cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2207
Views
3
Helpful
5
Replies

NGIPS - How Host Detection works (Terminal Server)

roesch4alc
Level 1
Level 1

Hello,

I already postet my question in the Cisco support forum, perhaps somebody here has the answer to my question.

Hi,

I´m interested in the Sourcefire products, especially the Firepower modules for Cisco ASA Next Gen Firewalls. Now there are a lot of interesting features that firepower offers.

Im especially interested in, how firepower determines the host attributes? I think the sourcefire terminology was Sourcefire RNA (Real-time Network Awareness). As this sheet (http://www.clm.com.br/produtos/cisco/pdf/Sourcefire-RNA-Fact-Sheet.pdf) states, there are no agents necessary on the hosts in the network!!!  The most other solutions like palo alto needs agents on the main servers and thus the central engine is dependent on piece of software that works at layer 7. If cisco/sourcefire can do all this with just analysing network packets, I think its the absolutely selling argument.

My questions:

1.) How does firepower recognize the operating systems, user etc.?

2.) Can it distinguish between users on a terminal server????

3.) How does a Cisco NextGen Firewall with Firepower recognize the operating system from a network host? What information about a host can be discovered without an agent on a client? So what for data from a rogue client can be gathered? Where can I find the best information about that?

Thanks!

5 Replies 5

wbalanqu
Level 1
Level 1

Hi Sebastian,

Cisco’s Firepower solution has multiple components in terms of discovery – Host Discovery, Application Identification and User Discovery. The solution first identifies the OS, protocols and services that run on each host. It then reports potential vulnerabilities that are present on each host based on the information gathered. It uses OpenAppID to identify over 1900 unique applications including applications that run over web services i.e. Facebook, LinkedIn etc. For user discovery, it is configured to monitor user ID’s real time while services are in use. It is also integrated with MS AD to commandingly identify users. You also have the option to fine-tune your IPS policies and select rules and preprocessor configs that applies to your network’s environment. Alerting can be customized through email, syslog, eStreamer, or SNMP. You can check on these links below for you to know more about the product.

Hope this helps,

Tony

Hello Tony,

that are good links, useful information. Thanks.

Perhaps you can tell me also sth. about information regarding the Clustering of ASA´s with Firepower. I want to create a cluster wih 2 Firewalls an the questions is, how the licensing behaves. I found information to my question (http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/guide-c07-732249.html#_Toc415177142), but I didn´t understand it 100%.

Product High-Availability Configurations

Type 1: Sensor Clustering for High Availability

   If the customer wants high availability for sensors, two appliances are required.

   Appliances must be of the same model and generation.

   Both appliances must be identically licensed and have the same support.

   Licenses will be applied to the same primary Cisco FireSIGHT Management Center that manages the high-availability pair.

Does it really mean, that I need the licenses 2 times for each ASA??? It´s only a active/standby cluster.

Best Regards

Sebastian

Does it really mean, that I need the licenses 2 times for each ASA??? It´s only a active/standby cluster.

Hi Sebastian,

Yes, both ASA's must be of the same model and have the type of Licenses on them.

Tony

Note: Virtual Appliance does not support high availability and clustering.

csco11552159
Level 5
Level 5

So far as I know they couldn't. Most vendors have a terminal server agent to collect users login info with assigned port range.

But sourcefire doesnt have it. We were asking this feature too. However, they dont have.

Hello Chao,

thanks for that. But thats a pitty, I´ve rellay thought, that Sourcefire is able to handle that. Otherwise there are some competitors, that can do that. For example palo alto can and also sophos will be able to do it with their new system....

@Tony: Do you know, if there are any plans to implement that important feature?

Review Cisco Networking for a $25 gift card