OTbase Discovery can be deployed in various ways, and the best strategy involves some analysis and planning. The following principles can guide you along the way:
- In general, you want to minimize the number of OTbase Discovery nodes, because installation, configuration and maintenance take time for each node. Therefore, understand your network architecture first in order to identify sweet spots for discovery.
- You don't want to give up cyber security for convenience (having fewer nodes to install). Therefore, place OTbase Discovery nodes behind firewalls and let them report outbound.
- You want your discovery to be as accurate as possible. This is best accomplished with layer 2 probing, meaning inside a subnet rather than remote probing via routing. Therefore, try to avoid routing (even though this conflicts with the desire to install a minimal number of nodes).
- You don't want to install new hardware in order to install OTbase Discovery. Therefore, try to identify existing hardware where OTbase Discovery can be installed.
Selecting A Good Hosting Machine
Invest a little planning before installing OTbase Discovery in order to minimize the overall effort it takes to make the best use of the software.
If you are just evaluating the software, a good option is to install OTbase Discovery on a laptop that you can use to probe multiple different networks. This option is also a way to collect configuration data from isolated ("air-gapped") networks.
In general, OTbase Discovery has a low footprint and can co-exist with other applications. One option to examine is to install OTbase Discovery on engineering stations/servers which usually have no realtime requirements.
If you consider hosting OTbase Discovery on a dedicated machine, a low-cost product such as an Intel NUC is usually sufficient. You can also install OTbase Discovery on virtual machines.
On the hosting machine, OTbase Discovery can use all installed network interfaces. So, as an example, when you install OTbase Discovery on an engineering server that is hosted in two different networks, OTbase Discovery will be able to probe both networks.
Directly accessible networks
One way to deploy OTbase Discovery is to install it in every single subnet that has some kind of routing path to OTbase Inventory. The drawback is deployment cost: even though OTbase Discovery has a small footprint and may co-exist with engineering software etc., it still requires installation and configuration effort per node.
Routed networks
An alternative is to have one OTbase Discovery engine discover not just local networks (which are directly accessible via internal network interface cards) but also remote networks (which are accessible only via routing). The drawback is that with routing, ARP cannot be used for discovering IP addresses, so the much slower ICMP protocol must be used instead. However, taking advantage of routing usually goes a long way in minimizing the total number of OTbase Discovery nodes, and hence maintenance cost.
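The trade-off between few nodes and layer 2 accuracy can be worked out on paper before anything is installed. The following planning sketch is an added example, not part of OTbase Discovery or its documentation; the host names, addresses and function names are constructed for illustration, and the script sends no network traffic. It marks each target subnet as locally attached (ARP possible) or routed (ICMP only) for a given host, then greedily picks existing machines so that as many subnets as possible are covered at layer 2.

```python
import ipaddress

# Constructed sample data: candidate hosting machines and their interface addresses.
CANDIDATES = {
    "eng-server-1": ["10.10.1.20/24", "10.10.2.20/24"],  # dual-homed engineering server
    "eng-station-a": ["10.10.2.31/24"],
    "hmi-gateway": ["10.10.3.5/24"],
}
# Constructed sample data: subnets that should be discovered.
TARGETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]


def classify_targets(interfaces, targets):
    """Split targets into subnets the host sits in (ARP works) and routed ones (ICMP only)."""
    local_nets = [ipaddress.ip_interface(i).network for i in interfaces]
    plan = {"arp": [], "icmp": []}
    for target in targets:
        net = ipaddress.ip_network(target)
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
        local = any(net.version == ln.version and net.subnet_of(ln) for ln in local_nets)
        plan["arp" if local else "icmp"].append(str(net))
    return plan


def pick_nodes(candidates, targets):
    """Greedy cover: pick few hosts so that most targets are probed at layer 2."""
    remaining = {str(ipaddress.ip_network(t)) for t in targets}
    chosen = []
    while remaining:
        best, covered = None, set()
        for name, ifaces in sorted(candidates.items()):
            local = set(classify_targets(ifaces, remaining)["arp"])
            if len(local) > len(covered):
                best, covered = name, local
        if best is None:  # nobody is attached to what is left: routing is required
            break
        chosen.append(best)
        remaining -= covered
    return chosen, sorted(remaining)


if __name__ == "__main__":
    nodes, routed = pick_nodes(CANDIDATES, TARGETS)
    print("install on:", nodes)
    print("reachable only via routing (ICMP):", routed)
```

Subnets left in the second return value are the ones where you either accept slower routed discovery from an existing node or add another node inside that subnet.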