Cisco CS-MARS-20-K9 - Security MARS 20, MARS 20, MARS 50, MARS 100, MARS 200 User Manual

Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
User Guide for Cisco Security MARS Local Controller
Release 4.2.x December 2006
Customer Order Number: Text Part Number: 78-17020-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Cisco’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
Modifying the equipment without Cisco’s written authorization may result in the equipment no longer complying with FCC requirements for Class A or Class B digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the Cisco equipment or one of its peripheral devices. If the equipment causes interference to radio or television reception, try to correct the interference by using one or more of the following measures:
• Turn the television or radio antenna until the interference stops.
• Move the equipment to one side or the other of the television or radio.
• Move the equipment farther away from the television or radio.
• Plug the equipment into an outlet that is on a different circuit from the television or radio. (That is, make certain the equipment and the television or radio are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Cisco Systems, Inc. could void the FCC approval and negate your authority to operate the product.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
User Guide for Cisco Security MARS Local Controller
Copyright © 2006 Cisco Systems, Inc. All rights reserved.
CCVP, the Cisco logo, and the Cisco Square Bridge logo are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networking Academy, Network Registrar, Packet, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0705R)
iii
User Guide for Cisco Security MARS Local Controller
78-17020-01
CONTENTS
Preface xix
Introduction xix
The MARS Appliance xix
The MARS Web Interface xix
About This Manual xx
Obtaining Documentation xxi
Cisco.com xxi
Product Documentation DVD xxi
Ordering Documentation xxii
Documentation Feedback xxii
Cisco Product Security Overview xxii
Reporting Security Problems in Cisco Products xxii
Product Alerts and Field Notices xxiii
Obtaining Technical Assistance xxiii
Cisco Support Website xxiii
Submitting a Service Request xxiv
Definitions of Service Request Severity xxv
Obtaining Additional Publications and Information xxv
CHAPTER 1 STM Task Flow Overview 1-1
Checklist for Provisioning Phase 1-2
Checklist for Monitoring Phase 1-9
Strategies for Monitoring, Notification, Mitigation, Remediation, and Audit 1-16
Appliance-side Tuning Guidelines 1-17
Device Inventory Worksheet 1-18
User Role Worksheet 1-20
CHAPTER 2 Reporting and Mitigation Devices Overview 2-1
Levels of Operation 2-1
Selecting the Devices to Monitor 2-2
Understanding Access IP, Reporting IP, and Interface Settings 2-8
Access IP 2-9
Reporting IP 2-9
Interface Settings 2-10
Selecting the Access Type 2-10
Configure SNMP Access for Devices in MARS 2-11
Configure Telnet Access for Devices in MARS 2-11
Configure SSH Access for Devices in MARS 2-12
Configure FTP Access for Devices in MARS 2-12
Bootstrap Summary Table 2-12
Adding Reporting and Mitigation Devices 2-16
Add Reporting and Mitigation Devices Individually 2-17
Edit a Device 2-18
Upgrade the Device Type to a Newer Version 2-18
Delete a Device 2-19
Delete All Displayed Reporting Devices 2-20
Add Multiple Reporting and Mitigation Devices Using a Seed File 2-20
Devices that Require Custom Seed Files 2-21
Devices that Require Updates After the Seed File Import 2-21
Seed File Header Columns 2-21
Load Devices From the Seed File 2-24
Adding Reporting and Mitigation Devices Using Automatic Topology Discovery 2-25
Verify Connectivity with the Reporting and Mitigation Devices 2-26
Discover and Testing Connectivity Options 2-26
Run a Reporting Device Query 2-27
Activate the Reporting and Mitigation Devices 2-27
Data Enabling Features 2-28
Layer 2 Discovery and Mitigation 2-29
Networks for Dynamic Vulnerability Scanning 2-29
Select a Network for Scanning 2-30
Create a Network IP Address for Scanning 2-30
Create a Network IP Range for Scanning 2-30
Understanding NetFlow Anomaly Detection 2-30
How MARS Uses NetFlow Data 2-31
Guidelines for Configuring NetFlow on Your Network 2-32
Enable Cisco IOS Routers and Switches to Send NetFlow to MARS 2-32
Configuring Cisco CatIOS Switch 2-34
Enable NetFlow Processing in MARS 2-34
Host and Device Identification and Detail Strategies 2-36
Configuring Layer 3 Topology Discovery 2-37
Add a Community String for a Network 2-37
Add a Community String for an IP Range 2-37
Add Valid Networks to Discovery List 2-38
