McAfee EPOCDE-AA-BA Product Guide - Page 272
21 Detecting Rogue Systems

How the Rogue System Sensor works

The Rogue System Sensor is the distributed portion of the Rogue System Detection architecture. Sensors detect systems, routers, printers, and other devices connected to your network. They gather information about the devices they detect, and forward the information to the McAfee ePO server.

The sensor is a Win32 native executable application that runs on any NT-based Windows operating system, including:

• Windows XP
• Windows Server 2003
• Windows 2008
• Windows Vista
• Windows 7

It can be installed on systems throughout your network. A sensor reports on all systems in the broadcast segment where it is installed. A sensor installed on a DHCP server reports on all systems or subnets using DHCP.

To maintain coverage in networks or broadcast segments that don't use DHCP servers, you must install at least one sensor in each broadcast segment (usually the same as a subnet). DHCP deployment can be combined with segment-specific deployment of the Rogue System Sensor for the most comprehensive coverage.

Passive listening to layer-2 traffic

To detect systems on the network, the sensor uses WinPcap, a packet capture library. It captures layer-2 broadcast packets sent by systems connected to the same network broadcast segment. It also listens passively to all layer-2 traffic for Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP), IP traffic, and DHCP responses.

To obtain additional information, the sensor also performs NetBIOS calls and OS fingerprinting on systems that were already detected. It does this by listening to the broadcast traffic of all devices in its broadcast segment, and by using NetBIOS calls to actively probe the network for additional information about the devices connected to it, such as the operating system of a detected system.

The sensor does not determine whether a system is a rogue system. It detects systems connected to the network and reports these detections to the McAfee ePO server, which determines whether a system is rogue based on user-configured settings.

Intelligent filtering of network traffic

The sensor filters network traffic "intelligently": it ignores unnecessary messages and captures only what it needs, which is Ethernet and IP broadcast traffic. By filtering out unicast traffic, which might contain non-local IP addresses, the sensor focuses only on devices that are part of the local network.

To optimize performance and minimize network traffic, the sensor limits its communication with the server by relaying only new system detections, and by ignoring any re-detected system for a user-configured time. For example, the sensor detects itself among the detected systems. If the sensor sent a message every time it detected a packet from itself, the result would be a network overloaded with sensor detection messages.

272 McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide
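The passive capture, broadcast-only filter and re-detection suppression described under "Passive listening to layer-2 traffic" and "Intelligent filtering of network traffic" above, modelled as an added Python example. This is not McAfee code and does not use WinPcap; it reproduces the sensor's decision logic on a handful of constructed Ethernet frames (ARP requests, a DHCP offer, a unicast frame forwarded by a router, and the sensor's own ARP). The MAC and IP addresses, the frame builders, the 600-second suppression window and the `RogueSystemSensor` class name are all assumptions made for the example; the real sensor's wire format for reports to the ePO server is not shown on this page and is not modelled.

```python
"""Toy model of a passive layer-2 rogue-system sensor (added example, not McAfee code)."""
from __future__ import annotations
import struct

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT = 67


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def ip4(dotted: str) -> bytes:
    return bytes(int(x) for x in dotted.split("."))


# --- frame builders (constructed test input, checksums deliberately left zero) ---
def build_ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def build_arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1) + sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return build_ethernet(BROADCAST_MAC, sender_mac, ETHERTYPE_ARP, arp)


def build_ipv4_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0, src_ip, dst_ip)
    return build_ethernet(dst_mac, src_mac, ETHERTYPE_IPV4, ip_hdr + udp)


def build_dhcp_offer(server_mac, server_ip, client_mac, offered_ip) -> bytes:
    # Minimal BOOTP header: op=2 (reply), htype=1, hlen=6, hops, xid, secs, flags(broadcast),
    # ciaddr, yiaddr (offset 16), siaddr, giaddr, chaddr (offset 28, 16 bytes).
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)
             + b"\x00" * 4 + offered_ip + server_ip + b"\x00" * 4 + client_mac + b"\x00" * 10)
    return build_ipv4_udp(server_mac, BROADCAST_MAC, server_ip, ip4("255.255.255.255"), 67, 68, bootp)


class RogueSystemSensor:
    """Broadcast-only filter, ARP/DHCP parsing, per-MAC report suppression (hypothetical class)."""

    def __init__(self, own_mac: bytes, suppress_seconds: float = 600.0):
        self.own_mac = own_mac
        self.suppress_seconds = suppress_seconds   # the "user-configured time" from the guide
        self.last_reported: dict[str, float] = {}

    @staticmethod
    def is_broadcast(frame: bytes) -> bool:
        """Keep Ethernet broadcasts and IPv4 limited broadcasts; everything else is unicast and dropped."""
        if frame[:6] == BROADCAST_MAC:
            return True
        ethertype = struct.unpack("!H", frame[12:14])[0]
        return ethertype == ETHERTYPE_IPV4 and len(frame) >= 34 and frame[30:34] == b"\xff" * 4

    @staticmethod
    def extract_hosts(frame: bytes) -> list[tuple[bytes, bytes]]:
        """Return (mac, ip) pairs the frame proves are present on this broadcast segment."""
        ethertype = struct.unpack("!H", frame[12:14])[0]
        hosts: list[tuple[bytes, bytes]] = []
        if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
            arp = frame[14:42]
            hosts.append((arp[8:14], arp[14:18]))            # ARP sender hardware/protocol address
        elif ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            hosts.append((frame[6:12], frame[26:30]))        # source MAC and source IP
            udp_off = 14 + (frame[14] & 0x0F) * 4
            if frame[23] == IPPROTO_UDP and len(frame) >= udp_off + 8:
                sport = struct.unpack("!H", frame[udp_off:udp_off + 2])[0]
                dhcp = frame[udp_off + 8:]
                if sport == DHCP_SERVER_PORT and len(dhcp) >= 44 and dhcp[0] == 2:
                    hosts.append((dhcp[28:34], dhcp[16:20]))  # DHCP reply: chaddr gets yiaddr
        return hosts

    def handle_frame(self, frame: bytes, now: float) -> list[dict]:
        if len(frame) < 14 or not self.is_broadcast(frame):
            return []                                        # unicast: may carry non-local addresses
        detections = []
        for mac, ip in self.extract_hosts(frame):
            if mac == self.own_mac:
                continue                                     # the sensor never reports itself
            key = mac_str(mac)
            last = self.last_reported.get(key)
            if last is not None and now - last < self.suppress_seconds:
                continue                                     # re-detection inside the window: stay quiet
            self.last_reported[key] = now
            detections.append({"mac": key, "ip": ip_str(ip), "time": now})
        return detections


# --- constructed sample traffic on one broadcast segment (assumed addresses) ---
SENSOR_MAC, HOST_A_MAC, HOST_B_MAC = bytes.fromhex("000c29000001"), bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02")
DHCP_MAC, ROUTER_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00005e000101")
SAMPLE_TRAFFIC = [
    (0.0, build_arp_request(HOST_A_MAC, ip4("192.168.1.10"), ip4("192.168.1.1"))),          # new host A
    (5.0, build_arp_request(HOST_A_MAC, ip4("192.168.1.10"), ip4("192.168.1.1"))),          # re-detected, suppressed
    (10.0, build_ipv4_udp(ROUTER_MAC, HOST_A_MAC, ip4("10.9.8.7"), ip4("192.168.1.10"), 53, 5000, b"")),  # unicast, non-local src
    (20.0, build_dhcp_offer(DHCP_MAC, ip4("192.168.1.1"), HOST_B_MAC, ip4("192.168.1.20"))),  # DHCP server + client B
    (30.0, build_arp_request(SENSOR_MAC, ip4("192.168.1.2"), ip4("192.168.1.1"))),          # sensor's own ARP
    (700.0, build_arp_request(HOST_A_MAC, ip4("192.168.1.10"), ip4("192.168.1.1"))),        # window expired, reported again
]


def run_demo() -> list[dict]:
    sensor = RogueSystemSensor(own_mac=SENSOR_MAC, suppress_seconds=600.0)
    reported: list[dict] = []
    for t, frame in SAMPLE_TRAFFIC:
        reported.extend(sensor.handle_frame(frame, now=t))
    return reported


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

Six captured frames produce four reports: host A once, the DHCP server and the client it served from a single offer, and host A again only after the suppression window has elapsed. The unicast frame carrying the non-local source 10.9.8.7 never reaches the detection logic, which is the point of the broadcast-only filter. The caveat a deployer should keep in mind is that purely passive detection sees only hosts that broadcast on the segment where the sensor sits; a silent device, or any device in a segment without a sensor, is not detected, which is why the guide calls for at least one sensor per broadcast segment and supplements passive listening with the active NetBIOS probing described above.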