Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Appendix E
Security, Internet Access, and Communication Ports
To safeguard the Defense Center, you should install it on a protected internal network. Although the 
Defense Center is configured to have only the necessary services and ports available, you must make 
sure that attacks cannot reach it (or any managed devices) from outside the firewall.
If the Defense Center and its managed devices reside on the same network, you can connect the 
management interfaces on the devices to the same protected internal network as the Defense Center. This 
allows you to securely control the devices from the Defense Center.
Regardless of how you deploy your appliances, intra-appliance communication is encrypted. However, 
you must still take steps to ensure that communications between Cisco appliances cannot be interrupted, 
blocked, or tampered with; for example, with a distributed denial of service (DDoS) or 
man-in-the-middle attack.
Also note that specific features of the FireSIGHT System require an Internet connection. By default, all 
Cisco appliances are configured to connect directly to the Internet. Additionally, the system requires 
that certain ports remain open for basic intra-appliance communication, for secure appliance access, and so 
that specific system features can reach the local or Internet resources they need to operate correctly.
Tip: With the exception of Sourcefire Software for X-Series, Cisco appliances support the use of a proxy 
server. For more information, see .
For more information, see:
  •
  •
Internet Access Requirements
By default, Cisco appliances are configured to directly connect to the Internet on ports 443/tcp (HTTPS) 
and 80/tcp (HTTP), which are open by default on all Cisco appliances; see 
. Note that most Cisco appliances support use of a proxy server; see 
.
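As an added example (not part of this guide), the following Python checks a first-match firewall egress policy against the default outbound ports named above, 443/tcp and 80/tcp, for every Defense Center management address you list, so that a member of a high availability pair that was left without Internet access is caught before failover. The rule format, the management network and the appliance addresses are constructed.

```python
"""Verify that each Defense Center can reach the Internet on the default
outbound ports (443/tcp, 80/tcp). Rule format and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Outbound ports the appendix states are open by default for Internet access.
REQUIRED_EGRESS = {("tcp", 443), ("tcp", 80)}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source network in CIDR notation
    proto: str    # "tcp" or "udp"
    dport: int    # destination port; 0 means any port


def first_match(rules, src_ip, proto, dport):
    """First matching rule wins; no match means default deny."""
    for r in rules:
        if (ip_address(src_ip) in ip_network(r.src)
                and r.proto == proto and r.dport in (0, dport)):
            return r.action
    return "deny"


def missing_egress(rules, appliances):
    """Return {appliance_name: {(proto, port), ...}} for required
    outbound flows the policy does not allow; empty dict means all good."""
    gaps = {}
    for name, ip in appliances.items():
        blocked = {(p, port) for p, port in REQUIRED_EGRESS
                   if first_match(rules, ip, p, port) != "allow"}
        if blocked:
            gaps[name] = blocked
    return gaps


# Constructed sample: a primary/secondary pair on a protected management net.
APPLIANCES = {"dc-primary": "10.0.5.10", "dc-secondary": "10.0.5.11"}
SAMPLE_POLICY = [
    Rule("allow", "10.0.5.0/24", "tcp", 443),
    Rule("allow", "10.0.5.10/32", "tcp", 80),   # only the primary got HTTP
    Rule("deny", "0.0.0.0/0", "tcp", 0),
]

if __name__ == "__main__":
    # Reports that dc-secondary is missing 80/tcp egress.
    print(missing_egress(SAMPLE_POLICY, APPLIANCES))
```

Run against a real export of your edge policy, the function flags exactly which appliance lacks which default port before the pair is relied on for synchronization.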
To ensure continuity of operations, both Defense Centers in a high availability pair must have Internet 
access. For specific features, the primary Defense Center contacts the Internet, then shares information 
with the secondary during the synchronization process. Therefore, if the primary fails, you should