What is network discovery?

What is network discovery? 

Network discovery is a process that includes finding and documenting all computing resources that connect to an organization's network, registering those assets that are expected to connect to the network, and mapping how they interact with each other to provide IT services. 

Network discovery tools scan the network, creating and maintaining network maps that show the assets and their connections to one another. This is determined by transactions, IP address schemes, and other information. These maps visually represent network segments and work with monitoring systems to display conditions that indicate outages or performance problems. 

Network discovery will collect information about the following:

• Physical network structure 

• Virtual computers and networks

• Devices on the network, including network switches, firewalls, servers, printers, and end-user devices like computers and mobile devices

• Logical and physical relationships between devices

• Information about device configuration

Discovery tools use a combination of probes and sensors or network traffic patterns to help with network discovery. Probes and sensors are software that explore the network and devices attached to it, collecting and storing information in a centralized management system. Traffic patterns enable network discovery tools to discover the relationships between devices, connecting the devices on a network topology map.

Why is network discovery important?

Network discovery is a critical component of a robust operations function. As cyber-attacks continue and networks become more complex, control of the computing environment relies heavily on understanding and controlling the corporate network and devices that connect to it. Additionally, increased network complexity makes it more difficult to troubleshoot performance and availability issues or to prioritize event and incident response.

There are several key areas where network discovery is essential:

Asset management: The ability to discover and document information about any device that connects to a network makes it possible to build an accurate asset management database, enabling organizations to manage assets both financially and operationally. This is a crucial advantage to network discovery and forms the basis for support and security management. While organizations have tried to avoid building an asset and configuration management program due to the expense and effort, network discovery tools have made it easier, and overarching operational complexity has made it more of a mandate than before.

Security: By creating an asset inventory of all authorized computing resources, including mobile devices as a baseline for their network, administrators gain control over the network. They can be alerted whenever an unauthorized device attempts to gain access or when access from a new IP address is attempted. Automated policies can be leveraged to determine if that attempt was made by a known, authorized user or device at a new IP address which may indicate a potential security breach. These capabilities make it possible to secure the enterprise more effectively in a BYOD (bring your own device) or hybrid workplace. As hybrid work environments increase in scale, securing the corporate network is only possible with an understanding of its expected configuration. Network discovery also identifies open ports, so they may be disabled before they can be hijacked in an intrusion attempt.

Performance: Network discovery and monitoring tools help identify bottlenecks. The topology maps created by network discovery tools assist administrators in determining the services affected by these bottlenecks and changes that could be made to the network design to alleviate them. When application performance issues are identified, network discovery tools can assist in troubleshooting the root cause, even at the application level.

Support: Hybrid, virtual, wired, and wireless networks create a new complexity in managing network operations and topology. This makes it more difficult to troubleshoot performance and other issues quickly and effectively. With network discovery and topology maps, administrators can see the connections between components and identify potential network issues impacting performance or availability. Network monitoring tools that work with network discovery software can also determine the health of end-user devices and infrastructure and alert technicians when support may be needed, enabling a more proactive approach to support. They may also help IT administrators connect to a device remotely to address issues.

Network discovery in practice

Network discovery tools use several network protocols to discover network topology:

SNMP, Simple Network Protocol: A standard internet protocol that enables the collection and organization of data about a device. The information is then stored in a management information database or MIB for future use by administrators and network management tools. This protocol is used extensively by network discovery and monitoring tools, and the Internet Engineering Task Force (IETP) sets the standard.

SNMP defines and utilizes three components to manage networks:

• Managed devices: infrastructure and end-user devices

• Agents: software that runs on managed devices to assist with network discovery or monitoring

• Network Management Station (NMS): software that controls the network's management, i.e., the monitoring or discovery software

LLDP, Link Layer Discovery Protocol: This network protocol enables the collection of data in an ethernet network across all vendor or equipment types (it is vendor-neutral) and is used for discovery in wired networks, including the discovery of network topology. The IEEE (Institute of Electronics and Electrical Engineers) operates the standard, which manages the ethernet network protocol. Device and network information discovered using LLDP is also stored in a MIB for further user.

Ping: A standard utility that enables systems or personnel to test a device's presence (or reachability) on the network and the time it takes the device to respond. Ping works on virtually all operating systems and is embedded in most network management systems or software. It can help provide up/down status and latency.

Network discovery tools use agents or centralized software to scan all devices on a physical network or capture information about appliances when they connect virtually. This information can be extensive, including the device's name and network address, and diving more deeply into device configuration attributes. Using the network protocols described, data can be gathered about how devices connect to the network and each other, enabling the creation of network topology maps. This information is used to help manage the network and its devices.  

These activities can be performed via scheduled scans or auto-discovery using IP scans, ping, and polling. For example, a physical network segment might be scanned to discover information about devices connected to it, or device information may be gathered when the device connects to the network. Most network discovery tools use a combination of these strategies to discover and document the network. 

Network discovery tools can help automate this process and can be either active or passive. Active discovery tools scan network devices and ping them, but because they broadcast to devices can also consume bandwidth and cause performance issues. This is why many organizations set up a schedule to manage discovery at times that don't interfere with operations or work on scanning small network segments. Passive network discovery tools use logs to collect and store logs from devices, keeping the data in management systems. Many discovery tools will use a combination of these strategies to discover the network structure and track information about the devices that connect to the network.