Remove Networks from Discovery List 2-38
Discover Layer 3 Data On Demand 2-38
Scheduling Topology Updates 2-39
Schedule a Network Discovery 2-40
To edit a scheduled topology discovery 2-40
To delete a scheduled topology discovery 2-41
To run a topology discovery on demand 2-41
Configuring Resource Usage Data 2-41
Enabling the Required SNMP OIDs for Resource Monitoring 2-42
Configuring Network Admission Control Features 2-52
Integrating MARS with 3rd-Party Applications 2-54
Forwarding Alert Data to 3rd-Party Syslog and SNMP Servers 2-54
MARS MIB Format 2-54
Relaying Syslog Messages from 3rd-Party Syslog Servers 2-56
Configure Syslog-ng Server to Forward Events to MARS 2-56
Configure Kiwi Syslog Server to Forward Events to MARS 2-57
Add Syslog Relay Server to MARS 2-57
Add Devices Monitored by Syslog Relay Server 2-58
CHAPTER 3 Configuring Router and Switch Devices 3-1
Cisco Router Devices 3-1
Enable Administrative Access to Devices Running Cisco IOS 12.2 3-1
Enable SNMP Administrative Access 3-2
Enable Telnet Administrative Access 3-2
Enable SSH Administrative Access 3-2
Enable FTP-based Administrative Access 3-2
Configure the Device Running Cisco IOS 12.2 to Generate Required Data 3-3
Enable Syslog Messages 3-3
Enable SNMP RO Strings 3-3
Enable NAC-specific Messages 3-4
Enable SDEE for IOS IPS Software 3-6
Add and Configure a Cisco Router in MARS 3-6
Cisco Switch Devices 3-9
Enable Communications Between Devices Running CatOS and MARS 3-9
Enable SNMP Administrative Access 3-10
Enable Telnet Administrative Access 3-10
Enable SSH Administrative Access 3-10
Enable FTP-based Administrative Access 3-10
Configure the Device Running CatOS to Generate Required Data 3-11
Enable SNMP RO Strings on CatOS 3-11
Enable Syslog Messages on CatOS 3-11
Enable L2 Discovery Messages 3-12
Add and Configure a Cisco Switch in MARS 3-13
Adding Modules to a Cisco Switch 3-14
Add Available Modules 3-14
Add Cisco IOS 12.2 Modules Manually 3-15
Extreme ExtremeWare 6.x 3-17
Configure ExtremeWare to Generate the Required Data 3-17
Add and Configure an ExtremeWare Switch in MARS 3-18
Generic Router Device 3-18
Add and Configure a Generic Router in MARS 3-19
CHAPTER 4 Configuring Firewall Devices 4-1
Cisco Firewall Devices (PIX, ASA, and FWSM) 4-1
Bootstrap the Cisco Firewall Device 4-2
Enable Telnet Access on a Cisco Firewall Device 4-4
Enable SSH Access on a Cisco Firewall Device 4-4
Send Syslog Files From Cisco Firewall Device to MARS 4-4
Device-Side Tuning for Cisco Firewall Device Syslogs 4-6
Logging Message Command 4-6
List of Cisco Firewall Message Events Processed by MARS 4-7
Add and Configure a Cisco Firewall Device in MARS 4-8
Add Security Contexts Manually 4-11
Add Discovered Contexts 4-12
Edit Discovered Security Contexts 4-13
NetScreen ScreenOS Devices 4-14
Bootstrap the NetScreen Device 4-15
Add the NetScreen Device to MARS 4-20
Check Point Devices 4-22
Determine Devices to Monitor and Restrictions 4-24
Bootstrap the Check Point Devices 4-25
Add the MARS Appliance as a Host in Check Point 4-26
Define an OPSEC Application that Represents MARS 4-27
Obtain the Server Entity SIC Name 4-30
Select the Access Type for LEA and CPMI Traffic 4-32
Create and Install Policies 4-34
Verify Communication Path Between MARS Appliance and Check Point Devices 4-36
Reset the OPSEC Application Certificate of the MARS Appliance 4-36
Add and Configure Check Point Devices in MARS 4-39
Add a Check Point Primary Management Station to MARS 4-40
Manually Add a Child Enforcement Module or Log Server to a Check Point Primary Management Station 4-44
Add a Check Point Certificate Server 4-47
Edit Discovered Log Servers on a Check Point Primary Management Station 4-48
Edit Discovered Firewall on a Check Point Primary Management Station 4-50
Define Route Information for Check Point Firewall Modules 4-50
Specify Log Info Settings for a Child Enforcement Module or Log Server 4-52
Verify Connectivity Between MARS and Check Point Devices 4-55
Remove a Firewall or Log Server from a Check Point Primary Management Station 4-55
Troubleshooting MARS and Check Point 4-56
CHAPTER 5 Configuring VPN Devices 5-1
Cisco VPN 3000 Concentrator 5-1
Bootstrap the VPN 3000 Concentrator 5-1
Add the VPN 3000 Concentrator to MARS 5-2
CHAPTER 6 Configuring Network-based IDS and IPS Devices 6-1
Cisco IDS 3.1 Sensors 6-1
Configure Sensors Running IDS 3.1 6-1
Add and Configure a Cisco IDS 3.1 Device in MARS 6-4
Cisco IDS 4.0 and IPS 5.x Sensors 6-5
Bootstrap the Sensor 6-5
Enable the Access Protocol on the Sensor 6-6
Enable the Correct Signatures and Actions 6-6
