Discovering unmanaged interfaces

When you configure discovery methods, the managed interfaces in your environment are used to identify unmanaged interfaces.

After identifying the unmanaged interfaces, you can bring these interfaces under the management of your Tanium Server by installing the Tanium Client with the Tanium Client Deployment service in Discover.

Discovery methods overview

To define a discovery method, you must specify a computer group to scope where the discovery method runs. For example, you might create a computer group that includes endpoints only when they are on the secure network.

For active discovery methods, such as simple ping script discovery, you might choose to scope the discovery to computer groups in a specific subnet and run discovery a few times a day. For passive discovery methods, you might choose to scope the discovery to a computer group and run discovery every hour.

Each discovery method has its own set of benefits and drawbacks. A typical configuration usually contains a combination of passive and active discovery methods that are scoped by different computer groups and schedules. Work with your Technical Account Manager (TAM) to ensure that you fully understand the impact before you deploy a discovery method.

ARP cache discovery

The Address Resolution Protocol (ARP) cache discovery method accesses ARP cache tables that are on all managed endpoints. These ARP cache tables provide data about the interfaces in the immediate network vicinity of each managed endpoint. When you enable ARP cache discovery, Discover uses a sensor to collect the ARP cache from each managed interface.

The ARP cache can include entries for interfaces that are not on the networks the endpoint is attached to. When ARP cache discovery runs on a managed interface, it filters out the interfaces that are not in the immediate network vicinity by removing any entries whose first three octets do not match the first three octets of one of the managed interface's IP addresses. For example, if the managed interface has the IP addresses 10.0.0.2 and 192.168.0.2 assigned, only ARP entries that match the first three octets of one of them (10.0.0 or 192.168.0) are reported.
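The following Python is an added illustration of that vicinity filter; it is not Tanium's sensor code. It parses a constructed, Windows-style arp -a listing for an endpoint with the two managed addresses 10.0.0.2 and 192.168.0.2 and keeps only the entries whose first three octets match one of them. The sample output, the function names and the colon-separated MAC normalisation are assumptions of this example.

```python
import re

# Constructed sample of Windows-style `arp -a` output for an endpoint with two
# managed interfaces, 10.0.0.2 and 192.168.0.2 (not captured from a real host).
SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.0.2 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-01     dynamic
  10.0.0.7              00-11-22-33-44-07     dynamic
  10.0.1.9              00-11-22-33-44-09     dynamic
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 192.168.0.2 --- 0xc
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.0.55          aa-bb-cc-dd-ee-37     dynamic
  172.16.5.9            aa-bb-cc-dd-ee-99     dynamic
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "Interface: <ip> --- <index>" introduces each managed interface's table.
IFACE_LINE = re.compile(rf"^Interface:\s+({IPV4})")
# "<ip> <mac> <type>" rows; MACs may be dash- or colon-separated.
ARP_ENTRY = re.compile(
    rf"^\s*({IPV4})\s+([0-9a-fA-F]{{2}}(?:[-:][0-9a-fA-F]{{2}}){{5}})\s+(\w+)"
)


def first_three_octets(ip):
    """'10.0.0.7' -> '10.0.0' (the /24-style prefix the filter compares)."""
    return ".".join(ip.split(".")[:3])


def parse_arp_output(text):
    """Return (managed_ips, entries); entries are (ip, mac, type) tuples."""
    managed_ips, entries = [], []
    for line in text.splitlines():
        iface = IFACE_LINE.match(line)
        if iface:
            managed_ips.append(iface.group(1))
            continue
        entry = ARP_ENTRY.match(line)
        if entry:
            ip, mac, kind = entry.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind))
    return managed_ips, entries


def filter_vicinity(managed_ips, entries):
    """Keep only entries whose first three octets match a managed IP's prefix."""
    prefixes = {first_three_octets(ip) for ip in managed_ips}
    return [e for e in entries if first_three_octets(e[0]) in prefixes]


def discover_from_arp(text):
    """End to end: parse the cache, then drop interfaces outside the vicinity."""
    managed_ips, entries = parse_arp_output(text)
    return filter_vicinity(managed_ips, entries)


if __name__ == "__main__":
    for ip, mac, kind in discover_from_arp(SAMPLE_ARP_OUTPUT):
        print(f"{ip:<16} {mac}  ({kind})")
```

On the sample, 10.0.1.9, 224.0.0.22 and 172.16.5.9 are dropped and the four entries on 10.0.0.x and 192.168.0.x are reported. Note that comparing the first three octets is a /24 heuristic independent of the interface's real subnet mask: on a /16 network, neighbours outside the endpoint's own /24 are not reported, and on a network split into /25s, cached entries from the other half are.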

Supported platforms: Windows, Linux
Discover 1.3 and later also supports: Mac OS X, Solaris, AIX

Data Received: IP Address, MAC, NAT IP Address, Device Type

Network impact: The ARP cache discovery method has nearly no network impact. This method uses only a sensor to look at the ARP tables that are already on the endpoint.

Limitations: ARP cache discovery does not provide online availability data.

Value on Interfaces pages: arp

Interface connections discovery

The connections discovery method uses a sensor to collect all current IP connections that are made to each managed endpoint. Then, this discovery method looks up the interfaces in the local ARP cache to resolve the related MAC address.

This discovery method improves on ARP cache discovery by adding data about the current IP connections to the endpoint.

When connections discovery runs on an endpoint that has the Tanium Client, it filters out the interfaces that do not reside in the subnet of the endpoint.

Supported platforms: Windows
Discover 2.6 and later also supports: Linux and Mac OS X

Data Received: IP Address, MAC Address, NAT IP Address

Network impact: Connections discovery has nearly no impact on the network. This method uses only a sensor to discover interfaces.

Value on Interfaces pages: connected

Simple ping script discovery

The simple ping script discovery method finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints, then scanning only in the gaps between the managed interfaces. Scanning only in the gaps eliminates many of the common issues with network scanners that generate a lot of network traffic and trigger alarms in intrusion prevention systems (IPS) and firewalls.

Managed endpoints are connected to each other in a linear chain architecture. On a single managed endpoint, the scanning package calculates a range of IP addresses to scan by looking at its peers in the linear chain. This range is from the backward peer in the linear chain to either the forward peer or the end of the subnet.

After the range is calculated, the scanning package pings the targeted IP addresses. After it finds interfaces, the simple ping script resolves host names. Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Deployment Guide: Configure "isolated subnets". To override this behavior, select the Enable Scanning on Isolated Endpoints option when you configure the discovery method.
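The following Python is an added model of the gap calculation described above; it is not Tanium's scanning package. The linear chain is represented as the managed addresses of one subnet in numeric order, each endpoint's range runs from its backward peer to its forward peer or to the end of the subnet, the first endpoint in the chain is assumed to start at the beginning of the subnet, managed addresses are never targets, and the scan_isolated flag stands in for the Enable Scanning on Isolated Endpoints option. All of those boundary choices are assumptions of this example. The uncovered function is a check that no unmanaged address in the subnet is left unscanned.

```python
import ipaddress


def scan_ranges(subnet, managed_ips, scan_isolated=False):
    """Map each managed IP in `subnet` to the list of addresses it would ping.

    Assumptions of this example (not taken from the product documentation):
    the chain is the managed addresses sorted numerically; an endpoint scans
    from its backward peer to its forward peer, or to the end of the subnet
    when it has no forward peer; the first endpoint starts at the beginning
    of the subnet; managed addresses themselves are never targets. A single
    endpoint with no peers is isolated and gets an empty range unless
    scan_isolated=True, in which case it scans the whole subnet.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    chain = sorted({ipaddress.ip_address(ip) for ip in managed_ips
                    if ipaddress.ip_address(ip) in net})
    managed = set(chain)
    first_usable = net.network_address + 1
    last_usable = net.broadcast_address - 1
    ranges = {}
    for idx, me in enumerate(chain):
        if len(chain) == 1 and not scan_isolated:
            ranges[str(me)] = []  # isolated endpoint: not scanned by default
            continue
        backward = chain[idx - 1] if idx > 0 else None
        forward = chain[idx + 1] if idx + 1 < len(chain) else None
        start = backward + 1 if backward is not None else first_usable
        end = forward - 1 if forward is not None else last_usable
        targets = []
        cur = start
        while cur <= end:
            if cur not in managed:
                targets.append(str(cur))
            cur += 1
        ranges[str(me)] = targets
    return ranges


def uncovered(subnet, managed_ips, ranges):
    """Unmanaged host addresses in `subnet` that no endpoint's range pings."""
    net = ipaddress.ip_network(subnet, strict=False)
    managed = {ipaddress.ip_address(ip) for ip in managed_ips}
    scanned = {ipaddress.ip_address(t) for targets in ranges.values() for t in targets}
    return [str(h) for h in net.hosts() if h not in managed and h not in scanned]


if __name__ == "__main__":
    # Constructed inputs: a /28 with two managed endpoints, and a /29 with one.
    peers = ["10.0.0.9", "10.0.0.2"]
    ranges = scan_ranges("10.0.0.0/28", peers)
    for endpoint, targets in ranges.items():
        print(f"{endpoint}: {len(targets)} targets -> {targets}")
    print("uncovered in 10.0.0.0/28:", uncovered("10.0.0.0/28", peers, ranges))
    lone = ["192.168.5.4"]
    print("isolated, default:", scan_ranges("192.168.5.0/29", lone))
    print("isolated, enabled:", scan_ranges("192.168.5.0/29", lone, scan_isolated=True))
```

With 10.0.0.2 and 10.0.0.9 managed in 10.0.0.0/28, the endpoint at .2 pings .1 and .3 to .8, the endpoint at .9 pings .3 to .8 and .10 to .14, and no unmanaged address is left uncovered; the addresses between the two peers are pinged by both, because under these assumptions each gap is bounded by a peer on each side. A lone endpoint in 192.168.5.0/29 produces no targets until scan_isolated is set, which is the behaviour the Enable Scanning on Isolated Endpoints option overrides.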

When the results are imported, the Discover service checks whether each interface is managed or unmanaged. The MAC address and Device Type are also resolved as part of the import process.

Supported platforms: Windows, Linux, Mac OS X
Discover 1.3 and later also supports: Solaris, AIX

Data Received: IP Address, MAC Address, Device Type, Hostname, and NAT IP Address

Network impact: The simple ping script discovery method uses a sensor and package. The network impact is running a ping -a command for each targeted IP address.

Because the simple ping script discovery method causes somewhat more network impact than the sensor-only methods, you might choose to run it on a smaller computer group or at a longer interval.

Limitations: The automatic scanning package distribution and configuration must be completed before discovery can begin. The maximum Distribute Over Time value is four hours, which means that package distribution must happen within that time. The package distribution takes about one and a half times the configured reissue setting (up to the four-hour maximum). For example, if you have the simple ping method set to run every hour, unmanaged interfaces start to display in Discover after 1.5 hours. This distribution cost is incurred only when the ping discovery method is created or updated.

Value on Interfaces pages: script

Nmap scan discovery

The Npcap library replaced the WinPcap library in Discover 2.5. See Review changes to the Nmap discovery method after upgrading to Discover 2.5.

Nmap scan discovery finds unmanaged interfaces by automatically distributing a scanning package to the Tanium managed endpoints, then using the Network Mapper (Nmap) utility, a tool for network discovery and security auditing, to perform host discovery. Nmap can find information about network interfaces beyond what the other discovery methods can acquire, including OS fingerprinting.

The Nmap scan discovery method calculates a range of IP addresses to scan by looking at its peers in the linear chain, similar to the simple ping script discovery method. Isolated endpoints are not scanned by default. Isolated endpoints are endpoints that are on an isolated subnet, or appear to be on an isolated subnet because the endpoint has no peers. For more information about isolated subnets, see Tanium Client Deployment Guide: Configure "isolated subnets". To override this behavior, select the Enable Scanning on Isolated Endpoints option when you configure the discovery method.

Use one of the following options for configuring Nmap scan discovery:

Host Discovery

Run Nmap scan discovery on the local subnet with default settings. If the target sends an ARP reply, the endpoint is listed as available. No operating system or open port information is returned about the interfaces.

Host Discovery and OS fingerprint

Run Nmap scan discovery with the same default settings as Host Discovery, plus OS fingerprinting. By default, OS fingerprinting scans about 1000 commonly used TCP ports on each endpoint. You can specify your own list of TCP ports to scan and to exclude with advanced settings on the discovery method.

Supported platforms: Windows, Linux, Mac OS X, Solaris. Discover does not distribute the Nmap package to Windows XP computers.

Data Received: IP Address, MAC Address, Device Type, Hostname, Open Ports (includes most commonly used 1000 ports as identified by Nmap, or from the list you specified), OS Platform, OS Generation (represents a "best guess" of OS from Nmap), and NAT IP Address

Network impact: The Nmap scan discovery method uses a sensor and package. The level of network impact depends on the configuration.

Endpoint files: The Nmap discovery method installs the following files on Windows endpoints. You might need to add exclusions for these files in security software that runs on the endpoint:

  • expand.exe: Extracts files.
  • nmap.zip: Runs scanning operations.
  • nmap-0.99-r2.exe and vcredist_x86.exe: Run on the endpoint and add libraries that Nmap requires. These executable files run out of the Tanium Client\Downloads\Action_<action_id> directory. Npcap is loaded on demand and is available to only admin users on the endpoint.

On all platforms, the nmap.exe executable runs scanning operations from the Tanium Client\Tools\Discover\nmap\ directory.

Limitations: The automatic scanning package distribution and configuration must be completed before discovery can begin. The maximum Distribute Over Time value is four hours, which means that package distribution must happen within that time. The package distribution takes about one and a half times the configured reissue setting (up to the four-hour maximum). For example, if you have the Nmap scan discovery method set to reissue every hour, unmanaged interfaces start to display in Discover after 1.5 hours. This distribution cost is incurred only when the Nmap discovery method is created or updated.

Value on Interfaces pages: nmap

Managed interfaces

In addition to the discovery methods for unmanaged interfaces, interfaces that respond to the Managed Assets saved question are created with a Computer ID value only.

Value on Interfaces pages: managed

Configure scan exclusions

To exclude a group of IPs from Nmap and simple ping script scans, configure scan exclusions.

  1. From the Discover home page, click Settings, then go to Scan Exclusions. Click Add Scan Exclusions.
  2. Specify a name and comma-separated list of IP addresses to exclude. Click Save.
  3. Associate the exclusions with one or more discovery methods. You can specify the Scan Exclusions to use when you create or edit a simple ping script or Nmap scan discovery method.

Configure discovery methods

After you decide which discovery methods meet the requirements of your environment, you can create discovery methods.

Prerequisites

You must have computer groups defined to specify a scope in which to run your discovery method. To configure computer groups, click the Main Menu, then Administration > Computer Groups.

Procedure

  1. (Optional) Configure the background process frequency. From the Discover home page, click Settings and edit the Background Processes Frequency setting. This setting determines how often the results from running discovery methods are imported to the Interfaces pages.
  2. Add discovery methods. From the Discover home page, click Settings and click the Discovery Methods tab. Click Add Discovery Method. The settings vary depending on the discovery method that you select.
    If you are configuring simple ping script or Nmap scan discovery, you can specify whether isolated endpoints should be scanned and the sets of scan exclusions to use. To configure exclusions, see Configure scan exclusions.
  3. Discovery methods run on the reissue interval that you defined, and their results are imported on the interval that you defined for the background process frequency.
    To force an import of the results, go to the Discover home page. In the How to Use Discover section, click Configure Discover Settings, then Discover Unmanaged Interfaces. When you click this button:
    • ARP cache and interface connections results are collected and imported.
    • Simple ping script and Nmap discovery active results are collected. If these methods are not active on the endpoints, no results are collected.

    Clicking Discover Unmanaged Interfaces does not force the execution of the simple ping script or the Nmap discovery methods. The results for those methods are gathered if they are already distributed and active on the endpoints.

What to do next

Last updated: 7/11/2018 2:53 PM