Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1997
Views
3
Helpful
5
Replies

NGIPS - How Host Detection works (Terminal Server)

roesch4alc
Level 1
Level 1

‎10-27-2015 08:43 AM

Hello,

I already postet my question in the Cisco support forum, perhaps somebody here has the answer to my question.

Hi,

I´m interested in the Sourcefire products, especially the Firepower modules for Cisco ASA Next Gen Firewalls. Now there are a lot of interesting features that firepower offers.

Im especially interested in, how firepower determines the host attributes? I think the sourcefire terminology was Sourcefire RNA (Real-time Network Awareness). As this sheet (http://www.clm.com.br/produtos/cisco/pdf/Sourcefire-RNA-Fact-Sheet.pdf) states, there are no agents necessary on the hosts in the network!!!  The most other solutions like palo alto needs agents on the main servers and thus the central engine is dependent on piece of software that works at layer 7. If cisco/sourcefire can do all this with just analysing network packets, I think its the absolutely selling argument.

My questions:

1.) How does firepower recognize the operating systems, user etc.?

2.) Can it distinguish between users on a terminal server????

3.) How does a Cisco NextGen Firewall with Firepower recognize the operating system from a network host? What information about a host can be discovered without an agent on a client? So what for data from a rogue client can be gathered? Where can I find the best information about that?

Thanks!

Labels:
5 Replies 5

wbalanqu
Level 1
Level 1

‎10-28-2015 08:01 AM

Hi Sebastian,

Cisco’s Firepower solution has multiple components in terms of discovery – Host Discovery, Application Identification and User Discovery. The solution first identifies the OS, protocols and services that run on each host. It then reports potential vulnerabilities that are present on each host based on the information gathered. It uses OpenAppID to identify over 1900 unique applications including applications that run over web services i.e. Facebook, LinkedIn etc. For user discovery, it is configured to monitor user ID’s real time while services are in use. It is also integrated with MS AD to commandingly identify users. You also have the option to fine-tune your IPS policies and select rules and preprocessor configs that applies to your network’s environment. Alerting can be customized through email, syslog, eStreamer, or SNMP. You can check on these links below for you to know more about the product.

Hope this helps,

Tony

0 Helpful

roesch4alc
Level 1
Level 1
In response to wbalanqu

‎11-09-2015 08:20 AM

Hello Tony,

that are good links, useful information. Thanks.

Perhaps you can tell me also sth. about information regarding the Clustering of ASA´s with Firepower. I want to create a cluster wih 2 Firewalls an the questions is, how the licensing behaves. I found information to my question (http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/guide-c07-732249.html#_Toc415177142), but I didn´t understand it 100%.

Product High-Availability Configurations

Type 1: Sensor Clustering for High Availability

   If the customer wants high availability for sensors, two appliances are required.

   Appliances must be of the same model and generation.

   Both appliances must be identically licensed and have the same support.

   Licenses will be applied to the same primary Cisco FireSIGHT Management Center that manages the high-availability pair.

Does it really mean, that I need the licenses 2 times for each ASA??? It´s only a active/standby cluster.

Best Regards

Sebastian

0 Helpful

wbalanqu
Level 1
Level 1
In response to roesch4alc

‎11-11-2015 01:59 PM

Does it really mean, that I need the licenses 2 times for each ASA??? It´s only a active/standby cluster.

Hi Sebastian,

Yes, both ASA's must be of the same model and have the type of Licenses on them.

Tony

Note: Virtual Appliance does not support high availability and clustering.

0 Helpful

csco11552159
Level 5
Level 5

‎11-03-2015 06:05 PM

So far as I know they couldn't. Most vendors have a terminal server agent to collect users login info with assigned port range.

But sourcefire doesnt have it. We were asking this feature too. However, they dont have.

0 Helpful

roesch4alc
Level 1
Level 1
In response to csco11552159

‎11-09-2015 08:24 AM

Hello Chao,

thanks for that. But thats a pitty, I´ve rellay thought, that Sourcefire is able to handle that. Otherwise there are some competitors, that can do that. For example palo alto can and also sophos will be able to do it with their new system....

@Tony: Do you know, if there are any plans to implement that important feature?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card