I am trying to gauge the usefulness of this product; can anyone give me some stories about how it changed their work for the better?
We are running it on a brand new Cisco ACI setup, and here UDT is completely broken.
The rest of our network is also monitored in UDT, but since we don't have L3 devices for these (L3 devices are handled by line providers), here it's also rather useless and only shows MACs.
So all in all, test it out VERY carefully before spending any money on it. We didn't have the new ACI setup before purchase, and since we weren't already paying customers at the time of purchase, SolarWinds did not want to disclose any detailed roadmap on upcoming features (this was back in December when ACI was starting to get mentioned).
So we bought on the premise that they were working on it, but so far it has ended up being a lost investment; hopefully it will work out better in the future.
In the Army, we had a field exercise before going into a sandbox for a year. The Infantry think they are better than all, and decided that the US Gov-only systems policy doesn't get me YouTube, so they connected their systems to the network.
The Information Assurance Manager sent me a daily MAC address report of unauthorized systems on the network: 15 MAC addresses for systems up to 30 minutes away.
All the Help Desk could do was see if the MAC Address was still on the network with a lease. When a system finally responded, we took a drive out to the area.
20 minutes of proceeding to find the switch, then using your finger to follow the links into the building to find some system. The system we originally looked for was gone, but another one was on the network. Took the laptop and sent it to security.
I use this scenario, which played out 14 years ago, to show how all of this could have been done through User Device Tracker without leaving my desk.
System entered the net: User Device Tracker can send a new MAC address alert.
Unauthorized device on the network: add the device to the Watch List through the Web Console or API.
Search for unauthorized systems no longer on the network: see which switch and associated port/VLAN the system was connected to.
When it enters the network again, I will have the current connection automatically, from which I can shut the port down or further track the system.
I now have the system in my possession, along with the logging history of where they were connected (and NetFlow to show what they connected to/from).
In a past life I was a network engineer with a company who had a complete rat's nest in their switch closets, and from time to time a user would call up saying their workstation wouldn't connect anymore. These workstations were hard-wired and didn't move around, so with UDT it tends to be pretty easy: get them to give me their AD info, look them up to see which switch port their account had been associated with, and then spot check whether that interface is currently showing up/down/whatever. If it shows down, I have a pretty good idea what I will be looking for when I get into the closet.
I also had a case where IT loaned out a laptop to someone in marketing for a presentation; when I went to get it back it was, of course, lost. I dug up the MAC address for the laptop's Wi-Fi and set up a watchlist notification for it, so 2 months later, when whoever happened to have that laptop in a cabinet pulled it out to use it again, I saw it come online, along with which WAP and SSID it registered on, and now I knew which offices to go looking in for it.
I found that there was nothing I was doing with UDT that a skilled systems engineer couldn't do by jumping through switches and routers and AD, correlating IPs, MACs, and usernames by hand. But in many orgs the network techs who chase a lot of user problems don't have a lot of access to/experience with AD, or vice versa: the help desk knows desktop stuff but the network is a mystery to them, so tools like this can help to bridge the gaps and make that kind of info easier to find.
Some people also try to use it as a poor man's Network Access Control, but I try to discourage investing too much into that dream, because it is designed with pretty low-frequency polling, so a machine can potentially be on your network for half an hour, sometimes more, before it even shows up in UDT. I view it as a quality-of-life tool, not a true security audit or anything that robust.