Add and Configure a Cisco IDS or IPS Device in MARS 6-6
Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File 6-8
View Detailed Event Data for Cisco IPS Devices 6-9
Verify that MARS Pulls Events from a Cisco IPS Device 6-10
Cisco IPS Modules 6-10
Enable DTM Support 6-10
Enable SDEE on the Cisco IOS Device with an IPS Module 6-11
Add an IPS Module to a Cisco Switch or Cisco ASA 6-11
ISS Site Protector 6-13
ISS RealSecure 6.5 and 7.0 6-17
Configure ISS RealSecure to Send SNMP Traps to MARS 6-18
Add an ISS RealSecure Device as a NIDS 6-19
Add an ISS RealSecure Device as a HIDS 6-20
IntruVert IntruShield 6-22
Extracting Intruvert Sensor Information from the IntruShield Manager 6-22
Configure IntruShield Version 1.5 to Send SNMP Traps to MARS 6-23
Configure IntruShield Version 1.8 to Send SNMP Traps to MARS 6-23
Add and Configure an IntruShield Manager and its Sensors in MARS 6-25
Add the IntruShield Manager Host to MARS 6-26
Add IntruShield Sensors Manually 6-26
Add IntruShield Sensors Using a Seed File 6-27
Snort 2.0 6-28
MARS Expectations of the Snort Syslog Format 6-28
Configure Snort to Send Syslogs to MARS 6-28
Add the Snort Device to MARS 6-28
Symantec ManHunt 6-29
Symantec ManHunt Side Configuration 6-29
MARS Side Configuration 6-31
Add Configuration Information for Symantec ManHunt 3.x 6-31
NetScreen IDP 2.1 6-31
IDP-side Configuration 6-31
MARS-side Configuration 6-32
Add Configuration Information for the IDP 6-32
Add NetScreen IDP 2.1 Sensors Manually 6-32
Enterasys Dragon 6.x 6-33
DPM/EFP Configuration 6-33
Configure the DPM or EFP 6-33
Host-side Configuration 6-34
Configure the syslog on the UNIX host 6-34
MARS-side Configuration 6-34
Add Configuration Information for the Enterasys Dragon 6-34
Add a Dragon NIDS Device 6-35
CHAPTER 7 Configuring Host-Based IDS and IPS Devices 7-1
Entercept Entercept 2.5 and 4.0 7-1
Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5) 7-1
Create a CSV file for Entercept Agents in Version 2.5 7-2
Define the MARS Appliance as an SNMP Trap Target 7-2
Specify the Events to Generate SNMP Traps for MARS 7-2
Add and Configure an Entercept Console and its Agents in MARS 7-3
Add the Entercept Console Host to MARS 7-3
Add Entercept Agents Manually 7-4
Add Entercept Agents Using a Seed File 7-4
Cisco Security Agent 4.x Device 7-5
Configure CSA Management Center to Generate Required Data 7-5
Configure CSA MC to Forward SNMP Notifications to MARS 7-6
Export CSA Agent Information to File 7-6
Add and Configure a CSA MC Device in MARS 7-7
Add a CSA Agent Manually 7-8
Add CSA Agents From File 7-9
Troubleshooting CSA Agent Installs 7-10
CHAPTER 8 Configuring Antivirus Devices 8-1
Symantec AntiVirus Configuration 8-1
Configure the AV Server to Publish Events to MARS Appliance 8-1
Export the AntiVirus Agent List 8-7
Add the Device to MARS 8-7
Add Agent Manually 8-7
Add Agents from a CSV File 8-8
McAfee ePolicy Orchestrator Devices 8-8
Configure ePolicy Orchestrator to Generate Required Data 8-8
Add and Configure ePolicy Orchestrator Server in MARS 8-12
Cisco Incident Control Server 8-13
Configure Cisco ICS to Send Syslogs to MARS 8-14
Add the Cisco ICS Device to MARS 8-15
Define Rules and Reports for Cisco ICS Events 8-15
CHAPTER 9 Configuring Vulnerability Assessment Devices 9-1
Foundstone FoundScan 3.0 9-1
Configure FoundScan to Generate Required Data 9-2
Add and Configure a FoundScan Device in MARS 9-2
eEye REM 1.0 9-3
Configure eEye REM to Generate Required Data 9-4
Add and Configure the eEye REM Device in MARS 9-4
Qualys QualysGuard Devices 9-5
Configure QualysGuard to Scan the Network 9-6
Add and Configure a QualysGuard Device in MARS 9-6
Schedule the Interval at Which Data is Pulled 9-8
Troubleshooting QualysGuard Integration 9-9
CHAPTER 10 Configuring Generic, Solaris, Linux, and Windows Application Hosts 10-1
Adding Generic Devices 10-1
Sun Solaris and Linux Hosts 10-2
Configure the Solaris or Linux Host to Generate Events 10-2
Configure Syslogd to Publish to the MARS Appliance 10-2
Configure MARS to Receive the Solaris or Linux Host Logs 10-3
Microsoft Windows Hosts 10-4
Push Method: Configure Generic Microsoft Windows Hosts 10-5
Install the SNARE Agent on the Microsoft Windows Host 10-5
Enable SNARE on the Microsoft Windows Host 10-6
Pull Method: Configure the Microsoft Windows Host 10-6
Enable Windows Pulling Using a Domain User 10-7
Enable Windows Pulling from Windows NT 10-7
Enable Windows Pulling from a Windows 2000 Server 10-7
Windows Pulling from a Windows Server 2003 or Windows XP Host 10-8
Configure the MARS to Pull or Receive Windows Host Logs 10-9
