IT Asset Inventories Need To Be Actionable

eTelemetry matches device addresses with names, cable ports and physical locations for compliance and for quicker "hey you, turn that off," as part of your IT Asset Inventory/Management.
Do you know what's on your network, hardware-wise and software-wise?

Maybe -- if you, or somebody providing IT administration and management, is running one or more IT inventory tools. Or if you're using a tool that generates this data as a by-product of other tasks, like a network traffic monitoring tool.

There's no shortage of IT Asset Management, a.k.a. IT Inventory, tools around, from Symantec Altiris to smaller players like NetSupport DNA. Many VARs offer this tracking for the systems they sell.

Or, like many small companies, you might simply use an Excel spreadsheet.

(FYI, here's an article I wrote about IT asset inventory/management a few years ago.)

And there are compelling reasons to have and run these tools, like:

  1. Making sure you're not running unlicensed copies of software, or more copies than you have licenses for, as the License Police can be, like the RIAA, draconian in their pursuit. (Insert standard rants regarding free Open-Source software here and/or below.)
  2. Letting you know if you have more licenses than you're using, so you can avoid or reduce software spending.
  3. Depending on the software vendor and how you've set things up, letting you do concurrent-use licensing or other deals -- possibly switching software -- rather than per-specific-user licensing -- great savings if you've got lots of users but only a few people need to use something at the same time.
  4. Identifying operating systems and applications that need updating, upgrading, patching, and so on.
  5. Identifying hardware that needs, or could stand to be, upgraded; can/can't support migrating to Windows 7.

You get the idea. Knowing what you've got is the first step in deciding when to hold 'em and when to fold 'em.

Depending on what business you're in, having a current network inventory -- list of what's connected to your network -- may not be just a good idea, but an industry and/or government requirement. For example, says Ermis Sfakiyanudis, CEO of eTelemetry, it's part of PCI DSS (Payment Card Industry Data Security Standard) compliance, and has to be updated quarterly.

Which can be a pain in the fundament to do, if you don't have the right tools.

Also, what these tools don't necessarily tell you is a, where the device is physically located, and b, who uses it or is responsible for it, like, say, so you can pick up a phone and yell "Turn that dang thing off NOW!"

One company working to make some of IT Asset Inventory/Management easier is eTelemetry, which has recently added new features to Version 5.0 of their Locate network appliance, which centralizes the process, and adds device discovery reporting and dashboarding.

By scanning network traffic, Locate builds a table that correlates "people on your network with their IP address, MAC address, and switch port in real-time and historically," not just for computers and network devices, but IP devices that don't have anyone who authenticates to them, such as printers, or IP announcement systems.

This information should be enough to let you know where, physically, a device is -- and having the owner's name means that if there's an immediate concern, like alerts indicating a machine is spewing out viruses or spam, you can call its owner, or have somebody nearby unplug the network or power cable.
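The correlation described above amounts to a join over three feeds: authentication events, IP-to-MAC mappings, and switch MAC tables. The sketch below is an added example, not eTelemetry's code; the feed formats, addresses, user names, and function names are constructed assumptions.

```python
from datetime import datetime

# Constructed sample feeds (illustrative only, not Locate's data model).
AUTH_EVENTS = [  # (time, user, ip) as seen in authentication traffic
    ("2024-05-01T08:02:11", "asmith", "10.0.4.21"),
    ("2024-05-01T08:15:40", "bjones", "10.0.4.37"),
    ("2024-05-01T13:20:05", "cdoe", "10.0.4.21"),   # IP later used by someone else
]
ARP = {  # ip -> mac
    "10.0.4.21": "00:11:22:aa:bb:01",
    "10.0.4.37": "00:11:22:aa:bb:02",
    "10.0.4.90": "00:11:22:aa:bb:03",  # printer, nobody logs in from it
}
MAC_TABLE = {  # mac -> (switch, port), as crawled from switches
    "00:11:22:aa:bb:01": ("sw-floor2", "Gi1/0/14"),
    "00:11:22:aa:bb:02": ("sw-floor2", "Gi1/0/15"),
    "00:11:22:aa:bb:03": ("sw-floor1", "Gi1/0/3"),
}


def user_at(ip, when, events=AUTH_EVENTS):
    """Return the last user seen authenticating from ip at or before `when`."""
    cutoff = datetime.fromisoformat(when)
    seen = [(datetime.fromisoformat(t), u) for t, u, i in events
            if i == ip and datetime.fromisoformat(t) <= cutoff]
    return max(seen)[1] if seen else None


def build_inventory(when, arp=ARP, mac_table=MAC_TABLE, events=AUTH_EVENTS):
    """Join the three feeds into one row per IP: who, which MAC, which port."""
    rows = []
    for ip, mac in sorted(arp.items()):
        switch, port = mac_table.get(mac, (None, None))
        rows.append({"ip": ip, "mac": mac, "switch": switch, "port": port,
                     "user": user_at(ip, when, events)})
    return rows


def unattributed(rows):
    """Devices with no known user: candidates for manual owner registration."""
    return [r["ip"] for r in rows if r["user"] is None]


if __name__ == "__main__":
    for row in build_inventory("2024-05-01T14:00:00"):
        print(row)
```

Passing an earlier timestamp to `user_at` answers the historical question of who was on an address when an alert fired, and `unattributed` surfaces devices such as printers that never authenticate and need an owner recorded some other way.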

Or, using Locate's Isolator feature, shut that person's access down at the switch port... easier than yanking or cutting their network cable. (Probably not as satisfying to do, but also easier when it's time to restore the device, or re-enable the port with a different device attached.)

And, says Sfakiyanudis, "Locate gives you endpoint security without having to deploy a trusted infrastructure. There's no need to do NAC (Network Access Control), this provides 'switchpoint' identity."

Locate can also be used to detect rogue Access Points, which is faster and easier than having somebody walk around with a handheld scanner.

This isn't just about compliance; it's also an important security tool for quickly discovering and identifying unauthorized Access Points, computers, or peripherals.

The new Collaborative Device Registration System (CDRS) works with Microsoft Active Directory, so users can register their information and identify devices they "own" based on hostname, IP address, or MAC address. Other new features include device discovery reporting, to show new devices and when they were first found on the network.

According to Sfakiyanudis, Locate is being used by the gamut of verticals and organization sizes, including "a lot in small local government, SMBs in finance, education... in particular, where there are users moving from location to location."

Beth Cohen, President of computer/network consultancy Luth Computer Specialists, Inc., says, "A mid-sized business definitely needs something like this -- any organization with twenty or more things attached to their network switch, particularly if they have WiFi."

Pricing for a Locate appliance starts at around $5,000 (they're looking into a virtual-machine software version). While that may feel like a lot of money to IT budget-sensitive organizations, ROI is "typically 150% in the first year," Sfakiyanudis claims, because of the time saved for network engineers to resolve problems by tracing IP addresses back to physical locations, the containment of problems, and the reduction of liability and risk.

And Locate doesn't have to be located on premises. "Locate has a crawler and a sniffer, we can sniff the authentication traffic and crawl the switch network, it can be at a separate location," says Sfakiyanudis.

Locate isn't a comprehensive IT asset inventory solution, nor does it claim to be. "We aren't doing full profiling of the endpoint," says Sfakiyanudis. But they make a good point, that knowing who and where go with what is useful, actionable data to have readily available.