For network tools that rely on an agent, the agent reports back to the central management system and works on network gear, servers, and end-user devices across several different operating systems. The downfall of using agents for network discovery is that the agent needs to be deployed to each network device. Agentless discovery is based on software run from centralized management systems but may be more limited in the information collected. 

Creating a network discovery program

There are several primary steps involved in creating a network topology map during network discovery:

Determine the scope and approach: For large organizations, the scale of network discovery can be vast and difficult to achieve rapidly. The best way to undertake a network discovery program is with an agile approach, beginning with the most critical segments and expanding until the network is fully discovered. High-level map design will also need to be established, with the ability to dive more deeply into network segments when required. 

Select/implement the tools to be used: While there was a time when network maps could be drawn and maintained by hand, this is no longer the case. It takes a great deal of effort to document networks manually, and wireless networks create uncertainty that requires automated network discovery to ensure an accurate network map is created. Network discovery approaches and the required features should be documented, and tool selection should be based on these requirements. 

Perform discovery: Once the software is implemented, initial network discovery can be deployed, then maps for various network segments created per the program's initial plan. Best practices to consider when getting started with network discovery include the following:

• Document the high-level configuration and approach before beginning. This will help configure discovery tools for the phased approach.

• Work with security teams with infrastructure owners to ensure that system logins are available when needed. As this aspect can take some time, it's beneficial to include security teams and infrastructure administrators from the onset of planning to ensure alignment with the program.

• Configure discovery settings and passwords, then test before initiating live discovery. This will help discovery run more efficiently.

• Take care to avoid duplicate scans. Some organizations may be doing network and security vulnerability scanning, or inefficient configuration can lead to duplication of scanning efforts. Communication and documentation are crucial to avoiding this. If security vulnerability scanning is already taking place, consider integrating systems to leverage information discovered by these alternative discovery tools. Vulnerability scanning software can provide device configuration information to the network management software.

There are several phases within the network discovery process:

• Scanning: initial discovery of the devices found on the network

• Classification: determination of the device type, collection of attributes about the device

• Identification: determination of whether the device is new or already in inventory

• Exploration: a collection of the detailed attributes about the device's hardware and software versions

The depth of attributes that the network discovery software can collect will determine how effectively the network can be administered and how far automation can be leveraged to assist in maintaining device health.

Optimize and maintain: Network discovery and topology mapping is an ongoing process. The organization needs a documented program that indicates how frequently scans will be performed for each segment or class of equipment and how exceptions will be handled. Many applications now use artificial intelligence features to help identify areas of concern and notify network administrators. These could include missed devices or segments and other gaps in the discovery process.

 Helpful features in network discovery tools

Many approaches and capabilities will ultimately be driven by the tools selected for the job when planning for automated network discovery. There are several features to compare when selecting network discovery tools, combining all the strategies mentioned here. When choosing a network discovery tool, consider the following criteria:

• Ability to perform scheduled scans of the physical network or on-demand scanning or discovery when a new device connects to the network or when a known device connects from a different IP address range

• Dashboards that enable administrators to manage by exception, including information on new devices and general information about devices

• Ability to create the network topology maps as an outcome of network discovery, including relationships between devices

• Relationship mapping based on traffic patterns and physical connections between devices

• Remote access capabilities

• Management tools such as wireless heat maps showing coverage of wireless access points and network performance monitors are also helpful

The choice of a network discovery tool will depend on the organization's size and the network's complexity. It may also rely on tools already used in the organization and integration needs. Managed Service Providers (MSPs)  may need additional capabilities that enable them to quickly onboard new clients and configure discovery to run for their network, segregating data between client environments and providing security rules to ensure that MSP personnel see only client data only for their customers. Even if the program does not include network management, using network discovery tools to discover all devices and build an inventory can be extremely useful to MSPs.

Network discovery may be found in enterprise management platforms, leading to more efficient operations as it integrates the consumption of networ

• Total device management: Network discovery provides connectivity information, which, combined with patch history and error logs for the device, provide machine learning algorithms with robust data to determine the device's health against a device profile. This enables administrators to manage by exception, extending their reach. Combined with device profiles, discovery and tracking of device information also make it possible to identify devices that don't meet configuration standards, enabling correction of these issues before they cause service interruptions.

• Improved audit capabilities: Network discovery down to the attribute level makes it possible to identify unauthorized infrastructure changes and alert personnel. These can be a potential security break or personnel making changes without prior authorization. This level of audit becomes possible by having change authorization records in the same platform as network configuration information.

• Improved security: While patch management and network discovery tools both increase the ability to prevent intrusion, combining these in a single tool makes vulnerability management and intrusion detection easier by providing a single management console.k discovery information with other service management processes. For example, solutions that provide remote monitoring and management and professional services automation features may also include network discovery tools that work with their other applications. This provides a single console from which personnel can manage all enterprise operations and support functions. Benefits of this approach include:

Regardless of the approach taken, network discovery is one of many components of an enterprise management strategy. It involves understanding the computing environment and how individual components work together to deliver IT services. It provides the most basic layer: finding and documenting all pieces that use network resources and how they use them.