3 Questions: On the subject of discovery

Discovery is more than just scanning your network and matching a virus profile. Here are some of the things you should be looking to do with discovery.

With Tom Geairn, principal of NewView Consulting LLC in Porter, Ind., concerning elements enterprises should consider including in a patch management strategy.

This interview originally appeared in the IT Business Edge weekly report on Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit

By Terry Sweeney

Question: One of the first elements of patching is discovery, which is more than just scanning your network and matching a virus profile. What sorts of things should enterprises be looking to do with discovery?

Geairn:Discovery is a many-headed beast. As soon as you tame one area, another head grows in its place. First, there is machine discovery. Most vendors start with the Domain Browse List. The browser list is unreliable as it is at the mercy of subnet problems, the presence or absence of WINS, correct client configuration, multi-homed host problems, and it only reports currently (or recently) connected computers. One step up from this is the ability to periodically check the browse list for new computer listings, such as a recently connected notebook computer. A better approach would include the ability to search subnets (specified by an admin/installer) for computers and to periodically recheck those subnets.

Question:Then there's also vulnerability discovery and configuration discovery. How do they work?

Geairn:Vulnerability discovery tools use an XML configuration file to map patches to products and determine what is and isn't applied. They then apply the missing pieces. So the product might look at a computer and say: "If the version of file X is greater than or equal to 6.0.203 and the OS version is 5.1.2600, then patch 03-999 has been applied." If the test fails, and the enterprise policy calls for that patch to be present, then the patch gets applied. With configuration discovery, if the corporate policy is that only TCP/IP is allowed as a client protocol, the product should have some way of discovering that a user has also enabled NetBEUI or AppleTalk or whatever. This type of configuration discovery is going to require a client agent of some kind to read and report on what it finds, as well as a mechanism to enforce policy.

Question:Once all the discovery processes are complete, IT then turns to removal, whether it's an infected computer, a faulty process, or a problematic patch. How automated a process has removal become after the last six months of patching hell?

Geairn:Automatically removing a computer from the network at the first sign of trouble is a feature I have not found in any of the available management suites. What I would love to see would be the use of the quarantine to hold computers until the apparent problem has been fixed. If my management server or IDS or firewall sees a client suddenly performing port scans, opening network shares against dozens of computers, or sending e-mails at some improbable rate, the privilege of being on my network should be immediately revoked.

Editor's Picks