By Graeme Messina
How To Set Up Your First Network Inventory
To successfully perform your network inventory, you need to understand what you are trying to accomplish and why. It helps if you have a strong foundational knowledge of how network operations work — and what needs to be done to maintain a healthy network.
A certification like CompTIA's Network+ will give you an understanding of how a network operates. Performing a network inventory gives you an understanding of what you currently have on your network, so it makes sense to keep this knowledge as up to date as possible.
As the saying goes, “You cannot protect what you do not know is there.” Network inventory management also allows you to meet financial and security compliance requirements, which will keep the boss happy, too.
Why a Network Inventory is Important
If you have a small network of one or two computers, then network inventory is very straightforward. When things start scaling up to hundreds of computers, servers, and network switches, gaining visibility of your network becomes more difficult, not to mention the amount of cabling all of this requires. You need a system to keep tabs on your current network inventory.
If you understand what is connected to your network, then you can plan for the future and create capacity and reserves for expansion and growth. Having additional capacity also helps you to deal with outages and failures, but only if you know that the resources are available for use.
Time, Money, and Bandwidth. Connectivity and data flow are the lifeblood of modern businesses. Having access to the internet and remote sites via WAN connections is essential if you are going to get anything done. This is why you not only want to make sure that your connection is fit for purpose, but you also want to make sure that what you are getting billed for is what you are using.
A network inventory includes information about your connections to the outside world, including line speeds, cost estimates, and capacity. You will want to keep tabs on how your bandwidth is being used and identify abuse. The software can help you rein in users and sites that are using data in a way that is disproportionate to their contribution to productivity.
Access Control and Loss Prevention. Security is another huge area that needs attention. What files are accessible, and by whom? A properly configured access control list gives you a template to work from that is repeatable across the entire organization. You can create groups that have default access to data, physical access to buildings, and anything else that needs to be secured, based on roles and positions within the business.
Loss prevention can take many different forms. Data loss prevention (DLP) is a suite of software applications and hardware that monitors data that is leaving the organization. Appliances are available that identify keywords, file signatures, and other identifiers proprietary to your company. If any material is detected that triggers a DLP system, then that transaction is flagged, and the user responsible for the attempt will be asked why they needed to send out such information. And perhaps more importantly, to whom?
Loss prevention can also refer to security features such as physical security and hardware inventory lists. Users that need to take hardware home with them will need to acknowledge the fact that they are leaving the business with company property. If users are found with equipment without permission, then they will need to show who authorized the removal of that property.
Network inventory can help identify when a piece of hardware was last online, and where it was at the time. Knowing when and where a device was last seen makes the physical management of hardware much easier.
Licenses, Warranties, and Compliance. Modern organizations have a lot of software. Managing this software means understanding your current licensing situation. A lot of software has a license that requires annual or bi-annual renewal. You never want to be blindsided by an expired piece of mission-critical software. For this reason, you will want to have a system that reminds you and the acquisition teams before a licensing lapse occurs.
Even with all the cost savings of software-defined networking, hardware makes up one of the largest IT expenditures in modern organizations. The move to cloud resources has taken much of this cost burden away from the business itself, but there is still a lot of physical hardware that needs to be "in-house".
Servers, virtual hosts, SAN devices, switches, routers, desktops, and laptops all come with manufacturer warranties. Some warranties, like desktop and laptop warranties, are okay to let expire. Personal devices generally degrade faster and are reasonably priced to replace. However, infrastructure hardware needs to last well into the future and can sometimes have its warranty extended well after the initial expiration.
Compliance issues, like GDPR, are always a concern. If your company works in a regulated market, then non-compliance can spell disaster. There are systems and checks that can be set in place that will warn your compliance teams when things are not in line with the compliance requirements of your industry.
Bring Your Own Device (BYOD). People have dependencies on their smartphones, laptops, and other personal devices and are using them more and more often for work-related tasks such as email and messaging. Most companies are aware of this trend.
Implementing a BYOD scheme can help to cut costs by allowing users to bring their own hardware to work, but comes with some drawbacks, particularly relating to security. To successfully integrate this kind of system within a business, you really need to concentrate on network configuration and segmentation. Public Wi-Fi should always be on its own VLAN, and it needs to be isolated from the rest of the network.
Threat Detection. Antivirus software is essential for all of your endpoints. Every laptop, server, and desktop should have antivirus software. Threats like ransomware have the potential to sink an organization. Commercial threat detection can reduce the risk of malware and viruses attacking your network.
Network inventory systems can track your endpoints' current state and show you which units are up to date and which ones need to be updated. If a poorly configured device is on your network, then your software should be able to tell you before it becomes a legitimate issue over time.
Getting Started: Setting up Your Network Inventory
Setting up your network inventory solution can be daunting, but you have to start somewhere. You should have an initial idea about what you want to measure and control and prioritize which information will take precedence. You'll also want to have a robust understanding of your servers.
Network Inventory Software Solutions
To accomplish this, you will have to do some homework. Research is key when looking for the best software solutions for your network to create an effective inventory. What information do you want to keep, and how are you planning on storing and sharing this data with the rest of the organization?
Some inventory solutions also have built-in alerting and monitoring for critical infrastructure. If you already have monitoring across all your sites, then great. But if not, then this could be the time to look at finding a monitoring and alerting solution that works together with your network inventory software.
Think about your budget and what you are willing to set aside for it. If the answer is "not much," or "preferably nothing," then there are some free and open source solutions out there, but you will have to put in the work to understand how they work and how they create the network map that you are looking for.
Network Scanning Devices
The fundamental feature that you are looking for is a network scanning capability. Most network inventory software uses a combination of IP scanning, SNMP scanning, and WMI data to build a picture of the devices on your network. You can build a map of your network showing how many devices are attached to each segment of your network, and identify any misconfigured or suspicious devices.
SNMP helps you to fill in the blanks regarding device information and will give you details such as the make, model, serial number, and software version of a network device. WMI relays data about hosts such as servers and computers, giving you visibility of the computers on your network.
When you add up these components and the results that they yield, you end up with an overview of the details of your network. This information is an excellent starting point for creating your network inventory.
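The merge described above, as an added example that is not from the original article: it combines IP-scan, SNMP and WMI results into one record per address and flags devices that need a closer look. All addresses, device details and the `MIN_VERSION` policy table are constructed sample data, and the two flag names are assumptions chosen for illustration.

```python
# Added example: merge IP-scan, SNMP and WMI results into one inventory.
from ipaddress import ip_address

# Constructed sample data (RFC 5737 documentation addresses), not real scan output.
IP_SCAN = {"192.0.2.1", "192.0.2.10", "192.0.2.20", "192.0.2.77"}
SNMP = {
    "192.0.2.1": {"make": "ExampleNet", "model": "SW-24",
                  "serial": "SN0001", "version": "1.2"},
    "192.0.2.20": {"make": "ExampleNet", "model": "AP-2",
                   "serial": "SN0002", "version": "0.9"},
}
WMI = {"192.0.2.10": {"hostname": "FIN-LT-01", "os": "Windows 11"}}
# Hypothetical policy: minimum acceptable software version per model.
MIN_VERSION = {"SW-24": "1.2", "AP-2": "1.0"}


def version_tuple(version):
    """Turn '1.10' into (1, 10) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_inventory(ip_scan, snmp, wmi, min_version):
    """Return {ip: record}, ordered by address, with review flags set."""
    inventory = {}
    for ip in sorted(set(ip_scan) | set(snmp) | set(wmi), key=ip_address):
        record = {"ip": ip, "sources": [], "flags": []}
        if ip in ip_scan:
            record["sources"].append("ip_scan")
        for name, source in (("snmp", snmp), ("wmi", wmi)):
            if ip in source:
                record["sources"].append(name)
                record.update(source[ip])
        # Answers on the network, but neither SNMP nor WMI could describe it.
        if record["sources"] == ["ip_scan"]:
            record["flags"].append("unidentified")
        # Software version reported over SNMP is older than the policy allows.
        required = min_version.get(record.get("model"))
        if required and version_tuple(record["version"]) < version_tuple(required):
            record["flags"].append("outdated-software")
        inventory[ip] = record
    return inventory


def needs_review(inventory):
    """Addresses whose records carry at least one flag."""
    return [ip for ip, record in inventory.items() if record["flags"]]


if __name__ == "__main__":
    for ip in needs_review(build_inventory(IP_SCAN, SNMP, WMI, MIN_VERSION)):
        print(ip)
```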
Ensuring Network Scalability
The solution that you choose needs to tick a few more boxes. Are there additional sensors for a growing network? Are there any license considerations that you need to think about when your network grows? Is the pricing affordable, and is there an annual increase in licensing fees? As with any solution, you really need to think about future-proofing it with projections about your company's growth and plans.
You also need to think about unexpected downturns. How easy is it to downgrade if your workers no longer need to access the company's network resources? What if you are downsizing your operations and no longer require a license to cover unused seats?
How easy is it to support this solution when things are not working as you expected? You should consider questions like these before choosing the right solution for your circumstances.
Thinking about these aspects will help you understand what you are trying to accomplish with your network inventory solution.
Mapping Your Network
It is important to remember that if you can't measure something, you can't manage it. Mapping your network allows you to take stock of what you are currently working with. Once you have a solid map of your environment, you can start being more proactive when managing your network.
Network Automation: Mapping and Monitoring
The days of manually mapping and monitoring network components and servers are almost entirely behind us now. Network automation is a crucial component of the machine that is network inventory.
Using a system that automates everyday tasks like network discovery and monitoring saves time and money, thanks to reduced downtime. Your engineers can spend their time making the automation processes more streamlined instead of on repetitive tasks such as constantly monitoring alerts and emails.
Physical, Logical, and Functional Network Maps
There are different layouts that you need to be aware of when mapping your environment. A good network inventory will allow you to take these different layers into account to give you a full picture of what is happening on your network.
For example, a logical network map will tell you how the traffic flows across your network. It will have information about your network, such as IP schemes, domain structures, and traffic routes. A physical map will show you the physical connections between devices and have basic information about what devices are connected to specific segments of your physical network.
You need to make sure that whichever network inventory system you choose has the ability for you to quickly look at the current state of your network. This is important not only for planning but also for troubleshooting, especially when there are intermittent issues that are hard to diagnose without a full picture of the network.
Topographical Network Maps
Topographical network maps are very useful for getting a complete overview of how multiple networks all fit together. Large companies with multiple sites can get a quick overview of how everything ties in with one another. This includes data links between sites, cloud services, and all components on the network.
Most of these types of maps will give you the ability to zoom in and drill down into a network segment to get the information that you need. Real-time information is important when you are managing live systems across different regions, because it lets you identify degradation across a service before it becomes a serious issue resulting in downtime.
Most Popular Network Inventory Software Solutions
By this point, you are probably wondering how many different solutions are out there, and the answer is plenty. We've gathered some recommendations for you to consider if you are planning on implementing something for your company. Each of these systems has its own benefits that you may or may not be looking for, but it’s good to know that there are options out there.
Spiceworks. Most of you have probably heard of Spiceworks before. They are an IT-focused online community that has made some stellar applications over the years, including a network inventory tool. Simply install the software, set up some parameters like scanning schedules, and you are off to the races. The software builds an inventory of what is on your network and sends reminders about licenses, warranties, and much more. They also have real-time monitoring and a helpdesk ticketing system, all of which are free to download and use.
SolarWinds. SolarWinds are well known in monitoring and inventory circles. They produce paid-for software solutions such as the SolarWinds Network Configuration Manager. It offers network discovery, mapping, and inventory all rolled into one tool. It features automated processes like configuration change roll-outs as well as capacity planning tools. It is not free but comes with a 30-day trial.
Open-AudIT. This is a free and open-source offering that handles inventory management and network discovery. It has a dashboard and reporting system that gives you added visibility and information at your fingertips. The reporting is especially useful for giving upper management the rundown on how things are working (or not working) on your network.
Network Inventory Best Practices
The key thing to ensure when setting up your network inventory is dynamic tracking. What does that mean? In simple terms, you want your network inventory system to update every time there is a change discovered. Every time there is some kind of update to your hardware or change in your network configuration, you want the system to track and record this information.
Using Network Inventory Automation
Your system has to be able to track and manage changes on its own if you are going to keep track of changes on your network. Most network inventory systems have services running on the network that will detect new hardware when it communicates over the network.
An important and often neglected factor is that you might not want to measure everything on your network. You might have a range of devices that don't require constant monitoring for change. Most systems give you flexible options for changing what you monitor and what you don't. Once you have set up these conditions, then the automated systems will follow your configuration.
Other systems have an agent that runs on every computer and tracks changes whenever anything is different from what it has stored on record. These automated processes are always running, keeping you up to date on all the changes on your network.
Discover All the Network Devices
You need to start by collecting all of the device information that you can. This helps you to set a baseline of what is currently on your network. From there, you can start whittling down the list of devices that are being monitored, leaving you with only what you need.
From here, you are able to track changes to the network, as well as additions to the devices that you are monitoring. If something new gets plugged into the network, your system should notify you that there is something new connected and then prompt you with the option of monitoring it and adding it to the inventory.
Based on your requirements, you can prioritize the devices essential to maintaining operations, such as virtual machine hosts and core switches. You need to ensure that these systems receive the highest priority and then work your way down.
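The baseline comparison described in this section, as an added example that is not from the original article: it diffs a fresh scan against the stored baseline, reports new, missing and re-addressed devices, and orders the report so that unknown devices and high-priority infrastructure come first. The data is constructed, and keying devices by MAC address, the priority numbers and the event names are assumptions made for the illustration.

```python
# Added example: compare a scan against the stored baseline (constructed data).
import copy

BASELINE = {  # keyed by MAC address; priority 1 = most critical
    "02:00:00:00:00:01": {"name": "core-sw-1", "ip": "192.0.2.1",
                          "priority": 1, "last_seen": "2024-05-01T08:00:00Z"},
    "02:00:00:00:00:02": {"name": "vm-host-1", "ip": "192.0.2.5",
                          "priority": 1, "last_seen": "2024-05-01T08:00:00Z"},
    "02:00:00:00:00:03": {"name": "fin-lt-01", "ip": "192.0.2.10",
                          "priority": 3, "last_seen": "2024-05-01T08:00:00Z"},
}
SCAN = {  # MAC -> IP seen in the latest scan
    "02:00:00:00:00:01": "192.0.2.1",
    "02:00:00:00:00:03": "192.0.2.44",
    "02:00:00:00:00:99": "192.0.2.77",
}
SCAN_TIME = "2024-05-02T08:00:00Z"


def diff_scan(baseline, scan, scan_time):
    """Return (events, updated_baseline); the inputs are left unmodified."""
    updated = copy.deepcopy(baseline)
    events = []
    for mac, ip in scan.items():
        known = updated.get(mac)
        if known is None:
            # Not in the baseline: report it, but leave the decision to add
            # it to the inventory to a person. Priority 0 sorts it first.
            events.append({"kind": "new", "mac": mac, "ip": ip, "priority": 0})
            continue
        if known["ip"] != ip:
            events.append({"kind": "ip-changed", "mac": mac,
                           "name": known["name"], "old_ip": known["ip"],
                           "ip": ip, "priority": known["priority"]})
            known["ip"] = ip
        known["last_seen"] = scan_time
    for mac, dev in baseline.items():
        if mac not in scan:
            # Keep the stored last_seen and address: when and where it was last online.
            events.append({"kind": "missing", "mac": mac, "name": dev["name"],
                           "ip": dev["ip"], "last_seen": dev["last_seen"],
                           "priority": dev["priority"]})
    events.sort(key=lambda event: (event["priority"], event["mac"]))
    return events, updated


if __name__ == "__main__":
    for event in diff_scan(BASELINE, SCAN, SCAN_TIME)[0]:
        print(event)
```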
Create Policies for Network Baselines and Escalation
It is important that everyone knows and understands what to do when things go wrong. Your network baselines will give you an idea of general network traffic and behavior, so if there are any drops or dips in communications, then you will immediately identify issues as they occur.
Each potential scenario must have a policy in place that maps out a list of actions to mitigate downtime and get things running smoothly again. Escalation policies help in this regard, allowing your network inventory system to notify specific people or teams when something fails. For instance, if there is a networking issue, you will want to notify the network admins first, passing on their findings to the next team if there is an issue somewhere else.
Everyone must understand their roles and what the standards are.
Network inventory solutions really help maintain network health, performance, and security while providing you and your teams with critical insights about your networking environment. Although essential and useful, network inventory software on its own will not be able to fill in all the gaps in your IT policy. Creating a network inventory is one of the first, best steps in determining your security needs.
Instead, we should think of network inventory as only one part of a much larger puzzle within your company's IT requirements. Be sure to research as much as you can when deciding on which solution and approach you wish to take when setting up your own solution for the first time. Hopefully, some of the details that we have gone into will provide you with the information you need to get started on your own solution.