On systems that have multiple NICs, each resulting interface can be detected as a separate
system. When these interfaces are detected, they can appear as multiple rogue interfaces.
Identifying these systems and their interfaces, and managing them with Rogue System Detection
and ePolicy Orchestrator helps provide the network security your organization needs.
How the Rogue System Sensor works
The Rogue System Sensor is the distributed portion of the Rogue System Detection architecture.
Sensors detect systems, routers, printers, and other devices connected to your network. They
gather information about devices they detect, and forward the information to the ePO server.
The sensor is a Win32 native executable application that runs on any NT-based Windows
operating system, such as Windows 2000, Windows XP, or Windows Server 2003. It can be
installed on systems throughout your network. A sensor reports on all systems in the broadcast
segment where it is installed. A sensor installed on a DHCP server reports on all systems or
subnets using DHCP. In networks or broadcast segments that don’t use DHCP servers, you
must install at least one sensor in each broadcast segment, usually the same as a subnet, to
maintain coverage. DHCP deployment can be used in conjunction with segment-specific
deployment for the most comprehensive coverage.
Passive listening to layer-2 traffic
To detect systems on the network, the sensor uses WinPCap, a packet capture library. It captures
layer-2 broadcast packets sent by systems connected to the same network broadcast segment
and listens passively to all layer-2 traffic for Address Resolution Protocol (ARP), Reverse Address
Resolution Protocol (RARP), IP traffic, and DHCP responses.
The sensor also performs NetBIOS calls and OS fingerprinting on systems already detected to
obtain additional information. It does this by listening to the broadcast traffic of all devices in
its broadcast segment and by using NetBIOS calls to actively probe the network to gather
additional information about the devices connected to it, such as detected system operating
system.
NOTE:
The sensor does not determine whether the system is a rogue system. It detects systems
connected to the network and reports these detections back to the ePO server.
Intelligent filtering of network traffic
The sensor implements intelligent filtering of network traffic: it ignores unnecessary messages
and captures only what it needs, Ethernet and IP broadcast traffic. By filtering out unicast traffic
(DHCP monitoring uses unicast traffic, but only looks at DCHCP responses), which might contain
non-local IP addresses, the sensor focuses only on devices that are part of the local network.
To optimize performance and minimize network traffic, the sensor limits its communication to
the server by relaying only new system detections, and by ignoring any re-detected systems
for a user-configured time. For example, the sensor detects itself among the list of detected
systems. If the sensor sent a message every time it detected a packet from itself, the result
would be a network overloaded with sensor detection messages.
The sensor further filters on systems already detected:
• The sensor reports any system the first time it is detected on the network.
• For each detected system, the sensor adds the MAC address to the packet filter, so that it
is not detected again, until the user configured time elapses.
Detecting Rogue Systems
How the Rogue System Sensor works
McAfee ePolicy Orchestrator 4.0.2 Product Guide
190