Network security begins with device discovery and assessment

Understanding your IP address ranges and device locations will help you prioritize and respond to security incidents.

The objective of securing your network can be broken down into two fundamental questions: 1) What devices are on your network? 2) How secure is each device?

Chances are, devices reside on your network that you don't know about or have forgotten. Unknown devices are problematic, and necessitate regular network device discovery efforts, preferably using an automated tool. If nothing else, network device discovery can serve as a great verification or foundation for comprehensive system documentation.

A good place to start is by considering just the primary information you'll need for discovery and assessment: the list of IP addresses your network uses.

Your IP address ranges, internal and external, define your battlefield. The more you know about your address space, including where IP addresses are physically located or assigned, what address ranges are for remote access and which IPs belong to important servers, the better you'll be able to assess, prioritize and respond to security issues. Hopefully your networking person can give you most of that information easily, particularly if that person is you. If the answer you get (if you can get one) is incomplete, you can use a few simple tricks to verify or create that list, and possibly expand it.

The settings on your DHCP servers will give you the address ranges they dynamically assign -- that's a great start. The remaining problems are statically assigned addresses and any rogue DHCP servers or other network-extending devices, such as wireless access points.

Routing tables on your routers and switches are another great reference to identify all in-use addresses. You could also run a network scanner, such as Nmap, and have it scan every possible IP address and discover what responds. Be careful about running any scanning product, including Nmap, on your network -- it may be in violation of policy and can cause outages in legacy products.

Another method is to extract IP addresses from the various application and system logs on your network. Antivirus products are frequently deployed across many endpoints and are often centrally managed; the resulting log data can be used to enumerate the IP addresses in use. Active Directory logs are another great source of IP address data. VPN address ranges, available by examining configuration settings or reviewing connection logs, are another important part of your network. VPN connections are a frequent entryway for malware into your network.
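The log-based approach described above, as an added example that is not part of the original article: the script pulls IPv4 addresses out of log text and sorts them into documented ranges, undocumented internal subnets and external addresses. The range names, CIDRs and log formats are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed inventory of documented ranges (names and CIDRs are assumptions).
KNOWN_RANGES = {"dhcp-office": "10.10.0.0/22", "vpn-pool": "10.99.0.0/24",
                "servers-static": "10.20.5.0/24"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed log lines in made-up antivirus, directory-logon and VPN formats.
SAMPLE_LOGS = """\
2024-03-01 08:14:02 av-console host=WS-0142 ip=10.10.1.57 status=clean
2024-03-01 08:15:40 logon user=jdoe src=10.10.3.200 result=success
2024-03-01 08:16:11 vpn assigned 10.99.0.14 to user=asmith from 203.0.113.25
2024-03-01 08:17:45 logon user=svc-backup src=10.20.5.12 result=success
2024-03-01 08:19:03 av-console host=UNKNOWN ip=192.168.77.5 status=outdated
2024-03-01 08:19:30 logon user=kiosk src=192.168.77.9 result=success
2024-03-01 08:20:00 av-console host=WS-0999 ip=10.10.300.1 status=clean
"""
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def extract_ips(text):
    """Return the set of valid IPv4 addresses found anywhere in the text."""
    found = set()
    for candidate in IPV4_RE.findall(text):
        try:
            found.add(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # e.g. 10.10.300.1 looks like an address but is not one
    return found

def classify(ips, known_ranges, prefix=24):
    """Sort addresses into documented ranges, undocumented subnets, external."""
    nets = {name: ipaddress.ip_network(c) for name, c in known_ranges.items()}
    known, unknown, external = defaultdict(list), defaultdict(list), []
    for ip in sorted(ips):
        name = next((n for n, net in nets.items() if ip in net), None)
        if name:
            known[name].append(str(ip))
        elif any(ip in net for net in RFC1918):
            # Group internal strays by /24 so an undocumented segment stands out.
            subnet = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            unknown[str(subnet)].append(str(ip))
        else:
            external.append(str(ip))
    return dict(known), dict(unknown), external

if __name__ == "__main__":
    print(*classify(extract_ips(SAMPLE_LOGS), KNOWN_RANGES), sep="\n")
```

Addresses that land in the undocumented bucket are the ones to chase down first: statically assigned hosts, forgotten segments or network-extending devices that the DHCP settings alone would not reveal.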

A last-ditch method for defining your network is to find your current IP address, since that's obviously in use, and solicit the same information from co-workers across the company. It's hardly an ideal method, but it's a viable start if nothing else is available.

Your external address space can be found through the person responsible for your external network connections, or from your ISP. Online lookups, such as, can also be used to discover your network addresses from an outsider's perspective.

With your IP address space known, you can begin the continual cycle of discovering the inhabitants of your network and assessing them. Knowing your IP range might not seem like much, but it's an important foundation as you build environmental information. You can now start adding layers of contextual information such as the names and roles of critical servers, and why those servers are deemed critical. Ultimately, the more you know about your network the better prepared you will be to respond to operational and security events.

Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
