New Member

CS-MARS Deployment

Hello

My company needs to have an Event Correlation Tool/Management System to capture/correlate the events from Firewalls, IPS/IDS, VPN, Core devices and Internet Gateways in order to mitigate the attacks.

We have high-end Cisco Devices like PIX 535, VPN 3030, 6500 Series Switches and 7000 Series routers.

On average, all these devices collectively send almost 100 events per second. But considering the device capacity and traffic, it can be double and maybe more while under any kind of attack.

Is one Cisco Security MARS 50 enough to capture all the events from all the devices including PIX 535, VPN 3030, 6500 and 7000 Series routers?

If not, then what will be the best approach to deploy MARS in such a network infrastructure?

I will really appreciate feedback on this matter from experts who have successfully planned and deployed MARS in their networks.

Thanks

Best regards,

Yasir Ilyas

3 REPLIES
Silver

Re: CS-MARS Deployment

This is a very good question. What we need is an Events Per Second calculator that is specific to Cisco equipment.

If you check the Cisco specifications you find that a MARS 50 supports up to 1000 events per second or up to 30,000 NetFlow events per second. Here's the link:

http://www.cisco.com/en/US/partner/products/ps6241/prod_bulletin0900aecd8034a028.html

Hope this helps.

Silver

Re: CS-MARS Deployment

Here are all the specifications as per Cisco.

Cisco Security MARS-20-K9 (CS-MARS 20)

Cisco Security MARS 1-RU appliance that supports up to 500 events per second or up to 15,000 NetFlow events per second.

Cisco Security MARS-50-K9 (CS-MARS 50)

Cisco Security MARS 1-RU appliance that supports up to 1000 events per second or up to 30,000 NetFlow events per second.

Cisco Security MARS-100E-K9 (CS-MARS 100e)

Cisco Security MARS 3-RU appliance that supports up to 3000 events per second or up to 75,000 NetFlow events per second.

Cisco Security MARS-100-K9 (CS-MARS 100)

Cisco Security MARS 3-RU appliance that supports up to 5000 events per second or up to 150,000 NetFlow events per second.

Cisco Security MARS-200-K9 (CS-MARS 200)

Cisco Security MARS 4-RU appliance that supports up to 10,000 events per second or up to 300,000 NetFlow events per second.

New Member

Re: CS-MARS Deployment

I think it's important to note that the key words are "up to" so many EPS. It's my experience that once you get up to around 12-15 million events per day, the MARS 50 gets sluggish in the interface. It isn't hard to get to this level, especially when you consider that you are going to set all of your devices to a level of debug for logging. One of the best determinations for logging requirements is internet bandwidth usage - this typically directly correlates to the amount of logs that your firewalls / IDS systems will produce. These devices are typically the big hitters. Other things to consider: will you be enabling NetFlow, and are you going to also add servers and applications? These things can add considerable amounts of data.

Hope this helps,

Dan
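Added example, not part of the thread and not Cisco code: a small events-per-second profiler that measures average and peak EPS from captured syslog lines and sets them against the ratings and the 12-15 million events/day observation quoted above. It assumes RFC 3164-style timestamps; the `year` parameter, the `headroom` factor of 2.0 (taken from the question's "it can be double"), the host name `fw1` and the sample lines are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Rated "up to" events per second, as quoted from Cisco's specifications in this thread.
RATED_EPS = {"CS-MARS 20": 500, "CS-MARS 50": 1000, "CS-MARS 100e": 3000,
             "CS-MARS 100": 5000, "CS-MARS 200": 10000}
# Lower bound of the 12-15 million events/day range at which the MARS 50 interface
# was reported as sluggish in the last reply.
SLUGGISH_EVENTS_PER_DAY = 12_000_000

def eps_profile(lines, year=2024):
    """Bucket syslog lines per second; return (avg_eps, peak_eps, events_per_day)."""
    per_second = Counter()
    for line in lines:
        try:
            # First 15 characters are the timestamp, e.g. "Mar  4 10:15:01" (no year),
            # so an assumed year is supplied only to make the value parseable.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # skip lines without a parseable timestamp
        per_second[ts] += 1
    if not per_second:
        return 0.0, 0, 0
    window = (max(per_second) - min(per_second)).total_seconds() + 1
    avg = sum(per_second.values()) / window
    return avg, max(per_second.values()), int(avg * 86400)

def assess(lines, headroom=2.0):
    """Models whose rating covers peak * headroom, plus the daily-volume flag."""
    avg, peak, per_day = eps_profile(lines)
    fits = [m for m, eps in RATED_EPS.items() if eps >= peak * headroom]
    return {"avg_eps": avg, "peak_eps": peak, "events_per_day": per_day,
            "models_covering_peak": fits,
            "in_reported_sluggish_range": per_day >= SLUGGISH_EVENTS_PER_DAY}

# Constructed sample: three seconds of traffic from a hypothetical host "fw1",
# with a burst in the middle second and one malformed line.
SAMPLE = (
    [f"Mar  4 10:15:01 fw1 constructed event {i}" for i in range(100)]
    + [f"Mar  4 10:15:02 fw1 constructed event {i}" for i in range(250)]
    + [f"Mar  4 10:15:03 fw1 constructed event {i}" for i in range(100)]
    + ["malformed line without a timestamp"]
)

if __name__ == "__main__":
    for key, value in assess(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the average of 150 EPS sits far below every rated figure, yet the daily projection already falls inside the 12-15 million range. For real sizing, feed it a capture that spans a representative full day rather than a few seconds.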
