Cisco Firepower Management Center 2000
FireSIGHT System User Guide, page 35-14
Chapter 35 Introduction to Network Discovery
Understanding Discovery Data Collection
Host Limits and Discovery Event Logging
License: FireSIGHT
When the system detects a client, server, or web application it generates a discovery event unless the associated host has already reached its maximum number of clients, servers, or web applications.
Host profiles display up to 16 clients, 100 servers, and 100 web applications per host. See and for more information.
Note that actions dependent on the detection of clients, servers, or web applications are unaffected by this limit: the limit only suppresses the discovery event, not the detection itself. For example, access control rules configured to trigger on a server will still match and log connection events after the host's server limit has been reached.
Special Considerations for Application Protocol Detection: Squid
License: FireSIGHT
The system positively identifies Squid server traffic when either:
• the system detects a connection from a host on your monitored network to a Squid server where proxy authentication is enabled, or
• the system detects a connection from a Squid proxy server on your monitored network to a target system (that is, the destination server where the client is requesting information or another resource).
However, the system cannot identify Squid server traffic if:
• a host on your monitored network connects to a Squid server where proxy authentication is disabled, or
• the Squid proxy server is configured to strip Via: header fields from its HTTP responses (the Via: hop entry is what identifies the proxy in the second case above).
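As an added illustration (an editor's example, not code from the Cisco guide or from Squid), the following Python classifier applies the two positive conditions and the two failure conditions above to constructed HTTP responses: a 407 challenge from a proxy that stamps itself as Squid, a 407 from some other proxy, a 200 whose Via: header carries a Squid hop, and a 200 with Via: stripped. The hostnames, versions and responses are invented, and the guide does not document the exact fingerprints the FireSIGHT detector uses; treating a Squid-stamped Proxy-Authenticate challenge (Squid's default realm is "Squid proxy-caching web server") and a "(squid/...)" Via: hop as the evidence is this example's assumption.

```python
"""Squid detection conditions from the guide, applied to constructed HTTP
responses (added example; not Cisco or Squid code)."""
from typing import Optional


def parse_response_headers(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Return (status_code, headers) for a raw HTTP/1.x response.
    Header names are lower-cased; repeated headers are collected in a list."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def identify_squid(raw: bytes) -> Optional[str]:
    """Return which condition attributed the response to Squid, or None.

    'proxy-auth-challenge': the host talked to a Squid with proxy
        authentication enabled, so Squid answered 407 with a challenge
        that names Squid (Server:, Via: or the default realm).
    'via-header': a Squid hop on the monitored network forwarded the
        request and stamped itself into Via:, e.g. "1.1 host (squid/4.10)".
    None: neither condition holds, which covers a Squid with proxy
        authentication disabled and a Squid that strips Via:.
    """
    status, headers = parse_response_headers(raw)
    squid_stamp = (headers.get("server", []) + headers.get("via", [])
                   + headers.get("proxy-authenticate", []))
    if status == 407 and "proxy-authenticate" in headers:
        if any("squid" in v.lower() for v in squid_stamp):
            return "proxy-auth-challenge"
    for via in headers.get("via", []):
        for hop in via.split(","):
            if "(squid" in hop.lower():
                return "via-header"
    return None


# Constructed sample responses (hostnames and versions are invented).
SQUID_PROXY_AUTH_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Server: squid/4.10\r\n"
    b'Proxy-Authenticate: Basic realm="Squid proxy-caching web server"\r\n'
    b"Via: 1.1 proxy.corp.example (squid/4.10)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OTHER_PROXY_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Server: nginx\r\n"
    b'Proxy-Authenticate: Basic realm="corp"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SQUID_FORWARDED_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Via: 1.1 edge.cdn.example, 1.1 proxy.corp.example (squid/4.10)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
VIA_STRIPPED_200 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    samples = [("squid 407", SQUID_PROXY_AUTH_407), ("other 407", OTHER_PROXY_407),
               ("squid via", SQUID_FORWARDED_200), ("via stripped", VIA_STRIPPED_200)]
    for label, sample in samples:
        print(f"{label:13} -> {identify_squid(sample)}")
```

The last sample is the case the guide warns about: once `via off` (or an equivalent header-rewriting rule) removes the hop entry, the forwarded response is indistinguishable from a direct one, so nothing attributes it to Squid.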
Special Considerations: SSL Application Detection
License: FireSIGHT
The Cisco 3D System provides detectors that can use session information from a Secure Sockets Layer (SSL) session to identify the application protocol, client application, or web application in the session.
When the system detects an encrypted connection, it marks that connection as either a generic HTTPS connection or as a more specific secure protocol, such as SMTPS, when applicable. When the system detects an SSL session, it adds SSL client to the Client field in connection events for the session. If it identifies a web application for the session, the system generates discovery events for the traffic.
For SSL application traffic, managed devices running Version 5.2 or later can also detect the common name from the server certificate and match that against a client or web application from an SSL host pattern. When the system identifies a specific client, it replaces SSL client with the name of the client.
Note that managed devices running versions earlier than Version 5.2 cannot detect applications in SSL traffic, even if managed by a Version 5.2 Defense Center.
Because the SSL application traffic is encrypted, the system can use only information in the certificate for identification, not application data within the encrypted stream. For this reason, SSL host patterns can sometimes only identify the company that authored the application, so SSL applications produced by the same company may have the same identification.
In some instances, such as when an HTTPS session is launched from within an HTTP session, managed devices running Version 5.2 or later detect the server name from a client-side packet (the name of the server the client asks for when it opens the session) rather than from the server certificate.