Mapping and identifying misplaced devices on a network by use of metadata

University essay from Blekinge Tekniska Högskola/Institutionen för datalogi och datorsystemteknik

Abstract:

Context. Network placement of devices is an issue of operational security for most companies today. Since a misplaced device can compromise an entire network and, by extension, a company, it is essential to keep track of what is placed where. Knowledge is the key to success, and knowing your network is required to make it secure. Large networks, however, may be hard to keep track of, since employees can connect or unplug devices, making it hard for administrators to stay up to date on the network at all times.

Objectives. This study focuses on the creation of an analysis method for network mapping based on metadata. This analysis method is to be implemented in a tool that automatically maps a network based on specific metadata attributes. The motivation and goal for this study is to create a method that will improve network mapping with regard to identifying misplaced devices, and to achieve a better understanding of the impact misplaced systems can have on a network.

Method. The metadata was analyzed by manually checking the network metadata gathered by Outpost24 AB's proprietary vulnerability scanner. Through this analysis, certain attributes were singled out as necessary for the identification. These attributes were then implemented in a probability function that, based on the information, determines the device type. The results from the probability function are then presented visually as a network graph. A warning algorithm was then run against these results and prompted warnings when finding misplaced devices on subnets.

Results. The proposed method is deemed to be 30 878 times faster than the previous method, i.e. the manual control of metadata. It is, however, not as accurate, with an identification rate of between 80% and 93% of devices and correct device type identification of 95-98% of the identified devices. This is as opposed to the previous method, i.e. the manual control of metadata, with an 80-93% identification rate and 100% correct device type identification. The proposed method also flagged 48.9% of the subnets as misconfigured.

Conclusion. The proposed method proves that it is indeed possible to identify misplaced devices on networks based on metadata analysis. The proposed method is also considerably faster than the previous method, but needs some further work to be as efficient as the previous method and reach a 100% device type identification rate.
