First Implementation - Random Questions

Unanswered Question
Dec 21st, 2008
User Badges:

Hi all, I've been doing my first implementation for past week and I've come across a few questions that I haven't found the answers to (yet). While scouring the user guides and Google, I figured I might as well ask the forums to expedite my research.


1) I created a new security device, but canceled creation during the process. Now when I try to re-add the device with the same name, it complains that it already exists, however it's not in the device list. Where can I find it?


2) I added my Foundstone device to MARS and configured it to do topology updates. Is there any method for confirming MARS is pulling vulnerability information from Foundstone?


3) When I create a custom rule (keyword specific) to be notified on, a similar built-in rule fires, but mine does not. If I disable the built-in rule, mine will fire and alert me. Does MARS match only the first, or the best rule to fire on?


4) Is it possible to customize the main Dashboard, or only the "My Reports" section.


Thanks in advance for any replies,


TBC

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (2 ratings)
Loading.
pmccubbin Mon, 12/22/2008 - 08:07
User Badges:
  • Silver, 250 points or more

Hi Carl,

I can help you some.


1. If a device needs to be deleted it must be done in two places:


1st from the Device List. Admin->Security+ Monitoring Devices

2nd from IP Management. Management->IP Management


4. On the Main Dashboard you can only configure the "My Reports" section. This is a frequently asked question and one Cisco has received many requests about. People usually want to get rid of the pseudo network diagrams at the top of the Dashboard because they can't be configured like CiscoWorks.


Hope this helps.

thebigch1980 Tue, 12/23/2008 - 07:05
User Badges:

Thanks for the replies. I was able to add the device and schedule the topology updates, but short of watching the Foundstone database for incoming requests from MARS, I'm unable to verify that MARS is actually querying and using vulnerability information from Foundstone.


Thanks again



*Edit*

Progressing through this issue. I found that if I go to Management > IP Management > "Device_Name" > Edit > Vulnerability Assessment that I should be able to see the detected OS and services running on the machines. I do not see that information.


Upon review of the logs, I found the following:


pn va VulnerabilityDiscovererFActory PN-1100: Java message: Unsupported device type: Microsoft,Windows,Generic, use Dummy VulnerabilityDiscoverer


pn va foundstone FoundstoneVulnDiscoverer PN-1100: Java message: Exception caught in getting JDBC connection: Db server closed connection.


pn va ThirdPartyVulnDiscoverer PN-1100: Java message: Foundstone: Can not get JDBC connection.


So it appears to be a configuration issue or at least a database communication issue. I will continue to pursue it.


Thanks


thebigch1980 Tue, 12/23/2008 - 07:11
User Badges:

Another question to tack on to this thread, I hope nobody minds:


5) Our MARS is collecting data from multiple sites on our MPLS cloud, however the topology within MARS is not aware of the connection between each of the sites. The cloud is not managed by us and therefore, we cannot add the necessary devices to mars to link the devices. Is it possible to create a "generic router" device and add manual routes to this device so that we can simulate the cloud routing and complete the topology and attack paths? We tried this with a generic linux machine with multiple interfaces, but MARS did not understand that this device could route traffic. Also, we've tried a few other devices, but MARS always wants to pull routing information via SNMP, which a fake device will not have.


I hope it's clear what I'm trying to accomplish. Please let me know if I can provide more information.


Thanks



Farrukh Haroon Wed, 12/24/2008 - 00:03
User Badges:
  • Red, 2250 points or more

This is not possible. If you need to see the MPLS endpoints as next-hops you need to run Layer 2 MPLS VPNs. In Layer 3 VPNs the provider is never really going to open SNMP etc. for you. Even if he does, the ISP usually hides the underlying MPLS network from you. If you do a traceroute to a remote location you will find that it shows only a few hops, even tough in reality the traffic traverses many more hops than what is seen in the Traceroute output.


Regards


Farrukh

Actions

This Discussion