[c-nsp] Cisco ISE - NMAP Profiling

Steve Housego Steve.Housego at itps.co.uk
Tue Jan 12 08:56:23 EST 2016


Hi All,

Has anyone got any experience with ISE Profiling in relation to static IP devices and NMAP Scanning?

I have the situation where we have some statically addressed devices that do not support EAP.

Scenario:

I have a ‘catch-all’ MAB authorisation rule matching the built in ‘Wired MAB’ condition but delivering a downloadable ACL permitting return traffic back to ISE to support NMAP scanning (and dhcp but not relevant for this scenario).

Once authenticated, ISE nmap scans the device and detects the device (finds various ports, SNMP hostnames etc.), let's call it a RICOH printer. It sends the CoA to the switch, which re-runs through the authorisation rules and now matches a more specific rule which permits full access to the network.

All great... until

I configure another device (evil hax0r's laptop) with the same MAC/IP address, unplug the printer and plug in my laptop. I gain full network access and seemingly I'm never 're-profiled' (within my test 12 hour window anyway, plenty of time to wreak havoc).

Question:

Why would ISE not re-scan on each subsequent authentication? I have the NMAP probe enabled, and NMAP scan is in the policy for ‘ricoh-printer’.

If ISE inherently has some block that prevents a re-run of the nmap scan, what is the point of profiling/nmap scans? ISE is simply using standard MAB at this point; we might as well have stuck with Cisco ACS.

Whilst I appreciate an NMAP scan could take anywhere from 5-10 seconds, we would simply scale up the environment to cater for how many concurrent scans would need to take place. Our PSNs are all dual quad-core CPUs and we'd even be happy to dedicate PSNs as nmap probes; in theory we should be able to crank out 10s if not 100s of nmap scans simultaneously (which would likely never be a required scenario anyway).

As we don't use re-authentication timers, a device could be on the network for months or even years, requiring only 1 nmap scan per host per x weeks/months of use. Even then, the number of hosts we'd require the full nmap scan on is so few, as the majority of our estate is EAP-TLS and doesn't require nmap scanning.

I'm either missing something obvious or Cisco have really missed a trick here in relation to static IP devices/NMAP. It seems so sensible to assume there would be an endpoint profile comparison post authentication and a CoA sent if the host has changed, and I can't think of a downside of doing so. Even if it took 10 mins to complete an NMAP scan and feed the info into the DB, at least the attacker would be kicked off; in the current scenario the attacker can stay on the network until someone realises the printer isn't printing anymore.

Further:

I'm aware I could restrict the printer/potential attacker's access with dACLs etc., however Cisco is banging on about ISE and profiling etc., and it seemingly can't even protect the low hanging fruit.


Thanks
SteveH

Steve Housego
Principal Consultant

IT Professional Services
Axwell House
Waterside Drive
Metrocentre East Business Park
Gateshead
Tyne & Wear NE11 9HU

T. 0191 442 8300
F. 0191 442 8301

Steve.Housego at itps.co.uk

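The post-authentication profile comparison the author wishes ISE performed, worked through as an added example that is not part of the original post and not Cisco ISE's own logic: a baseline profile recorded for a MAB-authorised MAC is compared with a fresh nmap result for the same session, and a drift score decides whether to keep the session, re-profile it, or issue a CoA. The MAC is taken from the RADIUS session (Calling-Station-Id) rather than the scan. The baseline, the two nmap XML samples (laid out in nmap's real `-oX` structure), the weights and the revoke threshold are all constructed for this example; the `hostscript`/`snmp-sysdescr` element mirrors how nmap reports NSE script output, but the sysDescr text is invented.

```python
import xml.etree.ElementTree as ET

# Constructed weights/threshold: port set changes count most, OS and SNMP identity less.
PORT_WEIGHT, OS_WEIGHT, SNMP_WEIGHT = 0.5, 0.25, 0.25
REVOKE_THRESHOLD = 0.5  # drift at or above this -> CoA, re-authorise from the catch-all rule

# Constructed baseline: what was learned when the printer's MAC was first profiled.
BASELINE = {
    "00:26:73:aa:bb:cc": {
        "open_ports": {80, 443, 515, 631, 9100},
        "os_match": "Embedded printer",
        "snmp_sysdescr": "RICOH Printer (constructed sysDescr)",
    }
}

# Constructed nmap -oX output: the same printer scanned again on a later session.
SCAN_XML_PRINTER = """<nmaprun>
 <host>
  <address addr="10.1.1.50" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
   <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
   <port protocol="tcp" portid="515"><state state="open"/><service name="printer"/></port>
   <port protocol="tcp" portid="631"><state state="open"/><service name="ipp"/></port>
   <port protocol="tcp" portid="9100"><state state="open"/><service name="jetdirect"/></port>
  </ports>
  <os><osmatch name="Embedded printer" accuracy="90"/></os>
  <hostscript><script id="snmp-sysdescr" output="RICOH Printer (constructed sysDescr)"/></hostscript>
 </host>
</nmaprun>"""

# Constructed nmap -oX output: a different host now answering on the printer's MAC/IP.
SCAN_XML_LAPTOP = """<nmaprun>
 <host>
  <address addr="10.1.1.50" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
   <port protocol="tcp" portid="9100"><state state="closed"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows 10" accuracy="95"/></os>
 </host>
</nmaprun>"""


def parse_nmap_host(xml_text):
    """Pull open TCP ports, the best OS match and snmp-sysdescr output from one-host nmap XML."""
    host = ET.fromstring(xml_text).find("host")
    profile = {"open_ports": set(), "os_match": None, "snmp_sysdescr": None}
    for port in host.findall("ports/port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            profile["open_ports"].add(int(port.get("portid")))
    best = None
    for match in host.findall("os/osmatch"):  # keep the highest-accuracy OS guess
        accuracy = int(match.get("accuracy", "0"))
        if best is None or accuracy > best[0]:
            best = (accuracy, match.get("name"))
    if best is not None:
        profile["os_match"] = best[1]
    for script in host.findall("hostscript/script"):
        if script.get("id") == "snmp-sysdescr":
            profile["snmp_sysdescr"] = script.get("output")
    return profile


def profile_drift(baseline, observed):
    """Weighted distance between the stored profile and the fresh scan, with reasons."""
    reasons = []
    b, o = baseline["open_ports"], observed["open_ports"]
    union = b | o
    port_distance = (1 - len(b & o) / len(union)) if union else 0.0  # Jaccard distance
    if port_distance:
        reasons.append(f"open ports changed: baseline={sorted(b)} observed={sorted(o)}")
    os_mismatch = 0.0 if observed["os_match"] == baseline["os_match"] else 1.0
    if os_mismatch:
        reasons.append(f"OS match changed: {baseline['os_match']!r} -> {observed['os_match']!r}")
    snmp_mismatch = 0.0 if observed["snmp_sysdescr"] == baseline["snmp_sysdescr"] else 1.0
    if snmp_mismatch:
        reasons.append("SNMP sysDescr missing or changed")
    score = PORT_WEIGHT * port_distance + OS_WEIGHT * os_mismatch + SNMP_WEIGHT * snmp_mismatch
    return round(score, 3), reasons


def decide(baseline_db, session_mac, xml_text):
    """Return (action, drift, reasons): 'keep', 'reprofile', 'revoke' or 'profile' (no baseline)."""
    baseline = baseline_db.get(session_mac.lower())
    if baseline is None:
        return "profile", 1.0, ["no baseline for this MAC; run the full profiling scan"]
    score, reasons = profile_drift(baseline, parse_nmap_host(xml_text))
    if score >= REVOKE_THRESHOLD:
        return "revoke", score, reasons       # send CoA; session falls back to the catch-all rule
    if score > 0:
        return "reprofile", score, reasons    # minor drift: rescan, do not change access yet
    return "keep", score, reasons


if __name__ == "__main__":
    for label, xml in (("printer", SCAN_XML_PRINTER), ("laptop", SCAN_XML_LAPTOP)):
        print(label, decide(BASELINE, "00:26:73:AA:BB:CC", xml))
```

The point of the weighting is that a printer losing one open port between scans should not trigger a CoA, while a host whose port set, OS fingerprint and SNMP identity all differ from the baseline should; tuning the weights and threshold to the estate is the part an operator would have to do.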

