cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1198
Views
0
Helpful
1
Replies

MARS Implementation

I want to implement MARS in Internet network and the network contain the below devices:

ASA, IPS, internet router, ISG1000, cisco manager, and cisco core switch.

internet network providing internet for all users in the building and i want to monitor the network using MARS and i have more than 2000 users and  around 40 access switch.

I am planing to configure the all security devices as reporting devices for MARS appliance plus the core switches and the routers.

I am not sure if this is the best practise for this network to have full monitoring.

Any ideas please can help me.

Thank you

1 Reply 1

paultribe
Level 1
Level 1

Cisco CS-MARS is what is known as a security event information management system (SIEM). To understand the systems features and a CS-MARS appliances' suitability you should have a look at:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/data_sheet_c78-458671.html

Where you position your CS-MARS appliance within a network really depends on your companies security policy, when you say that "I want to implement MARS in Internet network", does this mean on a companies internal network as oppossed to the "Internet"? If so the amount of devices you wish to monitor depends on the CS-MARS appliance you implement and amongst other things, how many events per second and/or netflow events it can handle, and the amount of storage capacity for live data. There is a table within the above URL that outlines the ability of all CS-MARS appliances.

You should also have a look at the deployment and planning guidelines, have a look at this URL:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/plan.html

Hope this helps.

Paul

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: