Before you can secure a network, you have to know what’s on it.
That’s one reason the first of the CIS 20 Critical Security Controls is to create an “inventory of authorized and unauthorized devices”.
The inventory is simple: it’s a list of devices that may attempt to connect to the network. It’s a powerful way to keep your network security and management organized.
Small offices do not need a fancy and expensive tool to make an inventory. A simple spreadsheet will do.
The five steps to create your network inventory are below.
This spreadsheet will be the master list of authorized network devices.
The hardware you will eventually list in the spreadsheet may include:
In a spreadsheet, create columns for each detail you wish to record about the devices. For example, you may wish to record the following:
List Unauthorized Network Devices
It’s also worthwhile to create a second spreadsheet for hardware that is not allowed to use your network but may attempt to connect.
This may include devices such as those:
Hundreds of network inventory tools are available to help you discover the hardware on your network.
Generally, the tools can be grouped into two buckets:
Since some devices block inbound ping packets, some active scanners also use transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets to elicit a response.
Other tools are complete inventory management systems, and scanning is only a small part of what they offer. However, free and basic scanning tools are good enough for most small businesses.
Free Network Scanners for Desktops
Free Wireless Scanners for Smartphones
Supplement your network scans with scans for wireless devices. You can do this with free smartphone apps:
DHCP Clients List
You can also supplement your scan data with information from a DHCP clients list. This shows all the devices on your network that have been assigned an IP address by the DHCP server (which is usually in a router).
In AccessEnforcer UTM Firewall, you can find this under Home > DHCP Clients.
The list will show the IP address, host name, MAC address, manufacturer, and connection time for each device on your network that has been assigned an IP address by the DHCP server in AccessEnforcer.
Your scans will not discover all network devices – especially those currently powered off or otherwise not connected to the network.
It’s time to stretch your legs and use your eyes. Walk through all rooms of the office.
Document every device you find that could connect to the network. Be sure to check outside (you might find an IP camera or two).
Once created, a network diagram is a fast and easy way to refresh your memory on the layout of the network. It can also be useful for troubleshooting.
You can create a simple hand-drawn version (be sure to scan and save it to a computer).
Free tools can make diagramming much cleaner and simpler than drawing by hand:
Paid tools can also give you professional results:
A hardware inventory list you created three years ago has little relevance today.
For example, say you notice a suspicious device on the network. An outdated network inventory is unlikely to tell you whether the device is safe.
This is why you must update your inventory list every three months (at a minimum).
When the quarterly update arrives, repeat steps #1 - #3 above to create a new network inventory. Also update your network diagram.
Then compare your new inventory to the old one and look for changes. Determine if the new devices are authorized or if they should be removed.
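As an added example that is not from the original post or from the AccessEnforcer product, the Python script below carries out this quarterly comparison automatically. It treats a DHCP clients list export (with the IP address, host name, MAC address, manufacturer and connection time fields described above) as the newly discovered devices, and checks it against the authorized master spreadsheet and the unauthorized list, both saved as CSV. The column names, device names and MAC addresses are constructed for illustration, and devices are matched on MAC address because IP addresses assigned by DHCP change between quarters.

```python
"""
Quarterly inventory comparison: new DHCP clients list vs. the authorized and
unauthorized spreadsheets (both exported as CSV). All inputs below are
constructed sample data, not real devices.
"""
import csv
import io

# Constructed sample: last quarter's master list of authorized devices.
AUTHORIZED_CSV = """device_name,device_type,ip_address,mac_address,location
office-printer,printer,192.0.2.10,00:11:22:33:44:01,front office
reception-desktop,desktop,192.0.2.20,00:11:22:33:44:02,reception
parking-camera,ip camera,192.0.2.30,00:11:22:33:44:03,outside
"""

# Constructed sample: devices that are not allowed but may try to connect.
UNAUTHORIZED_CSV = """device_name,mac_address,reason
former-staff-laptop,00:11:22:33:44:99,returned but still configured for our Wi-Fi
"""

# Constructed sample: this quarter's DHCP clients list export. Note the
# dashed MAC and the changed IP for the reception desktop.
DHCP_CLIENTS_CSV = """ip_address,host_name,mac_address,manufacturer,connection_time
192.0.2.10,office-printer,00:11:22:33:44:01,ExamplePrinterCo,2024-01-08 08:02
192.0.2.25,reception-desktop,00-11-22-33-44-02,ExamplePC,2024-01-08 08:15
192.0.2.41,laptop-x,00:11:22:33:44:99,ExamplePC,2024-01-08 09:40
192.0.2.57,unknown,aa:bb:cc:dd:ee:ff,Unknown,2024-01-08 11:03
"""


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so exports that use
    dashes or upper case still match the spreadsheet."""
    return mac.strip().lower().replace("-", ":")


def load_rows(csv_text):
    """Parse a CSV export into {normalized_mac: row}; rows with no MAC are skipped."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        mac = (row.get("mac_address") or "").strip()
        if mac:
            rows[normalize_mac(mac)] = row
    return rows


def compare_inventory(authorized_csv, unauthorized_csv, discovered_csv):
    """Return the four findings a quarterly review needs to act on."""
    authorized = load_rows(authorized_csv)
    unauthorized = load_rows(unauthorized_csv)
    discovered = load_rows(discovered_csv)
    seen = set(discovered)
    return {
        # Authorized devices that did not appear: powered off, moved, or removed.
        "not_seen": sorted(set(authorized) - seen),
        # Devices from the unauthorized list that are actually connected.
        "unauthorized_present": sorted(seen & set(unauthorized)),
        # Devices on neither list: decide whether to authorize or remove them.
        "unknown": sorted(seen - set(authorized) - set(unauthorized)),
        # Authorized devices confirmed present, with their current IP address.
        "confirmed": {mac: discovered[mac]["ip_address"]
                      for mac in sorted(seen & set(authorized))},
    }


def format_report(result):
    """Plain-text summary suitable for pasting into the quarterly notes."""
    lines = []
    for key in ("unauthorized_present", "unknown", "not_seen"):
        lines.append(f"{key}: {', '.join(result[key]) or 'none'}")
    for mac, ip in result["confirmed"].items():
        lines.append(f"confirmed {mac} at {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_inventory(AUTHORIZED_CSV, UNAUTHORIZED_CSV, DHCP_CLIENTS_CSV)))
```

Run it after each quarterly scan with the real exports in place of the embedded strings. Anything in `unauthorized_present` is the item to deal with first; `unknown` entries go through the same authorize-or-remove decision the post describes; `not_seen` devices are worth checking during the walk-through, since a camera or printer that is simply switched off should still stay on the master list.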
The network inventory is a fast and easy way to see the devices that are allowed on your network. Maintaining one is among the most fundamental tasks for securing a network.
The steps above are distilled from the SANS whitepaper, Cybersecurity Inventory at Home.
To learn more about network inventory documentation, check the related resources below for the SANS whitepaper and the CIS 20 Critical Security Controls.