MARS Implementation

Unanswered Question
Sep 5th, 2010

I want to implement MARS in an Internet network, and the network contains the devices below:


ASA, IPS, Internet router, ISG1000, Cisco manager, and Cisco core switch.


The Internet network provides Internet for all users in the building, and I want to monitor the network using MARS. I have more than 2000 users and around 40 access switches.


I am planning to configure all the security devices as reporting devices for the MARS appliance, plus the core switches and the routers.


I am not sure if this is the best practice for this network to have full monitoring.


Any ideas that could help me, please?


Thank you

paultribe Tue, 09/07/2010 - 06:45

Cisco CS-MARS is what is known as a security event information management system (SIEM). To understand the system's features and a CS-MARS appliance's suitability, you should have a look at:


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/data_sheet_c78-458671.html


Where you position your CS-MARS appliance within a network really depends on your company's security policy. When you say that "I want to implement MARS in Internet network", does this mean on a company's internal network as opposed to the "Internet"? If so, the number of devices you wish to monitor depends on the CS-MARS appliance you implement and, amongst other things, how many events per second and/or NetFlow events it can handle, and the amount of storage capacity for live data. There is a table within the above URL that outlines the ability of all CS-MARS appliances.


You should also have a look at the deployment and planning guidelines; have a look at this URL:


http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/plan.html


Hope this helps.

Paul
