Building an enterprise information security system based on solutions from Cisco Systems: Cisco MARS

Cisco MARS Monitoring, Analysis, and Response System

The Cisco Security Monitoring, Analysis, and Response System (MARS) is a hardware-based, end-to-end platform that provides unparalleled capabilities for close monitoring and control of the existing security system. As a key element of the security management lifecycle, Cisco MARS gives IT and network operations staff the ability to detect, manage and mitigate security threats.

Description

  • CS-MARS 25 appliance
  • CS-MARS 25R: 1RU appliance; 75 EPS; 250 GB
  • CS-MARS 55: 1RU appliance; 1,500 EPS; 500 GB; RAID 1; redundant power supply
  • CS-MARS 110R: 2RU appliance; 4,500 EPS; 1,500 GB; RAID 10; redundant power supply
  • CS-MARS 110: 2RU appliance; 7,500 EPS; 1,500 GB; RAID 10; redundant power supply
  • CS-MARS 210: 2RU appliance; 15,000 EPS; 2,000 GB; RAID 10; redundant power supply
  • MARS GC2: 2RU appliance; 2,000 GB; RAID 10; redundant power supply
  • CSMARS-GC2-LIC-K9=: upgrade license for CS-MARS-GC2R to CS-MARS-GC2


Building on existing network and security investments, the system detects and isolates the elements that disrupt normal network operation and gives administrators recommendations for their complete remediation. It also supports security policy compliance and can be included as part of an overall compliance program.

Network and security administrators face many challenges including:

  • the information complexity of the security system and the network;
  • insufficient means of detecting, prioritizing and responding to attacks and failures;
  • the increasing complexity, propagation speed and remediation cost of attacks;
  • the need to meet regulatory compliance and reporting requirements;
  • a shortage of security professionals and budget.

Cisco MARS addresses these challenges through the following steps:

  • integrating intelligence into the network to make the correlation of network anomalies and security events more effective;
  • visualizing confirmed security breaches and automating their investigation;
  • repelling attacks by making full use of the existing network and security infrastructure;
  • monitoring endpoints, the network and security operations to ensure regulatory compliance;
  • delivering an appliance that is scalable, easy to deploy and use, and has the lowest total cost of ownership (TCO).

Cisco MARS transforms the raw data about malicious activity provided by the network and security system into understandable information that can be used to address confirmed security violations and ensure regulatory compliance. A suite of easy-to-use hardware-based threat mitigation tools allows administrators to centrally detect, prioritize, and repel threats with network and security appliances already embedded in the infrastructure.

Cisco is one of the leading manufacturers of information security products. This article aims to show examples of using the Cisco Security Agent, Cisco NAC Appliance, and Cisco MARS products to provide internal information security for a company. These products are integrated with each other and allow you to build an easily manageable and reliable system.

The information security department of a modern company faces a wide range of tasks: maintaining the company's secure communication channels, supporting the user access control subsystem, providing antivirus protection, fighting spam, controlling information leaks, monitoring information security events on the network, and other equally important duties.

There are a huge number of products on the information security market that solve these tasks in one way or another. In our opinion, the most sensible approach is to build highly integrated protection systems that can adapt most flexibly to the specific processes of the company.

Introduction

Any information security system is built on the basis of an assumed threat model. When planning a security system, two categories of threats need to be considered: external and internal.

External threats are easier to model, since the company has complete information about which services are exposed to the outside and which software and hardware connect those services to the Internet.

Countering insider threats is much harder, because the users working in a company have different levels of access and build different relationships within the company.

To ensure protection, it is necessary to approach it comprehensively, and not be limited only to technical means. Competent work of the information security service, as well as a well-thought-out administrative policy of the company, will help to achieve maximum results.

Administrative policy is built on the foundation of information security policy. The organization should have a policy on the protection of confidential information and related instructions. These documents should define the rules and criteria for categorizing information resources according to the degree of confidentiality, labeling rules and rules for handling confidential information. Rules for granting access to information resources should be defined, appropriate procedures and control mechanisms should be introduced, including authorization and access audit.

These administrative measures make it possible to deal with the most numerous class of threats, inadvertent disclosure of confidential information, but they are clearly not enough against intruders; for that, special software and hardware are needed.

End Host Security - Cisco Security Agent

The Cisco Security Agent (CSA) solution is an end-host security system that, in conjunction with other systems, allows you to solve more complex and broad tasks.

CSA protects both servers and desktops. Cisco Security Agent goes beyond typical endpoint security solutions by combining protection against targeted attacks, spyware and stealth remote-control software, antivirus protection, protection against information leaks and many other kinds of security breaches in a single software tool on the host.

The Cisco Security Agent is a system that uses agent applications to apply information security policies configured on a central server.

CSA combines protection against "zero-day" attacks, ClamAV antivirus, firewall, file and application protection module, "untrusted" applications module and other functions.

The Cisco Security Agent provides a number of valuable features, including the following:

  • monitoring the compliance of the state of network objects with the requirements of the security policy;
  • preventive protection against targeted attacks;
  • control of USB, CD-ROM, PCMCIA, etc.;
  • creation of a closed software environment;
  • the ability to detect and isolate malware for covert remote control;
  • host intrusion prevention, a personal firewall and protection against previously unseen attacks;
  • information leakage control;
  • control and prevention of booting from unauthorized media;
  • optimization of Wi-Fi bandwidth usage;
  • ensuring the availability of critical client-server applications and the possibility of transactions;
  • network traffic marking;
  • integration with intrusion prevention systems (Cisco IPS);
  • integration with network access control system (Cisco NAC);
  • integration with security management system (Cisco MARS).

The architecture of the Cisco Security Agent system is shown in Figure 1. Agents interact with the management server and receive policy and software updates from it.

Figure 1: CSA System Architecture

End hosts are combined into groups for which information security policies are applied. Policies are sets of rule modules (see Figure 2).

Figure 2: Policies, modules, rules in the CSA architecture

Cisco Security Agent controls user actions while the host is connected to the data network and the management server is reachable. A special set of states is also supported, such as the management center being unreachable, in which dedicated access policies are enforced on the machines.

The second information security system is the system for controlling access to the data transmission network.

Network Access Control - Cisco Network Admission Control (NAC)

The Cisco NAC Appliance (formerly Cisco Clean Access) is a solution designed to automatically detect, isolate, and disinfect infected, vulnerable, or non-compliant hosts accessing corporate resources through wired or wireless access.

Being one of the components of Network Admission Control technology, Clean Access is implemented either as a network module for Cisco ISRs (for networks with less than 100 controlled devices) or as a separate device.

Key features of the Cisco NAC solution are:

  • independence from the network equipment manufacturer (in in-band mode);
  • integration with Kerberos, LDAP, RADIUS, Active Directory, S/Ident and other authentication methods;
  • support for Windows (including Vista), MacOS, Linux, Xbox, PlayStation 2, PDAs, printers, IP phones, etc.;
  • support for CA, F-Secure, Eset, Kaspersky Lab, McAfee, Panda, Dr.Web, Sophos, Symantec, TrendMicro antiviruses and other computer protection tools (250 manufacturers in total);
  • Quarantine an inappropriate host by applying ACLs or VLANs;
  • creation of a "white" list of nodes to speed up their access to network resources;
  • automatic installation of missing updates, new versions of protection tools or updating of outdated anti-virus databases;
  • centralized web-management;
  • Russian language support;
  • conducting a transparent audit.

Cisco NAC Appliance Architecture and Operation

Cisco NAC is an internal security appliance that leverages the network infrastructure by enforcing security policies and restricting network access to devices that do not comply with security policies.

The main functional components of the solution are the Clean Access Server (CAS) and Clean Access Manager (CAM). CAM is responsible for configuring security policies, while CAS is responsible for implementing them.

The hardware can be installed in a failover configuration that performs an Active/Standby Failover.

Figure 3 shows the state in which the user sits in a dedicated authentication VLAN, from which only the DHCP service and other resources permitted by the policies configured on the CAM are reachable.

Figure 3: No network access

After the user has passed the check for compliance with the information security policies, the user is admitted to the network by assigning the switch port to the appropriate VLAN (Figure 4).

Users can authenticate either with a dedicated agent, the Cisco Clean Access Agent, which also collects the information for the checks, or through web authentication.

Figure 4: Cisco NAC - Network Access Allowed

The logic of the system is made up of components - checks, rules and requirements that apply to each specific user role.

For example, you can create several roles that correspond to departments of the company and for each role set certain requirements, the fulfillment of which becomes a prerequisite for access to the corporate environment.

Figure 5: Cisco NAC - System operation logic

Various verification options are available. You can check the presence of a running application on the PC, the installation of the necessary "patches" for the operating system, the version of anti-virus databases and other checks.

The information security system implies the mandatory presence of a monitoring system for events occurring in the network. For these purposes, it is supposed to use the product Cisco Security Monitoring, Analysis and Response System (Cisco MARS).

Cisco Security Monitoring, Analysis and Response System (MARS)

Modern enterprises are constantly faced with the problems associated with ensuring information security.

The complexity of the network infrastructure drives up the number of protection tools: separate firewalls, routers with security features in software, switches, various IPS, IDS and HIPS systems, as well as antivirus systems, mail proxies, web proxies and similar systems.

A large number of protections gives rise to management problems, as the number of control points increases, the number of recorded events increases and, as a result, the time required for decision making increases (see Figure 6).

Figure 6: Decision process for attack prevention

In this regard, for the enterprise there is a need for a higher-level system capable of assessing the existing level of information security by registering and correlating events received by the system.

The Cisco MARS Monitoring and Response System provides these functions.

Key Features of Cisco MARS

Cisco MARS is a server-based hardware and software solution. The system software is based on the Linux operating system (kernel 2.6). The main component of the system is the Oracle database used to store information.

Cisco MARS has the ability to collect information from various devices using the Syslog, SNMP, NetFlow protocols, and also has the ability to receive system log files.

MARS supports equipment from various vendors such as Cisco, IBM, Check Point, Nokia, Symantec, McAfee, Netscape and others.

The logic of Cisco MARS is built on queries against its database. A query selects events and narrows them by source IP address, destination IP address, ports, event type, reporting device, keywords, and so on.

Rules are built on top of such queries and are grouped in the system. The Cisco MARS database ships with more than 2,000 rules, and you can create your own, adapting the system to the specific threats you expect.

Once a rule is saved and events arrive that satisfy it, an incident is created.

Considering the work of Cisco MARS, we can offer a specific example of performing an attack on a host (see Figure 7).

Figure 7: Performing an attack on a host

A test bench was assembled containing Cisco MARS, several switches and a laptop with Cisco Security Agent installed. To emulate an attack, the host's services were scanned with the Nmap utility.

The events look like this:

  • Cisco Security Agent detected the port scan;
  • the information reached the Cisco Security Agent Management Center, which in turn forwarded a message to MARS;
  • MARS parsed the message and normalized it into the single form used by the MARS database;
  • MARS performed session correlation;
  • the event was checked against the rules configured on MARS for logging information security incidents;
  • the result was checked for false positives;
  • an incident was generated and the information was displayed to the administrator.
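The processing chain listed above, as an added example in Python (not Cisco MARS code): two message formats are normalized into one schema, grouped into sessions by source address, matched against rules in order of specificity, checked against a list of authorized scanners as a stand-in for MARS's false-positive analysis, and turned into incident records. The message formats, the trailing ts= field, the 300 s session gap, the rules and the scanner list are assumptions made for the example, and the log lines are constructed.

```python
"""Toy event-correlation pipeline: normalize heterogeneous messages, group them
into sessions, match rules and raise incidents. Added example, not MARS code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: CSA Management Center forwards and PIX-style denies.
# The trailing ts= field is a simplification; real syslog carries a timestamp header.
RAW_MESSAGES = [
    "csamc: host=10.1.1.50 event=port_scan src=10.1.1.77 dst=10.1.1.50 ts=1000",
    "%PIX-4-106023: Deny tcp src inside:10.1.1.77/44123 dst dmz:10.1.2.10/445 ts=1010",
    "%PIX-4-106023: Deny tcp src inside:10.1.1.77/44124 dst dmz:10.1.2.10/139 ts=1012",
    "csamc: host=10.1.1.60 event=port_scan src=10.1.1.9 dst=10.1.1.60 ts=1100",
    "%PIX-4-106023: Deny tcp src outside:203.0.113.5/5555 dst dmz:10.1.2.10/22 ts=1200",
]

AUTHORIZED_SCANNERS = {"10.1.1.9"}  # assumption: the in-house vulnerability scanner
SESSION_GAP = 300                   # assumption: idle seconds that close a session


@dataclass
class Event:
    device: str          # which system reported it
    kind: str            # vendor-neutral event type
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]
    ts: int


CSA_RE = re.compile(r"csamc: host=\S+ event=(\w+) src=(\S+) dst=(\S+) ts=(\d+)")
PIX_RE = re.compile(r"%PIX-4-106023: Deny \w+ src \w+:(\S+)/\d+ dst \w+:(\S+)/(\d+) ts=(\d+)")


def normalize(raw: str) -> Optional[Event]:
    """Parse one raw message into the common schema; unknown formats are dropped."""
    m = CSA_RE.search(raw)
    if m:
        return Event("csa-mc", m.group(1), m.group(2), m.group(3), None, int(m.group(4)))
    m = PIX_RE.search(raw)
    if m:
        return Event("pix", "firewall_deny", m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
    return None


def sessionize(events: List[Event]) -> List[List[Event]]:
    """Session correlation: events from one source IP within SESSION_GAP form a session."""
    by_src = {}
    for ev in sorted(events, key=lambda e: e.ts):
        sessions = by_src.setdefault(ev.src_ip, [])
        if sessions and ev.ts - sessions[-1][-1].ts <= SESSION_GAP:
            sessions[-1].append(ev)
        else:
            sessions.append([ev])
    return [s for sess in by_src.values() for s in sess]


def rule_scan_then_deny(session):
    """A CSA port-scan report followed within 60 s by two or more firewall denies."""
    for scan in (e for e in session if e.kind == "port_scan"):
        denies = [e for e in session if e.kind == "firewall_deny" and 0 <= e.ts - scan.ts <= 60]
        if len(denies) >= 2:
            return "Scan followed by firewall denies", "high"
    return None


def rule_port_scan(session):
    """Any port scan reported by an endpoint agent."""
    if any(e.kind == "port_scan" for e in session):
        return "Host port scan", "medium"
    return None


RULES = [rule_scan_then_deny, rule_port_scan]  # most specific first; first hit wins


def is_false_positive(session: List[Event]) -> bool:
    """Simplified false-positive check: scans from authorized scanners are expected."""
    return session[0].src_ip in AUTHORIZED_SCANNERS


def run_pipeline(raw_messages) -> Tuple[list, list]:
    """Return (incidents, suppressed); each entry is an incident record."""
    events = [e for e in map(normalize, raw_messages) if e is not None]
    incidents, suppressed = [], []
    for session in sessionize(events):
        for rule in RULES:
            hit = rule(session)
            if hit:
                record = {"rule": hit[0], "severity": hit[1], "src_ip": session[0].src_ip,
                          "targets": sorted({e.dst_ip for e in session}), "events": len(session)}
                (suppressed if is_false_positive(session) else incidents).append(record)
                break
    return incidents, suppressed


if __name__ == "__main__":
    raised, dropped = run_pipeline(RAW_MESSAGES)
    for inc in raised:
        print("INCIDENT", inc)
    for inc in dropped:
        print("false positive", inc)
```

Running it yields one high-severity incident for 10.1.1.77 (the scan plus the two denies it triggered) and one suppressed hit for the authorized scanner; the lone deny from 203.0.113.5 matches no rule and is kept only as an event. Real MARS does not use a static whitelist for false positives but checks whether the target is actually exposed to the reported attack; the whitelist stands in for that step here.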

The Cisco MARS home page reports that a security incident has occurred on the network (see Figure 8) and shows the attack propagation path (see Figure 9).

Figure 8: Display of information about the attack in the Cisco MARS panel

Figure 9: Attack propagation path in the Cisco MARS panel

Clicking the "Toggle Topology" button switches to the real network topology with the attack propagation path overlaid on it (see Figure 10).

Figure 10: Network topology with the attack propagation path in the Cisco MARS panel

As a response to the incident, Cisco MARS offers several mitigation options, each tied to a specific network device on the path (see Figure 11):

Figure 11: Attack prevention response

Cisco MARS also has a flexible reporting system that allows you to get detailed data on all registered events. This makes it possible to implement the principle of improving protection (see Figure 12).

Figure 12: The principle of improving protection

Example of a complete solution

Consider a comprehensive solution based on the above products for the central office of the company K.

Company K's head office has 100 employees in three departments. Microsoft Active Directory is used to control user access.

It is necessary to solve the following tasks:

  • ensure the implementation of information security policies created for employees of each department;
  • have up-to-date information about software running on specific hosts;
  • be able to control access to external systems for hosts outside the corporate environment;
  • provide access to the network based on the specified information security policies;
  • ensure that the specified checks are performed for the host based on the user's domain account;
  • provide monitoring of events occurring in the network, as well as the collection of information using the NetFlow protocol.

Configuring Cisco Security Agent Policies

First, we define the access rights for each user group. In accordance with these access rules, domain access rights and filtering rules are configured on active network equipment.

You can also create network access rules with Cisco Security Agent, but such rules are rather special-purpose; for example, you can deny a particular user access to a particular resource (by IP address or TCP/IP port). In this example, no network rules are created in CSA.

First of all, a policy is created for all user groups in the CSA that makes it impossible to disable the agent application. This policy applies to all users, including local administrators.

Then a process is launched that collects information about the software installed on computers - a process called Application Deployment Investigation. As a result, we get a report (see Figure 13).

Figure 13: Installed Applications Report Using Cisco security agent

In the future, we can classify these applications, for example, by highlighting office applications, ICQ clients, P2P applications, mail applications, and so on from the total number. Also, using CSA, it is possible to analyze the behavior of a particular application for further creation of information security policies.

For all users of the head office, common rules are created for all identified applications. Implementation is carried out in stages - first, the information security policy is implemented in audit mode, which allows you to control all events, but not affect the current actions of users. In the future, the finalized policy is translated into operational mode.

In addition to the static classification of applications, CSA provides for dynamic classification - the method of dynamic classes. For example, the Microsoft Word application can be classified into two classes of applications - local and network, and depending on this, different security policies can be applied to it (see Figure 14).

Figure 14: Dynamic classes for classifying applications

For anti-virus protection, CSA has a built-in ClamAV anti-virus module. If you have an antivirus, this module can be disabled.

Information leakage control

To prevent leaks of confidential information, CSA provides a special module called Data Loss Prevention.

When this module is activated, the CSA agent scans files for sensitive content. The classification is defined manually using templates, called scanning tags (see Figure 15). Scanning can run in the background as well as when files are opened or closed.

Figure 15: Classification of sensitive information

After the classification has been completed, it is necessary to create and apply information security policies for applications that work with these files. It is necessary to control access to these files, printing, transfer to external media, copying to the clipboard and other events. All this can be done using standard templates and rules that are preinstalled in the Cisco Security Agent.

Configuring Cisco NAC (Clean Access)

Starting to configure Cisco NAC, you need to clearly understand the logic of this system for each specific user group.

For Company K it is planned that every user first lands in a single authentication VLAN (VLAN 110 in Figure 16). In this VLAN the user is authenticated and checked for compliance with the information security policies. Access from this VLAN to corporate resources is restricted: at Layer 2 the only reachable device is the Clean Access Server. At the same time, DHCP hands users addresses from their working VLANs, so no new address has to be obtained after the move.

Figure 16: Authentication VLAN

In case of successful verification, the user is transferred to the “working” VLAN (Vlan 10 in Figure 17). This VLAN number is assigned according to the Organizational Unit (OU) to which this user belongs in Active Directory. This functionality is made possible through the use of user roles in the NAC system.

Figure 17: Transferring a user to a "working" VLAN

All Company K users are required to have the latest critical Windows updates installed and the Cisco Security Agent running.

Consider how you can check the status of the Cisco Security Agent on users' personal computers:

  • a new check is created (see Figure 18);
  • then a rule is created (see figure 19);
  • a requirement is created (see Figure 20);
  • this requirement ultimately applies to the user role.

Figure 18: Creating a New Cisco Security Agent Status Check

Figure 19: Creating a Rule for a New Cisco Security Agent Status Check

Figure 20: Creating Requirements for the New Cisco Security Agent Status Check

As a result of the configuration performed for all users of the HR group, in order to access network resources, the condition for the operation of the Cisco Security Agent must be met.

With the help of Cisco NAC, it is possible to check the relevance of anti-virus databases, the status of services on end hosts, and other important things.

Each configuration option is individual, but at the same time, the system initially has a rich set of requirements that contribute to its rapid deployment.

Configuring Cisco MARS

Cisco Security Agent and Cisco NAC have a rich reporting system, but for the ability to correlate events, as well as the ability to collect information about events from various devices, it is proposed to use the Cisco MARS system.

As basic settings for the Cisco MARS system, you can specify adding devices to the system (firewalls, IPS, IDS, anti-virus systems, mail systems, etc.), configuring NetFlow export to the MARS server, and configuring users.

MARS already has a large number of predefined rules (see Figure 21), which allows you to quickly put the system into operation and receive up-to-date information about the state of information security.

Figure 21: Predefined rules with Cisco MARS

For deeper customization, it is required, in accordance with predictable threat models, to create your own rules that will analyze incoming information.

If all the conditions specified in a rule are met, an incident is created and shown on the main system panel. An e-mail notification can also be sent to the staff responsible for Cisco MARS.

In this way, Cisco MARS ensures that the raw network and security information about malicious activity is translated into understandable information that is used to remediate security breaches using equipment already on the network.

Conclusion

The considered complex system solves a wide range of tasks, allowing administrators to identify and eliminate violations of company security policies as soon as possible.

The products used in this article are complete systems and can work independently of each other, but combining them is the strategy of a self-defending network able to withstand the latest (zero-day) threats.

Zabiyakin Igor
Lead Engineer, NTS Ltd. (NTS Ltd.)

If you are interested in implementing information security products from Cisco Systems, then you can contact NTS representatives.

The CISCO MARS software and hardware complex is designed to manage security threats. The sources of information about them can be: network equipment (routers and switches), protection tools (firewalls, antiviruses, intrusion detection systems and security scanners), OS logs (Solaris, Windows NT, 2000, 2003, Linux) and applications (DBMS, web, etc.), as well as network traffic (for example, Cisco Netflow). Cisco MARS supports solutions from various vendors - Cisco, ISS, Check Point, Symantec, NetScreen, Extreme, Snort, McAfee, eEye, Oracle, Microsoft, etc.

The ContextCorrelation™ mechanism analyzes and compares events from heterogeneous security tools. Their visualization on the network map in real time is provided by the SureVector™ mechanism; together these mechanisms display the attack propagation path in real time. Automatic blocking of detected attacks is provided by the AutoMitigate™ mechanism, which reconfigures security tools and network equipment.

Key features

  • Processing of up to 10,000 events per second and over 300,000 NetFlow events per second
  • Ability to create your own correlation rules
  • Notification of detected problems by e-mail, SNMP, via syslog and pager
  • Visualization of an attack at the data link and network layers
  • Support for Syslog, SNMP, RDEP, SDEE, Netflow, system and user logs as information sources
  • Ability to connect your own protection tools for analysis
  • Effective rejection of false positives and noise, as well as detection of attacks missed by individual protection tools
  • Anomaly Detection with NetFlow Protocol
  • Create and automatically update a network map, including import from CiscoWorks and other network management systems
  • Support IOS 802.1x, NAC (Phase 2)
  • Monitoring of switch protection mechanisms (Dynamic ARP Inspection, IP Source Guard, etc.)
  • Integration with Cisco Security Manager (CSM policy lookup)
  • Integration with incident management systems using
  • RADIUS Server Authentication
  • Monitoring the Health of Cisco MARS Components
  • Syslog forwarding
  • Dynamic recognition of new attack signatures on Cisco IPS and uploading them to Cisco MARS
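An added example in Python (not Cisco MARS code) of what collecting NetFlow and detecting anomalies on it involves: it packs a constructed NetFlow v5 export datagram using the standard 24-byte header and 48-byte record layout, parses and validates it, and flags a source that opens many single-packet SYN flows to distinct ports of one host. The scan heuristic and its thresholds are assumptions for the example, not the algorithm MARS uses.

```python
"""Parse NetFlow v5 export datagrams and flag port-scan-like flow patterns.
Added example, not Cisco MARS code; the record layout is the standard v5 format."""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes: version, count, uptime, ...
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow record
TCP, SYN = 6, 0x02


def build_v5_packet(flows, seq=0):
    """Pack (src, dst, sport, dport, proto, pkts, octets) tuples into one export datagram.
    Used only to construct test input; in practice a router is the exporter."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                       1, 2, pkts, octets, 0, 0, sp, dp, 0, SYN, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, pkts, octets in flows)
    return header + body


def parse_v5_packet(data):
    """Validate the header and length, then return one dict per flow record."""
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "octets": f[6], "sport": f[9], "dport": f[10],
            "flags": f[12], "proto": f[13], "seq": seq,
        })
    return records


def is_well_formed(data):
    """True if the datagram parses as NetFlow v5."""
    try:
        parse_v5_packet(data)
        return True
    except ValueError:
        return False


def detect_port_scans(records, min_ports=20, max_packets=2):
    """Anomaly heuristic (assumption, not MARS's algorithm): a source that opens
    many tiny SYN-only TCP flows to distinct ports of one host is scanning it."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == TCP and r["flags"] & SYN and r["packets"] <= max_packets:
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {"%s->%s" % k: len(p) for k, p in ports.items() if len(p) >= min_ports}


# Constructed sample export: one scanner sweeping 25 ports plus ordinary traffic.
SAMPLE_FLOWS = [("10.1.1.77", "10.1.2.10", 40000 + p, p, TCP, 1, 60) for p in range(1, 26)]
SAMPLE_FLOWS += [
    ("10.1.1.20", "10.1.2.10", 51000, 443, TCP, 120, 90000),  # normal HTTPS session
    ("10.1.1.21", "10.1.2.10", 51001, 80, TCP, 30, 12000),    # normal HTTP session
    ("10.1.1.21", "10.1.2.10", 51002, 445, TCP, 1, 60),       # single failed connect
]


if __name__ == "__main__":
    datagram = build_v5_packet(SAMPLE_FLOWS, seq=1)
    flows = parse_v5_packet(datagram)
    print(len(datagram), "bytes,", len(flows), "flow records")
    print(detect_port_scans(flows))
```

The length check matters in practice: exporters send up to 30 records per datagram, and a truncated or version-9 datagram fed to a v5 parser silently yields garbage addresses unless the header is validated first.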

CiscoWorks Security Information Management Solution (SIMS)

We present a description of the network monitoring system, data collection, processing and management of network devices.

CiscoWorks Security Information Management Solution (SIMS) is a system for management, monitoring and statistics collection whose architecture is built as a multi-level model (Fig. 1), which allows the system to be grown in stages as the enterprise network infrastructure grows.
SIMS is the core: a single point where all incidents in the network are collected, classified and continuously monitored.

Main tasks of SIMS:

  • monitoring;
  • collection of data received from firewalls, intrusion detection devices, antivirus software, operating systems and applications;
  • data analysis and processing;
  • presentation of the final result in a graphical form - reports and diagrams;

SIMS allows you to obtain data on possible security violations not only of a single device, such as IDS, but of the network as a whole, and this makes it possible to see the strengths / weaknesses in the organization of network security.
SIMS is designed for networks of large enterprises and Internet providers with 30 to several thousand nodes in the network, it can work together with systems such as HP Openview and Micromuse. Also, when network intrusions are detected, SIMS can create incidents with a description of the problem and send them to the corporate network technical support service.

The central component of the system is the kernel. It is a rapid response system that is a distributed application. SIMS allows you to receive notifications of violations of security policies anywhere in the corporate network, generates reports and provides access to them from any application that supports the web interface.

The principle of operation of SIMS technology can be divided into 4 parts:

1. Standardization.

Data from various network devices is collected by agents (Fig. 2), which process events, group them (up to 20 thousand distinct event types are recognized), convert them to a single representation (IDMEF) and send them over TCP to the server running the main application (the SIMS core) for processing.

2. Association.

The SIMS core distributes the received data into 9 groups (Fig. 3) depending on the degree of importance from the point of view of safety. In large networks, due to the scalability of the system, several of these servers can be used to provide distributed processing.

3. Analysis of the received data.
The system analyzes and processes the received data. At this stage of the system operation, you can set the settings for templates, security policies and differentiation of protection levels for different sections of the network.

4.Visualization.

At the fourth and last stage, SIMS presents the result of its work in a convenient graphical form (Fig. 4). The system allows you to create various graphs, tables and charts for visual presentation of data. Using the parameters stored in the system database, it is possible to conduct a comparative analysis both by individual criteria and the system as a whole.
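The standardization step converts device events to IDMEF. As an added example (not SIMS code), the Python below serializes one normalized event into the minimal Alert structure of RFC 4765 (Analyzer, CreateTime, Source, Target with Service, Classification) and parses it back namespace-aware; the sensor name, message id and event are constructed.

```python
"""Build and parse IDMEF alerts (RFC 4765), the common format that SIMS agents
normalize device events into. Added example; the element subset shown is the
minimal Alert structure of the RFC, not SIMS code."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IDMEF_NS = "http://iana.org/idmef"
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01, for the ntpstamp attribute


def ntpstamp(unix_ts: int) -> str:
    """RFC 4765 ntpstamp: 32-bit NTP seconds and fraction as two hex words."""
    return "0x%08x.0x%08x" % ((unix_ts + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, 0)


def build_alert(message_id, analyzer_id, unix_ts, src_ip, dst_ip, dst_port, proto, classification):
    """Serialize one normalized event as an IDMEF-Message/Alert document."""
    root = ET.Element("IDMEF-Message", {"version": "1.0", "xmlns": IDMEF_NS})
    alert = ET.SubElement(root, "Alert", {"messageid": message_id})
    analyzer = ET.SubElement(alert, "Analyzer", {"analyzerid": analyzer_id})
    ET.SubElement(ET.SubElement(analyzer, "Node"), "name").text = analyzer_id
    created = ET.SubElement(alert, "CreateTime", {"ntpstamp": ntpstamp(unix_ts)})
    created.text = datetime.fromtimestamp(unix_ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Source and Target each carry a Node with an IPv4 address; Target also names the service.
    for role, ip in (("Source", src_ip), ("Target", dst_ip)):
        node = ET.SubElement(ET.SubElement(alert, role), "Node")
        ET.SubElement(ET.SubElement(node, "Address", {"category": "ipv4-addr"}), "address").text = ip
    service = ET.SubElement(alert.find("Target"), "Service")
    ET.SubElement(service, "port").text = str(dst_port)
    ET.SubElement(service, "protocol").text = proto
    ET.SubElement(alert, "Classification", {"text": classification})
    return ET.tostring(root, encoding="unicode")


def parse_alert(xml_text):
    """Read the fields back from an IDMEF document (namespace-aware)."""
    ns = {"i": IDMEF_NS}
    alert = ET.fromstring(xml_text).find("i:Alert", ns)
    if alert is None:
        raise ValueError("no IDMEF Alert element")

    def address(role):
        return alert.findtext("i:%s/i:Node/i:Address/i:address" % role, namespaces=ns)

    return {
        "messageid": alert.get("messageid"),
        "analyzer": alert.find("i:Analyzer", ns).get("analyzerid"),
        "time": alert.findtext("i:CreateTime", namespaces=ns),
        "src": address("Source"),
        "dst": address("Target"),
        "port": int(alert.findtext("i:Target/i:Service/i:port", namespaces=ns)),
        "proto": alert.findtext("i:Target/i:Service/i:protocol", namespaces=ns),
        "classification": alert.find("i:Classification", ns).get("text"),
    }


# Constructed example event: a DMZ sensor reporting a denied SSH connection.
SAMPLE_ALERT = build_alert("sensor1-000001", "dmz-ids-1", 1700000000,
                           "203.0.113.5", "10.1.2.10", 22, "tcp",
                           "SSH connection to DMZ host denied")

if __name__ == "__main__":
    print(SAMPLE_ALERT)
    print(parse_alert(SAMPLE_ALERT))
```

Agents from different vendors fill the same Source, Target and Classification elements, which is what lets the SIMS core group and compare events it did not generate itself; the ntpstamp attribute is what keeps the ordering consistent when agents' local clocks and time zones differ.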

Product advantages:

  • Scalability
  • Distributed architecture
  • Integration with Openview and Micromuse

SIMS can be purchased as standalone software and installed on a server, or already installed on a high-performance server platform.

Table 1. Ordering information for SIMS 3.1 solution with hardware platform.

Table 2. Ordering information SIMS 3.1 (software only)

Product number: description
  • CWSIM-3.1-SS-K9: SIMS 3.1 base configuration for Solaris OS; includes a license to monitor up to 30 network devices, one main data-processing server, one additional server for distributed processing and one database server.
  • CWSIM-3.1-SL-K9: SIMS 3.1 base configuration for Linux OS; includes a license to monitor up to 30 network devices, one main data-processing server, one additional server for distributed processing and one database server.
  • CWSIM-3.1-DS-K9: additional storage server license for an existing CiscoWorks SIMS 3.1 installation on Solaris.
  • CWSIM-3.1-DL-K9: additional storage server license for an existing CiscoWorks SIMS 3.1 installation on Linux.
  • CWSIM-3.1-ADD20-K9: license to add 20 agents to a running CiscoWorks SIMS 3.1 installation on Solaris or Linux.
  • CWSIM-3.1-MON30-K9: Cisco Secure Agent SIM 3.1 license to monitor 30 servers / 300 workstations.
  • CWSIM-3.1-MON75-K9: Cisco Secure Agent SIM 3.1 license to monitor 75 servers / 750 workstations.
  • CWSIM-3.1-EN-K9: license to add a distributed processing server running Solaris or Linux.
  • CWSIM-3.1-20LND-K9: monitoring license for up to 20 low-end devices and server operating systems.
  • CWSIM-3.1-100LNDK9: monitoring license for up to 100 low-end devices and server operating systems.
  • CWSIM-3.1-500LNDK9: monitoring license for up to 500 low-end devices and server operating systems.

Table 3 Minimum requirements for installing SIMS 3.1 software.

Hardware requirements
  • CPU (Linux): dual Intel Pentium 4 1.5 GHz (server class)
  • CPU (Solaris): dual UltraSPARC-IIi 444 MHz (server class)
  • RAM: 4 GB
  • Free disk space: 18 GB
  • Storage device: CD-ROM

Additional information can be found on the Cisco Systems website http://www.cisco.com/go/sims

Cisco Security Monitoring, Analysis and Response System (CS-MARS)

Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a network monitoring system that correlates network security events and enforces policy in order to respond proactively to unauthorized network access and intrusions. The system consists of software installed on a high-performance server.

The main functions of the system:

  • network monitoring;
  • building a network topology map;
  • detection of network attacks and their graphical rendering;
  • studying the settings of network devices;
  • collection, analysis and processing of data received from various network devices;
  • presentation of the final result in the form of graphs, reports and diagrams.

MARS provides a graphical representation of the network infrastructure, drawing the propagation of network attacks in real time (Fig. 1). By analyzing the configurations of routers, switches and firewalls, MARS can trace the source of infection from which unauthorized access is made, even if that source is behind a firewall.

To build the network topology (Fig. 2), MARS uses SNMP to interact with switches (which must support the SNMP STP MIB) and routers (which must support SNMP MIB II); to interact with firewalls and retrieve their configuration, the system uses Telnet, SSH and CPMI.

MARS keeps track of and recognizes events that can be generated by almost all network devices:

  • network devices: Cisco IOS 11.x, 12.2, Catalyst OS 6.x, NetFlow 5.0, 7.0, Extreme Extremeware 6.x;
  • firewalls/VPN: Cisco PIX Firewall 6.x, IOS Firewall, FWSM 1.x, 2.2, Concentrator 4.0, Checkpoint Firewall-1 NGx, VPN-1, NetScreen Firewall 4.0, 5.0, Nokia Firewall;
  • IDS: Cisco NIDS 3.x, 4.x, Network IDS module 3.x, 4.x, Enterasys Dragon NIDS 6.x, ISS RealSecure Network Sensor 6.5, 7.0, Snort NIDS 2.x, McAfee IntruShield NIDS 1.x, NetScreen IDP 2.x, OS 4.x, 5.x, Symantec MANHUNT;
  • antivirus software: Symantec A/V;
  • authentication servers: Cisco ACS;
  • operating systems: Windows NT, 2000, 2003 (with or without agents), Solaris, Linux (requires agent installation);
  • applications: web servers (IIS, iPlanet, Apache), Oracle 9i and 10g audit logs, Network Appliance NetCache.

MARS can process up to 10 thousand events per second. The system is scalable: in large enterprise and Internet provider networks, a two-tier architecture can be built using MARS controllers, to which several MARS servers connect. In this architecture the network is divided into "zones", and each zone is assigned to a specific MARS server.
The MARS system allows you to centrally configure network policies, collect data and create up to 80 different types of standard reports.
MARS can report recorded violations via SNMP or e-mail, send messages to a pager, or log events to syslog.
The MARS system does not require the purchase of agent and/or database licenses.

Product advantages:

  • Scalability
  • Distributed architecture
  • No licensing system

Order Information:

MARS servers (performance in events per second; NetFlow events per second; data storage; form factor; power supply):

  • Cisco Security MARS-20-K9 (PN-MARS 20): 500 events/s; 15,000 NetFlow events/s; 120 GB (non-RAID); 1RU x 16"; 300 W
  • Cisco Security MARS-50-K9 (PN-MARS 50): 1,000 events/s; 30,000 NetFlow events/s; 240 GB RAID 0; 1RU x 25.6"; 300 W
  • Cisco Security MARS-100E-K9 (PN-MARS 100e): 3,000 events/s; 75,000 NetFlow events/s; 3RU x 25.6"; two 500 W supplies (one spare)
  • Cisco Security MARS-100-K9 (PN-MARS 100): 5,000 events/s; 150,000 NetFlow events/s; 750 GB RAID 10 with hot-swap support; 3RU x 25.6"; two 500 W supplies (one spare)
  • Cisco Security MARS-200-K9 (PN-MARS 200): 10,000 events/s; 300,000 NetFlow events/s; 4RU x 25.6"; two 500 W supplies (one spare)

MARS controllers (connected devices; number of connections; data storage; form factor; power supply):

  • Cisco Security MARS-GCMK9 (PN-MARS GCm): MARS 20/50 servers only; up to 5 connections; 1 TB RAID 10 with hot-swap support; 4RU x 25.6"; two 500 W supplies (one spare)
  • Cisco Security MARS-GC-K9 (PN-MARS GC): any MARS servers; currently no restriction on the number of connections; 1 TB RAID 10 with hot-swap support; 4RU x 25.6"; two 500 W supplies (one spare)

The Cisco Security Monitoring, Analysis, and Response System (MARS) is a hardware appliance that provides detailed monitoring and control of an existing security system, as well as detection, management and mitigation of security threats.

Network and security administrators may encounter the following issues:

  • A very large amount of information about the state of the network and system security;
  • Insufficient effectiveness of tools for detecting attacks and failures, assessing their significance and developing response actions;
  • High speed and complexity of attacks, and the high cost of recovery after them;
  • The need to create reports to pass audits and compliance reviews.

Cisco MARS Capabilities

Collection and processing of information

Cisco Security MARS collects and integrates all information about the network topology, network device configuration and security rules, receiving it from network devices and security systems as well as by analyzing network traffic. Agent use is kept to a minimum, so the performance of the network and of the system as a whole is not reduced.

Cisco Security MARS centrally collects log files from routers, switches, firewalls, intrusion detection systems, vulnerability scanners, antivirus applications, servers running Windows, Solaris, Linux operating systems, application programs (for example, web servers, authentication servers), DBMS, as well as traffic processing programs (for example, Cisco NetFlow).

Event correlation and detection

The collected information is ordered according to the network topology, device configuration, source and destination addresses. Based on the information received, related events are grouped into sessions in real time. In accordance with system and administrator-defined rules, Cisco MARS analyzes sessions to identify incidents, failures, and attacks.

Cisco MARS comes with a large set of system rules that are regularly updated and cover the detection of most compound attacks, zero-day attacks, network worms, etc. The administrator can create rules for any application using the graphical interface.

Event correlation and detection structures the information about network and system security, which reduces the amount of information needed for decision making, helps to prioritize response actions, and as a result increases the effectiveness of the measures taken.

Collection and accumulation of large amounts of data

Cisco MARS receives information about a variety of events in the network, then structures the data, and compresses the data for archiving. Processing huge amounts of data is possible thanks to the use of efficient algorithms and a built-in high-performance database, the configuration of which is completely transparent to the administrator.

Cisco MARS supports the NFS network file system and the secure FTP protocol for migrating data to auxiliary archive devices and for restoring the configuration after failures.

Visualization of incidents and mitigation of attacks

Cisco Security MARS can help administrators more quickly and easily identify attacks and outages, validate incidents, and implement remedial actions.

Cisco MARS provides powerful graphical tools with which you can build a network map (including attacked nodes, attack paths), display full information about attacks and incidents. This allows you to quickly take action to repel attacks.

MARS analyzes event sessions to detect and confirm attacks and to collect information about them (down to the MAC addresses of end nodes). This automated process is complemented by analysis of security log files (firewalls, intrusion detection systems, etc.) and by MARS's own false-positive checks.

In addition to the fact that Cisco MARS allows you to get complete information about the attack, the system automatically determines the nodes vulnerable to the attack and generates commands that the user can execute to repel the attack.

Collection of information and reports on compliance in real time

The hallmark of Cisco Security MARS is its easy-to-use tools for structuring network and system security information, which provide automatic detection of system status, incidents and responses both in daily work and for inspections and audits.

Cisco MARS provides the ability to graphically display attacks both in real time and to recreate attack and incident patterns by analyzing past events.

Cisco Security MARS provides reporting capabilities for various purposes: developing disaster recovery plans, analyzing incidents and network activity, and auditing the current state of security; reports can be created as text, tables, graphs and diagrams. Reports can also be created for compliance with a variety of foreign standards (PCI DSS, Sarbanes-Oxley, HIPAA, etc.).

Rapid implementation and flexible management

Cisco Security MARS requires a network connection with the ability to send and receive log files, SNMP messages, and establish sessions with network devices and security tools using standard or vendor-specific secure protocols.

Installing Cisco MARS does not require additional hardware, operating system updates, additional licenses, or maintenance. To get started, you only need to use the web interface to configure network devices and security tools to connect to Cisco MARS, and to specify the networks and network nodes that need to be monitored.

Cisco MARS allows you to transfer log files to an external server for integration with your existing network infrastructure. Cisco Security MARS also allows you to install an additional control device (Global Controller) that provides: hierarchical management of multiple Cisco MARS systems, consolidation of reports from individual systems, setting rules and report templates, and updates for local Cisco MARS systems.

Detailed Description of Cisco MARS Features

Dynamic session correlation:

  • Anomaly detection including NetFlow information
  • Correlation of events based on behavior and rules
  • Common built-in and user-defined rules
  • Automatic normalization of translated network addresses

Building a topological scheme:

  • Routers, Switches, and Layer 2 and 3 Firewalls
  • Modules and devices of the network intrusion detection system
  • Manual or Scheduled Building
  • SSH, SNMP, Telnet, and device-specific interactions

Vulnerability Analysis:

  • Network-based or endpoint-based remediation of violations
  • Analysis of the configuration of switches, routers, firewalls and NAT
  • Automatic processing of vulnerability scan data
  • Automatic and user-defined false positive analysis

Violation analysis and response:

  • Dashboard for managing individual security events
  • Combining session event data with the context of all rules
  • Graphical representation of the attack path with detailed analysis
  • Device profiles on the attack path with the determination of the MAC addresses of end nodes
  • Graphical and detailed sequential representation of the type of attack
  • Detailed violation data, including rules, unhandled events, common vulnerabilities, how the network is affected, and mitigation options
  • Instant analysis of violations and identification of false positives
  • Define rules using GUI to support custom rules and keyword analysis
  • Evaluation of violations, with a worksheet of step-by-step actions issued to users
  • Alert including email, pager, syslog and SNMP

Formation of requests and reports:

  • Graphical user interface that supports a large number of standard and custom queries
  • Over 80 prevalent reports including management, operations and compliance reports
  • Report generator with an intuitive interface that allows you to create an unlimited number of custom reports
  • Text, graphics, and general reporting format that supports export to HTML and CSV files
  • Creation of print-ready, group, standard and other reports

Administration:

  • HTTPS web interface; role-based administration with defined permissions
  • Hierarchical Management of Multiple Cisco MARS Systems with a Global Controller
  • Automatic updates including support for devices, new rules and features
  • Continuous migration of raw violation data archives to offline NFS repositories

Device Support:

  • Active network equipment: Cisco IOS Software, Releases 11.x and 12.x; Cisco Catalyst OS version 6.x; Cisco NetFlow releases 5.0 and 7.0; Extreme Extremeware version 6.x.
  • Firewalls/VPNs: Cisco Adaptive Security Appliance Release 7.0; Cisco PIX Security Appliance Software Releases 6.x and 7.0; Cisco IOS Firewall Release 12.2(T) or higher; Cisco Firewall Services Module (FWSM) versions 1.x, 2.1 and 2.2; Cisco VPN 3000 software version 4.0; Checkpoint Firewall-1 NG FP-x and VPN-1 versions FP3, FP4 and AI; NetScreen firewall versions 4.x and 5.x; Nokia firewall versions FP3, FP4 and AI.
  • IDS systems: Cisco IDS Releases 3.x, 4.x and 5.0; Cisco IDS module versions 3.x and 4.x; Cisco IOS IPS Release 12.2; Enterasys Dragon NIDS version 6.x; ISS RealSecure network sensor versions 6.5 and 7.0; Snort NIDS version 2.x; McAfee IntruShield NIDS versions 1.5 and 1.8; NetScreen IDP version 2.x; OS versions 4.x and 5.x; Symantec MANHUNT system.
  • Vulnerability assessment systems: eEye REM version 1.x and FoundStone FoundScan version 3.x.
  • Endpoint security systems: Cisco Security Agent version 4.x; McAfee Entercept versions 2.5 and 4.x; ISS RealSecure Host Sensor for end nodes, versions 6.5 and 7.0.
  • Antivirus software: Symantec Antivirus version 9.x.
  • Authentication Servers: Cisco ACS Server Release 3.x and 4.x.
  • Operating systems of end nodes: Windows NT, 2000 and 2003 (with and without agents); Solaris versions 8.x, 9.x and 10.x; Linux version 7.x.
  • Applications: web servers (IIS, iPlanet and Apache); Oracle 9i and 10g; NetCache.
  • Universal device support for aggregating and monitoring system logs of any application.

Additional hardware features:

  • Purpose-built appliances, 19" rack mount; UL certified.
  • Hardened OS; firewall with a reduced set of functions.
  • Two Ethernet 10/100/1000 interfaces.
  • Recovery DVD-ROM.