There are various ways to deploy Asset Discovery, and the best strategy involves some analysis and planning. The following principles can guide you along the way:
- In general you want to minimize the number of Asset Discovery nodes, because installation, configuration and maintenance takes time for each node. Therefore, understand your network architecture first, in order to identify sweet spots for discovery.
- You don't want to give up cyber security for convenience (of having to install fewer nodes). Therefore, place Asset Discovery nodes behind firewalls and let them report outbound.
- You want your discovery to be as accurate as possible. This is best accomplished with layer 2 probing, meaning probing from inside a subnet rather than remote probing via routing. Therefore, try to avoid routing (even though this conflicts with the desire to install a minimal number of nodes).
- You don't want to install new hardware just to run Asset Discovery. Therefore, try to identify existing hardware where Asset Discovery can be installed.
Picking good hosting targets
A little planning before installing Asset Discovery minimizes the overall effort it will take you to make the best use of the software.
If you are just evaluating the software, a good option is to install Asset Discovery on a laptop that you can use to probe multiple different networks. This option is also a way to collect configuration data from isolated ("air-gapped") networks.
In general, OT-BASE Asset Discovery has a low footprint and can co-exist with other applications. One option to examine is to install Asset Discovery on engineering stations/servers, which usually have no real-time requirements.
If you want to host Asset Discovery on a dedicated machine, a low-cost product such as an Intel NUC is usually sufficient. Asset Discovery can certainly also be installed on virtual machines.
On the hosting machine, Asset Discovery can use all installed network interfaces. For example, when you install Asset Discovery on an engineering server that is connected to two different networks, Asset Discovery will be able to probe both networks.
Directly accessible networks
One way to deploy Asset Discovery is to install it in every single subnet that has some kind of routing path to Asset Center. The drawback is deployment cost: even though Asset Discovery has a small footprint and may co-exist with engineering software etc., it still requires installation and configuration effort per node.
An alternative is to have one Asset Discovery engine discover not just local networks (which are directly accessible via internal network interface cards) but also remote networks (which are accessible only via routing). The drawback is that with routing, ARP cannot be used for discovering IP addresses, so the much slower ICMP protocol must be used instead. However, taking advantage of routing usually goes a long way in minimizing the total number of Asset Discovery nodes, and hence maintenance cost.
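The planning trade-off described above (fewest nodes, but layer 2 probing wherever possible) can be worked through before anything is installed. The following Python script is an added example and is not part of OT-BASE Asset Discovery or the vendor's own code; the candidate hosts, their interface addresses and the target subnets are constructed for illustration. For every candidate host it separates the target subnets into those reachable on-link through one of its NICs (ARP-based, layer 2 discovery) and those reachable only via routing (ICMP only), then greedily picks the smallest set of hosts that covers every subnet at layer 2, reporting whatever remains as subnets that would need routed probing or an additional node.

```python
"""Planning helper: which subnets can each candidate host probe at layer 2?

Added example; not part of OT-BASE Asset Discovery. All hosts, NIC
addresses and target subnets below are constructed sample data.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory: candidate hosting machines and the CIDR of each NIC.
# "eng-server-01" and "historian" are dual-homed, so they can probe two
# subnets at layer 2 from a single Asset Discovery installation.
CANDIDATE_HOSTS: Dict[str, List[str]] = {
    "eng-server-01": ["10.10.1.5/24", "10.10.2.5/24"],
    "hmi-station-03": ["10.10.3.20/24"],
    "historian": ["10.10.2.30/24", "10.10.4.30/24"],
    "laptop": ["192.168.50.10/24"],
}

# Constructed list of subnets that must be discovered.
TARGET_SUBNETS: List[str] = [
    "10.10.1.0/24",
    "10.10.2.0/24",
    "10.10.3.0/24",
    "10.10.4.0/24",
    "10.10.5.0/24",
]


def classify_targets(host_ifaces: Iterable[str],
                     targets: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Split targets into on-link (ARP, layer 2) and routed (ICMP only).

    A target subnet is on-link if it overlaps the network of any NIC on the
    host; everything else can only be reached through a router.
    """
    local_nets = [ipaddress.ip_interface(i).network for i in host_ifaces]
    on_link: Set[str] = set()
    routed: Set[str] = set()
    for t in targets:
        net = ipaddress.ip_network(t)
        if any(net.overlaps(ln) for ln in local_nets):
            on_link.add(t)
        else:
            routed.add(t)
    return on_link, routed


def plan_nodes(hosts: Dict[str, List[str]],
               targets: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Greedy set cover: fewest hosts whose NICs reach every target at layer 2.

    Returns (chosen hosts in selection order, targets no candidate reaches
    on-link). Ties are broken by host name so the result is deterministic.
    """
    targets = list(targets)
    uncovered = set(targets)
    coverage = {h: classify_targets(ifaces, targets)[0]
                for h, ifaces in hosts.items()}
    chosen: List[str] = []
    while uncovered:
        best = min(coverage, key=lambda h: (-len(coverage[h] & uncovered), h))
        gain = coverage[best] & uncovered
        if not gain:          # nobody covers anything left at layer 2
            break
        chosen.append(best)
        uncovered -= gain
    return chosen, sorted(uncovered)


if __name__ == "__main__":
    for host, ifaces in CANDIDATE_HOSTS.items():
        on_link, routed = classify_targets(ifaces, TARGET_SUBNETS)
        print(f"{host}: layer 2 {sorted(on_link)}  routed-only {sorted(routed)}")
    nodes, leftover = plan_nodes(CANDIDATE_HOSTS, TARGET_SUBNETS)
    print("install Asset Discovery on:", nodes)
    print("only reachable via routing (ICMP) or needs a new node:", leftover)
```

With the constructed data the plan selects eng-server-01, historian and hmi-station-03, and flags 10.10.5.0/24 as a subnet no existing host can probe at layer 2; that is exactly the decision point the text describes, where you either accept slower routed ICMP discovery from one of the chosen nodes or add a node inside that subnet.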