I am in charge of the security of a big project, including the design and deploying of a SOC.
I will have a central site (site A) and five other operational sites (sites B). On average, each site will have the following ICT infrastructure:
- 1 Catalyst 6500 (L3)
- 1 FWSM
- 1 IPS 2Gbps
- 1 Core switch (stack)
- 6 Distribution/Access switches
- NAC Clean Access Server
- 16 blade switches (inside blade enclosures)
- 1 Active Directory (and DNS/DHCP) server
- 1 AV Server (McAfee ePO)
- 60 servers for different applications (the majority for video)
- 120 users on site
Each site B will have 1500 small branches (nearly 8000 in total). In turn, each branch will have one Cisco ISR router and a 4 Mbps ADSL link.
I am considering having Cisco MARS in the SOC to do all the security monitoring, incident identification and response. Additionally, I will have the NAC manager and an ACS in the SOC.
I have the following questions:
- Which type of deployment is better for this project:
a) A central standalone MARS controller in the SOC, or
b) A central global controller in the SOC and a local controller in each site (one A and five B)
- How can I estimate the EPS at each site if they do not exist yet and I cannot measure anything?
- Does anyone have data about EPS (average and peak) in real scenarios for each of the aforementioned infrastructure products?
Thanks a lot in advance and best regards
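One way to approach the second question when nothing can be measured yet is to build a transparent sizing worksheet: per-device-class average EPS and a peak multiplier, multiplied by the inventory counts in the post, rolled up per site B (site plus its 1500 branches) and for the whole project, then compared against a collector's rated EPS with headroom. The example below is an added illustration, not code from the original post or from Cisco; every rate in `ASSUMED_RATES`, the 300 bytes per event, the 90-day retention and the collector ratings passed to `fits()` are placeholder assumptions to be replaced with figures measured in a pilot, not vendor or real-world data.

```python
"""EPS sizing worksheet: inventory counts x assumed per-device rates.

Added example. All rates below are ASSUMED placeholders, not measured or
vendor figures; device counts are taken from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRate:
    avg_eps: float       # ASSUMED steady-state events/second for one device
    peak_factor: float   # ASSUMED peak-to-average multiplier for that device


# ASSUMED placeholder rates per device class (hypothetical, to be replaced).
ASSUMED_RATES = {
    "catalyst_6500": DeviceRate(2.0, 5.0),
    "fwsm":          DeviceRate(50.0, 10.0),   # firewalls dominate event volume
    "ips":           DeviceRate(20.0, 10.0),
    "core_switch":   DeviceRate(1.0, 5.0),
    "access_switch": DeviceRate(0.5, 5.0),
    "nac_server":    DeviceRate(5.0, 4.0),
    "blade_switch":  DeviceRate(0.5, 5.0),
    "ad_dns_dhcp":   DeviceRate(30.0, 5.0),    # authentication/DNS/DHCP logging
    "av_epo":        DeviceRate(5.0, 4.0),
    "app_server":    DeviceRate(1.0, 5.0),
    "isr_router":    DeviceRate(0.1, 10.0),    # one per branch, over ADSL
}

# Device counts per site, from the post (same shape assumed for sites A and B).
SITE_INVENTORY = {
    "catalyst_6500": 1, "fwsm": 1, "ips": 1, "core_switch": 1,
    "access_switch": 6, "nac_server": 1, "blade_switch": 16,
    "ad_dns_dhcp": 1, "av_epo": 1, "app_server": 60,
}
BRANCH_INVENTORY = {"isr_router": 1}


def eps_for(inventory, rates=ASSUMED_RATES):
    """Return (avg_eps, peak_eps) for one inventory.

    Peak assumes every device peaks at the same moment: a deliberately
    conservative worst case, which is what a collector must survive.
    """
    avg = sum(n * rates[k].avg_eps for k, n in inventory.items())
    peak = sum(n * rates[k].avg_eps * rates[k].peak_factor
               for k, n in inventory.items())
    return avg, peak


def site_b_eps(branches=1500):
    """One operational site plus its branches: what a local controller would see."""
    s_avg, s_peak = eps_for(SITE_INVENTORY)
    b_avg, b_peak = eps_for(BRANCH_INVENTORY)
    return s_avg + branches * b_avg, s_peak + branches * b_peak


def project_eps(sites_a=1, sites_b=5, branches_per_b=1500):
    """Whole project: what a single central controller would have to absorb."""
    a_avg, a_peak = eps_for(SITE_INVENTORY)
    b_avg, b_peak = site_b_eps(branches_per_b)
    return sites_a * a_avg + sites_b * b_avg, sites_a * a_peak + sites_b * b_peak


def storage_bytes(avg_eps, bytes_per_event=300, retention_days=90):
    """Raw log volume over the retention window (bytes_per_event is an assumption)."""
    return avg_eps * bytes_per_event * 86400 * retention_days


def fits(required_peak_eps, rated_eps, usable_fraction=0.7):
    """True if the collector keeps 30% headroom below its rated EPS at worst-case peak."""
    return required_peak_eps <= rated_eps * usable_fraction


if __name__ == "__main__":
    avg, peak = project_eps()
    print(f"project: avg {avg:.0f} EPS, worst-case peak {peak:.0f} EPS")
    print(f"90-day raw volume: {storage_bytes(avg) / 1e9:.0f} GB")
    b_avg, b_peak = site_b_eps()
    # Ratings passed here are hypothetical, not MARS appliance specifications.
    print("single central collector rated 10000 EPS fits:", fits(peak, 10000))
    print("per-site collector rated 5000 EPS fits site B:", fits(b_peak, 5000))
```

Two things the worksheet makes visible: the firewall, IPS and AD servers account for most of the site-level volume, so those three classes are the ones worth measuring first in a pilot; and the 7500 branch routers contribute little on average but roughly half of the simultaneous-peak figure, which is the number that decides between a single central collector and per-site collectors feeding a global one (question a versus b). Re-run it with measured rates before sizing hardware.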