What can I discover?
Leverage Spectre Lumeta to discover routes, routers, inter-connectivity of the network, the nature of external connections, your network's edge, the core of your network, hosts, devices attached to your network (as well as their characteristics), and the anomalies of your network (e.g., whether a device is leaking, whether a device is answering on TCP ports that are unexpected, unknown networks or connections).  

How do I know what my network is?
Spectre Lumeta is the means to knowing what your network is. It provides you with an authoritative understanding of what your network is: the assets that comprise it, its perimeter, its forwarders, what traffic is coming in and going out of it, and the IP addresses and CIDRs that compose it.

What parameters do I set for Spectre Lumeta to know what to scan?
You'll configure a Zone and Collectors to begin acquiring an understanding of your network. Collectors may be set up to execute one or more of the following discovery types:

  • Broadcast
  • OSPF
  • SNMP
  • Path
  • Host
  • Port
  • Leak Path
  • Discovery Spaces
  • Profile

Which parameters you set depends on what you are trying to learn about your network. See Configuration by Objective for more. 

What is active discovery?
Active discovery is network exploration that continuously incorporates data uncovered via passive listening techniques and via targeted discovery spaces.  This information is analyzed against network norms and policies to identify components that require further assessment, ensuring that shadowy corners and suspicious configurations on your network do not go unexamined. 

What parameters need to be set for active scanning?
You need to configure your collector(s) in the relevant zone(s) before beginning your active scanning. The following parameters need to be set for active scanning to occur (per collector):

  • SNMP
  • Path
  • Host
  • Port
  • Spaces

You also need to designate Zone Network(s). 

What is passive scanning?
Passive discovery involves the monitoring of broadcast packets via ARP, DHCP, and ICMPv6, and passively participating in OSPF to discover routing topology.

What parameters need to be set for passive scanning?
The following parameters need to be addressed before you can begin passive scanning (per collector):

  • Broadcast
  • OSPF

What is the optimum configuration needed to run a scan?
In order to run a scan, you will need to have at least three collectors configured in at least one zone. Each of these collectors has to have at least one of the following parameters activated:

  • Broadcast
  • OSPF
  • Path
  • SNMP
  • Host
  • Port
  • Leak Path
  • Discovery Spaces

What is the difference between Zone Network and Collector Discovery Space?
The Collectors operate within space under the allotted Zone Network Space. Configuration changes made on the Zone level are applied across any/all collectors configured in that zone. Collector Discovery Spaces control what is, and what is not, discovered at the collector level.

Spectre Lumeta Configuration

Since Spectre Lumeta is always scanning, and has configurable rescan intervals, it's important to be aware of the impact of your configuration on the network. In Spectre Lumeta, collectors are the equivalent of a scan configuration in IPsonar, and each zone (similar to a report/SDG) can have multiple collectors. Each collector has its own rescan interval and target list. When configuring path discovery or host discovery to scan a large target list or discovered routes, that collector should use a longer rescan interval to avoid continuously scanning the network. To check the status of already-discovered IPs or SNMP-discovered IPs, another collector can be configured with a short rescan interval and no target list. Regardless of rescan interval, whenever a new device or target is discovered, it is immediately scanned and is not affected by the rescan interval.

How many collectors do I need to configure?
Best practice is to configure 3 collectors: passive, path, and host discovery. Insert picture.

How frequently should each collector discover?
The frequency of discovery for each collector is a decision best made by you. It is, however, ideal to enable each collector while you can observe its discoveries. If your collector is only performing passive discovery, keep the interval short; 10 minutes is good enough. For path discovery, use a medium interval of 30 minutes or more. For SNMP, use a long interval of 45 minutes. SNMP data doesn't change that often, so there is no need to scan it so repetitively; dynamic data gets captured more frequently.
 

What is the best practice for configuring collectors?  

There are a few practices you can use to maximize the efficiency of your collectors:

  1. When configuring path discovery or host discovery to scan a large target list or discovered routes, that collector should use a longer rescan interval to avoid continuously scanning the network.
  2. To check the status of already-discovered IPs or SNMP-discovered IPs, another collector can be configured with a short rescan interval and no target list.

Zones


What separates two zones?

Zones vary in their individual rules and policies. They can be as simple or as complex as an organization defines them and can be comprised of logical networks and subnets. The variation in the networks and/or subnets assigned to each zone, together with the variation in their rules and policies, firmly establishes each zone as separate from the others.


What network space do I need to set for zones?
There are additional Zone Network lists at the Zone level. These options are applied across any/all collectors configured in that Zone:

  • Known List - used for labeling devices (via CIDR blocks) as "Known" for reporting and analysis purposes.
  • Eligible List - used to allow Spectre Lumeta to probe networks further when they are discovered via SNMP, for example.
  • Internal List - used for labeling devices (via CIDR blocks) as "Internal" for purposes of reporting, mapping, and analysis.

Note that the only option in Zone Network that controls or limits discovery within collectors is the Eligible List; the other two (Known and Internal) are for post-discovery reporting and analysis.
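The following is an added example (not Spectre Lumeta code) that models the two points made above and in "What is the difference between Zone Network and Collector Discovery Space?": the zone-level Eligible List gates whether a discovered address may be probed further by any collector in the zone, a collector's Discovery Space narrows that further for one collector, and the Known and Internal lists only attach labels for reporting. The class names, the treatment of a Discovery Space as a plain include list, and all CIDR values and addresses are constructed for illustration.

```python
"""Model of zone-level lists versus collector-level discovery spaces.

Added illustration; not the product's code. Zone, Collector, the CIDRs and the
sample addresses are all constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


def _parse(cidrs: List[str]):
    """Turn CIDR strings into network objects (host bits tolerated)."""
    return [ip_network(c, strict=False) for c in cidrs]


def _contains(nets, addr) -> bool:
    return any(addr in n for n in nets)


@dataclass
class Zone:
    name: str
    eligible: List[str]   # Eligible List: the only list that limits discovery
    known: List[str]      # Known List: label only
    internal: List[str]   # Internal List: label only

    def labels(self, ip: str) -> List[str]:
        """Post-discovery labels; never affects whether an address is probed."""
        addr = ip_address(ip)
        tags = []
        if _contains(_parse(self.known), addr):
            tags.append("Known")
        if _contains(_parse(self.internal), addr):
            tags.append("Internal")
        return tags or ["Unknown"]


@dataclass
class Collector:
    name: str
    zone: Zone
    # Assumption for this example: a Discovery Space is an include list of
    # CIDRs; an empty list means the collector inherits the zone's Eligible List.
    discovery_space: List[str] = field(default_factory=list)

    def should_probe(self, ip: str) -> bool:
        """Zone Eligible List first (applies to every collector), then the
        collector's own Discovery Space."""
        addr = ip_address(ip)
        if not _contains(_parse(self.zone.eligible), addr):
            return False
        if self.discovery_space and not _contains(_parse(self.discovery_space), addr):
            return False
        return True


def triage(collectors: List[Collector], ips: List[str]) -> Dict[str, dict]:
    """For each discovered address: which collectors would probe it, and its labels."""
    out = {}
    for ip in ips:
        zone = collectors[0].zone
        out[ip] = {
            "probed_by": [c.name for c in collectors if c.should_probe(ip)],
            "labels": zone.labels(ip),
        }
    return out


# Constructed sample zone and collectors.
CORP = Zone(
    name="corp",
    eligible=["10.0.0.0/8"],          # anything outside 10/8 is never probed further
    known=["10.1.0.0/16"],
    internal=["10.0.0.0/8"],
)
PATH_COLLECTOR = Collector("path", CORP, discovery_space=["10.1.0.0/16"])
HOST_COLLECTOR = Collector("host", CORP)   # inherits the zone Eligible List

# Constructed addresses "discovered" via SNMP.
DISCOVERED = ["10.1.5.7", "10.2.0.1", "192.168.1.1"]

if __name__ == "__main__":
    for ip, info in triage([PATH_COLLECTOR, HOST_COLLECTOR], DISCOVERED).items():
        print(ip, info)
```

Running the block shows that 192.168.1.1 is labelled "Unknown" and probed by no collector because it falls outside the Eligible List, while 10.2.0.1 is eligible at the zone level but only the host collector (with no narrower Discovery Space) would probe it.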

Discovery Objectives

Recently, the focus of the overall Spectre Lumeta Discovery Process has shifted to a "task oriented" methodology. This is a change from IPsonar Classic's scanning or phase focus, in concept and in positioning in the market. Being a continuous product, Spectre Lumeta shifts the linear approach of scanning to a "what do you want to do" approach. As an example, we will no longer discuss Network Discovery as a scanning phase, but switch to a mindset of "the client wants to discover their network". Although this task oriented approach may seem like a minimal change, it does have a significant impact on how we describe how, what and why clients use the product.

  1. Discover the network: The focus of this task is to provide the client information on their infrastructure: discovering the routes and routers, the inter-connectivity of the network, and defining external connections to partners, the Internet, etc. It produces a representation of the network from both Layer 2 and Layer 3 of the OSI model. The discovery types used are:
     • Active discovery of targeted networks, which provides accurate coverage at the edges of the network
     • Passive discovery using routing protocols, which provides instantaneous network updates and broadens understanding of the core of the network
     • Targeted system inquiries using SNMP, which provide rich data gathered from the network equipment
  2. Discover the hosts:
  3. Profile the devices: The focus of this task is to provide the client information on devices attached to their network: determining which devices are "alive" and what they are (device type, OS, hardware, etc.).
  4. Discover the anomalies: The focus of this task is to provide the client information on anomalies that have been discovered by Spectre Lumeta: determining if a device is leaking, whether a device is answering on TCP ports that are unexpected, finding unknown networks or connections, or any other discovered information that may be deemed anomalous either through Lumeta "best practices" or as defined by the user.