What Is a Zone?

A zone is any set of devices you want to monitor as a unit, for example, a subnet, an enclave, or a business unit. Typically, an organization contains multiple zones.

Zones control user access and delimit the scope of information that can be displayed on the map. Regarding access, a zone may grant one set of users access to the New York zone but not the London or Zurich zones.Regarding mapping, only elements belonging to a particular zone can be mapped together. When defining a zone, include devices and/or CIDRs you want to see on a single map as members of the same zone. There are often many zones in an enterprise, so give each a distinguishable name. Set criteria defining zone membership (e.g., unifying features and purpose) and standardize your naming conventions.

Within the zone container, Asset Manager keeps you continuously apprised of network assets and activity: what's there, what's there but inactive, what's there but shouldn't be, what's behaving, what's misbehaving, what can get in from outside, what can get out from inside, what's sound, and what's vulnerable to exploitation. Indexing assets discovered within a zone is central to reducing your network's risk profile and vulnerability to exploitation.

In Asset Manager, and as a best practice, assign sets of connected devices (subnets) to a single zone. Assign isolated segments to separate zones. The benefit of this practice becomes apparent when you map zones:  When you group segmented zones by the first octet of the IP address, isolated segments with no connectivity between them display as a single cloud entity. You can validate that the subnets are in fact isolated from each other by regrouping the zone more granularly---by second or third octet.

Zones delimit the scope of information that can be displayed on an Asset Manager map. To map a particular network view, all elements belonging to that view must be contained in a single zone. When planning a zone definition, be sure to include elements you want to see on one map as members of a single zone. Also, be thoughtful about how you name them. There are usually many zones in an enterprise, so it's a good practice to name each zone based on its unifying features and purpose. Set criteria defining zone membership and standardize your naming convention.

After you have defined and planned your zones, configure them in Asset Manager.  Here's an overview of the  process:

  1. In Settings > Zonesadd a zone and name it.

  1. In Settings > Zones > Zone Networks, define zone members in terms CIDR blocks, subnets, and IP address space.
    This definition is expressed as Known, Eligible and Internal lists.

Known - Enables you to define and label devices via associated CIDR blocks as "known" for reporting and analysis purposes. The Known list has no affect on discovery or indexing. It is associated with reporting results only. Think of theKnown list as "networks your company knows about and has under active management."

Eligible -The Eligible list is the set of networks you give Asset Manager permission to probe. If a network you didn't know about was discovered via SNMP, for example, you might choose to add that network to the Eligible list to ensure that it is included in subsequent explorations. When you enable TargetDiscoveredRoutes in Host Discovery,  Asset Manager discovers all devices within the Eligible network discovery space. When you enable TargetDiscoveredRoutes in Path Discovery, Asset Manager traces to all of the Eligible networks and can display the findings in a map. SNMP, Port, Profile, and Leak indexing can be configured to run on eligible discovered devices.
 

Internal - Enables you to define and label devices via associated CIDR blocks as "Internal" for the purposes of reporting, mapping, and analysis. The Internal list is your enterprise's private address space (i.e., these packets cannot be transmitted through the public Internet.) The Internal list affects reporting only. It does not impact discovery.

Asset Manager is designed to keep you continuously apprised of zone assets and activity: what's there, what's there but inactive, what's there but shouldn't be, what's behaving, what's misbehaving, what can get in from outside, what can get out from inside, what's sound, and what's vulnerable to exploitation.

Managing discoveries and making decisions about how to define and categorize "discovered unknowns" is a central engagement with Asset Manager.  It's how enterprises close the gap between what is known about a network and what is unknown. It the process by which the risk profile of unmanaged networks is reduced along with their vulnerability to attack.

Over time, this categorization process diminishes. As it does, the quality of your network asset management and network vulnerability management increases. Ultimately, your company's use will enable your network to be fairly and accurately understood and well-managed.