"Unknown" is the flag Lumeta uses to identify all networks and devices in a zone that are not managed by your organization. The central value of Lumeta is its authoritative and comprehensive discovery of the unknowns in the enterprise network. Each unknown represents a potential vulnerability in the network that increases its overall risk profile and should be addressed. Specifically, "unknown" networks and devices are those that have been discovered in the enterprise, but are not included on any of Lumeta's Zone Network lists: Eligible, Known, or Internal.
To prepare for discovery, you'll need to select a zone and specify members of the Zone Network Lists (i.e., IPs and networks), which describe a starter set of networks and devices that Lumeta will use to discover the comprehensive universe of network devices in that zone. Generally, this starter set of networks and IPs comes from existing network management solutions such as IP address management, asset management, and vulnerability management systems. When Lumeta discovers networks and devices that are not included in these lists, they are termed "unknown" and should be considered high-priority items for remediation.
Lumeta's Zone Network Lists
- Eligible Zone Networks - When a device discovered by any collector in a zone is listed in Eligible, that device is interrogated by the current collector and all other collectors in the zone. Any device (IP or CIDR) your collector discovers via its Target list becomes available for other collectors to target when and only when that device is also listed in Eligible. Therefore, the Eligible list serves as a bridge between collectors.
Those Lumeta-discovered subnets (the ones your organization didn't know about originally) become authorized for further investigation by Lumeta when your organization adds them to the Eligible list. As you come to understand these subnets better, you will take ownership of some of them by labeling them as Internal Zone Networks.
The Eligible list is the set of networks you give Lumeta permission to probe. If a Lumeta collector discovers an IP or CIDR that is not included on the Target list, it then checks the Eligible list. If the element is on the Eligible list, it is interrogated; otherwise, the collector checks the Avoid list. If the element is not included on the Avoid list, it is interrogated. If a network you didn't know about was discovered via SNMP, for example, you might choose to add that network to the Eligible list to ensure that it is included in subsequent explorations.
When you enable TargetDiscoveredRoutes in Host Discovery, Lumeta discovers all devices within the Eligible Zone Network list. When you enable TargetDiscoveredRoutes in Path Discovery, Lumeta traces to all of the Eligible networks and can display the findings in a map. Discovery types SNMP, Port, Profile, and Leak can be configured to run on Eligible-discovered subnets.
- Known Zone Networks - IPs and CIDRs that you recognize and are aware of are recorded in your Known list. These are subnets with which you are only superficially acquainted. You do not own them or manage them. You may or may not want more information about them. The Known list enables you to define and label devices via associated CIDR blocks as "known" for reporting and analysis purposes.
The Known list does not control discovery processes. It is used to label data and therefore affects how data is reported. It may be helpful to think of the Known list as "networks your company knows about."
When you change the designation (i.e., label) of a network element from unknown to known, Lumeta recommends that you add that element to your Eligible list, so that from that point forward, all collectors in the zone (and not just the current, selected collector) will interrogate it.
- Internal Zone Networks - Subnets in a zone that your organization owns and manages. Internal subnets are those belonging to the zone. Lumeta uses the list of Internal subnets to define the perimeter of your network. The last forwarding devices (the "hop" before a packet lands beyond Internal space) are defined as perimeter routers and the network edge. The Internal Zone Networks list enables you to define and label devices via associated CIDR blocks as "Internal" for the purposes of reporting, mapping, and analysis. The Internal list affects reporting only and not discovery. By interrogating your Internal list, you can be apprised when an element in your zone goes inactive.
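The following is an added example, not Lumeta's own code: it applies the "unknown" definition above (discovered, but on none of Eligible, Known, or Internal) and the collector decision flow from the Eligible entry (Target, then Eligible, then Avoid) to a constructed set of zone lists and discovered addresses, so you can see which discoveries land in the remediation backlog.

```python
"""Classify discovered addresses against Lumeta-style Zone Network Lists.

Added example, not Lumeta's code. The zone lists and discovered IPs below
are constructed sample data; the interrogation flow follows the page's
description (Target -> Eligible -> Avoid).
"""
import ipaddress


def _in_list(ip, cidrs):
    """True if ip falls within any CIDR (or bare host address) in cidrs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def classify(ip, zone):
    """Labels that apply to ip; ['unknown'] if Eligible, Known and Internal all miss."""
    names = ("internal", "known", "eligible")
    labels = [n for n in names if _in_list(ip, zone.get(n, ()))]
    return labels or ["unknown"]


def will_interrogate(ip, zone):
    """Collector decision flow as the page describes it."""
    if _in_list(ip, zone.get("target", ())):
        return True                      # on the Target list: probed
    if _in_list(ip, zone.get("eligible", ())):
        return True                      # on Eligible: probed by every collector
    return not _in_list(ip, zone.get("avoid", ()))   # Avoid list is the final gate


def unknowns(discovered, zone):
    """Discovered addresses with no zone label: the high-priority remediation set."""
    return sorted(ip for ip in discovered if classify(ip, zone) == ["unknown"])


# Constructed sample zone lists (not from any real deployment).
ZONE = {
    "target":   ["10.0.0.0/24"],
    "eligible": ["10.0.0.0/16"],
    "known":    ["192.168.50.0/24"],
    "internal": ["10.0.1.0/24", "10.0.2.0/24"],
    "avoid":    ["172.16.99.0/24"],
}
DISCOVERED = ["10.0.0.5", "10.0.1.20", "10.0.7.9",
              "192.168.50.3", "172.16.99.10", "203.0.113.8"]

if __name__ == "__main__":
    for ip in DISCOVERED:
        print(f"{ip:15} labels={','.join(classify(ip, ZONE)):18} "
              f"interrogate={will_interrogate(ip, ZONE)}")
    print("unknowns:", unknowns(DISCOVERED, ZONE))
```

Note that a Known-only address is still interrogated here, which matches the page's statement that the Known list labels data but does not control discovery.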