Do you know everything that's on your network, 100 percent and for sure? If you don't, how are you going to make sure it is secure - and perhaps more importantly these days, to prove that it is secure, both to your bosses and your industry's regulators?

That's the premise behind the emergence of tools aimed specifically at network discovery. These are not asset management tools - after all, there might be things on the network that aren't yours to manage. Instead, they are aimed at tasks such as leak prevention, rogue detection and preparing for NAC deployment.

Of course, there's lots of network scanners on the market that will ping a range of IP addresses and see what answers. Some use SNMP and other protocols too, or watch for traffic crossing the LAN from cloaked IP addresses, but even that may not be enough for compliance purposes, argues Ofir Arkin, the CTO of Israeli network discovery specialist Insightix.

Active and passive

"Most existing network discovery tools are active," he says. "They are installed at one point on the network and send out packets. The problem is two-fold, first that the major operating systems now ship with personal firewalls and will not be detected. Also, the discovery is not real-time or complete - if I take my laptop home, it won't be picked up - so the most they will get is a snapshot of 60 to 70 percent of the network."

Insightix uses a combination of active and passive detection methods - but not agents - to build a stateful map of the network that shows what's connected at any time and can track changes.

"For example, if an element browses the web, it generates traffic on the network," he explains. "We can detect 99 percent of the elements on the network in real-time, do a network inventory and topology map. One of the coolest things we do is hook up VMware systems to their host machines, without needing agents."

What of the other one percent? Arkin smiles: "There's a saying that one percent is reserved for God - I'd never claim more than 99 percent for anything," he says.

Plugging the leaks

The other big issue for network discovery is locating the connections into and out of the network, adds Luke Brown, the VP Europe at Lumeta, whose IPsonar software works by detecting endpoints.

He says that IPsonar can discover more of a network than an active scanner will, because as well as scanning the address blocks that you tell it to, it also mines the information in your routers.

"Our code came from a Bell Labs/Lucent project to discover how big the Internet was, by detecting every known type of end-point," he explains. "The big thing is mining the router information and using that, and doing it fast, efficiently and graphically.

"We discover the entire address space - you input the known network, but also as many hops as you want beyond that. Typically we find 20 percent more of the client's network than they knew existed. The information can then be fed back into your network management framework.

"Our focus is discovering and understanding the flows on the network - how devices connect to each other. We'll produce network maps with an ongoing risk scorecard, and check for leaks and unauthorised connections. For example, organisations may have ex-partners from years ago that still have connectivity."

As well as enabling your security team to use their existing tools to close those leaks, this sort of information is vital when it comes to mergers, de-mergers and outsourcing projects, Brown says. For instance, it can show what's on a newly acquired network that will need managing, or what's still connected to the old one that shouldn't be.

So at what point should organisations look to implement network discovery, and how much might it cost? By coincidence, both Insightix and Lumeta quote the same starting price for a network discovery deployment, of around $20,000 (£10,000).

Luke Brown adds that Lumeta's actual figure will depend on other factors such as how long you want to run it for, whether you want it as software or a hosted service and how many IP addresses it discovers - he suggests that it "becomes relevant at 25,000 IP addresses, say."

In contrast, Ofir Arkin says his quote is for a software appliance designed to run on a standard x86 server, and licensed to detect up to 1000 devices.

"If I need to detect rogue elements, or unmanaged elements, or elements that don't log onto my domains, I don't know they are there," he says, concluding: "If I need to comply with regulations, or which systems to patch, I need to know who is on my network. Knowledge is power."