The Cisco Security MARS (Monitoring, Analysis and Response System) appliance line correlates data generated from multiple sources on the network, including intrusion detection devices, firewalls, vulnerability scanners, and host syslogs with the actual network topology to identify security intrusions or attacks on the network. Identified incidents are reported to the administrator along with recommended mitigation instructions as to which key device(s) on the network should be reconfigured and potentially the actual commands that can be used to reconfigure those devices to stop the attack.
After plugging the appliance into the network, the administrator reconfigures the logging of each target security device and/or host to point at the MARS appliance (i.e., the logs of all hosts that need to be monitored are aggregated on the MARS appliance). The devices are not deployed inline, so they neither pass nor block traffic themselves, and are billed as making "... minimal use of existing software agents" to perform their event collection and analysis; specifically, the vendor states that the product does not depend on agents (since data is pulled from log sources) but can use data sent from common agents such as Snare. Multiple external devices and systems are listed as supported, including Cisco IOS and Catalyst devices and NetFlow (now including NetFlow version 9); the Cisco ASA 5580, Cisco PIX, Check Point Firewall-1 NG/VPN-1, NetScreen and Nokia firewalls, Cisco IPS/IDS, Enterasys Dragon, ISS RealSecure, McAfee IntruShield NIDS, Symantec AntiVirus, Trend Micro OPS, and more; and logs from operating systems (Windows NT/2000/2003, Solaris, Linux) and Web servers (IIS, iPlanet, Apache). Additionally, the vendor states that the new version of MARS (expected in August) will include a development framework that will enable the incorporation of devices that MARS does not currently support natively.
Once installed and enabled, the MARS appliance begins analyzing the log and event data streaming to it from the target devices. The appliance starts with a virtual network map of connected devices along with their current configurations (auto-discovered) and then uses this map in conjunction with the events to recognize activity sessions (even if such sessions cross NAT boundaries, where the same connection appears under different addresses on each side of the firewall) and identify potential attacks. The appliance's knowledge of the network topology and device configurations then allows it to graphically (via a Web-based user interface) recommend to the administrator the exact device that needs to be addressed, and potentially the actual configuration commands that can be used, to stop the attack.
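The NAT-aware session correlation described above, reduced to its essentials. This is an added illustration written for this page, not Cisco MARS code: the simplified event format, the addresses, the static NAT map and the single-firewall topology are all constructed for the example. A sensor outside the firewall reports the attack against the public address while the web server's own log names the private one; canonicalizing both to the private host is what lets the two views of one connection be joined, and the reverse NAT lookup is what lets the recommendation name the public address the firewall actually sees.

```python
"""NAT-aware correlation of IDS alerts with host logs. Added illustration,
not Cisco MARS code; the log format, addresses and topology are constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed topology: one firewall, its inside/outside segments and static NAT.
TOPOLOGY = {
    "fw1": {
        "outside": "203.0.113.0/24",
        "inside": "10.1.1.0/24",
        "static_nat": {"203.0.113.10": "10.1.1.20"},   # public -> private
    },
}

# Constructed events in a simplified, self-describing format. The sensor
# outside fw1 reports the public address; the web server inside reports the
# private one, so naive matching on addresses would never join them.
SAMPLE_EVENTS = [
    "1214568000 nids-outside alert src=198.51.100.9:51022 dst=203.0.113.10:80 sig=web-cmd-injection",
    "1214568001 web01 iis src=198.51.100.9:51022 dst=10.1.1.20:80 url=/cgi-bin/x?cmd=id status=500",
    "1214568002 nids-outside alert src=198.51.100.9:51023 dst=203.0.113.10:80 sig=web-cmd-injection",
    "1214568003 web01 iis src=198.51.100.9:51023 dst=10.1.1.20:80 url=/cgi-bin/x?cmd=id status=500",
    "1214568200 web02 iis src=192.0.2.44:40001 dst=10.1.1.21:80 url=/index.html status=200",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\d+) (?P<sensor>\S+) (?P<kind>\S+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_event(line):
    """Parse one constructed event line into a dict; reject anything else."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    ev = m.groupdict()
    for k in ("ts", "sport", "dport"):
        ev[k] = int(ev[k])
    return ev


def canonicalize(ev, topology=TOPOLOGY):
    """Rewrite NATed public addresses to the private host behind them, so an
    event seen on either side of the firewall names the same endpoint."""
    ev = dict(ev)
    for fw in topology.values():
        nat = fw["static_nat"]
        ev["dst"] = nat.get(ev["dst"], ev["dst"])
        ev["src"] = nat.get(ev["src"], ev["src"])   # reply traffic from the NATed host
    return ev


def build_sessions(lines, topology=TOPOLOGY):
    """Group events by canonical (src, sport, dst, dport); protocol is implied."""
    sessions = defaultdict(list)
    for line in lines:
        ev = canonicalize(parse_event(line), topology)
        sessions[(ev["src"], ev["sport"], ev["dst"], ev["dport"])].append(ev)
    return dict(sessions)


def find_incidents(sessions):
    """An incident is one source against one canonical destination/port with
    at least one IDS alert; it may span several sessions and several sensors."""
    incidents = {}
    for (src, _sport, dst, dport), events in sessions.items():
        if not any(e["kind"] == "alert" for e in events):
            continue
        inc = incidents.setdefault(
            (src, dst, dport),
            {"src": src, "dst": dst, "dport": dport, "sessions": 0, "sensors": set()},
        )
        inc["sessions"] += 1
        inc["sensors"].update(e["sensor"] for e in events)
    return list(incidents.values())


def recommend_mitigation(incident, topology=TOPOLOGY):
    """Choose the enforcement point: the firewall whose inside segment holds
    the victim. The block must name the public address the attacker targets,
    not the private one, which is why the NAT map is consulted in reverse."""
    victim = ipaddress.ip_address(incident["dst"])
    for name, fw in topology.items():
        if victim in ipaddress.ip_network(fw["inside"]):
            private_to_public = {priv: pub for pub, priv in fw["static_nat"].items()}
            return {
                "device": name,
                "block_src": incident["src"],
                "block_dst": private_to_public.get(incident["dst"], incident["dst"]),
                "dport": incident["dport"],
            }
    return None   # victim is not behind any known firewall; nothing to recommend


if __name__ == "__main__":
    for inc in find_incidents(build_sessions(SAMPLE_EVENTS)):
        print(f"{inc['src']} -> {inc['dst']}:{inc['dport']} "
              f"{inc['sessions']} sessions seen by {sorted(inc['sensors'])}")
        print("  mitigate at:", recommend_mitigation(inc))
```

Run on the constructed events, the two outside alerts and the two matching IIS entries collapse into one incident against 10.1.1.20 seen by both sensors, and the recommendation points at fw1 with the public address 203.0.113.10; the unrelated request to web02 produces no incident. Turning the recommendation into an actual ACL line is device-specific and deliberately left out.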
Other features include predefined and automatically updated signatures for the recognition of attacks; support for onboard storage as well as saving compressed historical data to NFS or sFTP storage (the appliance's own data and configuration can be backed up and recovered via NFS/sFTP); graphical attack replay; multiple (more than 100) predefined reports; support for batch and e-mail reporting; and a report generator.
The MARS appliance line is available in multiple models, with the primary differences being speed and capacity. Performance scales from 75 events/second or 1,500 NetFlow records/second in the 1U MARS 25R to 15,000 events/second or 300,000 NetFlow records/second in the 2U MARS 210. In addition to these Local Controllers, optional Global Controller appliances can be purchased for the aggregated management of multiple Local Controllers, including report aggregation; rule, report, and user account definitions (actual controller configuration is performed locally); and remote upgrades of the Local Controllers themselves.
The new Cisco Security MARS release is expected to be available in August of 2008. Visit the Cisco Systems Web site for further information.
product submission by EITPlanet Staff