Why SimpleIPAM Doesn't Scan Your Network
Every traditional IPAM tool scans your network. We deliberately chose not to. Here's why that decision makes SimpleIPAM faster, more secure, and easier to use.
The Traditional IPAM Approach
Most IPAM tools work by scanning your network infrastructure:
- You provide network device credentials (SNMP, SSH, API keys)
- Agents query devices every few minutes/hours
- Data is aggregated in a central database
- You get a dashboard of current network state
This works, but it comes with significant overhead.
The Hidden Costs of Network Scanning
1. Security Risks
Network scanning requires credentials — lots of them:
- SNMP community strings for every device
- SSH keys or passwords for CLI access
- API tokens for REST-based management
- Service accounts in Active Directory
Now you're managing credential rotation, security reviews, and access controls for a tool that's supposed to simplify your life. When the IPAM tool gets compromised, an attacker has credentials to your entire network.
2. Firewall Configuration
To scan your network, the IPAM tool needs access to it. That means:
- Opening firewall rules for SNMP (UDP 161)
- Allowing SSH access (TCP 22) from the IPAM server
- Permitting HTTPS API calls to management interfaces
- Maintaining these rules across firewall upgrades and reconfigurations
Every firewall rule is a potential attack vector. Every management interface exposed is a risk.
3. Performance Impact
Network scanning isn't free:
- SNMP polling adds load to device CPUs
- SSH sessions consume memory
- API queries impact management plane performance
- Large networks can take 30-60 minutes to scan completely
We've seen cases where aggressive IPAM scanning caused management interface slowdowns during critical troubleshooting.
4. Compliance Headaches
Regulatory frameworks (PCI DSS, HIPAA, SOC 2) have specific requirements around:
- Credential management and rotation
- Network access logging
- Third-party tool security reviews
- Data retention and privacy
Scanning-based IPAM tools trigger all of these requirements. Your compliance team will want documentation, audits, and assurances before approval.
The Config-Based Alternative
SimpleIPAM sidesteps all of these problems by using a fundamentally different data source: your firewall configuration files.
Security Benefits
- Zero network access: We never connect to your network. No credentials to store, rotate, or leak.
- You control the data: Redact sensitive information before upload. Remove comments, hostnames, or anything you don't want to share.
- No persistent storage (in preview): Configs are parsed and discarded. Nothing is retained on our servers.
- Audit-friendly: Easy to demonstrate to auditors — just show them the config you uploaded (or didn't).
Speed Benefits
- Results in seconds: Parsing a 50,000-line FortiGate config takes 3-5 seconds. No waiting for scan cycles.
- No device impact: Zero load on your production infrastructure.
- Instant updates: Made a config change? Upload the new config and see updated results immediately.
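To make the config-based approach concrete, here is an added example (not SimpleIPAM's code, and not taken from any real device) that shows both halves of the workflow described above: the redaction you would do before upload, and the kind of parse that turns a FortiGate-style config into subnet records in seconds. The sample config is constructed; the section names, object names and addresses in it are illustrative. The parser walks the config/edit/next/end nesting once, turns every "set ip" and "set subnet" into a normalised network, and runs a basic overlap check on the result. The redaction step strips comment lines and blanks hostnames and aliases, and the test at the end confirms that the redacted file still yields exactly the same subnets, which is the property you want before sending a config to anyone.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in FortiGate CLI style; not taken from any real device.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-hq-01"
end
config system interface
    edit "port1"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
        set alias "LAN"
    next
    edit "port2"
        set ip 10.0.0.1 255.255.255.252
    next
end
config firewall address
    edit "srv-web"
        set subnet 10.10.20.0 255.255.255.0
        set comment "web tier, owner alice@example.com"
    next
    edit "vpn-peer"
        set type iprange
        set start-ip 172.16.5.10
        set end-ip 172.16.5.20
    next
    edit "host-db01"
        set subnet 10.10.30.15 255.255.255.255
    next
    edit "dmz-all"
        set subnet 10.10.0.0 255.255.0.0
    next
end
"""

@dataclass(frozen=True)
class Subnet:
    section: str                    # innermost "config ..." block, e.g. "firewall address"
    name: str                       # object name from the enclosing "edit" line
    network: ipaddress.IPv4Network  # address plus mask, normalised to its network

_CONFIG = re.compile(r'^config\s+(.+)$')
_EDIT = re.compile(r'^edit\s+"?([^"]+)"?$')
_ADDR = re.compile(r'^set\s+(?:ip|subnet)\s+(\S+)\s+(\S+)$')   # "set ip A M" / "set subnet A M"

def extract_subnets(text):
    """Walk the config once, tracking config/edit nesting, and return every address as a Subnet."""
    sections = []           # stack of open "config" blocks
    current = None          # name from the open "edit" stanza, if any
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _CONFIG.match(line):
            sections.append(m.group(1))
        elif line == "end":
            if sections:
                sections.pop()
        elif m := _EDIT.match(line):
            current = m.group(1)
        elif line == "next":
            current = None
        elif (m := _ADDR.match(line)) and sections:
            addr, mask = m.groups()
            try:
                net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue    # malformed address: skip the line, keep parsing the rest
            found.append(Subnet(sections[-1], current or "", net))
    return found

def find_overlaps(subnets):
    """Pairs of object names whose networks overlap, in config order; a basic IPAM sanity check."""
    return [(a.name, b.name)
            for i, a in enumerate(subnets)
            for b in subnets[i + 1:]
            if a.network.overlaps(b.network)]

_DROP = re.compile(r'^\s*set\s+(?:comment|comments|description)\s')
_NAMES = re.compile(r'^(\s*set\s+(?:hostname|alias)\s+).*$')

def redact(text):
    """Strip comment lines and blank hostnames/aliases; the address data the parser needs survives."""
    kept = []
    for raw in text.splitlines():
        if _DROP.match(raw):
            continue
        kept.append(_NAMES.sub(r'\1"REDACTED"', raw))
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for s in extract_subnets(SAMPLE_CONFIG):
        print(f"{s.section:18} {s.name:10} {s.network}")
    print("overlaps:", find_overlaps(extract_subnets(SAMPLE_CONFIG)))
```

Note that the iprange object ("vpn-peer") is deliberately left out: it carries no "set subnet" line, so a parser that only understands address/mask pairs should skip it rather than guess. Extend the regex set per object type you actually use before relying on the output.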
Compliance Benefits
- No credential management: Eliminates an entire category of compliance requirements.
- No network access logging: The tool never touches your network.
- Minimal security review: Upload a config, get results. No agents, no scanning, no persistent connections.
What You Give Up
Config-based IPAM isn't perfect. Here's what you lose compared to scanning:
- Real-time DHCP utilization: We can't tell you how many addresses are currently leased from your DHCP pools.
- Rogue device detection: We won't find devices that shouldn't be on your network.
- Automatic updates: You need to re-upload configs to see changes. No continuous monitoring.
- Layer 2 visibility: We don't see MAC addresses, switch ports, or ARP tables.
For many teams, these tradeoffs are worth it. If your primary pain point is "I don't know what's in my firewall config," SimpleIPAM solves that instantly. If you need real-time DHCP monitoring, you probably still need a traditional IPAM tool.
Future: API-Based Integration (Not Scanning)
We're planning to support API-based cloud integrations for AWS, Azure, and Google Cloud VPC data. You provide credentials, we fetch metadata about your cloud subnets.
Key difference: This is read-only API access to cloud metadata, not network scanning. You're in control of what we can access via IAM policies.
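The page does not publish the IAM policy SimpleIPAM will ask for, so the following is an added example of what "read-only API access to cloud metadata" looks like on the AWS side, written from the customer's point of view rather than as the project's own code. It assumes the usual SaaS pattern of a cross-account role rather than shared access keys; the action list (ec2:DescribeVpcs, ec2:DescribeSubnets, ec2:DescribeRouteTables) is a hypothetical minimum for enumerating VPC subnets, and the account id and external id are placeholders. The third function is the check a practitioner would run over any vendor-supplied policy before attaching it: it flags every allowed action that is a wildcard or whose verb is not a Describe/Get/List read.

```python
import json

# Hypothetical action list: the EC2 read calls an IPAM integration would need to
# enumerate VPCs and subnets. These are real AWS action names, but the page does not
# say which ones SimpleIPAM will request, so treat the list as an illustration.
VPC_METADATA_READ_ACTIONS = ("ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeRouteTables")

READ_ONLY_VERBS = ("Describe", "Get", "List")

def build_readonly_policy(actions=VPC_METADATA_READ_ACTIONS):
    """Identity policy for the vendor role: named read actions only, nothing that mutates."""
    # ec2:Describe* calls do not support resource-level permissions, so Resource must be "*";
    # the restriction comes from naming individual actions rather than granting "ec2:*".
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "IpamVpcMetadataReadOnly",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": "*",
        }],
    }

def build_trust_policy(vendor_account_id, external_id):
    """Trust policy letting one external AWS account assume the role, guarded by an ExternalId."""
    # ExternalId is the standard confused-deputy mitigation for third-party cross-account access.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def non_readonly_actions(policy):
    """Every allowed action that is a wildcard or whose verb is not Describe/Get/List.
    Run this over any policy a vendor hands you before attaching it to a role."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            _service, _, verb = action.partition(":")
            if "*" in action or not verb.startswith(READ_ONLY_VERBS):
                flagged.append(action)
    return flagged

if __name__ == "__main__":
    policy = build_readonly_policy()
    print(json.dumps(policy, indent=2))
    print("non-read-only actions:", non_readonly_actions(policy))
    # Placeholder account id and external id; substitute the vendor's values.
    print(json.dumps(build_trust_policy("123456789012", "EXAMPLE-EXTERNAL-ID"), indent=2))
```

The check is intentionally conservative: it flags "ec2:Describe*" as well as "ec2:*", because a wildcard grants whatever read actions AWS adds later, and the point of a metadata-only integration is that the grant stays enumerable.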
Try It Yourself
The best way to understand the difference is to experience it: no registration required, no credentials to provide. Just upload and see what we extract.
Tagged: security, architecture, compliance