Smart Polling

Smart Polling uses active polling methods to collect network device attributes that are not present in network traffic. This enables accurate device vulnerability analysis and improves device identification on the Nozomi Networks platform.

Overview

Smart Polling extends the asset identification capability in Arc and Guardian. To do this, it adds active polling methods that provide more granular information about devices in your network. This non-invasive technique actively collects additional device details, such as:

With this additional device information, the platform creates a more precise list of vulnerabilities affecting your environment and a richer list of the devices in it.

Smart Polling is built around the concepts of identities, strategies, and plans. An identity is a relationship between a list of target devices and their matching credentials. A strategy defines how the platform polls devices, based on their communication protocols. For example, the SNMPv3 strategy uses the SNMPv3 protocol to poll devices. This ensures devices are polled appropriately and safely. A plan is the combination of a strategy, one or more identities, additional security settings, and the polling interval or schedule.

The recommended mode for Smart Polling is Progressive Mode. When enabled, Guardian and/or Arc automatically creates Smart Polling plans for the user. This provides quicker visibility with minimal or no configuration.

Alternatively, you can select which devices to poll, and when. When strategies run successfully, they extract information that appears on the Smart Polling page. You can also view the device details throughout the platform.

Discovery and Smart Polling

Discovery and Smart Polling complement each other to ensure that devices are safely detected and enriched for accurate profiling and risk assessment, without impacting network stability. Discovery identifies devices on the network, while Smart Polling uses protocol-specific, low-impact methods to retrieve firmware versions, configurations, potential vulnerabilities, and other details that are not available through traffic monitoring.

Triggers

Smart Polling can be triggered in two ways:

  • Through a Smart Polling plan: If devices match an active plan in Arc or Guardian
  • After a successful Discovery: Newly discovered devices that match a Smart Polling strategy are automatically polled

Active sensor

Smart Polling selects the sensor for execution based on the capture_device field of the polled node. If Arc detects the node, this field contains a reference to the Arc sensor, which is used to poll the node. Otherwise, the Guardian itself polls the node.

You can use the Guardian command-line interface (CLI) to modify the capture_device field to force Smart Polling from a specific Arc sensor. For example: vi node 192.168.1.1 capture_device arc[1e6a174c], where 192.168.1.1 is the node identifier (ID) and the value in brackets is the first eight characters of the Arc sensor ID.

The OS of the sensor that polls the node decides which network interface to use based on the routing table. All Smart Polling strategies are based on the Internet Protocol (IP), which means that all routing decisions are delegated to the OS.
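
Because the OS routing table picks the outgoing interface, it is worth confirming which source address a polling host will actually use before relying on access rules written for it. The following is an added example, not Nozomi Networks code: the function names and the expected source addresses are hypothetical, and it assumes Python is available on the host that will do the polling.

```python
import ipaddress
import socket

SNMP_PORT = 161  # any port works: only the route lookup matters here


def polling_source_address(target, port=SNMP_PORT):
    """Return the local IP the OS routing table selects to reach `target`,
    or None when the OS has no route. Raises ValueError on a malformed IP."""
    addr = ipaddress.ip_address(target)
    family = socket.AF_INET6 if addr.version == 6 else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        try:
            # connect() on a UDP socket sends nothing; it only binds the
            # socket to the source address the OS would route from.
            sock.connect((str(addr), port))
        except OSError:
            return None
        return sock.getsockname()[0]


def audit_targets(expected):
    """`expected` maps target IP -> source IP the access rules allow
    (an assumption of this example). Returns one finding per target
    with status ok / mismatch / no-route."""
    findings = []
    for target, allowed_source in expected.items():
        actual = polling_source_address(target)
        if actual is None:
            status = "no-route"
        elif ipaddress.ip_address(actual) == ipaddress.ip_address(allowed_source):
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"target": target, "expected": allowed_source,
                         "actual": actual, "status": status})
    return findings


if __name__ == "__main__":
    # Constructed sample: the expected source addresses are invented for illustration.
    sample = {"192.168.1.1": "192.168.1.250", "127.0.0.1": "127.0.0.1"}
    for finding in audit_targets(sample):
        print(finding)
```

A "mismatch" finding means the OS would poll that node from a different address than the one planned for, typically because a more specific route points out of another interface.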