Cisco Identity Services Engine 1.3 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
| Probe | Default ISE Setting | Main Attributes Collected |
|---|---|---|
| | | FQDN, Class ID, User class ID, Parameter request list |
| HTTP | Disabled | User agent |
| DNS | Disabled | FQDN |
| Nmap | Enabled | Common ports, Operating system |
| Nmap >> SNMP query | (Depends on scan action) | System name, System description, System contact, System location, HR device description |
| NetFlow | Disabled | Source IP address, Source port, Destination IP address, Destination port, Protocol |
| ACIDEX | Enabled (through RADIUS) | Device platform, Device platform version, Device type |
| Device Sensor | Enabled (through RADIUS) | MAC address, IP address, CDP, LLDP, mDNS, SIP, H.323 |

When deciding how best to classify devices using profiling, it is important to understand the basic characteristics of the device being profiled and the types of data it is capable of exposing to the network. This information will help determine which probes and collection methods are most appropriate for classifying the device. Common questions include:
● Is the device statically or dynamically assigned an IP address? If statically, is it possible to use DHCP reservations to assign a specific address while also collecting profiling data?
● Is it acceptable to actively scan the endpoint using Nmap, or could such a scan adversely affect the host?
● Does the device have a deterministic hostname format? Does the device have a DNS entry with a specific naming convention?
● Does the device have predictable traffic patterns? (For example, does a nurse’s workstation always communicate to a known set of patient-monitoring devices?)
● Is the device directly connected to the IP network, or is it connected through another serial or wireless gateway device? In both cases, it is necessary to profile the controller device rather than the actual medical device.