6 Replies Latest reply on Mar 19, 2013 2:26 PM by mathr601

    Rogue detection - Policy - Interfaces settings

      Hi guys,

      I put a check on "Do not listen on interfaces whose IP addresses are included in the following networks:"

      With the following IP: 192.168.1.1/27

      Now why does the ePO report rogues with IPs like: 192.168.1.8, 192.168.1.12, etc.?

      Isn't it supposed to reject rogues whose IPs are between 192.168.1.1 and 192.168.1.30?

      I configured the policy before I installed the sensors.

      Do I need to do something else?

      Thanks

        • 1. Re: Rogue detection - Policy - Interfaces settings
          andrep1

          The rogue sensor will identify devices that broadcast any addresses on one of your subnets on which a sensor is listening. It will enable you to identify those devices and potentially take actions.

          If you've enabled scan system OS for details, it will be useful to identify the rogue devices except for devices in the subnets that you mention in your question. In that case, it will go directly to the default gateway since it is the only way IP knows how to handle that address.

          Remember RSD will not do any type of blocking, it just logs.

          • 2. Re: Rogue detection - Policy - Interfaces settings

            I did not enable scan system OS for details because a lot of users have HIPS installed and when the sensors or ePO (not sure) scan the ports it is flagged and blocked by the IPS module.

            The first 30 IPs of the subnet are reserved for network printers, switches, etc. I don't want them to be reported as rogue.

            I thought that setting up the Interfaces with the range I want to avoid being reported would do the trick.

            (I don't want these IPs to show up in Detected Systems -> Rogue)

            • 3. Re: Rogue detection - Policy - Interfaces settings
              andrep1

              What is the detection method for those devices, DHCP or broadcast?

              • 4. Re: Rogue detection - Policy - Interfaces settings

                Both

                I put one sensor on the DHCP server and now I want to roll out the sensors on every segment. So the DHCP monitoring in the Policy is enabled.

                • 5. Re: Rogue detection - Policy - Interfaces settings
                  andrep1

                  Took me a day to wake up.

                  The setting is called "Do not listen on interfaces whose IP addresses are included in the following networks:" This refers to the sensor server's NICs. Basically, this setting says that if you had a NIC connected to 192.168.x.x, it could be safely ignored. But it won't exclude detections from those networks coming in to RSD. What you can do is stop the OS detection details with this setting: " "

                  What we do to keep it clean is that we have a few queries defined (Printers by naming convention, Printers by OUI, Network equipment by OUI) and we run those queries in a server task every few hours to classify the exceptions in their respective categories. Granted we could use automatic response, but in an environment our size it would be difficult.

                  So does this help a bit more?

                  • 6. Re: Rogue detection - Policy - Interfaces settings

                    Hi!

                    Thanks for the info and sorry for the delay.

                    Like I said I did not enable the OS detection because of issues with HIPS.

                    I think in order for the default automatic response "RSD: Query New Rogue Detection Printers, Routers, ..." to do its job, the OS detection must be on. So in my case it doesn't work.

                    I created a query that looks for new rogues with a specific IP range. Then I created an automatic response based on that query that flags these rogues as exceptions. It seems to be working flawlessly!

                    Thanks for your help
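An added example, not from the thread and not ePO's own code or query language, that models the two points settled above: the "Do not listen on interfaces" setting filters the sensor's own NICs rather than the detections it reports, and the working fix is to classify detections by IP range (the poster's query) and, as andrep1 describes, by OUI or naming convention, then file them as exceptions. The Detection record shape, the OUI prefixes and the sample detections are constructed for the example; the network string is the one the poster typed, and the code shows why 192.168.1.1/27 means the block .0 to .31 with usable hosts .1 to .30.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example network, written exactly as the original poster typed it
# into the policy: "192.168.1.1/27". A /27 has 32 addresses, so this is really
# the block 192.168.1.0/27 (.0 through .31); .1 to .30 are the usable hosts the
# poster reserved for printers and switches. strict=False accepts the host
# address form instead of raising ValueError on the set host bits.
RESERVED_NETWORK = ipaddress.ip_network("192.168.1.1/27", strict=False)

# Constructed OUI (first three octets of the MAC) sets for the "by OUI" queries
# described in the thread. These prefixes are placeholders, not real vendor
# assignments.
PRINTER_OUIS = {"00:11:22"}
NETWORK_EQUIPMENT_OUIS = {"aa:bb:cc"}


@dataclass(frozen=True)
class Detection:
    """One RSD-style detection record (constructed shape, not ePO's schema)."""
    ip: str
    mac: str
    hostname: str


def sensor_listens_on(nic_ip, excluded_networks=(RESERVED_NETWORK,)):
    """Model of the policy setting from the thread: it applies to the sensor's
    own NICs, so a sensor NIC inside an excluded network is not used for
    listening. It says nothing about which detected hosts get reported."""
    addr = ipaddress.ip_address(nic_ip)
    return not any(addr in net for net in excluded_networks)


def classify(det):
    """File a detection the way the thread's queries do: reserved IP range
    first, then printers (by OUI or naming convention), then network gear;
    anything left is still a rogue."""
    addr = ipaddress.ip_address(det.ip)
    if addr in RESERVED_NETWORK:
        return "exception:reserved-range"
    oui = det.mac.lower()[:8]
    if oui in PRINTER_OUIS or det.hostname.lower().startswith("prn-"):
        return "exception:printer"
    if oui in NETWORK_EQUIPMENT_OUIS:
        return "exception:network-equipment"
    return "rogue"


def triage(detections):
    """Group detections by category, returning {category: [ip, ...]}."""
    groups = {}
    for det in detections:
        groups.setdefault(classify(det), []).append(det.ip)
    return groups


# Constructed sample detections, as a sensor listening on 192.168.1.50 might
# report them; the first two are the addresses the poster asked about.
SAMPLE_DETECTIONS = [
    Detection("192.168.1.8", "00:11:22:33:44:55", "prn-lobby"),
    Detection("192.168.1.12", "de:ad:be:ef:00:01", "core-sw1"),
    Detection("192.168.1.40", "00:11:22:aa:bb:cc", "HPFA12B3"),
    Detection("192.168.1.77", "aa:bb:cc:00:00:01", "edge-ap2"),
    Detection("192.168.1.99", "de:ad:be:ef:00:02", "unknown-laptop"),
]

if __name__ == "__main__":
    print("reserved block:", RESERVED_NETWORK,
          "usable hosts:", len(list(RESERVED_NETWORK.hosts())))
    print("sensor NIC 192.168.1.5 listens:", sensor_listens_on("192.168.1.5"))
    print("sensor NIC 192.168.1.50 listens:", sensor_listens_on("192.168.1.50"))
    for category, ips in triage(SAMPLE_DETECTIONS).items():
        print(f"{category}: {ips}")
```

Running it shows a sensor NIC at 192.168.1.5 would be skipped while one at 192.168.1.50 still listens on the same broadcast domain, which is why .8 and .12 were reported; the triage step is what moves them into the exception bucket, mirroring the query plus automatic response the poster ended up with.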