Windows Event Log Pulling Time Interval 10-11
Define Vulnerability Assessment Information 10-12
Identify Network Services Running on the Host 10-14
CHAPTER 11 Configuring Database Applications 11-1
Oracle Database Server Generic 11-1
Configure the Oracle Database Server to Generate Audit Logs 11-1
Add the Oracle Database Server to MARS 11-2
Configure Interval for Pulling Oracle Event Logs 11-3
CHAPTER 12 Configuring Web Server Devices 12-1
Microsoft Internet Information Server 12-1
Install and Configure the Snare Agent for IIS 12-1
To configure IIS for web logging 12-2
MARS-side Configuration 12-5
To add configuration information for the host 12-5
Apache Web Server on Solaris or RedHat Linux 12-7
Sun Java System Web Server on Solaris 12-7
Generic Web Server Generic 12-7
Solaris or Linux-side Configuration 12-7
Install and Configure the Web Agent on UNIX or Linux 12-7
Web Server Configuration 12-8
To configure the Apache web server for the agent 12-8
To configure the iPlanet web server for the agent 12-8
MARS-side Configuration 12-9
To add configuration information for the host 12-9
CHAPTER 13 Configuring Web Proxy Devices 13-1
Network Appliance NetCache Generic 13-1
Configure NetCache to Send Syslog to MARS 13-1
Add and Configure NetCache in MARS 13-2
CHAPTER 14 Configuring AAA Devices 14-1
Supporting Cisco Secure ACS Server 14-2
Supporting Cisco Secure ACS Solution Engine 14-2
Bootstrap Cisco Secure ACS 14-3
Configure Cisco Secure ACS to Generate Logs 14-3
Define AAA Clients 14-5
Configure TACACS+ Command Authorization for Cisco Routers and Switches 14-7
Install and Configure the PN Log Agent 14-7
Upgrade PN Log Agent to a Newer Version 14-10
Application Log Messages for the PN Log Agent 14-10
Add and Configure the Cisco ACS Device in MARS 14-12
CHAPTER 15 Configuring Custom Devices 15-1
Adding User Defined Log Parser Templates 15-1
Define a Custom Device/Application Type 15-2
Add Parser Log Templates for the Custom Device/Application 15-3
Add Custom Device or Application as Reporting Device 15-13
CHAPTER 16 Policy Table Lookup on Cisco Security Manager 16-1
Overview of Cisco Security Manager Policy Table Lookup 16-1
More About Cisco Security Manager Device Lookup 16-3
More About Cisco Security Manager Policy Table Lookup 16-4
Prerequisites for Policy Table Lookup 16-4
Restrictions for Policy Table Lookup 16-5
Checklist for Security Manager-to-MARS Integration 16-6
Bootstrapping Cisco Security Manager Server to Communicate with MARS 16-12
Add a Cisco Security Manager Server to MARS 16-13
Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS 16-14
CHAPTER 17 Network Summary 17-1
Navigation within the MARS Appliance 17-1
Logging In 17-1
Basic Navigation 17-2
Help Page 17-4
Your Suggestions Welcomed 17-4
Summary Page 17-6
Dashboard 17-6
Recent Incidents 17-8
Sessions and Events 17-8
Data Reduction 17-9
Page Refresh 17-9
Diagrams 17-9
Manipulating the Diagrams 17-11
Display Devices in Topology 17-12
Network Status 17-12
Reading Charts 17-13
My Reports 17-15
To set up reports for viewing 17-15
CHAPTER 18 Case Management 18-1
Case Management Overview 18-1
Case Management Considerations for the Global Controller 18-3
Hide and Display the Case Bar 18-3
Create a New Case 18-4
Edit and Change the Current Case 18-5
Add Data to a Case 18-6
Generate and Email a Case Report 18-7
CHAPTER 19 Incident Investigation and Mitigation 19-1
Incidents Overview 19-1
The Incidents Page 19-2
Time ranges for Incidents 19-4
Incident Details Page 19-4
To Search for a Session ID or Incident ID 19-4
Incident Details Table 19-5
False Positive Confirmation 19-6
The False Positive Page 19-8
To Tune a False Positive 19-9
To Tune an Unconfirmed False Positive to False Positive 19-9
To Tune an Unconfirmed False Positive to True Positive 19-9
To Activate False Positive Drop Rules 19-10
Mitigation 19-10
802.1X Mitigation Example 19-11
Prerequisites for Mitigation with 802.1X Network Mapping 19-11
Procedure for Mitigation with 802.1X Network Mapping 19-11
Display Dynamic Device Information 19-15
Virtual Private Network Considerations 19-17
Layer 2 Path and Mitigation Configuration Example 19-17
Prerequisites for Layer 2 Path and Mitigation 19-17
Components Used 19-17
Network Diagram 19-18
Procedures for Layer 2 Path and Mitigation 19-19
Add the Cisco Catalyst 5000 with SNMP as the Access Type 19-19
Add the Cisco Catalyst 6500 with SNMP as Access Type (Layer 2 only) 19-20
Add the Cisco 7500 Router with TELNET as the Access Type 19-21
Verify the Connectivity Paths for Layer 3 and Layer 2 19-22
Perform Mitigation 19-26
CHAPTER 20 Queries and Reports 20-1
