topic Re: IOT SNMP Queries using Xsoar and L3 in General Topics

IOT SNMP Queries using Xsoar and L3

Sec101 — Wed, 11 May 2022 16:34:10 GMT

I see that snmp queries can be used to discover devices for IOT using xsoar engines. I also see that it uses cdp lldp and gathers arp and mac data.

https://docs.paloaltonetworks.com/iot/iot-security-integration/network-management/integrate-iot-security-with-network-switches-for-snmp-discovery

Specifically in the documentation:
The XSOAR engine also queries the entry switch for the IP addresses of neighboring switches on the network. It collects device information from them next and also gets a list of their neighboring switches as well. XSOAR continues collecting device information and learning about other switches until it has queried them all.

What I don't understand is what happens when this engine hits a L3 boundary. Does the discovery continue past/through an MPLS network, or is it simple snmp queries, and will it fail past a routed MPLS connection, not discovering other networks/routers?

Re: IOT SNMP Queries using Xsoar and L3

LAYER_8 — Tue, 14 Jun 2022 00:58:08 GMT

I know the engineer that got this feature built during a PoC. He is on vacation but I've sent this his way to get clarification for you. Will follow up when he does.

Re: IOT SNMP Queries using Xsoar and L3

Sec101 — Tue, 14 Jun 2022 17:52:26 GMT

@LAYER_8

I also wonder how far it goes switch wise. Does it stop at the distribution switch, or does it go to the access layer switch, and what triggers it to go further?

Re: IOT SNMP Queries using Xsoar and L3

LAYER_8 — Tue, 14 Jun 2022 18:54:46 GMT

Spoke with the dev that made the feature. You configure the snmp crawl profile, it will reach out to that switch you configure it for.

From there, it will use LLDP to go switch to switch, up to 5 layers (we can change this if need be). The LLDP discovery gives MAC to port binding (so we know which next targets to find), and after the crawler has exhausted LLDP switch discovery, it will then request ARP tables from each switch to populate MAC to IP for IoT.

He doesn't wish to share how the crawler itself functions in the network, but, that he will show it in PoC.

You can create multiple SNMP profiles, and will need to for each subnet/segment of the network. That is to say, it won't crawl any L3 boundaries.

Re: IOT SNMP Queries using Xsoar and L3

Sec101 — Wed, 15 Jun 2022 13:32:52 GMT

I've noticed in some cases it never gets past the distribution switch, that is not 5 hops away. Seems like it stops there, while others it goes all the way down to the access switch. Just not sure what would cause that.

Either way- that is spectacular feedback. Thank you @LAYER_8