Before you can secure a network, you have to know what’s on it.
That’s one reason the first of the CIS 20 Critical Security Controls is to create an “inventory of authorized and unauthorized devices”.
The inventory is simple: it’s a list of devices that may attempt to connect to the network. It’s a powerful way to keep your network security and management organized.
Small offices do not need a fancy and expensive tool to make an inventory. A simple spreadsheet will do.
The five steps to create your network inventory are below.
Step #1. Create a Network Inventory Spreadsheet
This spreadsheet will be the master list of authorized network devices.
The hardware you will eventually list in the spreadsheet may include:
- Desktop and laptop computers
- Smartphones and tablets
- Printers, scanners, and VoIP phones
- Servers, routers, and switches
- Any other devices authorized to use the network
In a spreadsheet, create columns for each detail you wish to record about the devices. For example, you may wish to record the following:
- IP Address
- MAC Address
- Device Type
- Model Number
- Serial Number
- Operating System Version
- Firmware Version
- Primary User
You can also download our free Network Inventory Excel Template; we did the work for you!
List Unauthorized Network Devices
It’s also worthwhile to create a second spreadsheet for hardware that is not allowed to use your network but may attempt to connect.
This may include devices such as those:
- Owned by employees
- Removed from service
- Suspected of being compromised
- Used in the office and which are not authorized to use the network
Step #2. Scan the Network for Devices
Hundreds of network inventory tools are available to help you discover the hardware on your network.
Generally, the tools can be grouped into two buckets:
- Active tools – automatically scan the network for devices. Many send ping packets to a given IP range and await responses. Since some devices block inbound ping packets, some active scanners also use transmission control protocol (TCP) synchronize (SYN) or acknowledge (ACK) packets to elicit a response.
- Passive tools – monitor network traffic to listen for new devices attempting to send data. Some connect to a switch via port mirroring to monitor traffic.
Other tools are complete inventory management systems, and scanning is only a small part of what they offer. However, free and basic scanning tools are good enough for most small businesses.
Free Network Scanners for Desktops
Free Wireless Scanners for Smartphones
Supplement your network scans with scans for wireless devices. You can do this with free smartphone apps:
DHCP Clients List
You can also supplement your scan data with information from a DHCP clients list. This shows all the devices on your network that have been assigned an IP address by the DHCP server (which is usually in a router).
In AccessEnforcer UTM Firewall, you can find this under Home > DHCP Clients.
The list will show the IP address, host name, MAC address, manufacturer, and connection time for each device on your network that has been assigned an IP address by the DHCP server in AccessEnforcer.
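As an added example (not code from the original article, and not AccessEnforcer's own export format), here is a Python script that turns an active scan and a DHCP clients list into rows for the Step #1 spreadsheet. It assumes the scan was saved in nmap's XML format (nmap is not named on this page; the command in the comment is a ping sweep that adds TCP SYN probes to ports 22, 80 and 443 for hosts that drop ICMP, as described under active tools above) and that the DHCP clients list was exported to a CSV with ip, hostname, mac, manufacturer and connected columns. Both inputs are constructed samples, and MAC addresses are normalized because each tool writes them differently.

```python
"""Build rows for the Step #1 spreadsheet from an nmap XML scan and a DHCP clients list.

Added example, not code from the original article. Assumes the active scan was saved
with nmap's XML output (nmap is not named on the page), e.g.
    nmap -sn -PE -PS22,80,443 -oX scan.xml 192.168.1.0/24
and that the DHCP clients list was exported to CSV with columns ip, hostname, mac,
manufacturer, connected. Both inputs below are constructed samples.
"""
import csv
import io
import re
import xml.etree.ElementTree as ET

# Step #1 columns plus three the scanners can fill; model, serial, firmware
# and user stay blank until the walk-through in Step #3.
COLUMNS = ["IP Address", "MAC Address", "Device Type", "Model Number",
           "Serial Number", "Operating System Version", "Firmware Version",
           "Primary User", "Host Name", "Manufacturer", "Source"]

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
<host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
<address addr="00:11:22:AA:BB:01" addrtype="mac" vendor="Example Vendor"/>
<hostnames><hostname name="gateway.lan" type="PTR"/></hostnames></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/></host>
<host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>"""

SAMPLE_DHCP_CSV = """ip,hostname,mac,manufacturer,connected
192.168.1.20,laptop-finance,00-11-22-AA-BB-20,Example Vendor,2024-01-08 09:12
192.168.1.45,printer-2f,0011.22aa.bb45,Example Printer Co,2024-01-08 08:01
"""

def normalize_mac(mac):
    """'00-11-22-AA-BB-CC' or '0011.22aa.bbcc' -> '00:11:22:aa:bb:cc'; '' if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower() if len(digits) == 12 else ""

def parse_nmap_xml(xml_text):
    """One row per host nmap reported as up; down hosts are skipped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        row = dict.fromkeys(COLUMNS, "")
        row["Source"] = "nmap"
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                row["IP Address"] = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":  # only reported on the local segment
                row["MAC Address"] = normalize_mac(addr.get("addr", ""))
                row["Manufacturer"] = addr.get("vendor", "")
        name = host.find("hostnames/hostname")
        if name is not None:
            row["Host Name"] = name.get("name", "")
        rows.append(row)
    return rows

def parse_dhcp_clients(csv_text):
    """One row per lease in the exported DHCP clients list."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        row = dict.fromkeys(COLUMNS, "")
        row.update({"IP Address": rec.get("ip", "").strip(),
                    "MAC Address": normalize_mac(rec.get("mac", "")),
                    "Host Name": rec.get("hostname", "").strip(),
                    "Manufacturer": rec.get("manufacturer", "").strip(),
                    "Source": "dhcp"})
        rows.append(row)
    return rows

def _fold(target, row):
    """Fill target's blank cells from row and record every source that saw the device."""
    for col, val in row.items():
        if col != "Source" and val and not target[col]:
            target[col] = val
    sources = [s for s in target["Source"].split("+") if s]
    sources += [s for s in row["Source"].split("+") if s and s not in sources]
    target["Source"] = "+".join(sources)

def merge_rows(*sources):
    """Merge on MAC; a host first seen by IP only is folded in once a MAC turns up."""
    merged = {}
    for rows in sources:
        for row in rows:
            mac, ip = row["MAC Address"], row["IP Address"]
            stale = merged.pop("ip:" + ip, None) if mac else None
            target = merged.setdefault(mac or "ip:" + ip, dict.fromkeys(COLUMNS, ""))
            if stale is not None:
                _fold(target, stale)
            _fold(target, row)
    return sorted(merged.values(),
                  key=lambda r: [int(p) if p.isdigit() else 0 for p in r["IP Address"].split(".")])

def build_inventory(nmap_xml, dhcp_csv):
    return merge_rows(parse_nmap_xml(nmap_xml), parse_dhcp_clients(dhcp_csv))

def to_csv(rows):
    """Serialize in the spreadsheet's column order, ready to paste into the Step #1 sheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Calling to_csv(build_inventory(SAMPLE_NMAP_XML, SAMPLE_DHCP_CSV)) yields three rows: the gateway (seen by nmap only), the finance laptop (seen by nmap without a MAC and then matched to its DHCP lease, so its Source column reads nmap+dhcp), and the printer (DHCP only). The Source column is worth keeping in the spreadsheet: a device that shows up in the DHCP list but never answers a scan is a hint that it blocks probes, which matters when you later try to confirm it is still present.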
Step #3. Discover Additional Hardware Manually
Your scans will not discover all network devices – especially those currently powered off or otherwise not connected to the network.
It’s time to stretch your legs and use your eyes. Walk through all rooms of the office.
Document every device you find that could connect to the network. Be sure to check outside (you might find an IP camera or two).
Step #4. Create a Network Diagram
Once created, a network diagram is a fast and easy way to refresh your memory on the layout of the network. It can also be useful for troubleshooting.
You can create a simple hand-drawn version (be sure to scan and save it to a computer).
Free tools can make diagramming much cleaner and simpler than drawing by hand:
Paid tools can also give you professional results:
Step #5. Update the Network Inventory
A hardware inventory list you created three years ago has little relevance today.
For example, say you notice a suspicious device on the network. An outdated network inventory is unlikely to tell you whether the device is safe.
This is why you must update your inventory list every three months (at a minimum).
When the quarterly update arrives, repeat steps #1 – #3 above to create a new network inventory. Also update your network diagram.
Then compare your new inventory to the old one and look for changes. Determine if the new devices are authorized or if they should be removed.
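The quarterly comparison, as an added example in Python (not the article's own material): it assumes the authorized inventory, the unauthorized list and the new scan are each kept as CSV exports of the spreadsheets from Step #1, matches rows by MAC address because DHCP-assigned IPs drift between quarters, and uses constructed sample data. The Reason column on the unauthorized list is an assumed extra, not one the article lists.

```python
"""Quarterly reconciliation for Step #5: new scan vs. last inventory and the unauthorized list.

Added example, not code from the original article. Matching is by MAC address,
because DHCP-assigned IPs drift between quarters. The three CSVs are constructed
samples using the Step #1 columns; "Reason" on the unauthorized list is assumed.
"""
import csv
import io
import re

AUTHORIZED_CSV = """IP Address,MAC Address,Device Type,Model Number,Serial Number,Operating System Version,Firmware Version,Primary User
192.168.1.1,00:11:22:aa:bb:01,Router,RT-1000,SN-ROUTER-1,,2.4.1,IT
192.168.1.20,00:11:22:aa:bb:20,Laptop,LB-14,SN-LAPTOP-20,Windows 11,,finance
192.168.1.45,00:11:22:aa:bb:45,Printer,PR-2F,SN-PRINTER-45,,1.9,office
"""

UNAUTHORIZED_CSV = """MAC Address,Device Type,Reason
00:11:22:aa:bb:99,Laptop,Removed from service 2023-11
"""

# This quarter's scan output (Step #2); the MAC formats differ on purpose.
SCAN_CSV = """IP Address,MAC Address,Host Name,Manufacturer
192.168.1.1,00:11:22:AA:BB:01,gateway.lan,Example Vendor
192.168.1.21,00-11-22-AA-BB-20,laptop-finance,Example Vendor
192.168.1.99,0011.22aa.bb99,old-laptop,Example Vendor
192.168.1.120,00:11:22:aa:bb:c0,,Example Phone Co
"""

def normalize_mac(mac):
    """Canonical lowercase colon form, or '' when the cell is not a MAC address."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower() if len(digits) == 12 else ""

def load_by_mac(csv_text):
    """Index spreadsheet rows by canonical MAC; rows without a usable MAC are dropped."""
    table = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        mac = normalize_mac(rec.get("MAC Address", ""))
        if mac:
            table[mac] = rec
    return table

def reconcile(authorized_csv, unauthorized_csv, scan_csv):
    """Sort every scanned device into one of the actions the quarterly review calls for."""
    authorized = load_by_mac(authorized_csv)
    blocked = load_by_mac(unauthorized_csv)
    seen = load_by_mac(scan_csv)
    report = {"blocked_seen": [], "unknown": [], "ip_changed": [], "missing": []}
    for mac, row in seen.items():
        ip = row["IP Address"]
        if mac in blocked:  # on the unauthorized list yet present: remove it from the network
            report["blocked_seen"].append({"mac": mac, "ip": ip, "reason": blocked[mac].get("Reason", "")})
        elif mac not in authorized:  # on neither list: identify it, then file it on one of them
            report["unknown"].append({"mac": mac, "ip": ip, "hostname": row.get("Host Name", "")})
        elif authorized[mac]["IP Address"] != ip:  # known device with a new lease: update the sheet
            report["ip_changed"].append({"mac": mac, "old_ip": authorized[mac]["IP Address"], "new_ip": ip})
    for mac, row in authorized.items():  # authorized but unseen: powered off, or gone? check in Step #3
        if mac not in seen:
            report["missing"].append({"mac": mac, "ip": row["IP Address"], "user": row.get("Primary User", "")})
    return report

def refresh_inventory(authorized_csv, scan_csv):
    """Authorized rows with IPs refreshed from the scan. Unknown devices are deliberately
    not added: that decision belongs to a person, after reviewing the report."""
    seen = load_by_mac(scan_csv)
    rows = []
    for rec in csv.DictReader(io.StringIO(authorized_csv)):
        mac = normalize_mac(rec.get("MAC Address", ""))
        if mac in seen:
            rec["IP Address"] = seen[mac]["IP Address"]
        rows.append(rec)
    return rows

def format_report(report):
    """Plain-text summary, one section per action."""
    lines = []
    for section, items in report.items():
        lines.append(f"{section}: {len(items)}")
        lines.extend("  " + ", ".join(f"{k}={v}" for k, v in item.items()) for item in items)
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(reconcile(AUTHORIZED_CSV, UNAUTHORIZED_CSV, SCAN_CSV)))
```

With the sample data the report flags the retired laptop that is back on the network (blocked_seen), a phone on neither list (unknown), the finance laptop's new lease (ip_changed) and the printer that did not answer this quarter (missing). Only the last two are safe to resolve from the desk; the first two are exactly the cases the unauthorized list and the walk-through in Step #3 exist for.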
Know Friend from Foe
The network inventory is a fast and easy way to see the devices that are allowed on your network. Maintaining one is among the most fundamental tasks for securing a network.
The steps above are distilled from the SANS whitepaper, Cybersecurity Inventory at Home.
To learn more about network inventory documentation, check the related resources below for the SANS whitepaper and the CIS 20 Critical Security Controls.