Anomalous Behavior Question

scamarda
Cisco Employee

I have a customer that is using a static IP for his Dell printer and exchanges it with a statically addressed laptop. When the printer first connects to the network it is profiled correctly by NMAP. When he replaces it with the statically addressed laptop, the AB does not fire. NMAP also does not kick off on this second connection.

Reading the profiling design guide, it looks like I may get NMAP to fire a subsequent time if I add NMAP to the conditions of the Dell Printer profile template. At that point the host should be reclassified and AB will kick in.

Is this correct? I do realize this has the potential to increase ISE load, as it will be doing more scanning.

Is there another way to have AB fire when using a static IP address?

1 Accepted Solution


Anomaly Behavior Detection is not well-suited for static IP assignment today, since few attributes are continuously emitted by the endpoint. DHCP is one that will allow ISE to capture new info on each connection. SNMP Query can also be triggered periodically, but CDP/LLDP attributes are not normally something a spoofing PC will generate. NMAP is only queried initially, upon a more specific trigger, or manually.

The real solution here is to make the Dell printer authenticate to the network. It would also be preferable to use DHCP for the printer, even static DHCP (reservations). This provides the control of a fixed IP but the ability to support moves/adds/changes without visiting the device. And, of course, it provides greater visibility for profiling and ABD.


5 Replies

hslai
Cisco Employee

ISE profiling does not work this way. The scan action is triggered only when the endpoint is first classified to the profiler policy.

Craig's response in Re: ISE Profiling Logic - Need confirmation gave some details on how it works.

Thanks for the replies. I'll revisit with the customer. The big concern was: yes, the printer can use DHCP, but if the attacker is smart enough to spoof the printer's MAC address, then they would be smart enough to spoof the printer's IP as well. That would lead to DHCP not being updated.

Thanks again.

First, it is important to level-set with customers that Profiling is NOT authenticated identity.

Spoofing endpoint attributes is primarily a matter of determination. I can spoof MAC, IP, DHCP, CDP, LLDP, SNMP, and even responses to port scans. There needs to be a balance between the controls implemented and the risk.

If trying to thwart a curious or even somewhat malicious user, then basic controls may be sufficient. To truly detect a savvy attacker, there needs to be a layered approach including port security (to enforce DHCP clients and ARP inspection and prevent rogue DHCP), NAC, and upwards to network traffic analysis (for example, StealthWatch to check for anomalous activity), IDS/IPS, DNS inspection, firewalls to block backdoor channels, etc.

Another basic rule is to always implement a policy of least privilege. For example, if classified as a Phone, then only permit phone things. This may be a narrow policy based on well-known phone protocols such as SIP, but may expand into other applications due to the advanced integration with IP Telephony systems, including video and collaboration apps. It should still be reasonable to lock down phones and printers to NOT have access to critical portions of the data center, or blind internet access. The point here is that if a determined attacker does successfully spoof an IoT endpoint, then don't offer them free access to the crown jewels!

And when the customer again returns to the question of the best way to prevent MAC spoofing, you can promptly return to Item #1: Authentication! Yes, there is a proven solution, but everyone is looking for an easy button via non-deterministic technologies.

$.02, Craig
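To make the layered controls in Craig's reply and the accepted solution's "make the printer authenticate, and prefer a DHCP reservation" concrete, here is a Catalyst IOS access-layer configuration for the static-IP printer case discussed in this thread. It is an added example written for this page, not configuration posted by anyone in the thread or taken from Cisco documentation. Every value in it is assumed: VLAN 10, the printer at 10.10.10.50 with MAC 0011.2233.4455 on Gi1/0/5, the uplink on Gi1/0/48, a DNS/NTP server at 10.10.1.10, a mail relay at 10.10.1.20 for scan-to-email, and a data center block of 10.20.0.0/16. Command syntax should be checked against the switch's own IOS release.

```cisco
! Added example, not from this thread. Assumed values: VLAN 10, printer
! 10.10.10.50 / 0011.2233.4455 on Gi1/0/5, uplink Gi1/0/48, DNS+NTP 10.10.1.10,
! mail relay 10.10.1.20, data center 10.20.0.0/16.

! --- Layer 2 controls: DHCP snooping, Dynamic ARP Inspection, IP Source Guard ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! A static-IP host never creates a DHCP snooping binding, so DAI and IP Source
! Guard need a hand-maintained MAC/IP pairing. A laptop that spoofs only the MAC,
! or only the IP, is dropped at the port; one that spoofs both passes, which is
! why authentication is still Item #1. (With a DHCP reservation, the accepted
! solution, the snooping binding table supplies this pairing on its own.)
arp access-list PRINTER-ARP
 permit ip host 10.10.10.50 mac host 0011.2233.4455
ip arp inspection filter PRINTER-ARP vlan 10
ip source binding 0011.2233.4455 vlan 10 10.10.10.50 interface GigabitEthernet1/0/5

! --- Least privilege: only "printer things", and never the data center ---
ip access-list extended PRINTER-PORT-IN
 remark Traffic the printer itself is allowed to originate
 permit udp host 10.10.10.50 host 10.10.1.10 eq domain
 permit udp host 10.10.10.50 host 10.10.1.10 eq ntp
 permit tcp host 10.10.10.50 host 10.10.1.20 eq smtp
 remark Replies to print jobs only: source port must be a print service
 permit tcp host 10.10.10.50 eq 9100 any established
 permit tcp host 10.10.10.50 eq 631 any established
 permit tcp host 10.10.10.50 eq 515 any established
 remark Whoever is behind this MAC, the data center is out of reach
 deny   ip host 10.10.10.50 10.20.0.0 0.0.255.255 log
 deny   ip any any log

! --- Access port: authenticate (MAB, or 802.1X if the printer supports it) ---
interface GigabitEthernet1/0/5
 description Dell printer, static IP
 switchport mode access
 switchport access vlan 10
 ip verify source
 ip arp inspection limit rate 15
 ip dhcp snooping limit rate 10
 ip access-group PRINTER-PORT-IN in
 authentication host-mode single-host
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast

! --- Uplink: the only port allowed to deliver DHCP offers and untrusted ARP ---
interface GigabitEthernet1/0/48
 description Uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
```

Two points follow from the thread. First, the `arp access-list` and `ip source binding` lines are exactly the per-device maintenance the accepted solution wants to avoid: they must be edited whenever the printer moves or is replaced, whereas a DHCP reservation gives the same fixed address and lets the snooping binding table do this work. Second, the ACL keeps the printer useful (print jobs arrive on 9100/631/515 and only their replies leave) while denying it the data center, so a laptop that successfully takes over the MAC and IP inherits the printer's privileges and nothing more. In an ISE deployment the same policy would normally be delivered as a dACL in the printer's authorization profile (written with `any` as the source) and applied only after MAB or 802.1X succeeds, rather than as a static port ACL.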

Concur, in a world with endless resources. The customer turned on ABD, and the printer with the static IP was their first test. They already had the ACL limiting what the printer could talk to. I was curious why it did not detect the change. No amount of rocket science there. The customer has been briefed and educated, and now understands the situation and capability.