Profiling Endpoints with Static IP

Hi All,

I am facing some challenges in profiling a few endpoints with static IP addresses.

1- HP printers with static IP

From the RADIUS probe alone the printers were identified as "HP-Device", which would include the HP laptops as well. So I tried to configure an SNMPv2 string on the printer itself and configured the same in the ISE profiler settings. I wrote a profiling policy with 2 rules: the first one matches the SNMP system description attribute and assigns a certainty factor of 25, and the second rule has a network scan action based on the printer subnet. I was able to profile the printer properly after I made these changes, but a weird issue happened with the HP printers: once the SNMP string is configured they seem to go offline. The ping to the printer works but users were unable to print. So I asked the customer to configure a DHCP scope for the printer subnet and reserve specific IPs for specific printers using their MAC addresses. Then I used DHCP probes in ISE to profile the printers. It works quite fine. Is this a recommended method or is there a better way?

2- CCTV Cameras

The customer has CCTV cameras from around 8 vendors. I was thinking of the same NMAP+SNMP query which I did initially for printers, but I found that some of the cameras do not support SNMP. The customer cannot assign dynamic IPs to the cameras since the camera subnet does not have access to the DHCP server. So I cannot use DHCP probes in this case. What would be the best profiling method to use in such cases? The customer does not want to go with static endpoint groups with MAC addresses since it will fail them in pen tests.

My question is generally: to profile endpoints with static IPs, what is the recommended method?

Regards

Shabeeb

Accepted Solution

Determine if cameras support CDP / LLDP and then use SNMP probe (or Device Sensor with RADIUS probe) to fetch results.  For example, "All AXIS products starting with FW 8.50.1 support power negotiation using the Cisco Discovery Protocol (CDP) up to IEEE 802.3at 30 watts.  By default, the camera is capable of power negotiating power via CDP as well as LLDP. Which protocol is used depends on the switch configuration, in case both protocols are enabled on the switch, first come first served. Unlike LLDP, there is no CDP traffic sent out from the camera by default regularly unless the network switch initiates CDP capabilities."

There are also 3rd-party tools that can profile all cameras and feed results to ISE over pxGrid.

Anomaly Detection only checks for changes in DHCP or profile from WS to printer/phone, so a camera with static IP would not fall into this bucket.

13 Replies

Mike.Cifelli
VIP Alumni
IMO you have a couple of options.
For both scenarios it may be possible to profile using IP:ip STARTSWITH. Essentially if your printers are in one vlan or ip pool you could profile them based on the first three octets. I have seen this used and there are usually no issues. Then if you wanted to build out child policies underneath the "printer or camera" global policy to narrow down more specifics you could. In order to be profiled by a child policy an endpoint must meet the parent policy first. For the Printer scenario you could also utilize DHCP:host-name STARTSWITH condition. If you have a naming convention that is followed for all printers this is a viable option as well.
Good luck & HTH!

Hi @Mike.Cifelli

Profiling based on Source IP Address is a bit of a cheat, isn't it?  Not really profiling at all.  It means anyone can plug a device into a port, get an IP address from DHCP and claim to be a printer/light-bulb/whatever.   What form of profiling have we achieved at that point?

Makes me question Profiling in general:  Sure, it's easy enough to clone a MAC address and pretend to be a printer.  But I would never create an AuthZ Rule to put a device in VLAN x because of a simple OUI match.  In my opinion it would require more certainty than that - SNMP etc.

I get an uneasy feeling with profiling in general - leaving it up to ISE to classify devices and dynamically re-authenticate them.  I trust that ISE can do it, but I am more concerned about the hacking attempts of users who can exploit the simplistic fingerprinting/profiling techniques that seem to be bandied around the place.

I think I could sleep well at night, knowing that ISE is checking SNMP + NMAP + Netflow against each device as it connects to the network - but this is not always feasible because there might not be an SNMP agent on each endpoint, and Netflow is a PSN killer (and requires extra setup).  I have yet to drink the Kool-Aid ...

Needless to say, I have not deployed profiling in any of my customers since they all share the same level of concern as I do.  We do EAP-TLS and MAB where possible. Anything else just ain't gettin' on.

What do others think?  Am I being too bleak? :)

Hi,

@Arne Bier  I totally agree with you. Using source IP as the single condition in the profiling policy is not what we expect from profiling. Regarding NMAP, I tried to run an NMAP query from the ISE towards one camera, and ISE identified the device as a Cisco 6506 router! I did NMAP from a Linux workstation to the same camera, and it identified the device as ip-web-camera. I opened a ticket with Cisco and they said NMAP has some known issues.

How about DNS probes? Do they help in profiling such endpoints? Actually I am kind of lost, since the major reason the customer bought ISE is to utilize the profiling functionality, since they get comments (like MAC spoofing) when they do penetration tests.

I might use anomalous detection for MAC spoofing, but even that does not address all the scenarios of MAC spoofing.

...Regarding NMAP, I tried to run an NMAP query from the ISE towards one camera, and ISE identified the device as a Cisco 6506 router! I did NMAP from a Linux workstation to the same camera, and it identified the device as ip-web-camera. I opened a ticket with Cisco and they said NMAP has some known issues.

If your TAC case is still open, please ask them to explain why there are two different results. In case it is due to different versions of NMAP, then ask TAC to open a bug for that.

How about DNS probes? Do they help in profiling such endpoints?...

See ISE Profiling Design Guide > Profiling Using the DNS Probe

@ArneBier I agree to a certain extent on your points. I should have elaborated more on the example ideas. Reservations in DHCP could be enabled for the printers and other probes could be used to strengthen the profiling attempt of his devices. IMO I think profiling aids in automating certain tasks and can be powerful if properly used. I would assume flexauth is enabled on the admin's interfaces since it is 2019. Maybe I should not have assumed that. Obviously I agree that 802.1X with EAP-TLS is more secure. The points made are valid, but I think we need to remember the general phrase "security in depth". Someone would have to know the network range, how to get in the building, then an area they know that connects back to the device, among many other items, etc. Like @SHABEEB KUNHIPOCKER mentioned, anomalous detection is another mechanism that could be used to deter threats. I think I could go on and on, but I think we get it :)


Hi,

Could you please name any third-party tool that can do profiling and upload the results to ISE via pxGrid?

Regards

Shabeeb

You can look for such partners on Cisco MarketPlace. Example: http://marketplace.cisco.com/catalog/solution/165126?pid=173917

Craig Hyps

Kevin S Hatch
Level 1
Printers-

I use DHCP Reservations for HP Printers as well. One thing that you may want to look at is: Check the Self-signed Cert that came from HP on the printer. They are usually valid for 5 years from date of Manufacture. You may need to re-generate the Cert on the device. I have had them fail getting on the network, if older than 5 years...

CCTV Cameras-

One option would be to create a profile for each vendor. Use the MAC OUI field. Then create a Logical profile called CCTV and put all of the vendor profiles into the Logical profile.

Kevin

Hi Kevin,

The issue in using OUI-based profiling is that a penetration tester can easily bypass it through a MAC address changer tool. The customer has been sticking to that point from the beginning. I am thinking about NMAP or NetFlow, but I don't know the performance impact of these probes on a PSN. Otherwise there should be a way to integrate ISE with the video management solution (Milestone in our case) and pull the inventory from there. Any thoughts?

Thanks
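To make the trade-off in this thread concrete (Mike's "IP STARTSWITH" and parent/child policies, Arne's objection that IP- or OUI-only matches are trivially spoofed, Kevin's per-vendor OUI policies grouped into a CCTV logical profile, and the accepted answer's CDP/LLDP evidence), here is a small added Python model of certainty-factor profiling. It is an illustration written for this thread, not Cisco code; the attribute names (OUI, IP, DHCP:host-name, SNMP:sysDescr, LLDP:lldpSystemDescription) imitate ISE's naming but the engine, the policies, the MAC/vendor strings and the endpoints are all constructed and simplified. The point it shows: a policy whose threshold can be reached from IP or OUI alone accepts a device that merely cloned a printer's MAC, while a policy whose threshold needs probe evidence (SNMP sysDescr, LLDP system description) does not.

```python
"""Toy certainty-factor profiler modelled on ISE profiling policies.
Added example for this thread, not Cisco code; everything here is constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rule:
    attribute: str
    operator: str      # STARTSWITH | CONTAINS | EQUALS
    value: str
    certainty: int     # certainty factor added when the rule matches

    def matches(self, endpoint: Dict[str, str]) -> bool:
        actual = endpoint.get(self.attribute)
        if actual is None:          # attribute never collected by any probe
            return False
        if self.operator == "STARTSWITH":
            return actual.startswith(self.value)
        if self.operator == "CONTAINS":
            return self.value in actual
        if self.operator == "EQUALS":
            return actual == self.value
        raise ValueError(f"unknown operator {self.operator}")


@dataclass
class Policy:
    name: str
    min_certainty: int              # minimum total certainty factor to match
    rules: List[Rule]
    parent: Optional["Policy"] = None   # a child needs its parent to match first

    def score(self, endpoint: Dict[str, str]) -> int:
        return sum(r.certainty for r in self.rules if r.matches(endpoint))

    def matches(self, endpoint: Dict[str, str]) -> bool:
        if self.parent is not None and not self.parent.matches(endpoint):
            return False
        return self.score(endpoint) >= self.min_certainty

    def depth(self) -> int:
        return 0 if self.parent is None else 1 + self.parent.depth()


# Constructed policies. Printer-by-IP is the "IP STARTSWITH" shortcut; the
# HP-Printer and camera policies cannot reach their threshold without SNMP or
# CDP/LLDP evidence, which a MAC-cloning device does not supply.
PRINTER_BY_IP = Policy("Printer-by-IP", 30, [Rule("IP", "STARTSWITH", "10.1.50.", 30)])
HP_PRINTER = Policy("HP-Printer", 40, [
    Rule("OUI", "CONTAINS", "Hewlett", 10),
    Rule("DHCP:host-name", "STARTSWITH", "PRN-", 10),
    Rule("SNMP:sysDescr", "CONTAINS", "LaserJet", 30),
])
HP_M404 = Policy("HP-LaserJet-M404", 20,
                 [Rule("SNMP:sysDescr", "CONTAINS", "M404", 20)], parent=HP_PRINTER)
AXIS_CAMERA = Policy("Axis-Camera", 40, [
    Rule("OUI", "CONTAINS", "Axis", 10),
    Rule("LLDP:lldpSystemDescription", "CONTAINS", "AXIS", 30),
])
HIKVISION_CAMERA = Policy("Hikvision-Camera", 40, [
    Rule("OUI", "CONTAINS", "Hikvision", 10),
    Rule("LLDP:lldpSystemDescription", "CONTAINS", "HIKVISION", 30),
])
POLICIES = [PRINTER_BY_IP, HP_PRINTER, HP_M404, AXIS_CAMERA, HIKVISION_CAMERA]
# Logical profile: one group that authorization rules can reference.
LOGICAL_PROFILES: Dict[str, Set[str]] = {"CCTV": {"Axis-Camera", "Hikvision-Camera"}}


def matching_policies(endpoint: Dict[str, str], policies=POLICIES) -> Set[str]:
    return {p.name for p in policies if p.matches(endpoint)}


def profile(endpoint: Dict[str, str], policies=POLICIES) -> str:
    """Most specific match: deepest child wins, then highest certainty score."""
    hits = [p for p in policies if p.matches(endpoint)]
    if not hits:
        return "Unknown"
    return max(hits, key=lambda p: (p.depth(), p.score(endpoint))).name


def in_logical_profile(endpoint: Dict[str, str], logical: str, policies=POLICIES) -> bool:
    return bool(matching_policies(endpoint, policies) & LOGICAL_PROFILES[logical])


# Constructed endpoints: MACs and vendor strings are placeholders, not real OUIs.
REAL_PRINTER = {"MAC": "00:11:22:aa:bb:01", "OUI": "Hewlett Packard", "IP": "10.1.50.21",
                "DHCP:host-name": "PRN-LOBBY-01", "SNMP:sysDescr": "HP LaserJet M404dn"}
# Device that cloned the printer's MAC and took its port: same OUI and IP,
# but no SNMP agent answers the profiler's community string.
SPOOFED_PRINTER = {"MAC": "00:11:22:aa:bb:01", "OUI": "Hewlett Packard", "IP": "10.1.50.21",
                   "DHCP:host-name": "laptop-42"}
REAL_CAMERA = {"MAC": "00:11:22:cc:dd:01", "OUI": "Axis Communications", "IP": "10.1.60.5",
               "LLDP:lldpSystemDescription": "AXIS Network Camera"}
SPOOFED_CAMERA = {"MAC": "00:11:22:cc:dd:01", "OUI": "Axis Communications", "IP": "10.1.60.5"}

if __name__ == "__main__":
    for label, ep in [("real printer", REAL_PRINTER), ("spoofed printer", SPOOFED_PRINTER),
                      ("real camera", REAL_CAMERA), ("spoofed camera", SPOOFED_CAMERA)]:
        print(f"{label:16} -> {profile(ep):18} matches={sorted(matching_policies(ep))}"
              f" CCTV={in_logical_profile(ep, 'CCTV')}")
```

Running it, the real printer lands in the child policy HP-LaserJet-M404 (parent HP-Printer reaches 50 from OUI + host-name + sysDescr), while the cloned-MAC device only satisfies Printer-by-IP, which is exactly the policy Arne calls a cheat. Likewise the camera that answers LLDP reaches the Axis-Camera threshold and is therefore in the CCTV logical profile, whereas the cloned-MAC camera stays Unknown because OUI alone is worth 10 of the required 40. The numbers are arbitrary; what matters is that the threshold is unreachable from attributes an endpoint can simply assert about itself.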

Hi,

Is there anyone here who has successfully used NMAP probes in a large environment, let's say 10000 endpoints with two PSNs? Kindly advise on the performance.

Thanks

Shabeeb

The NMAP performance depends on the scanning parameters. I would also suggest doing it in smaller batches.

REF: ISE Profiling Design Guide > Profiling Using the Network Scan (NMAP) Probe > Procedure 49 Run a Network Scan

In general, the performance impact is minimal for the NMAP probe, since a scan only runs for a given endpoint automatically when:

  1. First-time scan when the IP address is learned for the endpoint.
  2. If the profile match is set to trigger a scan -- in the default profiler policy, this can occur in specific cases such as endpoints that match an initial profile equal to a generic Apple or Windows device, where a scan could lead to a more specific result.

As Hsing-Tsu noted, if performing a manual NMAP scan, then it is best to perform it in smaller batches and preferably during times of reduced network activity.  Of course, if endpoints shut down at the end of the day, then after-hours scanning will end up missing endpoints.  Custom scans can be configured to validate ping reachability prior to the scan.

/C