As far as I know (and I'm remembering this from a training course, not through experience - we don't have RD enabled), a Rogue Sensor can only detect within that subnet. You have to install another sensor on the target subnet if you want it scanned.
RSD uses WinPcap and captures ARP, RARP, some IP traffic and DHCP traffic. Each subnet requires a sensor since this traffic does not get forwarded by switches.
You could investigate the option to install RSD on DHCP servers. RSD can then report on all the subnets that this DHCP server handles.
This may get what you are after.
Just to give you this in option format:
1) Install RSD on DHCP servers (we've had some issues with clients not being able to pull an IP fast enough and it was pointed at RSD)
2) Install RSD on random devices throughout the subnet (leave off mobile devices, preferably devices that sit still and are not used a lot)
3) Use desktop management software/NAP to deploy the package rather than ePO
Hope this helps.
Just to add a point - it depends to a certain extent on what you want RSD to do for you. If you want it to pick up your new machines as they are added to the network and deploy an agent to them, say, then this approach is fine. However if you want RSD to detect potentially unwanted machines in your environment, then just having a sensor on the DHCP server may not be enough since a rogue machine with a static IP will never request an address and the sensor on the DHCP server won't see it.
If you're worried about hostile machines and want to cover all the bases, then you'll need a sensor per subnet.
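The coverage difference described in the replies above, as an added example that is not part of the original thread and is not McAfee code: a small Python model of which hosts a sensor on the DHCP server sees versus a sensor inside each subnet. The subnets, MAC addresses and frames are constructed sample data, and the model assumes one DHCP server handles both subnets.

```python
from collections import namedtuple

# Constructed sample traffic. "dhcp" = the host requested a lease (this reaches
# the DHCP server); "arp" = local broadcast that never leaves its own subnet.
Frame = namedtuple("Frame", "subnet mac kind")
FRAMES = [
    Frame("10.0.1.0/24", "00:11:22:00:00:01", "dhcp"),
    Frame("10.0.1.0/24", "00:11:22:00:00:01", "arp"),
    Frame("10.0.2.0/24", "00:11:22:00:00:02", "dhcp"),
    Frame("10.0.2.0/24", "00:11:22:00:00:02", "arp"),
    Frame("10.0.2.0/24", "00:11:22:00:00:99", "arp"),  # static IP: never asks for a lease
]
# Constructed inventory of machines that already carry an agent.
MANAGED = {"00:11:22:00:00:01", "00:11:22:00:00:02"}


def seen_by(frames, dhcp_sensor=False, subnet_sensors=()):
    """Return the set of MACs a given sensor deployment would observe."""
    seen = set()
    for f in frames:
        # Sensor on the DHCP server: sees lease requests from every subnet it serves.
        if dhcp_sensor and f.kind == "dhcp":
            seen.add(f.mac)
        # Sensor on a machine inside the subnet: sees that subnet's broadcasts.
        if f.subnet in subnet_sensors:
            seen.add(f.mac)
    return seen


def coverage_gap(frames, managed, **deployment):
    """Split active hosts into detected rogues and hosts the deployment never saw."""
    active = {f.mac for f in frames}
    seen = seen_by(frames, **deployment)
    return {
        "rogues_detected": sorted(seen - managed),
        "unseen": sorted(active - seen),
    }


if __name__ == "__main__":
    print("DHCP server only:", coverage_gap(FRAMES, MANAGED, dhcp_sensor=True))
    print("Sensor per subnet:", coverage_gap(
        FRAMES, MANAGED, subnet_sensors=("10.0.1.0/24", "10.0.2.0/24")))
```
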
JB hit the nail on the head. If you have TPS you might want to look into NAC which would allow you to only allow systems on the network if they meet compliance. With RSD in a large environment there are a lot of problems.
Has anyone figured out which rule I have to create so that clients with Host Intrusion Prevention 7.0.4 and an active firewall don't get a UDP Port Scan warning when the RSD is scanning?
There is a rule for rssensor like this, but it has no effect.
Our users still get this popup.
You're always going to get this, as far as I know: the sensor is effectively doing a port scan, and HIPs is alerting accordingly. The only way to stop this would be to reduce the functionality of HIPs, which I'm sure you don't want to do, or to avoid scanning the machine.
In ePO 4.0 this means turning off the OS detection in the sensor policy: in ePO 4.5, you can mark the machines you don't want scanned as exceptions and then the sensors will ignore them.
I can't believe that this is the only way.
We are a small company, but in a bigger company with thousands of clients you can't send a mail to thousands of users telling them that they must click on accept...
That can't be the point ^^
I can create firewall rules and intrusion policies but I have no idea which I have to create for this.
Unfortunately these are mutually exclusive operations... the sensor performs a port scan, and HIPs detects port scans. If there was a way to tell HIPs to ignore the type of port scan that the sensor uses, you'd be introducing a hole in your coverage: it would be comparatively simple for malware to mimic the sensor's activity and so go undetected.