Queries 20-1
To Run a Quick Query 20-2
To Run a Free-form Query 20-2
To Run a Batch Query 20-3
To Stop a Batch Query 20-4
To Resubmit a Batch Query 20-4
To Delete a Batch Query 20-5
Selecting the Query Type 20-5
Result Format 20-5
Order/Rank By 20-7
Filter By Time 20-8
Use Only Firing Events 20-8
Maximum Number of Rows Returned 20-8
Selecting Query Criteria 20-9
To Select a Criterion 20-9
Query Criteria 20-10
Source IP 20-10
Destination IP 20-11
Service 20-11
Event Types 20-11
Device 20-11
Severity/Zone 20-12
Operation 20-12
Rule 20-12
Action 20-12
Saving the Query 20-13
Viewing Events in Real-time 20-13
Restrictions for Real-time Event Viewer 20-13
Procedure for Invoking the Real-Time Event Viewer 20-14
Perform a Long-Duration Query Using a Report 20-17
View a Query Result in the Report Tab 20-19
Perform a Batch Query 20-20
Reports 20-23
Report Type Views: Total vs. Peak vs. Recent 20-24
Creating a Report 20-25
Working With Existing Reports 20-25
CHAPTER 21 Rules 21-1
Rules Overview 21-1
Prioritizing and Identifying 21-2
Think Like a Black Hat 21-2
Planning an Attack 21-2
Back to Being the Admin 21-3
Types of Rules 21-4
Inspection Rules 21-4
Global User Inspection Rules 21-4
Drop Rules 21-4
Constructing a Rule 21-5
Working Examples 21-16
Example A: Excessive Denies to a Particular Port on the Same Host 21-16
Example B: Same Source Causing Excessive Denies on a Particular Port 21-16
Example C: Same Host, Same Destination, Same Port Denied 21-16
Working with System and User Inspection Rules 21-17
Change Rule Status—Active and Inactive 21-17
Duplicate a Rule 21-17
Edit a Rule 21-18
Add an Inspection Rule 21-19
Working with Drop Rules 21-21
Change Drop Rule Status—Active and Inactive 21-21
Duplicate a Drop Rule 21-21
Edit a Drop Rule 21-22
Add a Drop Rule 21-22
Setting Alerts 21-23
Configure an Alert for an Existing Rule 21-24
Rule and Report Groups 21-24
Rule and Report Group Overview 21-25
Global Controller and Local Controller Restrictions for Rule and Report Groups 21-26
Add, Modify, and Delete a Rule Group 21-27
Add, Modify, and Delete a Report Group 21-30
Display Incidents Related to a Rule Group 21-32
Create Query Criteria with Report Groups 21-33
Using Rule Groups in Query Criteria 21-34
CHAPTER 22 Sending Alerts and Incident Notifications 22-1
Configure the E-mail Server Settings 22-4
Configure a Rule to Send an Alert Action 22-5
Create a New User—Role, Identity, Password, and Notification Information 22-10
Create a Custom User Group 22-12
Add a User to a Custom User Group 22-13
CHAPTER 23 Management Tab Overview 23-1
Activating 23-1
To activate a set of management additions or changes 23-1
Event Management 23-1
Search for an Event Description or CVE Names 23-2
To view a list of all currently supported CVEs 23-2
Event Groups 23-2
To filter by event groups or severity 23-2
Edit a Group of Events 23-2
Add a Group 23-3
IP Management 23-3
Search for an Address, Network, Variable, or Host 23-3
Filter by Groups 23-3
Edit a Group 23-4
Add a Group 23-4
Add a Network, IP Range, or Variable 23-4
Add a Host 23-5
Edit Host Information 23-6
Service Management 23-7
Search for a Service 23-7
Add a Group of Services 23-7
Edit a Group of Services 23-7
Add a Service 23-8
Edit a Service 23-8
Delete a Service 23-8
User Management 23-8
Add a New User 23-9
Add a Service Provider (Cell phone/Pager) 23-11
Search for a User 23-11
Edit or Remove a User 23-12
Create a User Group 23-12
Add or Remove a User from a User Group 23-12
Filter by Groups 23-13
CHAPTER 24 System Maintenance 24-1
Setting Runtime Logging Levels 24-1
Viewing the MARS Backend Log Files 24-2
View the Backend Log 24-2
Viewing the Audit Trail 24-3
View an Audit Trail 24-3
Retrieving Raw Messages 24-3
Retrieve Raw Messages From Archive Server 24-4
Retrieve Raw Messages From a Local Controller 24-5
Change the Default Password of the Administrator Account 24-7
Understanding Certificate and Fingerprint Validation and Management 24-7
Setting the Global Certificate and Fingerprint Response 24-9
Upgrading from an Expired Certificate or Fingerprint 24-9
Upgrade a Certificate or Fingerprint Interactively 24-10
Upgrade a Certificate Manually 24-10
Upgrade a Fingerprint Manually 24-10
Monitoring Certificate Status and Changes 24-10
Hardware Maintenance Tasks—MARS 100, 100E, 200, GCM, and GC 24-11
Replacing the Lithium Cell CMOS Battery 24-11
Hard Drive Troubleshooting and Replacement 24-12
Status Lights 24-12
Partition Checking 24-12
Hotswapping Hard Drives 24-12
Overview of MARS RAID 10 Subsystem 24-12
RAID Procedures for MARS Appliances 100, 100E, 200, GCM, and GC 24-13
