About This Manual

This manual describes the features and functionality of the Local Controller. The layout of this manual is as follows: Chapter 1, STM Task Flow Overview, recommends a task flow for planning and implementing your security threat mitigation system. It ties back to your corporate security policies and presents a structured deployment and configuration strategy based on two phases: provisioning and monitoring. Part 1, Provisioning Phase. This part details provisioning your network devices to communicate...

Add a Community String for a Network

To add a community string for a network IP, follow these steps: Step 1 To open the Community Strings and Networks page, click Admin > Community Strings and Networks. Step 2 Click the Network IP radio button. Step 3 Enter the Community String, Network IP address, and Mask. Step 4 Click Add. Step 5 Repeat Step 2 through Step 4 for all the community strings that you want to add. Step 6 Click Submit to commit these additions.

Add a Host

Within MARS, a host is manually or automatically defined as the result of one of the following options: A reporting device or mitigation device defined under the Admin > Security and Monitoring Devices tab. A host managed by a reporting device defined under the Admin > Security and Monitoring Devices tab, such as a host running Cisco Security Agent and discovered by MARS when processing the logs provided by the CSA Management Console. An asset that you want to identify for the purpose of...

Add an Inspection Rule

Rules that you add are called User Inspection Rules. Navigate to the Inspection Rules page. Click Add. Enter a name and description for the rule, then click Next. Select Source IP address. The following numbers correspond to the numbers shown in Figure 21-6. 1 Check the boxes next to the items in the Sources Selected field to select them, and click the Toggle Equal button to change them between equal and not equal. Click the Select All button to select all items in the Sources Selected field....

Add an ISS RealSecure Device as a HIDS

Step 1 Click Admin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 5 Click the Reporting Applications tab. Step 6 From the Select Application list, select RealSecure (6.5 or 7.0). Step 8 Click the HIDS radio button. Figure 6-10 Configure ISS RealSecure HIDS Step 10 For multiple interfaces, click the General tab, and add...

Add and Configure a Cisco Firewall Device in MARS

The process of adding a PIX security appliance, Cisco ASA, or FWSM to MARS involves many of the same steps, regardless of the version of software that is running. The process is exactly the same for PIX software versions 6.0, 6.1, 6.2, and 6.3. However, Cisco ASA, PIX 7.0, and FWSM provide the ability to define multiple security contexts, or virtual firewalls. Adding a Cisco ASA, PIX 7.0, or FWSM to MARS has two distinct steps. First, you must define the settings for the admin context. Then,...

Add and Configure a CSA MC Device in MARS

Before you can identify the agents, you must add the CSA MC to MARS. All CSA agents forward notifications to the CSA MC, and the CSA MC forwards SNMP notifications to MARS. Once you define the CSA MC and activate the device, MARS can discover the agents that are managed by that CSA MC. However, you can also choose to manually add the agents. To add a CSA MC to MARS, follow these steps: Click Admin > Security and Monitor Devices > Add. From the Device Type list, select Add SW security apps on...

Add and Configure a Generic Router in MARS

To add and configure a generic router device in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Generic Router version unknown from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and...

Add and Configure an ExtremeWare Switch in MARS

To add and configure an ExtremeWare switch in MARS, follow these steps: Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select Extreme ExtremeWare 6.x from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls,...

Add and Configure an IntruShield Manager and its Sensors in MARS

Adding an IntruVert device has two distinct steps. First, you add configuration information for the IntruShield Manager host. Second, you add the sensors managed by that host. Add the IntruShield Manager Host to MARS, page 6-26; Add IntruShield Sensors Manually, page 6-26; Add IntruShield Sensors Using a Seed File, page 6-27. Add the IntruShield Manager Host to MARS To define the host and represent the management console for IntruShield, follow these steps: Step 1 Click Admin > System...

Add and Configure Check Point Devices in MARS

After you identify and bootstrap the Check Point reporting devices and install the policies that enable the required traffic flows, you must represent those devices in MARS, which uses this information to communicate with the devices. When adding a Check Point device, you add two types of devices: Primary management station. The primary management station represents the SmartCenter server or CMA that manages other Check Point components. In the web interface, the bases module is defined as a...

Add Cisco IOS 12.2 Modules Manually

To add a module manually, follow these steps: Step 1 Click Add Module. Step 2 Select Cisco IOS 12.2 from the Device Type list. Step 3 Enter the name of the module in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For modules that support the discovery operation, such as router and firewall modules, MARS renames this field's value...

Add, Modify, and Delete a Rule Group

To add a rule group, follow these steps: Step 1 Navigate to the Inspection Rules page, as shown in Figure 21-10. Figure 21-10 Inspection Rules Page The Add Group dialog box appears, as shown in Figure 21-11. Step 3 Enter the new group name in the Name field. Step 4 Click the checkboxes of the rules to be added to the new rule group. Tip: The dropdown list above the list of rules can limit the display of rules to active system rules,...

Add Multiple Reporting and Mitigation Devices Using a Seed File

The seed file is a comma-delimited file with the file extension .csv (comma-separated value). Most spreadsheet programs let you import and export files as CSV files. The following is a sample seed file as exported from a popular spreadsheet program: 10.1.1.1, ,,,PIX,TELNET,,,cisco,,, ,,,,,,,, With the CSV file, you can enter the values, passwords, and information for each device that you want the MARS Appliance to monitor in its appropriate row and column. While the seed file is useful for...

Add Reporting and Mitigation Devices Individually

In general, you have two choices for adding devices that you want to monitor into your MARS. You can create a seed file or you can add each device manually. Seed file support is limited to a few device types; see Column E, page 2-23 for the devices supported. When manually configuring devices, select the devices that are most interesting to you. Once added, you can come back and edit them as necessary. Manual configuration is also useful when you add or change a single security device on your...

Add Security Contexts Manually

You can manually define security contexts in PIX 7.0, Cisco ASA, or FWSM. (PIX 7.0 and FWSM) Click Add Context. (Cisco ASA) Click Add Module. Step 2 In the Device Type list, do one of the following: For Cisco ASA, select Cisco ASA 7.0. For PIX 7.0, select Cisco PIX 7.0. For FWSM, select Cisco FWSM x.y, where x.y is the version number of the software running on the module. Step 3 Enter the name of the firewall device in the Device Name...

Add the NetScreen Device to MARS

Step 1 Select Admin > System Setup > Security and Monitor Devices > Add. Step 2 Select the appropriate version of NetScreen ScreenOS from the Device Type list. Step 3 Enter the name of the device in the Device Name field. MARS maps this name to the reporting IP address. This name is used in topology maps, queries, and in the Security and Monitoring Device list. For devices that support the discovery operation, such as routers and firewalls, MARS renames this field's value to match the...

Add the VPN 3000 Concentrator to MARS

To add the VPN 3000 Concentrator to MARS, follow these steps: Step 1 Select Admin > Security and Monitor Devices > Add. Step 2 Select either Cisco VPN Concentrator 4.0.1 or Cisco VPN Concentrator 4.7 from the Device Type list. Enter the name of the VPN Concentrator in the Device Name field. Enter the IP address used to administer the VPN Concentrator in the Access IP field. Enter the IP address from which the syslog messages are sent to MARS in the Reporting IP field. Select SNMP from the...

Adding Reporting and Mitigation Devices Using Automatic Topology Discovery

On the Admin page, under the Topology Discovery Information section, three links exist, allowing you to define the settings required to discover reporting and mitigation devices automatically. These links are: Community String and Networks. Allows you to define SNMP RO community strings on a per-network or IP-range basis. Networks and SNMP RO strings can overlap. At least one SNMP string must be defined before discovery is attempted. Valid Networks. Identifies the set of networks and IP ranges...

Application Log Messages for the PN Log Agent

The PN Log Agent service writes events to the Application Log of Event Viewer on the Cisco Secure ACS server. The agent, identified in the log messages as PNLogAgentService, writes status messages, such as successful service start and stop. It also writes error messages for incomplete configuration and error conditions, such as when the service is out of memory. Table 14-1 categorizes the types of messages that can occur and explains their effects on the PN Log Agent service. Table 14-1 Possible...

Back to Being the Admin

You must now express the plan in terms of information that is reported to you. This attack plan contains an attack with a follow-up of some kind. You might write your plan like this: attacker to target, buffer overflow; attacker to target, root login (compromised host). At this point, the black hat has compromised the host. What happens next is up to the attacker. This makes the next few steps especially hard to predict. They want to be able to manipulate the world; they want to make change. Your newly...

Bootstrap the Sensor

Preparing a sensor to be monitored by MARS involves two steps: Enable the Access Protocol on the Sensor, page 6-6; Enable the Correct Signatures and Actions, page 6-6. Enable the Access Protocol on the Sensor The configuration of the sensor depends on the version of the software that is running on the sensor. The following topics identify the requirements of each version: Cisco IDS 4.x Software, page 6-6; Cisco IPS 5.x Software, page 6-6. For Cisco IDS 4.x devices, MARS pulls the logs using RDEP over...

Chapter 10 Configuring Generic Solaris, Linux, and Windows Application Hosts 10-1

Adding Generic Devices 10-1
Sun Solaris and Linux Hosts 10-2
Configure the Solaris or Linux Host to Generate Events 10-2
Configure Syslogd to Publish to the MARS Appliance 10-2
Configure MARS to Receive the Solaris or Linux Host Logs 10-3
Push Method: Configure Generic Microsoft Windows Hosts 10-5
Install the SNARE Agent on the Microsoft Windows Host 10-5
Enable SNARE on the Microsoft Windows Host 10-6
Pull Method: Configure the Microsoft Windows Host 10-6
Enable Windows Pulling Using a Domain...

Chapter 6 Configuring Network-based IDS and IPS Devices

Configure Sensors Running IDS 3.1 6-1
Add and Configure a Cisco IDS 3.1 Device in MARS 6-4
Cisco IDS 4.0 and IPS 5.x Sensors 6-5
Bootstrap the Sensor 6-5
Enable the Access Protocol on the Sensor 6-6
Enable the Correct Signatures and Actions 6-6
Add and Configure a Cisco IDS or IPS Device in MARS 6-6
Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File 6-8
View Detailed Event Data for Cisco IPS Devices 6-9
Cisco IPS Modules 6-9
Enable SDEE on the Cisco IOS Device...

Chapter 8 Configuring Antivirus Devices

Symantec AntiVirus Configuration 8-1
Configure the AV Server to Publish Events to MARS Appliance 8-1
Export the AntiVirus Agent List 8-7
Add the Device to MARS 8-7
Add Agent Manually 8-7
Add Agents from a CSV File 8-8
McAfee ePolicy Orchestrator Devices 8-8
Configure ePolicy Orchestrator to Generate Required Data 8-8
Add and Configure ePolicy Orchestrator Server in MARS 8-12
Cisco Incident Control Server 8-13
Configure Cisco ICS to Send Syslogs to MARS 8-14
Add the Cisco ICS Device to MARS 8-15...

Check Point Devices

The Check Point security product family can be distributed and tiered. As such, you must understand the deployment method, components, and release versions of this product family, their relationships, and how MARS interacts with them. You must also understand the many acronyms and abbreviations associated with this product family. Table 4-1 lists the abbreviations and acronyms used in the topics that follow. Table 4-1 Check Point Abbreviations and Acronyms...

Checklist for Monitoring Phase

After you complete the provisioning phase, you must configure MARS to help you realize your broader security goals and requirements. During the monitoring phase, your primary goal is to effectively realize your monitoring, mitigation, and remediation policies. This phase involves defining the strategies, rules, reports, and other settings required to achieve this goal. You must prepare MARS to closely adhere to your corporate security policy before you begin monitoring traffic flows, as you...

Checklist for Provisioning Phase

Inventory and review possible reporting devices, mitigation devices, and supporting devices. Reporting devices provide logs about user and network activities and device status and configuration. Mitigation devices can be used to respond to detected attacks. They also act as reporting devices. Supporting devices provide network services to reporting devices, mitigation devices, or a MARS Appliance. Identifying which devices on your network to monitor depends on multiple factors, including their...

Checklist for Security Manager-to-MARS Integration

Security Manager-to-MARS integration deals with identifying the required and optional points of integration, configuring the applications and devices, and ensuring proper authorization between the two management platforms. This checklist assumes a greenfield install of both Security Manager and MARS. The following checklist describes the tasks required to understand the decision-making process and the basic flow required to integrate MARS with a Security Manager server and the reporting and...

Circumflex and Dollar

Outside a character class, in the default matching mode, the circumflex character is an assertion that is true only if the current matching point is at the start of the subject string. If the startoffset argument of pcre_exec() is non-zero, circumflex can never match if the PCRE_MULTILINE option is unset. Inside a character class, circumflex has an entirely different meaning (see Square Brackets and Character Classes, page B-8 and Posix Character Classes, page B-9). Circumflex need not be the...

Cisco Product Security Overview

Cisco provides a free online Security Vulnerability Policy portal at this URL. From this site, you can perform these tasks: Report security vulnerabilities in Cisco products. Obtain assistance with security incidents that involve Cisco products. Register to receive security information from Cisco. A current list of security advisories and notices for Cisco products is available at this URL: http://www.cisco.com/go/psirt If you prefer to see advisories and notices as they are updated in real time,...

Configure a Rule to Send an Alert Action

To send alert notifications to individual users or groups of users, configure the Action parameters of a rule to create an alert action. This procedure configures alerts for pre-existing rules. When you create a rule, the Action parameters are configured after the count number parameter. Drop rules do not have Action parameters and cannot trigger alerts. To modify or create an alert for an existing rule, follow these steps: Step 1 Click the RULES tab to navigate to the Inspection Rules page....

Configure Cisco Secure ACS to Generate Logs

To configure Cisco Secure ACS to generate the audit logs required by MARS, follow these steps: Step 1 Log in to the Cisco Secure ACS server or Solution Engine. Step 2 Select System Configuration > Logging. Step 3 Verify that CSV Failed Attempts, CSV Passed Authentications, and CSV RADIUS Accounting logging are enabled. Step 4 Click CSV Failed Attempts, and verify that the following attributes appear in the Logged Attributes list. Step 6 Click CSV Passed Authentications, and verify that the...

Configure CSA Management Center to Generate Required Data

To bootstrap CSA, you must configure the CSA MC to forward SNMP notifications to the MARS Appliance. In addition, you can export the list of CSA agents in a format that MARS can import. However, this export operation is not necessary, as MARS discovers the agents as they generate notifications. This section contains the following topics: Configure CSA MC to Forward SNMP Notifications to MARS, page 7-6; Export CSA Agent Information to File, page 7-6...

Configure eEye REM to Generate Required Data

To configure eEye REM to provide the correct data to MARS, follow these steps: Step 1 Run the command svrnetcn at the DOS prompt on the host where eEye REM 1.0 is installed. ...

Configure ePolicy Orchestrator to Generate Required Data

To prepare the ePolicy Orchestrator server to forward SNMP events to MARS, follow these steps Step 1 Select Start > Program Files > Network Associates > ePolicy Orchestrator 3.x Console. Step 2 In the tree, select McAfee Security > ePolicy Orchestrator, and click the Log on to server link under Global Task List. Step 3 In the Log On to Server dialog box, enter the username and password required to access the ePolicy Orchestrator server, and click OK. Step 4 In the tree, select McAfee...

Configure Found Scan to Generate Required Data

To configure FoundScan to provide data to MARS, follow these steps: Step 1 Run the command svrnetcn at the DOS prompt on the host where FoundScan is installed. Step 2 In the SQL Server Network Utility...

Configure Kiwi Syslog Server to Forward Events to MARS

We recommend the following settings in the configuration options of the Kiwi Syslog Daemon to ensure good integration of Kiwi with MARS: Expand the File > Setup > Rules > Actions tree. Right-click Actions and click Add an Action. Enter a name for the action, such as Forward to pncop. For the following fields, enter the following values: Destination IP address or hostname: Enter the IP address of the MARS Appliance. Send with RFC 3164 header information: Selected if the syslog server receives...

Configure MARS to Receive the Solaris or Linux Host Logs

To add a generic device to MARS, follow these steps: Step 1 Click Admin > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host. Figure 10-2 Adding a Generic Device to Receive Logs Step 3 Enter the Device Name, and its Reporting IP address. Step 4 Select Operating System as Generic. Step 5 Select Logging Info and select Receive, then click...

Configure Qualys Guard to Scan the Network

MARS uses the QualysGuard XML API and password-based authentication over SSL (TCP port 443) to retrieve scan reports from the QualysGuard API Server. As such, you do not need to configure the QualysGuard server to accept connections from MARS. The only required configuration is that you have an active account and Qualys subscription that is configured correctly to scan your network. By default, MARS assumes that you want to retrieve the most recent scan report saved on the QualysGuard server....

Configure Sensors Running IDS

Step 1 Log in to the Cisco IDS device. Step 2 Change to the directory that has all the configuration files that need to be edited. Step 3 You need to edit 4 files (organizations, hosts, routes, and destinations) that are in this directory. In the organizations file, add a line indicating your organization name or grouping, where 1 is the item number followed by the organization name protego. If there is already an item in this file, simply increase the item number (it has to be unique). Figure 6-1 Add MARS...

Configure the AV Server to Publish Events to MARS Appliance

To configure the AV server to publish events to MARS, follow these steps: Step 1 Log in to the Windows server running Symantec AV. Step 2 To identify the Local Controller as a valid SNMP trap destination, click Administrative Tools > Services > SNMP Service > Traps > Trap destinations. Step 3 Enter the IP address of the Local Controller in the Trap Destination page, and click OK to close all open windows. Step 4 Select Start > All Programs > Symantec System Center Console. Step 5 In...

Configure the Email Server Settings

To send alert actions, MARS must be configured to communicate with an e-mail server. To configure the e-mail server settings, follow these steps: Step 1 Click Admin > Configuration Information. The Device Configuration window appears, as shown in Figure 22-1. Figure 22-1 MARS Device Configuration Window Step 2 In the IP Port field of the Mail Gateway section, enter the IP address and Email Domain Name of...

Configure the Solaris or Linux Host to Generate Events

The MARS Appliance can receive syslog information from a Linux or Solaris host. To configure the Linux or Solaris applications, you must configure the following applications to write to syslog. To configure these applications to write to the system log, follow these steps: Step 1 xferlog (which provides transfer logging information from the FTP server). For ftpd, add the following to /etc/ftpd/ftpaccess: log transfers real,guest,anonymous inbound,outbound log syslog+xferlog Step 2 inetd trace messages (which...

Configuring Router and Switch Devices

User Guide for Cisco Security MARS Local Controller
Enable Syslog Messages on CatOS 3-11
Enable L2 Discovery Messages 3-12
Add and Configure a Cisco Switch in MARS 3-13
Adding Modules to a Cisco Switch 3-14
Add Available Modules 3-14
Add Cisco IOS 12.2 Modules Manually 3-15
Extreme ExtremeWare 6.x 3-17
Configure ExtremeWare to Generate the Required Data 3-17
Add and Configure an ExtremeWare Switch in MARS 3-18
Generic Router Device 3-18
Add...

Configuring Vulnerability Assessment Devices

Vulnerability assessment (VA) devices provide MARS with valuable information about many of the possible targets of attacks and threats. They provide information useful for accurately assessing false positives. This information includes the operating system (OS) running on a host, the patch level of the OS, the type of applications running on the host, as well as detailed logs about the activities occurring on that host. This chapter explains how to bootstrap and add the following VA devices to...

Configuring Web Server Devices

To use web logging with MARS, you need to configure the host, the web server, and MARS. MARS can process up to 100 MB of web log data per receive from your host. Note: Web logging is only supported on hosts running Microsoft IIS on Windows, Apache on Solaris or Linux, or iPlanet on Solaris. This chapter explains how to bootstrap and add the following web server devices to MARS: Microsoft Internet Information Server, page 12-1; Apache Web Server on Solaris or RedHat Linux, page 12-7; Sun Java System...

Constructing a Rule

Each step of your plan corresponds to a line of a rule. Each line identifies a set of conditions. A rule can have a single line, two lines, or multiple lines. You link these lines together using the logical operators, AND, OR, FOLLOWED-BY (in time). For more information on the conditions and operators found in a rule, see Table 21-1 on page 21-6. The first step of the example plan, identified in Back to Being the Admin, page 21-3, involved probing the target host. You can express a probe by...

Create a New Case

To create a new case, perform the following procedure: Step 1 Display the Case Bar as described in the section Hide and Display the Case Bar. The Add a New Case dialog box appears, as shown in Figure 18-5. Figure 18-5 Add a New Case Dialog Box Step 3 Select a severity color, change the state from new to assigned if appropriate, select the owner, and replace the default summary name (default is New Case). Figure 18-5 shows a case with a case summary of...

Create and Install Policies

You must create firewall policies that permit the MARS Appliance to access the relevant ports of the Check Point central management server and any remote log servers. The default ports are as follows: TCP port 18190. Used by CPMI to discover configuration settings. TCP port 18210. Used to retrieve the certificate from the Certificate Authority on the SmartCenter, MDS, MLM, CMA, or CLM. TCP port 18184. Used to pull security event logs from the log servers, such as the MLM or CLM. However, you...

Create Query Criteria with Report Groups

To create queries from report groups, follow these steps: Step 2 Select a report group in the Load Report as On-Demand Query with Filter dropdown filter, as shown in Figure 21-17. Only the reports that comprise the report group can now display in the Select Report dropdown list, as shown in Figure 21-18. Figure 21-17 Selecting a Report Group to Make a Query Figure 21-18 Selecting a Report Within the Report Group to Make a Query...

Creating a Report

You can create a report through the Query page, or you can create a report from scratch on the Reports page. These instructions detail creating a report from the Reports page, but are applicable to editing reports and to creating reports from the Query page. Step 1 On the Reports page, click the Add button. Step 2 In the Report Name and Report Description fields, enter a report name and description. Click the Next button. Step 3 Select the schedule parameters for the report. Step 4 Select a...

Data Enabling Features

Adding the reporting devices and mitigation devices is the primary method of providing MARS with the data required to study the activities on your network. However, other features, both within the web interface and as part of configuring the devices, can provide MARS with additional data, which is used to refine the views it provides and to assist in improving the overall effectiveness of the system. We think of these features as data enabling features. This section contains the following...

Date/Time Format Specification

Date/time field parsing is supported using the Unix strptime() standard C library function. The strptime() function is the converse of strftime() and converts the character string pointed to by s to values which are stored in the tm structure pointed to by tm, using the format specified by format. Here format is a character string that consists of field descriptors and text characters, reminiscent of scanf(3). Each field descriptor consists of a character followed by another...

Define AAA Clients

To support the 802.1x features of NAC, you must also define the Cisco switches as AAA clients within Cisco Secure ACS. When defining a AAA client, verify the following settings: RADIUS (IETF) is selected in the Using Authentication box, as other RADIUS implementations may not support 802.1x correctly. The Log Update Watchdog Packets from this AAA Client box is selected. Figure 14-1 displays the correct settings for such a client. Figure 14-1 Configure a AAA Client to Support 802.1x...

Define an OPSEC Application that Represents MARS

To integrate a third-party OPSEC application with Check Point components, you must define the application and associate it with the host on which the application is running. In addition to identifying this OPSEC application to the Check Point system, this procedure results in the generation of the client SIC DN for the MARS Appliance. Both the client SIC DN and the server SIC DN, obtained in Obtain the Server Entity SIC Name, page 4-27, are required to enable secure communications between the...

Define Vulnerability Assessment Information

For each host that you define in MARS, you can specify information about that host that assists MARS in assessing whether that host is vulnerable to the attacks that MARS detects. For example, you can identify the operating system running on the host, even providing the latest or nearest patch level. When an attack is detected that is targeted toward a specific operating system, then MARS can quickly determine whether the host is running the operating system that is targeted. For hosts that are...

Determine Devices to Monitor and Restrictions

To configure Check Point devices, you must identify the central management server and managed components, bootstrap them, and add and configure them in the MARS web interface. The Check Point product line and release, as well as the number of devices managed, determines which tasks you must perform to configure MARS to monitor your Check Point devices. Representing a Check Point device in MARS involves two steps: 1. Define a primary management station. This primary management station represents...

Display Dynamic Device Information

To display current, session, and all historical information for an IP address on an 802.1X connection, follow these steps: Click on the Incident ID to display the session summaries as shown in Figure 19-8. Click on the Source IP Port or Destination IP link of a session. When examining an attacking host, the Source IP address is more relevant. The current connection information pop-up window appears to display any static connection information. Click Dynamic Info to display current connection...

Duplicate a Rule

Duplicating a rule creates a new rule that is a copy of an existing system or user inspection rule. You can edit all of the fields of a duplicate rule, but only the Source IP, Destination IP, and Device fields of a system inspection rule. The original rule is left unchanged after duplication. You cannot delete a rule after it is created by Duplicate or Add. To duplicate a rule, follow these steps: Select the checkbox of the rule to duplicate. The name of the duplicated rule is the name of the...

Enable FTP-based Administrative Access

To enable configuration discovery using FTP access, you must place a copy of the Cisco router's or switch's configuration file on an FTP server to which the MARS Appliance has access. This FTP server must have
Note TFTP is not supported. You must use an FTP server.
You must copy the running configuration from the Cisco router or switch. For information on copying the running configuration, refer to your device documentation or the following URL .shtml
Keep in mind that the running configuration contains device credentials and SNMP community strings, and that FTP transfers both the file and the FTP login in cleartext; limit which hosts can reach this server and who can read the copied file.

Enable NAC-specific Messages

Cisco routers and switches running Cisco IOS Software release 12.2 or CatOS can be configured to generate Network Admission Control (NAC) specific data. This data includes:
Client logs. These logs record the activities of the client software.
RADIUS server logs. These logs record the authorization exchanges between clients and the posture validation servers.
Network access device logs. These logs record connection attempts by clients and the final authorizations provided by the AAA server enforcing the...

Enable Syslog Messages on CatOS

To configure a Cisco switch running CatOS to send syslog information to MARS, follow these steps:
Step 1 To enable the syslog server on the switch, enter
Step 2 To identify the MARS Appliance as a destination for syslog messages, enter the following command: set logging server <IP address of MARS Appliance>
Step 3 The remaining commands tell the switch what kinds of logging information to provide and at what level. The commands in the following example can be changed to suit your...

Example A Excessive Denies to a Particular Port on the Same Host

Figure 21-3 Rule for Excessive Denies to a Particular Port on the Same Host
Description: Excessive denies to a particular port on the same host.
Rule columns: Offset, Open, Source IP, Destination IP, Service Name, Event, Device, Severity, Counts, Zone, Close, Operation.
Rule line 1 as shown in the figure: Source IP ANY; Destination IP $TARGET01; Service Name $ANY_DEST_PORT1; Event FirewallPolicyViolation/ACL; Device ANY; Severity ANY; Counts 100 (the remaining cells of the line are not legible in the figure). The $TARGET01 and $ANY_DEST_PORT1 variables require every counted event to share the same destination host and the same destination port...
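
The rule above, worked through as an added example that is not part of the guide and not MARS code: the Python below counts deny events per destination host and port exactly as the $TARGET01 and $ANY_DEST_PORT1 variables do, and runs it over constructed traffic so you can see which streams fire and which do not. The figure shows only the Counts cell (100), the two variables and the ANY wildcards; the 10-minute window, the spelling of the event type, the device names and the addresses are assumptions made for the example.

```python
"""Evaluate the Figure 21-3 rule ("excessive denies to a particular port on the
same host") in plain Python. Added example, not MARS code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    event_type: str
    device: str


DENY_EVENT = "FirewallPolicyViolation/ACL"  # assumed spelling of the rule's Event cell
COUNT_THRESHOLD = 100                       # the rule's Counts cell
WINDOW = timedelta(minutes=10)              # assumed; the figure does not show the window


def excessive_denies(events, threshold=COUNT_THRESHOLD, window=WINDOW):
    """Return [(dst_ip, dst_port, count)] for every (host, port) that fired.

    Source, device and severity are ANY in the rule, so only the event type is
    filtered. $TARGET01 and $ANY_DEST_PORT1 bind the destination host and port:
    all events counted together must agree on both, which the bucket key
    enforces. A bucket fires when `threshold` events fall inside `window`.
    """
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_type == DENY_EVENT:
            buckets[(e.dst_ip, e.dst_port)].append(e.ts)

    fired = []
    for (dst_ip, dst_port), stamps in buckets.items():
        start = 0
        for end, ts in enumerate(stamps):        # sliding window over sorted times
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                fired.append((dst_ip, dst_port, end - start + 1))
                break                            # one incident per (host, port)
    return fired


def sample_events():
    """Constructed traffic: one stream that should fire and two that should not."""
    base = datetime(2008, 5, 3, 9, 0, 0)
    evs = []
    # 120 denies from 50 sources to one host and port within 4 minutes: fires.
    for i in range(120):
        evs.append(Event(base + timedelta(seconds=2 * i), f"192.0.2.{i % 50 + 1}",
                         "10.1.1.5", 445, DENY_EVENT, "fw1"))
    # A port sweep: same host, a different port each time: never 100 on one port.
    for i in range(120):
        evs.append(Event(base + timedelta(seconds=2 * i), "192.0.2.99",
                         "10.1.1.6", 1 + i, DENY_EVENT, "fw1"))
    # A slow trickle, one deny every 30 s for an hour: at most 21 inside any window.
    for i in range(120):
        evs.append(Event(base + timedelta(seconds=30 * i), "192.0.2.7",
                         "10.1.1.7", 80, DENY_EVENT, "fw2"))
    return evs


if __name__ == "__main__":
    for dst_ip, dst_port, count in excessive_denies(sample_events()):
        print(f"fired: {count} denies to {dst_ip}:{dst_port}")
```

Lowering the threshold makes the slow trickle fire as well, which is the tuning trade-off the Counts cell controls: a high count suppresses noisy-but-legitimate ACL denies, a low one catches slower scans at the cost of more incidents.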

Filter By Time

The present time minus the number of days, hours, and minutes entered. Absolute literal time ranges defined by the date to the minute. Streams rolling real-time results from recent past to current time. Result Formats that work in real time are All Matching Sessions, page 20-7, All Matching Events, page 20-7, and All Matching Event Raw Messages, page 20-7. Real Time results appear in a normal browser window. Moving the scroll bar stops the rolling behavior. Clicking the Resume button on the...

Generic Character Types

The third use of backslash is for specifying generic character types. The following are always recognized Each pair of escape sequences partitions the complete set of characters into two disjoint sets. Any given character matches one, and only one, of each pair. These character type sequences can appear both inside and outside character classes. They each match one character of the appropriate type. If the current matching point is at the end of the subject string, all of them fail, since there...

Guidelines for Configuring NetFlow on Your Network

Ideally, NetFlow should be collected from the core and distribution switches in your network. These switches, together with NetFlow from Internet-facing routers or syslog from firewalls, typically cover the entire network. With this in mind, review the following guidelines before deploying NetFlow in your network:
MARS normalizes NetFlow and syslog events to prevent duplicate event reporting from the same reporting device.
Review the VLANs in your switches and pick several VLANs for which the...

Incident Details Page

Clicking the Incident ID takes you to its Incident Details page. The Incident Details page is rich in information and information gathering tools. This page answers questions, such as who did it, what event types happened, when it happened, and to whom it happened. On the top of this page are the tools that let you search for Incident and Session ID and view the Matched Rule.

Incident Details Table

Each row of the Incident Details table represents either a session or the information common to a group of sessions. You can see all of the collapsed session information by clicking the plus signs to expand the group. You can expand or collapse all of the incident's information by clicking the Expand All or Collapse All buttons.
Table columns: Offset, Session/Event Type, Incident ID, Source IP/Port, Destination IP/Port. (The example rows are Built/teardown permitted IP connection events.)

Manually Add a Child Enforcement Module or Log Server to a Check Point Primary Management Station

If you have not enabled configuration discovery on the primary management station or if one or more of the managed firewalls uses a log server that is not managed by the primary management station, you can manually define firewalls or log servers. Your goal should be to represent all of the firewalls managed by this primary management station and all log servers used by those firewalls and the primary management station. While MARS does not discover configuration settings of the firewalls, it...

MARS MIB Format

The MARS management information base (MIB) is defined for all MARS releases. The SNMP notification contains the same content as the syslog message generated by MARS. The MARS MIB definition is as follows:
enterprises.16686.1.0 string MARS-1-101
enterprises.16686.2.0 string <alert_content>
The MARS private enterprise number is 16686, and <alert_content> is defined as follows:
<priorityInfo> <current_time> MARS-1-101 Rule <ruleid> (<rulename>) fired and caused <...
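
As an added example (not code from the guide or from MARS), here is a small Python decoder for a MARS notification as a trap receiver would hand it over: it checks that the two varbinds sit under enterprise 16686 and carry MARS-1-101, then parses the documented prefix of <alert_content>. The guide's definition is cut off after "fired and caused", so everything after that is kept as free text. Treating <priorityInfo> as a syslog <PRI> number, the "Mon dd HH:MM:SS" timestamp layout, and the sample varbinds are all assumptions constructed for the example.

```python
"""Decode a MARS SNMP notification (enterprise 16686). Added example, not MARS code."""
import re

MARS_ENTERPRISE = "1.3.6.1.4.1.16686"      # enterprises.16686
OID_MESSAGE_ID = MARS_ENTERPRISE + ".1.0"  # string "MARS-1-101"
OID_ALERT = MARS_ENTERPRISE + ".2.0"       # string <alert_content>

# Documented prefix of <alert_content>:
#   <priorityInfo> <current_time> MARS-1-101 Rule <ruleid> (<rulename>) fired and caused ...
# Assumptions: <priorityInfo> is a syslog <PRI> number; <current_time> is "Mon dd HH:MM:SS".
_ALERT_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"MARS-1-101\s+Rule\s+(?P<ruleid>\d+)\s+\((?P<rulename>[^)]*)\)\s+"
    r"fired and caused\s+(?P<rest>.*)$",
    re.DOTALL,
)


def decode_trap(varbinds):
    """varbinds: iterable of (dotted OID, value) pairs from a trap receiver.

    Returns a dict of the parsed fields, or raises ValueError if the varbinds
    do not carry a MARS-1-101 alert in the documented shape.
    """
    vb = dict(varbinds)
    if vb.get(OID_MESSAGE_ID) != "MARS-1-101":
        raise ValueError("not a MARS-1-101 notification (enterprises.16686.1.0 mismatch)")
    m = _ALERT_RE.match(vb.get(OID_ALERT, ""))
    if m is None:
        raise ValueError("alert_content does not start with the documented prefix")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,                   # syslog PRI = facility * 8 + severity
        "severity": pri % 8,
        "time": m["time"],
        "rule_id": int(m["ruleid"]),
        "rule_name": m["rulename"],
        "remainder": m["rest"].strip(),         # text after "caused", not parsed
    }


# Constructed sample; the text after "caused" is invented for illustration.
SAMPLE_VARBINDS = [
    (OID_MESSAGE_ID, "MARS-1-101"),
    (OID_ALERT,
     "<189> May  3 09:01:23 MARS-1-101 Rule 131 "
     "(Excessive denies to a particular port on the same host) fired and caused "
     "incident 10300958 with 100 events"),
]

if __name__ == "__main__":
    print(decode_trap(SAMPLE_VARBINDS))
```

Checking the enterprise OIDs before parsing matters on a shared trap receiver: any device can send a varbind whose string happens to start with "<189>", and only the 16686 prefix ties the payload to MARS.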

Nonprinting Characters

A second use of backslash provides a way of encoding non-printing characters in patterns in a visible manner. There is no restriction on the appearance of non-printing characters, apart from the binary zero that terminates a pattern, but when a pattern is being prepared by text editing, it is usually easier to use one of the following escape sequences than the binary character it represents:
\a alarm, that is, the BEL character (hex 07)
\cx control-x, where x is any character
\ddd character with...

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources. Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to...

Ordering Documentation

You can find instructions for ordering documentation at this URL You can order Cisco documentation in these ways Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).

Overview of Cisco Security Manager Policy Table Lookup

When MARS receives a syslog message from a Cisco PIX firewall, Cisco Adaptive Security Appliance (Cisco ASA), Cisco Firewall Services Module (Cisco FWSM), or Cisco IOS device, and can derive the five-tuple required to establish an event (source IP, destination IP, source port, destination port, and protocol), the Security Manager Policy Table Lookup icon appears in the Reporting Device column of the MARS session display. Clicking the icon invokes a query to the Security Manager, the result of...

Page Refresh

Data Reduction is a measure of how much event data the Local Controller has collapsed into sessions. For example, a data reduction of 66 percent means three events per session on average; the figure depends on many variables particular to your network. The Page Refresh Rate polls the Local Controller at the interval you set. The default setting is fifteen minutes. The refresh setting persists until you log out. This setting applies only to the pages that have the...

Perform a Long-Duration Query

This section explains how to create and view a long-duration query on the MARS. There are two ways to perform a long-duration query on the MARS:
1. Modifying an existing report. Advantage: the report is compiled relatively quickly, and you can compile data gathered over a longer time period. Disadvantage: this type of query can be used only without any changes to the query criteria other than the time range, and only with the following reports: Activity All - Top Destination Ports; Activity All - Top...

Perform a Batch Query

This type of long-duration query can take a long time to complete and is therefore better suited to shorter time ranges.
Note Only Admin users can perform a batch query.
To perform a batch query, follow these steps:
Step 1 Click the QUERY / REPORTS > Query tab. The Query window appears (Figure 20-22 Query window; the query type shown is Event Types ranked by Sessions over the last 10 minutes, with Edit and Clear controls).
Step 2...

Prerequisites for Mitigation with 802.1X Network Mapping

To perform mitigation with 802.1X network mapping in CS-MARS, the following prerequisites must be met:
A Cisco switch running Cisco CatOS or IOS and configured with IEEE 802.1X Port-Based Network Access Control.
The switch's reporting IP address must be configured on the CS-MARS Security and Monitoring Information page (Admin > Security and Monitor Devices).
Cisco DHCP snooping enabled on the switch.
The switch performs Remote Authentication Dial-In User Service (RADIUS) authentication, ...

Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS

To view a Cisco Security Manager policy table from Cisco Security MARS, follow these steps:
Step 1 Log on to MARS as an Administrator or Security Analyst.
Step 2 Identify the incident or event to investigate. In this procedure, the incident to investigate appears in the Recent Incidents section of the Dashboard, as shown in Figure 16-2. ...

Procedure for Invoking the Real Time Event Viewer

To invoke the real-time event viewer, complete the following steps:
Step 1 Navigate to the Query home page, as shown in Figure 20-13 (the QUERY / REPORTS tab, showing the Load Report as On-Demand Query with Filter control and the Save As Report, Save As Rule, and Submit Inline buttons). ...

Pull Method Configure the Microsoft Windows Host

As an alternative to the push method, you can configure MARS to pull event log data (security, application, and system event logs) from Microsoft Windows hosts. The pull method requires four steps:
1. Ensure that the Windows host and MARS Appliance clocks are synchronized. It is recommended that you configure an NTP server for this purpose. For more information, see Specify the Time Settings, page 5-10.
2. Select an existing or define a new user account on the Windows host that the MARS Appliance...

Queries and Reports

User Guide for Cisco Security MARS Local Controller
Action 20-12
Saving the Query 20-13
Viewing Events in Real-time 20-13
Restrictions for Real-time Event Viewer 20-13
Procedure for Invoking the Real-Time Event Viewer 20-13
Perform a Long-Duration Query Using a Report 20-17
View a Query Result in the Report Tab 20-19
Perform a Batch Query 20-19
Reports 20-22
Report Type Views Total vs. Peak vs. Recent 20-23
Creating a Report 20-24
Prioritizing...

Reading Charts

Activity All - Top Reporting Devices. Ranked by the total number of events reported by each security device.
Activity All - Top Sources. The top IP addresses that appear as session sources, ranked by session count.
Activity All - Top Destinations. The top IP addresses that appear as session destinations, ranked by session count.
For all of the charts on this page, you can set different time frames and chart sizes, view the latest report, and so on, by clicking the buttons in the chart's...

Recent Incidents

The first feature to notice on the Dashboard is the list of recent incidents that have fired. The Local Controller comes with predefined rules, and these incidents are the result of those rules firing. These rules are generic and globally applicable, and should serve you well as a starting point once you begin to tune the Local Controller.
Figure 17-14 Drilling-down into Incidents...

Report Type Views Total vs Peak vs Recent

Where alerts provide up-to-the-minute views of high-priority incidents, reports aggregate sessions into different views. Reports aggregate sessions based on three data points:
The period of time defines boundaries around the analyzed session data based on when it was recorded.
Query criteria restrict the set of sessions to be aggregated to those that match your criteria. Criteria can include source address, destination address, network service, event, reported user, and reporting device.
The...

Reporting and Mitigation Devices Overview

After you complete the initial configuration of the Local Controller as described in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, you must determine a monitoring strategy to use for your network. You must also determine a mitigation strategy if you choose to take advantage of the MARS mitigation features. For guidance on how to determine the monitoring and mitigation strategies, see STM Task Flow Overview, page 1-1. This chapter assumes that you have made...

Reset the Opsec Application Certificate of the MARS Appliance

If you encounter an error when pulling the certificate as part of defining the Check Point devices in the MARS web interface, you must reset the certificate before you can attempt to pull it again. This procedure details how to reset the certificate, or SIC, associated with the OPSEC Application that is associated with the host that represents the MARS Appliance. To reset the OPSEC application certificate, follow these steps Step 1 Log in to the correct Check Point user interface using an...

Retrieve Raw Messages From Archive Server

Use this selection if archiving is enabled. To retrieve event data from an archive server, follow these steps:
Step 1 Click Admin > System Maintenance > Retrieve Raw Messages.
Step 2 Specify the time range by entering values in the Start and End fields.
Step 3 Verify that Retrieve Data From Archived Files is selected. The data is retrieved from the server identified under Admin > System Maintenance > Data Archiving. While MARS...

Retrieve Raw Messages From the Database of a Local Controller

Use this selection if archiving is not enabled or if you need to view event data that was received within the past hour. To retrieve event data from the database, follow these steps:
Step 1 Click Admin > System Maintenance > Retrieve Raw Messages.
Step 2 Specify the time range by entering values in the Start and End fields.
Step 3 Select Retrieve from Database.
Step 4 Select one of the following options:
Save to Local. This option retrieves...

Rule and Report Group Overview

Rule and report groups help you manage rules and reports by speeding access to those rules and reports relevant to your task at hand. You can create groups, or use the groups provided with CS-MARS (System groups). Groups act as filters to limit the display of rules, reports, and incidents in the CS-MARS HTML interface. All groups can be modified or deleted. CS-MARS provides over 100 system rules and 150 system reports. More can be added by creating custom rules and reports, and by performing...

Search for a User

Step 1 Enter the text that you want to search for in the Search field.
Step 2 Click Search.
From the Management User tab, check the box next to the user's name and click Edit to change the user's configuration information. The User Configuration page appears. In the Name field, enter a name for the group. To add users to the group, check the users in the list on the right-hand side and click Add. The checked names move to the left-hand side of the dialog box. To remove users from the group, select the...

Seed File Header Columns

Table 2-4 describes the columns in the seed files and identifies valid values. If you do not enter a value for a given column, you must enter a comma to delineate that column. Note Remember that you do not have to add all of the devices' configuration information at once. You can start by adding the device's name and its access IP address. You can always return later, when the MARS starts to report to you, and provide more details. Table 2-4 Seed File Column Description Table 2-4 Seed File...

Selecting the Access Type

The access type refers to the administrative protocol that MARS uses to access a reporting device or mitigation device. For most devices monitored by MARS, you can choose from among four administrative access protocols:
SNMP. SNMP access provides administrative access to the device and allows discovery of its settings, such as routes, connected networks, ARP tables, and address translations, by means of an SNMP walk. Note that the community string authenticating this access is sent in cleartext by SNMPv1 and SNMPv2c, so treat it as a credential. If granted read-write access, SNMP also allows for...

Selecting the Devices to Monitor

All monitoring strategies involve selecting the types of devices to monitor and how much data to provide to the MARS Appliance. All devices on your network, be they hosts, gateways, security devices, or servers, provide some level of data that MARS can use to improve the accuracy of security incident identification. However, careful consideration of what data to provide can improve attack identification response time by ensuring that MARS does not perform unnecessary or redundant event...

Sessions and Events

Within a given time window, a session is a collection of events that all share a common end-to-end:
Source and destination address
Source and destination port
Event sessionization aggregates event data, making it easier to sort and examine. Sessionization lets the system treat events as single units of information and helps you determine whether an attack has truly materialized. It gives you the context of the attack by presenting all the events on that session. Sessionization works across NAT...
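
Sessionization, as an added example in Python (not MARS code): events from two reporting devices are grouped on the tuple the text describes (protocol, source address and port, destination address and port), and the NAT case is handled by rewriting a translated address back to the inside address before keying, which is what lets the firewall's and the IDS's view of one connection land in the same session. The 5-minute idle timeout that closes a session, the translation table and the event records are all constructed for the example.

```python
"""Group events into sessions on the normalized 5-tuple, across NAT.
Added example, not MARS code."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    device: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    text: str


SESSION_TIMEOUT = timedelta(minutes=5)  # assumed idle gap that closes a session


def normalize(event, xlate):
    """Map a translated (global) endpoint back to the inside endpoint.

    xlate: {(global_ip, global_port): (inside_ip, inside_port)}, the kind of
    table a firewall's own translation messages would populate. Both endpoints
    are checked so that replies toward the translated address match as well.
    """
    if (event.src_ip, event.src_port) in xlate:
        ip, port = xlate[(event.src_ip, event.src_port)]
        return replace(event, src_ip=ip, src_port=port)
    if (event.dst_ip, event.dst_port) in xlate:
        ip, port = xlate[(event.dst_ip, event.dst_port)]
        return replace(event, dst_ip=ip, dst_port=port)
    return event


def sessionize(events, xlate, timeout=SESSION_TIMEOUT):
    """Return a list of sessions; each session is a list of the original events.

    Events sharing protocol, source address/port and destination address/port
    (after NAT normalization) join the same session while the gap between
    consecutive events on that tuple stays within `timeout`; a longer gap,
    e.g. a later reuse of the same source port, opens a new session.
    """
    sessions = []
    open_by_tuple = {}  # 5-tuple -> (index into sessions, timestamp of last event)
    for ev in sorted(events, key=lambda e: e.ts):
        n = normalize(ev, xlate)
        key = (n.proto, n.src_ip, n.src_port, n.dst_ip, n.dst_port)
        entry = open_by_tuple.get(key)
        if entry is None or ev.ts - entry[1] > timeout:
            sessions.append([])
            entry = (len(sessions) - 1, ev.ts)
        sessions[entry[0]].append(ev)
        open_by_tuple[key] = (entry[0], ev.ts)
    return sessions


def sample():
    """Constructed events: a firewall inside the NAT and an IDS outside it."""
    t0 = datetime(2008, 5, 3, 9, 1, 0)
    # fw1 translates 10.1.1.5:40001 to 198.51.100.2:12000 for this connection.
    xlate = {("198.51.100.2", 12000): ("10.1.1.5", 40001)}
    events = [
        Event(t0, "fw1", "tcp", "10.1.1.5", 40001, "203.0.113.9", 80,
              "Built outbound TCP connection"),
        Event(t0 + timedelta(seconds=1), "ids1", "tcp", "198.51.100.2", 12000,
              "203.0.113.9", 80, "WWW directory traversal attempt"),
        Event(t0 + timedelta(seconds=2), "fw1", "tcp", "10.1.1.5", 40001,
              "203.0.113.9", 80, "Teardown TCP connection"),
        Event(t0 + timedelta(seconds=3), "fw1", "tcp", "10.1.1.6", 40002,
              "203.0.113.9", 80, "Built outbound TCP connection"),
        # Same inside endpoint reused 20 minutes later: a separate session.
        Event(t0 + timedelta(minutes=20), "fw1", "tcp", "10.1.1.5", 40001,
              "203.0.113.9", 80, "Built outbound TCP connection"),
    ]
    return events, xlate


if __name__ == "__main__":
    events, xlate = sample()
    for i, s in enumerate(sessionize(events, xlate)):
        print(f"session {i}: " + ", ".join(f"{e.device}:{e.text}" for e in s))
```

Run with an empty translation table, the IDS event becomes a session of its own, which is the practical effect of a firewall that does not report its translations: the attack signature and the connection it rode in on are never shown together.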

Specify Log Info Settings for a Child Enforcement Module or Log Server

There are two occasions when you must define the log settings manually:
If you do not discover the settings of the primary management station (discovery retrieves the log settings).
If the child enforcement module does not propagate its logs up to the primary management station.
Three options exist for manually specifying the log settings:
Management. Identifies that the child enforcement module propagates its logs up to the primary management station, the MLM or the SmartCenter server. You do not...

Square Brackets and Character Classes

An opening square bracket introduces a character class, terminated by a closing square bracket. A closing square bracket on its own is not special. If a closing square bracket is required as a member of the class, it should be the first data character in the class (after an initial circumflex, if present) or escaped with a backslash. A character class matches a single character in the subject. In UTF-8 mode, the character may occupy more than one byte. A matched character must be in the set of...
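
The three backslash and bracket rules quoted above (generic character types, non-printing escapes, and the placement of a literal ']' in a character class) checked empirically, as an added example that is not part of the original text: Python's re module stands in for PCRE here, with re.ASCII so that \d, \s and \w use the same ASCII tables PCRE uses by default. One difference to note: Python's re does not accept PCRE's \cx control-character form, so BEL is written only as \x07, \007 and \a.

```python
"""Check the character-class and escape rules described above with Python's re
module standing in for PCRE. Added example, not from the original text."""
import re

ASCII = re.ASCII  # PCRE's default tables are ASCII; keep Python's \d \s \w the same

# Generic character types come in complementary pairs.
PAIRS = ((r"\d", r"\D"), (r"\s", r"\S"), (r"\w", r"\W"))


def partitions(pairs=PAIRS, alphabet=range(256)):
    """True if every character matches exactly one escape of each pair."""
    for lower, upper in pairs:
        low, up = re.compile(lower, ASCII), re.compile(upper, ASCII)
        for cp in alphabet:
            ch = chr(cp)
            if bool(low.fullmatch(ch)) == bool(up.fullmatch(ch)):
                return False           # neither matched, or both did
    return True


def fails_at_end(escape):
    """At the end of the subject there is no character left, so even \\D fails."""
    return re.match(escape, "", ASCII) is None


def class_members(pattern, candidates):
    """Return the candidate characters that the single-character class matches."""
    return [c for c in candidates if re.fullmatch(pattern, c, ASCII)]


# A literal ']' goes first in the class (after '^' for a negated class) or is escaped.
BRACKET_FIRST = r"[]a]"
BRACKET_NEGATED = r"[^]a]"
BRACKET_ESCAPED = r"[a\]]"

# Non-printing characters written visibly: BEL as \xhh, as octal \ddd, and as \a.
# (PCRE's \cx form is not accepted by Python's re and is omitted here.)
BEL_PATTERNS = (r"\x07", r"\007", r"\a")


def bel_patterns_match(patterns=BEL_PATTERNS, subject="\x07"):
    """True if every visible spelling of BEL matches the real BEL byte."""
    return all(re.fullmatch(p, subject, ASCII) is not None for p in patterns)


if __name__ == "__main__":
    print("pairs partition the character set:", partitions())
    print("all fail at end of subject:", all(fails_at_end(e) for p in PAIRS for e in p))
    print("[]a] matches:", class_members(BRACKET_FIRST, "]ab"))
    print("[^]a] matches:", class_members(BRACKET_NEGATED, "]ab"))
    print("BEL escapes agree:", bel_patterns_match())
```

The partition check is the one worth keeping around when writing log-parsing patterns: it is what guarantees that \D cannot silently swallow a digit and that a negated class and its positive form never both match the same byte.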

STM Task Flow Overview

This chapter describes the project phases and task flows that you should follow when you deploy MARS as a security threat mitigation (STM) system in your network. First, however, you must develop a set of policies that enables the application of security measures. Identify security objectives for your organization. Document the resources to protect. Identify the network infrastructure with current maps and inventories. Identify the critical resources (such as research and development, finance,...

Submitting a Service Request

Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL For...