Cisco FirePOWER Appliance 8250
42-2
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Assessing Your Detection Strategy
License:
FireSIGHT
Before you make any changes to the system’s default detection capabilities, you should analyze what
hosts are not being identified correctly and why, so you can decide what solution to implement. Use the
following as a guide for your decision:
• Are Your Managed Devices Correctly Placed?
• Do Unidentified Operating Systems Have a Unique TCP Stack?
Are Your Managed Devices Correctly Placed?
License:
FireSIGHT
If network devices such as load balancers, proxy servers, or NAT devices reside between the managed
device and the unidentified or misidentified host, the TCP stack characteristics the managed device
observes are shaped by, or entirely those of, the intermediate device rather than the host, so any
fingerprint derived from them describes the wrong system. Place a managed device closer to the
misidentified host rather than using custom fingerprinting. Cisco does not recommend using custom
fingerprinting in this scenario.
Do Unidentified Operating Systems Have a Unique TCP Stack?
License:
FireSIGHT
If the system misidentifies a host, you should investigate why the host is misidentified to help you decide
between creating and activating a custom fingerprint or substituting Nmap or host input data for
discovery data.
Caution
If you encounter misidentified hosts, contact your support representative before creating custom
fingerprints.
If a host is running an operating system that is not detected by the system by default and does not share
identifying TCP stack characteristics with existing detected operating systems, you should create a
custom fingerprint.
For example, if you have a customized version of Linux with a unique TCP stack that the system cannot
identify, you would benefit from creating a custom fingerprint, which allows the system to identify the
host and continue monitoring it, rather than using scan results or third-party data, which require you
to actively update the data yourself on an ongoing basis.
Note that many open source Linux distributions use the same kernel, and as such, the system identifies
them using the Linux kernel name. If you create a custom fingerprint for a Red Hat Linux system, you
may see other operating systems (such as Debian Linux, Mandrake Linux, Knoppix, and so on) identified
as Red Hat Linux, because the same fingerprint matches multiple Linux distributions.
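The three decision points above (an intermediate device masking the real host, a unique stack that no built-in fingerprint matches, and one kernel fingerprint shared by several distributions) all come down to how passive TCP-stack fingerprinting works: a sensor extracts a handful of fields from a SYN and looks them up in a table. The following is an added example written for this page, not FireSIGHT code and not the format of its fingerprint database; the signature fields, the TTL normalization, the reference entries and the SYNs for Red Hat, Debian, a tuned Linux build and a proxied Windows host are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class SynSignature:
    """Stack characteristics visible in one TCP SYN (simplified, constructed schema)."""
    initial_ttl: int            # observed IP TTL rounded up to the stack's initial value
    window: int                 # advertised TCP window
    mss: int                    # MSS option value
    df: bool                    # IP Don't-Fragment bit set
    options: Tuple[str, ...]    # TCP option layout in wire order


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial TTL (32, 64, 128, 255).

    Each router hop decrements TTL, so the value on the wire depends on sensor
    placement; normalizing it is what lets one fingerprint match the same host
    from different vantage points."""
    for candidate in (32, 64, 128, 255):
        if observed_ttl <= candidate:
            return candidate
    return 255


def signature_from_syn(ttl: int, window: int, mss: int, df: bool, options) -> SynSignature:
    return SynSignature(initial_ttl(ttl), window, mss, df, tuple(options))


class FingerprintDB:
    """Built-in fingerprints plus user-created custom ones; custom entries win."""

    def __init__(self) -> None:
        self.builtin: Dict[SynSignature, str] = {}
        self.custom: Dict[SynSignature, str] = {}

    def add_builtin(self, sig: SynSignature, name: str) -> None:
        self.builtin[sig] = name

    def add_custom(self, sig: SynSignature, name: str) -> None:
        self.custom[sig] = name

    def identify(self, sig: SynSignature) -> str:
        return self.custom.get(sig) or self.builtin.get(sig) or "unknown"


# Constructed option layouts; real stacks vary by version and sysctl settings.
LINUX_OPTS = ("mss", "sackOK", "timestamp", "nop", "wscale")
WINDOWS_OPTS = ("mss", "nop", "wscale", "nop", "nop", "sackOK")


def build_db() -> FingerprintDB:
    db = FingerprintDB()
    db.add_builtin(SynSignature(64, 29200, 1460, True, LINUX_OPTS), "Linux kernel")
    db.add_builtin(SynSignature(128, 65535, 1460, True, WINDOWS_OPTS), "Windows")
    return db


def run_scenarios() -> Dict[str, str]:
    """Walk the section's three cases against the constructed database."""
    db = build_db()
    results: Dict[str, str] = {}

    # 1. Managed-device placement: a Windows host sits behind a Linux-based proxy
    #    that terminates TCP. The sensor only ever sees the proxy's SYN, so the
    #    host is identified as the proxy's OS. No fingerprint fixes this; moving
    #    the sensor behind the proxy does.
    proxied = signature_from_syn(63, 29200, 1460, True, LINUX_OPTS)
    results["windows_behind_proxy"] = db.identify(proxied)

    # 2. Shared kernel: Red Hat (3 hops away) and Debian (6 hops away) emit the
    #    same stack characteristics, so both resolve to the kernel entry. Adding
    #    a custom "Red Hat" fingerprint for that signature relabels Debian too.
    redhat = signature_from_syn(61, 29200, 1460, True, LINUX_OPTS)
    debian = signature_from_syn(58, 29200, 1460, True, LINUX_OPTS)
    results["redhat_default"] = db.identify(redhat)
    results["debian_default"] = db.identify(debian)
    db.add_custom(redhat, "Red Hat Linux")
    results["debian_after_custom"] = db.identify(debian)

    # 3. Unique stack: a tuned Linux build (larger window, clamped MSS, different
    #    option order) matches nothing by default; a custom fingerprint is the
    #    right tool here because the stack is genuinely distinct.
    tuned = signature_from_syn(64, 262144, 1380, True, ("mss", "nop", "wscale", "sackOK", "timestamp"))
    results["tuned_default"] = db.identify(tuned)
    db.add_custom(tuned, "Custom Linux build")
    results["tuned_after_custom"] = db.identify(tuned)
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:24s} -> {verdict}")
```

The `debian_after_custom` result is the collision the paragraph above warns about: because the lookup key is the stack signature and not the distribution, a custom fingerprint written for one distribution labels every host that shares its kernel stack. The proxy case shows why the same signature can be wrong for a different reason, which is why placement is checked before fingerprinting.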
You should not use a fingerprint in every situation. For example, a host’s TCP stack may have been
modified so that it resembles or is identical to that of another operating system: an Apple Mac OS X
host is altered, making its fingerprint identical to a Linux 2.4 host, causing the system to