If you choose not to configure asset discovery in a custom scan template, the scan will begin with service discovery.

Determining if target assets are live

Determining whether target assets are live can be useful in environments that contain large numbers of assets, which can be difficult to keep track of. Filtering out dead assets from the scan job helps reduce scan time and resource consumption.

Three methods are available to contact assets:
ICMP echo requests (also known as “pings”).

The potential downside is that firewalls or other protective devices may block discovery connection requests, causing target assets to appear dead even if they are live. If a firewall is on the network, it may block the requests, either because it is configured to block network access for any packets that meet certain criteria, or because it regards any scan as a potential attack. In either case, the application reports the asset to be DEAD in the scan log. This can reduce the overall accuracy of your scans. Be mindful of where you deploy Scan Engines and how Scan Engines interact with firewalls. See Make your environment “scan-friendly”.

Using more than one discovery method promotes more accurate results. If the application cannot verify that an asset is live with one method, it will revert to another.

The Web audit and Internet DMZ audit templates do not include any of these discovery methods. Peripheral networks usually have very aggressive firewall rules in place, which blunts the effectiveness of asset discovery. So for these types of scans, it’s more efficient to have the application “assume” that a target asset is live and proceed to the next phase of a scan, service discovery. This method costs time, because the application checks ports on all target assets, whether or not they are live. The benefit is accuracy, since it is checking all possible targets.

By default, the Scan Engine uses ARP and ICMP requests, also known as pings, to seek out an asset during device discovery. There are a couple of drawbacks of this approach. A firewall may discard the pings, either because it is configured to block network access for any packets that meet certain criteria, or because it regards any scan as a potential attack. In either case, the application infers that the device is not present, and reports it as DEAD in the scan log. On the other hand, a firewall may be configured to send proxy ARP responses, which could result in non-existent assets appearing to be alive.

Selecting both TCP and UDP for device discovery causes the application to send out more packets than with one protocol, which uses up more network bandwidth.

You can select TCP and/or UDP as additional or alternate options for locating live hosts. With these protocols, the application attempts to verify the presence of assets online by opening connections. Firewalls are often configured to allow traffic on port 80, since it is the default HTTP port, which supports Web services. If nothing is registered on port 80, the target asset will send a “port closed” response, or no response, to the Scan Engine. This at least establishes that the asset is online and that port scans can occur. In this case, the application reports the asset to be ALIVE in scan logs.

If you select TCP or UDP for device discovery, make sure to designate ports in addition to 80, depending on the services and operating systems running on the target assets. You can view TCP and UDP port settings on default scan templates, such as Discovery scan and Discovery scan (aggressive) to get an idea of commonly used port numbers.

TCP is more reliable than UDP for obtaining responses from target assets. It is also used by more services than UDP. You may wish to use UDP as a supplemental protocol, as target devices are also more likely to block the more common TCP and ICMP packets.

On the point of using TCP packets for device discovery, you must remember that the Scan Engine considers any response from a device as a proof of its liveness. This may cause non-existent targets to appear in scan results due to an intermediate device (e.g. firewall, router, etc.) sending TCP reset responses to the Scan Engine. If this problem exists in your environment, you can choose the option to not treat TCP reset responses as live assets. The risk of selecting this option is that you may miss devices that have been configured to provide only reset responses.

If a scan target is listed as a host name in the site configuration, the application attempts DNS resolution. If the host name does not resolve, it is considered UNRESOLVED, which, for the purposes of scanning, is the equivalent of DEAD.

UDP is a less reliable protocol for asset discovery since it doesn’t incorporate TCP’s handshake method for guaranteeing data integrity and ordering.
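
The liveness rules described on this page (any response counts as live, fallback between discovery methods, unresolved host names, and the option to not treat TCP resets as live) can be modelled in a few lines. This is an added illustration, not the application's own code; the class, function, and target names are hypothetical and the observations are constructed.

```python
from dataclasses import dataclass, field

NO_RESPONSE, RST = "none", "rst"   # any other value is a positive reply

@dataclass
class Target:
    name: str
    resolves: bool = True                          # False: host name with no DNS answer
    responses: dict = field(default_factory=dict)  # discovery method -> observed reply

def classify(target, methods=("icmp", "tcp", "udp"), rst_is_live=True):
    """Return ALIVE, DEAD or UNRESOLVED for one target."""
    if not target.resolves:
        return "UNRESOLVED"                        # scanned as if DEAD
    for method in methods:                         # next method is tried on failure
        reply = target.responses.get(method, NO_RESPONSE)
        if reply == NO_RESPONSE:
            continue
        if reply == RST and not rst_is_live:
            continue                               # option: ignore TCP resets
        return "ALIVE"                             # any other response proves liveness
    return "DEAD"

def live_set(targets, **options):
    """Sorted names of the targets reported ALIVE under the given options."""
    return sorted(t.name for t in targets if classify(t, **options) == "ALIVE")

# Constructed observations, not output from a real scan.
TARGETS = [
    Target("web01", responses={"tcp": "syn-ack"}),       # pings dropped, port 80 open
    Target("hvac-ctl", responses={"tcp": RST}),          # real device, reset-only
    Target("10.0.9.77", responses={"tcp": RST}),         # no such host; firewall resets
    Target("db01"),                                      # live, but firewall drops all
    Target("old-app.example.internal", resolves=False),  # DNS lookup fails
]

def reset_option_cost(targets):
    """Names that stop being reported ALIVE once resets are ignored."""
    before = set(live_set(targets))
    after = set(live_set(targets, rst_is_live=False))
    return sorted(before - after)

if __name__ == "__main__":
    for t in TARGETS:
        print(f"{t.name:28} {classify(t):10} {classify(t, rst_is_live=False)}")
    print("dropped by the reset option:", reset_option_cost(TARGETS))
```

The reset option removes the phantom address and the real reset-only device together, because the two are indistinguishable from the reply alone; confirming such assets needs a second source such as ARP on the local segment or an inventory record.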