Can SN discover internal as well as external IPs, and if so, what will I need to make sure all assets are discovered?

kevinmalone
Kilo Explorer

I am trying to set up SN Discovery within Eureka and I have assets on both sides of the firewall (internal and external), and want to know if SN can discover both and, if so, what should I look for to ensure I will get all assets?


prdelong
Kilo Guru

SN can discover hosts as long as it can target those IPs. For your particular case, I would recommend setting up a MID server outside the firewall -- likely in your DMZ -- as well as one, or more as necessary, inside your firewall. While it is possible to configure the firewall to allow all traffic through the firewall and then to the SN instance, it's just easier to maintain the MID server along with any security concerns.



I will chip in one more note. Typically the security on DMZ assets is much stricter than things on the internal network. Oftentimes the security team will not want these assets configured to allow Discovery traffic and queries. This is often where the project owner needs to decide to push for access or simply maintain the devices manually in the CMDB.


Mark Stanger
Giga Sage

SN Discovery can discover anything from any IP address range. You'll just need to set up a MID server on each network segment you want to discover. Because the MID server always reaches out to your SN instance (which, if hosted by SN, is public), it just needs standard access over port 443 to talk to your SN instance, and the SN instance doesn't ever need to be able to communicate back. If your SN instance is on-premise, you'll need to establish VPN connectivity between each MID server location and your SN instance location. Just like any other discovery, you'll need the appropriate rights from each MID server to access and interrogate all of the devices you're discovering.


StephenHey
Mega Guru

If you cannot set up a device in your restricted space, you may also be able to VPN through to the DMZ and then whitelist that VPN NIC. On the MID server, set up route tables that will pass through that address if the target is the restricted space. OpenVPN is a piece of software that can help you do this.



To answer your last question: How do you know if you got it all? Discovery will show you that some IPs will be 'alive', but not 'classified', or maybe just 'active.' In other words, a port scan reveals some active 'denies', but you otherwise can't get in. For those, you know you have an issue. For IPs that don't respond to you at all, you won't be able to tell just by using Discovery that something is there and you're not finding it. You'll need to work with whoever owns assets in that space to cross-reference with what they think should be there.



If the purpose of Discovery is to find things because no one has that definitive list already, then you might not be able to 100% guarantee Discovery found everything. You'll probably need to fall back on 'tribal knowledge' from your sys admins.
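The cross-reference StephenHey describes above, worked through as an added example (this is not code from the thread or from ServiceNow). It buckets Discovery results into the cases his post distinguishes: addresses that responded but never reached 'classified' (an access problem you can fix), addresses the owner expects that Discovery never saw at all (which Discovery alone cannot reveal), and addresses Discovery found that the owner did not list. The state labels follow the post; the record layout, the hypothetical ranges and the sample results are constructed for illustration and are not a ServiceNow export format.

```python
"""Reconcile Discovery results against an asset owner's expected inventory.

Added example, not part of the original thread. All data below is constructed.
"""
import ipaddress

# Constructed sample: the range in the Discovery schedule, and the hosts the
# owner of that DMZ segment believes are in it (TEST-NET-3, RFC 5737).
EXPECTED_RANGES = ["203.0.113.0/28"]
EXPECTED_HOSTS = {"203.0.113.2", "203.0.113.3", "203.0.113.5", "203.0.113.9"}

# Constructed sample Discovery results: ip -> state Discovery reported.
# 'classified' = identified and a CI created; 'alive' = responded to the
# probe but we could not log in; 'active' = the port scan only saw denies.
DISCOVERY_RESULTS = {
    "203.0.113.2": "classified",
    "203.0.113.3": "alive",
    "203.0.113.4": "active",
    "203.0.113.5": "classified",
    "203.0.113.7": "classified",  # not on the owner's list
}


def _sorted(ips):
    """Sort dotted-quad strings numerically rather than lexically."""
    return sorted(ips, key=ipaddress.ip_address)


def reconcile(expected_hosts, results, scan_ranges):
    """Compare Discovery output with the owner's list and bucket the gaps."""
    nets = [ipaddress.ip_network(r) for r in scan_ranges]
    expected = set(expected_hosts)
    seen = set(results)

    def in_scope(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    return {
        # Reachable but never 'classified': credentials, firewall rules for the
        # MID server, or a host that only answers with denies. Fixable on our side.
        "access_issue": _sorted(ip for ip, st in results.items() if st != "classified"),
        # Owner says it exists, Discovery saw nothing at all. Indistinguishable
        # from an empty address without the owner's list.
        "not_seen": _sorted(expected - seen),
        # Discovery found something the owner did not list: inventory drift.
        "unexpected": _sorted(seen - expected),
        # Sanity check: results outside the scheduled ranges should not occur.
        "out_of_scope": _sorted(ip for ip in seen if not in_scope(ip)),
    }


def coverage(expected_hosts, results):
    """Fraction of the owner's list that ended up fully classified."""
    expected = set(expected_hosts)
    classified = {ip for ip, st in results.items() if st == "classified"}
    return len(expected & classified) / len(expected) if expected else 1.0


if __name__ == "__main__":
    report = reconcile(EXPECTED_HOSTS, DISCOVERY_RESULTS, EXPECTED_RANGES)
    for bucket, ips in report.items():
        print(f"{bucket:>13}: {', '.join(ips) or '-'}")
    print(f"     coverage: {coverage(EXPECTED_HOSTS, DISCOVERY_RESULTS):.0%}")
```

Run against the constructed data, the 'access_issue' bucket is the list to take to the firewall and credential owners, 'not_seen' is the list to take back to the asset owner (Discovery cannot tell those apart from empty addresses), and 'unexpected' is what the owner's list was missing. Feed it a real export of the schedule's results and the owner's spreadsheet and the same three lists fall out.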


JBark
Tera Expert

The 3 previous posts are very good answers for setting up your MIDs.



The biggest issue I've seen for total coverage has been that the user account the MIDs use for Discovery has to have Local Admin on Windows and at least sudo on *nix. Ideally, if you are on a Windows domain, you add that MID user account to Domain Admins, but that rarely gets past the AD security folks.



It took some rather intense discussion to get all that ironed out in my environment, and you should start addressing that before you look at building out your schedules.