Integrate Device Security with Switches for Network Discovery

Device Security and Cortex XSOAR use SNMP to discover network topology from switches.
Where Can I Use This?
  • Device Security (Managed by Strata Cloud Manager)
  • (Legacy) IoT Security (Standalone portal)

What Do I Need?
One of the following subscriptions:
  • Device Security subscription for an advanced Device Security product (Enterprise Plus, Industrial OT, or Medical)
  • Device Security X subscription
One of the following Cortex XSOAR setups:
  • A free, cohosted, limited-featured Cortex XSOAR instance
    AND
    A Cortex XSOAR Engine (on-premises integration)
  • A full-featured Cortex XSOAR server
Device Security can work through Cortex XSOAR and an on-premises XSOAR engine to retrieve information about the network from network devices like switches and routers. To do this, XSOAR uses SNMP. The engine begins by establishing trust with an entry switch by sending it an SNMP community string for read-only access. A good choice for an entry switch is one at the L2-to-L3 conversion point, which is usually at the core or aggregation layer, because its position allows it to get information from downstream switches. After making a connection, the engine queries the switch for information about the network to which it’s connected:
  • Status of switch interfaces
  • Layer 2 VLANs and Layer 3 subnets
  • Network infrastructure devices like switches, routers, WLAN controllers, and access points
  • IP addresses of network service devices like DHCP and DNS servers per subnet
  • IP addresses of subnet gateways
  • Endpoint devices
Device Security also works with Cortex XSOAR to fetch the following information about switches on the network learned through Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP):
  • Switch MAC address, IP address, hostname, and serial number
  • Switch vendor, model, and firmware version
  • Switch location and description
As the XSOAR engine learns the IP addresses of neighboring switches from the entry switch, it next collects network information from them, including a list of their neighboring switches as well. XSOAR continues collecting network information and learning about other switches until it has queried them all.
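The crawl described above (query the entry switch, pull neighbor addresses from the LLDP and CDP tables, then visit each newly learned switch until none is left) is shown below as an added example. It is not Cortex XSOAR or Device Security code. The switch fabric, hostnames and addresses are constructed, and `snmp_walk` is a stand-in for a real SNMP walk (the OID constants are the genuine SNMPv2-MIB, IF-MIB, LLDP-MIB and CISCO-CDP-MIB values; the community string is a placeholder):

```python
"""Simulated SNMP crawl of a switch fabric: breadth-first discovery over LLDP/CDP.

Added example, not Palo Alto Networks / Cortex XSOAR code.  FABRIC is constructed
test data; snmp_walk() stands in for a real GETNEXT/GETBULK walk (e.g. pysnmp).
"""
from collections import deque

OID_SYSNAME = "1.3.6.1.2.1.1.5.0"                   # SNMPv2-MIB::sysName
OID_IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"           # IF-MIB::ifOperStatus (1=up, 2=down)
OID_LLDP_REM_MAN_ADDR = "1.0.8802.1.1.2.1.4.2.1"     # LLDP-MIB::lldpRemManAddrTable
OID_CDP_CACHE_ADDR = "1.3.6.1.4.1.9.9.23.1.2.1.1.4"  # CISCO-CDP-MIB::cdpCacheAddress

# Constructed fabric: management IP -> {OID: value}, shaped like walk output.
# LLDP carries the neighbor's management address in the table INDEX
# (timeMark.localPort.remIndex.addrSubtype.addrLen.addr); CDP returns it as a
# 4-byte octet string value.
FABRIC = {
    "10.0.0.1": {  # entry switch at the L2-to-L3 boundary (constructed)
        OID_SYSNAME: "core-1",
        OID_IF_OPER_STATUS + ".1": 1,
        OID_IF_OPER_STATUS + ".2": 1,
        OID_IF_OPER_STATUS + ".3": 2,
        OID_LLDP_REM_MAN_ADDR + ".3.0.1.1.1.4.10.0.0.2": 2,  # column 3 = lldpRemManAddrIfSubtype
        OID_CDP_CACHE_ADDR + ".2.1": bytes([10, 0, 0, 3]),
    },
    "10.0.0.2": {
        OID_SYSNAME: "access-1",
        OID_IF_OPER_STATUS + ".1": 1,
        OID_LLDP_REM_MAN_ADDR + ".3.0.1.1.1.4.10.0.0.1": 2,  # back-link to the core
    },
    "10.0.0.3": {
        OID_SYSNAME: "access-2",
        OID_IF_OPER_STATUS + ".1": 1,
        OID_IF_OPER_STATUS + ".2": 2,
        OID_CDP_CACHE_ADDR + ".1.1": bytes([10, 0, 0, 1]),   # back-link to the core
        OID_CDP_CACHE_ADDR + ".2.1": bytes([10, 0, 0, 4]),   # neighbor that never answers
    },
}


def snmp_walk(ip, base_oid, community="PLACEHOLDER_RO_COMMUNITY"):
    """Stand-in for a read-only SNMP walk; returns every OID under base_oid."""
    table = FABRIC.get(ip)
    if table is None:
        raise TimeoutError(f"no SNMP response from {ip}")
    return {o: v for o, v in table.items() if o == base_oid or o.startswith(base_oid + ".")}


def lldp_mgmt_addrs(walk):
    """Extract IPv4 management addresses encoded in lldpRemManAddrTable indices."""
    found, prefix = set(), OID_LLDP_REM_MAN_ADDR + ".3."
    for oid in walk:
        if not oid.startswith(prefix):
            continue
        idx = oid[len(prefix):].split(".")
        subtype, length = int(idx[3]), int(idx[4])
        if subtype == 1 and length == 4 and len(idx) >= 9:  # 1 = ipV4 address family
            found.add(".".join(idx[5:9]))
    return found


def cdp_addrs(walk):
    """Decode cdpCacheAddress octet strings (4 bytes) into dotted IPv4 strings."""
    return {".".join(str(b) for b in v) for v in walk.values() if len(v) == 4}


def crawl(entry_ip):
    """Breadth-first crawl from the entry switch.

    Returns (inventory, unreachable): per-switch hostname, interface counts and
    neighbor list, plus the set of learned addresses that did not respond.
    """
    inventory, unreachable = {}, set()
    queue, seen = deque([entry_ip]), {entry_ip}
    while queue:
        ip = queue.popleft()
        try:
            hostname = snmp_walk(ip, OID_SYSNAME)[OID_SYSNAME]
            ifs = snmp_walk(ip, OID_IF_OPER_STATUS)
            neighbors = (lldp_mgmt_addrs(snmp_walk(ip, OID_LLDP_REM_MAN_ADDR))
                         | cdp_addrs(snmp_walk(ip, OID_CDP_CACHE_ADDR)))
        except TimeoutError:
            unreachable.add(ip)
            continue
        inventory[ip] = {
            "hostname": hostname,
            "interfaces_up": sum(1 for v in ifs.values() if v == 1),
            "interfaces_down": sum(1 for v in ifs.values() if v == 2),
            "neighbors": sorted(neighbors),
        }
        for n in neighbors:
            if n not in seen:  # the visited set stops A<->B back-links from looping forever
                seen.add(n)
                queue.append(n)
    return inventory, unreachable


if __name__ == "__main__":
    inv, missing = crawl("10.0.0.1")
    for ip, info in inv.items():
        print(ip, info)
    print("unreachable:", sorted(missing))
```

Two points the crawl makes explicit: every neighbor table also lists the switch it was learned from, so the crawl only terminates because of the `seen` set; and a neighbor that never answers (here the constructed `10.0.0.4`) is reported as unreachable rather than dropped silently, which is what a defender wants surfaced, since it usually means a missing SNMP ACL entry, a wrong credential or a device outside the intended scope. Because an SNMPv2c community string crosses the wire in cleartext, the engine's read-only credential is better provisioned as an SNMPv3 user with authentication and privacy where the switches support it.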
After collecting information through SNMP, Device Security adds newly discovered details about the network to the Networks page and details about devices to the Devices and Device Details pages.
Cortex XSOAR runs a recurring job to query switches. Running the job daily is recommended, although you can set the interval between jobs to run more or less frequently.
SNMPv2c and SNMPv3 are supported.
Using SNMP to collect information from network switches requires either a full-featured Cortex XSOAR server or the purchase and activation of a Device Security third-party integration add-on license, which comes with a free cohosted Cortex XSOAR instance. The basic plan includes a license for three integration add-ons, one of which can be used for network discovery. The advanced plan includes a license for all supported third-party integrations.
Alternatively, you can use the free Network Discovery plugin to do SNMP crawling. You can download the plugin onto a supported firewall without needing to integrate with Cortex XSOAR.