FortiNAC-F
FortiNAC-F is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks. For legacy FortiNAC articles prior to FortiNAC-F 7.2, see FortiNAC.
Sx11 (Staff)
Article Id 311276
Description

This article provides examples of the tools that can be leveraged in FortiNAC-F to classify IoT/OT devices.

 

Scope

FortiNAC-F, FortiNAC.

 

Solution

The device profiler feature in FortiNAC classifies unknown (rogue) devices by evaluating several methods as matching criteria and, on a match, registers the device as a trusted host. Network access policies can then provision network access based on the matching user/host profile.

IoT devices are unique in the hardware, OS, security features and protocols they use for communication. Additionally, they are 'headless' devices, meaning that no user is associated with them. The registration process therefore cannot rely on a user logging in, which reduces the registration options available.

 

The following methods can be leveraged in such scenarios.

 

  1. Location and OUI.

With the Location method, it is possible to ensure that the device is actually connecting at a location (switch/device/container) where that device type is expected to be provisioned.

With the Vendor OUI method, it is possible to match on the 'Vendor Code' (the first three octets of the MAC address) or on the 'Vendor Name', so that only the expected manufacturer of the camera or PLC is accepted.

If the unknown device is an Axis camera, the administrator would expect it to always connect to switch1 in the container 'Floor1 switches'.

Another example would be a PLC that is always connected to a rugged FortiGate modeled in the container 'Firewall'.

 

     a. Location method criteria. Add location elements:

 

Figure 1. Location method configuration

 

     b. OUI method criteria. Add Vendor matching criteria:

 

Figure 2. Vendor OUI configuration method

 

Customers may have several rugged FortiGate models in the same container, 'ICS network 1'. In that network they would likely expect only Siemens devices to be connected and communicating. By selecting both the container and the device itself in the Location method, and Siemens as the vendor in the OUI method, the rule only matches Siemens-identified devices that are connected to a FortiGate in ICS network 1.

 

  2. Network traffic.

Leveraging NetFlow makes it possible to identify devices by the attributes of the traffic they generate. For example, a PLC client that communicates with a snap7 server can be recognized by its sessions to the server's IP address on TCP port 102.

For FortiNAC-F to collect session information, the following prerequisites must be met:

 

  • Enable the 'netflow' protocol in the port1 services through the CLI. Note that 'set allowaccess' replaces the entire service list, so include the services that are already enabled on the interface and add 'netflow' to them, as in the following example:

 

config system interface

edit port1

set allowaccess ping ssh snmp http https-adminui nac-agent nac-ipc radius radius-acct radius-local netflow

next

end

 

  • Enable 'Firewall session polling' in the FortiGate modeled device in the Network Inventory. This will make it possible for FortiNAC to collect FortiGate session information and use it to classify the device.

 

 

Figure 3. Firewall Session Polling configuration in Network Inventory

 

 

Set Firewall session polling frequency:

 

Figure 4. Session polling frequency configuration

 

 

Leave 'Create Rogues from Session Data' disabled: depending on the environment, it can generate a large number of rogue records for hosts that are only learned from session data.

 

  • To check the network sessions collected for a host, right-click the host and select 'Show Network Session'.

 

Figure 5. Collected network sessions for the host being classified

 

  • Configure the method in the Profiling rule. 

 

Figure 6. NetFlow Profiling method configuration

 

Selecting 'Apply Device As Source Device' means that the rogue is expected to be the source of the traffic, communicating to the Destination IP, Destination Port and protocol specified in the method. This corresponds to the SOURCEDEVICE=true attribute in the NetFlow fingerprint of the debug output.

 

  • To test the device profiler and identify issues, enable the ActiveFingerprint debug and follow the output.nessus log for the rogue's MAC address in the CLI:

 

diagnose debug plugin enable ActiveFingerprint

diagnose tail -F output.nessus | grep -i "00:1C:06:E4:1F:47"

 

In the GUI, go to Adapters, right-click the affected adapter, and select 'Test Device Profiling Rule'.

The debug output then shows, per method, the fingerprint collected for the host and whether the rule matched:

 

yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:541 :: #47 :: testRuleMatch() starting rule = PLC_Client mac = 00:1C:06:E4:1F:47
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:542 :: #47 :: testRuleMatch() performing scans. rule = PLC_Client mac = 00:1C:06:E4:1F:47 ip = 10.10.10.102
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:542 :: #47 :: performScans() rule = PLC_Client mac = 00:1C:06:E4:1F:47
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:542 :: #47 :: performScans() rule = PLC_Client mac = 00:1C:06:E4:1F:47 enabled = true
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:542 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = OUIMethod
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:543 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = OUIMethod fingerprint = Fingerprint [dbid=null, source=Vendor OUI, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={OUI=00:1C:06, VENDOR=Siemens Numerical Control Ltd., Nanjing}]
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:543 :: #47 :: performScans() rule = PLC_Client mac = 00:1C:06:E4:1F:47 enabled = true
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:543 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = LocationMethod
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:543 :: #47 :: performScan(00:1C:06:E4:1F:47) starting
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:543 :: #47 :: match() starting 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:543 :: #47 :: match() client = 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:544 :: #47 :: match() ending 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:544 :: #47 :: performScan(00:1C:06:E4:1F:47) = true ending
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:544 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = LocationMethod fingerprint = Fingerprint [dbid=null, source=Location, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={}]
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:544 :: #47 :: match() starting 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:545 :: #47 :: match() client = 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:545 :: #47 :: match() ending 00:1C:06:E4:1F:47
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:546 :: #47 :: performScans() rule = PLC_Client mac = 00:1C:06:E4:1F:47 enabled = true
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:546 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = NetFlowMethod
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:546 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = NetFlowMethod fingerprint = Fingerprint [dbid=null, source=Net Flow, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={DESTIP=172.16.180.3, SOURCEDEVICE=true, DESTPORT=102, PROTOCOL=TCP}]
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:550 :: #47 :: process() Net Flow 00:1C:06:E4:1F:47
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:560 :: #47 :: testRuleMatch() matching rule. rule = PLC_Client mac = 00:1C:06:E4:1F:47 ip = 10.10.10.102
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:560 :: #47 :: match() starting 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:561 :: #47 :: match() client = 00:1C:06:E4:1F:47
yams.dpc.LocationMethod FINER :: 2024-04-24 12:17:37:565 :: #47 :: match() ending 00:1C:06:E4:1F:47
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:572 :: #47 :: testRuleMatch() Rule matches: PLC_Client 00:1C:06:E4:1F:47 [Fingerprint [dbid=null, source=Vendor OUI, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={OUI=00:1C:06, VENDOR=Siemens Numerical Control Ltd., Nanjing}], Fingerprint [dbid=null, source=Location, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={}], Fingerprint [dbid=null, source=Net Flow, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=PC1, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={DESTIP=172.16.180.3, SOURCEDEVICE=true, DESTPORT=102, PROTOCOL=TCP}]]
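Reading a long stretch of this debug output by eye is error-prone, so the following is an added example (not a FortiNAC tool) of a small parser that summarizes the ActiveFingerprint lines for one MAC: which methods produced a fingerprint, with which attributes, and whether the rule finally matched. The sample lines are copies of the article's own output; the line layout 'logger LEVEL :: timestamp :: #thread :: message' and the 'KEY=value' attribute syntax are taken from those lines, and the parser deliberately keeps the comma inside vendor names such as 'Siemens Numerical Control Ltd., Nanjing'. Nothing else is assumed.

```python
"""Summarise FortiNAC ActiveFingerprint debug output for one rogue.

Added example, not FortiNAC code. Feed it the lines that
'diagnose debug plugin enable ActiveFingerprint' writes to output.nessus.
"""
import re

# 'performScan() rule = R mac = M method = X fingerprint = Fingerprint [... attributes={...}]'
FINGERPRINT_RE = re.compile(
    r"performScan\(\) rule = (?P<rule>\S+) mac = (?P<mac>\S+) method = (?P<method>\S+) "
    r"fingerprint = Fingerprint \[.*?attributes=\{(?P<attrs>.*)\}\]$")
# 'testRuleMatch() Rule matches: R M [Fingerprint ...'
MATCH_RE = re.compile(r"testRuleMatch\(\) Rule matches: (?P<rule>\S+) (?P<mac>\S+) \[")
# Keys are upper-case words; a value runs until the next ', KEY=' or the end of the
# string, so a vendor such as 'Siemens Numerical Control Ltd., Nanjing' keeps its comma.
ATTR_RE = re.compile(r"([A-Z]+)=(.*?)(?=, [A-Z]+=|$)")


def parse_attributes(text: str) -> dict:
    """'OUI=00:1C:06, VENDOR=Siemens ..., Nanjing' -> {'OUI': ..., 'VENDOR': ...}"""
    return {k: v for k, v in ATTR_RE.findall(text)}


def message(line: str) -> str:
    """Strip 'logger LEVEL :: timestamp :: #thread :: ' and keep the message."""
    return line.split(" :: ", 3)[-1]


def summarise(lines, mac: str) -> dict:
    """Return {rule: {'methods': {method: attrs}, 'matched': bool}} for one MAC."""
    mac = mac.upper()
    rules = {}
    for raw in lines:
        msg = message(raw.rstrip())
        m = FINGERPRINT_RE.search(msg)
        if m and m["mac"].upper() == mac:
            entry = rules.setdefault(m["rule"], {"methods": {}, "matched": False})
            entry["methods"][m["method"]] = parse_attributes(m["attrs"])
            continue
        m = MATCH_RE.search(msg)
        if m and m["mac"].upper() == mac:
            rules.setdefault(m["rule"], {"methods": {}, "matched": False})["matched"] = True
    return rules


# Sample taken from the article's debug output (the last line is shortened here).
SAMPLE = """\
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:542 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = OUIMethod
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:543 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = OUIMethod fingerprint = Fingerprint [dbid=null, source=Vendor OUI, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={OUI=00:1C:06, VENDOR=Siemens Numerical Control Ltd., Nanjing}]
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:544 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = LocationMethod fingerprint = Fingerprint [dbid=null, source=Location, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={}]
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:546 :: #47 :: performScan() rule = PLC_Client mac = 00:1C:06:E4:1F:47 method = NetFlowMethod fingerprint = Fingerprint [dbid=null, source=Net Flow, physAddress=00:1C:06:E4:1F:47, ipAddress=10.10.10.102, hostName=null, entityTag=null, os=null, createTime=null, lastHeardTime=null, attributes={DESTIP=172.16.180.3, SOURCEDEVICE=true, DESTPORT=102, PROTOCOL=TCP}]
yams.ActiveFingerprint FINER :: 2024-04-24 12:17:37:572 :: #47 :: testRuleMatch() Rule matches: PLC_Client 00:1C:06:E4:1F:47 [Fingerprint [...]]
"""

if __name__ == "__main__":
    for rule, info in summarise(SAMPLE.splitlines(), "00:1C:06:E4:1F:47").items():
        print(rule, "matched" if info["matched"] else "not matched")
        for method, attrs in info["methods"].items():
            print("  ", method, attrs)
```

If a rule is present in the summary but 'matched' stays False, the method whose fingerprint is missing from 'methods' is the one to look at first: it is the method that never produced a fingerprint for the host.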
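To make the matching logic of the Location, Vendor OUI and NetFlow methods described in the two sections above concrete, the following is an added example, not FortiNAC code and not its API, that re-implements the PLC_Client rule on a constructed rogue record. Two points are taken from the article: every method configured in a rule must match (the debug output lists all three fingerprints before 'Rule matches'), and 'Apply Device As Source Device' makes the rogue the source of the flow. The vendor table, the rogue (its IP 10.10.10.102, the device 'fgt-rugged-1' it connects through, its polled session) and the behaviour when the rogue is the destination of the flow are assumptions for this example.

```python
"""Offline model of a FortiNAC-style device profiling rule (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed vendor table keyed by the first three octets of the MAC (the OUI).
OUI_TABLE = {
    "00:1C:06": "Siemens Numerical Control Ltd., Nanjing",  # vendor seen in the debug log
    "00:40:8C": "Axis Communications AB",
}


@dataclass(frozen=True)
class Session:
    """One flow as learned from FortiGate session polling (constructed)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


@dataclass
class Rogue:
    mac: str
    ip: str
    device: str                                   # network device the host connects through
    container: str                                # container that device is modelled in
    sessions: list = field(default_factory=list)

    @property
    def oui(self) -> str:
        return self.mac.upper()[:8]


@dataclass
class Rule:
    name: str
    vendor_codes: set = field(default_factory=set)   # OUI method, 'Vendor Code'
    vendor_names: set = field(default_factory=set)   # OUI method, 'Vendor Name'
    locations: set = field(default_factory=set)      # Location method elements
    flow: Optional[tuple] = None                     # NetFlow: (dest ip, dest port, protocol)
    device_is_source: bool = True                    # 'Apply Device As Source Device'


def oui_method(rule: Rule, host: Rogue) -> Optional[dict]:
    """Vendor OUI method: match on the 3-octet code or on (part of) the vendor name."""
    vendor = OUI_TABLE.get(host.oui, "")
    by_code = host.oui in rule.vendor_codes
    by_name = any(n.lower() in vendor.lower() for n in rule.vendor_names)
    return {"OUI": host.oui, "VENDOR": vendor} if by_code or by_name else None


def location_method(rule: Rule, host: Rogue) -> Optional[dict]:
    """Location method: the host must connect through one of the selected elements."""
    return {} if {host.device, host.container} & rule.locations else None


def netflow_method(rule: Rule, host: Rogue) -> Optional[dict]:
    """NetFlow method: look for a polled session matching the configured peer and port."""
    dest_ip, dest_port, proto = rule.flow
    for s in host.sessions:
        if rule.device_is_source:
            hit = s.src_ip == host.ip and (s.dst_ip, s.dst_port, s.protocol) == (dest_ip, dest_port, proto)
        else:  # assumed: the rogue is the destination, the rule's IP is the peer, the port is on the rogue
            hit = s.dst_ip == host.ip and (s.src_ip, s.dst_port, s.protocol) == (dest_ip, dest_port, proto)
        if hit:
            return {"DESTIP": dest_ip, "SOURCEDEVICE": rule.device_is_source,
                    "DESTPORT": dest_port, "PROTOCOL": proto}
    return None


def evaluate(rule: Rule, host: Rogue):
    """Return (matched, fingerprints). Every configured method must match (AND);
    the first failing method ends the evaluation, so the returned fingerprints
    show how far the rule got."""
    checks = []
    if rule.vendor_codes or rule.vendor_names:
        checks.append(("Vendor OUI", oui_method))
    if rule.locations:
        checks.append(("Location", location_method))
    if rule.flow:
        checks.append(("Net Flow", netflow_method))
    fingerprints = {}
    for source, method in checks:
        fp = method(rule, host)
        if fp is None:
            return False, fingerprints
        fingerprints[source] = fp
    return bool(checks), fingerprints


# Constructed rogue mirroring the article's PLC client and its snap7 session.
PLC = Rogue(mac="00:1C:06:E4:1F:47", ip="10.10.10.102",
            device="fgt-rugged-1", container="ICS network 1",
            sessions=[Session("10.10.10.102", "172.16.180.3", 102, "TCP")])

PLC_CLIENT = Rule("PLC_Client", vendor_names={"Siemens"},
                  locations={"ICS network 1"}, flow=("172.16.180.3", 102, "TCP"))

if __name__ == "__main__":
    print(evaluate(PLC_CLIENT, PLC))
```

Moving the same PLC to 'Floor1 switches' makes the Location method fail and the evaluation stops there, which is the same shape as the debug output: the methods that did produce a fingerprint are listed, the one that did not is missing.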

 

  3. Other methods.

 

  • FortiGuard.

 

FortiNAC uses the FortiGuard IoT/OT signatures to identify and register devices.

These signatures are updated continuously by the FortiGuard teams. FortiNAC also uses them for FortiGuard IoT scans, which return a confidence score for the identification of the device.

More information is provided in the IoT deployment guide (see Related documents).

 

  • TCP.

An additional method is 'TCP', which uses the results of an Nmap active scan to detect open ports on the host.

However, not all open ports can be detected, especially on devices that use non-standard ports for communication (such as TCP port 102 in the example below): the standard scan used by the method does not report them. In these cases the TCP method does not match and the device remains a rogue.

 

More examples are provided in the Device profiler guide.

 

  4. Scanning with Nmap and manual classification.

Currently, FortiNAC does not support device profiling using custom Nmap scans or the Nmap Scripting Engine (NSE).

However, advanced users can run the Nmap binary shipped with FortiNAC from the shell to see what attributes the devices return, and then register the device manually in Host View.

 

To list NSE scripts, run the following in the FortiNAC-F CLI:

 

execute enter-shell

ls -la /usr/share/nmap/scripts/

 

To list nmap options, run the following:

 

nmap --help

 

As an example, a Siemens snap7 server has been simulated that listens on TCP port 102.

Currently, the port information cannot be collected by the standard scan used for the 'TCP' method.

A custom scan over ports 1-65000 shows the port:

 

nmap 10.10.10.101 -Pn -p 1-65000
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-24 15:38 CEST
Nmap scan report for 10.10.10.101
Host is up (0.00064s latency).
Not shown: 64998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
102/tcp open  iso-tsap

 

Utilizing the Nmap scripting engine makes it possible to collect more information about the device to identify its attributes and whether they really match a snap7 server.

 

nmap 10.10.10.101 -Pn -p 102 --script s7-info.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-24 15:41 CEST
Nmap scan report for 10.10.10.101
Host is up (0.00023s latency).

PORT    STATE SERVICE
102/tcp open  iso-tsap
| s7-info:
|   Module: 6ES7 315-2EH14-0AB0
|   Basic Hardware: 6ES7 315-2EH14-0AB0
|   Version: 3.2.6
|   System Name: SNAP7-SERVER
|   Module Type: CPU 315-2 PN/DP
|   Serial Number: S C-C2UR28922012
|_  Copyright: Original Siemens Equipment
Service Info: Device: specialized

Nmap done: 1 IP address (1 host up) scanned in 0.14 seconds

 

Important note:

Many scripts or scans can cause service disruption to IoT/OT devices, depending on the scan type and frequency. Scans should first be tested in a lab environment, and how the devices respond should be verified. Additionally, many NSE scripts belong to the intrusive, vuln, exploit or dos categories and actively probe or trigger vulnerabilities; they should not be run against a live environment without proper validation.
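Two things a practitioner wants automated at this step are the safety check from the note above and the transcription of the script output into attributes for manual registration. The following is an added example, not FortiNAC or Nmap code: nse_allowed() reads the 'categories = {...}' line every NSE script declares and refuses the categories Nmap documents as disruptive (intrusive, dos, exploit, vuln, brute, fuzzer, malware); parse_script_output() reads the '| key: value' block that nmap prints under a script name, fed here with the s7-info output shown above; registration_hint() maps those fields onto the values one would type into manual registration. The two script headers are constructed for the example and are not the real s7-info.nse, and the field mapping is an assumption.

```python
"""Gate NSE scripts by category and turn script output into host attributes (added example)."""
import re

# Nmap script categories that can disturb a device or trigger a vulnerability.
DISRUPTIVE = {"intrusive", "dos", "exploit", "vuln", "brute", "fuzzer", "malware"}
CATEGORIES_RE = re.compile(r'categories\s*=\s*\{([^}]*)\}')


def nse_categories(script_source: str) -> set:
    """Categories declared by an NSE script (empty set if none is found)."""
    m = CATEGORIES_RE.search(script_source)
    return set(re.findall(r'"([^"]+)"', m.group(1))) if m else set()


def nse_allowed(script_source: str) -> bool:
    """Refuse scripts that declare no categories at all or any disruptive one."""
    cats = nse_categories(script_source)
    return bool(cats) and not (cats & DISRUPTIVE)


def parse_script_output(nmap_text: str, script_id: str) -> dict:
    """Collect the 'key: value' lines printed under '| <script_id>:' in nmap output."""
    attrs, inside = {}, False
    for line in nmap_text.splitlines():
        if not line.startswith("|"):
            inside = False                      # left the port's script block
            continue
        body = line.lstrip("|_ ").strip()       # '|_  Copyright: ...' -> 'Copyright: ...'
        key, _, value = body.partition(":")
        if not value.strip():                   # '| s7-info:' style header line
            inside = key.strip() == script_id
        elif inside:
            attrs[key.strip()] = value.strip()
    return attrs


def registration_hint(attrs: dict) -> dict:
    """Assumed mapping from s7-info fields to manual-registration fields."""
    return {
        "vendor": "Siemens" if "Siemens" in attrs.get("Copyright", "") else "unknown",
        "model": attrs.get("Module Type", ""),
        "hardware": attrs.get("Basic Hardware", ""),
        "name": attrs.get("System Name", ""),
        "firmware": attrs.get("Version", ""),
    }


# Constructed script headers (not the real s7-info.nse).
SAFE_HEADER = 'description = [[Read the identity of a device]]\ncategories = {"discovery", "safe"}'
RISKY_HEADER = 'description = [[Trigger a crash]]\ncategories = {"vuln", "intrusive"}'

# The s7-info output from the article, as nmap prints it.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
102/tcp open  iso-tsap
| s7-info:
|   Module: 6ES7 315-2EH14-0AB0
|   Basic Hardware: 6ES7 315-2EH14-0AB0
|   Version: 3.2.6
|   System Name: SNAP7-SERVER
|   Module Type: CPU 315-2 PN/DP
|   Serial Number: S C-C2UR28922012
|_  Copyright: Original Siemens Equipment
Service Info: Device: specialized
"""

if __name__ == "__main__":
    print("safe header allowed:", nse_allowed(SAFE_HEADER), "risky header allowed:", nse_allowed(RISKY_HEADER))
    print(registration_hint(parse_script_output(NMAP_OUTPUT, "s7-info")))
```

On the appliance, the script source for the gate is the file under /usr/share/nmap/scripts/ listed earlier; run the scan only when nse_allowed() returns True for the scripts you intend to pass to --script.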

 

After verifying the above, register the device manually by going to Users & Hosts > Profiled Devices:

 

Figure 7. Manual device registration

 

 

This option is only available when the device profiling rule's registration setting is 'Manual', as shown in the following image:

 

Figure 8. Manual registration setting in the Device profiling rule.

 

 

Related documents:

Device profiler implementation.

FortiGate session polling article.

FortiGate session polling documentation.

Network sessions documentation.

Deploy FortiNAC to provide control for IoT devices.