Insightix Enterprise 1.5 Quick Setup How-To and Review

Posted by Michael Mon, 13 Mar 2006 15:52:00 GMT


Synopsis

We spend a huge amount of time protecting our network access, but how many of us can say with any certainty exactly what’s on our network? I was having lunch with a friend who runs a medium-sized company and asked him “How many servers do you have on your network?” His reply: “I don’t know, maybe 350-450.” So apparently a 25% margin of error is acceptable to him. Got a site license for a product? Paying for the right number of installations? How do you know? How many people are running web servers on your network? Don’t worry, we didn’t know the exact number either, but we do now.

Insightix Ltd.’s Insightix Dynamic Infrastructure Discovery Collector 1.5 did a complete inventory of Imapenguin’s testing network in just over 20 minutes. It identified every device on the network correctly and displayed the changes we made in real time. Installation was a snap, and most importantly, we didn’t have to do anything but put it in a place where it could see all of the traffic.

Overview

Insightix is a new company in an interesting space. As an “Infrastructure Discovery” platform it has some competitors, and you can do some of this with a mash-up of open source tools, but none are packaged quite like this. Insightix uses a combination of BOTH active and passive discovery. The result is a very good picture of your network in less than half an hour with far (far, far) less active probe traffic needed to find out what’s going on.

Installation and configuration

The Insightix product requires two network interfaces to work properly, one for active scanning and one for passive scanning. For passive scanning, one of its two interfaces has to sit on a span (mirror) port that receives a copy of all of your traffic. The quick start and admin guides outline this well. We configured our network switch to span a port, connected the passive port to it, and connected the active port to an ordinary switch port. Only the active port needs an IP address; the passive port just listens.
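For reference, this is what the span-port side of that setup looks like on a Cisco IOS switch. It is an added example, not configuration from the review or from Insightix (the review does not say which switch was used), and VLAN 10 and the interface numbers are hypothetical.

```cisco
! Added example, not the review's own configuration. Cisco IOS syntax;
! VLAN 10 and the interface numbers are hypothetical.
!
! Mirror both directions of every frame on VLAN 10 to Fa0/24, where the
! collector's passive interface is plugged in.
monitor session 1 source vlan 10 both
monitor session 1 destination interface FastEthernet0/24
!
! The active interface gets an ordinary access port in the same VLAN so it
! can take an address, answer ARP and send its verification probes.
interface FastEthernet0/23
 switchport mode access
 switchport access vlan 10
!
! Confirm the session is up:
! show monitor session 1
```

A SPAN destination port does not behave like a normal switch port (on IOS it does not forward ingress traffic by default), which is why the product wants a second NIC for the active side. Watch for oversubscription too: the destination port can only deliver its own line rate, and anything beyond that is dropped silently, so on a busy network mirror the VLANs or uplinks that matter rather than everything, or the passive picture will have gaps you never see.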

The enterprise product installs a locked-down Linux (based on Ubuntu, if you were wondering) on most standard x86 servers. We chose a fairly standard Dell PowerEdge server with 1 GB of RAM. First you download the image from the FTP site, gunzip the file, burn the ISO to a CD, and boot from it. You can skip this step by requesting a CD from them if you don’t want to go through the CD creation process. If you are familiar with Unix-style text-based installations, you’ll recognize the standard Linux boot messages scrolling by. Hit the space bar a few times to page through the EULA, type ‘yes’ to accept, and the system installs and automatically reboots. You are then prompted for the IP address information for the active interface, which is also the interface you’ll point your web browser at to reach the web interface. You make a simple decision about whether to enable NTP (I said yes), and you’re done. At this point the system immediately starts its passive listening. Active scanning starts after 10 minutes and only probes a few ports to pin down more information based on its preliminary operating system guess.

The next step is to log in to the web interface. From any system with Java 1.5 installed, point your web browser at the IP address and log in as admin. The password is blank by default, and yes, you should set one before anything else: this interface lives on the active port, which the rest of the network can reach. There is only one other optional configuration step, and that’s to go over to the configuration tab and set your SNMP community string(s) if you have them; read-only access is all discovery needs. You can also add some information about your switches or subnets if you have a particularly unusual or complicated network.

Performance

Bounce (or waddle if you’re a penguin) over to the Dashboard and see how it’s doing. After about 20 minutes the “undetected” count should shrink to a low number and the “detected” count should be climbing.

A big part of the problem with current infrastructure discovery products is the traffic they generate with active scanning. Some of them probe every port, 1-65535, on every machine. You can get an idea of how much traffic this type of scanning generates by doing it to a single machine with nmap. Just do:

sudo nmap -T3 -vv -sS -p 1-65535 -P0 somehost.com

(-P0 is spelled -Pn in current nmap releases; it skips the host-discovery ping.) You’ll get an idea of what a problem this could create across your network. Granted, -T3 is only nmap’s default timing, so this isn’t even the aggressive version; the cost is the port range. A SYN scan of all 65,535 ports sends at least one SYN per port, plus retransmissions for ports that never answer, so doing the same to every host on a /24 of live machines means well over 16 million probes. Active scanning of any type done in this manner can cause serious traffic problems on networks of all sizes.

Insightix avoids flooding the network with traffic by using a unique combination of active and passive scanning. For the first 10 minutes the system does no active scanning at all. It gathers information about the systems on your network by listening, takes an educated guess at each one by comparing it to its extensive fingerprint database, and then only probes a small number of ports during the active phase to verify that its guess from the passive phase was right. There is a nice interface to view and edit the ports probed for each operating system, and a place to add custom entries.
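To make the two phases concrete, here is an added example in Python (mine, not Insightix’s code) that does the same thing in miniature: it builds an inventory from packets observed passively, guesses an OS family from the IP TTL and TCP window size the way p0f does, then derives a per-host list of verification ports and compares that probe count with the full 1-65535 sweep from the nmap command above. The observations are constructed records rather than a live capture, and the OS-to-ports table is illustrative.

```python
"""Passive-first discovery with a minimal active verification plan.

Added example, not Insightix code: it imitates the two-phase approach the
review describes. Phase one reads observations taken off the span port (a
constructed list below, not a live capture) and guesses each host's OS family
from the IP TTL and TCP window size, the way passive fingerprinters such as p0f
do. Phase two turns each guess into the handful of ports worth probing and
compares that budget with a 1-65535 sweep of every host.
"""
from dataclasses import dataclass, field

FULL_SWEEP_PORTS = 65535  # nmap -p 1-65535 sends at least this many SYNs per host

# Initial TTLs used by common stacks; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)

# Illustrative verification ports per OS family (the real product lets you edit this table).
VERIFY_PORTS = {
    "windows": (135, 139, 445, 3389),
    "linux": (22, 80, 111, 443),
    "bsd-or-macos": (22, 80, 548),
    "network-device": (22, 23, 161),
    "unknown": (22, 80, 135, 443, 445),
}


@dataclass
class Host:
    ip: str
    mac: str = ""
    os_guess: str = "unknown"
    hops: int = 0                                 # distance from the sensor, from the TTL decrement
    open_ports: set = field(default_factory=set)  # proven open by traffic we saw, no probe needed


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the stack's likely initial value (63 -> 64, 126 -> 128, ...)."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial
    return 255


def guess_os(ttl, window=None):
    """Coarse OS family from TTL, refined by the TCP window when one was seen. Heuristic only."""
    initial = guess_initial_ttl(ttl)
    if initial == 128:
        return "windows"
    if initial == 255:
        return "network-device"  # routers and switches; Solaris also starts at 255
    if initial == 64:
        return "bsd-or-macos" if window == 65535 else "linux"
    return "unknown"


def passive_inventory(observations):
    """Build {ip: Host} from packets seen on the span port without sending anything."""
    hosts = {}
    for obs in observations:
        host = hosts.setdefault(obs["src_ip"], Host(ip=obs["src_ip"]))
        if obs.get("src_mac"):
            host.mac = obs["src_mac"]
        host.os_guess = guess_os(obs["ttl"], obs.get("window"))
        host.hops = guess_initial_ttl(obs["ttl"]) - obs["ttl"]
        # A SYN/ACK leaving the host proves its source port is open.
        if obs.get("proto") == "tcp" and obs.get("flags") == "SA":
            host.open_ports.add(obs["sport"])
    return hosts


def verification_plan(hosts):
    """Ports to probe per host: the OS family's list minus what passive traffic already proved."""
    return {ip: [p for p in VERIFY_PORTS[h.os_guess] if p not in h.open_ports]
            for ip, h in hosts.items()}


def probe_budget(plan):
    """(targeted probes, probes a full sweep of the same hosts would send)."""
    targeted = sum(len(ports) for ports in plan.values())
    return targeted, len(plan) * FULL_SWEEP_PORTS


# Constructed observations, standing in for packets decoded from the span port.
SAMPLE_OBSERVATIONS = [
    {"src_ip": "10.0.0.10", "src_mac": "00:11:22:33:44:55", "proto": "tcp",
     "ttl": 128, "window": 8192, "flags": "SA", "sport": 445},    # Windows box answering SMB
    {"src_ip": "10.0.0.20", "src_mac": "00:11:22:33:44:66", "proto": "tcp",
     "ttl": 63, "window": 5840, "flags": "SA", "sport": 80},      # Linux web server, one hop away
    {"src_ip": "10.0.0.30", "src_mac": "00:11:22:33:44:77", "proto": "tcp",
     "ttl": 64, "window": 65535, "flags": "S", "sport": 51000},   # BSD-derived client opening a connection
    {"src_ip": "10.0.0.1", "src_mac": "00:11:22:33:44:01", "proto": "udp",
     "ttl": 255, "sport": 161},                                   # switch or router talking SNMP
]

if __name__ == "__main__":
    inventory = passive_inventory(SAMPLE_OBSERVATIONS)
    plan = verification_plan(inventory)
    for ip, host in inventory.items():
        print(f"{ip:<12} {host.mac} {host.os_guess:<15} hops={host.hops} probe={plan[ip]}")
    targeted, full = probe_budget(plan)
    print(f"{targeted} targeted probes instead of {full} for a full sweep of the same hosts")
```

Passive fingerprinting from TTL and window alone is coarse (Solaris also starts at TTL 255, and a tuned Linux stack will not show a 5840 window), which is exactly why the product follows it with a handful of targeted probes rather than trusting the guess. The budget the example computes, 12 probes against 262,140 for the same four hosts, is the whole argument of this section in one number.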


The Insightix Enterprise correctly identified all devices on our network, including some hand-rolled storage and VoIP devices. Pretty impressive in 20 minutes, and I didn’t have to do a thing to my network but set up a simple span port.

Reporting


Now that the system is up and running, you have all sorts of reporting options. How about a usable Visio diagram or a pretty PDF picture? We found the reporting tools useful and the default outputs very well laid out for our tests. The real-time infrastructure interface allows you to expand and collapse views by switch, which is useful if you have a large number of devices on one section.

Drill down into the management console a little and it will tell you how many instances of just about any service you have running, and with SNMP-enabled switches, even which switch port they are connected to. How many times last year would an up-to-date inventory of SQL worm-vulnerable machines have come in handy? (Oh, and you forgot that Outlook’s Business Contact Manager and plenty of other desktop software quietly install MSDE, a desktop edition of SQL Server, didn’t you?) To top it off, we were able to get an accurate inventory of servers and services running inside VMware virtual machines.
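The switch-port mapping comes from SNMP’s bridge tables, and this added example in Python (mine, not Insightix’s code) shows the join a discovery tool performs with the read-only community you configured earlier: MAC to bridge port (BRIDGE-MIB dot1dTpFdbPort), bridge port to ifIndex (dot1dBasePortIfIndex), ifIndex to port name (IF-MIB ifName). The three snmpwalk outputs are constructed for a hypothetical switch so the example runs offline; the OIDs are the standard ones.

```python
"""Which switch port is this MAC on? A join of three SNMP walks.

Added example, not Insightix code. It shows what a discovery tool does with the
read-only community you hand it: read the bridge's learned-address table
(BRIDGE-MIB dot1dTpFdbPort), translate the bridge port number to an ifIndex
(dot1dBasePortIfIndex) and the ifIndex to a port name (IF-MIB ifName). The walk
output below is constructed in the form `snmpwalk -On` prints so the example
runs offline; against a real switch you would feed it the output of
    snmpwalk -v2c -c <ro-community> -On <switch> <oid>
for each of the three OIDs.
"""
import re
from collections import Counter

DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # BRIDGE-MIB: MAC -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # BRIDGE-MIB: bridge port -> ifIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"                  # IF-MIB: ifIndex -> port name

WALK_LINE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>[\w-]+): (?P<value>.*)$")


def parse_walk(text, base_oid):
    """Return {index suffix: value} for every walk line under base_oid."""
    prefix = base_oid + "."
    out = {}
    for line in text.splitlines():
        m = WALK_LINE.match(line.strip())
        if m and m.group("oid").startswith(prefix):
            out[m.group("oid")[len(prefix):]] = m.group("value").strip().strip('"')
    return out


def fdb_index_to_mac(suffix):
    """dot1dTpFdbTable is indexed by the MAC written as six decimal octets."""
    octets = suffix.split(".")
    if len(octets) != 6:
        raise ValueError(f"not a MAC index: {suffix}")
    return ":".join(f"{int(o):02x}" for o in octets)


def mac_to_port(fdb_walk, baseport_walk, ifname_walk):
    """{mac: port name} for every address the switch has learned."""
    fdb = parse_walk(fdb_walk, DOT1D_TP_FDB_PORT)
    port_to_ifindex = parse_walk(baseport_walk, DOT1D_BASE_PORT_IFINDEX)
    ifnames = parse_walk(ifname_walk, IF_NAME)
    mapping = {}
    for suffix, bridge_port in fdb.items():
        ifindex = port_to_ifindex.get(bridge_port)
        # Fall back to the raw bridge port number if the switch lacks ifName.
        mapping[fdb_index_to_mac(suffix)] = ifnames.get(ifindex, f"bridge port {bridge_port}")
    return mapping


def shared_ports(mapping, threshold=2):
    """Ports carrying several MACs: uplinks, hubs or VM hosts, not one directly attached box."""
    counts = Counter(mapping.values())
    return {port for port, n in counts.items() if n >= threshold}


# Constructed walk output for a hypothetical switch; MACs and port names are made up.
FDB_WALK = """
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.102 = INTEGER: 7
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.1 = INTEGER: 24
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.2 = INTEGER: 24
"""
BASEPORT_WALK = """
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10007
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10024
"""
IFNAME_WALK = """
.1.3.6.1.2.1.31.1.1.1.1.10003 = STRING: Fa0/3
.1.3.6.1.2.1.31.1.1.1.1.10007 = STRING: Fa0/7
.1.3.6.1.2.1.31.1.1.1.1.10024 = STRING: Gi0/1
"""

if __name__ == "__main__":
    where = mac_to_port(FDB_WALK, BASEPORT_WALK, IFNAME_WALK)
    uplinks = shared_ports(where)
    for mac, port in sorted(where.items()):
        print(mac, port, "(shared, not an edge port)" if port in uplinks else "")
```

Two practical caveats. On Cisco Catalyst switches the BRIDGE-MIB forwarding table is kept per VLAN, so you either walk it once per VLAN with community-string indexing (community@vlan) or use Q-BRIDGE-MIB dot1qTpFdbPort (1.3.6.1.2.1.17.7.1.2.2.1.2), which is indexed by VLAN and MAC. And a port that shows several MACs, like Gi0/1 above, is an uplink to another switch (or a hub, or a VM host), so the device is not directly attached there; follow the uplink and repeat the join on the next switch to find the real edge port.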

We found the overall interface and reporting to be well polished compared to some of the other products we’ve tested, although the choice of a Java interface could prove problematic on some installations. This is the reality of a rich interface inside a browser, and we much prefer it to a proprietary browser plug-in like ActiveX or a desktop client; to their credit, they support the most modern Java Virtual Machine.

In upcoming releases Insightix is working to fix our one annoyance, the lack of any persistent historical data. There is only a short window in which the data about your network is available. In talking to them, we discovered that this is high on their feature list and that they may even allow external use of the collected data.


Conclusion

The Insightix Enterprise DID (Dynamic Infrastructure Discovery) Collector may seem a little expensive, but this product just works. You plug it in, turn it on, and it does what it is supposed to. We all know the value of a product that does exactly what it is supposed to do without eating up IT staff’s precious time. Overall we were very pleased with the product and look forward to what future developments are in store at Insightix. For the super price-conscious, they have a Lite version of the product that installs on a Windows server that’s worth looking at.
