Cisco FirePOWER Appliance 7115
Sourcefire 3D System User Guide, Version 5.3 (page 1303)
Chapter 32: Introduction to Network Discovery
The Sourcefire 3D System uses a feature called network discovery to monitor traffic on your network and build a comprehensive map of your network assets. As managed devices passively observe traffic on the network segments you specify, the system compares specific packet header values and other unique data from network traffic against established definitions (called fingerprints) to determine the number and types of hosts (including network devices) on your network, as well as the operating systems, active applications, and open ports on those hosts.

You can also configure Sourcefire managed devices to monitor user activity on your network, which allows you to identify the source of policy breaches, attacks, or network vulnerabilities.

To supplement the data gathered by the system, you can import records generated by NetFlow-enabled devices, Nmap active scans, the Sourcefire host input feature, and Sourcefire User Agents that reside on a Microsoft Active Directory server and report LDAP authentications. The Sourcefire 3D System integrates these records with the information it collects via direct network traffic observation by managed devices.

The system can correlate certain types of intrusion, malware, and other events occurring on hosts on your network to determine when hosts are potentially compromised, tagging those hosts with indications of compromise (IOC) tags. IOC data can give you a clear, direct picture of the threats to your monitored network as they relate to its hosts.

The system uses all of this information to help you with forensic analysis, behavioral profiling, access control, and mitigating and responding to the vulnerabilities and exploits to which your organization is susceptible.
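The two mechanisms described in this chapter, passive fingerprint matching of packet headers to build a host map and correlation of events to tag hosts with IOCs, are illustrated by the following toy engine. It is an added example, not the Sourcefire implementation; the fingerprint table, the IOC rule names, the packet and event records, and the function names are all constructed for the demonstration.

```python
# Added toy example (not the Sourcefire implementation): passive host map + IOC tags.
from collections import defaultdict
# Constructed fingerprint table: (initial TTL, TCP window) -> OS guess. Real
# fingerprints compare many more header fields; these values are illustrative.
FINGERPRINTS = {(64, 65535): "Linux", (128, 8192): "Windows", (255, 4128): "Cisco IOS"}
# Constructed event-type -> IOC tag mapping; other event types are not IOC signals.
IOC_RULES = {"malware": "Malware Detected", "intrusion": "Intrusion Event"}

def _new_host():
    return {"os": "unknown", "open_ports": set(), "ioc": []}

def build_host_map(packets):
    """Passively derive hosts, OS guesses and open ports from packet headers.
    A packet is a dict with src, ttl, win, sport, flags ('S' = SYN, 'SA' = SYN/ACK)."""
    hosts = defaultdict(_new_host)
    for p in packets:
        h = hosts[p["src"]]  # any observed packet makes its source a known host
        # TTL is decremented per hop, so round up to the nearest common initial
        # TTL (64/128/255) before matching against the fingerprint table.
        init_ttl = next((t for t in (64, 128, 255) if p["ttl"] <= t), 255)
        h["os"] = FINGERPRINTS.get((init_ttl, p["win"]), h["os"])
        if p["flags"] == "SA":  # SYN/ACK reply: the source port is a listening service
            h["open_ports"].add(p["sport"])
    return dict(hosts)

def tag_iocs(hosts, events):
    """Attach one IOC tag per distinct matching rule to the host named in each event."""
    for e in events:
        tag = IOC_RULES.get(e["type"])
        if tag is not None:
            h = hosts.setdefault(e["host"], _new_host())  # events may name unseen hosts
            if tag not in h["ioc"]:
                h["ioc"].append(tag)
    return hosts

# Constructed sample traffic and events.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "ttl": 63, "win": 65535, "sport": 40000, "flags": "S"},
    {"src": "10.0.0.9", "ttl": 127, "win": 8192, "sport": 80, "flags": "SA"},
    {"src": "10.0.0.9", "ttl": 127, "win": 8192, "sport": 443, "flags": "SA"},
    {"src": "10.0.0.1", "ttl": 254, "win": 4128, "sport": 22, "flags": "SA"},
]
SAMPLE_EVENTS = [
    {"host": "10.0.0.9", "type": "malware"},
    {"host": "10.0.0.9", "type": "intrusion"},
    {"host": "10.0.0.9", "type": "malware"},  # duplicate: must not produce a second tag
    {"host": "10.0.0.5", "type": "connection"},
]

def discover(packets=SAMPLE_PACKETS, events=SAMPLE_EVENTS):
    """Full pipeline: passive host map, then IOC correlation."""
    return tag_iocs(build_host_map(packets), events)
```

Calling `discover()` returns the host map: 10.0.0.9 is fingerprinted as Windows with ports 80 and 443 open and carries both IOC tags, while 10.0.0.5 only ever sent a SYN, so it has no open ports and no tag.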