Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3034
Views
0
Helpful
1
Replies

Controlling NMAP in ISE

Go to solution
paul
Level 10
Level 10

‎12-01-2016 12:39 AM

I have posted a few times on NMAP questions and now I have an idea I want to run by the group to validate my thinking.

I have had several customers, specifically in the healthcare and manufacturing space, that have forced me to turn off NMAP on the ISE deployment because in the past they have had NMAP take down things like PLC controllers, PACS systems, etc.  Think Qualys scanners out of control.  Even when I explain the limited nature of the scans that ISE is doing (even showing them the exact switches used in the NMAP scans) they still want me to turn it off.

The big issue is that ISE scans systems that fall into the "unknown" category and as far as I know I have no control of turning off NMAP scanning for "unknown" systems.  I can control NMAP for every other category in ISE.  Since many systems either end up in or start in unknown there is a good chance the system will be NMAP scanned by ISE.

So here is my idea to deal with these customers:

I am going to create a custom unknown profiling policy, let's call it "Paul-Unknown" for this example.  Knowing that the Cisco predefined profiling policies have minimum certainty factors in the 5-30 range I am going to set the minimum certainty factor on Paul-Unknown to 1.  Paul-Unknown will have no NMAP scan actions applied.  My only rule in Paul-Unknown is that if the  MAC Address matches ".*" increase the certainty factor by 1. That should catch everything and make sure nothing ever hits the Cisco built in unknown.

I think that should work.  If the customer is concerned about NMAP scans in the other profiling rules I can easily shut them off. 

Thoughts?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎12-02-2016 01:10 PM

Yes, adding a minimal match profile to move new endpoints out of Unknown bucket is one way to achieve this.  If you know the address space of the critical devices you can also configure NMAP Subnet Exclusions to prevent the scan of endpoints in this IP range.  I pinged engineering and they will consider adding option to control default scan behavior, but no commit at this point.

Cheers,
Craig

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Craig Hyps
Level 10
Level 10

‎12-02-2016 01:10 PM

Yes, adding a minimal match profile to move new endpoints out of Unknown bucket is one way to achieve this.  If you know the address space of the critical devices you can also configure NMAP Subnet Exclusions to prevent the scan of endpoints in this IP range.  I pinged engineering and they will consider adding option to control default scan behavior, but no commit at this point.

Cheers,
Craig

0 Helpful
Customers Also Viewed These Support Documents