Whats the difference between SIMS and CS-MARS?

Unanswered Question
Jul 22nd, 2007
User Badges:

What is the essential difference between the two(except one is from netForensics (OEM) and one's from Protego networks)?

On what basis a selection amongst the two products shall be made on a real deployment?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
mhellman Mon, 07/23/2007 - 06:22
User Badges:
  • Blue, 1500 points or more

We used netforensics before switching to MARS a few years back. It's been quite a while now and netforensics surely has changed some since, so bear that in mind when reading these comments. When it comes right down to it, we found COST to be our primary motivation for moving. It is unlikely that we would have been able to budget for the licenses to collect events from the 250+ devices we have configured today in MARS.

Netforensics licensing is "by device". The licensing is further broken down using different classes of devices. For example, Intrusion prevention sensors used to be category 1 or 2 and desktops were category 3. Category 1 is the most expensive license, category 3 the least expensive.

Netforensics uses added-on components to support correlation and incident response. You will have to purchase them separately.

So when you're pricing out the two, be sure to include all the device licenses you think you'll ever need and also include at least the correlation add-on module. Without correlation in netforensics, you'd really be at a disadvantage when compared to MARS.

I'll mention a couple less objective differences (i.e. IMHO):

Netforensics has better reporting device support. It supports more devices and it supports them better. The classic example is Cisco's own NIDS products. MARS only gets updates ~12 weeks. Netforensics was more like ~2 weeks. MARS is very weak in this regard. Don't assume that because MARS says it supports product XYZ that it supports the latest version of product XYZ...check the versions.

Netforensics will not support as many events per second as MARS without considerable tuning. Perhaps if you installed it on one of these it would: http://www.top500.org/

Netforensics is not an "appliance" product. I think Cisco sells an "appliance-like" version, or used to, but it was not designed that way and I'd bet that it behaves much less like an appliance than MARS. This has its advantages too of course;-)

Netforensics supports failover. Because it's not an appliance, you have much more flexibility when it comes to things like backup and failover.

Netforensics scales extremely well, if you have the money.

Netforensics uses java agents to collect Windows events. I can only say one nice thing about these agents, and that is that when they work, they support encrypted communications. MARS uses Snare, which we've been very happy with but is clear text syslog.

Netforensics uses a java "fat client". It offers more functionality than the browser based MARS client.

You have to have at least one server to install netforensics on to. But, you also have to have an archive server for MARS. The netforensics server will need to be beefy, the MARS archive server will not.

sourabh.naik Mon, 07/23/2007 - 10:15
User Badges:

I appreciate the extensive explanation provided.

So as i understood, NetForensics is a good scalable solution but at the expense of cost.

yogendra.trivedi Mon, 07/23/2007 - 19:37
User Badges:


In my view (I've just started in SIM world):-

1. MARS is a STM (In addition to SIM) device where netforensics is SIM device. So when we need to mitigate the threat MARS is helpful.

2. Currently there is no s/w upgrade path for MARS from GEN1 to GEN2 which means you will have to buy new H/W (which is reqd as its new technology but then it becomes expensive)

3. MARS upgrade gives problems sometimes for e.g. i upgraded recently frm 4.2.6 to 4.2.7 and now reporting is not working, i m working with cisco engineers on the same SR TAC request.Earlier also we had issues after upgrades though few upgraqdes were quite smooth.

4. I do not know whether netforensics is capable of analyzing netflow which may be MARS strongest point. as then MARS has in depth view whats going on in switches/routers etc. Pl correct me if i am not right as i've not worked on netforensics.

to be continued...

mhellman Tue, 07/24/2007 - 06:29
User Badges:
  • Blue, 1500 points or more

MARS as an STM has no value to me. It may for some though so it's a valid differentiator.

The GEN1, GEN2 issue should be irrelevant to a new customer.

Netforensics upgrades are (or were) just as painful as MARS upgrades.

I don't know about Netforensics and netflow. I'm not convinced that netflow has much more value than simply collecting the logs from the default route firewalls. I'm waiting to be convinced though. For some this could be an important differentiator.

mhellman Tue, 07/24/2007 - 06:48
User Badges:
  • Blue, 1500 points or more

Yes, scalable in the sense that you can continue to add as many engines as you need to get the job done. So if a single engine can process 1000 events/sec, you can add a second engine to process 2000 events/sec. 3 engines to support 3000 events/sec (you have to pay for additional engines of course). This is a gross over-simplification, but you get the idea. It scales to as large as you need it to be.

In my experience, you'd have to spend some serious time and money to create a Netforensics environment that can process as many events as even a MARS 100e. I'm sure they would beg to differ though. You might try getting them to commit supporting n number of events per second number given your planned configuration.


This Discussion