Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
315
Views
0
Helpful
2
Replies

MARS - Organizational Scope

cyee
Level 1
Level 1

‎10-24-2005 05:31 PM - edited ‎03-09-2019 12:49 PM

I'm involved in planning a potential MARS implementation. I have many questions, but will only pose one here:

Is a single MARS capable of monitoring an organization with multiple business units and managing them separately? E.g.; Holding company -> Subsidiary A, B, C, etc.

Alarms, mitigation, and reports for "A" would go to their IT team, ... etc. Consolidated report would go only to holding company.

... or does one MARS need to go into each subsidiary (with subsequent aggregation to large MARS).

TIA

Labels:
0 Helpful
2 Replies 2

ssverma
Level 1
Level 1

‎10-31-2005 10:43 AM

Hi,

As per my understanding, you will not be able to create different BU in MARS. Hence the question of managing them differently is not possible on a single box.

The only way this can be acheived is to have multiple MARS boxes for each BU and each defined as a separate ZONE (as per MARS) for management.

And to manage these multiple boxes you would need a Global Controller box.

Reports for individual teams, well its possible to get that thing configured in MAR so that the corresponding report is e-mailed to that group.

Sachin

0 Helpful

jerrod-howard
Level 1
Level 1
In response to ssverma

‎11-01-2005 07:36 AM

It would depends on how many devices you have. As a comparison, so you have some numbers, we have:

~80 Cisco 4235 IDS sensors

~70 Pix 525/535 Firewalls (11 clusters in Europe)

~3 Checkpoint Firewalls

~12 Cisco 3000 VPN Concentrators

All of these are spread across two PN-200 appliances. We have approximately 15 environments spread across these two boxes. The way we handle reporting and alerting for these environments is create reports that run daily, weekly, and monthly, analyzing only those devices tied to those environments. For example, we have:

Internation Web Page and Reservation (3 centers)

2 Firewalls, 5 IDS sensors per center

Employee Internet Access (2 domestic)

1 Checkpoint, 2 IDS sensors for each center

Business Partners (2 centers)

2 525's, 4 IDS for each center

SMTP/Mail (2 centers)

2 525s and 4 IDS for each center

Etc. Since we've logically separated the environments by hardware, we just make the reports with the pertinent hardware for each environment, and generate reports for those environments. it works just fine (albeit with everything we have, the PN-200's are both pretty slow when doing anything else).

If you have shared infrastructures across the same hardware appliances/devices, it may be tougher to accomplish. However, those environments should be separated across different networks, and in those reports, you could separate what is reported based on what network ranges you use for each environment.

Mutliple MARS appliances would obviously be better, all pointed at a GC, but for most, that's pretty cost prohibitive, especially considering the cost of the GC alone.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents