
Disturbing http connection from ISE to an unknown Internet address

david.tran
Level 4

I have an ISE version 1.1.2.145 Patch-5 running in standalone mode.  No one has access to the ISE appliance except myself.  The ISE has an IP address of 1982.168.1.1

Today, I noticed that the ISE is attempting to make an outbound http connection to an unknown Internet IP address of files.liferay.com. Fortunately, my Check Point firewall does not allow this connection:

Number:                          99427

Date:                           17Nov2013

Time:                              23:03:11

Interface:                        eth2

Origin:                         Corp_Firewall

Type:                              Log

Action:                         Drop

Service:                          http (80)

Source Port:                    58025

Source:                           Corp_Firewall-192.168.1.1 (192.168.1.1)

Destination:                    files.liferay.com (38.75.15.3)

Protocol:                         tcp

Rule:                           100

Rule UID:                        {1234abcd-1111-xxxx-vvvv-aaaaaaaaaa}

Rule Name:                    Corp_Firewall Log Drop rule

Current Rule Number:        100-Corp_Firewall

Product:                          Security Gateway/Management

Product Family:              Network

Policy Info:                     Policy Name: Corp_Firewall

                                Created at: Sat Nov 16 01:30:50 2013

                                Installed from: corp-mgmt-192.168.1.2

The question is: why is the ISE doing this? What is the purpose of this http connection, some kind of "back door" by Cisco?

10 Replies

Charlie Moreton
Cisco Employee

Liferay is an open source web portal for hosting cloud applications.  This is definitely NOT a Cisco back-door to the ISE.

About Us

Enterprise. Open Source. For Life.

Enterprise.

Liferay, Inc. was founded in 2004 in response to growing demand for  Liferay Portal, the market's leading independent portal product that was  garnering industry acclaim and adoption across the world. Today,  Liferay, Inc. houses a professional services group that provides  training, consulting and enterprise support services to our clientele in  the Americas, EMEA, and Asia Pacific. It also houses a core development  team that steers product development.

Open Source.

Liferay Portal was, in fact, created in 2000 and boasts a rich open  source heritage that offers organizations a level of innovation and  flexibility unrivaled in the industry. Thanks to a decade of ongoing  collaboration with its active and mature open source community,  Liferay's product development is the result of direct input from users  with representation from all industries and organizational roles. It is  for this reason, that organizations turn to Liferay technology for  exceptional user experience, UI, and both technological and business  flexibility.

For Life.

Liferay, Inc. was founded for a purpose greater than revenue and profit  growth. Each quarter we donate to a number of worthy causes decided  upon by our own employees. In the past we have made financial  contributions toward AIDS relief and the Sudan refugee crisis through  well-respected organizations such as Samaritan's Purse and World Vision.  This desire to impact the world community is the heart of our company,  and ultimately the reason why we exist.

You may want to investigate the applications being used on site.

Hopefully this helps. 

Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.

Charles Moreton

ISE is an appliance, so what can I investigate? I am at the mercy of Cisco. Why is the ISE appliance communicating with liferay.com, and for what purpose?

I only use the box for wired dot1x authentication and nothing else.

David,

Please keep us informed on here. I am not seeing this particular behavior, but I am curious as to the extent and origin of it, and I shall keep close watch on this topic.

Thank You.

Sam Hertica
Cisco Employee

Please open a TAC case for investigation.

Some additional disturbing info:

For the past two months, the ISE has repeatedly attempted to make http outbound connections to 64.95.112.233, which I tracked down to be terracotta.org, which does some kind of memory management for big data platforms.

There's an internal bug for Terracotta, which attempts to get updates for itself, which is unnecessary, so it was resolved in ISE 1.2. I haven't found anything on Liferay, but doing my own testing on the side.

I still strongly recommend you create a case for this as there's no documented use for Liferay on ISE.

There is a typo on my part.

The ACS server appliance version 5.2 attempts http outbound to files.liferay.com, which is blocked by the firewall. Why is it doing that?

ACS is expected and documented in CSCtw59701 which is fixed in 5.4. If I had to guess (and this is entirely a guess) ISE uses the same plugins from Liferay ACS did, and is trying to check for updates.

As of now I can't find any internal or external documentation or bug describing the call to Liferay with ISE, which should be customer-facing since it is clearly an anomaly that needs to be addressed.

You mentioned you made a typo. Was the typo mistaking ISE for ACS? Or something else?

.

ISE does not go to liferay.com. Only ACS does go to files.liferay.com.

ISE does go to Terracotta. ISE does not go to files.liferay.com.

How do I know that this is NOT NSA snooping around or some built-in backdoor by Cisco?

Ok.

ACS  and Liferay - CSCtw59701 - Fixed in 5.4

ISE and Terracotta -  CSCub24101 and CSCuh61180

These are currently internal bugs, but I'm marking them external and they should be visible within a day. Essentially we use some Terracotta components that were reaching out to their site looking for updates. They're not malicious/harmful in any way, shape, or form, but you are correct in that ISE shouldn't be doing this. It is fixed in ISE 1.2.
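The check that surfaced this behaviour can be run routinely over a firewall log export. The following is an added example, not part of the thread and not Cisco or Check Point code: it parses records in the "Field: value" layout of the entry quoted in the first post and counts connections from appliance addresses to public destinations nobody has documented. The sample records are constructed, and the names `parse_records`, `internet_bound` and `expected_ips`, as well as the one-field-per-line, blank-line-separated export layout, are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed records in the "Field: value" layout of the firewall entry quoted
# in the thread; only the fields the check needs are included.
SAMPLE_LOG = """\
Action: Drop
Service: http (80)
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: files.liferay.com (38.75.15.3)

Action: Drop
Service: http (80)
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: files.liferay.com (38.75.15.3)

Action: Accept
Service: ntp-udp (123)
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: ntp.corp.example (192.168.1.10)
"""

HOST_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<ip>[0-9.]+)\)$")

def parse_records(text):
    """Blank-line separated blocks of 'Field: value' lines, split on the first colon."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return records

def internet_bound(records, appliance_ips, expected_ips=frozenset()):
    """Count appliance-sourced flows to public addresses absent from expected_ips."""
    hits = Counter()
    for rec in records:
        src = HOST_RE.match(rec.get("Source", ""))
        dst = HOST_RE.match(rec.get("Destination", ""))
        if not (src and dst) or src["ip"] not in appliance_ips:
            continue
        try:
            public = ipaddress.ip_address(dst["ip"]).is_global
        except ValueError:  # malformed address in the export: skip the record
            continue
        if public and dst["ip"] not in expected_ips:
            hits[(src["ip"], dst["name"], rec.get("Service"), rec.get("Action"))] += 1
    return hits

REPORT = internet_bound(parse_records(SAMPLE_LOG), {"192.168.1.1"})
```

Once a destination has been explained, for example by a vendor bug ID, adding its address to `expected_ips` keeps the report limited to traffic that still needs an answer.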