Correlating Hard Drive Slots to RAIDSTATUS Command Physical Port Numbers 24-16
Hotswap Procedure To Remove and Add a Hard Drive 24-18
Hotswap CLI Example 24-19
Procedures for the MARS RAID Utility 24-20
24-25
APPENDIX A Cisco Security MARS XML API Reference A-1
XML Schema Overview A-1
XML Incident Notification Data File and Schema A-1
XML Incident Notification Data File Sample Output A-2
XML Incident Notification Schema A-6
Usage Guidelines and Conventions for XML Incident Notification A-6
APPENDIX B Regular Expression Reference B-1
PCRE Regular Expression Details B-1
Backslash B-2
Non-printing Characters B-3
Generic Character Types B-4
Unicode Character Properties B-5
Simple Assertions B-6
Circumflex and Dollar B-7
Full Stop (Period, Dot) B-8
Matching a Single Byte B-8
Square Brackets and Character Classes B-8
Posix Character Classes B-9
Vertical Bar B-10
Internal Option Setting B-10
Subpatterns B-11
Named Subpatterns B-12
Repetition B-12
Atomic Grouping and Possessive Quantifiers B-14
Back References B-15
Assertions B-16
Lookahead Assertions B-17
Lookbehind Assertions B-17
Using Multiple Assertions B-18
Conditional Subpatterns B-19
Comments B-20
Recursive Patterns B-20
Subpatterns as Subroutines B-21
Callouts B-22
APPENDIX C Date/Time Format Specification C-1
APPENDIX D System Rules and Reports D-1
List of System Rules D-1
List of System Reports D-13
GLOSSARY
INDEX
Preface
Introduction
Thank you for purchasing the Cisco Security Monitoring, Analysis, and Response System (MARS) Local Controller appliance. This guide will help you get the most value from your MARS Appliance.
Note The information in this document referring to a “MARS appliance” also applies to MARS used as a Local Controller in a Global Controller architecture.
The MARS Appliance
The Cisco Security Monitoring, Analysis, and Response System Appliance (MARS Appliance), that is, the MARS 20, MARS 50, MARS 100, and MARS 200, is a Security Threat Mitigation (STM) appliance. It delivers a range of information about your networks’ health as seen through the “eyes” and “ears” of the reporting devices in your networks. It takes in all of the raw events from your reporting devices, sessionizes them across different devices, fires default rules for incidents, determines false positives, and delivers consolidated information through diagrams, charts, queries, reports, and rules.
MARS operates at distinct and separate levels based on how much information is provided about your networks’ devices. At its most basic level, MARS functions as a syslog server. As you add information about reporting devices, it starts sessionizing, and when fully enabled, it presents a bird’s-eye view of your networks with the ability to quickly drill down to a specific MAC address.
The MARS Web Interface
The MARS user interface uses a tabbed, hyperlinked, browser-based interface. If you have used the Web, you have used similar Web pages.
Note When using the MARS user interface, avoid using the Back and Forward arrows in the browser. Using these arrows can lead to unpredictable behavior.
About This Manual
This manual describes the features and functionality of the Local Controller. The layout of this manual is as follows:
Chapter 1, “STM Task Flow Overview,” recommends a task flow for planning and implementing your security threat mitigation system. It ties back to your corporate security policies and presents a structured deployment and configuration strategy based on two phases: provisioning and monitoring.
Part 1: Provisioning Phase. This part details provisioning your network devices to communicate with MARS. It involves performing device inventories, bootstrapping and configuring the reporting devices and mitigation devices to communicate with the MARS Appliance, and performing device-side tuning.
Chapter 2, “Reporting and Mitigation Devices Overview,” discusses concepts important to a successful deployment of MARS. These concepts include selecting among the devices on your network, understanding the levels of operation, and performing those tasks that affect many devices, such as defining data pulling schedules.
Chapter 3, “Configuring Router and Switch Devices.”
Chapter 4, “Configuring Firewall Devices.”
Chapter 5, “Configuring VPN Devices.”
Chapter 6, “Configuring Network-based IDS and IPS Devices.”
Chapter 7, “Configuring Host-Based IDS and IPS Devices.”
Chapter 8, “Configuring Antivirus Devices.”
Chapter 9, “Configuring Vulnerability Assessment Devices.”
Chapter 10, “Configuring Generic, Solaris, Linux, and Windows Application Hosts.”
