You need to perform network discovery in order for FireSight to know which hosts or networks to protect. The Default network discovery action is to perform Network discovery only, which can be found under Policies > Access Control. By default, all network and application are inspected, specified by the network ::/0, and this can be found under Policy > Network Discovery
You specify the internal network you want to discover under Object > Individual Object > Add Network. Don't specify any external network (Internet) to avoid overwhelming the FireSight database.
You can then modify the network discovery policy under Policy >Networks > click the pencil icon on 0.0.0.0/0 > Edit Rule > click on the newly created object (Private Networks) then click Add > Click Save and click Apply (beside the check icon).
FireSight can do fingerprint on well-known OS. If it's not supported, you can manually create your own custom OS fingerprint by going to Policies > Network Discovery > Custom Operating System > click Create Custom Fingerprint.
You can create or customize your network topology by clicking on Policies > Network Discovery > Custom Topology > Create Topology. This helps put labels on topology tree for easy identification in FireSight.
You can add more networks to your topology by clicking on Add Network and then Save.
Once the networks (or subnet) are added, you enable the topology by clicking on the gray icon (put a check and make it blue) beside the edit (pencil) icon.
Some additional post settings you can enable on FireSight and one of them is to capture server banner which is under Policies > Network Discovery > Advanced > Capture Banner.
Next, you can choose between Active (from Nmap scan) and Passive (gathered from host/network traffic) network discovery output if FireSight detects an identity conflict.
Once all network discovery settings are complete, click Apply for FireSight to start performing the network discovery.
You specify the internal network you want to discover under Object > Individual Object > Add Network. Don't specify any external network (Internet) to avoid overwhelming the FireSight database.
You can then modify the network discovery policy under Policy >Networks > click the pencil icon on 0.0.0.0/0 > Edit Rule > click on the newly created object (Private Networks) then click Add > Click Save and click Apply (beside the check icon).
FireSight can do fingerprint on well-known OS. If it's not supported, you can manually create your own custom OS fingerprint by going to Policies > Network Discovery > Custom Operating System > click Create Custom Fingerprint.
You can create or customize your network topology by clicking on Policies > Network Discovery > Custom Topology > Create Topology. This helps put labels on topology tree for easy identification in FireSight.
You can add more networks to your topology by clicking on Add Network and then Save.
Once the networks (or subnet) are added, you enable the topology by clicking on the gray icon (put a check and make it blue) beside the edit (pencil) icon.
Some additional post settings you can enable on FireSight and one of them is to capture server banner which is under Policies > Network Discovery > Advanced > Capture Banner.
Next, you can choose between Active (from Nmap scan) and Passive (gathered from host/network traffic) network discovery output if FireSight detects an identity conflict.
Once all network discovery settings are complete, click Apply for FireSight to start performing the network discovery.
No comments:
Post a Comment