04-19-2022 08:31 AM
For one day last week, my Cisco ISE Primary Admin/MNT attempted to communicate with http://moleman.w3.org and it was blocked by our Internet firewalls, as it should be. However, this triggered security alarms in our environment.
The Cisco ISE 3.0 infrastructure has been up and running for over a year now and this is the first time it attempted to communicate with this unknown website. Because I am using Smart Licensing features, the ISE node is only allowed to communicate with https://tools.cisco.com, https://tools1.cisco.com, https://tools2.cisco.com and https://tools3.cisco.com and nothing else.
Is this a bug or just bad coding? Thoughts?
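The control that raised the alarm in the post above is an egress allowlist for the ISE node: anything it talks to other than the four Smart Licensing endpoints is suspect. The script below is an added example (not from this thread, from Cisco, or from ISE itself) of that detection logic run over firewall logs. It assumes a key=value log format, an assumed node address of 192.0.2.11, and constructed sample lines using documentation-range addresses; it groups findings by destination IP so that several hostnames resolving to one address (as www.w3.org and moleman.w3.org did here) show up as a single finding, and it flags matches whether the firewall allowed or denied them.

```python
"""Flag outbound connections from an ISE node that are not on its expected
egress allowlist. Added example; log format, node address and sample lines
are assumptions, not taken from the thread."""

# Assumed address of the ISE Primary Admin/MnT node (constructed).
ISE_NODES = {"192.0.2.11"}

# Egress allowlist as described in the original post (Smart Licensing endpoints).
ALLOWED_HOSTS = {
    "tools.cisco.com", "tools1.cisco.com", "tools2.cisco.com", "tools3.cisco.com",
}

# Constructed sample firewall lines in an assumed key=value format.
# Addresses come from RFC 5737 documentation ranges and are not real.
SAMPLE_LOG = """\
2022-04-12T09:14:03Z action=allow src=192.0.2.11 dst=198.51.100.7 dst_host=tools.cisco.com dport=443
2022-04-12T09:14:05Z action=allow src=192.0.2.11 dst=198.51.100.7 dst_host=tools1.cisco.com dport=443
2022-04-12T11:02:17Z action=deny src=192.0.2.11 dst=203.0.113.10 dst_host=moleman.w3.org dport=80
2022-04-12T11:02:49Z action=deny src=192.0.2.11 dst=203.0.113.10 dst_host=www.w3.org dport=80
2022-04-12T11:05:00Z action=allow src=192.0.2.50 dst=203.0.113.10 dst_host=www.w3.org dport=443
"""


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict; return None for lines that
    do not fit the assumed format so unrelated log noise is skipped."""
    tokens = line.split()
    if len(tokens) < 2 or "=" not in tokens[1]:
        return None
    fields = {"ts": tokens[0]}
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def unexpected_egress(log_text, ise_nodes=ISE_NODES, allowed_hosts=ALLOWED_HOSTS):
    """Return {dst_ip: {"hosts": set, "first_seen": ts, "count": n, "actions": set}}
    for every connection sourced from an ISE node whose destination host is not
    on the allowlist. Allowed and denied connections are both reported: a
    permitted connection to an unexpected host is the more urgent finding."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.get("src") not in ise_nodes:
            continue
        host = rec.get("dst_host", "").lower().rstrip(".")
        if host in allowed_hosts:
            continue
        dst = rec.get("dst", "?")
        entry = findings.setdefault(
            dst, {"hosts": set(), "first_seen": rec["ts"], "count": 0, "actions": set()}
        )
        entry["hosts"].add(host or dst)   # fall back to the IP if no hostname was logged
        entry["count"] += 1
        entry["actions"].add(rec.get("action", "?"))
    return findings


if __name__ == "__main__":
    for dst, info in unexpected_egress(SAMPLE_LOG).items():
        print(f"{dst}: {sorted(info['hosts'])} first_seen={info['first_seen']} "
              f"count={info['count']} actions={sorted(info['actions'])}")
```

Because firewall logs show destination IPs while the allowlist is written as hostnames, the check only works when the firewall records a hostname (URL filtering or SNI logging); without that, either resolve the allowlist ahead of time on a schedule or treat the ISE node's egress as a small fixed set of addresses and alert on any new one.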
04-20-2022 07:21 AM
There should be no ISE software doing that.
Look in your ISE logs for that day to see which process tried to connect to that site.
The fact that it happened only for one day reinforces that it probably wasn't ISE doing it systemically but perhaps someone configuring or testing something on ISE. The only places I can think of where ISE fetches a URL is profiling or posture updates if someone was testing those.
Are you the only ISE admin? If not, talk to your team mates and be sure they weren't playing with those features.
04-20-2022 07:57 AM
1- I don't use profiling or posture features in ISE. I disabled those features last year when ISE was put into production.
2- I am the only ISE admin to this device.
04-20-2022 09:05 AM
- Some advanced tricks, as mentioned in this link (an example only): https://serverfault.com/questions/666482/how-to-find-out-pid-of-the-process-sending-packets-generating-network-traffic , could reveal the process which is using the particular DNS resolution or query, the only problem being that ISE shields basic Linux administrative access. If security requirements are high, one could restore a previous application backup (e.g.) or re-image, the latter being a measure of last resort.
M.
04-20-2022 08:19 PM
I believe adamscottmaster
www.w3.org also resolved to the same IP address. FYI.
04-21-2022 05:55 AM
@hslai: Cisco had the same issue with ISE 1.1 back in 2013. Since you are working for Cisco, you can easily find that ticket.
04-25-2022 06:57 AM
adamscottmaster