Identifying gaps in scanning

Background

After you have run a full network discovery scan, you can start to better understand your coverage and begin to optimize it. By the end of this guide, you will know how to use the out-of-the-box reports in runZero to find the gaps in your network coverage.

RFC 1918 coverage

The first report to look at is the RFC 1918 coverage report. This report shows you which internal IPv4 subnets have been scanned, which likely contain assets, and which are still unknowns.

The scan coverage maps show all the addresses scanned within the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 ranges. See the legend to understand what percentage of each address space has been scanned. Clicking into any of the scanned subnets gives you access to the subnet grid for deeper asset analysis.

Identify scanned and un-scanned areas with the coverage map: Red outlines indicate un-scanned addresses that runZero has indirect knowledge of but has not scanned directly. For example, this can happen when runZero finds a secondary IP address on a multi-homed device within a scanned subnet. The red boxes highlight the subnets that are most likely to be in use but un-scanned.

Scan missing subnets: From the coverage report, you can launch a scan for any missing subnets in a given RFC 1918 block; look for the binocular icon.

Scan missed subnets: The missing subnets will be shown in the scan scope and the subnet ping will be enabled by default. You can tune the scan configuration as needed for your environment.
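
The idea behind the red-outlined subnets can be reproduced against your own data. The following is an added example, not runZero code and not part of the original guide: it takes the CIDRs already in scan scope and a list of addresses known only indirectly (such as secondary IPs on multi-homed devices), and groups the RFC 1918 addresses that fall outside the scope into inferred subnets. The function name, parameters, and sample data are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# The three private IPv4 blocks covered by the RFC 1918 coverage report.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unscanned_candidates(scanned_cidrs, observed_ips, prefix_len=24):
    """Return [(subnet, [ips])] for RFC 1918 addresses seen indirectly
    but not covered by any scanned CIDR, grouped by inferred subnet."""
    scanned = [ipaddress.ip_network(c, strict=False) for c in scanned_cidrs]
    gaps = defaultdict(set)
    for raw in observed_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # malformed entry in the input, skip it
        if ip.version != 4 or not any(ip in net for net in RFC1918):
            continue  # public or IPv6 address: outside this report's scope
        if any(ip in net for net in scanned):
            continue  # already covered by a scan
        # Infer the enclosing subnet from the chosen mask size.
        subnet = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        gaps[subnet].add(ip)
    # Subnets with the most indirect evidence come first.
    ordered = sorted(gaps.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(str(net), [str(i) for i in sorted(ips)]) for net, ips in ordered]


# Constructed sample data (not taken from a real environment).
SCANNED = ["10.0.0.0/24", "192.168.1.0/24"]
OBSERVED = ["10.0.0.15", "10.0.5.20", "10.0.5.21", "172.16.40.2",
            "8.8.8.8", "not-an-ip", "192.168.1.9"]

if __name__ == "__main__":
    for subnet, ips in unscanned_candidates(SCANNED, OBSERVED):
        print(f"{subnet}: {len(ips)} indirect address(es) -> {', '.join(ips)}")
```

The returned subnets are candidates to add to the scan scope; a larger or smaller `prefix_len` changes how the evidence is grouped, not which addresses are reported.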

Subnet utilization

The Subnet utilization report can provide visibility into your network similar to that of the RFC 1918 coverage report, but with emphasis on the subnets that contain live assets. This report will enumerate each of the subnets defined in your site definitions, and provide a count of live assets for that site and subnet, along with a utilization percentage. If there are live assets that are outside any site subnet, they will be aggregated into an inferred subnet based on the network mask size you select.

From this report, you can pivot to the asset inventory for a given subnet or initiate a new scan of a subnet. Another benefit of this report is that you can export the results as a CSV. This can be helpful for more complex data analysis and for scheduling recurring scans.

Switch topology

View layer-2 link information extracted from SNMP-enabled switches. This report can be used to find unmapped assets and investigate why they aren’t showing up in your scans.

Configuration for this report: The Switch Topology report uses data enumerated via SNMP to map switch ports to assets. In environments where SNMP v1 or v2 with default public or private communities are in use, this enumeration happens automatically. Non-default communities for SNMP v1/v2/v3 can also be provided in the scan configuration. Clicking on a node in this report will expand it to show its connections.

Finding unmapped MACs: This topology view is helpful when trying to understand how a given asset or switch is connected, but it also provides a critical data point related to risk: the number of unmapped assets. An unmapped asset is a MAC address connected to a switch, but not found in an ARP cache or through any of the other techniques runZero uses for remote MAC address discovery.

Re-scan to properly map MAC addresses: For environments where a runZero agent is connected to each network segment, unmapped MACs may highlight VLANs or network segments that are missing from the scan scope. In environments where runZero is scanning assets multiple hops away, the unmapped asset count can provide an estimate of how well the remote segment is being identified.

Unmapped MACs

If you prefer a condensed view of all unmapped MACs, you can also use the Unmapped MACs report. This report shows all the unmapped MACs in your organization, organized by switch, and again by port. This data can be used similarly to the unmapped MACs data from the Switch Topology report.
