McAfee EPOLICY ORCHESTRATOR 3.6 - WALKTHROUGH GUIDE Manual page 56

System protection, a product overview and quick set up in a test environment version 3.6
Passive listening to layer-2 traffic
To detect systems on the network, the sensor uses WinPcap, an open source packet
capture library. Through WinPcap, the Rogue System sensor captures the layer-2 broadcast
packets sent by systems connected to the same broadcast segment. It listens passively
to all layer-2 traffic for Address Resolution Protocol (ARP), Reverse Address Resolution
Protocol (RARP), and IP traffic, so it sees the broadcast traffic of every device on its
broadcast segment.
The sensor does not actively probe the network to discover which devices are connected.
Note: The sensor does not determine whether a system is a rogue system. It detects
systems connected to the network and reports these detections back to the ePolicy
Orchestrator server.
Intelligent filtering of network traffic
The sensor filters network traffic so that it ignores unnecessary messages and captures
only what it needs: Ethernet and IP broadcast traffic. By filtering out unicast traffic,
which may carry non-local IP addresses, the sensor focuses only on devices that are part
of the local network. For example, if a system on the network happens to be browsing the
McAfee website, packets appear on the local network carrying an IP address that belongs
to mcafee.com. Because the sensor detects systems on your local network only, it ignores
all such unicast packets: their sources cannot be guaranteed to be local systems.
To optimize performance and minimize network traffic, the sensor limits its
communication with the server to new system detections and ignores any re-detected
system for a user-configurable period. For example, the Rogue System sensor detects
itself among the systems it sees. If it sent a message every time it captured one of its
own packets, the network would be overloaded with sensor detection messages.
The sensor therefore filters on systems it has already detected:
- The sensor always reports a system the first time it is detected on the network.
- The sensor adds the MAC address of each detected system to its packet filter, so
  that the system is not reported again until the address is removed from the filter.
- The sensor ages the MAC filter: after a configurable period, the MAC addresses of
  systems that have already been detected are removed from the filter, so those
  systems are re-detected and reported to the server again.
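The passive listening, broadcast-only filtering and aging MAC filter described above, as an added example that is not McAfee's sensor code. It reimplements the behaviour the guide describes on constructed raw Ethernet/ARP frames (in a real sensor the frames would come from a WinPcap capture handle); the class and function names are this example's own, and the 600-second aging window is an assumed value standing in for the user-configurable period.

```python
import socket
import struct
import time

# Layer-2 constants the filter keys on (IEEE/IETF values, not from the guide).
BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_RARP = 0x8035
WANTED_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_RARP}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac, sender_ip, target_ip, dst_mac=BROADCAST_MAC):
    """Build a raw Ethernet/ARP 'who-has' frame (constructed test input, not a capture)."""
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, 1)   # htype, ptype, hlen, plen, oper=request
    arp += sender_mac + socket.inet_aton(sender_ip)            # sender hardware / protocol address
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)           # target hardware / protocol address
    return dst_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


class RogueSystemSensor:
    """Hypothetical passive layer-2 listener with a broadcast-only packet filter
    and an aging MAC filter, modelled on the behaviour the guide describes."""

    def __init__(self, age_seconds=3600, clock=time.monotonic):
        self.age_seconds = age_seconds   # stands in for the user-configurable period
        self.clock = clock
        self.mac_filter = {}             # raw MAC -> time it entered the filter
        self.reports = []                # detections that would be relayed to the ePO server

    def _expire_filter(self, now):
        # Aging: entries older than age_seconds leave the filter and become re-detectable.
        for mac in [m for m, t in self.mac_filter.items() if now - t >= self.age_seconds]:
            del self.mac_filter[mac]

    def handle_frame(self, frame):
        """Return a detection dict if this frame results in a report, else None."""
        if len(frame) < 14:
            return None
        dst, src = frame[0:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]

        # Intelligent filtering: unicast frames are dropped because their source cannot be
        # guaranteed to be local; only ARP, RARP and IP frames sent to the broadcast MAC pass.
        if dst != BROADCAST_MAC or ethertype not in WANTED_ETHERTYPES:
            return None

        now = self.clock()
        self._expire_filter(now)
        if src in self.mac_filter:
            return None                  # already reported; suppressed until it ages out
        self.mac_filter[src] = now

        detection = {"mac": mac_str(src), "ip": None, "ethertype": ethertype, "seen_at": now}
        if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
            # Sender protocol address: Ethernet header 14 + ARP fixed header 8 + SHA 6 = offset 28.
            detection["ip"] = socket.inet_ntoa(frame[28:32])
        self.reports.append(detection)
        return detection


def run_demo():
    """Feed constructed frames through the sensor under a fake clock; return the reports."""
    fake_time = [0.0]
    sensor = RogueSystemSensor(age_seconds=600, clock=lambda: fake_time[0])
    host_a = bytes.fromhex("0a1b2c3d4e01")
    host_b = bytes.fromhex("0a1b2c3d4e02")
    frames = [
        build_arp_request(host_a, "192.0.2.10", "192.0.2.1"),                  # A first seen: reported
        build_arp_request(host_a, "192.0.2.10", "192.0.2.2"),                  # A again: filtered
        build_arp_request(host_b, "192.0.2.11", "192.0.2.1"),                  # B first seen: reported
        build_arp_request(host_b, "192.0.2.11", "192.0.2.1", dst_mac=host_a),  # unicast: ignored
    ]
    for frame in frames:
        sensor.handle_frame(frame)
    fake_time[0] = 601.0                 # past the aging window, so A's filter entry expires
    sensor.handle_frame(build_arp_request(host_a, "192.0.2.10", "192.0.2.1"))  # A re-detected
    return sensor.reports
```

`run_demo()` produces three reports (A, B, then A again after its filter entry ages out); the repeated ARP from A inside the window and the unicast frame produce none. Note that the sensor's own frames are handled by the same filter: it reports itself once and is then suppressed like any other host.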
Data gathering and communications to the server
Once the sensor detects a system on the local network, it attempts to gather as much
information about that system as it can from the contents of the captured network
packets. The information gathered includes the DNS name, the operating system version,
and NetBIOS information such as domain membership, system name, and the list of
currently logged-in users.
All of the NetBIOS-related information gathered is subject to the standard authorization
and other limitations documented for the Microsoft management API.
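The guide does not say how the sensor extracts these fields. As an added illustration (not McAfee's code) of what a local host's own broadcasts reveal, the example below decodes NetBIOS Name Service registration requests, which a Windows host broadcasts to UDP port 137 when it claims its computer name, its workgroup or domain name, and its service names. The first-level name encoding, the 0x2910 registration flags and the suffix meanings are standard NetBIOS conventions; the function names and the sample host WS01 in workgroup CORP are constructed for this example.

```python
import socket
import struct

# NetBIOS name suffix byte -> role (public NetBIOS conventions, not from the guide).
NB_SUFFIX = {
    0x00: "workstation or workgroup",
    0x03: "messenger",
    0x1B: "domain master browser",
    0x1C: "domain controllers",
    0x1D: "master browser",
    0x20: "file server",
}
OPCODE_REGISTRATION = 5


def encode_nb_name(name, suffix):
    """First-level encoding: 15-char space-padded name plus suffix byte, each nibble as 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def decode_nb_name(encoded):
    """Reverse the first-level encoding; returns (name without padding, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_registration(name, suffix, ip, group=False, txid=0x1234):
    """Constructed NBNS NAME REGISTRATION REQUEST payload (what a host broadcasts to UDP/137)."""
    header = struct.pack("!HHHHHH", txid, 0x2910, 1, 0, 0, 1)   # opcode 5, RD, B; 1 question, 1 additional
    qname = b"\x20" + encode_nb_name(name, suffix).encode("ascii") + b"\x00"
    question = qname + struct.pack("!HH", 0x0020, 0x0001)       # QTYPE NB, QCLASS IN
    nb_flags = 0x8000 if group else 0x0000                      # G bit: group name vs unique name
    additional = (b"\xC0\x0C"                                   # compression pointer to the question name
                  + struct.pack("!HHIH", 0x0020, 0x0001, 300000, 6)
                  + struct.pack("!H", nb_flags) + socket.inet_aton(ip))
    return header + question + additional


def _skip_name(payload, pos):
    """Advance past a DNS-style name (length-prefixed labels or a compression pointer)."""
    if payload[pos] & 0xC0 == 0xC0:
        return pos + 2
    while payload[pos] != 0:
        pos += 1 + payload[pos]
    return pos + 1


def parse_nbns_registration(payload):
    """Return name, suffix, role, group flag and IP from a registration request, or None."""
    if len(payload) < 12:
        return None
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", payload[:12])
    if (flags >> 11) & 0x0F != OPCODE_REGISTRATION or qdcount != 1 or arcount != 1:
        return None
    pos = 12
    if payload[pos] != 32:
        return None
    encoded = payload[pos + 1:pos + 33].decode("ascii")
    pos = _skip_name(payload, pos) + 4                          # past QNAME, QTYPE, QCLASS
    pos = _skip_name(payload, pos)                              # additional record's name
    rtype, _, _, rdlength = struct.unpack("!HHIH", payload[pos:pos + 10])
    pos += 10
    if rtype != 0x0020 or rdlength < 6:
        return None
    nb_flags = struct.unpack("!H", payload[pos:pos + 2])[0]
    name, suffix = decode_nb_name(encoded)
    return {"name": name, "suffix": suffix, "role": NB_SUFFIX.get(suffix, f"<{suffix:02X}>"),
            "group": bool(nb_flags & 0x8000), "ip": socket.inet_ntoa(payload[pos + 2:pos + 6])}


def summarize_registrations(payloads):
    """Fold one host's registration broadcasts into system name, domain/workgroup and services."""
    info = {"system_name": None, "domain_or_workgroup": None, "ip": None, "services": []}
    for payload in payloads:
        rec = parse_nbns_registration(payload)
        if rec is None:
            continue
        info["ip"] = rec["ip"]
        if rec["suffix"] == 0x00 and rec["group"]:
            info["domain_or_workgroup"] = rec["name"]     # group <00>: workgroup or domain name
        elif rec["suffix"] == 0x00:
            info["system_name"] = rec["name"]             # unique <00>: the computer name
        else:
            info["services"].append((rec["name"], rec["role"]))
    return info
```

Feeding the three constructed registrations a host sends at startup (WS01<00> unique, CORP<00> group, WS01<20> unique) yields the system name, the workgroup or domain it belongs to, its IP address and its file-server role, all without a single query to the host. Logged-in user lists are not carried in these broadcasts and are the part that depends on the management API and its authorization limits.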