with OSPF and BGP networks and is especially useful in the real-time discovery of network changes—even in very large networks in excess of one million devices.

Active Discovery

In Active Discovery, Asset Manager assumes the existence of a target destination (i.e., CIDR, IP, or device) without empirical evidence that it is actually there. In this type of discovery, ancillary network attributes are collected. Active Discovery of targeted networks is especially useful in providing accurate visibility at the edges of the network. Interrogations of this type take a given destination device and employ SNMP and other protocols to probe the device. Active Discovery yields a rich cache of data on network equipment—not only on the targeted equipment but also on newly discovered equipment and routes passed to active discovery from passive discovery.

Zones & Collectors

Asset Manager is capable of monitoring one or more networks in separate containers, called zones. When configuring a zone, the user provides a list of CIDRs belonging to the zone. The user also defines the configuration of the indexing methods to be used, such as Path Discovery, Port Discovery, and Host Discovery. These configuration choices are defined in one or more collectors that define the overall collection methods for discovery within the zone. Collectors allow precise control over the indexing of a zone.

Recommended Rescan Intervals

Each enabled Asset Manager collector has its own rescan interval. The rescan interval controls how often the collector attempts to perform its configured active indexing on any one IP or CIDR. When a collector is done performing a set of indexing activities, it queries the Command Center for the next set of CIDRs or IPs to target with active indexing. The Command Center checks the time each item in the target database was scanned. If the duration from time-last-scanned to the present exceeds the rescan interval, then the item (CIDR or IP) is added to the collector’s next set of targets. The system treats each CIDR and IP individually when determining the next time to scan such that network capacity is not affected by the issuing of discovery packets. This and all Asset Manager activity operates far below the threshold that would trigger intrusion-detection monitors.
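The scheduling rule in the paragraph above, written out as an added example (not Asset Manager's code; the target database schema, the timestamps and the `next_targets` and `record_scan` names are constructed for illustration). It uses the small-network intervals from Table 1 and the 1-minute minimum and "infinite (disabled)" maximum from Table 3: a passive or disabled collector has interval None and never receives targets, every CIDR and IP is judged on its own last-scan time, never-scanned items go first, and the batch can be capped so the collector's packet rate stays predictable:

```python
from datetime import datetime, timedelta, timezone

# Rescan intervals in minutes for a small network, taken from Table 1.
# Passive, listen-only collectors have no interval (None): they issue no
# discovery packets, so there is nothing to reschedule.
RESCAN_INTERVAL_MINUTES = {
    "Broadcast": None, "OSPF": None, "BGP": None, "DNS": None,
    "Host": 120, "Path": 240, "SNMP": 480, "Port": 180,
    "Device Profile": 180, "Leak Path": 180,
}

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# Constructed target database (not Asset Manager's real schema): for each
# CIDR or IP in a zone, the time each collector last indexed it, or None
# if that collector has never touched it.
TARGET_DB = {
    "10.0.0.0/24": {"Host": NOW - timedelta(minutes=130),
                    "Path": NOW - timedelta(minutes=100)},
    "10.0.1.0/24": {"Host": NOW - timedelta(minutes=30), "Path": None},
    "10.0.2.7":    {"Host": None, "Path": NOW - timedelta(minutes=250)},
}


def next_targets(collector, target_db, intervals=RESCAN_INTERVAL_MINUTES,
                 now=None, limit=None):
    """Return the CIDRs/IPs the named collector should actively index next.

    An item is due when this collector has never indexed it, or when the
    time since its last scan exceeds the collector's rescan interval. Each
    CIDR and IP is judged on its own timestamp. A None interval means the
    collector is passive or disabled, so nothing is ever due.
    """
    interval = intervals.get(collector)
    if interval is None:
        return []
    # Table 3 gives 1 minute as the smallest configurable interval.
    window = timedelta(minutes=max(int(interval), 1))
    now = now or datetime.now(timezone.utc)

    due = []
    for target, scans in target_db.items():
        last = scans.get(collector)
        if last is None or now - last > window:
            due.append((last, target))
    # Never-scanned items first, then the most stale ones.
    due.sort(key=lambda item: (item[0] is not None, item[0] or now))
    ordered = [target for _, target in due]
    return ordered[:limit] if limit else ordered


def record_scan(target_db, target, collector, when):
    """Mark a target as indexed by a collector at time `when`."""
    target_db.setdefault(target, {})[collector] = when


if __name__ == "__main__":
    for name in ("Host", "Path", "OSPF"):
        print(name, "->", next_targets(name, TARGET_DB, now=NOW))
```

Note that an item whose age equals the interval exactly is not yet due; the text says the interval must be exceeded, and the comparison above follows that.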

Table 1 provides the rescan intervals recommended for use in small, medium, and large networks. Notice that rescan intervals do not apply to the passive, “listen-only” discovery types because they do not issue discovery packets.

| Indexing Type | Rescan interval for SMALL networks (fewer than 200,000 devices) | Rescan interval for MEDIUM networks (200,001-500,000 devices) | Rescan interval for LARGE networks (500,001-1,000,000 devices) |
|---|---|---|---|
| Broadcast | Not applicable | Not applicable | Not applicable |
| OSPF | Not applicable | Not applicable | Not applicable |
| BGP | Not applicable | Not applicable | Not applicable |
| DNS | Not applicable | Not applicable | Not applicable |
| Host | 120 minutes | 240 minutes | 480 minutes |
| Path | 240 minutes | 480 minutes | 720 minutes |
| SNMP | 480 minutes | 720 minutes | 1440 minutes |
| Port | 180 minutes | 360 minutes | 600 minutes |
| Device Profile | 180 minutes | 360 minutes | 600 minutes |
| Leak Path | 180 minutes | 360 minutes | 600 minutes |

Table 1. Asset Manager Recommended Rescan Intervals

Indexing Protocols

Table 2 outlines Asset Manager indexing methods and the ports and protocols associated with each.

| Indexing Type | Purpose & Protocols | Protocol # (PN) or Ports |
|---|---|---|
| Passive Discovery | Index real-time network change by passively participating in the control domain using OSPF, BGP, ICMPv6, ARP, DHCP, DNS | PN 1, 89; TCP 179; UDP 67, 68, 53 |
| Path Discovery | Actively index forwarders and paths using ICMP, TCP, UDP, DNS via TTL-tracing and responses; index network infrastructure devices, route tables, ARP tables, switch TCAM, VLANs using SNMP, LLDP | PN 1; TCP 80, 443; UDP 53, 161, 162; user-definable ports |
| Host Discovery | Actively index devices attached to the network via ICMP, TCP, UDP, DNS, SNMP interrogation and responses | PN 1; TCP 80, 443; UDP 53, 161, 162; user-definable ports |
| Device Profile Discovery | Actively fingerprint the indexed census of devices on the network using TCP (OS detection), CIFS, HTTP/S, SNMP | TCP 80, 443, 445; UDP 161, 162 |
| Port Discovery | Actively index ports by using TCP SYN/ACK response | User-definable list or all (e.g., port scan) |
| Leak Path Discovery | Actively index leak paths that exist in the L3 routed domain between network segments using Asset Manager proprietary TCP packet spoofing | PN 1; UDP 161, 162; user-definable |

Table 2. Asset Manager Ports and Protocols

Table 3 provides typical Asset Manager metrics and results based on actual field deployments. Your organization’s counts may vary from these depending on how Asset Manager is configured and your network architecture and available bandwidth.

| Metric | Results |
|---|---|
| Typical number of Asset Manager Scouts | 8-10 Scouts per Command Center |
| Rescan interval (minutes) | Minimum: 1 minute; default: 120 minutes; maximum: infinite (disabled) |
| Max rate (packets/second) | 2000 packets/second (<1% of 100 Mb/s) |
| Time to baseline network | Asset Manager indexed 300k devices in 12 hours on startup; at one particular customer, Asset Manager indexed ~40,000 devices within 1 hour on startup |
| Time to discover new device | With access to broadcast (e.g., BGP): within 1 minute; with access to DHCP or DNS: within 5 minutes; with no access to broadcast: within the rescan interval |
| Leak Path identification | If the leak path exists prior to initial device identification: 5 minutes; if the leak path appears after initial device identification: within the rescan interval |

Table 3. Typical Implementation Parameters