BES Asset Discovery Update

(imported topic written by BenKus)

As posted on the BES Admin mailing list:

The BES Asset Discovery site has been updated with new features and improvements!

BES Asset Discovery allows you to run distributed scans throughout your environment to find devices that BES doesn’t currently manage, including:

  1. An accurate inventory of network devices like routers, printers, switches, unauthorized wireless access points, or any device with an IP address.

  2. A list of all the computers that don’t have the BES Client installed.

See a screenshot here: http://support.bigfix.com/bes/sites/images/ua_console.jpg

The newly improved site contains a number of new features to enhance functionality and usability.

List of Major Changes:

  • Service Detection – Added service detection to probe unmanaged computers to detect whether computers are running services like web servers, FTP servers, DHCP servers, and other services.
  • Correlation to BES Clients – Enabled correlation of unmanaged assets against the BES database to remove false-positives and help identify computers with the BES Client stopped.
  • New Wizard – Updated the BigFix Asset Discovery Nmap Configuration Wizard to make it easier to configure the scan points and run scans.
  • Upgraded Asset Discovery components – Upgraded the nmap utility and importer to improve the accuracy of the OS detection and improve the scan speed.

Customers with BES Asset Discovery currently installed, please check the “Tasks” on the BES Asset Discovery site for information on how to upgrade existing components.

For more information on BES Asset Discovery, please see http://support.bigfix.com/bes/sites/assetdiscovery.html

If you are not currently licensed for BES Asset Discovery, please contact your sales representative.

Questions / Comments? Use the BigFix User Forum at http://forum.bigfix.com.

BigFix Product Team

Asset Discovery is a very useful site and if you have never looked at it, I highly recommend starting a trial.

Feel free to post questions about the site here.

Ben

(imported comment written by stt10191)

What is the recommended ratio of scanning points to subnets? We have a very large network and will plan the number of scanning points and placement of them accordingly.

(imported comment written by jessewk)

It takes approximately 20 minutes to scan a class C subnet. This can depend greatly on the scan parameters but it should work as an estimate. If you can put a single scan point in each of your class C subnets then it will take you approximately 20 minutes to complete a scan of your entire network.

Relays make great scan points…

(imported comment written by BenKus)

I think the general rule for scanpoints is that the more scanpoints, the better coverage and the easier it is on your network (because there is no need to scan across subnets). You shouldn’t need more than one computer designated as a scanpoint per subnet. You can configure scanpoints to scan nearby subnets if you don’t want to deal with having scanpoints in each subnet. As Jesse mentions, making relays scanpoints too tends to get you a big chunk of the coverage you need.

I have seen companies with as many as 3000 scanpoints without an issue so the system can handle quite a lot of scanpoints.

Ben

(imported comment written by prasadk23)

Hi,

Will the discovery of rogue devices be in real time? What kind of traffic would be generated if a larger number of scan points scan the entire network periodically to probe the network?

Regards,

P K

(imported comment written by BenKus)

Hey Prasad,

You can run the scans as often as you would like (as Jesse mentioned, it takes somewhere around 10-20 minutes to scan all the IPs in a class C subnet). However, most people run the scans anywhere from once every 6 hours to once every few days. All this can be done in parallel if you are using scanpoints spread throughout your network. This is much, much faster than trying to scan from one location, which can take days or even weeks to scan your whole company (and often misses many computers that are off at night or temporarily not connected to the network and so on).

The amount of traffic generated by a scan is generally considered negligible for 2 reasons:

  1. Scanpoints tend to scan the computers in nearby network LANs that tend to have very fast network speeds.

  2. The scan itself doesn’t generate very much network traffic. It is basically looking for IPs and doing OS fingerprinting, which are not bandwidth-intensive operations.

Ben