Cisco Support Community

ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Jazib Frahim the deployment and implementation techniques for Cisco Security Monitoring, Analysis and Response System (CS-MARS) appliances. Jazib is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Jazib holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has presented at Networkers on multiple occasions. He recently authored the book "Cisco ASA, all-in-one firewall, IPS and VPN appliance".

Remember to use the rating system to let Jazib know if you have received an adequate response.

Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 15, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

71 REPLIES

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Thanks for having this. What is the protocol for posting to this event? A specific subject in the General List, which he will monitor, or replies to this thread?

TIA

Paul Trivino

Cisco Employee

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Please ask your questions in this thread.

This thread will be active and bumped to the top with every question.

thxs!

peter

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

I want to change the current config of my 4250 to use two ports for an IPS pass-through setup. Can you link the relevant documentation in your reply? I currently have 5 interfaces and will use 2 of the Fa interfaces to handle the traffic, leaving 2 Fa interfaces and 1 Gb interface for monitoring.

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi there,

Since this forum is on MARS, can you clarify what you are asking in terms of MARS?

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Yes, sorry about that. I posted and then realized it was the wrong forum; feel free to remove this post and the other. I did find the documentation.

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

MARS General FP Drop Rule vs. Listed Unconf. FPs

I'm reposting this from its originally-standalone post:

I have a gazillion (really!) Unconfirmed False Positive events listed on that Tab in MARS. The specific event is "Windows SMB Enum Share DoS" and I created a Drop Rule for ANY of these events, with Source and Destination from my inside networks. I know all of my systems are patched against it.

It appears my Drop Rule is working, since viewing the Sessions associated with these (clicking the "Show" link at the right of each) shows no sessions after I installed the Drop Rule.

But I still have all of these Events in the Unconf. FP list. I would like to avoid doing the "False Positive" procedure for each, for two reasons:

1. It will take a long time.

2. I will also wind up with a gazillion Drop Rules, which the system will either have to process OR I'll have to go through THEM and Inactivate them.

Any ideas?

Paul Trivino

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi Paul,

Unfortunately, if you are using MARS and setting up drop rules, you are going to get those FPs. I think you should see if you could tune out those messages at the reporting device (IPS/IDS box) if at all possible. This way MARS will not even receive those events and you would not have to do manual FP confirmation.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Jazib - what is the logic behind this.

If you create a drop rule for ANY device for a particular event - surely you are indicating you want to ignore this event.

Why should it then ask you to confirm fp rules for every single device reporting this event?

Also - I have seen multiple fp incidents from a single host. When these are tuned duplicate drop rules get created for the same device.

As you cannot delete rules - is this not a waste of disk space?

Also - it makes managing drop rules very untidy.

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

The reason why the drop rules cannot be deleted is because of incident forensics. For example, if an incident is fired today because events match a rule, and you delete this rule from the MARS appliance, then you will not be able to find out why this incident was generated without a corresponding rule.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Jazib - I am aware of the reason rules cannot be deleted.

If you create a drop rule for ANY device for a particular event - surely you are indicating you want to ignore this event.

Why should it then ask you to confirm fp rules for every single device reporting this event?

Also - I have seen multiple fp incidents from a single host. When these are tuned duplicate drop rules get created for the same device.

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi Jazib - any thoughts on this posting,

thanks

Mick.

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi there,

I am actually checking with the development team to shed more light on this. I will keep you posted as soon as I hear something back from them

Thanks for your patience

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi,

I was wondering when Cisco MARS would implement auto-mitigation. That would be a big feature. Will it be released in version 4.3? When is version 4.3 coming out?

Thanks,

Herman Choi

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Herman,

I can't discuss the MARS roadmap on this thread. You may want to discuss it with your local Cisco account team. However, many network administrators do not want to have auto-mitigation type functionality, as they want to ensure that things are not being dynamically filtered in their infrastructure.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Is there any means through which one can configure a rule action to send a plain text email describing an event, as opposed to an XML formatted one? Thanks in advance!

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi there,

If you are looking for a description of an incident, then you have to use XML notification. The plain email notification sends you a brief summary of the incident, but this may not be what you are looking for.

regards,

Jazib

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi Jazib,

I thank you and Cisco Systems for this thread.

I have been a newbie to MARS, having separated my ways from CSA 4.0 / IDS 42XX / PIX 6.3 over VMS.

Now when I see IPS 42XX sensors, I find or understand that MARS is actually a paradigm shift in the implementation for IDS / IPS (or in other words, Threat Mitigation).

So, my questions would be as follows:

1. Is there any document that describes the overall implementation scenarios (like SRNDs) for MARS?

2. How can we actually use the XML notification emails?

3. Can we use MARS to get information from Routers and Switches also? Please provide the URL for the Config Guide.

Looking forward to hearing from your side,

Kind Regards,

Wilson Samuel

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Wilson, I can give you the URL of the CS-MARS Support stuff: http://www.cisco.com/en/US/customer/products/ps6241/tsd_products_support_series_home.html

The User Guide provides procedures to provision routers, switches, ACS, servers, firewalls, the whole shmear. There are *some* white papers there too. Apparently the SRND list page has moved or I'd check that and give it to you.

Paul

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi Paul,

Thanks for the info, however I'm still a bit puzzled; please help on this point:

1. If Routers/Switches are configured for MARS, what is it that they are going to report (presuming that none of them have an IDSM on it)?

Regards,

Wilson Samuel

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

All KINDS of stuff: I can't even begin to list them, PLUS MARS will then understand network topology AND switches can be used to mitigate certain threats. If you have a list of your devices, make a MARS seed file, run it in, let them be discovered, and you're away.

Paul

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi Wilson,

1. Is there any document that describes the overall implementation scenarios (like SRNDs) for MARS?

Jazib>> There aren't any published documents on a MARS SRND. However, Cisco Advanced Services has a MARS design and implementation service that you can get assistance from on this.

2. How can we actually use the XML notification emails?

Jazib>> Please consult this URL:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_2/uglc/appalert.htm

3. Can we use MARS to get information from Routers and Switches also? Please provide the URL for the Config Guide.

Jazib>> Here it is:

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_2/uglc/cfgrtrsw.htm

Hope that helps

-Jazib

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Jazib, have you been able to look at my post from Jun 2 10:13AM? TIA

Paul

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Thanks Jazib,

However, one more query:

1. The configuration of Routers/Switches is required in order to gather the topology information and basic mitigation techniques like shutting down a port, putting an ACL in place, or sending a TCP Reset command.

Will it be able to gather information regarding an Attack / Intrusion from Routers / Switches also?

Regards,

Wilson Samuel

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Wilson,

The current mitigation techniques are to shut down the switch port using the SNMP RW string and to provide ACL recommendations for layer 3 devices. I am not following you on your question; are you asking me if the MARS appliance can gather information from a router, switch and an intrusion detection box?

-Jazib

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Jazib,

Thanks for the information regarding Threat Mitigation using MARS (the current mitigation techniques are to shut down the switch port using the SNMP RW string and to provide ACL recommendations for layer 3 devices).

However, it seems I didn't put my questions correctly or clearly.

Let me put it this way:

1. MARS can gather the topological details provided we configure the Routers / Switches in the MARS Appliance.

Having said that, can it also gather information regarding any intrusion from the Routers and Switches, like it gets from any IPS / IDS device or module?

I hope it's clearer this time,

Kind Regards,

Wilson Samuel

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Wilson,

I believe you're wondering whether MARS will detect intrusions or anomalies directed at your router or switch, rather than at a device that requires traversing their path. The answer is yes. Typically an intrusion attempt is made using ssh/telnet/http/https/snmp to gain access to the router/switch. By following best practice, all of these management protocols should be filtered using an ACL (access control list). An intrusion would thus cause the ACL to fire a deny, which in turn is logged (in a Cisco world... by doing something like "deny tcp any any eq 22 log"). MARS can parse ACLs and after parsing you can now generate events. I have a great example of this on my blog. Out-of-the-box MARS does not detect this, but the required parsing is present. Hope this helps!

-Mike

http://cs-mars.blogspot.com
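As an added illustration of the parsing Mike describes (this is example code written for this page, not code from the thread, from MARS, or from Mike's blog): a small Python parser for the IOS `%SEC-6-IPACCESSLOGP` syslog messages that a `deny ... log` access-list entry produces, followed by the defender's check a MARS rule would express, namely counting denied packets per source host aimed at management ports. The hostnames, addresses and ACL name in the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the Cisco IOS %SEC-6-IPACCESSLOGP format,
# as produced by a logged ACE such as "deny tcp any any eq 22 log".
# Router name, ACL name and addresses are made up for this example.
SAMPLE_LOGS = """\
<190>Jun  5 10:13:01 rtr1 1234: %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.9.9.7(51234) -> 10.0.0.1(22), 1 packet
<190>Jun  5 10:13:02 rtr1 1235: %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.9.9.7(51235) -> 10.0.0.1(22), 1 packet
<190>Jun  5 10:13:03 rtr1 1236: %SEC-6-IPACCESSLOGP: list MGMT-IN denied tcp 10.9.9.7(51236) -> 10.0.0.1(23), 1 packet
<190>Jun  5 10:13:04 rtr1 1237: %SEC-6-IPACCESSLOGP: list MGMT-IN permitted tcp 10.0.0.50(40000) -> 10.0.0.1(22), 1 packet
<190>Jun  5 10:13:05 rtr1 1238: %SEC-6-IPACCESSLOGP: list MGMT-IN denied udp 10.9.9.8(1025) -> 10.0.0.1(161), 3 packets
<190>Jun  5 10:13:06 rtr1 1239: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Fields of an extended-ACL log message: list name, action, protocol,
# source(port) -> destination(port), packet count.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packet"
)

# Management-plane services Mike lists; anything else an ACL denies is ignored here.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 161: "snmp"}


def parse_acl_logs(text):
    """Return one dict per ACL-log line; non-ACL syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "acl": d["acl"], "action": d["action"], "proto": d["proto"],
            "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "count": int(d["count"]),
        })
    return events


def mgmt_access_attempts(events, threshold=2):
    """Sum denied packets per source host aimed at management ports and
    return the hosts at or above the threshold (the rule a MARS operator would write)."""
    totals = Counter()
    for e in events:
        if e["action"] == "denied" and e["dport"] in MGMT_PORTS:
            totals[e["src"]] += e["count"]
    return {src: n for src, n in totals.items() if n >= threshold}
```

Permitted entries are parsed but never counted, so a legitimate admin host hitting SSH does not raise the alert.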

Bronze

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Thanks Wilson for your great explanation. Just to add to what you mentioned earlier, MARS relies on the events generated by the reporting devices. So if a device (in your case a router) generates an event through ACL log or any other method, then MARS should receive that and, based on the configured rules, should take appropriate actions.

Hope that helps

-Jazib

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi,

I want to disable the logs created by CS-MARS which are not useful, and I want to check the logs of the other devices that are mapped on CS-MARS. How do I filter the logs?

Thanks

New Member

Re: ASK THE EXPERT - IMPLEMENTING CS - MARS APPLIANCES

Hi,

Any update

Thanks
