Former Member
Message 1 of 11

Rogue Sensors

How can I let a Rogue Sensor scan a network part that is on another subnet.
I can't find any settings to expand the IP range for scanning.

Anyone knows? TIA
10 Replies
Former Member
Message 2 of 11

RE: Rogue Sensors

As far as I know (and I'm remembering this from a training course, not through experience - we don't have RD enabled), a Rogue Sensor can only detect within that subnet. You have to install another sensor on the target subnet if you want it scanned.
Former Member
Message 3 of 11

RE: Rogue Sensors

He's right...
RSD uses WinPcap and captures ARP, RARP, some IP traffic and DHCP traffic. Each subnet requires a sensor since this traffic does not get forwarded by switches.

You could investigate the option to install RSD on DHCP servers. RSD then can report on all the subnets that this DHCP server handles.

This may get what you are after.
Former Member
Message 4 of 11

RE: Rogue Sensors

Just to give you this in option format:

1) Install RSD on DHCP servers (we've had some issues with clients not being able to pull an IP fast enough and it was pointed at RSD)
2) Install RSD on random devices throughout the subnet (leave off mobile devices, preferably devices that sit still and are not used a lot)
3) Use desktop management software/NAP to deploy the package rather than ePO

hope this helps.

Seats.
JoeBidgood
McAfee Employee
Message 5 of 11

RE: Rogue Sensors

Just to add a point - it depends to a certain extent on what you want RSD to do for you. If you want it to pick up your new machines as they are added to the network and deploy an agent to them, say, then this approach is fine. However if you want RSD to detect potentially unwanted machines in your environment, then just having a sensor on the DHCP server may not be enough since a rogue machine with a static IP will never request an address and the sensor on the DHCP server won't see it.
If you're worried about hostile machines and want to cover all the bases, then you'll need a sensor per subnet.

JB
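The two points made in messages 3 and 5 (a sensor only sees the ARP/DHCP traffic of its own segment, and a sensor that only watches DHCP never sees a static-IP machine) can be shown with a small passive inventory. The code below is an added example, not McAfee's RSD sensor code: it parses raw Ethernet frames, records every host that announces itself via ARP, records which hosts actually asked DHCP for a lease, and reports the hosts that never did. The frames, MAC addresses and IP addresses are constructed in-line for the demonstration.

```python
"""Passive per-segment host inventory (added example, not RSD's own code).

Hosts seen in ARP but never in a DHCP DISCOVER/REQUEST are the static-IP
machines a DHCP-server-only sensor cannot observe. All frames are constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import Dict, Set

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
DHCP_MAGIC = b"\x63\x82\x53\x63"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class SubnetInventory:
    arp_hosts: Dict[str, Set[str]] = field(default_factory=dict)  # MAC -> IPs claimed via ARP
    dhcp_clients: Set[str] = field(default_factory=set)           # MACs seen in DISCOVER/REQUEST

    def ingest(self, frame: bytes) -> None:
        """Dispatch one Ethernet frame by EtherType; anything else is ignored."""
        if len(frame) < 14:
            return
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETHERTYPE_ARP:
            self._ingest_arp(frame[14:])
        elif ethertype == ETHERTYPE_IPV4:
            self._ingest_ipv4(frame[14:])

    def _ingest_arp(self, pkt: bytes) -> None:
        # Ethernet/IPv4 ARP: htype=1, ptype=0x0800, hlen=6, plen=4, then sha/spa/tha/tpa.
        if len(pkt) < 28:
            return
        htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", pkt[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return
        self.arp_hosts.setdefault(mac_str(pkt[8:14]), set()).add(ip_str(pkt[14:18]))

    def _ingest_ipv4(self, pkt: bytes) -> None:
        # Only client->server DHCP (UDP 68 -> 67) matters for the lease record.
        if len(pkt) < 20:
            return
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] != 17 or len(pkt) < ihl + 8:          # protocol 17 = UDP
            return
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if (sport, dport) != (68, 67):
            return
        bootp = pkt[ihl + 8:]
        if len(bootp) < 240 or bootp[236:240] != DHCP_MAGIC:
            return
        chaddr = mac_str(bootp[28:34])
        opts, i = bootp[240:], 0
        while i < len(opts) and opts[i] != 255:      # option 255 = end
            if opts[i] == 0:                          # option 0 = pad
                i += 1
                continue
            if i + 1 >= len(opts):
                break
            code, length = opts[i], opts[i + 1]
            value = opts[i + 2:i + 2 + length]
            if code == 53 and value in (b"\x01", b"\x03"):   # DISCOVER or REQUEST
                self.dhcp_clients.add(chaddr)
            i += 2 + length

    def static_ip_hosts(self) -> Dict[str, Set[str]]:
        """Hosts that spoke ARP on this segment but never asked DHCP for a lease."""
        return {m: ips for m, ips in self.arp_hosts.items() if m not in self.dhcp_clients}


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


def build_dhcp_discover(client_mac: bytes) -> bytes:
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x12345678, 0, 0x8000)
             + b"\x00" * 16                       # ciaddr, yiaddr, siaddr, giaddr
             + client_mac + b"\x00" * 10          # chaddr (16 bytes)
             + b"\x00" * 64 + b"\x00" * 128       # sname, file
             + DHCP_MAGIC + b"\x35\x01\x01\xff")  # option 53 = DISCOVER, then end
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(bootp),
                     0, 0, 64, 17, 0, b"\x00" * 4, b"\xff" * 4)
    eth = b"\xff" * 6 + client_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + bootp


def run_demo() -> Dict[str, Set[str]]:
    """Constructed scenario: one DHCP client and one static-IP host on the same segment."""
    laptop = bytes.fromhex("001122334455")   # constructed MAC of a normal DHCP client
    rogue = bytes.fromhex("deadbeef0001")    # constructed MAC of a static-IP machine
    inv = SubnetInventory()
    inv.ingest(build_dhcp_discover(laptop))
    inv.ingest(build_arp_request(laptop, bytes([10, 0, 0, 50]), bytes([10, 0, 0, 1])))
    inv.ingest(build_arp_request(rogue, bytes([10, 0, 0, 200]), bytes([10, 0, 0, 1])))
    return inv.static_ip_hosts()


if __name__ == "__main__":
    print(run_demo())  # {'de:ad:be:ef:00:01': {'10.0.0.200'}}
```

Because ARP and DHCP DISCOVER are link-layer broadcasts, a capture like this only ever sees the segment its interface sits on; that is the whole reason a sensor per subnet is needed. A listener placed only at the DHCP server would have recorded the laptop's lease and nothing at all about the second host.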
Former Member
Message 6 of 11

RE: Rogue Sensors

JB hit the nail on the head. If you have TPS you might want to look into NAC, which would allow you to only allow systems on the network if they meet compliance. With RSD in a large environment there are a lot of problems.

Seats
Former Member
Message 7 of 11

RE: Rogue Sensors

Hi,
has anyone figured out which rule I have to create so that the clients with Host Intrusion Prevention 7.0.4 and active firewall don't get a warning with UDP Port Scan when the RSD is scanning?

There is a rule for rssensor like this, but it brings nothing.
Our users still get this popup.
JoeBidgood
McAfee Employee
Message 8 of 11

RE: Rogue Sensors

You're always going to get this, as far as I know: the sensor is effectively doing a port scan, and HIPs is alerting accordingly. The only way to stop this would be to reduce the functionality of HIPs, which I'm sure you don't want to do, or to avoid scanning the machine.

In ePO 4.0 this means turning off the OS detection in the sensor policy: in ePO 4.5, you can mark the machines you don't want scanned as exceptions and then the sensors will ignore them.

HTH -

Joe
Former Member
Message 9 of 11

RE: Rogue Sensors

Hi,
I can't believe that this is the only way.
We are a small company, but in a bigger company with thousands of clients you can't send a mail to thousands of users that they must click on accept.....

That can't be the point ^^
I can create firewall rules and intrusion policies but I have no idea which I have to create for this.
JoeBidgood
McAfee Employee
Message 10 of 11

RE: Rogue Sensors

Unfortunately these are mutually exclusive operations... the sensor performs a port scan, and HIPs detects port scans. If there was a way to tell HIPs to ignore the type of port scan that the sensor uses, you'd be introducing a hole in your coverage: it would be comparatively simple for malware to mimic the sensor's activity and so go undetected.

Joe