Chapter 11, “Configuring Database Applications.”
Chapter 12, “Configuring Web Server Devices.”
Chapter 13, “Configuring Web Proxy Devices.”
Chapter 14, “Configuring AAA Devices.”
Chapter 15, “Configuring Custom Devices.”
Part II: Monitoring Phase. This part covers concepts important to successfully using MARS to monitor your network. These concepts include defining inspection rules and investigating incidents.
Chapter 16, “Policy Table Lookup on Cisco Security Manager” explains how to integrate with Cisco Security Manager and use the policy lookup features in MARS.
Chapter 17, “Network Summary” covers the Summary pages, which include the Dashboard, the Network Status, and the My Reports pages.
Chapter 18, “Case Management” covers using cases to provide accountability and improve workflow.
Chapter 19, “Incident Investigation and Mitigation” covers incidents and false positives and provides a starting point for configuring a Layer 2 path and mitigation to work with MARS.
Chapter 20, “Queries and Reports” covers working with scheduled and on-demand reports and queries. It also discusses using the real-time event viewer.
Chapter 21, “Rules” covers defining and using inspection rules.
Chapter 22, “Sending Alerts and Incident Notifications” explains how to configure MARS to send an alert based on an inspection rule.
Chapter 23, “Management Tab Overview” covers managing events, networks, variables, hosts, services, and MARS users.
Chapter 24, “System Maintenance” covers some of the maintenance chores for MARS.
Additionally, the following appendices are provided:
Appendix A, “Cisco Security MARS XML API Reference” presents the XML schema used by MARS for XML-based notifications.
Appendix B, “Regular Expression Reference” describes the syntax and semantics of the regular expressions supported by PCRE.
Appendix C, “Date/Time Format Specification” describes date/time field parsing, which is supported using the Unix strptime() standard C library function.
Glossary — A glossary of terms as they relate to MARS.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. This section explains the product documentation resources that Cisco offers.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/techsupport
You can access the Cisco website at this URL:
http://www.cisco.com
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Product Documentation DVD
The Product Documentation DVD is a library of technical product documentation on a portable medium. The DVD enables you to access installation, configuration, and command guides for Cisco hardware and software products. With the DVD, you have access to the HTML documentation and some of the PDF files found on the Cisco website at this URL:
http://www.cisco.com/univercd/home/home.htm
The Product Documentation DVD is created and released regularly. DVDs are available singly or by subscription. Registered Cisco.com users can order a Product Documentation DVD (product number DOC-DOCDVD= or DOC-DOCDVD=SUB) from Cisco Marketplace at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
Ordering Documentation
You must be a registered Cisco.com user to access Cisco Marketplace. Registered users may order Cisco documentation at the Product Documentation Store at this URL:
http://www.cisco.com/go/marketplace/docstore
If you do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Documentation Feedback
You can provide feedback about Cisco technical documentation on the Cisco Support site area by entering your comments in the feedback form available in every online document.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you will find information about how to do the following:
Report security vulnerabilities in Cisco products
Obtain assistance with security incidents that involve Cisco products
Register to receive security information from Cisco
A current list of security advisories, security notices, and security responses for Cisco products is available at this URL:
http://www.cisco.com/go/psirt
To see security advisories, security notices, and security responses as they are updated in real time, you can subscribe to the Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed. Information about how to subscribe to the PSIRT RSS feed is found at this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you have identified a vulnerability in a Cisco product, contact PSIRT:
For emergencies only—security-alert@cisco.com
An emergency is either a condition in which a system is under active attack or a condition for which a severe and urgent security vulnerability should be reported. All other conditions are considered nonemergencies.
For nonemergencies—psirt@cisco.com
In an emergency, you can also reach PSIRT by telephone:
1 877 228-7302
1 408 525-6532
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product (for example, GnuPG) to encrypt any sensitive information that you send to Cisco. PSIRT can work with information that has been encrypted with PGP versions 2.x through 9.x.
Never use a revoked encryption key or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
If you do not have or use PGP, contact PSIRT to find other means of encrypting the data before sending any sensitive material.
Product Alerts and Field Notices
Modifications to or updates about Cisco products are announced in Cisco Product Alerts and Cisco Field Notices. You can receive these announcements by using the Product Alert Tool on Cisco.com. This tool enables you to create a profile and choose those products for which you want to receive information.
To access the Product Alert Tool, you must be a registered Cisco.com user. Registered users can access the tool at this URL:
http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do?local=en
To register as a Cisco.com user, go to this URL:
http://tools.cisco.com/RPF/register/register.do
Obtaining Technical Assistance
Cisco Technical Support provides 24-hour-a-day award-winning technical assistance. The Cisco Support website on Cisco.com features extensive online support resources. In addition, if you have a valid Cisco service contract, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not have a valid Cisco service contract, contact your reseller.
