Possible MARS Deployment

Unanswered Question
Oct 16th, 2009

I am going to do a small install (less than 300 users) with some very high end servers. All the traffic will be going through my redundant 6513s with Firewall and Intrusion Detection modules.

I will NOT be running CSA on the 200 workstations.

How beneficial will something like MARS be for me? What sort of things can I track that will help me mitigate/diagnose/and predict threats?

Thanks in advance. I haven't used MARS before and need as much info as possible, not from the sales staff.

James

Erik Ingeberg Mon, 10/19/2009 - 00:29

The first point of having a MARS is to be able to store logs. Without MARS or another syslog server, you cannot go back in time to see what happened in your network.

Next point is that the MARS is very good at correlating syslog events from Cisco devices. Since you have IPS modules, you will get a lot of information.

Without a MARS or another SIEM system it is very difficult to get alerted when something goes wrong. But you still need to find the time to actually look at it once in a while and take action on the events you find. Otherwise you might as well send everything to something like syslog-ng.

jfraasch Mon, 10/19/2009 - 04:15

So what I will do is point all my Cisco devices to it to record events and then the MARS software will look at those logs to see if there is any security issue on my network. I would then still have to take action on the problem.

It will correlate all my logs. It will be installed at a customer site to which I will have remote access.

I am guessing with the IPS that this would be the thing to get to correlate those events.

Thanks for the info.

James

RicheeJJJ_2 Mon, 10/19/2009 - 15:38

MARS will not show you what's up or down. Are you going to use anything to track uptime that maybe will ping all your servers every few seconds perhaps?

MARS does collect syslogs which you can use to run reports on and look at the data collected.

jfraasch Tue, 10/20/2009 - 02:27

Yes, we are going to use a Nimbus-like product to help with that.
