Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on new features released in CS-MARS including authentication services and Cisco IPS signature dynamic updates with Cisco expert Gary Halleen, CISSP-ISSAP. Gary is a security consulting systems engineer with Cisco. He is the author of "Security Monitoring with Cisco Security MARS", and was a technical editor of "Intrusion Prevention Fundamentals." His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Halleen is a regular speaker at security events and presents at Cisco Networkers conferences.
Remember to use the rating system to let Gary know if you have received an adequate response.
Gary might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through September 19, 2008. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Gary, great to have you in the forum. I am new to CS-MARS. I would like to know: can we integrate CS-MARS with vulnerability scanners like Nessus, and if yes, is there a guide for integrating third-party vendors with CS-MARS?
Officially the following three vulnerability scanners are supported:
For devices not supported in MARS, you have to create "User Defined Log Parser Templates". Here is a sample one for Cisco CCA:
There is not currently a way to integrate Nessus into MARS. MARS currently supports some third-party vulnerability scanners, but this is limited to Foundstone, eEye, and Qualys.
Hello Gary, I have a couple of questions.
What type of authentication services are present in the new features?
I have had a doubt since I started with MARS: for mitigation on the switches, is it recommended to run the SNMP discovery frequently?
Version 4.3/5.3 introduced several new authentication features.
First of all, you are able to point authentication to a radius server instead of relying on the onboard database. If you do this, you still have to create a user on the MARS appliance, where you assign the user to a role. However, password checking is actually done at the radius server instead.
Additionally, MARS also supports account lockouts after a specified number of failed login attempts per user.
Lastly, you can specify password requirements (for instance, minimum password length, strong password features).
Welcome to the forum :)
Can you comment on the FWSM 4.x and Cisco CCA support in MARS? When will it be introduced /time-frame etc. I'm already aware of the unofficial CCA parser from a Cisco CSE.
Can you also comment more about the new framework in 6.x which will allow better third-party support?
CCA (Cisco NAC Appliance) version 4.1.3 will be supported in the 6.0 release due out in the next couple of weeks. FWSM 4.0 support will not be in this release, but will be in a follow-on release.
A new feature coming in 6.0 is the ability to modify/add/delete events and event types on supported devices. Additionally, you'll have the ability to share custom parsers that are created by users, partners, etc.
Will V 6.0 support sending e-mails with the whole content of an alert/rule? This is something that is missing from Cisco Works.
Will V 6.0 be supported on the MARS 20? If so, what does the upgrade look like? Is there a migration path from V 4.x?
Do you have any suggested documents for tuning MARS in a Windows environment? I am having a lot of false positives about authentication problems just because of background issues in Windows, but I am finding it difficult to separate these from real authentication threats.
Welcome to the forum.
1. As you mentioned, vulnerability scanning is limited to three third-party tools. Is it possible for the end user to integrate/add events and event types in addition to the existing events? For instance, a new software package is to be integrated and one wants to add software exceptions as the events, and wants to integrate those with his MARS.
I mean anything like a custom parser which could integrate the custom events...
2. What could be the reasons when a device MUST be manually added? I mean, I have 2 ASAs at 2 different locations, same bootstrap config. MARS is receiving logs from the 1st ASA as it automatically discovered the device; however, the 2nd ASA was not discovered, but I can see that MARS is able to go through snmpwalk for this ASA. I want to know why I must add the device manually, not because I'm shy of doing manual effort :) but just for my information and knowledge.
3. At times, when we click on an event, the reporting device is "pnmars". Why would MARS itself report for a device which is a workstation and is not configured to send events?
On the same note, if we try to find the path information, it says an "unable to find path.. and follow the sessions to track" sort of message, whereas all the sessions state that MARS was the reporting device. I know I'm missing something here, but what's that?
4. I remember there was an option where MARS gives us the exact port number on the L2 switch and the ACL to perform in mitigation. I did it in my training on PODs, but on my real machine the path/mitigation link only takes me to path. How do I activate the mitigation link? (I know it's so childish to ask such a question, but I have wasted a lot of time already searching on my own, so please answer this one :) )
Waiting eagerly for your response.
Let me have a go at these :)
1) For any new software/applications not supported in MARS, you would need to add it in the "User Defined Log Parser Templates" page. You can either map the syslogs to existing event types or create your own parser and map those events to new event types, etc.
2) Is the second ASA part of the 'Valid Networks' as defined for topology discovery? Is it sending any events to MARS?
3) Perhaps because MARS is 'pulling' logs from these servers?
4) Layer 2 mitigation devices (switches) are not discovered by the auto-discovery feature; you have to add them manually one by one or add all of them together via the seed file import option. All devices must have SNMP RW configured on them for mitigation to work. Also, you have to define the RO community in MARS for each device even if the 'access type' is not SNMP.
Thanks for replying.
1. No doubt I missed that part, and I'll do it on my own now.
2. "Valid Networks" has the complete range 10.0.0.0 255.0.0.0, so that it will start validating the devices that share the same RO/RW string and are bootstrapped. Both ASAs' IPs lie in this range.
3. It can't be, as the server is not even configured for SNMP. Also, my concern is more about the "reporting device": why does it not show the reporting device IP, and instead shows "pnmars" as the reporting device?
4. Let me rephrase it. I have Layer 3 switches, with some ports working on Layer 2, and want to mitigate through those Layer 2 ports. The question is, should the RW community alone work, or do I need to manually put in the credentials as well?
With 6.0, you can add or modify existing events and event types for reporting devices.
It is an architectural decision by the product team that a reporting device has to either be added manually, added from an existing database, or imported from a seed file. While it would simplify things if it could happen automatically, that is not a roadmap feature.
If the reporting device is MARS, itself, then the events are generated from MARS. Do you have a specific example I can look at?
The information shown on mitigate is dependent on what MARS has been able to determine. There is no setting to enable this feature. For example, if there are no L3 devices reporting to MARS, it will not be able to determine a L3 path. If your switches are old switches (2900-XL for instance), or are running old software versions, then MARS may not be able to determine which switch port an attacker is connected to.
As far as I know, the e-mail alerts are not changed, but I could be mistaken. I'm not part of the MARS development team. Your choices currently are a fairly generic e-mail message or an e-mail message containing XML with the full text of the alert.
MARS 6.0 will support all the current appliances, from the MARS-20R on up. If you have a 20-R it will convert to a MARS-20 when you do the upgrade, and you are able to upgrade directly from 4.x to 6.0.
I would like to know if MARS does support Mainframe based RACF messages out of the box. If not is there a smart way to get this running?
No, it does not, TIA. If those messages can be sent via either syslog or snmp trap, however, a custom parser can be created to enable support of them. That process is too lengthy to explain it here in the forum, but my book covers it extensively.
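As an added illustration of what a user-defined log parser does (both for the "User Defined Log Parser Templates" answer above and for RACF messages forwarded over syslog), here is a small Python parser that is not from the thread, the book, or the MARS product: each template is a regex with named groups mapped to an event type, the first matching template wins, and unmatched lines are kept visible. The syslog lines, host name, event-type names and the RACF-style message layouts are constructed for the example and are not MARS's own template format.

```python
import re
# Standard syslog header: priority, timestamp, host, then the device's own message.
SYSLOG_PREFIX = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Hypothetical templates, loosely modelled on RACF ICH408I/ICH70001I messages (constructed,
# not the MARS format): a pattern with named groups plus the event type it maps to.
# First match wins, so the more specific pattern (resource access denied) is listed first.
TEMPLATES = [
    ("racf_access_denied",
     re.compile(r"ICH408I USER\((?P<user>\w+) *\) GROUP\((?P<group>\w+) *\) .*?"
                r"(?P<resource>\S+) CL\((?P<class>\w+) *\) INSUFFICIENT ACCESS AUTHORITY"),
     "Access/Denied"),
    ("racf_logon_fail",
     re.compile(r"ICH408I USER\((?P<user>\w+) *\) .*LOGON/JOB INITIATION - "
                r"(?P<reason>INVALID PASSWORD|REVOKED USERID)"),
     "Auth/Failure"),
    ("racf_logon_ok",
     re.compile(r"ICH70001I (?P<user>\w+) +LAST ACCESS AT (?P<time>[\d:]+) ON (?P<date>.+)$"),
     "Auth/Success"),
]

def parse_line(line):
    """Map one raw syslog line to {template, event_type, fields}; None if it is not syslog."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for name, pattern, event_type in TEMPLATES:
        hit = pattern.search(msg)
        if hit:
            return {"template": name, "event_type": event_type,
                    "fields": {"host": m.group("host"), **hit.groupdict()}}
    # Unmatched lines stay visible under a catch-all type so the template set can be grown.
    return {"template": "unmatched", "event_type": "Unknown/Unparsed",
            "fields": {"host": m.group("host"), "raw": msg}}

def failed_logons_per_user(lines):
    """Count Auth/Failure events per user: the input a lockout or brute-force rule needs."""
    counts = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event_type"] == "Auth/Failure":
            counts[ev["fields"]["user"]] = counts.get(ev["fields"]["user"], 0) + 1
    return counts

# Constructed sample lines (not real captures) from a hypothetical mainframe host "mvs01".
SAMPLE = [
    "<38>Sep 15 10:01:02 mvs01 ICH70001I JSMITH   LAST ACCESS AT 09:58:11 ON MONDAY, SEPTEMBER 15, 2008",
    "<38>Sep 15 10:02:15 mvs01 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) NAME(JOHN SMITH) LOGON/JOB INITIATION - INVALID PASSWORD",
    "<38>Sep 15 10:02:40 mvs01 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) NAME(JOHN SMITH) PROD.PAYROLL.DATA CL(DATASET ) INSUFFICIENT ACCESS AUTHORITY",
    "<38>Sep 15 10:03:05 mvs01 ICH408I USER(JSMITH  ) GROUP(DEPT01  ) NAME(JOHN SMITH) LOGON/JOB INITIATION - INVALID PASSWORD",
    "<38>Sep 15 10:04:00 mvs01 ICH408I USER(BOB     ) GROUP(DEPT02  ) NAME(BOB JONES) LOGON/JOB INITIATION - REVOKED USERID",
    "<38>Sep 15 10:05:00 mvs01 IEF403I PAYJOB1 - STARTED - TIME=10.05.00",
]
```

Running `failed_logons_per_user(SAMPLE)` gives two failures for JSMITH and one for BOB, while the IEF403I line surfaces as Unknown/Unparsed rather than disappearing.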
Is there any way of creating high availability in CS-MARS in case one MARS product goes down?
Can we use port e1 for monitoring AND REPORTING purposes?
Currently, high availability as built into the appliance is all that is available. This means RAID and redundant power supplies, mainly.
There is work being done to allow enhanced HA, but it's not at a point where I can share details of it.
Both ethernet interfaces can be used. The important thing to remember is that only a single default gateway can be configured on the appliance.
The 'pnreset' command is present on the CLI for this purpose. You can also just re-image the appliance using the corresponding DVD disk.
The license file should be there in the email you received from Cisco while registering your PAK number.
There are two effective ways to reset MARS back to default configuration, meaning an empty database, blank settings, and no devices.
1. From the command-line, issue the 'pnreset' command. This will wipe everything, with the exception of the pnadmin password. It will delete the license that is installed, so make sure you've recorded it first.
2. Insert a recovery DVD into the drive and reboot the appliance. You'll need to either have a console cable attached or a keyboard and monitor. Follow the onscreen instructions. This wipes everything. If you don't have a recovery DVD, you can download an ISO image from cisco.com.
On the first-generation appliances, you can see the installed license, and simply write down the characters.
You mentioned in an earlier post that specific 'software' versions of layer 2 switches are required for protocol mitigation to work. At one customer, all access layer switches (2960 and 3560) are added into MARS with SNMP communities. The Core Switches and FWSM modules are also added. It is a 'MSFC Outside' topology.
We always get a "No enforcement devices found" no matter where the attack occurs. The access layer switches appear on the network topology connected to the management subnet (due to SVIs in one common management VLAN). This is at Layer 3 (sort of).
However for each incident, the diagram shows the hosts/servers directly connected to the core switch (i.e. the access layer switches are missing from Layer 2). How can I fix this? Which 'specific' version is required on the switches for mitigation to work?
Secondly, we also don't get any ACL 'suggestions' for Layer 3 devices (Netscreen and FWSM). Please suggest some tips to fix this. The MARS supported device table document does not mention specifics; for example, for switches it says '12.2' only.
One more question Gary, can you please explain more about the "Monitored Networks" option for IPS devices in MARS. The documentation is not really clear about it. Is it optional or mandatory? What functionality does it provide? Currently I don't have it added for two of our main IDPs and MARS can parse all events from them. Could this have any link to why mitigation is not working for this box (as per my previous post)?
Current layer 2 flow is something like:
Host >> AccessLayerSw (VLAN 10X) >> Trunk >> IDSM (pair with ECLB load sharing) >> FWSM (VLAN 70X).
VLANS 10X and 70X are bridged by the sensor. User default gateway is a FWSM SVI. Both IDSM/FWSM modules are installed in the core switch.
Have you had a successful SNMP discovery run on MARS yet? Also, when each of the devices have been added, have you made sure to perform a Discovery on that device, and then click Activate?