I need someone to explain how UDT and Rogue Endpoint detection should work. It seems miserably flawed to me and support is giving me the run around saying it's doing what it should be doing. If that is the case the product is severely crippled for our intended use case.
Our plan was to use UDT to monitor rogue endpoints when they show up on certain networks. We use all the other functions as all that integrate with IPAM as well. The problem we are seeing is that when you add a node from Orion or discover ports, it brings in all endpoints it sees even on trunk ports and adds them to the rogue device list. We want to start by monitoring and then whitelisting only devices connected to ports that are not secured in a data closet or data center. This approach is taking small bites off of the network evaluating endpoints that are not on our whitelists (initially comprised of AD exports and VM exports of known MACs, we only use MAC whitelisting as anything else doesn't really make much sense in our environment) and then deciding if they should be whitelisted, removed, or perhaps watched. Call it poormans NAC if you will but for now it's better than nothing.
Now here is the problem, when a node is added, or ports are discovered it starts monitoring all the ports by default. When it monitors things like trunk ports it brings in endpoints that at that moment are out of scope. So using common sense we decided OK lets just unmonitor those ports in UDT, if it's not monitoring the port it won't see the endpoint and those will go away. Well they don't, they remain and the endpoints on the unmonitored ports stay on our rogue device list indefinitely. The endpoint marks it as Last Seen: CURRENT which makes no sense if I'm not monitoring the port. I then took one step further and deleted the port from UDT, no change. I then, per support, wiped all data relating to UDT and started over, re-added a switch and router, performed the same steps and ended up with every endpoint it could see because it started monitoring all ports when added. Trying to create my own work around I decided to limit which ports it monitored as part of the discovery (UDT Settings --> Advanced Settings --> Monitored Port Types) Set this to only include the ethernetCsmacd (6) type which would exclude trunk ports etc. No luck the discovery by default ignored this setting and attempted to discover all available ports. So this setting does ?, nothing?
After going back and forth with support asking why I'm getting endpoints showing as current, why it's monitoring all ports, why they won't fall off the rogue device list (which we have set to "Past Hour"), and how someone is supposed to accomplish our use case.... the answers I received were start over, or whitelist all devices that are showing and review devices going forward. Well that last one violates pretty much every concept of whitelisting and authorized device review by blindly trusting that what we have in current state is good, awful idea. Not sure the point of UDT Rogue Device if for every device that shows up you just whitelist it, or as also suggested enable the 3 default rules for MAC, IP, and DNS to whitelist all nodes.... again not sure why you would want to ever do this if you WERE interested in reviewing and managing the devices on your network. I also can not get a good answer as to why when I unmonitor a port do the endpoints on that port remain, as if it's monitoring the endpoint now instead? We set retention settings to 1 day, ran database maintance and have waited 5 days and no change the endpoints all remain on the Rogue device list all marked as CURRENT.
HELP!! Can someone, anyone explain how this is supposed to work? I'm being told that this is normal but then that it's also not normal, and then silence from support. I'm doing 1. what the sales team said is normal and reasonable 2. The steps that are defined here:
"Our first objective is to identify those devices (nodes and endpoints) that connect to the network. This information will then help us create device profiles and help us determine which devices are authorized."
"Our second objective is to identify and verify which devices are authorized to use the network and to construct access controls using whitelists"