ICS SHIELD R 500.1
Active Asset Discovery ESP
User Guide
CS-ICSE602en-500A
February 2019
DocID CS-ICSE602en-500A 2
DISCLAIMER
This document contains Honeywell proprietary information. Information contained herein is to be
used solely for the purpose submitted, and no part of this document or its contents shall be
reproduced, published, or disclosed to a third party without the express permission of Honeywell
International Sàrl.
While this information is presented in good faith and believed to be accurate, Honeywell disclaims
the implied warranties of merchantability and fitness for a purpose and makes no express
warranties except as may be stated in its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The
information and specifications in this document are subject to change without notice.
Copyright 2019 – Honeywell International Sàrl
Notices
Trademarks
Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of
Honeywell International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a
business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of
Honeywell International, Inc.
Other trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation
in the United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the trademark owner, with
no intention of trademark infringement.
Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The third
party materials may be subject to licenses, notices, restrictions and obligations imposed by the
licensor.
The licenses, notices, restrictions and obligations, if any, may be found in the materials
accompanying the product, in the documents or files accompanying such third party materials, in a
file named third_party_licenses on the media containing the product, or at
http://www.honeywell.com/ps/thirdpartylicenses.
Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions support website
at:
http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your feedback to:
Use this email address to provide feedback, or to report errors and omissions in the documentation.
For immediate help with a technical problem, contact your local Honeywell Process Solutions
Customer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).
How to report a security vulnerability
For the purpose of submission, a security vulnerability is defined as a software defect or weakness
that can be exploited to reduce the operational or security capabilities of the software.
Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and
services.
To report a potential security vulnerability against any Honeywell product, please follow the
instructions at:
https://honeywell.com/pages/vulnerabilityreporting.aspx
Submit the requested information to Honeywell using one of the following methods:
Send an email to [email protected].
or
Contact your local Honeywell Process Solutions Customer Contact Center (CCC) or Honeywell
Technical Assistance Center (TAC) listed in the “Support” section of this document.
Support
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To
find your local CCC visit the website,
https://www.honeywellprocess.com/en-US/contact-us/customer-support-contacts/Pages/default.aspx.
Training classes
Honeywell holds technical training classes that are taught by process control systems experts. For
more information about these classes, contact your Honeywell representative, or see
http://www.automationcollege.com.
About this Guide
This guide describes how to configure and use the Active Asset Discovery ESP, the solution that
enables the VSE to collect information about the network assets that the VSE can access.
Scope
This guide provides step-by-step instructions for configuring, distributing, and using Active Asset
Discovery ESP at all levels, from the initial settings up to the deployment in the Security Center and
the VSEs.
Intended audience
This guide is for people who are responsible for the configuration and operation of Active Asset
Discovery ESP on the Security Center and VSEs:
• Initial Settings - Professional Services, Support, or IT personnel
• Security Center – Administrators and operators
• VSE – Administrators and operators
Prerequisite skills
This guide assumes basic knowledge of the ICS Shield R 500.1 modules relevant to the Security
Center, the VSE, or both, depending on your specific role.
Related documents
The following list identifies publications that contain information relevant to the information in this
document.
| Document Name | Document Number |
|---|---|
| ICS Shield R500.1 - Security Center Getting Started Guide | CS-ICSE400en-500A |
| ICS Shield R500.1 - Virtual Security Engine – User Guide | CS-ICSE601en-500A |
Revision History
| Revision | Supported Release | Date | Description |
|---|---|---|---|
| A | R 500.1 | February 27, 2019 | First release of ICS Shield |
Contents
1. SECURITY CONSIDERATIONS
1.1 Physical security
1.2 Secured zone
1.3 Limiting access
1.3.1 At the VSE level
1.3.2 At the directory or file level
1.4 Authorization measures
2. TERMS AND DEFINITIONS
3. INTRODUCTION
3.1 Understanding the Active Asset Discovery ESP solution
3.2 Exploring the Active Asset Discovery ESP architecture
3.3 Basic workflow of the Active Asset Discovery ESP solution
3.4 Requirements
4. CONFIGURING THE ACTIVE ASSET DISCOVERY ESP IN THE VSE
4.1 Creating a new device for Active Asset Discovery ESP
4.2 Configuring the basic parameters of the device
4.3 Configuring the advanced parameters of the device
5. RUNNING ACTIVE ASSET DISCOVERY ESP
5.1 Active Asset Discovery ESP output
5.1.1 Asset Discovery Report
5.1.2 VSE devices
5.2 Using the ESP from the Security Center
5.2.1 Running the ESP from the Security Center
5.2.2 Generating the Asset Discovery Report from the Security Center
5.2.3 Viewing the discovered assets
5.3 Using the ESP from the VSE
5.3.1 Running the ESP from the VSE
5.3.2 Generating the Asset Discovery Report from the VSE
5.3.3 Viewing the discovered assets
SECURITY CONSIDERATIONS
1. Security Considerations
This chapter outlines the security measures for Active Asset Discovery ESP.
1.1 Physical security
CAUTION
Active Asset Discovery ESP is a mission-critical component.
Take all necessary physical measures to prevent attacks or disasters.
Ensure that the server where Active Asset Discovery ESP is installed is located in an approved
physically secure location that is accessible only to authorized personnel.
1.2 Secured zone
Active Asset Discovery ESP contains sensitive information, the loss of which could have severe
consequences. Therefore, there is a need to protect the sensitive information and prevent attacks
against the product. To do that, the VSE software, as well as its related extensions, must be installed
in an internally secured zone such as the site’s layer 3 network, with strict access control lists and
appropriate firewall/routing rules.
Ensure that Active Asset Discovery ESP is installed in a directory that is only accessible to
authorized personnel responsible for the product.
CAUTION
If Active Asset Discovery ESP is installed on one or more servers that are exposed to untrusted networks such as the Internet, protection against denial-of-service (DoS) attacks must be implemented.
1.3 Limiting access
It is highly recommended to follow regulatory, industry, and enterprise standards for limiting access
to sensitive information as specified below.
1.3.1 At the VSE level
The user management at the host running the VSE must follow the principles of need to know and
least privilege: Only users who absolutely must have access to the computer are granted access,
and these users are assigned the minimal set of permissions allowing them to perform their job.
1.3.2 At the directory or file level
Access to directories and files should also be granted in accordance with the principles of need to
know and least privilege: Only users who absolutely must have access to the requested directory
and file are granted access, and these users are assigned the minimal set of permissions allowing
them to perform their job.
Use the built-in file access audit logging of the OS to monitor unauthorized changes to sensitive
files.
1.4 Authorization measures
It is strongly recommended to implement the following security measures:
• Change the default administrative password and delete/disable the default service accounts
as soon as new administrative accounts are created
• Disable any default Administrator/Root user on the computer
• Disable any default Guest user on the computer
• Disable any unauthenticated access to the computer via shared directories etc.
• Ensure that the OS is up to date with the latest security patches provided by the OS vendor
TERMS AND DEFINITIONS
2. Terms and definitions
| Term | Definition |
|---|---|
| asset | Any site component that is connected to the network and is accessible from the VSE |
| communication server (CS) | The Communication Server provides secure communication between the Security Center and the VSEs |
| compliance | Whether the device meets the organization policy |
| corrective action | An execution profile that performs an action to correct a problem detected by other execution profiles; for example, if a monitoring profile detected a low disk space issue, a corrective action will delete obsolete and large temporary files |
| device | A representation of a physical or virtual server or machine in the VSE |
| diagnose routine (DR) | An execution profile that runs on demand when an issue is encountered, and is intended to collect in-depth diagnostic data |
| discovery engine | A VSE utility that represents the ICS Shield Active Discovery ESP, which detects and classifies network assets, and, optionally, adds them as devices to the VSE |
| Essential security policy (ESP) | Essential Security Policy: A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule. |
| execution profile | A collection of scripts related to one logical area, such as machine security status, hardware information, event logs, or storage information; these scripts can either be run on demand (Diagnose Routine or Corrective Action) or based on a predefined schedule. |
| HQ | Headquarters; the physical location of the Security Center |
| monitoring profile (MP) | An execution profile configured to run at set time intervals, such as Every day at 18:00 |
| Nmap | A network scanning software tool used for the asset discovery |
| Perl | A scripting language used by execution profiles |
| product line | A set of actions and scripts that together instruct the VSE to perform certain procedures on devices that are defined in the VSE |
| Security Center (SC) | ICS Shield component that is installed at the corporate data center. The Security Center is composed of various software components, which enable remote collection, analysis, viewing, management, and storage of data retrieved from the VSEs. This data refers to the monitored network assets and devices found at the VSE’s sites. |
| site | A remote physical location, such as an industrial plant, which includes one or more network environments and has at least one VSE |
| VSE | Virtual Security Engine; the ICS Shield component that is installed at the remote site, monitors the devices at the site, and provides additional functionalities such as remote access |
INTRODUCTION
3. Introduction
This chapter presents a brief introduction to ICS Shield, the main functions of the Active Asset
Discovery ESP, and the requirements for running the ESP.
3.1 Understanding the Active Asset Discovery ESP solution
The Active Asset Discovery ESP enables the VSE to collect information about the network assets
that the VSE can access. The ESP initiates a network scan that involves communication between
the VSE and every network entity that has an IP address within a specified range. After the network
assets are detected, Active Asset Discovery ESP collects information, such as operating systems
and vendors, from each asset that responds, and classifies the assets based on this information. An
inventory asset report that displays the discovered assets and their parameters is generated in
HTML format. The network scan is activated on a scheduled basis or once a day at midnight.
Active Asset Discovery ESP is designed to meet the following needs:
• Security – fundamental to network security is the identification of all the network components.
Any unknown component is a potential security breach. An automated solution verifies that all
the network components are known and monitored.
• Cost Efficiency – manual inventory management can be inefficient and costly in terms of
manpower and money. An automated solution reduces the cost and time involved in inventory
management. There can be additional savings regarding associated licenses as well.
• Compliance and Regulations - many industrial companies must comply with government
regulations and be certified by various organizations. Often the compliance policies require
constant monitoring and auditing of all the machines and hardware being used in the
company. An automated solution facilitates and simplifies compliance.
Active Asset Discovery ESP is distributed to the VSEs that require asset discovery, and then it is
represented by a specific device in each VSE. After the device is configured, network scanning is
scheduled for asset discovery.
To implement Active Asset Discovery ESP
1. In the VSEs, locate the existing device for the Active Asset Discovery ESP, called the Discovery
Engine. If this device does not exist, create and configure a specific device for Active Asset
Discovery ESP.
2. Activate the Discovery Engine device to scan the network in the specified IP range.
3. View the discovered assets in the Asset Discovery Report.
4. View the discovered assets that were added as devices in the Execution Result – View window.
3.2 Exploring the Active Asset Discovery ESP architecture
The following diagram illustrates the architecture of the Active Asset Discovery ESP solution:
1. The Active Asset Discovery ESP is activated from the VSE at the remote site. It scans the
network assets within the specified IP range. Assets outside of the range are not accessed; for
example, Asset 7 in the above figure is outside the specified IP range.
2. In the scanning process information about each asset is collected and the assets are
classified as hosts.
3. The information is further analyzed, and the assets are reclassified more precisely; for example,
in the above figure Asset 3 is reclassified as a router and Asset 4 is reclassified as a printer.
However, Asset 1, Windows OS, and Asset 2, Linux OS, remain classified as hosts.
4. An asset discovery report is generated listing all the discovered assets and their classifications.
This report is available from the VSE and is sent to the Security Center.
5. Types of assets that have been configured to be added as devices to the VSE can now be
monitored by the VSE. In the above figure, Asset 6 has not been configured.
6. A report of the new devices is available from the VSE and is sent to the Security Center.
Figure 3-1. Active Asset Discovery ESP architecture
3.3 Basic workflow of the Active Asset Discovery ESP solution
The basic workflow of the configuration, execution, and operation of the Active Asset Discovery ESP
solution is as follows:
1. Security Center
a. Importing the Active Asset Discovery ESP
b. Distributing the Active Asset Discovery ESP from the Security Center into the required
VSEs
For details, see the Security Center Administrator Guide.
2. VSEs
a. Creating a specific device for the Active Asset Discovery ESP, if this device does not already
exist
b. Configuring the device used for Active Asset Discovery ESP based on the specific
parameters and the required synchronization interval
3. VSEs and Security Center
Running the Active Asset Discovery ESP, either manually or automatically, in accordance
with the built-in schedule
3.4 Requirements
Before you start configuring and using the Active Asset Discovery ESP, you need to verify the
following:
• ICS Shield has been installed
• The Active Asset Discovery ESP exists in the Security Center and has been distributed to the
appropriate VSEs.
• If it is necessary to add the discovered assets as devices, the following product lines are
distributed and present in the VSEs:
Nextnine Linux Machine
Nextnine Windows Machine
Nextnine Network Device
NOTE
If these product lines are not distributed to the VSEs on which the Active Asset
Discovery ESP runs, the discovered assets will not be added as devices to the VSEs.
However, they will be displayed as discovered assets in the Asset Discovery Report,
which is generated following a discovery run.
CONFIGURING THE ACTIVE ASSET DISCOVERY ESP IN THE VSE
4. Configuring the Active Asset Discovery ESP in the VSE
A product line or ESP that is distributed to a VSE must be represented by a specific device in the
VSE before it can be configured and executed.
In general, a new device must be created in the VSE for each distributed ESP. In some cases,
depending on the specific ESP and your predefined configurations, specific devices might already
exist in your VSE. In certain VSE configurations, the VSE already includes a device for Active Asset
Discovery ESP, called the Discovery Engine. Therefore, before creating a new device for the ESP,
check whether the Discovery Engine already exists in your VSE.
If it does not exist, check whether your VSE has Nmap and Perl installed because the Discovery
Engine requires them, and they need to be installed before the Discovery Engine is created.
Once the device for the ESP has been created, you must configure it. The key parameter that must
be set for this device is the IP range of the network scan. If necessary, include Nmap and Perl
installation packages. In addition, if necessary, add login credentials for communicating with
assets through protocols that require credentials.
The configuration of the Active Asset Discovery ESP consists of the following steps:
1. Verifying whether the VSE already includes a device for Active Asset Discovery ESP, called the
Discovery Engine.
2. If the Discovery Engine does not exist – see section 4.1, Creating a new device for Active Asset
Discovery ESP.
3. Configuring the basic parameters of the Active Asset Discovery ESP, mainly providing an IP
range and the necessary communication credentials – see section 4.2, Configuring the basic
parameters of the device.
4. [Optional] Configuring the advanced parameters of the Active Asset Discovery ESP – see section 4.3,
Configuring the advanced parameters of the device.
After you configure the Discovery Engine according to your network specification and
requirements, it will automatically start running once a day at midnight.
4.1 Creating a new device for Active Asset Discovery ESP
If you do not have a specific device for the distributed Active Asset Discovery ESP, you must define
a new device by entering several values in the VSE.
To create a new device for Active Asset Discovery ESP
1. In the VSE, go to Operations > Device Management.
2. Click New to display the New Device page.
3. In the top section of the New Device page, as shown below, define the device by setting the
following values:
From the Product Line drop-down list – select NextNine Asset Discovery v2.
In the Device Address text box – enter 127.0.0.1.
In the Device Name text box – enter Discovery Engine or any other name.
NOTE
To create a device, enter the definition values in the top section of the New Device
page. If a value is not specified for Device Address, an alert message appears, and
the required field is highlighted in red. The new device cannot be saved without this
value.
4. Click Save at the bottom of the page.
Figure 4-1. Top of New Device page
4.2 Configuring the basic parameters of the device
NOTE
The instructions below assume that the name of the Active Asset Discovery ESP
device is Discovery Engine. If your Active Asset Discovery ESP device has a different
name, use the name you chose.
To configure the basic parameters of the Active Asset Discovery ESP device:
1. In the VSE, go to Operations > Devices.
2. From the All Devices list in the left pane, select Discovery Engine.
NOTE
You can also set the configuration through the Device Management page by
selecting Discovery Engine from the list and clicking Edit at the top of the screen.
3. Click the tool icon next to the Discovery Engine item.
The Edit Protocol Settings of Device dialog box opens, allowing you to configure the settings
for the Discovery Engine.
4. In the Edit Protocol Settings of Device dialog box, configure the parameters listed in Table
4-1.
Figure 4-2. Edit Protocol Settings of Device dialog box
NOTE
• The IP Range is the only mandatory property for the device.
• The parameters listed in the table do not have default values.
• Scanning multiple domains, with different credentials, is not supported. Instead, the device can be reconfigured with different credentials between scan executions, or multiple devices can be created in the VSE.
Executing multiple scans at the same time is not recommended.
Table 4-1. Basic parameters for the Discovery Engine
| Parameter Name | Description |
|---|---|
| IP Range | The IP range for the network scan. When entering IP ranges, you can use various formats and can also combine the formats. The following examples are all valid: 192.168.200.160-170; 192.168.200.1/23 (CIDR notation); 192.168.200.160 192.168.200.162 192.168.200.165 (use the space character to separate the addresses); 192.168.200.1/23 10.33.15.22 10.33.15.23 (combination) |
| WMI Username [for Windows machines only] | The name of the user that has the permissions to connect remotely and query the data via WMI on the target Windows-based machines |
| WMI Password [for Windows machines only] | The password for the username mentioned above |
| WMI Domain [for Windows machines only] | The domain for the above username |
| SSH Username [for Linux machines and network equipments] | The username of the user that has the permissions to connect remotely and query the data via SSH on the target Linux machines and network elements. |
| SSH Password [for Linux machines and network equipments] | The password for the username mentioned above |
| SNMP Community String [for network equipments] | The read-only community string for a remote connection that uses SNMP |
| Label | A metadata tag, consisting of one or more words. Active Asset Discovery ESP associates the Label tag to all the newly discovered assets that are added as devices to the VSE. It does this by populating the Label property of the added devices. Associating the Label to the discovered devices enables you to: more easily manage the discovered devices from the Security Center; distribute user privileges according to the label; perform compliance calculations. Note: To see the devices associated with the Label in the Security Center, the Label must be added to the Security Center. In addition, the user in the Security Center requires permissions related to the Label (for example, for viewing, editing, deleting and managing). |
5. Click Save.
By default, once the Discovery Engine device is created, the first network scan is automatically
executed at midnight. You can wait for the automatic execution, or perform one or both of the
following:
• [Optional] Configure the advanced parameters of the Active Asset Discovery ESP device – see
section 4.3, Configuring the advanced parameters of the device.
• Manually run the Active Asset Discovery ESP, and generate the Asset Discovery Report – see
chapter 5, Running Active Asset Discovery ESP.
CAUTION
When the Active Asset Discovery ESP scans the network, it uses some of the bandwidth and might interfere with other processes that are currently running.
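
Because the scan contacts every address in the configured IP Range and uses bandwidth on the site network, it is worth previewing what a value covers before saving it. The following is an added example, not part of the Honeywell guide or the product: it expands the formats listed in Table 4-1 and reports addresses that fall outside an approved scope. It assumes the formats behave as in Nmap target notation (a range applies to the last octet, a CIDR value covers the whole block); the function names, the approved subnets and the address cap are illustrative assumptions.

```python
import ipaddress

# Assumed safety cap for this preview script; it is not a product limit.
MAX_ADDRESSES = 65536


def expand_token(token):
    """Expand one space-separated IP Range token into IPv4Address objects."""
    if "/" in token:
        # CIDR notation. The guide's own example (192.168.200.1/23) has host
        # bits set, so strict=False is required. Every address in the block is
        # counted, including the network and broadcast addresses.
        net = ipaddress.IPv4Network(token, strict=False)
        if net.num_addresses > MAX_ADDRESSES:
            raise ValueError(f"{token}: {net.num_addresses} addresses exceeds the preview cap")
        return list(net)
    if "-" in token:
        # Last-octet range, the only range form the guide shows: a.b.c.START-END.
        base, _, end_text = token.rpartition("-")
        start = ipaddress.IPv4Address(base)
        if not end_text.isdigit():
            raise ValueError(f"{token}: range end must be a number")
        first, last = int(start) & 0xFF, int(end_text)
        if not first <= last <= 255:
            raise ValueError(f"{token}: range end must be between {first} and 255")
        return [start + offset for offset in range(last - first + 1)]
    # Single address.
    return [ipaddress.IPv4Address(token)]


def expand_ip_range(value):
    """Return the sorted, de-duplicated addresses covered by an IP Range value."""
    covered = set()
    for token in value.split():
        covered.update(expand_token(token))
    if not covered:
        raise ValueError("IP Range is mandatory and must not be empty")
    return sorted(covered)


def scope_report(value, approved_cidrs):
    """Compare an IP Range value with the subnets approved for active scanning."""
    approved = [ipaddress.IPv4Network(cidr) for cidr in approved_cidrs]
    targets = expand_ip_range(value)
    outside = [a for a in targets if not any(a in net for net in approved)]
    # Collapse the out-of-scope addresses into CIDR blocks for a readable report.
    blocks = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(f"{a}/32") for a in outside
    )
    return {
        "total": len(targets),
        "outside": len(outside),
        "outside_blocks": [str(block) for block in blocks],
    }


if __name__ == "__main__":
    # Constructed inputs: the guide's "combination" example and a made-up approved scope.
    ip_range = "192.168.200.1/23 10.33.15.22 10.33.15.23"
    approved_scope = ["192.168.200.0/24", "10.33.15.0/24"]
    report = scope_report(ip_range, approved_scope)
    print(f"{report['total']} addresses would be probed")
    print(f"{report['outside']} fall outside the approved scope: {report['outside_blocks']}")
```

With the guide's combination example, 192.168.200.1/23 expands to 192.168.200.0 through 192.168.201.255, so a scope approved only for 192.168.200.0/24 is exceeded by 256 addresses.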
4.3 Configuring the advanced parameters of the device
This section provides instructions for changing the default value of the advanced parameters of the
Active Asset Discovery ESP device, if needed.
To configure the advanced parameters of the Active Asset Discovery ESP device:
1. Open the Edit Protocol Settings of Device dialog box. (See section 4.2, Configuring the basic
parameters of the device).
2. Click Add.
A new row is added below the basic parameters.
3. Enter the parameter name and its value in the appropriate table cells, using the information
listed in Table 4-2.
NOTE
• Copy the parameter name from the following table, without making any changes.
The names and values of the parameters are case sensitive.
Table 4-2. Advanced parameters for the Discovery Engine
| Parameter Name | Description | Default Value |
|---|---|---|
| AutoAddWindows | If the value is yes, any asset that is identified as a Windows host will automatically be added as a device that is related to the Windows Machine Product Line (WindowsPL_name and WindowsVendor_name). If the value is no, the discovered host will appear only in the Asset Report and will not be added as a device to the VSE. | yes |
| AutoAddLinux | If a discovered host is identified as a Linux host, it will automatically be created as a Linux device. This action requires the definition of the Linux Machine Product Line (LinuxPL_name and LinuxVendor_name). If the value is no, the discovered host will appear only in the Asset Report and will not be added as a device to the VSE. | yes |
| AutoAddNetwork | If a discovered host is identified as a Network host, it will automatically be created as a Network Element. This action requires the definition of the Network/Cisco Machine Product Line (NetworkPL_name and NetworkVendor_name; or, CiscoPL_name and CiscoVendor_name). If the value is no, the discovered host will appear only in the Asset Report and will not be added as a device to the VSE. | yes |
| LinuxPL_name | The name of the product line for Linux machines | Generic Linux Machine |
| LinuxVendor_name | The name of the vendor of the product line for Linux machines | Nextnine |
| NetworkPL_name | The name of the product line for network elements | Network Device |
| NetworkVendor_name | The name of the vendor of the product line for network elements | Nextnine |
| WindowsPL_name | The name of the product line for Windows machines | Windows Machine |
| WindowsVendor_name | The name of the vendor of the product line for Windows machines | Nextnine |
| ExcludeVendorsScan | The name of vendors whose discovered components will not be included in the scan results | |
| NMAPLocation | Full path of the Nmap folder | Nextnine\Siteserver\Nmap |
| OSfingerprint | Specifies that an OS fingerprinting technique will be used for enhancing the accuracy of identifying different operating systems. The accuracy level of the detection will be displayed in the report. If you set the parameter to no, less information might be retrieved, reducing the level of accuracy. The default value yes will provide better results but will require slightly more network traffic. | yes |
| PythonLocation | Full path of the Python folder | Nextnine\Siteserver\Python |
| SSH_Port | The SSH port for communication | 22 |
4. After entering all the required settings, click Save.
The Save command overrides the default values.
RUNNING ACTIVE ASSET DISCOVERY ESP
5. Running Active Asset Discovery ESP
By default, once the settings of the Active Asset Discovery ESP in the Security Center and VSE have
been configured, the Active Asset Discovery ESP runs once a day at midnight. No additional actions
are required to ensure the execution of the discovery scan.
The Active Asset Discovery ESP can be run on demand from the following locations:
• The Security Center
• The VSE
NOTE
The execution of the Active Asset Discovery ESP has a default timeout of 8 hours. If the ESP
execution has not completed after 8 hours, the ESP run is stopped and an error message appears.
No partial data is displayed following an incomplete run.
5.1 Active Asset Discovery ESP output
The discovery scan output consists of the following:
• Asset Discovery Report – an inventory report, in HTML format, listing all the network assets
discovered in the scan. This report is produced after every execution of the scan.
• VSE devices – the devices are created after the execution of the scan when your system is
configured to add newly discovered assets as devices to the VSE.
• Asset Scan Result – a summary listing the number of discovered assets and the number of the
assets added or not added as VSE devices.
5.1.1 Asset Discovery Report
Each execution of the Active Asset Discovery ESP automatically generates an HTML report, called
the Asset Discovery Report. This inventory report lists all the assets that were detected in the scan,
along with additional information about each asset.
The Asset Discovery Report displays the information collected and classified by the Active Asset
Discovery ESP. Once the ESP is executed, it tries to identify and collect the following parameters for
each detected asset:
• Hostname
• IP
• MAC
• OS
• Vendor
After these parameters are collected, each detected asset undergoes a classification process. This
process determines the asset type, which is indicated in the Type column in the Asset Discovery
Report. Initially, each newly discovered asset is classified as a Host as shown in Figure 5-1.
Afterwards, further classification is performed according to the following rules:
• If the asset OS is either Windows or Linux - the Asset Type remains Host.
• If the asset OS is not Windows or Linux, the Active Asset Discovery ESP tries to identify the
exact type of network component and to classify the asset:
  ◦ If the identification of the exact type of network component is successful, the identified
    type serves as the Type of the discovered asset in the Report. For example, if the Active
    Asset Discovery ESP identified a printer, a router, and a switch, the type of these
    components in the report will be Printer, Router, and Switch, respectively.
  ◦ If the identification of the exact type of network element fails, the Type of the discovered
    asset in the Report will be either Network Element or Cisco Network Element.
NOTE
The Type of the asset is shown in the Asset Discovery Report and in the Execution
Result – View dialog box, which shows a summary of results of the last scan.
For each classified type, the discovery scan attempts to gather the following information:
• Windows-based host – exact OS version
• Linux-based host – kernel version or OS type
• Network elements – manufacturer information
• Cisco Network elements – device type (switch, router, or printer), including model and version
Figure 5-1. Asset Discovery Report – initial classification
If the discovery scan cannot gather the required information on an asset with absolute certainty, it
uses the OS fingerprinting technique to identify the missing information with a percentage of
certainty. In this case, the level of certainty of the information will be displayed as a percentage in
the report, as shown in the highlighted box in Figure 5-2.
5.1.2 VSE devices
After the classification, every asset that was detected by the Active Asset Discovery ESP can be
added to the VSE as a device. It is then configured and monitored by the VSE according to its
device definition.
NOTE
• The advanced parameters determine if and how discovered assets are added as devices to the VSE.
• The VSE license limits the number of devices in a VSE. If the number of discovered assets
  exceeds the license terms, some of the assets will not be added as devices to the VSE. However,
  all the discovered assets appear in the Asset Discovery Report that is generated after a scan.
The name of each device is unique. By default, the name of a newly added device is the hostname
of the machine. If the network scan is unable to detect the hostname of the machine, the IP
address of the machine is used as the name of the device.
Figure 5-2. Asset Discovery Report – final classification
Each device that is added to the VSE using the Active Asset Discovery ESP has several properties
that are updated automatically, as follows:
Table 5-1. Device properties that are updated automatically
| Property Name | Description | Example |
|---|---|---|
| [Optional] Labels | One or more words that are attached as a tag to the device. This property only receives a value if the Label property of the Discovery Engine was set (see section 4.2, Configuring the basic parameters of the device). | Testing, Production |
| First Seen | Date and time of the first time that the VSE detected the device | Sun Apr 10 17:13:56 2016 |
| Last Seen | Date and time of the last time that the device was detected by the VSE | Thu Apr 21 06:23:54 2016 |
Each execution of the Active Asset Discovery ESP initiates a new scan of the specified IP range. All
the assets that are detected for the first time are added to the VSE. Upon each run, the Active Asset
Discovery ESP checks if a newly discovered asset already exists in the VSE. Only when a newly
discovered asset does not exist in the VSE is it added to the VSE as a device. The date of the first
time the ESP discovered an asset and added it as a device appears in the First Seen parameter of
the device (see Figure 5-3).
Figure 5-3. First Seen parameter
When previously discovered assets no longer appear in a new scan, they are not automatically
removed from the devices list. It is possible to identify the current presence of a device by checking
the value of its Last Seen parameter. If the date value of the Last Seen parameter is earlier than the
last scan, this means that the device was not present in the last scan, or even in earlier scans. This
might mean that the device is down, or that it no longer exists in the scanned network.
Figure 5-4. Last Seen parameter
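The add-and-refresh behaviour described in section 5.1.2, modelled as an added Python example (it is not Honeywell's code and not part of the original guide): two scans are reconciled against a device list, then devices whose Last Seen predates the latest scan are flagged. The record layout, the name-based matching, the `license_limit` device count and the sample assets are assumptions constructed for illustration; only the timestamp layout is taken from Table 5-1.

```python
from datetime import datetime

# Timestamp layout of the First Seen / Last Seen examples in Table 5-1.
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def device_name(asset):
    """Hostname if the scan detected one, otherwise the IP address."""
    return asset.get("hostname") or asset["ip"]


def reconcile(devices, scan_assets, scan_time, license_limit):
    """Apply one scan to the device list (dict: device name -> properties).

    Assumption: an asset "already exists" when a device with the same
    name is present; the guide does not state the matching key.
    """
    stamp = scan_time.strftime(TS_FORMAT)
    summary = {"total_found": len(scan_assets), "added": [], "not_added": []}
    for asset in scan_assets:
        name = device_name(asset)
        if name in devices:
            devices[name]["last_seen"] = stamp       # known device: refresh only
        elif len(devices) < license_limit:
            devices[name] = {"ip": asset["ip"], "first_seen": stamp, "last_seen": stamp}
            summary["added"].append(name)
        else:
            summary["not_added"].append(name)        # over the licensed device count
    return summary


def stale_devices(devices, last_scan_time):
    """Devices whose Last Seen is earlier than the last scan, with days absent."""
    stale = {}
    for name, props in devices.items():
        last_seen = datetime.strptime(props["last_seen"], TS_FORMAT)
        if last_seen < last_scan_time:
            stale[name] = (last_scan_time - last_seen).days
    return stale


def demo():
    """Two constructed scans against an empty device list, limit of 3 devices."""
    devices = {}
    scan1 = [
        {"hostname": "hmi-01", "ip": "192.0.2.10"},
        {"hostname": None, "ip": "192.0.2.20"},      # no hostname detected
        {"hostname": "eng-ws", "ip": "192.0.2.30"},
        {"hostname": "plc-gw", "ip": "192.0.2.40"},  # fourth asset, over the limit
    ]
    first = reconcile(devices, scan1, datetime(2016, 4, 10, 17, 13, 56), 3)
    # Eleven days later eng-ws no longer answers; the unlicensed asset is seen again.
    scan2 = [a for a in scan1 if a["hostname"] != "eng-ws"]
    t2 = datetime(2016, 4, 21, 6, 23, 54)
    second = reconcile(devices, scan2, t2, 3)
    return devices, first, second, stale_devices(devices, t2)


if __name__ == "__main__":
    devices, first, second, stale = demo()
    print(first, second, stale, sep="\n")
```

In the second scan the two known devices count toward the total but are not listed as added again, and `eng-ws` stays in the device list with an old Last Seen value, which is the only signal that it was absent.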
5.2 Using the ESP from the Security Center
After an IP range and network protocol credentials are specified for the device, the ESP can be run
manually from the Security Center to generate reports.
One advantage of running the ESP from the Security Center as compared to running it from the
VSE is that you can see the results immediately in the Security Center. By default, the VSE updates
the Security Center once an hour, and it can therefore take up to an hour until the results appear in
the Security Center.
5.2.1 Running the ESP from the Security Center
In addition to running the Active Asset Discovery ESP on a scheduled basis, you can manually run
the ESP on demand.
To run the Active Asset Discovery ESP from the Security Center:
1. On the Security Center, on the Device List tab of a specific site, open the Discovery Engine.
2. Once the Discovery Engine is opened, click Diagnose.
3. On the Run Diagnose activity on device Discovery Engine dialog box that appears, open the
Diagnosis Routine drop-down list and select the Run Asset Scan option. After every execution
of the scan, an inventory report, in HTML format, is produced listing all the network assets
discovered in the scan.
Figure 5-5. Discovery Engine from Security Center
4. To start the scan, click Run.
Once the Active Asset Discovery ESP run is initiated, the run activity is added to the Activity
Log. In addition, a message appears, indicating that the run activity has started.
The Active Asset Discovery ESP starts running, and the defined IP range of the VSE is scanned
for network assets. When the scan is completed, the status of its activity in the Activity Log
changes to Completed.
The newly discovered assets are displayed as devices in the Device List page.
Figure 5-6. Run Active Discovery
Figure 5-7. Discovered assets displayed as devices
5.2.2 Generating the Asset Discovery Report from the Security Center
After each run of the Active Asset Discovery ESP, the HTML-based Asset Discovery Report is
generated. In addition, you can regenerate and view the report from the Security Center. The report
generated displays the information of the last scan.
To generate and view the Asset Discovery Report from the Security Center:
1. On the Security Center, open the Discovery Engine.
2. Once the Discovery Engine is opened, click Diagnose.
The Run Diagnose activity on device Discovery Engine dialog box appears.
3. On the Run Diagnose activity on device Discovery Engine dialog box, open the Diagnosis
Routine drop-down list and select the Generate Asset Scan Report option.
4. To generate the report, click Run.
Once the report generation is initiated, the generation activity is added to the Activity Log. In
addition, a message appears, indicating that the report generation activity has started.
5. To view the report, open the Activity Log tab.
6. Locate the report generation activity and click either View Data or View Details on the right
side of the activity line.
Figure 5-8. Report generation activity
Note that:
  ◦ Clicking View Data opens the Data Viewer window.
  ◦ Clicking View Details opens the Activity Log Details window; clicking View Attached Data
    in the Data column then opens the Data Viewer window.
7. In the Data Viewer window, the Asset Scan Result is listed in the Value column.
Figure 5-9. Activity Log Details dialog box
5.2.3 Viewing the discovered assets
After the Active Asset Discovery ESP is executed, a summary of the scan results can be viewed in
the Security Center.
To view the Discovered Assets Summary in the Security Center:
1. In the Security Center, find and open the VSE for which you wish to view the scan.
2. Open the Data tab of the selected VSE and select the Discovery Engine option from the list in
the left pane.
NOTE
You can also open the Activity Log tab of the selected VSE. The list of performed
activities, including scans, appears there.
On the Data page of the Discovery Engine, you can view a partial summary of the scan results
in the Value column.
3. To view the full summary of the last scan results, click the Result link in the Property column,
as shown below, to display the result details.
To learn more about the displayed information, see section 5.3.3, Viewing the discovered
assets.
Figure 5-10. Partial summary of the last scan results
5.3 Using the ESP from the VSE
After defining an IP range for the ESP and adding the credentials necessary for using your network
protocols, you can manually run the ESP from the VSE and generate and view its report.
NOTE
You can also run the ESP and generate its report from the Security Center.
5.3.1 Running the ESP from the VSE
In addition to running the Active Asset Discovery ESP on a scheduled basis, you can manually run
the ESP on demand.
To run the Active Asset Discovery ESP from the VSE:
1. In the VSE, go to Operations > Devices.
The All Devices page appears.
2. From the list in the left pane, select Discovery Engine.
A list of available Execution Profiles for the Discovery Engine is displayed in the Execution tab.
The Active Asset Discovery ESP contains the following execution profiles:
  ◦ Generate Asset Scan Report – generates an Asset Discovery Report (in HTML format)
    that displays a summary of the assets discovered in the last scan. This profile is triggered
    immediately after the scan is complete. See section 5.3.2, Generating the Asset Discovery
    Report from the VSE.
  ◦ Run Asset Scan – runs the Active Asset Discovery ESP once on demand. A summary
    report of the discovered assets is generated after the scan is completed. Immediately
    after the summary report is completed, the Generate Asset Scan Report profile is
    automatically triggered, generating an HTML document called the Asset Discovery Report.
  ◦ Run Asset Scan Every Day – similar to Run Asset Scan, except that the Active Asset
    Discovery ESP runs once a day, according to a predefined schedule.
3. To run the Active Asset Discovery ESP once, select the check box for Run Asset Scan and click
Execute Once Now.
The Active Asset Discovery ESP starts running and the defined IP range of the VSE is scanned
for network assets. During the scan, in the Current Execution tab, the status of the Run Asset
Scan action changes to collecting.
NOTE
The estimated time of a scan of a subnet of 255 addresses is approximately 1 hour.
Once the scan is completed, the action no longer appears in the Current Execution tab. The
newly discovered assets might appear as devices in the Operations tab under the Devices
Management page.
Figure 5-11. Run Asset Scan
Figure 5-12. Current Execution tab
NOTE
If necessary, click on the currently selected tab again to see the results of the last
scan.
5.3.2 Generating the Asset Discovery Report from the VSE
After each run of the Active Asset Discovery ESP, the HTML-based Asset Discovery Report is
generated. In addition, you can regenerate and view the report. The report displays the information
of the last scan.
To generate and view the Asset Discovery Report from the VSE:
1. In the VSE, go to Operations > Devices.
2. From the All Devices list in the left pane, select Discovery Engine.
3. To generate the Active Asset Discovery Report of the last scan, select the check box for
Generate Asset Scan Report and click Execute Once Now.
Figure 5-13. Operations tab displaying newly discovered assets
Figure 5-14. Generate Asset Scan Report
A message appears, indicating that the report generation execution profile has started.
4. Click OK on the confirmation message.
Once the activity is completed, the Asset Discovery Report is generated. It displays the
information of the last scan.
5. To view the report list, click the View Data tab.
The View Data page appears, displaying all the reports that were generated in the last week.
6. Locate the report in the list by verifying that:
  ◦ Generate Asset Scan Report is displayed in the Profile Name column
  ◦ Diagnose Routine is displayed in the Type column
  ◦ Manual is displayed in the Reason column
  ◦ The date and time when the scan was executed is displayed in the Execution Date column
7. To open the report, click the OK link in the Status column of the required report.
8. On the Execution Result – View dialog box that appears now, click the link report.html in the
Value column.
The report is downloaded.
9. Click the downloaded HTML file to display the Asset Discovery Report.
5.3.3 Viewing the discovered assets
When your system is configured to add newly discovered assets as devices to the VSE, the number
of assets added as devices is displayed in the summary for each scan. Otherwise, only the number
of assets, listed according to each type of asset, and the total number of assets are displayed.
To view the scan summary from the VSE:
1. In the VSE, go to Operations > Devices.
2. Select the Discovery Engine option from the All Devices list.
3. Click the View Data tab.
4. To open a scan summary, click the OK link in the Status column of the Run Asset Scan or Run
Asset Scan Everyday profile.
The Execution Result – View window opens, displaying the scan summary.
Figure 5-15. The Asset Discovery Report
Figure 5-16. Asset Scan summary
The summary of the asset discovery scan is displayed in the Value column and arranged in the
following categories:
  ◦ First category at the top – lists the number of discovered assets arranged according to
    their operating systems and types, such as the number of Windows Hosts and Linux
    Hosts. See the top of the Value column in Figure 5-16.
  ◦ Total number of Assets Found – indicates the total number of assets that were
    discovered, not the number of assets that were added as devices to the VSE. In the first
    execution of the network scan, all the assets that are discovered appear in either the
    Device Added or Devices Not Added categories. In later scans, if the assets that are
    discovered were already added to the VSE, they will not appear in the categories Device
    Added or Devices Not Added, but their total will appear in the category Total number of
    Assets Found. In Figure 5-16, see the line highlighted with a dotted green line.
  ◦ Added Devices – lists the discovered assets that are added as devices to the VSE
    following the current scan. For every added device, the following details are provided:
    Hostname, IP address, OS, and Type. If an asset that was discovered in the current scan
    was already added as a device following a previous scan, it will not appear here again. See
    the area highlighted by means of a solid red line in Figure 5-16.
  ◦ Devices Not Added – lists the discovered assets that were not added as devices to the
    VSE following the current scan, either due to an error or because the number of devices in
    the VSE exceeded the maximum number of licensed devices. See the bottom of the Value
    column in Figure 5-17.
  ◦ If your system is not configured to add newly discovered assets as devices to the VSE, or
    all assets have already been added as devices to the VSE, the summary will show the
    number of discovered assets and total number of assets found as shown in Figure 5-18.
Figure 5-17. Scan summary listing the devices that are not added
Figure 5-18. Scan summary without any added devices
CS-ICSE602en-500A February 2019 © 2019 Honeywell International Sàrl