Disturbing http connection from ISE to an unknown Internet address
11-17-2013 03:39 PM - edited 03-10-2019 09:06 PM
I have an ISE version 1.1.2.145 Patch-5 running in standalone mode. No one has access to the ISE appliance except myself. The ISE has an IP address of 1982.168.1.1
Today, I noticed that the ISE is attempting to make an outbound http to an unknown Internet IP address of files.liferay.com. Fortunately, my checkpoint firewall does not allow this connection:
Number: 99427
Date: 17Nov2013
Time: 23:03:11
Interface: eth2
Origin: Corp_Firewall
Type: Log
Action: Drop
Service: http (80)
Source Port: 58025
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: files.liferay.com (38.75.15.3)
Protocol: tcp
Rule: 100
Rule UID: {1234abcd-1111-xxxx-vvvv-aaaaaaaaaa}
Rule Name: Corp_Firewall Log Drop rule
Current Rule Number: 100-Corp_Firewall
Product: Security Gateway/Management
Product Family: Network
Policy Info: Policy Name: Corp_Firewall
Created at: Sat Nov 16 01:30:50 2013
Installed from: corp-mgmt-192.168.1.2
The question is: why is the ISE doing this? What is the purpose of this http connection, some kind of "back door" by Cisco?
11-18-2013 06:33 AM
Liferay is an open source web portal for hosting cloud applications. This is definitely NOT a Cisco back-door to the ISE.
About Us
Enterprise. Open Source. For Life.
Enterprise.
Liferay, Inc. was founded in 2004 in response to growing demand for Liferay Portal, the market's leading independent portal product that was garnering industry acclaim and adoption across the world. Today, Liferay, Inc. houses a professional services group that provides training, consulting and enterprise support services to our clientele in the Americas, EMEA, and Asia Pacific. It also houses a core development team that steers product development.
Open Source.
Liferay Portal was, in fact, created in 2000 and boasts a rich open source heritage that offers organizations a level of innovation and flexibility unrivaled in the industry. Thanks to a decade of ongoing collaboration with its active and mature open source community, Liferay's product development is the result of direct input from users with representation from all industries and organizational roles. It is for this reason, that organizations turn to Liferay technology for exceptional user experience, UI, and both technological and business flexibility.
For Life.
Liferay, Inc. was founded for a purpose greater than revenue and profit growth. Each quarter we donate to a number of worthy causes decided upon by our own employees. In the past we have made financial contributions toward AIDS relief and the Sudan refugee crisis through well-respected organizations such as Samaritan's Purse and World Vision. This desire to impact the world community is the heart of our company, and ultimately the reason why we exist.
You may want to investigate the applications being used on site.
Hopefully this helps.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
11-18-2013 07:26 AM
ISE is an appliance so what can I investigate? I am at the mercy of Cisco. Why is the ISE appliance communicating with liferay.com, for what purpose?
I only use the box for wired dot1x authentication and nothing else.
11-18-2013 12:51 PM
David,
Please keep us informed on here. I am not seeing this particular behavior, but I am curious as to the extent and origin of it, and I shall keep close watch on this topic.
Thank You.
11-18-2013 09:30 AM
Please open a TAC case for investigation.
11-18-2013 06:58 PM
Some additional disturbing info:
For the past two months, the ISE has repeatedly attempted to make http outbound connections to 64.95.112.233, which I tracked down to be terracotta.org that does some kind of memory management for big data platform.
11-19-2013 05:55 AM
There's an internal bug for Terracotta, which attempts to get updates for itself, which is unnecessary, so it was resolved in ISE 1.2. I haven't found anything on Liferay, but I am doing my own testing on the side.
I still strongly recommend you create a case for this as there's no documented use for Liferay on ISE.
11-19-2013 07:45 AM
There is a typo on my part.
The ACS server appliance version 5.2 attempts http outbound to files.liferay.com, which is blocked by the firewall. Why is it doing that?
11-19-2013 08:36 AM
ACS is expected and documented in CSCtw59701 which is fixed in 5.4. If I had to guess (and this is entirely a guess) ISE uses the same plugins from Liferay that ACS did, and is trying to check for updates.
As of now I can't find any internal or external documentation or bug describing the call to Liferay with ISE, which should be customer-facing since it is clearly an anomaly that needs to be addressed.
You mentioned you made a typo. Was the typo mistaking ISE for ACS? Or something else?
11-19-2013 08:54 AM
ISE does not go to liferay.com. Only ACS does go to files.liferay.com.
ISE does go to Terracotta. ISE does not go to files.liferay.com.
How do I know that this is NOT NSA snooping around or some built-in backdoor by Cisco?
11-19-2013 09:07 AM
Ok.
ACS and Liferay - CSCtw59701 - Fixed in 5.4
ISE and Terracotta - CSCub24101 and CSCuh61180
These are currently internal bugs, but I'm marking them external and they should be visible within a day. Essentially we use some terracotta components that were reaching out to their site looking for updates. They're not malicious/harmful in any way, shape, or form, but you are correct in that ISE shouldn't be doing this. It is fixed in ISE 1.2.
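
An added example, not part of any post in this thread: a small triage script for firewall log exports in the "Key: Value" layout shown in the first post. It lists every outbound attempt from a designated appliance address and separates destinations the thread explains as update checks from unexplained ones. The function names, the appliance address set and sample records 2 and 3 are assumptions made for illustration.

```python
import re

# Destinations the thread explains as update checks, with the bug IDs given there.
KNOWN_UPDATE_CHECKS = {
    "files.liferay.com": "ACS/Liferay, CSCtw59701",
    "terracotta.org": "ISE/Terracotta, CSCub24101 and CSCuh61180",
}

# Constructed sample in the first post's "Key: Value" layout; records 2 and 3 are made up.
SAMPLE_EXPORT = """\
Number: 99427
Action: Drop
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: files.liferay.com (38.75.15.3)
Number: 99431
Action: Drop
Source: Corp_Firewall-192.168.1.1 (192.168.1.1)
Destination: updates.example.net (203.0.113.7)
Number: 99440
Action: Accept
Source: workstation-17 (192.168.1.50)
Destination: www.example.org (203.0.113.9)
"""

def parse_records(text):
    """Split the export into dicts; a new record starts at each 'Number:' line."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Number":
            records.append({})
        if sep and records:
            records[-1][key.strip()] = value.strip()
    return records

def host_and_ip(field):  # 'name (1.2.3.4)' -> ('name', '1.2.3.4')
    m = re.fullmatch(r"(.+?)\s*\(([^)]+)\)", field)
    return (m.group(1), m.group(2)) if m else (field, field)

def triage_appliance_egress(records, appliance_ips):
    """Return (number, action, dst name, dst ip, reason) for each appliance-sourced record."""
    findings = []
    for rec in records:
        if host_and_ip(rec.get("Source", ""))[1] not in appliance_ips:
            continue
        dst_name, dst_ip = host_and_ip(rec.get("Destination", ""))
        reason = next((why for dom, why in KNOWN_UPDATE_CHECKS.items()
                       if dst_name == dom or dst_name.endswith("." + dom)), "unexplained")
        findings.append((rec.get("Number"), rec.get("Action"), dst_name, dst_ip, reason))
    return findings
```

Calling `triage_appliance_egress(parse_records(SAMPLE_EXPORT), {"192.168.1.1"})` returns the two appliance-sourced records; anything labelled "unexplained" is what belongs in a vendor support case.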
