The first cut at credential-less discovery is included in last Friday's "Stable 1" release, so it will be included in the next major release of our product.
What is credential-less discovery, anyway?
Well, it's not discovery by breaking and entering (hacking) our way into a device! Read on to learn more...
Credential-less discovery is the process of learning about network devices by unauthenticated, non-intrusive means. It still sends probes (a TCP connection, an SNMP GET with a default community string, a name lookup), but it never logs in and never issues queries that could disrupt the device. There are several techniques involved; these are discussed later in the post. A good way to think about the process is that it's a series of "educated guesses" about a device, based on this externally observable information. Different kinds of devices (and applications running on them) have different patterns of this information, and we can use these patterns to detect them. However, credential-less discovery can't verify any of this information by logging into the device and querying it, so the educated guesses are the best it can do. Also, credential-less discovery can't tell whether a device has multiple IP addresses, so each address will show up as a separate device.
Sometimes, however, these educated guesses are very useful. Two common cases:
- Exploring where normal discovery can't go: For a variety of reasons, your organization may need to inventory what's on a network segment without having the credentials to do it. This might occur during an acquisition, when key personnel leave unexpectedly, when an urgent project can't wait until you can obtain the credentials, when a facility didn't properly manage its network, or for many other reasons. In such cases, credential-less discovery will provide you with quite a bit of useful information: a list of computers, printers, network devices, etc.
- Devices that normal discovery can't classify: Your organization may have some devices on the network that our normal discovery can't identify and classify. Some common examples include IP phones, network printers that don't support SNMP, and digital photo frames. More exotic devices like network-enabled spaghetti extruders and numerically-controlled milling machines would also fall into this category. By enabling credential-less discovery, you may be able to have discovery automatically identify and classify even those spaghetti extruders.
So how does credential-less discovery work? Here are the techniques it uses:
- Open TCP port detection: Often the mere fact that a device is listening on a particular TCP port is enough to tell you something valuable about that device. For instance, a device listening on TCP port 135 (the Windows RPC endpoint mapper) is most likely a computer of some sort running Windows. Likewise, a device listening on TCP port 1521 (the default Oracle listener port) is probably a computer running Oracle. You might know that your spaghetti extruders listen for commands on TCP port 37545, which means you could use this to identify and classify them.
- Banner analysis: Certain server applications (SSH and FTP are good examples) send a "banner" to any client that simply opens a connection. The client doesn't have to query for this banner; it's sent automatically. The banners often contain useful information, such as the vendor, the product, the version, etc. Credential-less discovery can make use of this information to help classify a device. For example, if the word "Cisco" appears in the SSH banner for a particular device, we can be pretty sure it's a network device (router, switch, firewall) of some type. Keep in mind that administrators can change or hide banners, so a banner is evidence, not proof. If you have two types of spaghetti extruders (one for round noodles, one for flat noodles), you might be able to identify them from the banner they send out on TCP port 37545 when you open a connection to them.
- SNMP sysDescr analysis: Any SNMP device that still uses "public" as its read-only community string (or whose actual community string you happen to have) will answer a GET for the object called sysDescr (OID .1.3.6.1.2.1.1.1.0). This value usually contains all kinds of useful information, including make and model, and it's easy to write a classifier that will detect and classify such devices. Your NC milling machine might have an SNMP agent, unbeknownst to you, and it may well provide you with enough information to identify and classify it.
- NetBIOS name resolution: Any IP address that responds to a NetBIOS name query is either a Windows machine or something emulating a Windows machine. The domain or workgroup reported, or the NetBIOS name itself, may provide information that lets you classify the device. For instance, you may have digital picture frames running Linux with Samba for Windows-compatible file sharing, and they might all belong to the workgroup "DIGIFRM". A simple classifier would let you identify and classify all of them.
- DNS name resolution: Any IP address that has a reverse DNS (PTR) name is likely one that you'd care about, and the name itself might tell you what the device is. For example, perhaps all your NC milling machines have a DNS name that ends in "-ncmill". Once again, you can easily make a classifier to find and classify these.
Each of these techniques is fully configurable by you, and a complete set of configurable classifiers for CIs and (separately) for applications is available. There are out-of-the-box examples, but this is an area where you can greatly extend the capabilities by customizing it for your environment.
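To make the "educated guess" idea concrete, here is an added, stand-alone example of how the five techniques above feed a rule-based classifier. It is illustrative code written for this post, not the product's own discovery or classification engine. The banner grabber sends nothing and only reads what a service volunteers; the classifier works on constructed observations so it runs offline. Port 37545, the ROUND/FLAT banner words, the DIGIFRM workgroup and the "-ncmill" DNS suffix are the post's hypothetical fingerprints, and the sample hosts, names and sysDescr strings are made up.

```python
"""Rule-based credential-less classifier: turns unauthenticated observations
(open ports, banners, SNMP sysDescr, NetBIOS, reverse DNS) into an educated
guess about what a device is.  Illustrative code, not the product's own."""
import re
import socket
from dataclasses import dataclass, field


@dataclass
class Observation:
    """Everything learned about one IP address without logging in."""
    ip: str
    open_tcp_ports: set = field(default_factory=set)
    banners: dict = field(default_factory=dict)   # TCP port -> text the service sent
    snmp_sysdescr: str = ""                         # sysDescr.0 via "public", if answered
    netbios_name: str = ""
    netbios_workgroup: str = ""
    dns_name: str = ""                              # reverse (PTR) lookup result


def grab_banner(ip, port, timeout=2.0):
    """Connect, read whatever the service volunteers, send nothing.
    Returns (port_open, banner_text).  Not used by the offline sample below."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:          # open port, but a silent service
                data = b""
        return True, data.decode("ascii", errors="replace").strip()
    except OSError:                         # refused, filtered, unreachable
        return False, ""


def _banner_has(o, port, pattern):
    return re.search(pattern, o.banners.get(port, ""), re.I) is not None


# (CI class or None, application or None, weight, predicate).  Higher weight =
# more specific evidence; rule order breaks ties.  Port 37545, ROUND/FLAT,
# DIGIFRM and "-ncmill" are the post's hypothetical fingerprints (assumptions).
RULES = [
    ("Spaghetti extruder (round noodle)", None, 4, lambda o: _banner_has(o, 37545, r"\bROUND\b")),
    ("Spaghetti extruder (flat noodle)",  None, 4, lambda o: _banner_has(o, 37545, r"\bFLAT\b")),
    ("Spaghetti extruder",                None, 3, lambda o: 37545 in o.open_tcp_ports),
    ("NC milling machine",                None, 3, lambda o: o.dns_name.lower().split(".")[0].endswith("-ncmill")),
    ("Digital photo frame",               None, 3, lambda o: o.netbios_workgroup.upper() == "DIGIFRM"),
    ("Network device",                    None, 3, lambda o: _banner_has(o, 22, r"cisco")),
    ("Network device",                    None, 3, lambda o: re.search(r"cisco", o.snmp_sysdescr, re.I) is not None),
    ("Windows computer",                  None, 2, lambda o: 135 in o.open_tcp_ports),
    ("Windows computer (or SMB emulator)", None, 1, lambda o: bool(o.netbios_name)),
    ("SNMP-capable device",               None, 1, lambda o: bool(o.snmp_sysdescr)),
    (None, "Oracle Database",             2, lambda o: 1521 in o.open_tcp_ports),
]


def classify(o):
    """Return the best-supported CI class, detected applications and the
    evidence behind the guess.  Nothing here is verified by logging in, and a
    second IP on the same box will simply look like another device."""
    ci_hits, apps = [], set()
    for ci, app, weight, pred in RULES:
        if pred(o):
            if ci:
                ci_hits.append((weight, ci))
            if app:
                apps.add(app)
    best = max(ci_hits, key=lambda h: h[0])[1] if ci_hits else "Unknown"
    return {"ip": o.ip, "ci_class": best, "applications": sorted(apps),
            "evidence": [ci for _, ci in sorted(ci_hits, key=lambda h: -h[0])]}


# Constructed observations standing in for a real sweep of a segment.
SAMPLE = [
    Observation("10.0.0.10", open_tcp_ports={135, 445, 1521}, netbios_name="DBSRV01",
                netbios_workgroup="CORP", dns_name="dbsrv01.example.com"),
    Observation("10.0.0.1", open_tcp_ports={22}, banners={22: "SSH-2.0-Cisco-1.25"},
                snmp_sysdescr="Cisco IOS Software, C2960 Software"),
    Observation("10.0.0.20", open_tcp_ports={139, 445}, netbios_name="FRAME07",
                netbios_workgroup="DIGIFRM"),
    Observation("10.0.0.30", open_tcp_ports={37545}, banners={37545: "EXTRUDER/2.1 ROUND READY"}),
    Observation("10.0.0.40", snmp_sysdescr="ExampleCorp NC Mill 3000 fw 2.1",
                dns_name="mill-03-ncmill.shop.example.com"),
    Observation("10.0.0.99", open_tcp_ports={8080}),
]


def sweep(observations=SAMPLE):
    """Classify every observation; returns {ip: result}."""
    return {o.ip: classify(o) for o in observations}


if __name__ == "__main__":
    for ip, r in sweep().items():
        print(f"{ip:12} {r['ci_class']:36} apps={r['applications']} evidence={r['evidence']}")
```

The weights encode the post's point that a specific banner or name pattern outranks a generic signal: the photo frame answers NetBIOS like a Windows box, but the DIGIFRM workgroup wins, and the Oracle port adds an application to the Windows host without changing its CI class. The evidence list is kept on every result so an analyst can see why a guess was made and override it, which is exactly what a classifier you tune for your own environment needs.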
Does this give you some ideas for use in your own environment? Check out Stable 1 on a test or development instance, and start investigating how credential-less discovery could be useful for you!