06-05-2008 07:23 AM
I am trying to understand the difference between MARS, LMS and IPS and why you would use one over the other.
Thank you all.
Solved! Go to Solution.
06-05-2008 09:29 AM
MARS is an appliance that aggregates/deduplicates syslog and netflow data from routers,switches,firewalls, and IPS sensors. In addition to Cisco devices it also supports things like Checkpoint Firewalls, Snort IPS, etc.
LMS (Ciscoworks LMS) is primarily a device configuration and IOS management platform that runs on your own Windows server (not sure if Unix is still supported.) We use it to maintain the configs of hundreds of Cisco routers and switches, easily push out config changes to said devices, and mass-deploy IOS upgrades.
IPS is sort of like anti-virus "on the wire" - it runs on dedicated IPS sensors, plug-in modules on firewalls or 6500's, and on routers via IOS IPS. Events can be forwarded to MARS for correlation, etc.
You didn't ask, but CSM (Cisco Security Manager) is the more appropriate tool for mass-configuration and 'group policy' for firewalls and IPS sensors.
Each product solves a particular problem; you wouldn't choose one over the other since they all work together to provide a cohesive solution. The specifics of your environment (particularly the number and type of devices) would dictate your choices here.
06-05-2008 09:29 AM
MARS is an appliance that aggregates/deduplicates syslog and netflow data from routers,switches,firewalls, and IPS sensors. In addition to Cisco devices it also supports things like Checkpoint Firewalls, Snort IPS, etc.
LMS (Ciscoworks LMS) is primarily a device configuration and IOS management platform that runs on your own Windows server (not sure if Unix is still supported.) We use it to maintain the configs of hundreds of Cisco routers and switches, easily push out config changes to said devices, and mass-deploy IOS upgrades.
IPS is sort of like anti-virus "on the wire" - it runs on dedicated IPS sensors, plug-in modules on firewalls or 6500's, and on routers via IOS IPS. Events can be forwarded to MARS for correlation, etc.
You didn't ask, but CSM (Cisco Security Manager) is the more appropriate tool for mass-configuration and 'group policy' for firewalls and IPS sensors.
Each product solves a particular problem; you wouldn't choose one over the other since they all work together to provide a cohesive solution. The specifics of your environment (particularly the number and type of devices) would dictate your choices here.
06-05-2008 11:12 AM
Neil,
Very concise and accurate answer. You could have easily said go investigate on the Cisco web site but you didn't and I applaud you (I rate it a "5"). Thanks for taking the time to do things right.
Best,
Paul
06-06-2008 05:36 AM
Neil,
That was a great answer and excatly what I was looking for.
Thanks a bunch.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide