Jason Forsgren

Lost Assets and Rogue devices Part II

In part one of this blog series, we discussed how tracking rogue IT assets is very similar to tracking down stray livestock during the annual roundup. With IT assets, that roundup often comes during an audit or annual hardware refresh, and it often takes the form of someone walking around the office and cataloguing devices in a spreadsheet, which is not only ineffective but costly. As you know, LANDESK has always offered asset discovery: we have to know what devices you have in order to manage those devices. This has often been in the form of active network discovery. You pick a location (subnet) and start scanning, and it returns a report of devices on that network, eliminating the need to send someone around the office. Or does it? As we mentioned in the previous blog, this is just a targeted look into the network. The device might not be on that subnet, or it might have certain security features enabled that prevent the sweep from being successful. That leads us to the need for passive scanning capabilities. However, setting this up can take some planning and often serious IT effort.

What does passive scanning offer that active discovery does not? Our passive discovery listens to ARP requests to see what devices come online. It sends a CBA ping request to see whether the device is running a managed agent; if it does not respond to the request, it is marked as unmanaged and a list is sent to the core server. The benefit of this over a standard IP ping is that I have yet to find a way to have a device connect to a network without sending out ARP discovery packets.
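The listen-for-ARP-then-check-the-agent flow described above, as an added example that is not LANDESK's code: it parses constructed Ethernet/ARP frames, records each sender by MAC, and sorts hosts into managed and unmanaged through a pluggable `is_managed` callback (an assumption standing in for the CBA ping). It also handles the ARP probe case (sender address 0.0.0.0 from a host that has no address yet) and ignores non-ARP traffic.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable

ETHERTYPE_ARP = 0x0806

@dataclass
class Inventory:
    """Hosts seen via ARP, keyed by MAC; is_managed stands in for the CBA ping (assumption)."""
    is_managed: Callable[[str], bool]
    devices: dict = field(default_factory=dict)
    def observe_frame(self, frame: bytes):
        """Feed one raw Ethernet frame; returns (mac, ip, status) for a newly seen host, else None."""
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            return None                                   # not ARP (e.g. ordinary IPv4 traffic)
        htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return None                                   # only Ethernet/IPv4 ARP is handled
        mac = ":".join(f"{b:02x}" for b in frame[22:28])  # sender hardware address
        ip = ".".join(str(b) for b in frame[28:32])       # sender protocol address
        if ip == "0.0.0.0":
            ip = None   # ARP probe (RFC 5227): host has no address yet, so record the MAC only
        entry = self.devices.get(mac)
        if entry is None:
            entry = self.devices[mac] = {"ip": ip, "status": self._status(ip)}
            return mac, ip, entry["status"]
        if ip and entry["ip"] is None:                    # an earlier probe now has an address
            entry.update(ip=ip, status=self._status(ip))
        return None
    def _status(self, ip):
        return "managed" if ip and self.is_managed(ip) else "unmanaged"
    def unmanaged(self):
        return sorted(m for m, e in self.devices.items() if e["status"] == "unmanaged")

def arp_frame(oper, sha, spa, tha=b"\x00" * 6, tpa=b"\x00" * 4):
    """Build a constructed Ethernet+ARP frame (sample input, not captured traffic)."""
    return ((b"\xff" * 6 if oper == 1 else tha) + sha + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa)
MANAGED_IPS = {"10.0.1.20"}   # constructed: hosts whose agent answers the CBA ping
SAMPLE_FRAMES = [             # constructed sample traffic, in arrival order
    arp_frame(1, bytes.fromhex("001122334455"), bytes([10, 0, 1, 20])),  # managed desktop
    arp_frame(1, bytes.fromhex("66778899aabb"), bytes([10, 0, 1, 77])),  # unknown laptop
    arp_frame(1, bytes.fromhex("ccddeeff0011"), bytes([0, 0, 0, 0])),    # DHCP client probing
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 30,              # IPv4 frame, ignored
    arp_frame(2, bytes.fromhex("66778899aabb"), bytes([10, 0, 1, 77])),  # repeat, not re-reported
]
def run_sample():
    """Replay the sample frames; returns (new-host reports, sorted unmanaged MACs)."""
    inv = Inventory(is_managed=lambda ip: ip in MANAGED_IPS)
    reports = [r for f in SAMPLE_FRAMES if (r := inv.observe_frame(f)) is not None]
    return reports, inv.unmanaged()
```

In a real deployment the frames would come from a raw socket or pcap feed on the subnet and the callback would be the agent check; the constructed frames here only exercise the classification logic.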

Now that we understand that we should have passive scanning enabled, how do we go about reconfiguring our network to do this? LANDESK System and Security Suite 2016 has simplified this by automatically enabling passive scanning by default on all devices. Now, if you have been with LANDESK for a while, you are saying to yourself, “Wait a minute! I have been warned for years not to have passive scanning on all devices, especially devices that leave the office, as I will often get false positives and create a backlog of devices I need to check to determine whether they are on my network or the local coffee shop's.” In 2016 we introduced a new platform technology that helps eliminate this administrative mess while maintaining the benefits of passive discovery. Self-electing subnet services (SESS) is enabled by default for all Windows devices. Currently, multicast and passive unmanaged device discovery (formerly referred to as Extended device discovery (XDD), or by the marketing term “neighborhood watch”) operate on SESS, with more services to be added in future releases.

To dive a little deeper into this, SESS can now be configured per agent setting, and it can also be enabled or disabled per subnet. The configuration options are limited to XDD, both for ARP and WAP. You can set your thresholds and either enable or disable the ability to perform said service. The next comment we often hear is, “I do not want or need all of my devices performing this service.” That is where the advantage of SESS comes into play. Once we have decided what agent settings to use, the devices on that subnet hold an election to designate a host to talk back to the core server. If that device goes offline, another election is held and a new system is elected to talk back to the core server, so you will always have a device performing these capabilities.

Now that we have discussed needing to find our assets, how do we go about doing so? Let’s cover a real-world example that we saw during our LDMS 2016 field test. Remember, I stated earlier that discovery is enabled by default. During field testing, we had a customer that installed the agent on his pilot test group; by chance, this covered multiple subnets. As we were discussing the new features in 2016, SESS came up and they stated, “That will probably be useful on our remote subnets, but on the local subnets we know what is out there.” They pulled up unmanaged device discovery and were a bit surprised to see that we had already located 30-some-odd computers on this local subnet alone. Looking at the list, most were laptops and a few were BYOD, but some were company resources, including a handful of desktops they had purchased and installed in the last 6 months or so and forgotten about. They were surprised by the results, to say the least, and stated that this was going to be a huge help in starting to get full control of their resources, both for keeping track of company assets and for knowing what rogue devices are on the network that might be causing significant risk to the business.