06-25-2019 02:16 AM
Hi All,
I am facing some challenges in profiling a few endpoints with static IP addresses.
1- HP printers with static IP
From the RADIUS probe alone the printers were identified as "HP-Device", which will include the HP laptops as well. So I tried to configure an SNMPv2 string on the printer itself and configured the same in the ISE profiler settings. I wrote a profiling policy with 2 rules: the first one matches the SNMP system description attribute and assigns a certainty factor of 25, and the second rule is a network scan action based on the printer subnet. I was able to profile the printer properly after I made these changes, but a weird issue happened with the HP printers: once the SNMP string is configured they seem to go offline. Ping to the printer works, but users were unable to print. So I asked the customer to configure a DHCP scope for the printer subnet and reserve specific IPs for specific printers using their MAC addresses. Then I used DHCP probes in ISE to profile the printers. It works quite fine. Is this a recommended method, or is there a better way?
2- CCTV Cameras
The customer has CCTV cameras from around 8 vendors. I was thinking of the same NMAP+SNMP query which I did initially for the printers, but I found that some of the cameras do not support SNMP. The customer cannot assign dynamic IPs to the cameras since the camera subnet does not have access to the DHCP server, so I cannot use DHCP probes in this case. What would be the best profiling method to use in such cases? The customer does not want to go with static endpoint groups based on MAC addresses since it will fail them in pen tests.
My question is, generally, to profile endpoints with static IPs, what is the recommended method?
Regards
Shabeeb
07-03-2019 01:19 AM - edited 07-03-2019 01:21 AM
Determine if cameras support CDP / LLDP and then use SNMP probe (or Device Sensor with RADIUS probe) to fetch results. For example, "All AXIS products starting with FW 8.50.1 support power negotiation using the Cisco Discovery Protocol (CDP) up to IEEE 802.3at 30 watts. By default, the camera is capable of power negotiating power via CDP as well as LLDP. Which protocol is used depends on the switch configuration, in case both protocols are enabled on the switch, first come first served. Unlike LLDP, there is no CDP traffic sent out from the camera by default regularly unless the network switch initiates CDP capabilities."
There are also 3rd-party tools that can profile all cameras and feed results to ISE over pxGrid.
Anomaly Detection only checks for changes in DHCP or profile from WS to printer/phone, so a camera with static IP would not fall into this bucket.
06-25-2019 05:19 AM
06-25-2019 11:05 PM
Profiling based on Source IP Address is a bit of a cheat, isn't it? Not really profiling at all. It means anyone can plug a device into a port, get an IP address from DHCP and claim to be a printer/light-bulb/whatever. What form of profiling have we achieved at that point?
Makes me question Profiling in general: Sure, it's easy enough to clone a MAC address and pretend to be a printer. But I would never create an AuthZ Rule to put a device in VLAN x because of a simple OUI match. In my opinion it would require more certainty than that - SNMP etc.
I get an uneasy feeling with profiling in general - leaving it up to ISE to classify device and dynamically re-authenticating them. I trust that ISE can do it, but I am more concerned about the hacking attempts of users who can exploit the simplistic fingerprinting/profiling techniques that seem to be bandied around the place.
I think I could sleep well at night knowing that ISE is checking SNMP + NMAP + NetFlow against each device as it connects to the network, but this is not always feasible because there might not be an SNMP agent on each endpoint, and NetFlow is a PSN killer (and requires extra setup). I have yet to drink the Kool-Aid ...
Needless to say, I have not deployed profiling in any of my customers since they all share the same level of concern as I do. We do EAP-TLS and MAB where possible. Anything else just ain't gettin' on.
What do others think? Am I being too bleak? :)
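To make the certainty-factor argument from the two posts above concrete (an OUI-only match is weak evidence, while a corroborating probe such as the SNMP sysDescr rule described in the original question adds real certainty), here is a small model of ISE-style profiling. This is an added example, not code from this thread or from Cisco ISE: the profile names, rule patterns, certainty values, minimum-certainty thresholds and the authorization mapping are assumptions, and the endpoint attribute sets are constructed, not collected from real devices.

```python
"""Simplified model of ISE-style certainty-factor (CF) profiling.

Added example, not code from this thread or from Cisco ISE. The profile
names, rule patterns, certainty values and minimum-certainty thresholds
below are assumptions chosen to mirror the policy described in the
thread (an OUI rule plus an SNMP sysDescr rule worth CF 25); the
endpoint attribute sets are constructed, not collected from real devices.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str   # endpoint attribute the rule inspects (probe:attribute)
    pattern: str     # regex tested against the attribute's value
    certainty: int   # CF added to the profile when the rule matches


@dataclass(frozen=True)
class Profile:
    name: str
    min_certainty: int   # total CF needed before the profile can match
    rules: tuple


# Assumed policy set: a generic OUI-only profile, a printer profile that
# needs a corroborating probe, and a workstation profile.
PROFILES = (
    Profile("HP-Device", 10, (
        Rule("OUI", r"^Hewlett Packard", 10),
    )),
    Profile("HP-Printer", 30, (
        Rule("OUI", r"^Hewlett Packard", 10),
        Rule("SNMP:sysDescr", r"(?i)laserjet|officejet|jetdirect", 25),
        Rule("DHCP:class-identifier", r"(?i)hewlett-packard jetdirect", 20),
    )),
    Profile("Workstation", 20, (
        Rule("DHCP:class-identifier", r"^MSFT", 20),
        Rule("SNMP:sysDescr", r"(?i)windows|linux", 10),
    )),
)


def score(profile, attrs):
    """Sum the CF of every rule whose attribute is present and matches."""
    return sum(
        rule.certainty
        for rule in profile.rules
        if rule.attribute in attrs and re.search(rule.pattern, attrs[rule.attribute])
    )


def classify(attrs):
    """Return (profile name, CF) of the highest-scoring profile that
    reaches its minimum certainty, or ("Unknown", 0)."""
    best_name, best_cf = "Unknown", 0
    for profile in PROFILES:
        cf = score(profile, attrs)
        if cf >= profile.min_certainty and cf > best_cf:
            best_name, best_cf = profile.name, cf
    return best_name, best_cf


def authorize(profile_name):
    """Assumed authorization rule: only the corroborated printer profile
    gets the printer VLAN; the OUI-only HP-Device profile does not."""
    return "PRINTER_VLAN" if profile_name == "HP-Printer" else "QUARANTINE"


# Constructed endpoints.
REAL_PRINTER = {
    "OUI": "Hewlett Packard",
    "SNMP:sysDescr": "HP ETHERNET MULTI-ENVIRONMENT,PID:HP LaserJet 400 M401dne",
}
# Laptop with the printer's MAC cloned, but it still asks DHCP for a lease.
SPOOFED_LAPTOP_DHCP = {
    "OUI": "Hewlett Packard",
    "DHCP:class-identifier": "MSFT 5.0",
}
# Laptop with the printer's MAC cloned, static IP, no SNMP agent:
# the only evidence ISE sees is the OUI.
SPOOFED_LAPTOP_SILENT = {"OUI": "Hewlett Packard"}

if __name__ == "__main__":
    for label, attrs in (("real printer", REAL_PRINTER),
                         ("spoofed laptop, DHCP", SPOOFED_LAPTOP_DHCP),
                         ("spoofed laptop, static IP", SPOOFED_LAPTOP_SILENT)):
        name, cf = classify(attrs)
        print(f"{label:28s} -> {name} (CF {cf}) -> {authorize(name)}")
```

The third case is the one the thread is worried about: a cloned MAC with a static IP and nothing else to probe only ever reaches the OUI-only profile, so an authorization rule keyed on that generic profile would admit it, while a rule keyed on the corroborated printer profile would not.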
06-26-2019 12:31 AM
Hi,
@Arne Bier I totally agree with you. Using the source IP as the single condition in the profiling policy is not what we expect from profiling. Regarding NMAP, I tried to run an NMAP query from ISE towards one camera, and ISE identified the device as a Cisco 6506 router! I did NMAP from a Linux workstation to the same camera, and it identified the device as ip-web-camera. I opened a ticket with Cisco and they said NMAP has some known issues.
How about DNS probes? Do they help in profiling such endpoints? Actually I am kind of lost, since the major reason the customer bought ISE is to utilize the profiling functionality, since they get comments (like MAC spoofing) when they do penetration tests.
I might use anomalous detection for MAC spoofing, but even that does not address all the scenarios of MAC spoofing.
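The anomalous-behaviour concern raised above (and the accepted answer's point that a static-IP camera would not fall into that bucket) can be shown with a small model of the checks. This is an added example, not code from this thread or from Cisco ISE: it models the three change types the ISE Anomalous Behaviour Detection feature is documented to watch (NAS-Port-Type change, DHCP class-identifier change, profile change from a printer or IP-phone profile to a workstation profile); the profile names and the per-endpoint histories are constructed assumptions.

```python
"""Simplified model of the endpoint changes that ISE Anomalous Behaviour
Detection flags.

Added example, not code from this thread or from Cisco ISE. It models
the three change types the feature is documented to watch (NAS-Port-Type
change, DHCP class-identifier change, profile change from a printer or
IP-phone profile to a workstation profile); the profile names and the
per-endpoint event histories below are constructed assumptions.
"""

# Assumed profile sets: a flip from the first set to the second is suspicious.
PRINTER_OR_PHONE = {"HP-Printer", "Cisco-IP-Phone"}
WORKSTATION = {"Workstation", "Windows10-Workstation", "Linux-Workstation"}


def detect_anomalies(history):
    """history: attribute snapshots for ONE endpoint (one MAC), oldest first.
    Returns a list of (reason, old_value, new_value) tuples. A key missing
    from either snapshot is not a change, so a silent static-IP device
    that never sends DHCP produces nothing to compare."""
    findings = []
    for prev, cur in zip(history, history[1:]):
        for key, reason in (("NAS-Port-Type", "NAS-Port-Type changed"),
                            ("DHCP:class-identifier", "DHCP class-identifier changed")):
            if key in prev and key in cur and prev[key] != cur[key]:
                findings.append((reason, prev[key], cur[key]))
        old_p, new_p = prev.get("EndPointPolicy"), cur.get("EndPointPolicy")
        if old_p in PRINTER_OR_PHONE and new_p in WORKSTATION:
            findings.append(("profile changed to workstation", old_p, new_p))
    return findings


# Constructed history: a DHCP-addressed printer whose MAC is later cloned
# by a laptop plugged into the same switch port.
CLONED_PRINTER_MAC = [
    {"NAS-Port-Type": "Ethernet", "DHCP:class-identifier": "Hewlett-Packard JetDirect",
     "EndPointPolicy": "HP-Printer"},
    {"NAS-Port-Type": "Ethernet", "DHCP:class-identifier": "MSFT 5.0",
     "EndPointPolicy": "Workstation"},
]

# Constructed history: a static-IP camera replaced by a laptop that cloned
# its MAC and configured the same static IP. No DHCP, no SNMP, same port,
# and the profile never changes because no probe saw anything new.
CLONED_CAMERA_MAC = [
    {"NAS-Port-Type": "Ethernet", "EndPointPolicy": "Axis-Device"},
    {"NAS-Port-Type": "Ethernet", "EndPointPolicy": "Axis-Device"},
]

if __name__ == "__main__":
    print(detect_anomalies(CLONED_PRINTER_MAC))
    print(detect_anomalies(CLONED_CAMERA_MAC))
```

The second history is the camera case from the thread: with no DHCP and no profile change there is nothing for the detector to compare, which is why anomaly detection alone does not cover a static-IP endpoint whose MAC has been cloned.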
06-29-2019 07:33 PM
...Regarding NMAP, I tried to run an NMAP query from ISE towards one camera, and ISE identified the device as a Cisco 6506 router! I did NMAP from a Linux workstation to the same camera, and it identified the device as ip-web-camera. I opened a ticket with Cisco and they said NMAP has some known issues.
If your TAC case is still open, please ask them to explain why there are two different results. In case it is due to different versions of NMAP, then ask TAC to open a bug for that.
How about DNS probes? Do they help in profiling such endpoints?...
See ISE Profiling Design Guide > Profiling Using the DNS Probe
06-26-2019 05:22 AM - edited 06-26-2019 05:24 AM
@ArneBier I agree to a certain extent on your points. I should have elaborated more on the example ideas. Reservations in DHCP could be enabled for the printers, and other probes could be used to strengthen the profiling attempt of his devices. IMO I think profiling aids in automating certain tasks and can be powerful if properly used. I would assume flexauth is enabled on the admin's interfaces since it is 2019. Maybe I should not have assumed that. Obviously I agree that 802.1X with EAP-TLS is more secure. The points made are valid, but I think we need to remember the general phrase "security in depth". Someone would have to know the network range, how to get in the building, then an area they know that connects back to the device, among many other items, etc. Like @SHABEEB KUNHIPOCKER mentioned, anomalous detection is another mechanism that could be used to deter threats. I think I could go on and on, but I think we get it :)
07-03-2019 03:44 AM - edited 07-03-2019 03:46 AM
Hi,
Could you please name any third-party tool that can do profiling and upload the results to ISE via pxGrid?
Regards
Shabeeb
07-03-2019 09:34 AM
You can look for such partners on Cisco MarketPlace. Example: http://marketplace.cisco.com/catalog/solution/165126?pid=173917
Craig Hyps
06-25-2019 03:14 PM
07-03-2019 12:15 AM
Hi Kevin,
The issue with using OUI-based profiling is that a penetration tester can easily bypass it with a MAC address changer tool. The customer has been sticking to that point from the beginning. I am thinking about NMAP or NetFlow, but I don't know the performance impact of these probes on a PSN. Otherwise there should be a way to integrate ISE with the video management solution (Milestone in our case) and pull the inventory from there. Any thoughts?
Thanks
07-03-2019 10:56 PM
Hi,
Is there anyone here who has successfully used NMAP probes in a large environment, let's say 10000 endpoints with two PSNs? Kindly advise on the performance.
Thanks
Shabeeb
07-04-2019 10:14 AM
The NMAP performance depends on the scanning parameters. I would also suggest to do it in smaller batches.
REF: ISE Profiling Design Guide > Profiling Using the Network Scan (NMAP) Probe > Procedure 49 Run a Network Scan
07-08-2019 04:26 PM
In general, the performance impact of the NMAP probe is minimal since the scan only runs automatically for a given endpoint when:
As Hsing-Tsu noted, if performing a manual NMAP scan, then it is best to perform it in smaller batches and preferably during times of reduced network activity. Of course, if endpoints shut down at the end of the day, then after-hours scanning will end up missing endpoints. Custom scans can be configured to validate ping reachability prior to the scan.
/C