A network map is a key element of an incident response plan. It tells stakeholders where their critical or high-value assets are and where sensitive corporate data is stored. This is helpful when creating backup and disaster recovery plans, security incident response plans, and for using after a network breach.
There are many software tools that can discover what is on a network and create maps from this information. For this how-to, we will use Solarwinds’ Orion Network Performance Monitor (NPM). Of course, there are plenty of alternatives available, and your organization might already have such a tool.
Use Solarwinds' network discovery, reached through the settings gear at the top of the console, to find what is on the network. Discovery runs in several steps, including scanning network devices and scanning router and switch ports.
Mapping the network and its assets goes beyond running a scanning tool. Networks are organic and ever-changing, and trying to stay on top of their configuration is often a losing battle. Still, it’s important to make the effort:
- Begin by making sure the lower-level maps make sense in terms of what IP addresses and servers and routers they display.
- Next, move on to more upper-level networks maps that show how everything is connected.
- Many network administrators even recommend keeping a paper or whiteboard copy of the network map, so that whatever has changed can be visually documented each time the automatic scan is rerun.
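The change tracking the list above calls for, and the "focus on variations from the baseline" step that follows, can be done mechanically once two discovery exports are in hand. The script below is an added example and is not SolarWinds code: it diffs a constructed "current scan" against a constructed "baseline map", both keyed by IP address, and the record fields (mac, host, role, ports) are assumptions about what a discovery tool would export.

```python
"""Compare a fresh discovery run against the last validated network map.

Added example, not SolarWinds code: the two inventories are constructed
exports keyed by IP address, and the fields (mac, host, role, ports) are
assumptions about what a discovery tool would record.
"""
from dataclasses import dataclass, field

# Constructed baseline: the last map the team validated by hand.
BASELINE = {
    "10.0.1.1":  {"mac": "00:11:22:aa:bb:01", "host": "core-rtr-01",   "role": "router",  "ports": {22, 443}},
    "10.0.1.10": {"mac": "00:11:22:aa:bb:10", "host": "fileserver-01", "role": "server",  "ports": {445, 3389}},
    "10.0.1.11": {"mac": "00:11:22:aa:bb:11", "host": "db-01",         "role": "server",  "ports": {1433}},
    "10.0.1.50": {"mac": "00:11:22:aa:bb:50", "host": "printer-2f",    "role": "printer", "ports": {9100}},
}

# Constructed current scan: one device missing, one unknown newcomer, one
# address now answering from a different MAC, one server listening on a new port.
CURRENT = {
    "10.0.1.1":  {"mac": "00:11:22:aa:bb:01", "host": "core-rtr-01",   "role": "router",  "ports": {22, 443}},
    "10.0.1.10": {"mac": "00:11:22:aa:bb:10", "host": "fileserver-01", "role": "server",  "ports": {445, 3389, 8080}},
    "10.0.1.11": {"mac": "00:11:22:cc:dd:11", "host": "db-01",         "role": "server",  "ports": {1433}},
    "10.0.1.77": {"mac": "00:11:22:aa:bb:77", "host": "",              "role": "unknown", "ports": {22}},
}


@dataclass
class Drift:
    """Everything that differs between baseline and current."""
    new_hosts: list = field(default_factory=list)      # IPs seen now, absent from baseline
    missing_hosts: list = field(default_factory=list)  # IPs in baseline, not seen now
    mac_changes: list = field(default_factory=list)    # (ip, old_mac, new_mac)
    opened_ports: list = field(default_factory=list)   # (ip, set of newly open ports)
    closed_ports: list = field(default_factory=list)   # (ip, set of ports no longer open)


def diff_inventory(baseline, current):
    """Set arithmetic on the two exports; nothing here talks to the network."""
    d = Drift()
    d.new_hosts = sorted(set(current) - set(baseline))
    d.missing_hosts = sorted(set(baseline) - set(current))
    for ip in sorted(set(baseline) & set(current)):
        old, new = baseline[ip], current[ip]
        if old["mac"].lower() != new["mac"].lower():
            d.mac_changes.append((ip, old["mac"], new["mac"]))
        opened = new["ports"] - old["ports"]
        closed = old["ports"] - new["ports"]
        if opened:
            d.opened_ports.append((ip, opened))
        if closed:
            d.closed_ports.append((ip, closed))
    return d


def triage(drift):
    """Turn drift into a worklist, most urgent first. The ranking is this
    example's own judgment, not a rule taken from any product."""
    items = []
    for ip, old, new in drift.mac_changes:
        items.append(("high", f"{ip}: MAC {old} -> {new}; confirm the hardware was actually replaced"))
    for ip in drift.new_hosts:
        items.append(("medium", f"{ip}: not on the baseline map; find the switch port it hangs off"))
    for ip, ports in drift.opened_ports:
        items.append(("medium", f"{ip}: newly listening on {sorted(ports)}; look for a matching change ticket"))
    for ip in drift.missing_hosts:
        items.append(("low", f"{ip}: on the map but not answering; decommissioned or just down?"))
    for ip, ports in drift.closed_ports:
        items.append(("info", f"{ip}: no longer listening on {sorted(ports)}"))
    return items


if __name__ == "__main__":
    for severity, note in triage(diff_inventory(BASELINE, CURRENT)):
        print(f"[{severity}] {note}")
```

A MAC change behind an existing IP is ranked highest because it is the one finding the map itself cannot explain: either hardware was swapped (which should match a change record) or something else is answering for that address, and both need a walk to the physical port. Running this after every discovery pass, and keeping the diff with the whiteboard notes, is what turns a one-off scan into a baseline.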
To learn more about NPM without the hassle of a download, use the online simulator to explore the data it has collected from a more complex network to illustrate its features. Screenshots from this simulator are used to illustrate this post.
After the automated discovery
After running the automated discovery tool, analyze the report to understand the normal or baseline operations of the network. This will help when problems occur, because admins can then focus on variations from the baseline. Here are recommended steps:
1. Click on Home then Top Ten to see the below screenshot.
This shows the major issues on the network: the slowest nodes by packet loss, most used router interfaces, and other problem areas. Some of these might be caused by ordinary problems encountered by administrators, such as a misconfigured router or a congested network. However, some of the issues might be caused by malicious activity.
2. Using the Device Tracker page from the main menu, look at routers and switches to understand where active ports are connected, and why.
Solarwinds provides visibility into the network here, including a list of rogue devices (managed by clicking on the button above the list), the most-used wireless access points (a typical point of hostile entry on most networks), and a histogram of Ethernet port usage over time (another place to spot abnormal activity).
3. Account for all the IP address space, and determine if there are any conflicts. Go to IP Address from the top-level menu to see the screen below.
Note the address conflicts (on the right-hand screen) and get those resolved right away — they might be the cause of congestion issues. Also note subnets that are almost completely used up (on the left-hand screen). Hover over the list with the mouse or click on any of the items in these displays to get more information, then visit where these devices are and see what is actually physically connected to them. In some cases, the address conflict is caused by a device with a static IP address that falls inside a DHCP address range, or by two devices that were both given the same static address.
4. Look at what applications are running across the network.
Go to the top-level menu and click on Applications to see this summary. The simulator shows a long list of apps that are and aren't running, from which to determine the network's typical profile. Pay particular attention to apps that are out of warranty, which might mean that service agreements need to be updated, or it could mean that someone brought a rogue laptop into the office. Scroll down to see all the apps that aren't running under the Down Applications box. Again, hover the mouse over each entry to see more specifics, such as whether the server attached to this app is actually up or down and which components have issues.
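Step 3 above, accounting for the IP address space, is worth reproducing outside the console so the same checks can be run against any address inventory. The script below is an added example, not SolarWinds code: it takes a constructed list of (ip, assignment, device) records, with constructed subnets and DHCP pool ranges, and flags the three conditions the step describes: the same address claimed twice, a static address sitting inside a DHCP pool, and a subnet that is almost used up.

```python
"""Find IP address conflicts and near-exhausted subnets in an address inventory.

Added example, not SolarWinds code. The subnets, DHCP pools and inventory
records below are constructed for the example; a real run would load them
from an IPAM or discovery export.
"""
import ipaddress
from collections import defaultdict

# Constructed subnets and DHCP pools (start, end inclusive).
SUBNETS = ["10.0.1.0/24", "10.0.2.0/29"]
DHCP_POOLS = {"10.0.1.0/24": ("10.0.1.100", "10.0.1.200")}

# Constructed inventory: (ip, assignment, device), assignment is "static" or "dhcp".
RECORDS = [
    ("10.0.1.10",  "static", "fileserver-01"),
    ("10.0.1.20",  "static", "printer-2f"),
    ("10.0.1.20",  "static", "printer-3f"),   # two statics on one address
    ("10.0.1.150", "static", "lab-pc-03"),    # static inside the DHCP pool ...
    ("10.0.1.150", "dhcp",   "laptop-0a1b"),  # ... and the pool leased it as well
    ("10.0.2.1",   "static", "dmz-rtr"),
    ("10.0.2.2",   "static", "dmz-web-01"),
    ("10.0.2.3",   "static", "dmz-web-02"),
    ("10.0.2.4",   "static", "dmz-lb"),
    ("10.0.2.5",   "static", "dmz-jump"),     # 5 of the 6 usable /29 addresses
]


def duplicate_addresses(records):
    """Addresses claimed by more than one device, devices in inventory order."""
    owners = defaultdict(list)
    for ip, _, device in records:
        owners[ip].append(device)
    return {ip: devs for ip, devs in owners.items() if len(devs) > 1}


def static_in_dhcp_pool(records, pools=DHCP_POOLS):
    """Static assignments that fall inside a DHCP pool range."""
    hits = []
    for ip, assignment, device in records:
        if assignment != "static":
            continue
        addr = ipaddress.ip_address(ip)
        for _net, (start, end) in pools.items():
            if ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end):
                hits.append((ip, device, f"{start}-{end}"))
    return hits


def subnet_utilization(records, subnets=SUBNETS):
    """Distinct addresses in use per subnet as (used, usable, fraction)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    used = {n: set() for n in nets}
    for ip, _, _ in records:
        addr = ipaddress.ip_address(ip)
        for n in nets:
            if addr in n:
                used[n].add(addr)
    result = {}
    for n in nets:
        # Network and broadcast addresses are not assignable below /31.
        usable = n.num_addresses - 2 if n.prefixlen < 31 else n.num_addresses
        result[str(n)] = (len(used[n]), usable, round(len(used[n]) / usable, 3))
    return result


def nearly_full(utilization, threshold=0.8):
    """Subnets at or above the threshold fraction of usable addresses."""
    return sorted(s for s, (_, _, frac) in utilization.items() if frac >= threshold)


def report(records=RECORDS):
    """One line per finding, in the order an admin would work them."""
    util = subnet_utilization(records)
    lines = []
    for ip, devs in duplicate_addresses(records).items():
        lines.append(f"CONFLICT {ip}: {', '.join(devs)}")
    for ip, device, pool in static_in_dhcp_pool(records):
        lines.append(f"STATIC-IN-POOL {ip} ({device}) inside {pool}")
    for s in nearly_full(util):
        used, usable, frac = util[s]
        lines.append(f"NEAR-FULL {s}: {used}/{usable} ({frac:.0%})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The static-in-pool check is the one that catches conflicts before they happen: the lab PC at 10.0.1.150 will collide with whatever laptop the DHCP server next hands that address to, even on a day when the inventory shows no duplicate yet. The 80% threshold for "nearly full" is this example's own choice; pick whatever gives enough lead time to resize a subnet before it is exhausted.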