Calyptix Blog

Network Inventory Made Easy: 5 Simple Steps

by Calyptix, October 2, 2017

Before you can secure a network, you have to know what’s on it.

That’s one reason the first of the CIS 20 Critical Security Controls is to create an “inventory of authorized and unauthorized devices”.

The inventory is simple: it’s a list of devices that may attempt to connect to the network. It’s a powerful way to keep your network security and management organized.

Small offices do not need a fancy and expensive tool to make an inventory. A simple spreadsheet will do.

The five steps to create your network inventory are below.

Step #1. Create a Network Inventory Spreadsheet

This spreadsheet will be the master list of authorized network devices.

The hardware you will eventually list in the spreadsheet may include:

  • Desktop and laptop computers
  • Smartphones and tablets
  • Printers, scanners, and VoIP phones
  • Servers, routers, and switches
  • Any other devices authorized to use the network

In a spreadsheet, create columns for each detail you wish to record about the devices. For example, you may wish to record the following:

  • Name
  • IP Address
  • MAC Address
  • Device Type
  • Manufacturer
  • Make
  • Model Number
  • Serial Number
  • Operating System Version
  • Firmware Version
  • Primary User
  • Function
  • Location

You can also Download our FREE Network Inventory Excel Template – We did the work for you!

List Unauthorized Network Devices

It’s also worthwhile to create a second spreadsheet for hardware that is not allowed to use your network but may attempt to connect.

This may include devices such as those:

  • Owned by employees
  • Removed from service
  • Suspected of being compromised
  • Used in the office and which are not authorized to use the network

Step #2. Scan the Network for Devices

Hundreds of network inventory tools are available to help you discover the hardware on your network.

Generally, the tools can be grouped into two buckets:

  • Active tools – automatically scan the network for devices. Many send ping packets to a given IP range and await responses. Since some devices block inbound ping packets, some active scanners also use transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets to elicit a response.
  • Passive tools – monitor network traffic to listen for new devices attempting to send data. Some connect to a switch via port mirroring to monitor traffic.

Other tools are complete inventory management systems, and scanning is only a small part of what they offer. However, free and basic scanning tools are good enough for most small businesses.

Free Network Scanners for Desktops

Free Wireless Scanners for Smartphones

Supplement your network scans with scans for wireless devices. You can do this with free smartphone apps:

DHCP Clients List

You can also supplement your scan data with information from a DHCP clients list. This shows all the devices on your network that have been assigned an IP address by the DHCP server (which is usually in a router).

In AccessEnforcer UTM Firewall, you can find this under Home > DHCP Clients.

The list will show the IP address, host name, MAC address, manufacturer, and connection time for each device on your network that has been assigned an IP address by the DHCP server in AccessEnforcer.

Step #3. Discover Additional Hardware Manually

Your scans will not discover all network devices – especially those currently powered off or otherwise not connected to the network.

It’s time to stretch your legs and use your eyes. Walk through all rooms of the office.

Document every device you find that could connect to the network. Be sure to check outside (you might find an IP camera or two).

Step #4. Create a Network Diagram

Once created, a network diagram is a fast and easy way to refresh your memory on the layout of the network. It can also be useful for troubleshooting.

You can create a simple hand-drawn version (be sure to scan and save it to a computer).

Free tools can make diagramming much cleaner and simpler than drawing by hand:

  • io – Web-based
  • Draw – Windows – Part of the LibreOffice open-source software suite

Paid tools can also give you professional results:

Step #5. Update the Network Inventory

A hardware inventory list you created three years ago has little relevance today.

For example, say you notice a suspicious device on the network. An outdated network inventory is unlikely to tell you whether the device is safe.

This is why you must update your inventory list every three months (at a minimum).

When the quarterly update arrives, repeat steps #1 – #3 above to create a new network inventory. Also update your network diagram.

Then compare your new inventory to the old one and look for changes. Determine if the new devices are authorized or if they should be removed.
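
The comparison described above can be automated once both inventories are exported as CSV. The Python example below is added here for illustration and is not part of the original post or the SANS whitepaper; it assumes the Step #1 column names, uses the MAC address as the key for each device, and all function names and sample rows are constructed.

```python
import csv
import io
import re

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()

def load_inventory(csv_text):
    """Map normalized MAC -> row for a sheet that uses the Step #1 columns."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {normalize_mac(r["MAC Address"]): r for r in rows}

def compare_inventories(old, new, unauthorized=()):
    """Report devices that appeared, disappeared, changed, or are banned."""
    banned = {normalize_mac(m) for m in unauthorized}
    report = {
        "new": sorted(set(new) - set(old)),        # need an authorization decision
        "missing": sorted(set(old) - set(new)),    # retired, powered off, or lost
        "changed": {},
        "unauthorized": sorted(set(new) & banned), # on the second spreadsheet
    }
    for mac in set(old) & set(new):
        diffs = {col: (old[mac][col], new[mac].get(col))
                 for col in old[mac]
                 if col != "MAC Address" and old[mac][col] != new[mac].get(col)}
        if diffs:
            report["changed"][mac] = diffs
    return report

# Constructed sample data: last quarter's sheet, this quarter's sheet, banned list.
OLD_CSV = """Name,IP Address,MAC Address,Device Type,Firmware Version
front-desk-pc,192.168.1.20,00-1A-2B-3C-4D-5E,Desktop,
lobby-printer,192.168.1.30,00:1a:2b:3c:4d:5f,Printer,1.0
old-laptop,192.168.1.40,001A.2B3C.4D60,Laptop,
"""
NEW_CSV = """Name,IP Address,MAC Address,Device Type,Firmware Version
front-desk-pc,192.168.1.20,00:1A:2B:3C:4D:5E,Desktop,
lobby-printer,192.168.1.31,00:1A:2B:3C:4D:5F,Printer,1.2
unknown,192.168.1.77,02:00:00:AA:BB:01,Unknown,
"""
UNAUTHORIZED = ["02-00-00-aa-bb-01"]

if __name__ == "__main__":
    print(compare_inventories(load_inventory(OLD_CSV), load_inventory(NEW_CSV), UNAUTHORIZED))
```

A MAC address identifies a device but does not prove its identity: many phones randomize it per network and it can be changed in software, so confirm each "new" entry against the physical walk-through in Step #3.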

Know Friend from Foe

The network inventory is a fast and easy way to see the devices that are allowed on your network. Maintaining one is among the most fundamental tasks for securing a network.

The steps above are distilled from the SANS whitepaper, Cybersecurity Inventory at Home.

To learn more about network inventory documentation, check the related resources below for the SANS whitepaper and the CIS 20 Critical Security Controls.


Related Resources

SANS: Cybersecurity Inventory at Home

CIS 20 Critical Security Controls

5 Network Security Best Practices from High-Attack Industries

5 Internet of Things Attacks: Deadly Dolls and Killer Cars
