Is there a way to detect NATed VM host?

csco11552159
Level 5

Hi Folks,

I'm looking for some help again.

During deployment we found some users are running a VM host and NATed to their physical host; it seems ISE cannot detect it.

Is there a way to block this kind of use case? I remember Forescout can detect NATed devices with TTL.

Does ISE have this feature?

thank you.

Accepted Solutions

gbekmezi-DD
Level 5

The Forescout model is interesting (https://www.forescout.com/wp-content/uploads/2015/12/ForeScout-CounterACT-Network-Address-Translation-NAT-Detection-Tech-Note.pdf) but seems pretty difficult to scale since it appears to require an appliance and a SPAN port to implement the TTL technique you are describing.

You may be able to accomplish what you are looking for by using ISE posture and Application Condition Settings (https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_0100000.html#id_38954) to detect if any hypervisors are running on the client (i.e. VMWare, VirtualBox) and fail posture if they are running.

George

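For readers who want to see what the TTL technique discussed above actually looks for, here is an added illustration (not code from the thread, ISE or Forescout): packets from one access-layer IP are grouped by the initial TTL they imply and the hop offset from it, and an IP that presents more than one signature is flagged as a likely NAT box with hosts of different OSes behind it. The packet records are constructed sample data standing in for what a SPAN-port collector would see at the access switch, where a directly attached host should always be zero hops away.

```python
from collections import defaultdict

# Common default initial TTLs: Linux/macOS 64, Windows 128, much network gear 255.
INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(ttl):
    """Map an observed TTL to the smallest common default it could have started from."""
    for base in INITIAL_TTLS:
        if ttl <= base:
            return base
    return None  # out of the 1..255 range, ignore


def find_nat_candidates(records):
    """records: iterable of (src_ip, observed_ttl) seen on the access segment.

    Returns {src_ip: [(initial_ttl, hops), ...]} for every source IP that shows
    more than one (initial TTL, hop count) signature. A single physical host has
    exactly one; a NAT gateway fronting VMs of different OSes shows several, and
    the NATed guests show up one hop further away than the host itself.
    """
    signatures = defaultdict(set)
    for src_ip, ttl in records:
        base = infer_initial_ttl(ttl)
        if base is None:
            continue
        signatures[src_ip].add((base, base - ttl))
    return {ip: sorted(sigs) for ip, sigs in signatures.items() if len(sigs) > 1}


# Constructed sample records (src_ip, ttl), as if captured at the access switch.
SAMPLE_RECORDS = [
    ("10.1.1.20", 128),  # Windows laptop, directly attached: 128 minus 0 hops
    ("10.1.1.20", 128),
    ("10.1.1.31", 128),  # Windows laptop, directly attached...
    ("10.1.1.31", 63),   # ...plus a Linux VM NATed through it: 64 minus 1 hop
    ("10.1.1.31", 127),  # ...and a Windows VM NATed through it: 128 minus 1 hop
    ("10.1.1.42", 64),   # Linux host, directly attached
]

if __name__ == "__main__":
    for ip, sigs in find_nat_candidates(SAMPLE_RECORDS).items():
        print(f"{ip}: {len(sigs)} TTL signatures {sigs} -> possible NATed VM host")
```

The check only sees guests that are NATed and actually sending traffic; a bridged VM gets its own IP and MAC, and a VM with no network attached, as mentioned later in the thread, generates nothing to observe.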

3 Replies

Thanks, George.

Because some users are using hypervisors without the network connected, which is allowed,

it is really difficult to detect...

If those users are an exception, maybe they can be identified by an AD or LDAP group and have a different posture policy?