Considerations might be:
The load this places on the XP box, as the rogue sensor might be quite busy as a result.
Sounds silly, but make sure it can't reach out externally; you really don't want the sensor attempting to scan the internet!
Possible single point of failure. If that sensor goes offline you may have no other discovery going on unless you plan a failover contingency. Normally you may place a couple of sensors per subnet, but ePO only has one active at a time. If the active sensor fails, then failover to one of the others on that network is automatic.
Functionally it sounds like it would work otherwise, but you should keep a very close eye on the performance of the XP client, and perhaps router load, initially until you're happy it is reasonable.
Being not a network guy and having no experience other than reading up on things in this respect, I'd like to ask a few things:
- how will the rogue sensor contact the ePO server?
- how will the rogue sensor scan clients that it detects?
- how will RSD policies be sent down?
For me this situation is not automatically self-explanatory unless the PC has two network cards, but the question is: by hanging with one NIC on its own LAN and the other on the SPAN port (if this is how it is), can this RSD effectively perform (not in terms of performance, but technically)? For example, how does it know that it should monitor one card but use the other for other actions?
Thank you for your explanation.
The rogue sensor sends its data back as events to ePO like any other McAfee product.
Policies are also transmitted through the usual agent-server communication process.
The networks a sensor will listen to are configurable by policy, as are the network interface(s) the sensor is bound to.
The sensor has passive & active components.
The passive part is listening to layer 2 traffic (ARP, RARP, Broadcast, IP & DHCP typically).
The active part will make NetBIOS and OS fingerprinting calls to identified machines (this can be turned off by policy, but it may affect the level of detail gathered about the systems).
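An added illustration of the passive half just described, not code from this thread or from the McAfee product: it parses constructed ARP frames the way a sensor listening on the SPAN-bound interface would, and records only hosts inside the policy-configured networks, so an address outside that scope (the "scanning the internet" worry) never becomes a candidate for the active NetBIOS/fingerprinting step. The network range, MAC addresses and IPs are constructed sample values.

```python
import struct
import ipaddress

# Networks the sensor is allowed to discover on, as an RSD policy would
# configure them (constructed value for this example).
MONITORED_NETS = [ipaddress.ip_network("10.20.30.0/24")]

def parse_arp_frame(frame: bytes):
    """Return (sender_mac, sender_ip) from a raw Ethernet/ARP frame, else None."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0806:  # not ARP: the passive listener ignores it here
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, ipaddress.ip_address(frame[28:32])

def build_arp_frame(sender_mac: bytes, sender_ip: str) -> bytes:
    """Construct a minimal broadcast ARP request (test input, not captured traffic)."""
    eth = b"\xff" * 6 + sender_mac + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
           + sender_mac + ipaddress.ip_address(sender_ip).packed
           + b"\x00" * 6 + ipaddress.ip_address("10.20.30.1").packed)
    return eth + arp  # 14-byte Ethernet header + 28-byte ARP = 42 bytes

def passive_discover(frames, monitored=MONITORED_NETS):
    """Passive discovery: map MAC -> IP for senders inside the monitored
    networks; anything else is listed as ignored so no active follow-up
    (NetBIOS / OS fingerprinting) is ever attempted outside policy scope."""
    discovered, ignored = {}, []
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if any(ip in net for net in monitored):
            discovered[mac] = str(ip)
        else:
            ignored.append(str(ip))
    return discovered, ignored

if __name__ == "__main__":
    sample = [build_arp_frame(b"\x00\x11\x22\x33\x44\x55", "10.20.30.7"),
              build_arp_frame(b"\xaa\xbb\xcc\xdd\xee\xff", "203.0.113.9")]
    print(passive_discover(sample))
```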
I'm sorry, I was using ambiguous wording. I was trying to ask how the sensor knows which interface to use when sending the information it acquired from listening to the ePO server. Or which interface should it expect policy from the ePO server on?
Or which interface to use when trying to scan clients whose MACs it detected on the interface bound to the SPAN port of the router?
Before you install the sensor, it will be an ePO-managed machine.
The sensor transmits data back as events, just like, say, VirusScan, so it uses the normal ASC channel the agent is already using.
Same goes for policies, they run through the agent not the sensor.
As for the scan interface, that's a policy choice too. You can set all or any combination as the machine has.
Thanks for the info.
The XP box in question would only be used as a rogue sensor, no other use whatsoever.
I'll be sure to check the config to ensure we don't scan the Internet.