MARS is one big solution for Network Behaviour Analysis. Have a look at the doc attached.
Today, the main goal of administrators is to have a tool which could do the analysis on their part and could give a BOTTOM line of the incident/anomaly. Consider a network admin taking care of multiples of routers/firewalls/IPS etc., who has to go through each log from each device separately for any issue; even predicting any issue is something impossible for a human being.
So Network Behaviour Analysis tools (MARS is a tool which makes use of existing technologies/methods like SNMP/FTP/TELNET to retrieve events from the devices: Routers/Switches/FWs/IPS, and the list goes till Workstation XP/2000, e.g.) CORRELATE them (compile the events, find the similar ones and make them 1 SESSION), to present a single-line statement to the administrator that something has happened in the network.
The second part of an NBA tool like MARS is to detect any anomaly, meaning: if nothing bad has happened yet in the network, there is something bad that is going to happen. For instance, if a port in the network switch starts using 90% of its traffic volume limit, and stays in that condition for some time, this could be a symptom of a virus starting to spread in the network, or some sort of broadcast storm that could be triggered from this port. Hence MARS detects the anomaly, and provides precautionary steps to avoid something like this happening in the network.
So, NBA is the superset of "Network events" and "Network behaviour anomaly".
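The two halves of the NBA idea in the post above (correlating events from several devices into one session line, and flagging a port that stays near its capacity for a while), as an added toy example in Python that is not MARS code or anything from the thread; the event tuple layout, the 60 s session window and the 90% / 300 s anomaly thresholds are assumptions.

```python
# Toy event correlation and behaviour-anomaly check (added example, not MARS code).
# Event layout (device, timestamp, src, dst, msg), the 60 s session window and the
# 90% / 300 s utilisation thresholds are assumptions for illustration.

# Constructed sample events, as a collector might normalise them from the
# syslog/SNMP output of several devices.
EVENTS = [
    ("fw1",  100, "10.0.0.5", "10.0.1.9",  "deny tcp/445"),
    ("ips1", 102, "10.0.0.5", "10.0.1.9",  "SMB probe"),
    ("fw1",  103, "10.0.0.5", "10.0.1.10", "deny tcp/445"),
    ("fw1",  700, "10.0.0.7", "10.0.1.9",  "deny tcp/22"),
    ("sw3",  705, "10.0.0.5", "10.0.1.11", "deny tcp/445"),
]

# Constructed port utilisation samples (timestamp, fraction of link capacity).
PORT_SAMPLES = [(0, 0.95), (60, 0.93), (120, 0.97), (180, 0.92), (240, 0.94), (300, 0.96)]


def correlate(events, window=60):
    """Group events from any device by source address into sessions: consecutive
    events from one source within `window` seconds form one session.
    Returns one summary line per session, the 'bottom line' an admin reads."""
    sessions = []
    open_idx = {}  # src -> index of its currently open session
    for device, ts, src, dst, _msg in sorted(events, key=lambda e: e[1]):
        i = open_idx.get(src)
        if i is not None and ts - sessions[i]["end"] <= window:
            s = sessions[i]
            s["end"] = ts
            s["n"] += 1
            s["devices"].add(device)
            s["dsts"].add(dst)
        else:
            sessions.append({"src": src, "start": ts, "end": ts, "n": 1,
                             "devices": {device}, "dsts": {dst}})
            open_idx[src] = len(sessions) - 1
    return [f"{s['src']} -> {len(s['dsts'])} host(s), {s['n']} event(s) seen by "
            f"{len(s['devices'])} device(s) in {s['end'] - s['start']}s"
            for s in sessions]


def sustained_high_util(samples, threshold=0.9, min_seconds=300):
    """True if utilisation stays at or above `threshold` for `min_seconds`
    continuously (the sustained-90% symptom described in the post)."""
    run_start = None
    for ts, util in samples:
        if util >= threshold:
            run_start = ts if run_start is None else run_start
            if ts - run_start >= min_seconds:
                return True
        else:
            run_start = None  # a brief spike does not count; reset the run
    return False
```

A single spike above the threshold resets the run, so only a port that really stays saturated is reported.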
Well, it all depends on the requirement. If it gets fulfilled by Netflow, why would someone bother to go for Sflow or Cflow?
And if it's about being futuristic, then yes, but again, some fancy stuff like "Flexible netflow" and "IPFIX" is not even mentioned in the network world link? So does it mean that those products are just "great", not "big", solutions? Maybe it's just a word game, but as I said, NBA is not just anomaly detection, but it is the superset of event generation/correlation and anomaly detection.
Thank you for your valuable comments, I assume by 'futuristic' you mean 'scalable'?
Because CFlow or SFlow are not things of the future, they run on hundreds of networks :)
A good consultant always proposes a scalable solution (subject to cost/other constraints) :). I myself proposed the MARS solution to someone (on this same forum) but after looking at it closely in terms of Traffic analysis......