Security

 View Only
last person joined: 18 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ARP with SPAN

This thread has been viewed 53 times
  • 1.  ARP with SPAN

    Posted May 18, 2023 04:23 AM
      |   view attached

    Hi All,

    I am still looking for alternative from DHCP method to profile an endpoint.

    From the attached, I see there are two kinds of ARP, one is active, one is passive.

    Since the customer does not allow active ones, what needs to be done to achieve passive ARP ?  Is there any example of output out there as well ?

    Thanks.



  • 2.  RE: ARP with SPAN

    Posted May 18, 2023 09:24 AM

    Do a SPAN to one of the unused ports on the ClearPass server, keep in mind load though.  Why do you feel you need the ARP information?  What's wrong with DHCP relay, Device Sensor, or other profiling methods?




  • 3.  RE: ARP with SPAN

    Posted Jun 01, 2023 12:54 AM

    Hi Alex & Herman,

    Thanks for your response.

    • DHCP relay: so far the value of DHCPOptions row can be different in different connection attempt, so customer is asking for other method
    • Device Sensor: understand from the technote it is only detecting network devices, whereas we want to gather some fingerprints from endpoints instead.
    • Other profiling method: customer do not allow active subnet scanning from ClearPass

    But in the end, I need more distinguishable signature result than just IP , MAC , or dhcpOptions.

    Customer also does not allow account differentiation between different services.




  • 4.  RE: ARP with SPAN

    EMPLOYEE
    Posted May 25, 2023 11:28 AM

    Active or Passive ARP relates to the learning of ARP addresses. With ARP a client requests the MAC address for a specific IP. With passive ARP learning, a network device can use such a ARP request or an ARP reply to learn the IP address for a specific MAC address. You can't practically make a network work without Active ARP, so not sure what your customer is not allowing. Static ARP would be an option, but that is highly unusual as you would need to program each network device with a list of MAC addresses for each IP. This really is not practical, and it would make profiling quite impossible and Client Insight (Central with gateways) would be an option to get profiling information from the normal network traffic. You may best work with your Aruba partner on the options you have.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------