Hi @Mike.Cifelli 

Profiling based on Source IP Address is a bit of a cheat, isn't it?  Not really profiling at all.  It means anyone can plug a device into a port, get an IP address from DHCP and claim to be a printer/light-bulb/whatever.   What form of profiling have we achieved at that point?

Makes me question Profiling in general:  Sure, it's easy enough to clone a MAC address and pretend to be a printer.  But I would never create an AuthZ Rule to put a device in VLAN x because of a simple OUI match.  In my opinion it would require more certainty than that - SNMP etc.

I get an uneasy feeling with profiling in general - leaving it up to ISE to classify device and dynamically re-authenticating them.  I trust that ISE can do it, but I am more concerned about the hacking attempts of users who can exploit the simplistic fingerprinting/profiling techniques that seem to be bandied around the place.  

I think I could sleep well at night, knowing that ISE is checking SNMP + NMAP + Netflow against each device as it connects to the network - but this is not always feasible because there might not be an SNMP agent on each endpoint, and Netflow is a PSN killer (and requires extra setup).  I have yet to drink the cool aid ...

Needless to say, I have not deployed profiling in any of my customers since they all share the same level of concern as I do.  We do EAP-TLS and MAB where possible. Anything else just ain't gettin' on.

What do others think?  Am I being too bleak? :)

Hi,

@Arne Bier  I totally agree with you. Using source IP as the single condition in the profiling policy is not what we expect from profiling. Regarding NMAP, I tried to run NMAP query from the ISE towards one camera, ISE identified the device as Cisco 6506 router !. I did NMAP from a linux workstation to the same camera, it identified the device as ip-web-camera, I opened a ticket with Cisco and they said NMAP has some known issues. 

How about DNS probes?. Do they help in profiling such endpoints?. Actually I am kind of lost since the major reason customer bought ISE is to utilize profiling functionality since they get comments (like mac spoofing)when they do penetration tests.

I might use anomalous detection for mac spoofing, but even that does not address the whole scenarios of mac spoofing.

...Regarding NMAP, I tried to run NMAP query from the ISE towards one camera, ISE identified the device as Cisco 6506 router !. I did NMAP from a linux workstation to the same camera, it identified the device as ip-web-camera, I opened a ticket with Cisco and they said NMAP has some known issues. 

If your TAC case still open, please ask to explain why two different results. In case it due to different versions of NMAP, then ask TAC to open a bug for that.

How about DNS probes?. Do they help in profiling such endpoints?...

---

See ISE Profiling Design Guide > Profiling Using the DNS Probe

@ArneBier I agree to a certain extent on your points. I should have elaborated more on the example ideas. Reservations in DHCP could be enabled for the printers and other probes could be used to strengthen the profiling attempt of his devices. IMO I think profiling aides in automating certain tasks and can be powerful if properly used. I would assume flexauth is enabled on the admin's interfaces since it is 2019. Maybe I should not have assumed that. Obviously I agree that 8021x with eap-tls is more secure. The points made are valid, but I think we need to remember the general phrase security in-depth. Someone would have to know the network range, how to get in the building, then an area they know that connects back to the device, among many other items, etc. Like @SHABEEB KUNHIPOCKER mentioned anomalous detection is another mechanism that could be used to deter threats. I think I could go on and on, but I think we get it :)

Hi,

Could pls name any third party tool that can do profiling and upload the results to ISE via pXgrid?.

Regards

Shabeeb

You can look for such partners on Cisco MarketPlace. Example: http://marketplace.cisco.com/catalog/solution/165126?pid=173917

Craig Hyps

Hi Kevin,

The issue in using OUI based profiling is that a penetration tester can easily bypass it through a Mac address changer tool. The customer is sticking  to that point from the beginning. I am thinking about NMAP or netflow. But I don't know performance impact of these probes on a PSN. Otherwise there should be a way to integrate ISE with the video management solution (milestone in our case) and pull the inventory from there. Any thoughts ?

Thanks

Hi,

Is there anyone here who successfully used NMAP probes in a large environment let's say 10000 endpoints with two PSNs?.Kindly advise the performance.

Thanks 

Shabeeb

The NMAP performance depends on the scanning parameters. I would also suggest to do it in smaller batches.

REF: ISE Profiling Design Guide > Profiling Using the Network Scan (NMAP) Probe > Procedure 49 Run a Network Scan

In general, the performance impact is minimal for NMAP probe since scan only run for a given endpoint automatically when:

1. First time scan when IP address learned for endpoint.
2. If profile match set to trigger scan -- In default profiler policy, this can occur in specific cases such as endpoints that match initial profile equal to generic Apple or Windows device and a scan could lead to more specific result.

As Hsing-Tsu noted, if performing manual NMAP scan, then best to perform in smaller batches and preferably during times of reduced network activity.  Of course, if endpoints shut down at end of day, then after hours scanning will end up missing endpoints.  Custom scans can be configured to validate ping reachability prior to scan.

/C