6 Replies Latest reply on Sep 26, 2011 1:02 AM by Sailendra Pamidi

    Rogue System Detection

    Don_Martin

      Hello,

      I have a question about how to configure RSD properly.

      We are working with several domains and subnets and are planning to use RSD for every domain. The problem lies in how RSD goes about identifying an unauthorised system.
      As far as I understand, only the systems that belong to one domain within a subnet are authorised, while all other systems in this subnet that are unknown to the ePO server DB of this specific domain are tagged as unauthorised, whether or not those systems belong to another domain within our company and are known to another ePO server (in another domain).

      Question A
      Is there a problem in having several sensors placed in one subnet while each sensor system belongs to another domain and reports to another ePO server?

      Question B
      Is there a possible solution for an automated process like (pseudocode): If Domain 1 = false but Domain 2 = true then recognise System X = authorised and send e-mail to xyz

      In the following I will ask the same thing in German. I guess my English is not as good as it needs to be for explaining my thoughts.

      regards


      Hello,

      I have a question about RSD.

      We have several domains with several subnets. We plan to roll out RSD for every domain, but the configuration regarding the systems detected within the different subnets is proving problematic.

      It is not the rule, but across the domains there certainly are IP overlaps as far as the subnets are concerned. So a system belongs to domain B but has an IP address that is primarily used in domain A. Because of the way the ePO server works, one for each domain, the AD sync naturally gives us reports of unauthorised systems within a domain, since the ePO server checks the computer accounts against its own domain.

      Would there be known problems if several systems with sensors were deployed within one subnet, each of which belongs to a different domain and accordingly also addresses a different ePO server?

      Is there a way to configure RSD so that it also checks the systems within a subnet for domain membership, and something like (pseudocode) "If domain A = false but domain B = true then authorised system = true and send notification to xyz" can be implemented?

      Regards

      Message edited by Don_Martin on 22.09.11 05:27:43 CDT
        • 1. Re: Rogue System Detection
          rackroyd

          Hi,

          You can put sensors where you like, but don't go mad with it. 3 or 4 per network would be enough for redundancy.

          The thing to remember is that the sensors do not actually *care* about Windows domains at all; they are just listening for network traffic to identify anything on the subnets they can see that might be a rogue machine.

          When it finds something interesting, it sends the data back to ePO and ePO decides if it is authorised (i.e. it has an agent installed) or not.

          Hth.
          • 2. Re: Rogue System Detection
            Don_Martin

            Hello,

            just to be sure: I have no option except blacklisting systems, in case there are several systems within ONE subnet that belong to different domains, to prevent messages about unauthorised systems?! What a mess...

            • 3. Re: Rogue System Detection
              JoeBidgood

              Hi... I'm not completely sure I understand the question, but let me try and answer anyway. I think what you are describing is systems controlled by two separate ePO servers on the same subnet - is this correct? If so:

              Question A

              Is there a problem in having several sensors placed in one subnet while each sensor system belongs to another domain and reports to another ePO server?

              No, there's no problem here: the sensors will not interfere with each other.

              Question B
              Is there a possible solution for an automated process like (pseudocode): If Domain 1 = false but Domain 2 = true then recognise System X = authorised and send e-mail to xyz

              Yes, this is possible. Imagine you have two ePO servers, A and B. You can register the ePO servers with each other, and RSD can make use of both databases, so when a sensor belonging to server A detects a machine that belongs to server B, it can correctly identify this as "not a rogue".

              Does that make sense? Or have I misunderstood?

              Regards -

              Joe

              • 4. Re: Rogue System Detection
                Don_Martin

                Hello,

                this makes sense, and no, you haven't misunderstood my questions nor the situation, but I suppose my English seriously needs to be refreshed...

                I really appreciate your answer

                • 5. Re: Rogue System Detection
                  JoeBidgood

                  Believe me, your English is waaaaaaay better than my German

                  Glad to help -

                  Regards,

                  Joe

                  • 6. Re: Rogue System Detection
                    Sailendra Pamidi

                    To add to what Joe said, there is an option under Server Settings -> Detected Systems Compliance -> ePO Servers:

                    "Systems detected with an agent that belongs to these ePO servers should not be considered rogue." Here you can key in the name of the other ePO server whose clients you would not want to be flagged as rogue.
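As an added illustration of the rule Joe gives in reply 3 and the server setting Sailendra names in reply 6 (this is example code written for this page, not code from the thread or from the ePO product; the server names, MAC addresses and IPs are constructed sample data), a small Python model of how a detection is classified once the other domain's ePO server is registered as trusted:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class EpoServer:
    name: str
    managed_macs: frozenset  # MACs of systems whose agent reports to this server

@dataclass(frozen=True)
class Detection:
    mac: str
    ip: str

def normalise_mac(mac: str) -> str:
    """Sensors and inventories may format MACs differently; compare one form."""
    return mac.lower().replace("-", ":")

def classify(det, local, registered, exceptions=frozenset()) -> str:
    """The thread's rule: a detected system is rogue only when neither the local
    ePO server nor any registered ePO server has an agent for it, and it is not
    on the exception list (the 'blacklisting' alternative from reply 2)."""
    mac = normalise_mac(det.mac)
    if mac in local.managed_macs:
        return "managed"
    for peer in registered:  # Server Settings -> Detected Systems Compliance -> ePO Servers
        if mac in peer.managed_macs:
            return "managed by " + peer.name
    if mac in exceptions:
        return "exception"
    return "rogue"

def evaluate(detections, local, registered, exceptions=frozenset()):
    """Classify every detection and build the notifications an admin would receive."""
    statuses = {normalise_mac(d.mac): classify(d, local, registered, exceptions)
                for d in detections}
    notifications = [f"rogue {d.ip} ({normalise_mac(d.mac)}) seen by a sensor of {local.name}"
                     for d in detections if statuses[normalise_mac(d.mac)] == "rogue"]
    return statuses, notifications

# Constructed sample data: two domains sharing one subnet, one ePO server each.
SERVER_A = EpoServer("epo-a.example", frozenset({"00:11:22:aa:aa:01"}))
SERVER_B = EpoServer("epo-b.example", frozenset({"00:11:22:bb:bb:01"}))
SEEN_BY_A = [Detection("00-11-22-AA-AA-01", "10.1.0.10"),  # domain A workstation
             Detection("00-11-22-BB-BB-01", "10.1.0.20"),  # domain B workstation on the same subnet
             Detection("00-11-22-CC-CC-01", "10.1.0.30")]  # genuinely unknown device

def rogue_count(registered):
    """Number of rogue notifications server A's sensor would raise."""
    return len(evaluate(SEEN_BY_A, SERVER_A, registered)[1])

if __name__ == "__main__":
    print("without registration:", rogue_count([]))             # 2: domain B box is a false positive
    print("with server B registered:", rogue_count([SERVER_B]))  # 1: only the unknown device
```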