Smart Polling
Smart Polling uses active polling methods to collect network device attributes that are not present in network traffic. This enables accurate device vulnerability analysis and improves device identification on the Nozomi Networks platform.
Overview
Smart Polling™ extends the asset identification capability in Arc and Guardian. To do this, it adds active polling methods that provide more granular information about devices in your network. This non-invasive technique actively collects additional device details, such as:
- Operating system (OS)
- Firmware versions
- Patch levels and more
With this additional device information, the platform creates a more precise list of vulnerabilities affecting your environment and a richer list of the devices in it.
Smart Polling is built around the concepts of identities, strategies, and plans. An identity is a relationship between a list of target devices and their matching credentials. A strategy defines how the platform polls devices, based on their communication protocols. For example, the SNMPv3 strategy uses the SNMPv3 protocol to poll devices. This ensures devices are polled appropriately and safely. A plan is the combination of a strategy, one or more identities, additional security settings, and the polling interval or schedule.
The recommended mode for Smart Polling is Progressive Mode. When enabled, Guardian and/or Arc automatically creates Smart Polling plans for the user. This provides quicker visibility with minimal or no configuration.
Alternatively, you can select which devices you would like to poll, and when. When strategies run successfully, they extract information that is shown on the Smart Polling page. You can also view the device details throughout the platform.
Discovery and Smart Polling
Discovery and Smart Polling complement each other to ensure that devices are safely detected and enriched for accurate profiling and risk assessment, without impacting network stability. Discovery identifies devices on the network, while Smart Polling uses protocol-specific, low-impact methods to retrieve firmware versions, configurations, potential vulnerabilities, and other details that are not available through traffic monitoring.
Triggers
Smart Polling can be triggered in two ways:
- Through a Smart Polling plan: If devices match an active plan in Arc or Guardian
- After a successful Discovery: Newly discovered devices that match a Smart Polling strategy will be automatically polled
Active sensor
Smart Polling on Guardian selects the sensor or sensors for execution based on the capture_devices field of the polled node. Smart Polling will engage the corresponding sensors. When at least one successful execution occurs from a sensor, Smart Polling remembers to use that sensor in future executions. If Smart Polling records no successful executions for more than a week, it will fall back to engaging the sensors recorded in the capture_devices field of the node.
To add a sensor to the applicable sensors for a node, you can use the Guardian command-line interface (CLI) to modify the capture_devices field, by adding the capture device. For example, vi node 192.168.1.1 capture_device arc[1e6a174c], where 192.168.1.1 is the node identifier (ID) and the value in brackets is the first eight characters of the Arc sensor's ID.
The OS of the sensor that polls the node decides which network interface to use based on the routing table. All Smart Polling strategies are based on the internet protocol (IP), which means that all routing decisions are delegated to the OS.
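The sensor selection and one-week fallback described in this section can be modelled as follows. This is an added illustration for reasoning about which sensor will poll a node, not Nozomi Networks code; the class and function names, the sensor name em0, and the choice to remember every sensor that succeeded within the last week are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# "No successful executions for more than a week" triggers the fallback.
FALLBACK_AFTER = timedelta(weeks=1)


@dataclass
class Node:
    node_id: str
    capture_devices: list            # sensors recorded on the node
    last_success: dict = field(default_factory=dict)  # sensor -> datetime


def record_result(node, sensor, ok, when):
    """Remember a sensor only when its polling execution succeeded."""
    if ok:
        node.last_success[sensor] = when


def sensors_to_engage(node, now):
    """Return the sensors that would be engaged for the next execution.

    Sensors with a success inside the last week are preferred (assumption:
    all of them are kept). With none, fall back to capture_devices.
    """
    recent = sorted(
        sensor for sensor, seen in node.last_success.items()
        if now - seen <= FALLBACK_AFTER
    )
    return recent if recent else list(node.capture_devices)


if __name__ == "__main__":
    # Constructed sample data: node ID and Arc sensor from the example above,
    # plus a hypothetical second capture device "em0".
    start = datetime(2024, 1, 1)
    node = Node("192.168.1.1", ["arc[1e6a174c]", "em0"])
    print("first run:", sensors_to_engage(node, start))
    record_result(node, "arc[1e6a174c]", True, start)
    record_result(node, "em0", False, start)
    for days in (3, 7, 8):
        now = start + timedelta(days=days)
        print(f"day {days}:", sensors_to_engage(node, now))
```

If a node is never polled from the sensor you expect, check whether that sensor appears in capture_devices at all, since it is the only source of candidates before the first success and after the fallback.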