6 Replies Latest reply on Jul 3, 2012 2:12 PM by SeaWalker999

    Rogue Sensor / Covered Subnets

      So I did a lot of searches and I could not come up with anything definitive.


      https://kc.mcafee.com/corporate/index?page=content&id=KB66028&actp=search&viewlocale=en_US&searchid=1329319012584


      The above linked KB states that in ePO 4.0 DHCP covered subnets will show up as uncovered unless there is a sensor installed on that subnet.


      I am good with that information.  But since I am now on ePO 4.5 I need to know if the same KB still applies.  Would be nice if they had updated the KB to say it affects 4.0 and 4.5.  I have sensors installed on the DHCP servers and I consider myself covered but I need some supporting information.


      Thanks in advance for any help.



        • 1. Re: Rogue Sensor / Covered Subnets
          Laszlo G

          Hi MikeyLikesIt522, the easiest way to cover subnets managed by a DHCP server should be installing a Rogue Sensor on the DHCP server itself so it will listen to any DHCP request.

          • 2. Re: Rogue Sensor / Covered Subnets

            Thanks, that's how I have it set up currently.  I have it installed on my DHCP servers; however, I am still seeing uncovered subnets while I know there is a sensor providing "coverage".  So I am assuming that 4.5 is the same as 4.0 in that unless a sensor is physically on each subnet it will report as uncovered.

            • 3. Re: Rogue Sensor / Covered Subnets
              Laszlo G

              That's right, you'll need a Rogue Sensor under every subnet not covered by the DHCP server.

              • 4. Re: Rogue Sensor / Covered Subnets

                Okay maybe I am not explaining myself right..


                DHCP Server is x.x.113.14  (Rogue Sensor Installed)

                workstation is  : x.x.98.45  (pulls IP from DHCP server, and no other Rogue Sensors on that subnet.)


                They are on different subnets; however, the Rogue Sensor sees any rogues that send DHCP requests. So the subnet is considered "covered".  x.x.98.0 still gets reported as an uncovered subnet.  This is exactly what the KB refers to and says it is working properly.  The KB is for ePO 4.0; I am just trying to find out if it applies to ePO 4.5 as well.


                I would totally have no problem installing RSS on each subnet except in my environment all the workstations are laptops as people work from home quite a bit... so if I were to do that it would result in numerous rogues being reported as people come on and off the network. 

                • 5. Re: Rogue Sensor / Covered Subnets
                  Laszlo G

                  Oops, sorry, now I understand what you were talking about.


                  That's strange, I thought that after having installed an RSD on the DHCP server, all subnets covered by this DHCP server (i.e. subnets where computers send DHCP requests to this server) should appear as covered.


                  In fact I cannot tell very much about this, as I usually don't install RSD on DHCP servers even if McAfee recommends it (I had a problem with 3 DHCP-DC servers on the same customer with BSD so I didn't try it anymore), so perhaps someone else can tell if it's normal behaviour or not.

                  • 6. Re: Rogue Sensor / Covered Subnets



                    McAfee hasn't updated the KB article, but I can tell you that RSD on EPO 4.5 is in the same boat.  Using the RSD on DHCP option means that that sensor will listen to all the DHCP traffic and report it, but will ONLY report the actual physical network it is connected to as "Covered".  To meet security requirements, we have had to backstop the RSD-DHCP sensors with additional RSD sensors within the individual physical subnets to get reported coverage.