User Detection Fundamentals
You can use your identity policies to monitor user activity on your network, which allows you to correlate threat, endpoint, and network intelligence with user identity information. By linking network behavior, traffic, and events directly to individual users, the system can help you to identify the source of policy breaches, attacks, or network vulnerabilities. For example, you could determine:
- who owns the host targeted by an intrusion event that has a Vulnerable (level 1: red) impact level
- who initiated an internal attack or portscan
- who is attempting unauthorized access of a server that has high host criticality
- who is consuming an unreasonable amount of bandwidth
- who has not applied critical operating system updates
- who is using instant messaging software or peer-to-peer file-sharing applications in violation of company IT policy
Armed with this information, you can use other features of the ASA FirePOWER module to mitigate risk, perform access control, and take action to protect others from disruption. These capabilities also significantly improve audit controls and enhance regulatory compliance.
After you configure user identity sources, you can perform user awareness and user control.
The ability to view and analyze user data
The ability to configure user access control rule conditions to block users or user activity in traffic on your network, based on conclusions you drew from user awareness.
You can obtain user data from authoritative identity sources (referenced by your identity policy).
An identity source is authoritative if a trusted server validated the user login. You can use the data obtained from authoritative logins to perform user awareness and user control. Authoritative user logins are obtained from passive and active authentications:
- Passive authentications occur when a user authenticates through an external server. The User Agent and ISE/ISE-PIC are the only passive authentication methods supported by the ASA FirePOWER module.
- Active authentications occur when a user authenticates through a Firepower device. Captive portal is the only active authentication method supported by the ASA FirePOWER module.
The following table provides a brief overview of the user identity sources supported by the ASA FirePOWER module.
Consider the following when selecting identity sources to deploy:
- you must use captive portal to record failed authentication activity. A failed authentication attempt does not add a new user to the list of users in the database.
- you must deploy an appliance that has an IP address for its sensing interface (for example, a routed interface) in order to use captive portal.
User Identity Deployments
When the system detects user data from a user login, from any identity source, the user from the login is checked against the list of users in the user database. If the login user matches an existing user, the data from the login is assigned to the user. Logins that do not match existing users cause a new user to be created, unless the login is in SMTP traffic. Non-matching logins in SMTP traffic are discarded.
The User Activity Database
The user activity database on the device contains records of user activity on your network reported by all of your configured identity sources. The system logs events in the following circumstances:
- when it detects individual logins or logoffs
- when it detects a new user
- when you manually delete a user
- when the system detects a user that is not in the database, but cannot add the user because you have reached your user limit
The Users Database
The users database contains a record for each user reported by your configured identity sources.
The total number of users the device can store depends on the model. When the limit has been reached, you must delete users (manually or with a database purge) to allow new users to be added.
If an identity source is configured to exclude specific user names, user activity data for those user names are not reported to the ASA FirePOWER module. These excluded user names remain in the database, but are not associated with IP addresses.
Current User Identities
When the system detects multiple logins to the same host by different users, the system assumes that only one user is logged into any given host at a time, and that the current user of a host is the last authoritative user login. If multiple users are logged in through remote sessions, the last user reported by the server is the user reported to the ASA FirePOWER module.
When the system detects multiple logins to the same host by the same user, the system records the first time that a user logs into a specific host and disregards subsequent logins. If an individual user is the only person who logs into a specific host, the only login that the system records is the original login.
If another user logs into that host, however, the system records the new login. Then, if the original user logs in again, his or her new login is recorded.