We have all been there. We are at a new place with new devices and the previous person did not keep good records. Now we’re being asked to secure the network without losing current functionality. Allow the good devices and block the bad, or at least put the bad on the guest network. So, what are all the devices on the network?
Some of the devices will be easy to identify and others not so much. An invaluable free tool to help you get started is Nmap (https://nmap.org/). A quick Nmap scan of your network shows you how much you know about it and, just as importantly, how much you don't.
How Nmap Enables Endpoint Visibility
You can run Nmap from the shell prompt with its myriad command line options, but an easier way to get started is to use the Zenmap tool, which has a UI to help you navigate your initial discovery.
One helpful feature of both the Nmap command line tool and Zenmap is the ability to output the results as XML. This output then allows you to use additional data parsing techniques to dig further into your data and look for patterns that can help you identify various devices with some detective work.
Nmap does a great job at identifying certain devices, but it's not a comprehensive resource for all IoT devices in the market. Most of the time, you can identify the laptops, servers, and networking devices in your network, but not the mass of IoT devices people carry around or use in modern offices. TVs, projectors, lightbulbs, phones, and other harder-to-identify devices need to be properly identified, especially as you strive not to interrupt business as usual.
Getting Started With Nmap
Let’s work through a small example on how to use the results from Nmap to help identify groups of devices on your network to help you determine network security rules for applications like your Network Access Control (NAC) software.
First, we will install Zenmap to help us through our process. The latest instructions can be found here: https://nmap.org/zenmap/
Running a Scan on Your Network
After installation, we select to run an intense scan on a subnet of our network. In this case that is the 192.168.1.X part of our network, which we specify in the target field using CIDR notation (192.168.1.0/24).
The UI shows you the resulting command line from your profile selection, should you choose to use the command line in future scripts. That command line is also where you add the option that writes your output in the desired format. For this example, we will be using the -oX option from Zenmap, which writes the results as XML that we can inspect and search.
Examining Your Scan Results
Running this scan on a network you have access to might yield a typical IoT set of results.
As you can see, there are many devices that are identified as Linux OS and unknown OS. Also, there is the easily identified Windows OS, which is one of the laptops on the network, and many macOS devices, which include the MacBooks, iPhones, Apple Watches, and other devices that attach to the network.
Classifying Unknown IoT Devices
Since many IoT devices use a base Linux OS, let’s see if we can find a pattern to help classify a larger subset of these unknown devices.
By selecting a device from our list, we can find some good details about what the device might be. Selecting the “Port/Hosts” and “Host Details” tabs we get some insightful data into the identity of this device.
Host Details
Already we see that one of the ports is associated with Amazon devices. There is one more hint in the XML output which can be obtained from the menu selection Scan -> Save Scan and opening the XML in Visual Studio Code.
Here we can see that the MAC vendor (the manufacturer of the network interface card) is also Amazon Technologies. MAC vendors are identifiable from the first three bytes of the MAC address (the OUI) and searchable from such online sources as https://standardsoui.ieee.org/oui/oui.txt
Filtering Out Devices From Results
With these hints we can start to look at our network with the lens of filtering out all Amazon devices like Alexa Echo Dots and Fire TV sticks.
A short PowerShell script run on the XML output yields the results that follow:
Or even better, you can use this script to get the IP addresses of those same devices, although you will still want the MAC addresses for NAC and other purposes.
This tells us that we likely have 8 devices on our network from Amazon. We could then scan our larger network for IP addresses whose MAC addresses belong to Amazon and classify those devices the same way. Our network is one step closer to being secure.
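As an added example (not the script from the original post), the PowerShell function below does what the post describes in one pass: it parses the saved Nmap XML, keeps only the hosts whose MAC vendor matches a pattern, and returns their IP address, MAC address, OUI prefix and Nmap's best OS guess together, which is the data a NAC rule needs. The function name, the file path and the sample XML are assumptions constructed for this example.

```powershell
# Added example (not the post's own script). Assumed input: Nmap XML saved with -oX or
# Scan -> Save Scan, e.g. from: nmap -T4 -A -v -oX scan.xml 192.168.1.0/24
function Get-NmapHostsByVendor {
    param(
        [Parameter(Mandatory)] [xml]$Scan,    # parsed Nmap XML document
        [string]$VendorPattern = 'Amazon'     # substring of the MAC vendor to match
    )
    foreach ($h in $Scan.nmaprun.host) {
        # Each <host> has one <address> per type; only the mac entry carries vendor=.
        $mac  = @($h.address) | Where-Object { $_.addrtype -eq 'mac' }  | Select-Object -First 1
        $ipv4 = @($h.address) | Where-Object { $_.addrtype -eq 'ipv4' } | Select-Object -First 1
        # Hosts without a MAC (off-subnet, so no ARP reply) cannot be classified this way.
        if ($null -eq $mac -or $mac.vendor -notlike "*$VendorPattern*") { continue }
        [pscustomobject]@{
            IP     = $ipv4.addr
            MAC    = $mac.addr
            OUI    = ($mac.addr -split ':')[0..2] -join ':'   # first three bytes = vendor prefix
            Vendor = $mac.vendor
            OS     = @($h.os.osmatch)[0].name                  # best Nmap OS guess, if any
        }
    }
}

# Constructed sample in Nmap's XML layout (MACs are placeholders, not real devices).
$sampleXml = @'
<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="00:00:00:AA:BB:01" addrtype="mac" vendor="Amazon Technologies"/>
    <os><osmatch name="Linux 3.2 - 4.9" accuracy="95"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.21" addrtype="ipv4"/>
    <address addr="00:00:00:AA:BB:02" addrtype="mac" vendor="Apple"/>
  </host>
</nmaprun>
'@

# For a real scan replace the next line with: [xml]$scan = Get-Content -Path .\scan.xml -Raw
[xml]$scan = $sampleXml
$found = @(Get-NmapHostsByVendor -Scan $scan -VendorPattern 'Amazon')
$found | Format-Table IP, MAC, OUI, Vendor, OS -AutoSize
"{0} device(s) matched vendor pattern 'Amazon'" -f $found.Count
```

Feeding it the real scan file instead of the sample lists every host whose NIC vendor matches, so the same function covers both the MAC listing and the IP listing the post mentions.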
Use Nmap to kickstart your network detective work and get your network more secure by knowing what devices are out there.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.