Network Discovery


Network discovery refers to the processes and tools that identify the hosts present on a network or subnet and the communications between them.

  • also called visibility
  • necessary to:
    • confirm that servers and clients are in the correct VLANs or subnets
    • identify rogue or unauthorized machines

IP Scanning

An IP scanner is a tool that performs host discovery and can establish the overall logical topology of the network in terms of subnets and routers.

  • can be lightweight standalone open source or commercial tools
    • e.g., Nmap, Angry IP Scanner, PRTG
  • enterprise network management suites also perform IP scanning
    • combine with asset or inventory information about each host
    • this full functionality is called IP address management (IPAM)
    • suites that integrate with DHCP and DNS servers are referred to as DHCP, DNS, and IPAM (DDI)
  • host discovery is the most basic type of IP scanning: it only attempts to determine whether a host at a given IP address is up (responding), not what it is running
    • many host discovery techniques
      • some best at discovering a large number of legitimate hosts quickly
      • others optimized for identifying rogue hosts attempting to hide
      • most basic techniques use:
        • ping (ICMP echo request/reply), ARP (works only on the local segment, but a host must answer ARP to communicate at all), and traceroute (to map the routers between subnets)
      • some suites use Simple Network Management Protocol (SNMP) queries
        • can report more detailed information about interface statistics
      • enterprise suites can query local DHCP and DNS servers for information
      • security-oriented scanners can use specially crafted probes (e.g., TCP SYN or ACK probes to common ports, or UDP probes) to locate hosts that are configured or firewalled not to respond to pings
    • scans can be ad-hoc or regularly scheduled
      • if an adversary learns the schedule, they can keep a rogue host quiet or powered off during scan windows
      • ad-hoc (unscheduled) scans are therefore better at detecting unauthorized activity
    • some scans can degrade network performance or host reliability (large parallel sweeps, aggressive probes against fragile embedded devices), so scope and timing need to be planned
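As an added worked example (not part of the original notes), the step that the two sections above describe but do not show: take a ping-scan result and the local ARP cache, and check every live host against an asset inventory to flag rogue machines and hosts sitting in the wrong subnet or VLAN. The nmap grepable output, the `ip neigh` output and the inventory are all constructed sample data; the inventory layout and the verdict labels are this example's own assumptions, not a format any IPAM product or the notes define.

```python
import ipaddress
import re

# Constructed sample output of `nmap -sn -oG - 10.0.10.0/24` (a ping scan in nmap's
# grepable format). Not real scan data.
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jan  1 09:00:00 2024 as: nmap -sn -oG - 10.0.10.0/24
Host: 10.0.10.1 (gw.corp.example)\tStatus: Up
Host: 10.0.10.21 (srv-db01.corp.example)\tStatus: Up
Host: 10.0.10.57 ()\tStatus: Up
Host: 10.0.10.200 ()\tStatus: Up
# Nmap done at Mon Jan  1 09:00:03 2024 -- 256 IP addresses (4 hosts up) scanned in 2.71 seconds
"""

# Constructed sample output of `ip neigh show` on the same segment. The FAILED entry
# has no MAC (ARP got no reply); the STALE entry for .150 was not reported by the scan.
IP_NEIGH = """\
10.0.10.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.0.10.21 dev eth0 lladdr 00:11:22:33:44:21 STALE
10.0.10.57 dev eth0 lladdr de:ad:be:ef:00:57 REACHABLE
10.0.10.150 dev eth0 lladdr 00:11:22:33:44:50 STALE
10.0.10.200 dev eth0 lladdr 00:11:22:33:44:99 REACHABLE
10.0.10.88 dev eth0  FAILED
"""

# Hypothetical asset inventory, standing in for what an IPAM would hold:
# MAC -> (asset name, role, subnet the asset is supposed to live in).
INVENTORY = {
    "00:11:22:33:44:01": ("gw", "router", "10.0.10.0/24"),
    "00:11:22:33:44:21": ("srv-db01", "server", "10.0.10.0/24"),
    "00:11:22:33:44:99": ("ws-jdoe", "workstation", "10.0.20.0/24"),  # belongs on the client VLAN
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9A-Fa-f:]{17})\s+(\w+)")


def parse_nmap_grepable(text):
    """Return {ip: reverse-DNS name or ''} for every host nmap reported as Up."""
    live = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            live[m.group(1)] = m.group(2)
    return live


def parse_ip_neigh(text):
    """Return {ip: mac} for neighbour entries that carry a link-layer address.
    FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    macs = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            macs[m.group(1)] = m.group(2).lower()
    return macs


def reconcile(live, macs, inventory):
    """Classify every address seen by either source against the inventory:
       known:<name>          MAC is inventoried and the IP is inside its expected subnet
       wrong_subnet:<name>   MAC is inventoried but the host is on the wrong subnet/VLAN
       rogue_candidate       MAC is not in the inventory at all
       arp_cache_only        ARP cache has it but the scan did not report it Up (stale, or quiet during the scan)
       no_arp_entry          scan saw it but no MAC is known (remote subnet, or ARP entry expired)
    """
    findings = {}
    for ip in sorted(set(live) | set(macs), key=ipaddress.ip_address):
        mac = macs.get(ip)
        if ip not in live:
            findings[ip] = "arp_cache_only"
        elif mac is None:
            findings[ip] = "no_arp_entry"
        elif mac not in inventory:
            findings[ip] = "rogue_candidate"
        else:
            name, _role, expected = inventory[mac]
            if ipaddress.ip_address(ip) in ipaddress.ip_network(expected):
                findings[ip] = f"known:{name}"
            else:
                findings[ip] = f"wrong_subnet:{name}:expected {expected}"
    return findings


if __name__ == "__main__":
    result = reconcile(parse_nmap_grepable(NMAP_GREPABLE), parse_ip_neigh(IP_NEIGH), INVENTORY)
    for ip, verdict in result.items():
        print(f"{ip:<14} {verdict}")
```

The example keys on MAC address wherever an ARP entry exists because that is the identity a host on the local segment cannot hide: a privileged nmap -sn run against the local Ethernet uses ARP requests, so it also finds hosts that drop ICMP echo, whereas against a remote subnet it has to rely on ICMP and TCP probes that a host firewall can silently discard. That is why a host the scan reports Up with no MAC is only flagged for follow-up rather than called rogue, and why a FAILED neighbour entry (no reply to ARP) contributes nothing.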