08-25-2017 02:49 PM
Running ISE 2.2 patch 1. This a two part question:
Where can we see exactly what ISE is scanning in the Unknown endpoint state. I swear changes every version. I thought it was OS and common ports but now I am seeing voice ports (TCP 1720- H.323 and TCP 5060- SIP) show up as open ports on my Unknown devices. I don't mind this, but if ISE is scanning all ports in the Unknown state that would be nice to know. Maybe it always was, but I thought it was OS and common ports. It would be nice if the Unknown profile was exposed to us to we could see and set exactly what we want scanned in this state.
The 2nd part is okay now I see that TCP 5060 is open and I want to profile on that. That is not in the NMAP or NMAP extensions. How do I add it so I can use it in my profiling rules.
Solved! Go to Solution.
08-28-2017 08:45 AM
This is not a recent phenomenon. I have seen additional ports captured under endpoint details since early ISE 1.x days. I do think it is related to the OS scan function. https://nmap.org/book/osdetect.html
08-26-2017 10:24 AM
This has been same config for many releases.
/Craig
08-26-2017 11:59 AM
That is what I thought as well. Originally it was common ports and OS. Then it changed to OS and SNMP. Now in 2.2 I am seeing many more ports show up. How is tcp 1720 and 5060 being listed for unknown devices? There are no built in NMAP scans that scan for those ports.
Sent from my iPhone
08-27-2017 07:18 AM
Craig,
Just to show you another example of how this has changed in 2.2. Here is my lab system running 2.2. patch 1. It is a fresh build with nothing in it. I have loaded one of my switches into ISE and have it SNMP polled so MACs are learned. Here you see an Unknown device with FTP identified as open. So 2.2 is definitely not just doing SNMP and OS. I know 2.0 and 2.1 definitely did SNMP and OS only because it broke what we do for printer identification, i.e. port 9100 open is key criteria. In 2.2 I noticed that 9100 was starting to be identified again on Unknown and Profiling groups using the predefined condition of SNMP and OS NMAP detection. So to me it looks like that definition is somehow broke and way more is getting scanned. I don’t mind that but if this is a bug and I can’t depend on common ports being scanned I would like to know that.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
08-27-2017 07:33 AM
Craig,
I did more testing and SNMP and OS NMAP action in 2.2 is definitely broken (I like the way it works though). Here is how I tested. I changed the Cisco Switch definition in profiling to do SNMP and OS:
I added a rule to SCAN based of the predefined SNMP check. Here is what you see it scanned for my switch. Just a few more things and SNMP.
Like I said I like it like this, but I am guessing and some point it is going to get fixed and I can’t rely on this being true. I will being doing 2.3 installs this week so I will know if it still doing more than it should.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
08-27-2017 07:36 AM
Grr sorry for so many emails. Are those ports being flagged open via the SNMP and OS NMAP action because it is using the ports in the OS detection part? I know in 2.0 and 2.1 only the SNMP ports were being shown. Now I see way more with that scan action, but maybe those ports are used as part of the OS detection so it is reporting them as open.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
08-28-2017 08:45 AM
This is not a recent phenomenon. I have seen additional ports captured under endpoint details since early ISE 1.x days. I do think it is related to the OS scan function. https://nmap.org/book/osdetect.html
08-28-2017 10:16 AM
Craig,
I have seen the same things since the early days. We have always been using port 9100 being open as a key indicator in our printer profiles. This worked fine in 1.x, then in some versions of 2.x (I think 2.0 and 2.1) I stopped seeing 9100 show up on my endpoints. So I had to go and create a custom NMAP scan to do Common Ports and OS scan to get what I wanted. Then I had to go in and modify all the Cisco prebuilt printer top level profile polices (HP-Device, Canon-Device, Ricoh-Device, etc.) to use my custom scan. Now in 2.2 and I am assuming in 2.3 I am going to see the ports show up again.
The problem I have is if everything says SNMP ports and OS scan only, yet we are seeing all these other ports show up and no one can really explain why, then what is the assurance that at some point the developers are going to realize SNMP ports and OS scan is broken and change it to really only do SNMP ports and OS scan. Then if we have been relying on these other ports things stop profiling correctly. I would rather not have to create custom NMAP scans can modify a bunch of the Cisco prebuilt rules to get what I want. I like seeing all these other ports, but not sure if it is functioning as designed.
Thanks for your input Craig!
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
09-12-2017 08:05 PM
It looks like OS scans can potentially perform port scans, after reading some of the online info; e.g.
https://serverfault.com/questions/829009/which-ports-does-nmap-scan-for-os-detection
https://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
https://serverfault.com/questions/498372/do-an-os-scan-with-nmap-only
You may check ISE debug log file -- nmap.log
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide