Cisco Firepower Management Center 4000
42-4
FireSIGHT System User Guide
Chapter 42 Enhancing Network Discovery
Enhancing Your Network Map
License: FireSIGHT
The FireSIGHT System builds the network map using data it detects by passively analyzing traffic. It
also uses data added through active sources such as the host input feature and the Nmap scanner.
Understanding how the system decides which data to use for an application or operating system identity
can help you decide how best to augment the system’s passive detection capabilities with active input
sources.
Understanding Passive Detection
License: FireSIGHT
Passive detection is the detection of host operating system, client, and application information through
analysis of traffic passively collected by the system. The system uses information in the VDB to help it
identify your network assets.
If the system cannot identify an operating system on a host, you can manually determine it and then
create a custom server or client fingerprint to help the system recognize that operating system on other
hosts with similar operating system characteristics.
The system uses all collected passive fingerprints for a host operating system to create a derived
fingerprint. The system creates derived fingerprints by applying a formula which calculates the most
likely identity using the confidence value of each collected fingerprint and the amount of corroborating
fingerprint data between identities. Common elements are identified between identities.
If you use user-defined application detectors on your network, you can augment the system’s application
detection capabilities by creating custom detectors that provide the system with the information it needs
to identify those applications. NetFlow can also add passively detected application information to the
network map.
Note that the system does not use application protocol and operating system data that it classified as
unknown because it is unable to interpret the data. The managed device reports the identity to the
Defense Center as unknown, and the identity data is not used to derive fingerprints.
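To make the derivation described above concrete, here is an added illustrative model of derived-fingerprint scoring in Python. It is not Cisco's code and not the actual FireSIGHT formula, which this guide does not publish; the weights (three times an identity's own summed confidence, plus confidence-weighted credit for each element shared with fingerprints of other identities), the field names and the sample fingerprints are assumptions constructed for the example. What it does take from the text: confidence values and corroborating elements between identities both count, and fingerprints reported as unknown are dropped before anything is derived.

```python
"""Illustrative derived-fingerprint scoring (hypothetical model, not the
FireSIGHT formula). Assumed: an identity is (vendor, product, version); each
fingerprint carries a 0..100 confidence; unknown fingerprints are ignored."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

UNKNOWN = "unknown"
Identity = Tuple[str, str, str]  # (vendor, product, version)


@dataclass(frozen=True)
class Fingerprint:
    """One passively collected OS fingerprint for a host (constructed sample)."""
    kind: str        # "server" or "client" fingerprint (assumed labels)
    vendor: str
    product: str
    version: str
    confidence: int  # 0..100, as reported by the detector (assumed scale)


def identity_of(fp: Fingerprint) -> Identity:
    return (fp.vendor, fp.product, fp.version)


def is_unknown(fp: Fingerprint) -> bool:
    """A fingerprint the device could not interpret is reported as 'unknown'
    and must not contribute to the derived fingerprint."""
    return UNKNOWN in (fp.vendor.lower(), fp.product.lower())


def common_elements(a: Identity, b: Identity) -> int:
    """Number of identity fields (vendor, product, version) two identities share."""
    return sum(1 for x, y in zip(a, b) if x == y)


def score_identities(fingerprints: Iterable[Fingerprint],
                     weight: int = 3) -> Dict[Identity, int]:
    """Assumed scoring: each identity starts with `weight` times the summed
    confidence of its own fingerprints, then gains confidence-weighted credit
    for every element it shares with fingerprints of *other* identities
    (the 'corroborating fingerprint data between identities')."""
    usable: List[Fingerprint] = [fp for fp in fingerprints if not is_unknown(fp)]
    scores: Dict[Identity, int] = defaultdict(int)
    for fp in usable:
        scores[identity_of(fp)] += weight * fp.confidence
    for ident in list(scores):
        for fp in usable:
            other = identity_of(fp)
            if other != ident:
                scores[ident] += common_elements(ident, other) * fp.confidence
    return dict(scores)


def derive_identity(fingerprints: Iterable[Fingerprint]) -> Tuple[Identity, int]:
    """Return (identity, score) of the most likely OS, or an all-unknown
    identity with score 0 when no usable fingerprint was collected."""
    scores = score_identities(fingerprints)
    if not scores:
        return (UNKNOWN, UNKNOWN, UNKNOWN), 0
    best = max(scores, key=lambda i: (scores[i], i))  # tie-break deterministically
    return best, scores[best]


# Constructed sample: passive fingerprints for one host. Two agree on vendor
# and product but differ on version; one is a conflicting identity with the
# highest single confidence; one was reported as unknown and is ignored.
SAMPLE_HOST = [
    Fingerprint("server", "Microsoft", "Windows", "7", 60),
    Fingerprint("client", "Microsoft", "Windows", "10", 50),
    Fingerprint("server", "Linux", "Ubuntu", "18.04", 70),
    Fingerprint("client", "unknown", "unknown", "", 90),
]

if __name__ == "__main__":
    ident, score = derive_identity(SAMPLE_HOST)
    print(f"derived identity: {' '.join(ident)} (score {score})")
```

In the sample, the Linux fingerprint has the highest individual confidence, yet the derived identity is Windows 7: the two Windows fingerprints corroborate each other on vendor and product, which is the effect the guide describes when it says common elements between identities feed the most-likely-identity calculation. The unknown fingerprint carries a confidence of 90 but is discarded before scoring, matching the note that unknown identity data is never used to derive fingerprints.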
Understanding Active Detection
License: FireSIGHT
Active detection is the addition to the network map of data collected by active sources, such as host
operating system and application information. For example, you can use the Nmap scanner to actively
scan the hosts that you target on your network. Nmap discovers operating systems and applications on
hosts.
In addition, the host input feature allows you to actively add host input data to the network map. There
are two different categories of host input data: