MARS Implementation

Unanswered Question
Sep 5th, 2010

I want to implement MARS in an Internet network, and the network contains the devices below:

ASA, IPS, Internet router, ISG1000, Cisco manager, and Cisco core switch.

The Internet network provides Internet for all users in the building, and I want to monitor the network using MARS. I have more than 2000 users and around 40 access switches.

I am planning to configure all the security devices as reporting devices for the MARS appliance, plus the core switches and the routers.

I am not sure if this is the best practice for this network to have full monitoring.

Any ideas that can help me, please.

Thank you

paultribe Tue, 09/07/2010 - 06:45

Cisco CS-MARS is what is known as a security event information management system (SIEM). To understand the system's features and a CS-MARS appliance's suitability, you should have a look at:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/data_sheet_c78-458671.html

Where you position your CS-MARS appliance within a network really depends on your company's security policy. When you say that "I want to implement MARS in Internet network", does this mean on a company's internal network as opposed to the "Internet"? If so, the number of devices you wish to monitor depends on the CS-MARS appliance you implement and, amongst other things, how many events per second and/or NetFlow events it can handle, and the amount of storage capacity for live data. There is a table within the above URL that outlines the ability of all CS-MARS appliances.

You should also have a look at the deployment and planning guidelines; have a look at this URL:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/plan.html

Hope this helps.

Paul
