Active device polling jobs
Active polling jobs let you conduct a security audit of monitored devices by obtaining accurate and complete information about the devices and their configurations directly from the devices themselves. Active polls are performed by connectors. To conduct active polling of devices, one or more Active poll connectors must be added to the application.
Connectors provide various methods for conducting active polling. The available active polling methods depend on the protocols used and on the commands and functions of these protocols. The application's built-in Active poll connector type contains a set of methods that support active polls over application-layer protocols and common protocols. Kaspersky Industrial CyberSecurity for Networks supports the following active polling methods:
- Polling via ARP (only for computers with kernel version 4.3 or later)
- Polling via CIP™
- Polling via DNP3
- Getting process control settings and tags (only for computers with kernel version 4.3 or later)
- Polling via IEC 61850: MMS
- Polling via Modbus TCP
- Polling via BECKHOFF ADS/AMS over UDP
- Polling via PROFINET DCP (only for computers with kernel version 4.3 or later)
- Polling via Siemens S7comm over Industrial Ethernet
- Polling via Siemens S7comm over TCP
- Receiving a Schneider Electric Modicon M580/M340 advanced configuration
- Getting Siemens SIMATIC S7-300/S7-400 extended configuration
- Polling via SMB
- Polling via SNMP
- Polling via SSH
- Polling via WinRM HTTP
- Polling via WinRM HTTPS
- Polling via WMI
- Risk analysis on Cisco devices via SSH
- Risk analysis on Linux devices via SSH
The methods are distinguished by the specific device information that they obtain. You can select the relevant information you need and the methods you want to use when configuring the active polling settings.
Some methods use secrets to connect to devices. Device connections are made using credentials from secrets added to the application.
When using these methods, the application can automatically update the following device information based on the active polling results:
- Name used to represent a device in the application.
- Name used to represent the device in the network (network name).
- Name of the device hardware vendor.
- Device model name.
- Device hardware version number.
- Name of the device software vendor.
- Device software name.
- Device software version number.
- Address information for network interfaces of the device.
- Name of the operating system installed on the device (only for devices running Windows and Linux operating systems).
- Configuration of Process Control settings and tags.
- Advanced configuration for industrial devices.
The list of operating systems supported by the application for active polling of devices is provided in the Appendix.
The application does not update data for which the automatic update function was disabled using the Auto update toggle button when the device was added or when device information was edited. The application also evaluates the authenticity of received device information and in some cases may reject unreliable updates of previously received information.
Some active polling methods support the capability to detect risks and to make changes to the topology map based on obtained device information.
You can manually run security audit jobs or configure a schedule to automatically run each job. Only users with the Administrator role can run active device polling jobs.
When using active polling functionality, take into account the following special considerations and limitations:
- This functionality is available after a license key is added.
- Application modules of the connectors used to conduct active polling of devices must have network access to the devices so that they can send requests to the devices and receive data from them. If application modules are running on a node that has application components installed, this computer must have a network interface connected to the network of these devices to ensure network access to them. Network interfaces of monitoring points cannot be used for this purpose if these network interfaces receive mirrored industrial network traffic (for example, from SPAN ports of network switches).
- Active polling may cause unforeseen issues with devices because devices may incorrectly interpret the incoming active polling commands. These issues may be caused by an inappropriate or highly specialized configuration of devices. Issues may also arise due to latent errors in the network configuration that are not apparent during normal interactions between the devices. Consequently, active polling poses the following risks of potential impact on devices:
  - Device shutdown
  - Loss of connectivity with the device
  - Impaired performance of the device
  - Other potential malfunctions in the network and equipment