I work as the sole systems administrator for a small company with about 25 employees. We operate primarily on Windows, managing around 30 servers in a vSphere 8.x cluster. Given that we're heavily regulated, I regularly conduct internal vulnerability scans with Nessus Pro, alongside our obligatory third-party scans. Now, I've been assigned the task of setting up a weekly automated scan to detect any rogue devices on our network. Currently, we have MAC address filtering enabled for DHCP, but we haven't yet implemented 802.1X. All access is limited to wired connections across a single floor with several layers of physical security. My initial idea is to schedule a basic Nmap scan to sweep our internal LAN IP range each week and then compare the results against our known device MAC address list. I'm looking for advice on this approach – any thoughts? It needs to be simple since I'm handling everything on my own. Thanks!
10 Answers
If everything in your setup is wired, do you have a managed switch? Many models can provide reports on what's connected to each port, eliminating the need for scanning altogether.
Using Tenable could be an option too. You could automate your scans and export the data via the API for an easy comparison weekly!
Consider using Domotz! It’s fairly affordable and offers much more than alerts for new devices—great for NIST compliance.
Rather than scanning, why not just pull data from your switches and compare? Tools like Netbox could really assist you in managing your device list effectively.
If you’re following a solid procedure and keeping up with compliance, you seem to be on the right path. Just make sure your internal audit team is on board with your scanning process!
Thanks for that! Another thought I had was to get another Nessus license and set up basic scans weekly. Would that be effective?
Nessus could definitely work! It’ll give you a level of visibility without needing to rely solely on Nmap.
We wrote a bash script that runs every few hours, comparing known-good MAC addresses with what we scanned. It’s pretty efficient since once a MAC is added to the list, it won’t appear in the report again. Just keep a lookout for VLAN mismatches with known-good devices. If you’re desperate, I’d be happy to share our scripts with you!
You already have a good plan in mind, but don’t forget about implementing 802.1X when you can. It prevents rogue devices before they even connect. While your Nmap proposal is reactive, having solid 802.1X support makes your network way more secure. If you still want to do scans, consider better solutions once you've set up 802.1X, especially with decent managed switches in play.
I appreciate the advice! I’m aware of the benefits of 802.1X, and it’s on our to-do list. However, is there anything I could do in the meantime?
802.1X might prevent devices, but most compliance frameworks still necessitate regular scanning for rogue devices, so keep that on your radar too.
Setting up a scheduled task for your Nmap scans sounds like a solid approach! You can configure the output to be saved on a network share for easy access and review later. It’ll make it simpler to track changes over time.
Exactly, that’s what I’m leaning towards! I’m just figuring out how to automate it since I'll be running Nmap on a Windows server, so no Cron jobs for me.
If you save the results into separate files or folders, then you can easily compare them to earlier entries for any discrepancies.
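For the plan in the original question and the scheduling replies above, here is an added example (not code from anyone in this thread) of the comparison step: it parses Nmap's `-sn -oX` output and reports any host whose MAC is not on the approved list. It assumes `nmap` is on the PATH, the known list is a plain sequence of MAC strings in any separator style, and the subnet is a placeholder; the XML sample at the bottom is constructed for offline testing.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

def normalize_mac(mac: str) -> str:
    """Upper-case colon form, so '00-1a-2b-...' and '00:1A:2B:...' compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_nmap_xml(xml_text: str) -> list[dict]:
    """One {'ip','mac','vendor'} record per host Nmap marked as up. Nmap only learns
    a MAC (via ARP) for hosts on the scanner's own L2 segment; others get mac=None."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        rec = {"ip": None, "mac": None, "vendor": None}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"], rec["vendor"] = normalize_mac(addr.get("addr")), addr.get("vendor")
        hosts.append(rec)
    return hosts

def find_unexpected(hosts: list[dict], known_macs) -> list[dict]:
    """Hosts whose MAC is not on the approved list. Hosts with no MAC are reported
    too: they cannot be matched, so they need a manual look, not a silent pass."""
    approved = {normalize_mac(m) for m in known_macs}
    return [h for h in hosts if h["mac"] is None or h["mac"] not in approved]

def sweep(subnet: str, known_macs) -> list[dict]:
    """Run the -sn sweep (host discovery only, no port scan) and diff it against the list."""
    out = subprocess.run(["nmap", "-sn", "-oX", "-", subnet],
                         capture_output=True, text=True, check=True).stdout
    return find_unexpected(parse_nmap_xml(out), known_macs)

# Constructed sample of Nmap's XML output, trimmed to the elements parsed above.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="192.168.10.5" addrtype="ipv4"/>
<address addr="00:50:56:AA:BB:01" addrtype="mac" vendor="VMware"/></host>
<host><status state="up"/><address addr="192.168.10.77" addrtype="ipv4"/>
<address addr="A4:5E:60:12:34:56" addrtype="mac"/></host>
<host><status state="down"/><address addr="192.168.10.9" addrtype="ipv4"/></host>
<host><status state="up"/><address addr="192.168.10.254" addrtype="ipv4"/></host>
</nmaprun>"""
```

On a Windows server the weekly run goes in Task Scheduler rather than cron (`schtasks /create /sc weekly ...` pointing at this script), and writing each run's XML to the network share mentioned above keeps the history for later comparison.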
I’d skip the Nmap route entirely. Managing MAC lists can be a nightmare, and since you’re on Windows, have you tried enabling Device Discovery in Defender for Endpoint? It can act as a passive sensor and find rogue devices automatically without much fuss.
That sounds promising! Can you explain how that works? We haven't used that feature yet.
True word! Gathering MAC addresses is a hassle, but some compliance requirements do necessitate it, especially for scoped networks.
Honestly, a weekly scan might not be frequent enough. Consider running scans continuously or at least every hour. This way, you'll get real-time alerts for any rogue devices. Plus, you could scrape the ARP tables from your routers instead of scanning, which is faster.
Domotz sounds interesting for my needs! I’ll have to look into it further.