McAfee EPOCDE-AA-BA Product Guide - Page 273
Detecting Rogue Systems (chapter 21): How the Rogue System Sensor works

The sensor further filters on systems that were already detected:

• The sensor reports any system the first time it is detected on the network.
• For each detected system, the sensor adds the MAC address to the packet filter so that it is not detected again until the user-configured time elapses.
• The sensor implements aging on the MAC filter. After a specified time, MAC addresses for systems that have already been detected are removed from the filter, causing those systems to be re-detected and reported to the server.

This process ensures that you receive accurate and current information about detected systems.

Data gathering and communications to the server

Once the sensor detects a system on the local network, it gathers information about that system by actively scanning using NetBIOS calls and OS fingerprinting. The gathered information includes:

• DNS name
• Operating system version
• NetBIOS information (domain membership, system name, and the list of currently logged-on users)

All NetBIOS-related information that is gathered is subject to the standard limitations of authorization, and to the other limitations documented in the Microsoft management API.

The sensor packages the gathered information into an XML message, then sends the message over HTTPS to the ePolicy Orchestrator server for processing. The server then uses the ePolicy Orchestrator data to determine whether the system is a rogue system.

Bandwidth use and sensor configuration

To save bandwidth in large deployments, you can configure how often the sensor sends detection messages to the server. You can configure the sensor to cache detection events for a given time period, such as one hour, and then send a single message containing all the events from that period. For more information, see Configuring Rogue System Detection policy settings.
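As an added illustration (not McAfee's own code), the following Python simulates the two behaviours described above: a MAC filter whose entries age out after a user-configured interval, so a system is reported once per interval, and a detection cache that releases all events from a period as one message. The class and function names, timestamps and MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class SensorFilter:
    """MAC filter with aging: each MAC is reported once per aging interval."""
    aging_seconds: float                       # user-configured re-detection time
    _seen: dict = field(default_factory=dict)  # mac -> time it entered the filter

    def observe(self, mac: str, now: float) -> bool:
        """Return True if this sighting should be reported to the server."""
        mac = mac.lower()
        added = self._seen.get(mac)
        # An entry younger than the aging interval suppresses the report; an
        # older one counts as expired, so the system is re-detected and reported.
        if added is not None and now - added < self.aging_seconds:
            return False
        self._seen[mac] = now
        return True


@dataclass
class DetectionCache:
    """Hold detection events and release them as one message per period."""
    period_seconds: float
    _events: list = field(default_factory=list)
    _period_start: float = 0.0

    def add(self, mac: str, now: float) -> None:
        if not self._events:
            self._period_start = now
        self._events.append({"mac": mac, "first_seen": now})

    def flush(self, now: float, force: bool = False) -> list:
        """Return the pending batch if the period has elapsed (or when forced)."""
        if self._events and (force or now - self._period_start >= self.period_seconds):
            batch, self._events = self._events, []
            return batch
        return []


def run_sensor(sightings, aging_seconds=3600.0, period_seconds=3600.0):
    """Feed (timestamp, mac) sightings through filter and cache; return messages."""
    filt, cache, messages = SensorFilter(aging_seconds), DetectionCache(period_seconds), []
    for ts, mac in sorted(sightings):
        if batch := cache.flush(ts):        # send any batch whose period has ended
            messages.append(batch)
        if filt.observe(mac, ts):           # first sighting, or filter entry aged out
            cache.add(mac, ts)
    if batch := cache.flush(0.0, force=True):  # constructed end-of-run flush
        messages.append(batch)
    return messages
```

With the defaults, a system seen at t=0, again at t=60 and again at t=3700 produces two reports: the repeat at 60 seconds is suppressed by the filter, while the sighting at 3700 seconds arrives after the entry has aged out.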
Systems that host sensors

Install sensors on systems that are likely to remain on and connected to the network at all times, such as servers. If you don't have a server running in a given broadcast segment, install sensors on several workstations to ensure that at least one sensor is connected to the network at all times.

To guarantee that your Rogue System Detection coverage is complete, you must install at least one sensor in each broadcast segment of your network. Installing more than one sensor in a broadcast segment does not create issues with duplicate messages, because the server filters any duplicates. However, each additional active sensor in a subnet adds traffic sent from that sensor to the server. While maintaining as many as five or ten sensors in a broadcast segment should not cause any bandwidth issues, you should not maintain more sensors in a broadcast segment than is necessary to guarantee coverage.

McAfee® ePolicy Orchestrator® 4.6.0 Software Product Guide 273