Continuous Scan Intrusion Detection
Continuous Scan is an intrusion detection feature that uses one or more LANsurveyor maps as the baseline network environment. When Continuous Scan is active, LANsurveyor scans the appropriate network ranges and looks for nodes that appear on the network. In a managed switch environment, you can disable network access for rogue nodes directly from the Threat List or automatically disable network access for all rogue nodes.
Continuous Scan can be set to scan either all open maps or only the maps you specify. Use the AutoOpen option under Tools>Options to specify which maps to use.
Continuous Scan is a great way to meet regulatory requirements: Continuous Scan monitors your network for new nodes, checks new nodes for compliance as they connect to the network, and keeps a log of all nodes as they connect to and disconnect from the network.
Select Continuous Scan from the Window menu to view the Continuous Scan window. Click on the Start button to start scanning and click on the Stop button to stop scanning.
Note: We recommend you run Continuous Scan for at least several days before automatically disabling network ports. As Continuous Scan runs, LANsurveyor is able to aggregate more information, provide more comprehensive network diagrams, and significantly reduce the number of false positives.
When a new node is detected on the network, LANsurveyor adds the node to the Threat List.
The Threat List includes information about when the node was detected, the node name, IP address, Ethernet (MAC) address, the hub or switch the node is connected to, the port number used for the connection if connected to an SNMP-enabled device, and the status of any authentication methods you have configured.
LANsurveyor attempts to authenticate the node using an SNMP community string, the Responder client password, or a third-party product such as Microsoft Baseline Security Analyzer (MBSA). If the node is authenticated, the Threat List is updated to reflect the type of authentication. LANsurveyor Alerts can be set based on whether a node is authenticated or unauthenticated. To configure authentication methods, select Options from the Monitor>Continuous Scan menu and select the IP Node Response Options tab.
If you detect a rogue node, you can disable network access for the node by clicking on the node in the Threat List and clicking the Disable button. If you determine a disabled node should be enabled, click on the Enable button. You can automatically disable network access for all rogue nodes from the Response Options tab on the Continuous Scan Options dialog. Only nodes connected to a switch port can be disabled or enabled.
You can also disable or enable ports directly from the map.
Note: Port enable/disable requires a "managed" or SNMP-enabled switch with the correct read/write community string.
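The baseline comparison described above can be modeled in a few lines. The following is an added example, not LANsurveyor code: it diffs constructed scan snapshots against a baseline set of MAC addresses, builds a Threat List and a connect/disconnect log, and selects ports for automatic disabling. The function names, the 3-day learning period, and treating "rogue" as "on the Threat List and unauthenticated" are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LEARNING_PERIOD = timedelta(days=3)  # assumed value for "at least several days"

@dataclass
class Threat:  # fields mirror the Threat List columns described above
    detected: datetime
    name: str
    ip: str
    mac: str
    switch: Optional[str]  # None when not seen behind an SNMP-enabled device
    port: Optional[int]
    auth: Optional[str]    # "SNMP", "Responder", "MBSA" or None (unauthenticated)

def continuous_scan(baseline, scans, started, auto_disable=False):
    """baseline: MACs on the map; scans: [(time, [node dict, ...]), ...]."""
    baseline = {m.lower() for m in baseline}
    threats, log, to_disable, present = {}, [], [], set()
    for when, nodes in scans:
        seen = {n["mac"].lower(): n for n in nodes}
        # Connect/disconnect log covers every node, baseline or not.
        log += [(when, "connect", m) for m in sorted(seen.keys() - present)]
        log += [(when, "disconnect", m) for m in sorted(present - seen.keys())]
        present = set(seen)
        for mac, n in seen.items():
            if mac in baseline:
                continue
            t = threats.setdefault(mac, Threat(
                when, n["name"], n["ip"], mac,
                n.get("switch"), n.get("port"), n.get("auth")))
            # Assumption: only unauthenticated nodes on a known switch port are
            # disabled, and only after the learning period has passed.
            if (auto_disable and when - started >= LEARNING_PERIOD
                    and t.auth is None and t.port is not None
                    and (t.switch, t.port) not in to_disable):
                to_disable.append((t.switch, t.port))
    return threats, log, to_disable

def demo():  # constructed sample data, not real scan output
    t0 = datetime(2024, 1, 1, 9, 0)
    srv = {"name": "srv1", "ip": "10.0.0.5", "mac": "00:11:22:33:44:01"}
    prn = {"name": "prn1", "ip": "10.0.0.9", "mac": "00:11:22:33:44:02",
           "switch": "sw1", "port": 3, "auth": "SNMP"}
    lap = {"name": "lap7", "ip": "10.0.0.77", "mac": "00:11:22:33:44:03",
           "switch": "sw1", "port": 12}
    scans = [(t0, [srv, prn]), (t0 + timedelta(days=4), [prn, lap])]
    return continuous_scan({srv["mac"]}, scans, t0, auto_disable=True)
```

In the sample, the authenticated printer lands on the Threat List but is never selected for disabling, while the unauthenticated laptop first seen on day 4 is.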