Network Management Protocol (SNMP), and other vehicles, software retrieves MAC addresses and other information that can be reconciled with the organization’s asset inventory.
Going further, effective organizations configure free or commercial network scanning tools to perform network sweeps on a regular basis, such as every 12 hours, sending a variety of different packet types to identify devices connected to the network. At a minimum, the network scan sends traditional ping packets (ICMP Echo Request), looking for ping responses to identify a system at a given IP address. In addition to traditional pings, scanners can also identify devices on the network using TCP SYN or ACK packets. Once they have identified the IP addresses of devices on the network, the better scanners provide robust fingerprinting features to determine the operating system type of each discovered machine. Unfortunately, unless the scanner is on the same subnet as a discovered target machine, or has administrative credentials to log in to the discovered asset, it is unable to pull the MAC address of the discovered network interface. Still, the IP address and operating system information can be reconciled against the organization’s asset inventory assembled in the asset database and regularly updated.
Wireless devices (and wired laptops) may periodically join a network and then disappear, making the inventory of currently available systems churn significantly. Likewise, virtual machines can be difficult to track in asset inventories when they are shut down or paused, because they are then merely files in some host machine’s file system. Additionally, remote machines accessing the network using VPN technology may appear on the network for a time and then be disconnected from it. Each machine, whether physical or virtual, directly connected to the network or attached via VPN, currently running or shut down, should be included in an organization’s asset inventory.
To evaluate the effectiveness of the asset inventory and its monitoring, an organization should connect a fully patched and hardened machine to the network on a regular basis, such as monthly, to determine whether that asset appears as a new item in the network scan, the automated inventory, and/or asset management database.
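The reconciliation step described above, and the periodic test of whether a newly connected machine shows up as a new item, as an added example in Python (not code from the original document): the scan results, inventory entries, addresses and field names are constructed assumptions. A MAC address is compared only when the scanner was actually able to learn one, and inventoried hosts absent from the scan are listed separately, since laptops, paused virtual machines and VPN clients churn in and out.

```python
# Added example: reconcile a periodic network-scan result with the asset inventory.
# All hosts, addresses and owners below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ScanHit:
    ip: str
    os_guess: str          # scanner's OS fingerprint
    mac: Optional[str]     # None unless scanner shares the subnet or has credentials

@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    os: str
    owner: str             # responsible administrator recorded in the inventory

INVENTORY = [
    Asset("10.0.1.10", "aa:bb:cc:00:00:01", "Linux", "alice"),
    Asset("10.0.1.11", "aa:bb:cc:00:00:02", "Windows", "bob"),
    Asset("10.0.1.12", "aa:bb:cc:00:00:03", "Linux", "carol"),    # laptop, off today
    Asset("10.0.2.20", "aa:bb:cc:00:00:04", "Windows", "dave"),   # on another subnet
]

SCAN = [
    ScanHit("10.0.1.10", "Linux", "aa:bb:cc:00:00:01"),     # matches inventory
    ScanHit("10.0.1.11", "Windows", "aa:bb:cc:00:00:99"),   # known IP, different MAC
    ScanHit("10.0.1.13", "Linux", "aa:bb:cc:00:00:77"),     # not in inventory (test host)
    ScanHit("10.0.2.20", "Linux", None),                    # off-subnet: no MAC, OS differs
]

def reconcile(scan, inventory):
    """Return unknown IPs, attribute mismatches and inventoried hosts not seen."""
    by_ip = {a.ip: a for a in inventory}
    seen, unknown, mismatched = set(), [], []
    for hit in scan:
        asset = by_ip.get(hit.ip)
        if asset is None:
            unknown.append(hit.ip)          # candidate unauthorized device
            continue
        seen.add(hit.ip)
        if hit.mac is not None and hit.mac.lower() != asset.mac.lower():
            mismatched.append((hit.ip, "mac", asset.mac, hit.mac))
        if hit.os_guess and hit.os_guess.lower() not in asset.os.lower():
            mismatched.append((hit.ip, "os", asset.os, hit.os_guess))
    missing = sorted(ip for ip in by_ip if ip not in seen)
    return {"unknown": sorted(unknown), "mismatched": mismatched, "missing": missing}

if __name__ == "__main__":
    for key, value in reconcile(SCAN, INVENTORY).items():
        print(f"{key}: {value}")
```

An unknown IP or a MAC mismatch on a known IP is the finding to route to the responsible owner; the missing list is expected churn unless a host stays absent across several sweeps.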
Sandia National Labs takes the inventory a step further by requiring the name and contact information of a system administrator responsible for each element in its inventory. Such information provides near instantaneous access to the people in a position to take action when a system at a given IP address is found to have been