NICE: Network Introspection by Collaborating Endpoints

NICE, or Network Introspection by Collaborating Endpoints, is a research project that explores novel approaches to network discovery and topology mapping in enterprise networks. The goal of NICE is to develop and demonstrate a capability for mapping networks without relying on traditional network management tools and protocols (such as SNMP), which presume some knowledge of the network topology a priori and require administrative credentials to managed network devices in order to collect their data. NICE targets the security administrator - who does not have either the knowledge or authority to manage the network infrastructure - as opposed to the network administrator. The security administrator does have authority to manage client security software on every managed endpoint. By leveraging this presence on the endpoints, NICE attempts to extract the security-relevant network information that the security administrator needs in order to prevent, ameliorate, and respond to security incidents. The NICE project consists of research and development in multiple areas. NICE uses low-level network switch properties to locate and map all the switches on a subnet and then associate rogue systems with specific physical switches. NICE also captures a wealth of information about rogue systems, authorized systems/devices, and topology simply by listening to broadcast traffic. Lastly, NICE explores techniques for having pairs of endpoints talk across the network to infer the presence of intermediate devices and processing. We have produced a NICE integrated system prototype addressing these research areas and conducted some experimentation to evaluate the effectiveness and scalability of the approach.