
You can select TCP and/or UDP as additional or alternate options for locating live hosts. Selecting both TCP and UDP for device discovery causes the application to send out more packets than with one protocol, which uses up more network bandwidth. On the other hand, a firewall may be configured to send proxy ARP responses, which could result in non-existent assets appearing to be alive. In either case, the application infers that the device is not present, and reports it as DEAD in the scan log. A firewall may discard the pings, either because it is configured to block network access for any packets that meet certain criteria, or because it regards any scan as a potential attack. There are a couple of drawbacks of this approach. The benefit is accuracy, since it is checking all possible targets.

By default, the Scan Engine uses ARP and ICMP requests, also known as pings, to seek out an asset during device discovery. This method costs time, because the application checks ports on all target assets, whether or not they are live. So for these types of scans, it’s more efficient to have the application “assume” that a target asset is live and proceed to the next phase of a scan, service discovery. Peripheral networks usually have very aggressive firewall rules in place, which blunts the effectiveness of asset discovery. The Web audit and Internet DMZ audit templates do not include any of these discovery methods. If the application cannot verify that an asset is live with one method, it will revert to another. Using more than one discovery method promotes more accurate results. See Make your environment “scan-friendly”. Be mindful of where you deploy Scan Engines and how Scan Engines interact with firewalls.

This can reduce the overall accuracy of your scans. In either case, the application reports the asset to be DEAD in the scan log. If a firewall is on the network, it may block the requests, either because it is configured to block network access for any packets that meet certain criteria, or because it regards any scan as a potential attack. The potential downside is that firewalls or other protective devices may block discovery connection requests, causing target assets to appear dead even if they are live. ICMP echo requests (also known as “pings”). Three methods are available to contact assets: Filtering out dead assets from the scan job helps reduce scan time and resource consumption.

Determining if target assets are live

Determining whether target assets are live can be useful in environments that contain large numbers of assets, which can be difficult to keep track of. If you choose not to configure asset discovery in a custom scan template, the scan will begin with service discovery.

reporting any assets with unauthorized MAC addresses.

collecting information about discovered assets.

Asset discovery configuration involves three options:
