
HPE Aruba Networking Blogs

What’s on my network?

By Richard Leadbetter, Security Sales Specialist, EMEA

It’s certainly a question I can help with, but placing implicit trust in automated device discovery won’t necessarily give you all the answers you need. We’ve all probably read a business-related article about the risks of a “know everything” attitude: you will get it wrong from time to time, and you will waste opportunities to learn from elsewhere or to feed into other learning processes. There are plenty of parallels with network discovery systems used in isolation, without a good process around them.

The second point is that we need to stop worrying about the unknowns – or at least about the known unknowns!

We can use discovery and profiling mechanisms to identify device types on the network using a combination of DHCP snooping, CDP, SNMP, Nmap, WMI and so on. This gives us a good indication of what’s there – but it won’t tell us whether we actually want it there, or whether it’s actually yours! It sounds obvious, but it’s a good idea to know what you actually want on the network: what is actually needed for the business to function?

From the output of the discovery phase it’s then necessary to verify the devices you want on the network against known records, such as asset management records. These are classified as Known Devices, each with an associated device classification. The remaining devices can now be listed as unknown, but not all unknowns are equal – there are known unknowns and unknown unknowns!

We can identify device types based on their fingerprint, and assuming we want these types of devices on the network we can initially classify them as known unknowns – i.e. we know about them, but don’t specifically trust them. A fingerprint is only what the device claims to be, and a MAC address or DHCP signature can be spoofed, so on its own it earns a device a record, not access. Once these devices have been thoroughly checked based on location, switch-port etc. we can classify them as Known, with a record against the Device Type. They can then be granted the appropriate level of access when they connect.

That just leaves a list of devices that we haven’t seen or verified and that don’t fall into the list of those we want on the network. If these new or “unknown unknown” devices attempt to connect, we can immediately inform the security team of the attempt. It’s then up to the security team either to investigate their device classification and decide whether they should be treated as trusted devices and allowed to connect, or to put them into a disabled state to prevent future attempts to connect.

In this way, the only unknown unknowns on the network are those devices that are yet to connect…
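The triage described above, worked through as an added example (not Aruba or ClearPass code, and not from the original post). It assumes the discovery and profiling phase has already been flattened into records carrying the MAC, the profiled device type and the switch/port the device was seen on; the asset register, the list of wanted device types and the discovered devices are constructed sample data. It also handles the case the text implies but does not spell out: a device whose MAC has an asset record but whose live fingerprint contradicts that record must not inherit the record’s trust.

```python
"""Triage discovered endpoints into known / known unknown / unknown unknown.

Added example, not Aruba/ClearPass code.  All data below is constructed;
the 00:00:5e:00:53:xx MAC range is reserved for documentation (RFC 7042).
"""
import re
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    KNOWN = "known"                      # record, fingerprint and location agree
    KNOWN_UNKNOWN = "known_unknown"      # wanted type, not yet verified/recorded
    UNKNOWN_UNKNOWN = "unknown_unknown"  # not wanted, or contradicts its record


# What the policy engine should do with each class when the device connects.
ACTION = {
    Status.KNOWN: "grant the role for its device type",
    Status.KNOWN_UNKNOWN: "limited access; verify location and switch-port, then record",
    Status.UNKNOWN_UNKNOWN: "alert the security team; hold in quarantine until investigated",
}


@dataclass(frozen=True)
class Discovered:
    mac: str
    device_type: str   # profiled type, e.g. from a DHCP fingerprint or Nmap
    switch: str
    port: str


@dataclass(frozen=True)
class AssetRecord:
    device_type: str
    switch: str
    port: str


@dataclass(frozen=True)
class Verdict:
    mac: str
    status: Status
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept 00:00:5e:00:53:01, 00-00-5E-00-53-01 or 00005e005301; reject junk."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(dev: Discovered, register: dict, wanted_types: set) -> Verdict:
    mac = normalize_mac(dev.mac)
    rec = register.get(mac)
    if rec is None:
        if dev.device_type in wanted_types:
            return Verdict(mac, Status.KNOWN_UNKNOWN,
                           f"wanted type {dev.device_type!r} but no asset record")
        return Verdict(mac, Status.UNKNOWN_UNKNOWN,
                       f"no asset record and type {dev.device_type!r} is not wanted")
    if rec.device_type != dev.device_type:
        # A record exists but the live fingerprint disagrees: a cloned MAC or a
        # repurposed box.  Do not inherit the record's trust.
        return Verdict(mac, Status.UNKNOWN_UNKNOWN,
                       f"fingerprint {dev.device_type!r} contradicts record {rec.device_type!r}")
    if (rec.switch, rec.port) != (dev.switch, dev.port):
        return Verdict(mac, Status.KNOWN_UNKNOWN,
                       f"type matches but seen on {dev.switch}/{dev.port}, record says {rec.switch}/{rec.port}")
    return Verdict(mac, Status.KNOWN, "asset record, fingerprint and location agree")


def triage(devices, register, wanted_types) -> dict:
    """Group verdicts by status so each list can go to the right workflow."""
    out = {s: [] for s in Status}
    for dev in devices:
        verdict = classify(dev, register, wanted_types)
        out[verdict.status].append(verdict)
    return out


# Constructed asset register: normalised MAC -> what we expect to find there.
ASSET_REGISTER = {
    "00005e005301": AssetRecord("ip-phone", "sw-floor1", "1/0/7"),
    "00005e005302": AssetRecord("printer", "sw-floor2", "1/0/20"),
    "00005e005303": AssetRecord("workstation", "sw-floor1", "1/0/3"),
}
WANTED_TYPES = {"ip-phone", "printer", "workstation"}
DISCOVERED = [
    Discovered("00:00:5e:00:53:01", "ip-phone", "sw-floor1", "1/0/7"),      # known
    Discovered("00-00-5E-00-53-02", "printer", "sw-floor3", "1/0/2"),       # known type, moved
    Discovered("00:00:5e:00:53:03", "raspberry-pi", "sw-floor1", "1/0/3"),  # contradicts record
    Discovered("00:00:5e:00:53:04", "workstation", "sw-floor2", "1/0/11"),  # wanted, no record
    Discovered("00:00:5e:00:53:05", "raspberry-pi", "sw-floor2", "1/0/12"), # unknown unknown
]

if __name__ == "__main__":
    for status, verdicts in triage(DISCOVERED, ASSET_REGISTER, WANTED_TYPES).items():
        print(f"{status.value}: {ACTION[status]}")
        for v in verdicts:
            print(f"  {v.mac}  {v.reason}")
```

Note that the moved printer is deliberately demoted to a known unknown rather than left as Known: it is the right kind of device, but the location check the post calls for has not passed, so it should be re-verified before it regains its normal role.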

For more, check out Herman Robers’ (@hrwlan) video: