We have a partially hosted network with a reasonably inexperienced hosting company. They have a dozen or so moderately sized accounts including us, and they have recently implemented a MARS implementation, which on the face of it sounded like a pretty nice addition.
The way it has been implemented though has me wondering if there is actually any significant use in wanting to use it. They have a private subnet onto which go *all* customers' ASA AIP modules, Cisco IDS boxes etc. (well, less of the etcetera I think) and the MARS appliance. For us this will encompass two pairs of ASAs, so two active AIPs at a given time.
Our hosted network also contained a Nokia Checkpoint cluster, a couple of 3745s, a PIX 515e pair, a PIX 525 pair, 4 Catalyst 3560s, 4 Catalyst 2950s, F5 Networks LTM/GTM/ASM, and of course the two ASA pairs themselves. We then have a WAN, and then just about all the same again in a network which we run for ourselves. All of these devices are connected to a different network and have no route to the MARS platform.
So, looking over what MARS can do, only connecting 2 IPSs to it is really missing out on about 80% of the potential of the boxes, and all you'll get out of it is some event suppression, a smidge of correlation, and that's about it. And as this is effectively out of band, it then only exists on one plasma screen in the operations area.
Seems like they've shot themselves in the foot to me... Should we avoid using it and instead keep the direct manageability and clarity of being able to see the actual traps in our estate-wide monitoring systems, which all the other devices are already connected to just fine? We can easily watch SNMP traps with other systems...
I would have to second what you are feeling. Our current implementation makes the device virtually useless.
As it stands now, it merely logs the IPS alerts and tries to determine false positives. Even then, I think it's questionable how efficiently the device can determine false positives. In my opinion, it doesn't deliver a lot of what I was hoping for from the system: I would really like to see an overall alert view like VMS has, where you can view every alert for the day, color coded, and call me old-fashioned but I would be just a little hesitant to let this device start putting arbitrary ACLs and other configuration changes onto live devices. Of course, I'm not responsible for administering an entire network, so maybe this is a great feature that I cannot fully realize.
There are a couple of things worth noting, however: From my standpoint, it offers me nothing, since I don't have administrative access on the system even if I wanted to make use of the configuration abilities. I haven't taken any courses or examinations involving MARS, so it could be a wonderfully powerful device that I can't utilize without the proper training.
Just my two cents,
If you are just using MARS to view the sensor data, I wouldn't waste my time. However, if you put the switches, firewalls, etc. on the MARS, then it is a good solution. The primary advantage of the MARS (in my opinion) can only be realized if you have all your devices sending syslogs, administrative access enabled, etc.
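The point the last two replies make (IPS-only feeds give you little beyond alert logging, while firewall syslogs let the correlator tell whether an attack actually reached its target) can be shown with a small added example. This is illustration code written for this thread, not MARS's own logic; the ASA syslog lines and IPS alerts are constructed samples, and the message formats assumed are the standard ASA 302013 (connection built) and 106023 (ACL deny) messages.

```python
import re

# Constructed sample IPS alerts (not from the thread): signature id and flow tuple.
IPS_ALERTS = [
    {"sig": "5474", "src": "198.51.100.7", "dst": "10.0.5.20", "dport": 80},
    {"sig": "5474", "src": "198.51.100.9", "dst": "10.0.5.21", "dport": 80},
    {"sig": "3030", "src": "203.0.113.1", "dst": "10.0.5.22", "dport": 22},
]

# Constructed ASA syslog: the first flow was permitted, the second denied,
# and nothing at all was logged for the third (as if that ASA never sent syslog).
ASA_SYSLOG = """\
%ASA-6-302013: Built inbound TCP connection 1234 for outside:198.51.100.7/44321 (198.51.100.7/44321) to dmz:10.0.5.20/80 (10.0.5.20/80)
%ASA-4-106023: Deny tcp src outside:198.51.100.9/50012 dst dmz:10.0.5.21/80 by access-group "outside_in"
"""

BUILT_RE = re.compile(
    r"%ASA-6-302013: Built \w+ TCP connection \d+ for "
    r"[^:\s]+:([\d.]+)/(\d+) \(\S+\) to [^:\s]+:([\d.]+)/(\d+)")
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny tcp src [^:\s]+:([\d.]+)/(\d+) dst [^:\s]+:([\d.]+)/(\d+)")


def parse_asa_syslog(text):
    """Map (src, dst, dport) -> 'built' or 'deny' from ASA connection messages."""
    flows = {}
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            flows[(m.group(1), m.group(3), int(m.group(4)))] = "built"
            continue
        m = DENY_RE.search(line)
        if m:
            flows[(m.group(1), m.group(3), int(m.group(4)))] = "deny"
    return flows


def triage(alert, flows):
    """Rank one IPS alert by what the firewall did with the same flow."""
    verdict = flows.get((alert["src"], alert["dst"], alert["dport"]))
    if verdict == "built":
        return "reached"   # firewall permitted it: worth an analyst's time
    if verdict == "deny":
        return "blocked"   # firewall dropped it: suppress or low priority
    return "unknown"       # no firewall evidence: IPS-only feed, cannot triage


def triage_all(alerts=IPS_ALERTS, syslog=ASA_SYSLOG):
    """Return {signature/src: verdict} for every alert."""
    flows = parse_asa_syslog(syslog)
    return {f"{a['sig']}@{a['src']}": triage(a, flows) for a in alerts}
```

With the two ASAs' syslog on the same collector the first alert is escalated and the second suppressed; with IPS feeds only, every alert ends up as "unknown", which is the situation the original poster describes.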