16 Replies Latest reply on Apr 30, 2009 1:02 PM by brford

    Firewall

      I believe this product will not work if the host is running a personal firewall. Am I correct?

      Since it uses ping and SNMP.

      I believe 1/2 our users are running them and would not give us an accurate report.

        • Re: Firewall

          I suppose that depends on the FW and your company's current FW policy - are you using CSA or some other centrally managed product?

            • Re: Firewall

              Afraid not, it's the wild west EDU world. What would be nice, and I have yet to find what I am looking for, is a product to pull the ARP info out of a router MAC table, then log it to a database. That would give the most accurate info, rather than trying to poll or scan a network.

                • Re: Firewall
                  bshopp

                  Understood, I have that already logged in the system as an enhancement request.

                  • Re: Firewall

                    ?? Do you mean switch ??

                    A router's ARP table is only going to have entries for connected networks. The rest relies on routing updates or statics when forwarding packets.

                    A switch will only have L3 ARP entries if it's a layer 3 switch configured with an SVI for the segment you wish to pull info from. Otherwise a layer 2 switch's ARP table is null, but its MAC address table is stuffed (obviously).

                      • Re: Firewall

                        In our environment I would say router. We are only looking in a few areas, say 3 or 4 routers. We have 1/2 a class B, from there divided into many VLANs. You should be able to filter out all the networks that you don't care about.
                        We do not have layer 3 switches on all of our networks.
                        Even with a layer 3 switch you would still need a subnet interface on that switch.
                        If you have many different VLANs, I would believe you would need a routed IP interface to get the information you would need for each VLAN.
                        We have almost 200 VLANs.
                        If it was a smaller environment a layer 3 switch will work fine, as long as the subnet you are looking at has a routed interface on that switch. I could see it would be nice in a layer 3 switch also.

                          • Re: Firewall

                            Sincerest apologies for hijacking this thread further, but as it relates to the IPAM app, I just don't see how the app scanning a router's or switch's ARP table is the right direction to go. ICMP and SNMP are much more appropriate.

                            "Even with a layer 3 switch you would still need a subnet interface on that switch. If you have many different VLANs, I would believe you would need a routed IP interface to get the information you would need for each VLAN."

                            You don't. Switches not configured to route packets broadcast to forward packets off a particular broadcast domain. This is the basic function of a switch: packet forwarding.

                            Brford, the moment you put an IP address (SVI, a.k.a. subnet interface, other than a management IP) on a switch, enable it and IP routing, and then pass traffic to it as an end point, it becomes a layer 3 switch, for no other reason than that the switch is now dealing with information at the IP layer. It is no longer broadcasting to resolve traffic to an L3 device for routing off a particular broadcast domain; it is now routing packets because it is functioning at layer 3. It will forward packets as needed to another layer 3 device based on the routing tables installed on the switch via IGP or static entries.

                            Layer two switches with L3 management IPs will still perform the layer 2 function of forwarding packets outside a particular broadcast domain without ever having made an ARP entry, because they are not functioning at the IP layer; they are functioning at the data-link layer. A layer 2 switch will perform no routing whatsoever. A layer 2 switch will have an ip default-gateway configured to reach its management interface; otherwise, it simply broadcasts out each of its configured interfaces looking for where to forward a packet.

                            Routers only have ARP tables for connected networks.

                            Unless I'm completely confused, I would humbly disagree with the suggestion that IPAM pulling ARP tables is more accurate than an ICMP/SNMP scan of a given subnet.
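The two threads of this exchange, brford's wish for something that pulls a router's ARP table into a database and the point that a router only holds ARP entries for its connected networks, come together in the added example below. It is my code, not SolarWinds' and not any poster's. It parses a constructed sample of Cisco IOS `show ip arp` output (assumed here to be the format in use), stores each IP/MAC pair per router in SQLite with first-seen and last-seen timestamps, and reports when an IP's MAC differs from the last poll. The router name, addresses and MACs are made up; a real deployment would feed it output collected over SSH or the SNMP ipNetToMediaTable, one poll per router or SVI-bearing L3 switch, since each device only knows its own connected segments.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample of Cisco IOS "show ip arp" output (not captured from a real device).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.10.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.1.10.50              3   aabb.cc00.0100  ARPA   Vlan10
Internet  10.1.20.7              12   aabb.cc00.0200  ARPA   Vlan20
Internet  10.1.20.9               0   Incomplete      ARPA
"""

# One IOS ARP row: protocol, IPv4, age ("-" for the router's own interface), dotted-hex MAC
# or "Incomplete", encapsulation, optional interface name.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}|Incomplete)\s+ARPA(?:\s+(?P<intf>\S+))?$",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac):
    """0011.2233.4455 -> 00:11:22:33:44:55 so entries compare across vendors."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_show_ip_arp(text):
    """Return resolved ARP entries as dicts; 'Incomplete' rows (no reply ever seen) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group("mac").lower() == "incomplete":
            continue
        entries.append({
            "ip": m.group("ip"),
            "mac": normalize_mac(m.group("mac")),
            "age_min": None if m.group("age") == "-" else int(m.group("age")),
            "interface": m.group("intf"),
        })
    return entries


SCHEMA = """
CREATE TABLE IF NOT EXISTS arp_seen (
    router     TEXT NOT NULL,
    ip         TEXT NOT NULL,
    mac        TEXT NOT NULL,
    interface  TEXT,
    first_seen TEXT NOT NULL,
    last_seen  TEXT NOT NULL,
    PRIMARY KEY (router, ip, mac)
);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_arp(conn, router, entries, now=None):
    """Upsert one poll of a router's ARP table.

    Returns a list of (ip, previous_mac, new_mac) for IPs whose MAC differs from the
    most recently seen one: a re-used address, a replaced NIC, or a host answering ARP
    for an address that is not its own, all of which are worth a look.
    """
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    changes = []
    for e in entries:
        prev = conn.execute(
            "SELECT mac FROM arp_seen WHERE router=? AND ip=? ORDER BY last_seen DESC LIMIT 1",
            (router, e["ip"]),
        ).fetchone()
        if prev and prev[0] != e["mac"]:
            changes.append((e["ip"], prev[0], e["mac"]))
        updated = conn.execute(
            "UPDATE arp_seen SET last_seen=?, interface=? WHERE router=? AND ip=? AND mac=?",
            (now, e["interface"], router, e["ip"], e["mac"]),
        ).rowcount
        if updated == 0:
            conn.execute(
                "INSERT INTO arp_seen VALUES (?, ?, ?, ?, ?, ?)",
                (router, e["ip"], e["mac"], e["interface"], now, now),
            )
    conn.commit()
    return changes


if __name__ == "__main__":
    db = open_db()                      # hypothetical router name below; use a file path to persist
    print("changes on first poll:", record_arp(db, "core-rtr-1", parse_show_ip_arp(SAMPLE_ARP)))
    for row in db.execute("SELECT ip, mac, interface, first_seen FROM arp_seen ORDER BY ip"):
        print(row)
```

Run on a schedule against each router that fronts the VLANs of interest; an IP whose MAC flips between polls shows up in the returned list, and the table answers "what was at this address last Tuesday" without any host having to answer ICMP or SNMP.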

                              • Re: Firewall

                                Thanks for your post. Could you explain how an end user running a personal (PC) firewall that you have no control over will reply to any ICMP or SNMP scan?

                                  • Re: Firewall

                                    Brford,

                                    Beyond our perimeter FWs, we use a centrally managed, policy-based desktop firewall. As such, we don't suffer that issue.

                                    I suppose if I found myself in that situation, I would see if there's any way to permit such traffic.

                                    Surely there must be some form of central management to the FW piece.

                                    An explicit policy for a management network doesn't seem out of the question audit-wise.

                                    Tough one mate... may I ask what you use?

                                      • Re: Firewall

                                        The EDU world is way more screwed up than the real world. There are no policies and it is almost impossible to mandate anything. Every dept is almost free to do whatever, with no big foot to stop them. Also, if there is any bad blood from any dept., cooperation is gone.

                                        Thanks again, enjoyed your thoughts.

                                        BF

                                      • Re: Firewall
                                        tonyled

                                        "Thanks for your post. Could you explain how an end user running a personal (PC) firewall that you have no control over will reply to any ICMP or SNMP scan?"

                                        Sadly, short of what was said above about implementing pulling ARP tables, I can't think of another way.

                                        We have some newer printers that also don't respond to ICMP, and we rarely set up SNMP on end-user equipment, so I too hope a feature is added to fix this.

                                          • Re: Firewall

                                            I suppose there are no easy answers. Our networks are getting more complex every day.

                                            Between NAT, IPv6, multi-tier firewalls, wireless, authentication, load balancers, DNS, and future eq.

                                            I guess it's job security.

                                  • Re: Firewall
                                    tonyled

                                    I too would like this feature. I did a demo on a product that did this and it was very nice. Sadly, the price was not.

                                  • Re: Firewall

                                    Hi there,

                                    Need help. I can't seem to get the NetFlow info from my router behind the firewall. The router behind the NTU is a Cisco 2800, and behind the router is an ASA firewall.

                                    I have checked the security configuration of the ASA firewall that would allow 2055, and still nothing.

                                    I have scanned the logs of both firewalls and see no 2055 or anything that would pick up the NetFlow from the 2800. Thanks in advance.
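When export on UDP/2055 never shows up at the collector, the first thing to settle is whether any datagrams reach the collector host at all, and whether what arrives is actually NetFlow. The added example below is my own code, not SolarWinds' and not from this thread: it decodes the fixed-format NetFlow v5 header and flow records that a Cisco 2800 would export, builds a constructed two-flow datagram for an offline check, and includes a small listener for the collector port that reports either the decoded flows or a timeout. The addresses, counters and sequence number in the sample are made up, and the listener's bind address and port are assumptions to adjust.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct(">HHIIIIBBH")
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(data):
    """Decode one v5 datagram; raises ValueError on anything that is not well-formed v5."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header (%d bytes)" % len(data))
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field is %d)" % version)
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < needed:
        raise ValueError("header claims %d records but datagram is only %d bytes" % (count, len(data)))
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "nexthop": str(IPv4Address(f[2])), "in_if": f[3], "out_if": f[4],
            "packets": f[5], "bytes": f[6], "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
            "unix_secs": unix_secs, "flow_sequence": flow_seq, "engine_id": engine_id,
            "sampling_interval": sampling & 0x3FFF, "records": records}


def build_sample_packet():
    """Constructed datagram with two made-up flows, for testing the decoder offline."""
    def rec(src, dst, sport, dport, proto, pkts, octets, flags):
        return V5_RECORD.pack(int(IPv4Address(src)), int(IPv4Address(dst)),
                              int(IPv4Address("192.0.2.1")), 1, 2, pkts, octets,
                              1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    header = V5_HEADER.pack(5, 2, 123456, 1241092920, 0, 17, 0, 0, 0)
    return (header
            + rec("192.0.2.10", "198.51.100.20", 51234, 443, 6, 12, 5400, 0x1B)
            + rec("192.0.2.11", "198.51.100.53", 40000, 53, 17, 1, 76, 0))


def listen(port=2055, bind="0.0.0.0", max_datagrams=10, timeout=30):
    """Bind the collector port and decode what arrives. A timeout with nothing received
    means the export is being dropped upstream (ASA policy, ACL, or the router's export
    destination), not mis-parsed here."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    sock.settimeout(timeout)
    for _ in range(max_datagrams):
        try:
            data, (peer, _) = sock.recvfrom(65535)
        except socket.timeout:
            print("no datagrams on UDP/%d in %ds: export is not reaching this host" % (port, timeout))
            return
        try:
            pkt = parse_netflow_v5(data)
        except ValueError as err:
            print("%s sent %d bytes that did not decode as v5: %s" % (peer, len(data), err))
            continue
        print("%s: seq=%d count=%d" % (peer, pkt["flow_sequence"], pkt["count"]))
        for r in pkt["records"]:
            print("  %s:%d -> %s:%d proto=%d bytes=%d"
                  % (r["src"], r["src_port"], r["dst"], r["dst_port"], r["proto"], r["bytes"]))


if __name__ == "__main__":
    decoded = parse_netflow_v5(build_sample_packet())
    print("sample decodes to %d records, sequence %d" % (decoded["count"], decoded["flow_sequence"]))
    # listen()  # uncomment on the collector host to see live export
```

Gaps in `flow_sequence` between consecutive datagrams from the same exporter mean datagrams are being lost in transit rather than never sent, which points at a different place in the path than a silent collector port does.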

                                  • Re: Firewall
                                    bshopp

                                    If both are blocked by the firewall, then you could manually manage the IP if you wish. If only SNMP is blocked, we could tell you something resides at that IP, but none of the system details.