Solved: Do you have your perimiter firewall sending to MARS

nagel · ‎05-12-2009

Just trying to wrap my brain around what should be sending to a new MARS implementation. We have several interior ASAs (which I have included), several distribution layer switches (which I have included), a WAN Router (P2P which I have included) and a perimiter PIX. Note that our Internet router belongs to our ISP so pointing that at the MARS is not an option. When I point the PIX to the MARS, reporting is significantly increased (even to the point of not sure whether incidents are significant or not). We are currently not using any IDS/IPS so the PIX is pretty much it for perimiter (we do have a shaper on this side of the PIX). Would like to know what items are "best practice" to point at the MARS. Do you include access layer switches? Do you include servers? Thanks in advance.

mhellman · ‎05-18-2009

You could talk to your ISP about sending the logs to MARS or allowing SNMP read access, many of them will. The firewall information is IMHO the most valuable information MARS can get, so keep the PIX reporting in. The next most valuable data is logs from authentication/access control points. This includes domain controllers, member servers, VPN devices, thin client servers, etc.

As far as "reporting is significantly increased", I assume you mean incidents go up? You will need to tune the system to reduce those to a manageable and [hopefully] meaningful amount. If you don't have significant tuning to do after implementing MARS...then you don't have the right data going into it;-)

View solution in original post

RicheeJJJ_2 · ‎05-12-2009

Well, you point whatever device you want MARS to collect data from. Doesn't always have to be a cisco device either.

The time when MARS really shines is when IPS/IDS devices are reporting to MARS. So without thinking those devices absolutely should go to MARS. But this isn't something you have.

I would put crucial and key devices into MARS. Perimeter devices are good and ASA's are good to have. Anything that you have as mission critical should probably go in there too.

eegilbert · ‎05-13-2009

I certainly have all my firewalls pointing at mars via opsec. I guess it all depends on what you're looking for. For me, the best picture includes DMZ traffic as well as traffic entering and leaving the network.

On a personal note, I'd see about getting your own Internet router at your company ;-)

mhellman · ‎05-18-2009

You could talk to your ISP about sending the logs to MARS or allowing SNMP read access, many of them will. The firewall information is IMHO the most valuable information MARS can get, so keep the PIX reporting in. The next most valuable data is logs from authentication/access control points. This includes domain controllers, member servers, VPN devices, thin client servers, etc.

As far as "reporting is significantly increased", I assume you mean incidents go up? You will need to tune the system to reduce those to a manageable and [hopefully] meaningful amount. If you don't have significant tuning to do after implementing MARS...then you don't have the right data going into it;-)