Device Profiling in Static IP Environment with Security Restrictions (SNMP vs. NMAP)

  • 1.  Device Profiling in Static IP Environment with Security Restrictions (SNMP vs. NMAP)

    Posted Mar 17, 2025 05:10 AM

    Hello,

    I need some guidance on how to perform device profiling in an environment where all devices (desktops and non-802.1x capable devices like printers) are statically addressed. Due to security concerns, we are restricted from opening too many ports, especially for devices such as printers.

    I'm considering two methods for profiling printers, but I'm unsure which one would be more secure and efficient in this scenario:

    1. SNMP-Based Queries – Would querying devices over SNMP be a secure and effective way to profile printers without opening too many additional ports?
    2. NMAP-Based Scans – Is it safe to use NMAP to scan specific ports (e.g., TCP 515 for LPD or TCP 631 for IPP) to gather profiling data for printers, or does this introduce any security concerns or risks?

    I'd appreciate any advice or best practices on how to achieve device profiling effectively and securely within these constraints.

    Thanks in advance!



  • 2.  RE: Device Profiling in Static IP Environment with Security Restrictions (SNMP vs. NMAP)

    Posted Mar 18, 2025 09:08 AM

    That is a hard question to fully answer. Without DHCP, you miss a lot of profiling information, and moving to DHCP with static reservations for the devices you want to have on a fixed IP may be the best solution. Further, it depends a bit on what those devices offer as services, as the more information they expose, the better your profiling, but in the end the accuracy and effectiveness may vary.

    Alternatively, as you may have a record of MAC addresses for each device, you may enter them in the Endpoint repository, or query your CMDB if it has those devices listed, and assign them to the printer role/VLAN through that path. Then limit access from that role such that if someone were to spoof the MAC, there is really limited access that cannot hurt.

    Your HPE Aruba partner can probably assist in making the optimal design.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Device Profiling in Static IP Environment with Security Restrictions (SNMP vs. NMAP)

    Posted Mar 19, 2025 05:48 AM

    Exactly! It has been quite challenging for our team to identify viable solutions, given the significant limitations of the current environment. Despite our efforts, we find ourselves leaning towards manual addition of device attributes, although we are aware that it's neither scalable nor practical in the long run. Unfortunately, at this point, it seems to be the only available option, though we recognize how inefficient this approach is.