
MARS & Netflow

I am going to implement MARS to monitor my network and I want to monitor the internet traffic, but I have some questions:

_Is it enough to configure SNMP & Syslog on all devices to report to MARS, or do I need to send NetFlow traffic also?

_If I need NetFlow, which devices will be the best devices to report NetFlow to MARS?

I have internet router access, distribution and core switches and some security devices.


Scott Fringer
Cisco Employee

Mohammed;

  CS-MARS primarily makes use of syslog, SNMP traps and IPS events for incident generation.  By configuring your various security devices (firewalls, IPS devices, AAA servers, Windows domain controllers, etc.), CS-MARS can effectively inform you of potential security incidents within your network.

  By adding netflow data to the CS-MARS it is now possible for CS-MARS to provide anomaly-based incidents that can alert you to changes in traffic patterns on your network.  In most instances, you do not need netflow being sent from every netflow-capable device in your network.  By configuring devices in locations that have the best "view" into the traffic on your network, the CS-MARS should be able to successfully detect these anomalous changes.  You can read more in the user guide here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgOver.html#wpmkr180414

Scott