Cisco Support Website
The Cisco Support website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day at this URL:
http://www.cisco.com/en/US/support/index.html
Access to all tools on the Cisco Support website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note Before you submit a request for service online or by phone, use the Cisco Product Identification Tool to locate your product serial number. You can access this tool from the Cisco Support website by clicking the Get Tools & Resources link, clicking the All Tools (A-Z) tab, and then choosing Cisco Product Identification Tool from the alphabetical list. This tool offers three search options: by product ID or model name; by tree view; or, for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Tip Displaying and Searching on Cisco.com
If you suspect that the browser is not refreshing a web page, force the browser to update the web page by holding down the Ctrl key while pressing F5.
To find technical information, narrow your search to look in technical documentation, not the entire Cisco.com website. After using the Search box on the Cisco.com home page, click the Advanced Search link next to the Search box on the resulting page and then click the Technical Support & Documentation radio button.
To provide feedback about the Cisco.com website or a particular technical document, click Contacts & Feedback at the top of any Cisco.com web page.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests, or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411
Australia: 1 800 805 227
EMEA: +32 2 704 55 55
USA: 1 800 553 2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—An existing network is “down” or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of the network is impaired while most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
The Cisco Online Subscription Center is the website where you can sign up for a variety of Cisco e-mail newsletters and other communications. Create a profile and then select the subscriptions that you would like to receive. To visit the Cisco Online Subscription Center, go to this URL:
http://www.cisco.com/offer/subscribe
The Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL:
http://www.cisco.com/go/guide
Cisco Marketplace provides a variety of Cisco books, reference guides, documentation, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
Cisco Press publishes a wide range of general networking, training, and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
http://www.ciscopress.com
Internet Protocol Journal is a quarterly journal published by Cisco for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
Networking products offered by Cisco, as well as customer support services, can be obtained at this URL:
http://www.cisco.com/en/US/products/index.html
Networking Professionals Connection is an interactive website where networking professionals share questions, suggestions, and information about networking products and technologies with Cisco experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
“What’s New in Cisco Documentation” is an online publication that provides information about the latest documentation releases for Cisco products. Updated monthly, this online publication is organized by product category to direct you quickly to the documentation for your products. You can view the latest release of “What’s New in Cisco Documentation” at this URL:
http://www.cisco.com/univercd/cc/td/doc/abtunicd/136957.htm
World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
Chapter 1
STM Task Flow Overview
This chapter describes the project phases and task flows that you should follow when you deploy MARS as a security threat mitigation (STM) system in your network. First, however, you must develop a set of policies that enables the application of security measures.
Your security policy should:
Identify security objectives for your organization.
Document the resources to protect.
Identify the network infrastructure with current maps and inventories.
Identify the critical resources (such as research and development, finance, and human resources) that require extra protection.
Your monitoring policy should:
Identify the expected administrative traffic flows across your network, including user, source, destination, services, and hours of operation.
Identify expected network traffic for security probing and vulnerability testing, including user, source, destination, services, and hours of operation.
Identify the network infrastructure able to provide audit data in “network proximity” to the critical resources.
Identify the various event logging levels available from the devices and hosts in the network infrastructure.
Identify the devices and techniques used to investigate
Your mitigation policy should:
Identify the choke points on your network relative to the critical resources.
Define your process for documenting mitigated attacks on layer 2 and layer 3 devices.
Define your process for documenting mitigated attacks at the host and application layer.
Resolve corporate ownership issues among network operations, security operations, host owners, and application owners on shared hosts.
Identify your policy for notifying security response teams and remediation teams.
Identify the vendor detection tool prioritization process, such as IOS IPS Dynamic Attack Mitigation (DAM).
Identify how you want to block detected attacks: block them temporarily or permanently, block them using MARS-generated rules, block them using custom rules defined by the security operations team, and so on.
Your remediation policy should:
Identify the responses to detected but unmitigated attacks for each type of node in your network.
Identify tool vendor update policies to ensure proper remediation of hosts and applications.
Identify the policies and procedures for isolating infected legacy hosts where remediation options are unavailable. These procedures may include restoring from backups or network isolation.
After you develop your policies, they become the hub of the Cisco Security Wheel (Figure 1-1).
Figure 1-1 Cisco Security Wheel
The spokes of the Cisco Security Wheel represent network security as a continual process consisting of four steps:
1. Secure your system.
2. Monitor the network for violations and attacks against your security policy and respond to them.
3. Test the effectiveness of the security safeguards in place.
4. Manage and improve corporate security.
You should perform all four steps continually, and you should consider each of them when you create and update your corporate security policy.
The remainder of this section details recommended task flows according to the following project phases:
Provisioning (see Checklist for Provisioning Phase, page 1-2).
Monitoring (see Checklist for Monitoring Phase, page 1-9).
Check out http://www.cisco.com/web/about/security/intelligence/articles.html for more planning ideas. Look closely at the SAFE information.
Checklist for Provisioning Phase
Provisioning deals with planning, setting up, and configuring the hardware, software, and networks that actually provide access to the data and network resources for the MARS Appliance. This phase takes place after you successfully complete the installation, which was detailed in the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System.
The following checklist describes the tasks required to understand the decision-making process and the basic flow required to provision MARS in the most productive manner. Each step might contain several substeps; the steps and substeps should be performed in order. The checklist contains references to the specific procedures used to perform each task.