
Deploying CS-MARS

There are several ways to deploy a CS-MARS appliance into the network. Careful planning is required before selecting the appropriate CS-MARS model, because the decision depends largely on the anticipated events per second (EPS) and NetFlow flows per second (FPS) for the network or segment being monitored.

The following are the two types of CS-MARS deployment scenarios: standalone/Local Controller (LC) and Global Controller (GC).

Standalone and Local Controllers (LC)

There is no major difference between LC and standalone CS-MARS deployments. Both scenarios use the same hardware and software. The only difference is that a standalone appliance is an independent, fully operational CS-MARS deployment, whereas an LC works in conjunction with a GC and communicates primarily with that GC.

The LC performs the following functions:

Each LC model differs in its capability to process and store events from various reporting devices.

Table 23-3 shows a complete list of CS-MARS models and their capabilities (EPS and FPS) that can be deployed as local and standalone controllers.

Table 23-3. CS-MARS Local and Standalone Controllers

CS-MARS Model           | Events/Second | NetFlow/Second | RAID Level | Power Supply
20R (CS-MARS-20R-K9)    | 50            | 1,500          | None       | Single
20 (CS-MARS-20-K9)      | 500           | 15,000         | None       | Single
50 (CS-MARS-50-K9)      | 1,000         | 30,000         | 0          | Single
100E (CS-MARS-100E-K9)  | 3,000         | 75,000         | 1 + 0      | Redundant
100 (CS-MARS-100-K9)    | 5,000         | 150,000        | 1 + 0      | Redundant
110R (CS-MARS-110R-K9)  | 4,500         | 75,000         | 1 + 0      | Redundant
110 (CS-MARS-110-K9)    | 7,500         | 150,000        | 1 + 0      | Redundant
200 (CS-MARS-200-K9)    | 10,000        | 300,000        | 1 + 0      | Redundant
210 (CS-MARS-210-K9)    | 15,000        | 300,000        | 1 + 0      | Redundant

The Events per Second (EPS) listed in Table 23-3 are quoted as the maximum events per second with dynamic correlation and all other features enabled.


If high availability is required in a CS-MARS deployment, start with the CS-MARS model 100 (CS-MARS-100-K9), which has RAID 1 + 0 capability. The models with RAID 1 + 0 have redundant power supplies and hot-swappable drives. The CS-MARS models 110 (CS-MARS-110-K9) and 210 (CS-MARS-210-K9) have special built-in battery backups for the RAID cache.

LCs receive and pull raw data from a wide range of reporting devices, such as routers, switches, firewalls, IDS/IPS systems, and vulnerability assessment systems.

The LC summarizes information about the health of the network based on data it receives from the reporting devices that it monitors.

Figure 23-8 depicts a standalone LC deployed as an independent appliance, which is a fully operational CS-MARS implementation.

Figure 23-8. CS-MARS Standalone Local Controller (LC)


Global Controllers (GC)

The Global Controller (GC) is used to manage two or more LC zone deployments, allowing network monitoring to scale without increasing the management burden on each LC.

The GC provides complete control and management of the LC across various sites (zones) and provides a single user interface for defining new device types, inspection rules, reports, and queries.

GC provides a central console to manage multiple LCs. It also provides additional capabilities, including

Three basic CS-MARS models are available for GC deployment scenarios.

Table 23-4 shows a complete list of CS-MARS models and their capabilities for GC deployments.

Table 23-4. CS-MARS Global Controllers (GC)

CS-MARS GC Model                | Models Supported (LC Management)       | Max LC    | RAID Level
CS-MARS-GCM (CS-MARS-GCm-K9)    | CS-MARS 20R/20/50 only                 | 5         | 1 + 0
CS-MARS-GC (CS-MARS-GC-K9)      | CS-MARS 20R/20/50/100/100e/200 only    | Unlimited | 1 + 0
CS-MARS-GC2R (CS-MARS-GC2R-K9)  | CS-MARS 20/50 only                     | 5         | 1 + 0
CS-MARS-GC2 (CS-MARS-GC2-K9)    | CS-MARS 110/110R/210 only              | Unlimited | 1 + 0


Note

All CS-MARS GC models have redundant power capability.


Figure 23-9 depicts a GC scenario deployed at the central HQ Data Center managing several LCs across different sites.

Figure 23-9. CS-MARS Global Controller
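As an added example (not from the chapter or from Cisco), the following Python sizing helper applies Tables 23-3 and 23-4 to a list of sites: it picks the smallest LC whose rated EPS and FPS cover each site's estimated peak with headroom, optionally restricting the choice to RAID 1 + 0 models with redundant power when high availability is required, and then checks whether one GC model can manage all of the chosen LCs. The per-site estimates, the 25 percent headroom factor, and the function and model names are assumptions; the capacity figures are those in the two tables.

```python
"""Size a CS-MARS LC per site and pick a GC that can manage them.

Added example, not part of the original chapter and not Cisco code. The capacity
figures come from Tables 23-3 and 23-4; the site estimates, headroom factor and
selection policy are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LcModel:
    name: str
    eps: int              # max events/second with dynamic correlation enabled
    fps: int              # max NetFlow flows/second
    raid: str             # "none", "0", or "1+0"
    redundant_power: bool


# Table 23-3, ordered from smallest to largest rated EPS.
LC_MODELS: List[LcModel] = [
    LcModel("20R", 50, 1_500, "none", False),
    LcModel("20", 500, 15_000, "none", False),
    LcModel("50", 1_000, 30_000, "0", False),
    LcModel("100E", 3_000, 75_000, "1+0", True),
    LcModel("110R", 4_500, 75_000, "1+0", True),
    LcModel("100", 5_000, 150_000, "1+0", True),
    LcModel("110", 7_500, 150_000, "1+0", True),
    LcModel("200", 10_000, 300_000, "1+0", True),
    LcModel("210", 15_000, 300_000, "1+0", True),
]

# Table 23-4: LC models each GC manages and the maximum LC count (None = unlimited).
GC_MODELS = {
    "GCM": ({"20R", "20", "50"}, 5),
    "GC": ({"20R", "20", "50", "100", "100E", "200"}, None),
    "GC2R": ({"20", "50"}, 5),
    "GC2": ({"110", "110R", "210"}, None),
}


def select_lc(peak_eps: float, peak_fps: float, require_ha: bool = False,
              headroom: float = 1.25) -> Optional[LcModel]:
    """Smallest LC whose rated EPS and FPS both cover the peak plus headroom.

    The chapter notes that the rated EPS assumes all features are enabled, so
    the headroom factor (an assumption here) absorbs bursts above the estimate.
    HA is taken to mean RAID 1+0 with redundant power, as in Table 23-3.
    """
    need_eps = peak_eps * headroom
    need_fps = peak_fps * headroom
    for m in LC_MODELS:
        if require_ha and not (m.raid == "1+0" and m.redundant_power):
            continue
        if m.eps >= need_eps and m.fps >= need_fps:
            return m
    return None  # beyond the largest single appliance: split into more zones


def select_gc(lc_names: List[str]) -> Optional[str]:
    """First GC (smallest scope first) that manages every chosen LC model and enough of them."""
    wanted = set(lc_names)
    for gc, (supported, max_lc) in GC_MODELS.items():
        if wanted <= supported and (max_lc is None or len(lc_names) <= max_lc):
            return gc
    return None  # no single GC spans these models; e.g. 200 and 110 cannot share one


def plan_deployment(sites: List[Tuple[str, int, int]], require_ha: bool = False):
    """sites: (name, peak_eps, peak_fps). Returns ([(site, lc_model_or_None)], gc_or_None)."""
    chosen = []
    for name, eps, fps in sites:
        m = select_lc(eps, fps, require_ha)
        chosen.append((name, m.name if m else None))
    names = [n for _, n in chosen if n]
    gc = select_gc(names) if len(names) == len(chosen) else None
    return chosen, gc


# Constructed example: three sites with estimated peak event and flow rates.
SAMPLE_SITES = [
    ("branch-a", 300, 8_000),
    ("branch-b", 700, 20_000),
    ("datacenter", 3_500, 100_000),
]

if __name__ == "__main__":
    per_site, gc = plan_deployment(SAMPLE_SITES)
    for site, model in per_site:
        print(f"{site}: CS-MARS {model}")
    print(f"GC: {gc}")
```

The GC step is where mixed deployments go wrong: Table 23-4 shows that the 110/110R/210 generation is managed only by a GC2, so a plan that mixes a 200 with a 110 cannot be put under one GC, and `select_gc` returns `None` rather than silently picking the larger box.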


Software Versioning Information

Two major software versions are available for CS-MARS deployment. The two releases support different hardware platforms but have significant feature parity, and the appliance model has little impact on which features are available in either release.

Note

The database table structure changes between software versions; thus, an existing database cannot be restored onto a different software version, because doing so can cause data corruption. If you do not need to preserve any configuration or event data, it is better to start with a clean system: reimaging can be much faster than the upgrade procedure.


Reporting and Mitigation Devices

From a top-down deployment perspective (refer to Figure 23-9), CS-MARS GC monitors the LC, and the LC monitors one or more reporting devices.

A reporting device is any Layer 2 or Layer 3 device (Cisco or non-Cisco) that provides CS-MARS with raw data about the network from traffic flows and the configuration files, allowing CS-MARS to analyze and respond to possible attack targets.

A mitigation device is any reporting device that can deny a traffic flow within the attack path.

CS-MARS provides mitigation support in two forms:

Note

Refer to Table 23-2 for a complete list of the supported reporting devices.


Based on the confirmed incident and correlated data, CS-MARS provides suggested mitigation rules for detected attacks and, in some cases, it can push those rules to the mitigation device, to stop the attack by restricting network access to the infected hosts.

Figure 23-10 illustrates an example of a CS-MARS enforcement recommendation: the enforcement points along the attack path together with the corresponding commands to stop the attack.

Figure 23-10. CS-MARS Mitigation Device Identified and Corresponding Commands Recommended


Levels of Operation

Another important consideration when deploying CS-MARS is the level of operation that CS-MARS will perform. This must be decided before CS-MARS is configured to receive raw data from reporting devices.

Three basic levels of operation exist in CS-MARS, based on the type of data it can collect from the reporting devices: basic (Level 1), intermediate (Level 2), and advanced (Level 3). These levels dictate the capability of CS-MARS to identify attacks from end to end.

Table 23-5 summarizes the CS-MARS level of operations and the functionality enabled at each level.

Table 23-5. CS-MARS Level of Operation and Functionality

Basic (Level 1)
  • Basic syslog functionality
  • Event correlation
  • Query, reports, and chart support
  • NetFlow anomaly detection

Intermediate (Level 2)
  • Event and session-based correlation
  • NAT and PAT resolution
  • IP address lookup of attackers and targets

Advanced (Level 3)
  • MAC address lookup of attackers and targets
  • Topologies enabled


Traffic Flows and Ports to Be Opened

Required traffic flows identify the necessary protocol and port numbers that must be allowed by gateways/firewalls/ACLs if they separate the CS-MARS appliance from a reporting device, mitigation device, or supporting device (as listed in Table 23-2). Different protocol and port numbers are used for varying functions when CS-MARS communicates with a reporting device.

Additionally, traffic flows between a GC and any monitored LCs must be allowed.

Table 23-6 identifies the various traffic flows and their associated protocol and port numbers that must be opened if there is a gateway, firewall, ACL, or any type of filtering device between CS-MARS and the reporting devices.

Table 23-6. CS-MARS Required Traffic Flows and Ports to Be Opened

Management GUI
  Protocols: HTTPS/SSL (TCP port 443)
  Comments: This traffic must be enabled for GC to LC, as well as from the CS-MARS appliance to the computer used to manage the appliance.

Management CLI
  Protocols: SSH (TCP 22)

Support Servers and Services
  Protocols: DNS (TCP and UDP port 53); NTP (TCP/UDP port 123); SMTP (TCP port 25); ICMP (IP level service); NFS
  Comments: SMTP is used for outgoing mail services. ICMP is useful for diagnostics and troubleshooting and is required by the dynamic vulnerability scanner. NFS is used for network-attached storage (NAS) servers to retain data archives for MARS. Because NFS ports are negotiated, it is recommended that the NAS server be located on the same network segment as the MARS appliance.

Upgrade from GUI
  Protocols: HTTPS or FTP (TCP port 20 and 21)
  Comments: Options from within the GUI require it.

Upgrade from CLI
  Protocols: HTTPS, HTTP (TCP port 80), or FTP
  Comments: At the command line, the upgrade can be done from the DVD drive, which does not require extra opened ports.

Discovery of reporting device or mitigation device
  Protocols: Telnet (TCP port 23); SSH; FTP; SNMP (TCP 161)
  Comments: The MARS appliance periodically contacts the devices to ensure that they are operational.

Monitoring of reporting device or mitigation device
  Protocols: HTTPS; SSH; SNMP; Telnet; FTP; PostOffice (UDP port 45000); RDEP (SSL); SDEE (SSL); syslog (UDP port 514)

Policy query to Cisco Security Manager
  Protocols: HTTPS
  Comments: Enable HTTPS access to the Common Services 3.0 server by the CS-MARS appliance.

Global Controller and Local Controller data synchronization
  Protocols: Proprietary (port 8444)
  Comments: This port must remain open on the outside and inside interfaces to ensure accurate data correlation operations of the GC.

NetFlow
  Protocols: NetFlow (TCP port 2055)
  Comments: Enable Spanning Trees between switches (distribution and access switch, not the core). The ports on which the appliance listens for NetFlow traffic can be changed on the Admin > NetFlow Config page.

Checkpoint
  Protocols: OPSEC-LEA (TCP port 18184); OPSEC-CA (TCP 18210); SSLCA (TCP port 18184); OPSEC-CPMI (TCP port 18190)
  Comments: Used by Checkpoint devices only. CA is used for pulling a certificate for the OPSEC application.

Oracle Database
  Protocols: Oracle Database Listener (TCP port 1521)
  Comments: Used by Oracle only.

Microsoft SQL Server
  Protocols: MS SQL (TCP port 1433)
  Comments: Used by FoundStone and eEye.

The information in Table 23-6 is compiled from "Install and Setup Guide for Cisco Security MARS, Release 5.2.x" at http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.2/installation/guide/plan.html.


In addition to the listings in Table 23-6, if the GC and LC are separated by a firewall or any type of filtering device, the ports listed in Table 23-7 need to be allowed explicitly, on both the inside and outside interfaces of the firewall, to ensure proper operation of the GC.

Table 23-7. CS-MARS Required Traffic Ports to Be Opened for Global Controller to Local Controller Communication

TCP Port | Function
22       | Secure Shell (SSH), used by the LC for topology and device discovery
443      | Hypertext Transport Protocol with Secure Sockets Layer (HTTPS), used for user interface access
8444     | Cisco proprietary data synchronization between a GC and its LCs

The information in Table 23-7 is compiled from "User Guide for Cisco Security MARS Global Controller, Release 5.2.x" at http://www.cisco.com/en/US/docs/security/security_management/cs-mars/5.2/user/guide/global_controller/gccfg.html.
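As an added example that is not part of the chapter and not a Cisco tool, the following Python check models a simple first-match packet filter with an implicit deny at the end and audits it against the GC-to-LC flows in Table 23-7 on both the inside and outside interfaces, as the chapter requires. The rule format, the interface names, the sample ruleset, and the addresses are constructed; the function reports any of the three TCP ports that the ruleset would block, which is the kind of gap that leaves the GC web interface reachable while data synchronization silently fails.

```python
"""Audit a packet-filter rule list against the GC-to-LC flows CS-MARS requires.

Added example, not part of the original chapter and not Cisco code. The rule
format and sample ruleset are constructed; the required ports are those in
Table 23-7 (TCP 22, 443, 8444), which the chapter says must be permitted on
both the inside and the outside interface of a firewall between a GC and an LC.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Table 23-7: TCP ports a firewall between a GC and an LC must allow.
GC_LC_FLOWS = {
    22: "SSH (LC topology and device discovery)",
    443: "HTTPS (user interface access)",
    8444: "Cisco proprietary GC/LC data synchronization",
}


@dataclass(frozen=True)
class Rule:
    interface: str          # "inside" or "outside" (assumed interface names)
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", or "ip" (ip matches any protocol)
    src: str                # source CIDR
    dst: str                # destination CIDR
    dport: Optional[int] = None   # None matches any destination port


def first_match(rules: List[Rule], interface: str, proto: str,
                src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule; implicit deny if none matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.interface != interface:
            continue
        if r.proto not in ("ip", proto):
            continue
        if s not in ip_network(r.src) or d not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


def audit_gc_lc_flows(rules: List[Rule], gc_ip: str, lc_ip: str) -> List[Tuple[str, int, str]]:
    """List the (interface, port, description) GC-to-LC flows that are NOT permitted.

    Each flow is evaluated on both interfaces, because the chapter requires the
    ports to be open on the inside and the outside interface of the firewall.
    """
    missing = []
    for port, desc in GC_LC_FLOWS.items():
        for iface in ("outside", "inside"):
            if first_match(rules, iface, "tcp", gc_ip, lc_ip, port) != "permit":
                missing.append((iface, port, desc))
    return missing


# Constructed sample ruleset: TCP 8444 was forgotten on the outside interface.
GC_IP, LC_IP = "10.1.1.10", "10.2.2.20"
SAMPLE_RULES = [
    Rule("outside", "permit", "tcp", "10.1.1.10/32", "10.2.2.20/32", 22),
    Rule("outside", "permit", "tcp", "10.1.1.10/32", "10.2.2.20/32", 443),
    Rule("outside", "deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    Rule("inside", "permit", "tcp", "10.1.1.10/32", "10.2.2.20/32", 22),
    Rule("inside", "permit", "tcp", "10.1.1.10/32", "10.2.2.20/32", 443),
    Rule("inside", "permit", "tcp", "10.1.1.10/32", "10.2.2.20/32", 8444),
    Rule("inside", "deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    gaps = audit_gc_lc_flows(SAMPLE_RULES, GC_IP, LC_IP)
    if not gaps:
        print("all GC-to-LC flows permitted")
    for iface, port, desc in gaps:
        print(f"missing on {iface}: TCP {port} {desc}")
```

The check is intentionally pinned to the two specific appliance addresses rather than a broad permit, so it also flags the case where a rule permits the right port but for the wrong source host; substitute your firewall's actual rule export format in `Rule` before using it on a real policy.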


Web-Based Management Interface

The CS-MARS appliance can be centrally managed through a secure web-based interface supporting role-based administration.

The web-based management interface is easy to use, with a tabbed, hyperlinked, browser-based layout. It can be accessed from any computer on the network that has IP reachability to the CS-MARS appliance, and it can be used to perform all administrative functions.

Figure 23-11 shows a sample output of CS-MARS web-based management interface dashboard (Summary page).

Figure 23-11. CS-MARS—Management Dashboard Summary Page


As shown in Figure 23-12, the web-based management interface offers seven menu option tabs in the upper right corner, each of which leads to the pages for that tab's subtabs. Figure 23-12 shows sample output from each of the seven menu option tabs and their subtabs in the management interface dashboard.

Figure 23-12. CS-MARS Web-Based Management—Seven Menu Option Tabs and Subtabs


Initializing CS-MARS

Depending on whether the appliance is an LC or a GC, and whether you are using software version 4.3.x or version 5.3.x, several parameters need to be configured on the CS-MARS appliance. These can be configured either via the CLI console or via the web-based management interface.

After booting the CS-MARS appliance for the first time, you need to configure the following basic parameters as part of the initialization process using the CLI console:

Log in via console access to the CS-MARS system using the default administrative user account and password (pnadmin/pnadmin) to complete the basic initialization process.

After the CS-MARS appliance is initialized, all the remaining tasks, such as adding the reporting and mitigation devices, can be completed using the web-based management interface, as shown in Figure 23-12, using a standard web browser from any client PC on the network as follows:

https://CS-MARS_ip_address

Note

Prior to using the system, the device license must be installed from the web console as the first step.


Figure 23-13 shows the default login page for the CS-MARS appliance. Indicate whether it is an LC or a GC and log in using the default administrative user account and password (pnadmin/pnadmin) or any other user account provided by the administrator.

Figure 23-13. Default Login Page for CS-MARS Appliance


Tip

For a comprehensive list of configurations and the user guide, refer to the following Cisco documentation pages: http://www.cisco.com/en/US/products/ps6241/products_user_guide_list.html.

