Firepower 8000 Series Hardware Installation Guide
Chapter 6 Deploying Firepower Managed Devices
Complex Network Deployments
Multiple management interfaces are supported in a NAT environment provided you do not use separate management interfaces for traffic channels. See Deploying on a Management Network, page 5-1, for more information. Note that Lights-Out Management is supported only on the default management interface, not on additional management interfaces.
After you install your Firepower Management Center, you configure multiple management interfaces using the web interface. See Configuring Appliance Settings in the Firepower Management Center Configuration Guide for more information.
Integrating Managed Devices within Complex Networks
You can deploy managed devices in more complex network topologies than a simple multi-sector network. This section describes the issues surrounding network discovery and vulnerability analysis when deploying in environments where proxy servers, NAT devices, and VPNs exist, and provides information about using the Firepower Management Center to manage multiple managed devices and about the deployment and management of managed devices in a multi-site environment.
Integrating with Proxy Servers and NAT
Network address translation (NAT) devices or software may be employed across a firewall, effectively hiding the IP addresses of internal hosts behind the firewall. If managed devices are placed on the far side of these devices or software from the hosts being monitored, the traffic they inspect has already been translated: every internal host appears to come from the proxy or NAT device's address, and the system may incorrectly identify the hosts behind the proxy or NAT device, or fold several of them into a single host profile. In this case, Cisco recommends that you position managed devices inside the network segment protected by the proxy or NAT device, where the untranslated addresses are visible, to ensure that hosts are correctly detected.
Integrating with Load Balancing Methods
In some network environments, "server farm" configurations are used to perform network load balancing for services such as web hosting, FTP storage sites, and so on. In load balancing environments, a single IP address is shared by two or more hosts that may run different operating systems. In this case, the system detects the operating system changes and cannot deliver a static operating system identification with a high confidence value. Depending on the number of different operating systems on the affected hosts, the system may generate a large number of operating system change events or present a static operating system identification with a lower confidence value.
Other Detection Considerations
If an alteration has been made to the TCP/IP stack of the host being identified, the system may not be able to accurately identify the host operating system, because passive identification relies on stack characteristics (such as the TCP window size) matching a known fingerprint. In some cases, this is done to improve performance. For instance, administrators of Windows hosts running the Internet Information Services (IIS) Web Server are encouraged to increase the TCP window size to allow larger amounts of data to be received, thereby improving performance. In other instances, TCP/IP stack alteration may be used to obfuscate the true operating system to preclude accurate identification and avoid targeted attacks. The scenario this is intended to address is one where an attacker conducts a reconnaissance scan of a network to identify hosts with a given operating system, followed by a targeted attack on those hosts with an exploit specific to that operating system.
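The three detection problems above (a sensor that sees only NAT-translated addresses, a load-balanced address answered by different operating systems, and a host whose TCP window has been tuned) all come down to the same mechanism: passive discovery keys host profiles on the source address it observes and matches stack characteristics against a signature table. The following toy model, added here as an illustration and not Firepower's own code, signature database or algorithm, shows how each case degrades the result. The signature values, addresses and SYN observations are constructed for the example; a real fingerprint database uses far more fields than initial TTL and window size.

```python
# Toy passive OS fingerprinter illustrating why sensor placement matters.
# Added example only; not Firepower code, signatures or scoring logic.
from collections import Counter, defaultdict

# Constructed, illustrative signatures keyed on (initial TTL, TCP window size).
SIGNATURES = {
    (64, 29200): "Linux",
    (64, 65535): "FreeBSD",
    (128, 8192): "Windows",
}
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed_ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def fingerprint(ttl, window):
    """Map one SYN's TTL and window size to an OS label, or 'unknown'."""
    return SIGNATURES.get((initial_ttl(ttl), window), "unknown")


def profile_hosts(syns):
    """Build per-IP host profiles from (src_ip, ttl, window) SYN observations.

    Returns {ip: {"os": label, "confidence": 0..1, "change_events": n}}:
    confidence is the share of observations agreeing with the majority label,
    change_events counts consecutive observations whose label differed.
    """
    history = defaultdict(list)
    for src_ip, ttl, window in syns:
        history[src_ip].append(fingerprint(ttl, window))
    profiles = {}
    for ip, labels in history.items():
        label, hits = Counter(labels).most_common(1)[0]
        changes = sum(1 for a, b in zip(labels, labels[1:]) if a != b)
        profiles[ip] = {"os": label, "confidence": hits / len(labels),
                        "change_events": changes}
    return profiles


def nat_rewrite(syns, public_ip):
    """Simulate a NAT hop: every flow leaves with the public address, TTL one less."""
    return [(public_ip, ttl - 1, window) for _, ttl, window in syns]


# Constructed traffic: three internal hosts, two SYNs each.
INSIDE_SYNS = [
    ("10.0.0.11", 64, 29200), ("10.0.0.11", 64, 29200),   # Linux
    ("10.0.0.12", 128, 8192), ("10.0.0.12", 128, 8192),   # Windows
    ("10.0.0.13", 64, 65535), ("10.0.0.13", 64, 65535),   # FreeBSD
]


def inside_placement():
    """Sensor inside the NAT boundary: distinct addresses, stable profiles."""
    return profile_hosts(INSIDE_SYNS)


def outside_placement():
    """Sensor outside the NAT boundary: one address, conflicting fingerprints."""
    return profile_hosts(nat_rewrite(INSIDE_SYNS, "203.0.113.10"))


def load_balanced_vip():
    """A VIP answered alternately by a Linux and a Windows backend."""
    vip = [("192.0.2.80", 64, 29200), ("192.0.2.80", 128, 8192)] * 3
    return profile_hosts(vip)


def tuned_iis_host():
    """Windows host whose TCP window was raised for IIS throughput."""
    return profile_hosts([("10.0.0.20", 128, 65535)] * 2)


if __name__ == "__main__":
    for name, fn in [("inside", inside_placement), ("outside NAT", outside_placement),
                     ("load-balanced VIP", load_balanced_vip), ("tuned IIS", tuned_iis_host)]:
        print(name, fn())
```

Run as a script, the inside placement yields three hosts each identified with confidence 1.0 and no change events; moving the sensor outside the NAT collapses them into one host at 203.0.113.10 with a confidence of one third and two OS change events; the load-balanced address flaps on every observation (confidence 0.5, five change events); and the IIS host with the enlarged window matches nothing and is reported as unknown.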