Appendix E - Classification of Assets in Passive Sensor
Passive sensors classify IPs as internal and external for asset inventory and traffic monitoring.
The area labeled Internal in the diagram below is the universe of IP ranges within an enterprise and is therefore worth building an asset inventory for. Everything outside this range is External and not worth inventorying.
From a traffic monitoring perspective, PS tracks flows between assets in the inventoried IP range by 4-tuple. PS does not track individual IPs in the External range and attributes all external IPs to a single asset named External.
The following is a detailed explanation of how PS treats each class of IPs.
Inventory
PS uses IP addresses in this range to:
- Create assets and inventory various asset attributes, such as hostname, MAC address, protocol-specific attributes, and so on.
- Track traffic flows to/from these IPs to all other IPs outside this range.
Assets with IPs in this range are listed under the CSAM inventory.
PS aggregates the traffic flows from an IP in the internal range to another IP in the internal range by using a 4-tuple of Source IP, Destination IP, Destination port, and TCP or UDP protocol. The appliance reports traffic flows every 5 minutes for new assets and every 30 minutes for asset updates.
The appliance aggregates multiple flows of the same tuple into one flow when reporting it in the 5- or 20-minute reporting interval.
For example, if Asset A1 initiates an HTTP flow to a webserver A2 multiple times within the 30-minute interval, PS aggregates these flows and reports a single HTTP flow from A1 to A2 at reporting time.
Configure Inventoried IP Range
To configure an IP range/subnet as internally inventoried, select the appliance from the Passive Sensor Module listing and navigate to its details to edit the internal asset configuration. Add the IP range and set the radio button under Do you want to inventory these assets? to Yes.
Non-inventory
PS uses IP addresses in this range only to track traffic flows to other IPs in the inventory range and NOT for inventory purposes. Assets in this IP range do not show in the CSAM inventory. However, traffic flows to/from these assets are listed in the Network tab of CSAM and under the inventoried asset-centric traffic tab of CSAM.
Configure Non-Inventoried IP Ranges
Perform the following steps to configure an IP range or subnet as internal non-inventoried:
- Select the appliance from the Passive Sensor Module listing and navigate to its details for editing the internal asset configuration.
- Add the IP range and set the radio button under Do you want to inventory these assets? to No.
To review the configuration, check the last column, Inventoried.
Excluded
If some sensitive or confidential assets must not be listed in the inventory, the passive sensor allows the user to configure their IPs and/or MACs in the Excluded range.
PS does not gather any inventory information for the IPs or MACs added in this category or group. These assets do not show in the CSAM asset listing. In traffic flows to or from these assets, as seen in the traffic listing, the asset is shown as Excluded without any IP address.
Configure Excluded IPs/MACs
To configure an IP / MAC as excluded, select the appliance from the Passive Sensor Module listing and navigate to its details to edit the Excluded Assets configuration.
Traffic summary representation for Excluded Assets:
Monitored External
PS does not track IPs outside the inventoried and non-inventoried ranges and attributes them to one asset named External, as explained earlier. However, users may want to monitor traffic flows from internal assets to certain external IPs/FQDNs, for example, traffic volume from internal assets to social media sites like Facebook, Twitter, etc. PS provides a "Monitored External" configuration and uses the FQDNs or IPs specified therein to track traffic flows destined for an asset created per group. These assets do not show in the CSAM asset listing. In traffic flows to/from these assets, as seen in the traffic listing, the asset is shown as External if an FQDN was added, or as the actual IP if an IP was added.
Configure Monitor External FQDNs or IPs
Select the appliance from the Passive Sensor Module listing and navigate to its details to edit the External Assets configuration to add FQDN / IP to a group. The following screenshots show two groups, each with a unique name. PS tracks traffic flows going to one of the 2 assets representing each group.
Traffic summary representation of Monitor External Assets & External Assets:
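The following Python model is an added example, not code from the Passive Sensor product: it applies the four IP classes described in this appendix (Inventory, Non-inventory, Excluded, Monitored External) to a constructed configuration and aggregates one reporting interval's flows by 4-tuple, labeling endpoints the way the traffic listing described above would. The sample ranges, the excluded IP and the monitored-external group are assumptions made up for the example; monitored external entries are modeled as IPs only.

```python
import ipaddress
from collections import Counter

# Constructed sample configuration (not from any real appliance).
INVENTORIED = [ipaddress.ip_network("10.1.0.0/16")]      # inventory these assets: Yes
NON_INVENTORIED = [ipaddress.ip_network("10.2.0.0/16")]  # inventory these assets: No
EXCLUDED_IPS = {ipaddress.ip_address("10.1.0.99")}       # Excluded Assets
MONITORED_EXTERNAL = {"social-media": {ipaddress.ip_address("203.0.113.10")}}

def classify(ip):
    """Return the class PS would assign to a single IP address."""
    ip = ipaddress.ip_address(ip)
    if ip in EXCLUDED_IPS:
        return "Excluded"
    if any(ip in net for net in INVENTORIED):
        return "Inventory"
    if any(ip in net for net in NON_INVENTORIED):
        return "Non-inventory"
    if any(ip in members for members in MONITORED_EXTERNAL.values()):
        return "Monitored External"
    return "External"

def endpoint_label(ip):
    """How an endpoint appears in the traffic listing."""
    cls = classify(ip)
    if cls == "Excluded":
        return "Excluded"   # shown without any IP address
    if cls == "External":
        return "External"   # all untracked external IPs collapse into one asset
    return str(ip)          # internal IPs, and monitored external entries added by IP

def aggregate_flows(flows):
    """Aggregate one reporting interval's flows by 4-tuple.

    Each flow is (src_ip, dst_ip, dst_port, protocol). Only flows touching at
    least one inventoried IP are tracked. Keys use listing labels, so repeated
    flows of the same tuple, and flows to different plain external IPs on the
    same port, each merge into a single reported flow with a count.
    """
    counts = Counter()
    for src, dst, dport, proto in flows:
        if "Inventory" not in (classify(src), classify(dst)):
            continue
        counts[(endpoint_label(src), endpoint_label(dst), dport, proto.lower())] += 1
    return dict(counts)
```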