Best Practices for Network Discovery – Cisco Network Discovery Policy
A network discovery policy enables Secure Firewall to discover applications, hosts, and users in a network. A threat defense discovers a network passively; it does not directly affect the traffic flow. However, to ensure optimal performance, consider the following best practices when you enable network discovery:
- Keep the VDB version up to date. Installing the latest version ensures detection of the latest software and applications, with more precise version information.
Figure 9-3 shows the current VDB version on the Help > About page. This page also confirms the versions of all the software components running on the management center.
Figure 9-3 Current VDB Version on a Management Center
- By default, the management center comes with an application discovery rule that uses 0.0.0.0/0 and ::/0 as its network addresses. These addresses enable Secure Firewall to discover applications on any observed network. Snort leverages this application discovery data for intrusion detection and prevention by detecting the service metadata of a packet.
- When you add a custom rule for host and user discovery, include only the network addresses you own, such as the private IP addresses of your organization (see RFC 1918). Do not add the network addresses 0.0.0.0/0 or ::/0 to a host and user discovery rule, because they encompass every subnet on the Internet. Attempting to discover host and user data from all Internet traffic can deplete the host and user licenses quickly. Likewise, excessive user discovery and host profile data can fill the management center database rapidly. As the threat defense continues to discover new hosts from the Internet, the management center accommodates the new data by dropping the older discovery events and their host profiles from the database. This continuous churn can eventually impact management center database performance. Therefore, always limit the scope of your discovery policy to your internal network.
- Exclude the IP addresses of any NAT and load-balancing devices from the list of monitored networks. These devices hide the computers running behind them, which leads a threat defense to generate excessive discovery events, depending on the operating systems and applications running on the hosts behind the device. Excluding NAT and load-balancing IP addresses can improve threat defense performance.
Figure 9-4 shows the positions of two types of intermediate devices—a router and a load balancer—that can each represent multiple network hosts.
Figure 9-4 NAT Device (Router) and Load-Balancer Interface Representing Multiple Hosts
- You can also exclude a port from being monitored if you are certain which service runs on it. Doing so reduces the number of discovery events for known ports and services.
- Avoid creating overlapping rules that include the same hosts multiple times, because doing so degrades performance.
- Deploy the threat defense as close as possible to the hosts. The lower the hop count between a threat defense and a host, the faster the threat defense detects the host, and with a higher confidence value.
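A policy linter that checks a candidate rule set against the practices above, written here as an added example; it is not Cisco's code and does not use the management center API. The DiscoveryRule structure, its field names, and the sample policy are assumptions for illustration. It flags host/user rules on 0.0.0.0/0 or ::/0, host/user networks outside RFC 1918 space, nested (overlapping) host/user networks, and NAT or load-balancer addresses that no exclude rule covers.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges (IPv6 ULA space is deliberately not checked here).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CATCH_ALL = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}

@dataclass
class DiscoveryRule:        # assumed, simplified rule shape; not the management center schema
    action: str             # "discover" or "exclude"
    networks: list          # CIDR strings
    discover: tuple = ()    # any of "hosts", "users", "applications"

def lint_policy(rules, nat_or_lb_addresses=()):
    """Return a list of best-practice findings for the given rule list (empty = clean)."""
    findings = []
    excluded = [ipaddress.ip_network(n, strict=False)
                for r in rules if r.action == "exclude" for n in r.networks]
    seen = []  # (rule index, network) of host/user discovery networks, for overlap detection
    for i, r in enumerate(rules):
        if r.action != "discover" or not ({"hosts", "users"} & set(r.discover)):
            continue  # application-only rules may legitimately use 0.0.0.0/0 and ::/0
        for cidr in r.networks:
            net = ipaddress.ip_network(cidr, strict=False)
            if net in CATCH_ALL:
                findings.append(f"rule {i}: host/user discovery on catch-all {net} "
                                "covers the whole Internet and drains host/user licenses")
                continue
            if net.version == 4 and not any(net.subnet_of(p) for p in PRIVATE):
                findings.append(f"rule {i}: host/user discovery on {net}, "
                                "which is outside RFC 1918 private space")
            for j, other in seen:
                if other.version == net.version and (net.subnet_of(other) or other.subnet_of(net)):
                    findings.append(f"rule {i}: {net} overlaps rule {j} ({other}); "
                                    "the same hosts would be discovered twice")
            seen.append((i, net))
    for addr in nat_or_lb_addresses:  # every NAT/LB address should fall under an exclude rule
        ip = ipaddress.ip_address(addr)
        if not any(ip in e for e in excluded):
            findings.append(f"NAT/load-balancer address {addr} is not excluded from monitoring")
    return findings

# Constructed sample policy: the default application rule plus several common mistakes.
EXAMPLE_RULES = [
    DiscoveryRule("discover", ["0.0.0.0/0", "::/0"], ("applications",)),
    DiscoveryRule("discover", ["10.0.0.0/8", "192.168.0.0/16"], ("hosts", "users", "applications")),
    DiscoveryRule("discover", ["10.20.0.0/16", "203.0.113.0/24"], ("hosts",)),
    DiscoveryRule("discover", ["0.0.0.0/0"], ("hosts", "users")),
    DiscoveryRule("exclude", ["10.0.0.1/32"]),
]
EXAMPLE_NAT_LB = ["10.0.0.1", "10.0.0.2"]  # constructed NAT router and load-balancer addresses
```

Running `lint_policy(EXAMPLE_RULES, EXAMPLE_NAT_LB)` reports the nested 10.20.0.0/16 rule, the non-private 203.0.113.0/24 network, the catch-all host/user rule, and the load balancer at 10.0.0.2 that no exclude rule covers.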