In support of ongoing federal cybersecurity and supply-chain risk management initiatives, Forward Networks has developed a streamlined detection workflow for identifying devices manufactured by Huawei, ZTE, TP-Link, or any other vendor of concern that are present within an enterprise or government environment.
This proactive measure aligns with Cybersecurity and Infrastructure Security Agency (CISA) guidance and the Federal Zero Trust Architecture (ZTA) implementation goals outlined in OMB Memorandum M-22-09. This capability helps agencies rapidly locate unapproved or unmanaged devices—enhancing visibility, compliance, and operational integrity across complex network infrastructures.
What’s Going On
Because consumer network devices (routers, access points, and embedded network interface components) are widely deployed in home and small-office settings, they may appear in larger networks without full discovery or oversight. These “commercial off-the-shelf” (COTS) components can bypass standard asset controls, introducing unmanaged exposure or unsupported hardware into production-grade environments.
Forward Networks’ solution helps customers proactively locate these devices, bringing them into scope for network visibility, audit, and Zero Trust Architecture alignment.
Why It Matters
Recent assessments have highlighted increased national security risk associated with certain COTS network devices. This risk is amplified in regulated or high-assurance environments such as federal networks, where supply-chain integrity and hardware provenance are critical.
- Devices may not align with approved vendor baselines or hardened configurations.
- Firmware patching and monitoring may be inconsistent with enterprise-grade standards.
- Unrecognized components may expose management ports, weaken segmentation, or create unmanaged endpoints.
By identifying these assets, network teams can reduce exposure, support compliance with CISA supply-chain risk management guidance, and advance the Zero Trust goals outlined in OMB M-22-09.
How Forward Networks Can Help
The Forward Networks solution uses the Network Query Engine (NQE) to identify devices by analyzing Organizationally Unique Identifiers (OUIs)—the vendor-specific prefixes embedded in every network interface’s MAC address. Each hardware manufacturer registers its OUIs with the IEEE, allowing network teams to determine the vendor associated with any network interface.
NQE Query:
/**
 * @intent List Network Devices and/or Hosts containing hardware from specific OUI vendors registered with IEEE.
 * @description Check everything in the model for OUIs corresponding to specific registered vendor names,
 * according to the IEEE Registry at http://standards-oui.ieee.org/oui/oui.csv.
 */
// modify this list of comma-separated IEEE-registered OUI Vendor Names as desired
OUINames = ["Intelliverese - DBA Voicecom", "UNIGRAND LTD", "Gemtek Technology Co., Ltd."];

foreach device in network.devices
foreach host in device.hosts
where isPresent(host.macAddress)
where ouiAssignee(host.macAddress) in OUINames
select {
  deviceName: device.name,
  locationName: device.locationName,
  addresses: host.addresses,
  macAddress: host.macAddress,
  vendor: ouiAssignee(host.macAddress),
  interfaces: host.interfaces,
  hostType: host.hostType,
  vlans: (foreach vlan in host.vlans select vlan.from),
  gatewayDevice: (foreach int in host.gatewayInterfaces select int.deviceName),
  gatewayInterfaces: (foreach int in host.gatewayInterfaces select int.ifaceName)
}
The script begins by defining a small list of vendor names that hold IEEE-registered OUIs. While some vendors have more than 200 OUI entries in the IEEE registry, the Forward Enterprise data model normalizes these under consistent vendor names—simplifying the detection process significantly.
The NQE logic then:
- Iterates through every network device and host in a Forward Enterprise snapshot.
- Retrieves each MAC address and its corresponding OUI assignee.
- Compares the OUI vendor name to the vendor list defined in the query.
- Returns a structured report containing matching devices, including their hostname, IP address, connected interface, and network location.
This method provides a repeatable, data-driven approach to vendor identification. By leveraging OUIs already collected from MAC tables and ARP caches within Forward Enterprise, organizations can quickly surface unauthorized, unmanaged, or policy-restricted hardware across the entire network—without additional data sources or manual investigation.
Continuous Monitoring
Once validated, the detection query can be added to the Verify library as a recurring check and included in a Scorecard for ongoing visibility. Each new snapshot automatically re-evaluates the network, updating results and ensuring that changes are captured without manual intervention.
This integration transforms what would normally be a one-time audit into a continuous monitoring process. Teams can:
- Track compliance over time, viewing a live count of unmanaged or unapproved devices.
- Receive automated alerts when new hardware appears in protected or restricted network zones.
- Use the query results as Key Performance Indicators (KPIs) for security and compliance dashboards.
- Combine the device check with additional NQE scripts—such as CVE correlation or end-of-life checks—to create a comprehensive supply-chain risk scorecard.
Because Forward Enterprise normalizes network data from multiple sources, these checks operate seamlessly across vendors, domains, and environments. Every snapshot becomes both a historical record and a proactive validation step—helping organizations ensure that only trusted, compliant, and fully supported devices exist within their infrastructure.
Broader Use Cases
Because the detection logic relies on standardized Organizationally Unique Identifiers (OUIs), this same approach can be extended to virtually any vendor, product line, or hardware category. It provides a flexible and scalable foundation for supply-chain visibility and device-inventory assurance across complex networks.
Forward Networks engineers have already expanded this framework to identify:
- Other restricted vendors (such as Huawei or ZTE) in accordance with federal compliance requirements.
- Counterfeit or gray-market network equipment by validating serial numbers against authorized ranges.
- Unsupported or end-of-life hardware, giving IT and security teams a head start on replacement planning.
- Devices with unverified firmware or outdated operating systems requiring additional patch validation.
By adjusting the vendor name list within the NQE query, network teams can tailor these checks to their specific compliance or asset-management policies. This adaptability creates a repeatable method for continuous verification—one that aligns directly with Zero Trust and evolving CISA/OMB directives.
What began as a targeted check for an unapproved device becomes a supply-chain assurance framework that can scale across the entire enterprise.
Next Steps
Try the NQE script included in this post to identify devices of concern. You can copy it, modify the vendor names if needed, and run it in your own Forward Enterprise environment to verify results.
If you have questions or would like guidance on adapting the query for your network, we’re here to help.
- Ask questions in the comments below.
- Reach out to your Forward Networks Customer Success Engineer for assistance.
- Or contact us to speak with a Forward Networks engineer about how to extend this check for other vendors or compliance use cases.