
Cisco MARS .. has anyone here truly implemented this


blade10 (IS-IT--Management), Feb 2, 2008
All-

I have read the benefits of this on numerous Cisco links. I've explored the white papers... but has anyone here truly brought this security policy into their production environment.. can anyone just suggest some pros and cons

thanks

blade
 
I've seen them implemented in two places and my personal opinion is they're a total waste of time and money. I'm not very popular with the security folks because I feel the same way about IDS/IPS. You spend a lot of time and money configuring them and training the devices to ignore the false positives. A couple of years later you realize that nearly 99.999% of the alerts you got were false positives.

I think you're better off spending your money on creating a secure infrastructure in the first place. If you want a monitoring solution, there are probably better options out there than MARS.

Just my opinion, of course. :)
 
I put one in at an educational establishment a while ago; apart from a few presentations and the documentation I knew very little about them. At the site they have a reasonably secure campus infrastructure but they also have a student accommodation infrastructure (i.e. Ethernet port in your room). The two networks don't meet until they hit a failover pair of ASAs where there is very restrictive access from the student network to the internal campus network. However, from the student network out to the Internet it is pretty much a free-for-all.
The CS-MARS appliance is receiving NetFlow from the campus Catalyst 6500s and syslog from the ASA, as well as from an IPS device sitting listening to all traffic to/from the campus (the IPS is not in a physical position to monitor student traffic though).

We explained that the tuning of the CS-MARS would have to be performed by someone internally who could determine false positives etc., as they would need to know the various systems as well as the people responsible for them. The reporting does look relatively intuitive; however, I think I could see the same information from a good NetFlow analyser, i.e. I would know the top talkers, top protocols, potentially infected machines etc. I am sure it does have its benefits when fully deployed with proactive triggers etc., but I am not convinced....

Andy
 
Thanks to both of you for responding!

So from what I'm getting out of this, I shouldn't waste my time. I'll continue using NetFlow via the individual routers I have the feature turned on on, and via SolarWinds, which offers the installation piece through the Engineer toolkit.


thanks again!

blade
 
Just before I joined my current company they ripped out MARS, and many techs here said it was a pile of s**t. I didn't get a technical answer, sorry.
 
ADB100-

Hope all is well. The company bought a 20R.. you mentioned that you installed one at a school. Just curious, but what device does the MARS appliance plug into? I have 3750E core switches.. would that suffice? Would I need to place the port in the 3750 in SPAN mode?

I can't seem to find any good Visios on Cisco's site that actually show WHERE to plug this appliance in and show the flow of traffic it monitors..

If you can point me to some decent urls -I would really appreciate it..

Thanks again

blade
 
I'm sorry to hear that your company bought Cisco's marketing hype. :)
 
The best IDS is one studied and self-written. Packages which auto-create IDS rules from SNMP (NetFlow)/syslog can give false negatives/positives.

MARS would be great for a fresh rollout during implementation/testing :)



 
The CS-MARS isn't an IDS-type device and doesn't directly sniff traffic; it just plugs into the network and is an IP host. It relies on receiving NetFlow and syslog information from infrastructure devices such as routers and firewalls. It can also receive information from any IDS devices you have. It uses this information to put together a picture of what is going on (you MUST have NTP running and all your devices synchronised so it can accurately interpret the information it is receiving). It can then act on specific attack/threat signatures to prevent DoS attacks etc. By default it just monitors and reports though.

You list Catalyst 3750s; unfortunately these don't support NetFlow, so they can't be used to provide flow information to the CS-MARS. They can, though, send syslog, but the information it reports would be limited to what syslog traps are supported by the 3750.

HTH

Andy
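To illustrate Andy's point about MARS building its picture from NetFlow plus firewall syslog, and why NTP synchronisation matters for that, here is an added example (not from the thread or from Cisco) that correlates constructed ASA deny messages with constructed flow records by src/dst/port and time window; the exporter_skew_s parameter models an unsynchronised NetFlow exporter and shows the correlation collapsing when the clocks drift apart:

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not from the thread): ASA 106023 deny messages from a
# student-to-campus ACL, and NetFlow-style records exported by a campus switch.
ASA_SYSLOG = [
    'Feb 02 2008 10:15:03: %ASA-4-106023: Deny tcp src student:10.20.1.55/51234 dst campus:10.1.5.10/445 by access-group "student_in"',
    'Feb 02 2008 10:15:04: %ASA-4-106023: Deny tcp src student:10.20.1.55/51235 dst campus:10.1.5.11/445 by access-group "student_in"',
    'Feb 02 2008 10:15:09: %ASA-4-106023: Deny udp src student:10.20.1.77/5000 dst campus:10.1.5.20/161 by access-group "student_in"',
]
NETFLOW = [  # (srcaddr, dstaddr, dstport, flow start time as stamped by the exporter's clock)
    ("10.20.1.55", "10.1.5.10", 445, datetime(2008, 2, 2, 10, 15, 3)),
    ("10.20.1.55", "10.1.5.11", 445, datetime(2008, 2, 2, 10, 15, 4)),
    ("10.20.1.55", "10.1.5.99", 445, datetime(2008, 2, 2, 10, 15, 5)),  # no matching firewall deny
    ("10.20.1.77", "10.1.5.20", 161, datetime(2008, 2, 2, 10, 15, 9)),
]

DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")

def parse_asa_deny(line):
    """Return (src, dst, dport, timestamp) for an ASA 106023 deny line, else None."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return m["src"], m["dst"], int(m["dport"]), ts

def correlate(syslog_lines, flows, window_s=2, exporter_skew_s=0):
    """Pair each firewall deny with the flow record for the same src/dst/port whose
    start time falls within window_s seconds of the deny. exporter_skew_s is the
    clock offset of a NetFlow exporter that is not NTP-synchronised with the ASA."""
    window = timedelta(seconds=window_s)
    skew = timedelta(seconds=exporter_skew_s)
    matches = []
    for line in syslog_lines:
        ev = parse_asa_deny(line)
        if ev is None:
            continue
        src, dst, dport, ts = ev
        for fsrc, fdst, fdport, fstart in flows:
            if (fsrc, fdst, fdport) == (src, dst, dport) and abs((fstart + skew) - ts) <= window:
                matches.append((src, dst, dport))
                break
    return matches

if __name__ == "__main__":
    print("synchronised clocks:", correlate(ASA_SYSLOG, NETFLOW))
    print("exporter 5 min fast:", correlate(ASA_SYSLOG, NETFLOW, exporter_skew_s=300))
```

With synchronised clocks all three denies pair with a flow; with the exporter five minutes off, nothing correlates even though the same traffic is in both feeds.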
 
blade10, can you tell us more about what you expect the MARS to do from a technical perspective? It sounds like your management bought a "solution" to some supposed problem without going into the technical details, and now they've handed you this "solution" and want you to implement it. I fear that it may not do what they (or you) think it will do.
 
I can the act on specific attack/threat signatures to prevent DoS attacks etc. By default it just monitors and reports though.

You list Catalyst 3750's, unfortunately these don't support NetFlow so can be used to provide flow information to the CS-MARS

Sorry, fat fingers and trying to talk on the phone there....
It should have read:
"It can then act on specific attack/threat signatures to prevent DoS attacks etc. By default it just monitors and reports though.

You list Catalyst 3750's, unfortunately these don't support NetFlow so can't be used to provide flow information to the CS-MARS"

Andy
 