🕸️NeDi - SNMP poller: Network Based Asset and Topology Discovery Tool 🚀

Ever wondered how networks seamlessly manage thousands of devices? It's all about the fundamentals of network discovery, and NeDi is leading the charge!

There are some fundamentals to network discovery, and although tools are available, this article discusses the generic concepts. An example of such a tool is 👉 NeDi. I used it at iBurst, where it polled thousands of devices from an HP Microserver running Ubuntu; it also works perfectly with Debian.

Showcase Video

The video above showcases an implementation of NeDi. It is a great tool not only for viewing the configuration and topology of a network, but also for troubleshooting it; it can answer many of the checks in this network troubleshooting checklist. As a network management tool it far outstrips 99.2% of the commercial offerings currently out there. It is available as an open source download and runs on the sniff of an oil rag (or the server equivalent, an HP Microserver with 8GB of RAM). Here is the server below:

Typically, a network inventory of all connected devices provides an active asset list of all usable equipment. This is equipment that accesses an organization's networks, and can include multi-function printers, servers, desktops, voice equipment, wireless devices, sensors, switches, routers, firewalls and WiFi access points.

A network inventory is obtained by actively polling the equipment with a tool, using standard networking protocols, specialised discovery protocols and the information inherently available in the network equipment used for connectivity.

The network inventory provides a basis on which assets used for connectivity can be verified and validated.

Requirements

The requirements to conduct a network discovery are:

  • Network discovery server requires IP access to all network equipment;

  • A network discovery server is required for each group of approximately 30 000 network-connected devices. The server is an Intel NUC appliance with the form factor of an A5 page and a height of no more than 10cm. For the stated requirement, this would need to be an i7 processor with 8GB of RAM and preferably an SSD;

  • VPN connectivity to manage the network discovery server via the cloud, using a tool such as WireGuard.

Key information

Fully completing a network discovery requires the following additional key information:

  • Seed IPs of the core network switches and routers located in the data centre;

  • CLI access to network equipment using SSH or TELNET;

  • SNMP community strings; and

  • Scanning of well-known protocol ports.

Mined information

A network discovery mines the following information from network connectivity equipment:

  • IP subnet scans. These become problematic when firewalls are placed in the path to network equipment, resulting in failed polls;

  • Routing tables, such as OSPF or BGP tables;

  • ARP tables, which are typically available on routers (the default gateway of an IP subnet);

  • MAC tables, which are available on switches and identify the interface in use. These are correlated with the corresponding ARP table entry to determine a network device's IP address;

  • Device neighbours using LLDP or CDP. These protocols are automatically available on all modern-day network equipment and can identify equipment even if it is not in the immediate layer 3 connectivity domain of an organisation.

In some cases, when restrictive incoming firewall rules prevent discovery, a proxy polling appliance needs to be inserted within the network to perform discovery.
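As an added example (not NeDi's code), the following Python correlates a router's ARP table with switch MAC tables to place each IP address on a switch port, skipping uplinks identified either by an LLDP neighbour or by a MAC-count heuristic; all tables, addresses and device names are constructed.

```python
from collections import defaultdict

# Constructed sample tables (not from NeDi or any real network): a router ARP table
# (IP -> MAC) and switch forwarding tables (switch -> port -> MACs), as SNMP would return them.
ARP_TABLE = {
    "10.0.1.10": "00:11:22:33:44:01",
    "10.0.1.11": "00:11:22:33:44:02",
    "10.0.1.12": "00:11:22:33:44:03",
    "10.0.1.13": "00:11:22:33:44:04",  # sits behind an undiscovered switch
}
MAC_TABLES = {
    "sw-access-1": {
        "Gi1/0/1": ["00:11:22:33:44:01"],
        "Gi1/0/2": ["00:11:22:33:44:02"],
        "Gi1/0/24": ["00:11:22:33:44:03", "00:11:22:33:44:04"],  # uplink to core
    },
    "sw-core-1": {
        "Gi1/0/5": ["00:11:22:33:44:03"],
        "Gi1/0/6": ["00:11:22:33:44:04", "aa:aa:aa:00:00:01",
                    "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:03"],  # unmanaged switch here
        "Gi1/0/48": ["00:11:22:33:44:01", "00:11:22:33:44:02"],  # link to sw-access-1
    },
}
# LLDP neighbours: (switch, port) -> neighbour. MACs learned on such a port are
# reached through the neighbour, not attached directly.
LLDP_NEIGHBOURS = {
    ("sw-access-1", "Gi1/0/24"): "sw-core-1",
    ("sw-core-1", "Gi1/0/48"): "sw-access-1",
}
MAX_MACS_ON_EDGE_PORT = 3  # more than this and the port likely feeds a switch or hub

def locate_macs(mac_tables, lldp):
    """Return MAC -> (switch, port) for MACs attached to exactly one edge port;
    uplinks (LLDP neighbour, or too many MACs) are skipped, so a MAC seen only on uplinks maps to None."""
    seen = defaultdict(list)
    for switch, ports in mac_tables.items():
        for port, macs in ports.items():
            uplink = (switch, port) in lldp or len(macs) > MAX_MACS_ON_EDGE_PORT
            for mac in macs:
                seen[mac].append(((switch, port), uplink))
    location = {}
    for mac, places in seen.items():
        edges = [place for place, is_uplink in places if not is_uplink]
        location[mac] = edges[0] if len(edges) == 1 else None
    return location

def build_inventory(arp, mac_tables, lldp):
    """Correlate ARP (IP -> MAC) with MAC-table locations (MAC -> switch, port)."""
    location = locate_macs(mac_tables, lldp)
    return {ip: {"mac": mac, "location": location.get(mac)} for ip, mac in arp.items()}
```

A None location is the signal to add the device behind that port (here the unmanaged switch on Gi1/0/6) to the discovery scope rather than to trust the inventory as complete.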

Analysis

Once most of the network has been discovered, the following analysis can be conducted:

  • Creation of network maps. Best practices in Information Security (Info Sec) require that the IT engineers responsible for network security maintain a current map or diagram of their network topology. Info Sec professionals have long taught that the first step in any vulnerability management program is to discover and identify all the assets in a network and to understand their role. For example, a PCI DSS requirement mandates that the following exists: “Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.” (Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures; the full standard is available from PCI Security Standards Council, LLC at www.pcistandards.org);

  • Identification of servers and of the top activity on the network;

  • An inventory of all network equipment, including location, manufacturer, serial numbers and versions.

Methodology

The high-level discovery methodology is as follows:

  1. The network discovery server is installed with the network discovery tool;

  2. The server is installed within the organisation's network, with access to network connecting equipment such as routers, switches and firewalls;

  3. VPN access to the server is provisioned;

  4. Initial network connecting equipment is seeded in the tool, typically the core switches and routers in the organisation's data centre;

  5. Invalid CLI access, failed community strings and restrictive firewall rule sets are identified;

  6. Change management is implemented to correct identified discovery problems;

  7. Tool is scheduled to re-initialize network discovery;

  8. The process is repeated until a significant portion of the network inventory has been listed to an acceptable level of accuracy;

  9. The network inventory is validated by physical inspection, including verifying geographic location, inspecting equipment (with photos and replacement costs) and investigating equipment lifetime;

  10. Network diagrams are created for devices;

  11. A preliminary risk assessment of the network inventory is completed; and

  12. Network documentation is completed and signed off.
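An added example (not part of the original article or of NeDi) of the seed-and-repeat loop in steps 4 to 8: a breadth-first crawl in Python from seed devices over constructed LLDP neighbour data, which reports the devices that could not be polled so change management can correct them, and reaches the rest once a re-run succeeds. Device names, ports and the failing set are all made up.

```python
from collections import deque

# Constructed neighbour data standing in for what LLDP/CDP polls would return
# (not NeDi's data model). Each key is a device; each value lists the
# (local port, neighbour device) pairs that device reports.
LLDP = {
    "core-1": [("Gi1/0/1", "dist-1"), ("Gi1/0/2", "dist-2"), ("Gi1/0/3", "fw-1")],
    "dist-1": [("Gi1/0/48", "core-1"), ("Gi1/0/1", "acc-1"), ("Gi1/0/2", "acc-2")],
    "dist-2": [("Gi1/0/48", "core-1"), ("Gi1/0/1", "acc-3")],
    "acc-1": [("Gi1/0/48", "dist-1")],
    "acc-2": [("Gi1/0/48", "dist-1")],
    "acc-3": [("Gi1/0/48", "dist-2"), ("Gi1/0/1", "acc-4")],
    "acc-4": [("Gi1/0/48", "acc-3")],
    "fw-1": [],  # seen as a neighbour but reports nothing itself
}
# Devices whose SNMP poll fails on the first pass (wrong community string,
# missing SNMP ACL entry, or a firewall in the path), as step 5 would uncover.
UNPOLLABLE = {"fw-1", "acc-3"}

def poll(device):
    """Stand-in for an SNMP walk of the device's LLDP remote table; None on failure."""
    if device in UNPOLLABLE:
        return None
    return LLDP.get(device, [])

def discover(seeds, poll_fn=poll):
    """Breadth-first crawl from the seed devices (step 4). Returns the links
    found, the devices polled, and the devices seen as neighbours that could
    not be polled, which is the list handed to change management in step 6."""
    queue = deque(seeds)
    visited = set(seeds)
    links, failed = [], []
    while queue:
        dev = queue.popleft()
        neighbours = poll_fn(dev)
        if neighbours is None:
            failed.append(dev)
            continue  # anything behind this device stays undiscovered
        for port, nbr in neighbours:
            links.append((dev, port, nbr))  # both ends report a link; dedupe when drawing
            if nbr not in visited:
                visited.add(nbr)
                queue.append(nbr)
    return {"polled": sorted(visited - set(failed)),
            "failed": sorted(failed), "links": links}
```

On the first pass acc-4 appears in neither list because its only path runs through the unpollable acc-3; that is why step 7 re-runs discovery after the credentials and rules from step 6 are fixed.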

The high-level analysis methodology is as follows:

  1. Network link capacity and usage is documented;

  2. Network performance is determined and documented;

  3. Network errors and faults are determined and documented;

  4. An intermediate risk assessment of the analysed network metrics is completed; and

  5. Network Analysis documentation is completed and signed off.

Ronald Bartels ensures that Internet inhabiting things are connected reliably online at Fusion Broadband South Africa - the leading specialized SD-WAN provider in South Africa.

Originally published on LinkedIn by Ronald Bartels: