Wise usage of MARS by hosting company?

Answered Question
Oct 11th, 2007

Hi,

We have a partially hosted network with a reasonably inexperienced hosting company. They have a dozen or so moderately sized accounts including us, and they have recently implemented a MARS implementation, which on the face of it sounded like a pretty nice addition.

The way it has been implemented though has me wondering if there is actually any significant use in wanting to use it. They have a private subnet onto which *all* customers' ASA AIP modules, Cisco IDS boxes, etc. (well, less of the etcetera, I think) and the MARS appliance are connected. For us this will encompass two pairs of ASAs, so two active AIPs at a given time.

Our hosted network also contained a Nokia Checkpoint cluster, a couple of 3745s, a PIX 515e pair, a PIX 525 pair, 4 Catalyst 3560s, 4 Catalyst 2950s, F5 Networks LTM/GTM/ASM, and of course the two ASA pairs themselves. We then have a WAN, and then just about all the same again in a network which we run for ourselves. All of these devices are connected to a different network and have no route to the MARS platform.

So, looking over what MARS can do, only connecting 2 IPSs to it is really missing out on about 80% of the potential of the boxes, and all you'll get out of it is some event suppression, a smidge of correlation, and that's about it. And as this is effectively out of band, it then only exists on one plasma screen in the operations area.

Seems like they've shot themselves in the foot to me... should we avoid using it and instead keep the direct manageability and clarity of being able to see the actual traps in our estate-wide monitoring systems, which all the other devices are already connected to just fine? We can easily watch SNMP traps with other systems...

Thanks

Chris

Correct Answer

If you are just using MARS to view the sensor data, I wouldn't waste my time. However, if you put the switches, firewalls, etc on the MARS, then it is a good solution. The primary advantage for the MARS (in my opinion) can only be realized if you have all your devices sending syslogs, administrative access enabled, etc.

Jay

acid_kewpie Mon, 10/15/2007 - 22:56

Thanks for the response. Since I posted this our hosting company have been getting hotter under the collar about my intention to not use their MARS implementation. They have grave concerns apparently... I just get more convinced with each thing around about what MARS can do but isn't.

It's a great help to see if other people would say that their use of it is reduced beyond the point of a significant benefit over just logging the IPS modules into a product such as Splunk, which would still threshold and alert and such, albeit with no specific understanding of IPS messages.

Thanks

Chris

Correct Answer
RITgrad2008 Tue, 10/16/2007 - 06:36

I would have to second what you are feeling. Our current implementation makes the device virtually useless.

As it stands now, it merely logs the IPS alerts and tries to determine false positives. Even then, I think it's questionable how efficiently the device can determine false positives. In my opinion, it doesn't deliver on a lot of what I was hoping for from the system: I would really like to see an overall alert view like VMS has, where you can view every alert for the day, color coded, and call me old fashioned but I would be just a little hesitant to let this device start putting arbitrary ACLs and other configuration changes onto live devices. Of course, I'm not responsible for administering an entire network, so maybe this is a great feature that I cannot fully realize.

There are a couple of things worth noting, however: from my standpoint, it offers me nothing since I don't have administrative access on the system, even if I wanted to make use of the configuration abilities. I haven't taken any courses or examinations involving MARS, so it could be a wonderfully powerful device that I can't utilize without the proper training.

Just my two cents,

Ryan

acid_kewpie Tue, 10/16/2007 - 12:05

Well, this seems to mirror my thoughts exactly. What you're describing is precisely the architecture we're looking at moving away from (but only from a week or implementation which they (as usual) assumed would happen without asking us). Nominal event logging and visual alerting for 5% of a network doesn't exactly do it for me. We too would have literally no access at all to the system, and any reports would, at best, be generated, copied to a USB memory stick, and then emailed to us... sounds like the dark ages...!

Thanks for the response.

Have you considered segmentation of security events between companies in the MARS appliance? The MARS does not 'segment' events between different organizations (afaik); security events from all hosted companies would be aggregated in the MARS appliance.

Until the MARS appliance has the ability to 'virtualize' and segment events, using the platform in a service-provider environment is questionable.

I have run into this problem... We attempted to implement a managed MARS service for a period, but ran into difficulty b/c of this issue. We have a MARS GC that tried to normalize events across all of the LCs from different orgs. Basically, it was a huge mess, so we had to start managing them individually (major pain too). As security systems go, I am not sold on SIMs, especially MARS.

Jay
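An added example, not from this thread and not MARS or any Cisco code, of the per-tenant segmentation Jay says the appliance lacks: a small Python collector that buckets syslog from a shared monitoring subnet by the reporting device's source prefix, so a report for one customer never carries another customer's events and devices outside any allocation are flagged rather than silently merged. The tenant prefixes, the Cisco-ASA-style log lines and the host-to-tenant mapping are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed allocation: which prefixes on the shared subnet belong to which tenant.
TENANT_PREFIXES = {
    "customer-a": [ipaddress.ip_network("10.10.1.0/24")],
    "customer-b": [ipaddress.ip_network("10.10.2.0/24"),
                   ipaddress.ip_network("10.10.3.0/24")],
}

# Constructed sample lines in BSD syslog shape: <PRI>timestamp host message.
SAMPLE_LOG_LINES = [
    "<166>Oct 16 06:36:01 10.10.1.5 %ASA-6-302013: Built inbound TCP connection 1234",
    "<164>Oct 16 06:36:02 10.10.2.9 %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444",
    "<166>Oct 16 06:36:03 10.10.1.6 %ASA-6-302014: Teardown TCP connection 1234",
    "<164>Oct 16 06:36:04 10.10.9.1 %ASA-4-106023: Deny udp src outside:203.0.113.4/53",
]

# Optional PRI, "Mon dd hh:mm:ss" timestamp, reporting host, free-text message.
SYSLOG_RE = re.compile(r"^(?:<\d{1,3}>)?(\w{3}\s+\d{1,2} [\d:]{8}) (\S+) (.*)$")


def tenant_for(host):
    """Map a reporting device's IP to its tenant; None if not allocated to anyone."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    for tenant, prefixes in TENANT_PREFIXES.items():
        if any(addr in prefix for prefix in prefixes):
            return tenant
    return None


def segment_events(lines):
    """Bucket parsed events per tenant; unmapped sources land in 'unassigned'."""
    buckets = defaultdict(list)
    for line in lines:
        match = SYSLOG_RE.match(line)
        if not match:
            buckets["unparsed"].append(line)
            continue
        timestamp, host, message = match.groups()
        buckets[tenant_for(host) or "unassigned"].append((timestamp, host, message))
    return dict(buckets)


def tenant_view(lines, tenant):
    """The report one customer may see: only that tenant's own events."""
    return segment_events(lines).get(tenant, [])
```

The 'unassigned' bucket is the review point for a shared collector: anything landing there is a device no customer has been allocated and should be investigated before it is reported to anyone.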

acid_kewpie Tue, 10/16/2007 - 13:32

Absolutely another issue I had doubts about. I can totally see the logic in the hosting company believing they can buy once, implement many times for multiple customers, but without having a specific partitioning angle to it, you're going to again be more and more limited in how you can use it.

Part of me really thinks that they got the go-ahead based on the brochure, and the reality of how they want to use it was very wide of their own expectations, but they were stuck with the architecture that they had drawn up to get the single expenditure approved. I know as a purchase approver I wouldn't be happy if a "one box for everyone" architecture turned into a "one box per customer" one; clearly it'd then be part of the customer's implementation itself, so not an added bonus for each customer.

mhellman Wed, 10/17/2007 - 05:57

The comments so far have been spot on IMHO. I would even go so far as to say MARS is really built for small/medium sized businesses (which we're not, but I digress). It has many serious architectural/design flaws. However, I see no reason the service provider can't continue down the MARS path while you still maintain your own monitoring systems. The syslog and SNMP traps can be sent to both.

acid_kewpie Wed, 10/17/2007 - 06:16

Well, they *can't* be sent to both if MARS is run on a private unroutable network containing *only* MARS and Cisco IPS devices and ASA AIP modules for 10 different customers.

mhellman Wed, 10/17/2007 - 06:29

You're in a much better position to determine whether it's possible or not. IMHO, there is no such thing as an unroutable network... only an un-routed network ;-)
