05-12-2009 07:09 AM
Just trying to wrap my brain around what I should be sending to a new MARS implementation. We have several interior ASAs (which I have included), several distribution layer switches (which I have included), a WAN Router (P2P which I have included) and a perimeter PIX. Note that our Internet router belongs to our ISP so pointing that at the MARS is not an option. When I point the PIX to the MARS, reporting is significantly increased (even to the point of not sure whether incidents are significant or not). We are currently not using any IDS/IPS so the PIX is pretty much it for perimeter (we do have a shaper on this side of the PIX). Would like to know what items are "best practice" to point at the MARS. Do you include access layer switches? Do you include servers? Thanks in advance.
05-18-2009 07:35 AM
You could talk to your ISP about sending the logs to MARS or allowing SNMP read access, many of them will. The firewall information is IMHO the most valuable information MARS can get, so keep the PIX reporting in. The next most valuable data is logs from authentication/access control points. This includes domain controllers, member servers, VPN devices, thin client servers, etc.
As far as "reporting is significantly increased", I assume you mean incidents go up? You will need to tune the system to reduce those to a manageable and [hopefully] meaningful amount. If you don't have significant tuning to do after implementing MARS...then you don't have the right data going into it;-)
05-12-2009 09:25 AM
Well, you point whatever device you want MARS to collect data from. Doesn't always have to be a Cisco device either.
The time when MARS really shines is when IPS/IDS devices are reporting to MARS. So, without thinking, those devices absolutely should go to MARS. But this isn't something you have.
I would put crucial and key devices into MARS. Perimeter devices are good and ASAs are good to have. Anything that you have as mission critical should probably go in there too.
05-13-2009 01:02 PM
I certainly have all my firewalls pointing at MARS via OPSEC. I guess it all depends on what you're looking for. For me, the best picture includes DMZ traffic as well as traffic entering and leaving the network.
On a personal note, I'd see about getting your own Internet router at your company ;-)