Classification of Assets in Passive Sensor
Passive sensors classify IPs as internal and external for asset inventory and traffic monitoring.
The area labelled Internal in the diagram below is the universe of IP ranges that exist within the enterprise and are therefore worth inventorying. Everything outside this range is External and is not inventoried.
From a traffic monitoring perspective, PS tracks flows between assets in the inventoried IP range by 4-tuple. PS does not track individual IPs in the External range; it attributes all external IPs to a single asset named External.
Following is a detailed explanation of how PS treats each class of IPs:
What is Inventory
PS uses IP addresses in this range to
- Create assets and inventory asset attributes such as hostname, MAC address, protocol-specific attributes, and more.
- Track traffic flows to/from these IPs to all other IPs outside this range.
Assets with IPs in this range are listed under the CSAM inventory.
PS aggregates traffic flows from one IP in the internal range to another IP in the internal range by the 4-tuple of source IP, destination IP, destination port, and protocol (TCP or UDP). The appliance reports traffic flows at an interval of 5 minutes for new assets and 30 minutes for asset updates.
The appliance merges multiple flows with the same 4-tuple into one flow when reporting them for the 5- or 30-minute reporting interval.
For example, if asset A1 initiates an HTTP flow to web server A2 several times within a 30-minute interval, PS aggregates these flows and reports a single HTTP flow from A1 to A2 at reporting time.
How to Configure Inventoried IP Range
To configure an IP range or subnet as internal inventoried, select the appliance from the Passive Sensor Module listing and navigate to its details to edit the internal asset configuration. Here, add the IP range and set the radio button under Do you want to inventory these assets? to Yes.
What is Non-Inventory
PS uses IP addresses in this range only to track traffic flows to other IPs in the inventory range, NOT for inventory purposes. Assets in this IP range are not shown in the CSAM inventory. However, traffic flows to/from these assets are listed in the Network tab of CSAM and in the asset-centric Traffic tab of the inventoried assets in CSAM.
How to Configure Non-Inventoried IP Ranges
To configure an IP range/subnet as internal non-inventoried, select the appliance from the Passive Sensor Module listing and navigate to its details to edit the internal asset configuration. Here, add the IP range and set the radio button under Do you want to inventory these assets? to No.
To review the configuration, check the last column, Inventoried.
What is Excluded
If some sensitive or confidential assets must not appear in the inventory, the passive sensor allows the user to add their IPs and/or MAC addresses to the Excluded range.
PS does not gather any inventory information for the IPs/MACs added to this group, and these assets do not appear in the CSAM asset listing. In traffic flows to/from these assets, as seen in the traffic listing, the asset is shown as Excluded without any IP address.
How to Configure Excluded IPs/MACs
To configure an IP or MAC as excluded, select the appliance from the Passive Sensor Module listing and navigate to its details to edit the Excluded Assets configuration.
Traffic summary representation for Excluded Assets:
What is Monitored External
PS does not track IPs outside the inventoried and non-inventoried ranges and attributes them to one asset named External, as explained earlier. However, the user may want to monitor traffic flows from internal assets to certain external IPs/FQDNs, for example to measure the volume of traffic from internal assets to social media sites such as Facebook and Twitter. PS provides a Monitored External configuration for this: the FQDNs or IPs specified there are grouped, and traffic flows to them are tracked against an asset created per group. These group assets are not shown in the CSAM asset listing. Unlike plain External traffic, flows to Monitor External FQDNs or IPs are tracked with the actual IP address, so traffic between inventoried assets and Monitor External assets is shown with the real IP of the Monitor External endpoint in the traffic listing of the inventoried assets.
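The five classes described on this page (Inventory, Non-Inventory, Excluded, Monitored External, External) and the 4-tuple aggregation described under What is Inventory can be modelled in a few lines. The following is an added illustration, not Qualys Passive Sensor code: the class names, the 4-tuple, the 5/30-minute interval and the "External"/"Excluded" display labels follow the page; the function and field names, the check order (exclusion first), the rule that a flow is reported only when one side is an inventoried asset, the omission of FQDN resolution for Monitored External groups, and the sample addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Toy model of passive-sensor endpoint classification and 4-tuple flow aggregation.

Added illustration, not Qualys code. Names, data layout, check order and the
sample data below are assumptions; the classes and labels follow the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

INVENTORY, NON_INVENTORY, EXCLUDED, MONITORED_EXTERNAL, EXTERNAL = (
    "INVENTORY", "NON_INVENTORY", "EXCLUDED", "MONITORED_EXTERNAL", "EXTERNAL")


class Endpoint(NamedTuple):
    cls: str                 # one of the five classes above
    display: str             # what the traffic listing shows for this side
    group: Optional[str]     # Monitored External group name, else None


class Flow(NamedTuple):
    """The 4-tuple the page says flows are aggregated by."""
    src: str
    dst: str
    dport: int
    proto: str               # "TCP" or "UDP"


@dataclass(frozen=True)
class SensorConfig:
    inventoried: Tuple[str, ...]                     # internal, Inventoried = Yes
    non_inventoried: Tuple[str, ...]                 # internal, Inventoried = No
    excluded_ips: frozenset                          # Excluded Assets (IPs)
    excluded_macs: frozenset                         # Excluded Assets (MACs, lower-case)
    monitored_external: Dict[str, Tuple[str, ...]]   # group -> ranges (assumed: no FQDN lookup)

    def classify(self, ip: str, mac: Optional[str] = None) -> Endpoint:
        addr = ip_address(ip)

        def in_any(ranges: Iterable[str]) -> bool:
            return any(addr in ip_network(r) for r in ranges)

        # Assumption: exclusion is checked first, so an excluded IP that sits inside an
        # inventoried range still vanishes from inventory and is shown as "Excluded".
        if str(addr) in self.excluded_ips or (mac and mac.lower() in self.excluded_macs):
            return Endpoint(EXCLUDED, "Excluded", None)
        if in_any(self.inventoried):
            return Endpoint(INVENTORY, str(addr), None)
        if in_any(self.non_inventoried):
            return Endpoint(NON_INVENTORY, str(addr), None)
        for group, ranges in self.monitored_external.items():
            if in_any(ranges):
                # Tracked with its real IP and attributed to the per-group asset.
                return Endpoint(MONITORED_EXTERNAL, str(addr), group)
        # Everything else collapses into the single asset named External.
        return Endpoint(EXTERNAL, "External", None)


def aggregate_flows(cfg: SensorConfig, observations, interval_minutes: int) -> Dict[Tuple[int, Flow], int]:
    """Collapse raw (epoch_seconds, src, dst, dport, proto) observations into one record
    per reporting interval and 4-tuple, counting how many observations were merged.
    Assumption: a flow is reported only if one side is an inventoried asset, which is
    how the page describes non-inventoried and Monitored External IPs being tracked."""
    interval = interval_minutes * 60
    counts: Dict[Tuple[int, Flow], int] = {}
    for ts, src, dst, dport, proto in observations:
        s, d = cfg.classify(src), cfg.classify(dst)
        if INVENTORY not in (s.cls, d.cls):
            continue
        key = (ts // interval, Flow(s.display, d.display, dport, proto.upper()))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed configuration and observations for the example (not captured data).
CONFIG = SensorConfig(
    inventoried=("10.0.1.0/24",),
    non_inventoried=("10.0.2.0/24",),
    excluded_ips=frozenset({"10.0.1.99"}),
    excluded_macs=frozenset({"00:11:22:33:44:55"}),
    monitored_external={"social-media": ("203.0.113.0/24",)},
)

SAMPLE_OBSERVATIONS = [
    # A1 -> web server A2: three hits in the first 30-minute window, one in the next
    (10,   "10.0.1.10", "10.0.1.20", 80, "tcp"),
    (600,  "10.0.1.10", "10.0.1.20", 80, "tcp"),
    (1500, "10.0.1.10", "10.0.1.20", 80, "tcp"),
    (1900, "10.0.1.10", "10.0.1.20", 80, "tcp"),
    (20,   "10.0.1.10", "198.51.100.53", 53, "udp"),   # plain external: shown as "External"
    (30,   "10.0.1.10", "203.0.113.9", 443, "tcp"),    # Monitored External: real IP kept
    (40,   "10.0.1.99", "10.0.1.10", 445, "tcp"),      # excluded source: shown as "Excluded"
    (50,   "10.0.2.5",  "10.0.1.10", 22, "tcp"),       # non-inventoried -> inventoried: tracked
    (60,   "10.0.2.5",  "198.51.100.7", 443, "tcp"),   # non-inventoried -> external: not reported
]

if __name__ == "__main__":
    for (bucket, flow), n in sorted(aggregate_flows(CONFIG, SAMPLE_OBSERVATIONS, 30).items()):
        print(f"interval {bucket}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} x{n}")
```

Running the script reports the four A1 to A2 HTTP connections as two records (three merged in interval 0, one in interval 1), shows the DNS flow with the destination collapsed to External, keeps the real address for the Monitored External destination, replaces the excluded source with the Excluded label, and drops the non-inventoried to external flow entirely. The same structure is convenient for checking a proposed range configuration before applying it on the appliance: feed it a sample of your own flows and confirm that sensitive hosts really land in the Excluded class.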
How to Configure Monitor External FQDNs or IPs
Select the appliance from the Passive Sensor Module listing and navigate to its details to edit the External Assets configuration, then add the FQDNs or IPs to a group. The following screenshots show two groups, each with a unique name. PS tracks traffic flows going to each group against the asset that represents that group, so two such assets exist here.
Traffic summary representation of Monitor External Assets & External Assets: