DeepSurface needs to understand which subnets can talk with one another. The Network Connectivity Probe determines this and models communications at a subnet-to-subnet level.
Connectivity scanning consists of:
A Network Connectivity probe takes information from a credentialed scan and tries to determine whether any firewalls or other blocks prevent one machine from connecting to another. It does not do this by blindly port-scanning every machine on every port (which would take a very long time and consume a lot of resources); instead it uses a sampling scheme to locate the points where communications from one machine to another might be blocked.
Remember that a block is usually a good thing for security. Network administrators often deliberately isolate one area of the network from another. Whether that isolation exists for privacy or other business reasons, it also means a blocked-off area of your network is much less likely to be reached by an exploit launched from another area of your site.
Connectivity information is gathered through a combination of:
In the Connectivity Settings area of the screen in the top left, you can configure the following settings:
Let's briefly cover each of those items.
Number of port scan workers - This is the maximum number of hosts to use in parallel as port scan clients. These clients are the machines running port scans to see which connections are possible. Experienced system administrators know this activity can set off security software.
Time pause between port scans (seconds) - This is the amount of time each port scan client pauses between consecutive port scans. When security software (such as desktop firewalls and intrusion prevention systems) sees an internal host conducting port scans, it may raise alerts or even block that host. Obviously, that's bad. Increasing the pause value helps the connectivity scanning process avoid triggering this type of detection.
Scanned service timeout (ms) - If a scanned port does not respond within this amount of time, the port scanner gives up and considers the service unavailable (either because it is filtered by a firewall or is otherwise non-routable).
Maximum ports per client scanner - The maximum number of ports to scan from any given client host in a single connectivity scan. This is another way of ensuring the probes do not run for an unacceptable amount of time.
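To show how the four settings above interact, here is a small planner, written as an added example for this page and not DeepSurface's own code. It assumes a constructed list of client hosts and a constructed list of (target, port) checks, applies the worker and per-client caps, defers whatever does not fit into this probe, and computes the worst-case wall time of the probe (every check timing out, plus the pause after each one). Names such as ConnectivitySettings and plan_probe are this example's own.

```python
from dataclasses import dataclass
from math import ceil

@dataclass(frozen=True)
class ConnectivitySettings:
    """Mirrors the four settings described on this page (field names assumed)."""
    port_scan_workers: int          # max client hosts scanning in parallel
    pause_between_scans_s: float    # pause each client takes between scans
    service_timeout_ms: int         # give up on a port after this long
    max_ports_per_client: int       # cap on ports one client scans per probe

def plan_probe(settings, client_hosts, checks):
    """Assign (target, port) checks to client hosts within the configured caps.

    Returns (assignments, deferred, worst_case_seconds) where assignments maps
    each used client host to its list of checks, deferred is the list of checks
    that must wait for a later probe, and worst_case_seconds assumes every
    assigned check times out and is followed by the configured pause.
    """
    if settings.port_scan_workers < 1 or settings.max_ports_per_client < 1:
        raise ValueError("workers and max ports per client must be >= 1")
    clients = list(client_hosts)[:settings.port_scan_workers]
    if not clients:
        raise ValueError("no client hosts available")
    capacity = len(clients) * settings.max_ports_per_client
    fits, deferred = list(checks)[:capacity], list(checks)[capacity:]
    # Round-robin so each client gets at most max_ports_per_client checks.
    assignments = {c: [] for c in clients}
    for i, check in enumerate(fits):
        assignments[clients[i % len(clients)]].append(check)
    assignments = {c: lst for c, lst in assignments.items() if lst}
    per_check_s = settings.service_timeout_ms / 1000 + settings.pause_between_scans_s
    longest_batch = max((len(lst) for lst in assignments.values()), default=0)
    return assignments, deferred, longest_batch * per_check_s

def probes_needed(settings, client_count, check_count):
    """How many consecutive probes are needed to cover all checks."""
    used_clients = min(client_count, settings.port_scan_workers)
    return ceil(check_count / (used_clients * settings.max_ports_per_client))
```

Raising the pause or the timeout lengthens each probe linearly, while lowering the worker count or the per-client cap pushes checks into later probes instead; the planner makes that trade-off visible before anything is scanned.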
The right-hand side shows all subnets included in the network connectivity probe. The left-hand side shows addresses that are excluded. Select any subnets you would like included in probes and add them to the included list. It is recommended that your first job include only a few subnets so you can observe whether any security software gets triggered.
Internal networks often have a large number of subnets that can communicate with one another without any significant restrictions. We refer to these as cliques. When you create a subnet clique, you are telling DeepSurface that all the members of each subnet in the clique can communicate with all the members of the other subnets in the clique with no significant firewalls or other blocks in the way. See below for an illustration.
The subnet clique section of this page is at the bottom. This is where subnets discovered by the Network Connectivity scan may be grouped together as cliques. Once subnets are in a clique, future network connectivity probes need not check for firewalls or other blocks between them.
Note: If you later add a firewall between subnets that are in a clique, the reported attack paths will include some paths that are no longer actually traversable. If you discover this, edit your cliques or launch a new, full connectivity probe.
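The following model, added here as an example and not DeepSurface's own code, makes the clique semantics above concrete: subnets joined into a clique are treated as mutually reachable and are skipped by the probe planner, pairs across cliques keep whatever the last probe observed, and a later observation that contradicts a clique is flagged so the clique can be edited. The subnet addresses, class and method names are all constructed for this example.

```python
from ipaddress import ip_network, ip_address
from itertools import combinations

class ConnectivityModel:
    """Subnet-to-subnet connectivity with cliques (constructed example).

    Cliques are kept as a union-find structure over subnets. A pair inside one
    clique is assumed reachable without probing; any other pair is reachable
    only if a probe observed it so.
    """

    def __init__(self, subnets):
        self.subnets = [ip_network(s) for s in subnets]
        self._parent = {n: n for n in self.subnets}   # each subnet its own clique
        self._observed = {}                            # frozenset({a, b}) -> bool

    def _find(self, net):
        while self._parent[net] != net:
            self._parent[net] = self._parent[self._parent[net]]  # path halving
            net = self._parent[net]
        return net

    def add_clique(self, members):
        """Declare that every member subnet can reach every other member."""
        nets = [ip_network(m) for m in members]
        for net in nets:
            if net not in self._parent:
                raise ValueError(f"unknown subnet {net}")
        root = self._find(nets[0])
        for net in nets[1:]:
            self._parent[self._find(net)] = root

    def same_clique(self, a, b):
        return self._find(ip_network(a)) == self._find(ip_network(b))

    def record_observation(self, a, b, reachable):
        """Store a probe result between two subnets (True = open, False = blocked)."""
        self._observed[frozenset((ip_network(a), ip_network(b)))] = reachable

    def pairs_to_probe(self):
        """Unordered subnet pairs a future probe still has to test."""
        return [(a, b) for a, b in combinations(self.subnets, 2)
                if self._find(a) != self._find(b)]

    def subnet_of(self, host):
        addr = ip_address(host)
        for net in self.subnets:
            if addr in net:
                return net
        raise ValueError(f"{host} is not in any known subnet")

    def can_reach(self, src_host, dst_host):
        """True/False when known; None when the pair has never been probed."""
        a, b = self.subnet_of(src_host), self.subnet_of(dst_host)
        if a == b or self.same_clique(a, b):
            return True
        return self._observed.get(frozenset((a, b)))

    def stale_cliques(self):
        """Clique-internal pairs that a later probe reported as blocked."""
        return [tuple(pair) for pair, ok in self._observed.items()
                if not ok and len({self._find(n) for n in pair}) == 1]
```

A report from stale_cliques() is the signal the note above describes: the clique no longer matches the network, and either the clique must be edited or a full probe run so the attack-path model stops assuming reachability that a firewall now prevents.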
To add a subnet clique, click the big '+ Connectivity Clique' button. You will see a form that looks like the following.
On the left, you will see all the subnets discovered by the Network Connectivity probe. Now do the following in the pop-up form.
A Final Note: There are two ways to tell the Network Connectivity Probe, "you don't need to scan here".