Cisco Identity Services Engine 1.0.4 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 14 of 27
Nmap Probe
The Network Scan probe is based on the open source “network mapper,” or Nmap. Over many years of community
contribution, Nmap has expanded and matured into a powerful scanning and endpoint enumeration tool.
The Nmap probe is commonly used to detect open ports that indicate the presence of specific applications and
services and to detect operating systems. ISE also uses this probe to determine whether the host is running an
SNMP agent. If so, additional SNMP queries can be sent to collect more details about the endpoint. (For more
information on SNMP query data collection, refer to the SNMPQUERY section under SNMP Probe.)
The main attributes gathered from the Network Scan (Nmap) probe are:
● Common ports (including 16 UDP ports and 18 TCP ports, fixed)
● Operating system
● SNMP endpoint query attributes (see the section on SNMPQUERY probes)
The Nmap Probe is enabled by default.
Caution: Depending on the endpoints to be profiled, some healthcare organizations may prohibit the use of an
active scanning tool against medical devices. Due to the critical nature of some clinical endpoints and the fact that
many are not updated on a regular basis, there is some concern that the scan may trigger a service disruption or
even device failure.
Other devices that provide an ancillary or supporting role such as Windows or Linux workstations may be
acceptable candidates for an Nmap scan.
Best practice: Review the risks and potential benefits of permitting an active Nmap scan against healthcare
endpoints.
NetFlow Probe
NetFlow is a protocol designed by Cisco. It is widely implemented across the industry in routers, switches,
and other network devices to monitor the type of traffic sent to and from various hosts on the network. It is an
extremely powerful tool for the collection and analysis of network traffic.
The NetFlow probe allows ISE to collect and make policy rules based on this flow data. The other probes
discussed to this point rely mostly on information originated by the endpoint. In contrast, the NetFlow probe is able
to learn the actual traffic patterns of the endpoint. This capability uniquely allows ISE to classify endpoints based
on behavior, not on attributes of the endpoint itself.
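The behavior-based classification described above, as an added illustration that is not ISE's own logic or code: it aggregates constructed flow records per source endpoint into a traffic fingerprint and applies a constructed rule. The monitoring subnet, the tcp/5000 port and the profile names are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (src_ip, dst_ip, proto, dst_port, packets).
# They mimic NetFlow v5 key fields but are not a real export.
FLOWS = [
    ("10.20.5.17", "10.20.9.2", "tcp", 5000, 140),
    ("10.20.5.17", "10.20.9.2", "tcp", 5000, 132),
    ("10.20.5.17", "10.20.9.3", "udp", 123, 4),
    ("10.20.5.42", "10.20.9.2", "tcp", 5000, 150),
    ("10.20.5.42", "10.20.1.10", "tcp", 443, 20),
    ("10.20.7.8", "172.16.0.5", "tcp", 443, 900),
    ("10.20.7.8", "10.20.1.10", "udp", 53, 30),
    ("10.20.7.9", "10.20.1.10", "udp", 53, 12),
]

MONITORING_NET = ip_network("10.20.9.0/24")  # assumed clinical monitoring subnet


def fingerprint(flows):
    """Aggregate flows per source endpoint into a behavioral fingerprint:
    packet totals keyed by (proto, dst_port, dst_in_monitoring_subnet)."""
    fp = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, dport, pkts in flows:
        in_mon = ip_address(dst) in MONITORING_NET
        fp[src][(proto, dport, in_mon)] += pkts
    return fp


def classify(fp_entry, min_packets=100):
    """Constructed rule, not an ISE profiling policy: an endpoint whose
    traffic is tcp/5000 into the monitoring subnet and that never speaks
    HTTP(S) is tagged as an infusion pump. An endpoint that browses the web
    is a workstation even if it also reaches the monitoring subnet, which
    keeps a general-purpose host from inheriting a medical-device profile."""
    mon_pkts = fp_entry.get(("tcp", 5000, True), 0)
    web = any(p == "tcp" and d in (80, 443) for (p, d, _) in fp_entry)
    if web:
        return "Workstation"
    if mon_pkts >= min_packets:
        return "Infusion-Pump"
    return "Unknown"


def profile_endpoints(flows):
    """Map each source endpoint seen in the flows to a profile name."""
    return {src: classify(entry) for src, entry in fingerprint(flows).items()}
```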
The NetFlow probe has a number of critical benefits in the healthcare environment, including:
● Profiling of endpoints that cannot be identified with traditional profiling methods. For example, a
monitoring station for infusion pumps may run on a general-purpose hardware platform and operating
system kernel. In such cases, only a generic profile, if any, is possible. A lack of DHCP, DNS, and Nmap
data further limits what can be gleaned from the endpoint. Tracking network communications to infusion
pumps on specific ports offers a traffic fingerprint of the device.
● Increased profiling fidelity to complement data acquired through traditional methods. For example,
an infusion pump may be detected by a unique MAC address (OUI), but its communication to a monitoring