NMAP Scan Questions

paul
Level 10

I am working on a very large deployment and have a few questions on NMAP scans:

 

  1. I am assuming profiling takes a back seat to authentications on the PSNs.  We are noticing that as we have ramped up the authentications (over 100K concurrent now) NMAP scans are taking longer to complete (could take 12+ hours before we see results under the endpoint).  Is that normal?
  2. Is it possible to setup PSNs just to perform the NMAP scans or would that create ownership issues with the endpoints?
  3. When or how does ISE decide to give up on an NMAP scan?  We notice that if ISE is not able to scan a device in a certain period of time it seems to stop trying.  We will see the MAC address in our NMAP scan profile, but no NMAP scan count value, meaning it hasn't been scanned.  The MAC will have an elapsed days of several months.  If we delete the MAC and force ISE to profile it again from the start, an NMAP scan will usually get run (again there may be a 12+ hour delay).

Any thoughts would be appreciated.

 

Thanks.

6 Replies

Jason Kunst
Cisco Employee
Why is NMAP being used?

We use NMAP extensively at most of our customers for profiling. As an example, our printer profile has NMAP TCP/9100 = jetdirect as a key component. We try not to use just the MAC address OUI if possible and look for other options to pair with the MAC OUI. Timely NMAP scans are important once we get out of monitor mode and need new devices to be profiled quickly and correctly.


Thanks @paul, I have asked SME @kthiruve to look at it.

kthiruve
Cisco Employee

Paul,

 

Is this a manual scan or an automatically triggered scan?

 

NMAP can be triggered in the following cases:

  • Manual NMAP scan
  • Automatically when an endpoint is discovered and its profile is set to Unknown
  • Automatically by matching a profile where one of the matching conditions has an action to trigger NMAP.  The NMAP scan type is defined under the NMAP Scan Actions (under Policy > Policy Elements > Results > Profiling > NMAP Scan Actions).

The way the automatic scan works is that when an endpoint is detected based on MAC OUI, if there is a rule match then it triggers the scan. Make sure that happens. Also use a manual scan for initial discovery (make sure the network is reachable via ICMP). When you do that you can select the PSN closest to the endpoint to do a triggered scan. For the scan to work, please make sure the MAC and IP address are learnt already; if not, the probe result will be discarded. I don't think we have a schedule to run the NMAP scan.

 

If the automatic scan does not work, use a manual scan on a limited subnet to see whether that works. An SNMP scan can be used as needed.

There are some notes given under procedure 52 in the profiling deployment guide. Make sure you isolate the cause.

 

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId--836075618

 

Thanks

Krishnan
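The trigger cases and the "result discarded unless MAC and IP are already learned" rule from this reply, together with the OUI-plus-TCP/9100 printer classification from the earlier reply, as an added Python simulation. This is not Cisco ISE code and does not reproduce ISE internals; the class names, the OUI table, the rule format and the sample endpoints are all constructed for illustration.

```python
"""Simulation of the NMAP-scan trigger and result-handling behaviour described in
the thread. Added example, not ISE code; all names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed OUI table (prefix -> vendor). The thread's point is that OUI alone is
# a weak signal, so it is paired with an NMAP service match below.
OUI_TABLE = {"00:11:22": "Example-Printer-Vendor", "AA:BB:CC": "Example-PC-Vendor"}


@dataclass
class EndpointRecord:
    """Hypothetical endpoint record: MAC is learned first, IP may arrive later."""
    mac: str
    ip: Optional[str] = None
    profile: str = "Unknown"
    nmap_scan_count: int = 0            # 0 == never scanned (what the OP checks for)
    open_ports: dict = field(default_factory=dict)   # port -> service name


@dataclass
class ProfilingRule:
    """Hypothetical profiling rule: OUI vendor condition, optional NMAP service
    condition, and whether a match carries a 'trigger NMAP scan' action."""
    name: str
    required_oui_vendor: str
    trigger_nmap: bool
    required_service: Optional[tuple] = None   # (port, service) to finalise profile


def oui_vendor(mac: str) -> Optional[str]:
    """Look up the vendor for the first three octets of a MAC address."""
    return OUI_TABLE.get(mac.upper()[:8])


def scan_trigger(ep: EndpointRecord, rules, manual: bool = False) -> Optional[str]:
    """Return which of the three trigger cases in the reply applies, or None.
    Order modelled here: manual request, then a rule match on OUI whose action
    triggers NMAP, then the generic 'endpoint is Unknown' case."""
    if manual:
        return "manual"
    vendor = oui_vendor(ep.mac)
    for rule in rules:
        if rule.trigger_nmap and rule.required_oui_vendor == vendor:
            return f"auto-rule:{rule.name}"
    if ep.profile == "Unknown":
        return "auto-unknown"
    return None


def apply_scan_result(ep: EndpointRecord, open_ports: dict, rules) -> str:
    """Merge an NMAP result into the endpoint and re-evaluate the rules.
    Mirrors the reply's note: the probe result is discarded unless both the
    MAC and the IP address are already learned."""
    if not ep.mac or not ep.ip:
        return "discarded"
    ep.nmap_scan_count += 1
    ep.open_ports.update(open_ports)
    vendor = oui_vendor(ep.mac)
    for rule in rules:
        if rule.required_oui_vendor != vendor:
            continue
        if rule.required_service is None:
            ep.profile = rule.name
            return ep.profile
        port, service = rule.required_service
        if ep.open_ports.get(port) == service:      # e.g. TCP/9100 == jetdirect
            ep.profile = rule.name
            return ep.profile
    return ep.profile


def unscanned(endpoints) -> list:
    """MACs that sit in the scan profile with no scan count, i.e. never scanned."""
    return [ep.mac for ep in endpoints if ep.nmap_scan_count == 0]


if __name__ == "__main__":
    rules = [ProfilingRule("Printer", "Example-Printer-Vendor", True, (9100, "jetdirect"))]
    printer = EndpointRecord(mac="00:11:22:33:44:55")          # constructed, no IP yet
    print(scan_trigger(printer, rules))                        # auto-rule:Printer
    print(apply_scan_result(printer, {9100: "jetdirect"}, rules))   # discarded (no IP)
    printer.ip = "10.0.0.5"
    print(apply_scan_result(printer, {9100: "jetdirect"}, rules))   # Printer
    print(unscanned([printer, EndpointRecord(mac="DE:AD:BE:EF:00:01", ip="10.0.0.6")]))
```

The `unscanned` helper is the check the original poster describes doing by hand: an endpoint whose scan count never moves off zero after months is one for which no result was ever accepted, whether because the scan never ran or because the result arrived before the IP was learned and was dropped.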

 

Krishnan,

 

These are automated scans kicked off by profiling rules.  We use automated NMAP extensively for profiling and have for years.  I know my rules are right, but my questions revolve more around how ISE performs NMAP scans on a heavily loaded system.  Does profiling, especially NMAP, take a back seat to authentications?  i.e. is it normal on a loaded system for NMAP results to show up 12+ hours after the MAC and IP address are learned by ISE?

 

Also, the other part of my question was about dedicating a couple of PSNs to just the NMAP process.  If we shut off the NMAP profiler on all but two PSNs, and those two PSNs are not processing authentication, would they scan the endpoints and feed the results to the other PSNs, or would there be an ownership issue?

Krishnan,

 

Do you have any thoughts on my last update?  Also if I do manual scans from a PSN that is not currently authenticating endpoints do I run the risk of having an ownership change issue?