Can I SPAN a SPAN?

Started by deanwebb, February 16, 2018, 07:40:15 AM


deanwebb

We can also do L3 responses. We got other tools that a former coworker of mine called "spooky magic."

Preferred enforcement for ForeScout CounterACT is to do a post-connect endpoint assessment via information gathered from DHCP packets, switch SNMP traps, info from a connection to the switch CLI. That's all we get for unmanaged devices. If possible, we want an SNMP string to use on company-managed IoT devices and a local admin account and/or a client for desktop computing devices. Those are the managed devices.

Helping out all this is mirror traffic and/or netflow that indicates what else may be on the network that we can track. All that comes together for our information gathering about endpoints. Also NMAP. We do some NMAP, yeah. Best to let us know where not to NMAP so we don't crash sensitive devices...

Enforcement can be done via applying an ACL on the MAC address, ACL on the switchport, a VLAN change for the endpoint - all done from switch communications. If those aren't available, we can also use the mirror response port to do a DNS hijack and/or a HTTP-HTTPS hijack to redirect traffic such that a non-compliant device is directed to a compliance portal. Last ditch effort is the "virtual firewall" that will basically use the mirror response to act like an IPS and kill off specified TCP traffic.

CounterACT can also do full 802.1X, but not all switches are ready to do full 802.1X, hence the other options, above.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

thanks, interesting

but I'm still curious about your original q: if SPAN can't 'write' either, why did you reject RSPAN due to the same limitation?

deanwebb

Quote from: wintermute000 on February 17, 2018, 06:19:57 PM
thanks, interesting

but I'm still curious about your original q: if SPAN can't 'write' either, why did you reject RSPAN due to the same limitation?
In this case, because the customer wants monitor plus transmit with the mirror traffic.

Otanx

You can "write" with a normal SPAN on some devices, but it has limitations. It is not the same as being inline, which I am sure Dean knows. On a 6500 you can do "monitor session 1 destination Gi1/1/1 ingress", which sets up the switch to accept inbound packets from the SPAN destination. A common use case is to be able to manage a monitoring device over the same port that is collecting the SPAN. You don't see it too often anymore; most devices will use a separate management interface.

However, another use case (and what I think Dean is trying to do) is injecting data to interrupt communications. As an example: Endpoint A tries to open an HTTP connection to Server 1. My IDS sees the SYN and wants to stop this connection. It can inject a RST to both sides, spoofing the IPs. This will prevent the connection.

Another fun one Dean mentioned is DNS hijack. If my device can respond quickly enough, I can beat the real server to responding to the client and get my DNS answer into the cache first. Then all your communication goes to the IP I sent, and not the real server.

It isn't a real replacement to being inline, but there are some nifty security tricks you can do with it.

-Otanx
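The RST injection Otanx describes, as an added example that is not part of the thread or of any vendor's product: given a SYN observed on the SPAN port, forge the two spoofed resets that would be transmitted back out an ingress-enabled SPAN destination (or any raw socket). The packet below is constructed inline, not a real capture; the addresses, ports and sequence number are made up. The one detail the post leaves implicit is which sequence fields each side will accept: the server, sitting in SYN-RECEIVED, accepts a RST whose SEQ equals the client ISN+1, while the client, sitting in SYN-SENT and not yet knowing the server's ISN, accepts a RST only if it also carries an ACK of its own SYN (ACK = ISN+1).

```python
import socket
import struct

FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_ACK = 0x01, 0x02, 0x04, 0x10
PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, seq, ack, flags, window=0) -> bytes:
    """20-byte TCP header, no options, checksum over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, PROTO_TCP, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def build_ipv4(src, dst, payload: bytes) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64) in front of a TCP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def parse(pkt: bytes) -> dict:
    """Pull the fields the injector needs out of a raw IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return dict(src=socket.inet_ntoa(pkt[12:16]), dst=socket.inet_ntoa(pkt[16:20]),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags)


def verify_checksums(pkt: bytes) -> bool:
    """Both IP and TCP checksums are valid iff re-summing including them yields 0."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, PROTO_TCP, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def is_bare_syn(pkt: bytes) -> bool:
    f = parse(pkt)["flags"]
    return bool(f & FLAG_SYN) and not (f & (FLAG_ACK | FLAG_RST))


def forge_rst_pair(observed_syn: bytes):
    """Return (rst_to_server, rst_to_client) that tear down the handshake seen in observed_syn."""
    if not is_bare_syn(observed_syn):
        raise ValueError("expected a bare SYN from the client")
    p = parse(observed_syn)
    nxt = (p["seq"] + 1) & 0xFFFFFFFF  # client ISN + 1, what both ends will be expecting
    # Server is in SYN-RECEIVED: a RST is accepted when SEQ == RCV.NXT == client ISN + 1.
    to_server = build_ipv4(p["src"], p["dst"],
                           build_tcp(p["src"], p["dst"], p["sport"], p["dport"], nxt, 0, FLAG_RST))
    # Client is in SYN-SENT and has no server ISN yet: RFC 793 accepts a RST there only if
    # the ACK field acknowledges its SYN, so send RST|ACK with ACK == client ISN + 1.
    to_client = build_ipv4(p["dst"], p["src"],
                           build_tcp(p["dst"], p["src"], p["dport"], p["sport"], 0, nxt, FLAG_RST | FLAG_ACK))
    return to_server, to_client


# Constructed sample of what the SPAN feed might show (not a real capture):
# 10.0.0.5:40000 -> 203.0.113.10:80, SYN, ISN 1000.
OBSERVED_SYN = build_ipv4("10.0.0.5", "203.0.113.10",
                          build_tcp("10.0.0.5", "203.0.113.10", 40000, 80, 1000, 0, FLAG_SYN, window=64240))

if __name__ == "__main__":
    rst_srv, rst_cli = forge_rst_pair(OBSERVED_SYN)
    print("to server:", parse(rst_srv))
    print("to client:", parse(rst_cli))
    # To actually transmit on Linux (needs CAP_NET_RAW; assumed, not exercised here):
    #   s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    #   s.sendto(rst_srv, ("203.0.113.10", 0)); s.sendto(rst_cli, ("10.0.0.5", 0))
```

The caveat from the post still applies: this only works if the injected RST beats the real SYN/ACK and the rest of the handshake, which is a race the mirror port cannot guarantee the way an inline device can; and once the connection has moved to ESTABLISHED, a reset has to land inside the receiver's window, so the injector must keep tracking sequence numbers rather than firing off a single pair.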