Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 35      Introduction to Network Discovery
Understanding Discovery Data Collection
To begin collecting discovery data, you must first apply an access control policy. The access control policy (see ) defines the traffic that you permit, and therefore the traffic you can monitor with network discovery. This means that if you block certain traffic using access control, the system cannot examine that traffic for host, user, or application activity. For example, if you block access to social networking applications, the system does not provide you with any discovery data on social networking applications.
After you apply an access control policy, you must configure and apply a network discovery policy, which specifies the network segments and ports you want to monitor with your managed devices, and the kinds of data you want to collect. When you apply the network discovery policy, the system begins generating discovery data, which you can then view and analyze using the Defense Center web interface.
The system stores network discovery data in the Defense Center database; for information on storage limits, see . In addition to the database limits, the total number of detected hosts and users the Defense Center can store depends on your FireSIGHT license. After you reach the licensed user limit, in most cases the system stops adding new users to the database. To add new users, you must either manually delete old or inactive users from the database, or purge all users from the database. On the other hand, after you reach the licensed host limit, you can configure the system either to stop adding new hosts to the database, or to replace the hosts that have remained inactive for the longest time.
To supplement the data gathered by the system, you can import records generated by NetFlow-enabled devices, Nmap active scans, the Cisco host input feature, and User Agents that reside on a Microsoft Active Directory server and report LDAP authentications. The FireSIGHT System integrates these records with the information it collects via direct network traffic observation by managed devices.
Understanding Host Data Collection
License: FireSIGHT
As the system passively monitors the traffic that travels through your network, it compares specific packet header values and other unique data from network traffic against established definitions (called fingerprints) to determine the following information about the hosts on your network:
  • the number and types of hosts (including network devices such as bridges, routers, load balancers, and NAT devices)
  • basic network topology data, including the number of hops from the discovery point on the network to the hosts
  • the operating systems running on the hosts
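The passive fingerprinting described above, as an added example (not FireSIGHT code, and not Cisco's fingerprint format): a TCP SYN is parsed from raw IPv4/TCP bytes, its header values (TTL, window size, MSS, window scale, DF bit) are compared against a small fingerprint table, and the hop count from the sensor is recovered from the difference between the observed TTL and the nearest common initial TTL. The fingerprint entries, the initial-TTL set and the SYN packets are constructed here for illustration; a real fingerprint database has far more fields and entries.

```python
"""Passive OS fingerprinting from a TCP SYN, the way a discovery sensor classifies a host.

Added example, not FireSIGHT code. The fingerprint table and the SYN packets are
constructed; the field set is a simplification of what real sensors compare.
"""
import struct

# Constructed, illustrative fingerprint definitions keyed on SYN header values.
FINGERPRINTS = [
    {"os": "Linux 3.x/4.x", "ttl": 64, "win": 29200, "mss": 1460, "wscale": 7, "df": True},
    {"os": "Windows 7/8", "ttl": 128, "win": 8192, "mss": 1460, "wscale": 8, "df": True},
    {"os": "BSD-like", "ttl": 64, "win": 65535, "mss": 1460, "wscale": 6, "df": True},
]
INITIAL_TTLS = (32, 64, 128, 255)  # common OS default TTLs, used to recover hop count


def parse_tcp_options(opts: bytes) -> dict:
    """Walk TCP options (kind, length, data) and pull out MSS and window scale."""
    out = {"mss": None, "wscale": None}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                # malformed option: stop rather than mis-read
        data = opts[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            out["mss"] = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:
            out["wscale"] = data[0]
        i += length
    return out


def extract_syn_signature(pkt: bytes) -> dict:
    """Parse the IPv4 and TCP headers of a SYN and return the fingerprintable fields."""
    (ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto, _csum,
     src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    (_sport, _dport, _seq, _ack, off_flags, win, _tcsum, _urg) = struct.unpack("!HHIIHHHH", tcp[:20])
    if off_flags & 0x1FF != 0x002:
        raise ValueError("not a bare SYN")
    doff = (off_flags >> 12) * 4
    sig = {"src": ".".join(map(str, src)), "ttl": ttl, "win": win, "df": bool(flags_frag & 0x4000)}
    sig.update(parse_tcp_options(tcp[20:doff]))
    return sig


def fingerprint(pkt: bytes) -> dict:
    """Classify the sender: guess its initial TTL, hop distance from the sensor, and OS."""
    sig = extract_syn_signature(pkt)
    initial = next((t for t in INITIAL_TTLS if t >= sig["ttl"]), None)
    hops = None if initial is None else initial - sig["ttl"]
    os_name = None
    for fp in FINGERPRINTS:
        if (fp["ttl"], fp["win"], fp["mss"], fp["wscale"], fp["df"]) == \
                (initial, sig["win"], sig["mss"], sig["wscale"], sig["df"]):
            os_name = fp["os"]
            break
    return {"src": sig["src"], "initial_ttl": initial, "hops": hops, "os": os_name}


def build_syn(src: str, ttl: int, win: int, mss: int, wscale: int, df: bool = True) -> bytes:
    """Constructed SYN (IPv4 + TCP with MSS/NOP/WSCALE/SACK-permitted options); checksums left zero."""
    opts = (struct.pack("!BBH", 2, 4, mss) + b"\x01" + struct.pack("!BBB", 3, 3, wscale)
            + b"\x04\x02" + b"\x01\x01")                       # 12 bytes, data offset 8
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (8 << 12) | 0x002, win, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000 if df else 0,
                     ttl, 6, 0, bytes(int(o) for o in src.split(".")), bytes([10, 0, 0, 1]))
    return ip + tcp


if __name__ == "__main__":
    for pkt in (build_syn("10.0.0.5", 61, 29200, 1460, 7),
                build_syn("10.0.0.6", 125, 8192, 1460, 8),
                build_syn("10.0.0.7", 250, 5000, 1380, 0)):
        print(fingerprint(pkt))
```

The third packet matches no entry and comes back with `os` unset, which is the situation the custom-fingerprint feature exists for: the sensor can still report the host and its hop distance, but has no operating system to attach vulnerability data to until a matching definition is added.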
If the system cannot identify the operating system of a host, you can use the custom fingerprinting feature to create custom client or server fingerprints. The system uses these fingerprints to identify new hosts. You can map fingerprints to systems in the vulnerability database (VDB) to allow the appropriate vulnerability information to be displayed whenever a host is identified using the custom fingerprint. For