topic Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org in Network Access Control

Cisco ISE 3.0 trying to connect to http://moleman.w3.org

adamscottmaster2013 — Tue, 19 Apr 2022 15:31:44 GMT

For one day last week, my Cisco ISE Primary Admin/MNT attempted to communicate with http://moleman.w3.org and it was blocked by our Internet firewalls, as it should be. However, this triggered security alarms in our environment.

The Cisco ISE 3.0 infrastructure has been up and running for over year now and this is the first time it attempted to communicate with this unknown website. Because I am using Smart Licensing features, the ISE node is only allowed to communicate with https://tools.cisco.com, https://tools1.cisco.com, https://tools2.cisco.com and https://tools3.cisco.com and nothing else.

Is this a bug or just bad coding? Thoughts?

Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org

thomas — Wed, 20 Apr 2022 14:21:14 GMT

There should be no ISE software doing that.

Look in your ISE logs fot that day to see which process tried to connect to that site.

The fact that it happened only for one day reinforces that it probably wasn't ISE doing it systemically but perhaps someone configuring or testing something on ISE. The only places I can think of where ISE fetches a URL is profiling or posture updates if someone was testing those.

Are you the only ISE admin? If not, talk to your team mates and be sure they weren't playing with those features.

Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org

adamscottmaster2013 — Wed, 20 Apr 2022 14:57:47 GMT

1- I don't use profiling or posture features in ISE. I disable those features last year when ISE was put into production,

2- I am the only ISE admin to this device.

Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org

Mark Elsen — Wed, 20 Apr 2022 16:05:17 GMT

- Some advanced tricks as mentioned in this link (an example only) : https://serverfault.com/questions/666482/how-to-find-out-pid-of-the-process-sending-packets-generating-network-traffic , could reveal the process which is using the particular dns resolution or query , the only problem being that ISE shields basic linux administrative access. If security requirements are high , one could restore a previous application backup (e.g.) or re-image, the latter being a measure of last resort.

Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org

hslai — Thu, 21 Apr 2022 03:19:09 GMT

I believe adamscottmaster2013 already working with TAC.

www.w3.org also resolved to the same IP address. FYI.

Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org

adamscottmaster2013 — Thu, 21 Apr 2022 12:55:06 GMT

@hslai: Cisco had the same issue with ISE 1.1 back in 2013. Since you are working for Cisco, you can easily find that ticket.

Re: Cisco ISE 3.0 trying to connect to http://moleman.w3.org

hslai — Mon, 25 Apr 2022 13:57:31 GMT

adamscottmaster2013 Please provide the defect ID if you have it and let the assigned TAC known the earlier ticket. This is the first I heard of this issue.