The term “Network Assessment” is interpreted in many different ways; definitions range from routers to laptops or servers in the datacenter. I’ve been involved with assessments of devices that use device-management login methods through TACACS, RADIUS or local authentication. To be clear, I’m talking about routers, switches, IPS/IDS appliances, VPN concentrators, wireless access points, firewalls, etc. I’m not referring to systems running a general-purpose operating system such as laptops, desktops, printers, servers, etc. The reason is that the assessment goals, login methods, and tools for routers are typically different from those used to scan laptop and server operating systems.
Regardless of the tool, the process can generally be broken down into three steps. Step one is discovering the devices on the network. This can be done by importing a list of IP addresses (for example a .CSV file), scanning a defined IP address range, polling with SNMP v1, v2, or v3, or running a scanner such as Nmap. I recommend leading with a known IP list since it’s the quickest method and doesn’t require scanning. I stay away from active scanning techniques with tools such as Nmap since they can negatively impact end devices. Best practice is to add a single device from each category before moving forward with a large range of devices.
Step two is verifying that your assessment tool has drivers for the devices it’s capturing. Drivers tell the tool which login method to use, so it doesn’t roll through a bunch of different vendor access scripts, and how to associate policies with matching devices. It’s key to update your tools prior to kicking off a network assessment.
After identifying the devices, the final step is accessing them. The common methods are Telnet and SSH. Without the previous steps, you won’t know where or what you are logging into. It’s best practice to use TACACS / RADIUS accounts and to access one device before launching a large capture. The last thing you want is a bunch of failed login attempts filling the security logs.
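Putting step one and step three together, here is an added Python example (not from the original post or any of the tools named below): it loads a constructed CSV inventory with placeholder hostnames and addresses, picks one pilot device per category, and reads only the SSH version banner from each pilot. The banner exchange sends no credentials, so it cannot produce a failed-login record on the TACACS/RADIUS server.

```python
"""Pilot-device check before a large network capture (constructed example)."""
import csv
import io
import socket

# Constructed sample inventory standing in for the customer's known-IP list.
# Hostnames, addresses and categories are placeholders, not real devices.
INVENTORY_CSV = """\
hostname,ip,category,mgmt_protocol
core-rtr-1,10.0.0.1,router,ssh
core-rtr-2,10.0.0.2,router,ssh
acc-sw-1,10.0.1.10,switch,ssh
acc-sw-2,10.0.1.11,switch,telnet
fw-edge-1,10.0.2.1,firewall,ssh
wap-lobby,10.0.3.5,wireless_ap,telnet
"""


def load_inventory(text):
    """Parse the CSV list into one dict per device."""
    return list(csv.DictReader(io.StringIO(text)))


def pick_pilots(devices):
    """Return the first device seen in each category: the set to test first."""
    pilots = {}
    for d in devices:
        pilots.setdefault(d["category"], d)
    return pilots


def ssh_banner(ip, port=22, timeout=3.0):
    """Read the SSH identification string without attempting a login.

    Only the server's "SSH-2.0-..." line is read; no username or password
    is ever sent, so no failed-attempt entry is written on the AAA server.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256).decode("ascii", "replace").strip()
    except OSError as e:
        return f"unreachable: {e}"


def precheck(devices, probe=ssh_banner):
    """Probe only the pilots. Telnet-managed devices are reported but not
    probed: Telnet carries the login in the clear, so flag them for review."""
    report = {}
    for cat, d in pick_pilots(devices).items():
        if d["mgmt_protocol"] != "ssh":
            report[cat] = (d["hostname"], "skipped: " + d["mgmt_protocol"])
        else:
            report[cat] = (d["hostname"], probe(d["ip"]))
    return report
```

Run `precheck(load_inventory(INVENTORY_CSV))` against a real inventory and fix any category that reports `unreachable` or `skipped` before launching the full capture.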
Network assessment tools I’ve used are Netformx, EMC Voyence, SolarWinds, Network Compliance Manager/Opsware, 360’s Manchester and sometimes Cisco LAN Manager for 100% Cisco networks. It’s hard to judge which is best since each has its strengths, and usually a combination is used to gain a complete picture. In general, my team attempts to inventory the network down to the serial numbers, identify end-of-sale/end-of-life hardware, check compliance standards, look for vulnerabilities in both hardware and software, and verify advanced technology capabilities such as Power over Ethernet (PoE) for VoIP readiness. With properly tuned tools and best practices, my team can capture networks exceeding ten thousand nodes in a day. 90% of delays are caused by not setting expectations correctly, meaning customers are not prepared to deliver the requested information. Spending extra time reviewing the assessment process with all IT members, along with providing detailed documentation, will save you time and headaches.