Making the Shoe Fit - CS-MARS Sizing

So you want a MARS box but don't know which one to buy? Cisco offers many options as to which appliance you can purchase and even has details online as to how each appliance is sized.



So as you can see the sizing is based upon events per second. So how excactly can you measure you events per second? Let me clarify this by showing you the devices we monitor and all together the events per second we generate. Here' our monitored devices:

4 x Windows Server
121 x Cisco 2811 IOS Routers
384 x Cisco 3750 IOS Switches
117 x PIX 506E Firewalls
2 x PIX 520 Firewalls
2 x PIX 515E Firewalls
7 x Cisco 3825/3845 Routers
2 x Cisco 4215 IPS 5.1 Sensors
6 x Unix Servers with Snort

So all together we have a relatively large infrastructure monitored by MARS. So events per second comes to what excactly? At peak usage during the day we generate about only 57 events per second. Which CS-MARS version do we run? We're currently running the 100e, which is capable of 3000 events per second! Wow... that's pretty damn powerful! We bought this size knowing that our infrastructure will soon include more servers along with NAC reporting to MARS. Hopefully this sizing overview helps when making the decision to purchase a CS-MARS appliance. If you ever need any help or recommendations, just ask!

A Visual Intro to CS-MARS

So what is CS-MARS and why does it deserve a blog? CS-MARS (short for Cisco Security Monitoring, Analysis and Response System) is a security aggregation point for network devices. I could sit here and talk about all the blah blah that the PDFs on Cisco.com provide, but I think a visual tour of our implementation of MARS will best describe this powerful network security tool.

1) Incident Dashboard - The CS-MARS homepage for events. Shows the 5 most recent secuirty events along with daily statistics and brief security diagrams.


2) Incident Listing - Here we see the most recent Incidents as recorded by MARS. You get all the basic information on the Incident triggered, and from here you drill into specific Incidents.


3) Rule View - Here we can see the rules the come built-into the MARS system. There are current 124 system rules. This sounds very minimal, but think of rules as the aggregation of multiple events (which we'll see soon). Rules are what generate incidents and can notify us.


4) Event View - Here is where we see the invidual events that MARS recognizes coming from devices. As of version 4.2.1 there are over 16,000! These are the events that are triggered from logs/polling of the monitored devices. The events are then correlated to the above rules and grouped to form incidents that represent security events.


5) Incident Details - On the final part of this tour I'll drill into a specific incident. Here we see a supposed VPN attack that was successful. This was the result of a user, christine, failing login to our VPN endpoint, disconnecting, then connecting succesfully. MARS detects this as a successful VPN password attack and generates an incident. As a network engineer I know this is a real user and that this incident is the result of a user mistyping credentials. In the event this user was not a real user, we would have an incident to now investigate further.



I hope this introduction showed how much power is behind this appliance. It's been a really exciting system to work on and I'm constantly learning more and more about the true capabilities of it. Now if I can just make it take my off-hour calls I'll be one happy network engineer...

Mobile Messaging Using the Sprint PPC-6700

Eat this Blackberry! In a company that's pretty large (25,000+ employees), we have an under-staffed IT department. Surprising right? Anyways, when the CS-MARS device was installed we started receiving the built-in e-mail alerts about security events. The issue was that we had no mobile devices to receive the alerts on. Though the e-mail alerts are pretty cheesy, but I have a notification enhancement I'll share on one of these posts (all written in a network engineer's favorite language Perl). So with my large paycheck (pfft!) I purchased a Sprint PPC-6700. This is everything a Blackberry is and more. We're in the process of an MS Exchange 2003 migration and thanks to our awesome Windows admin, he configured Microsoft DirectPush e-mail. This means that the Blackberry "push" functionality is built-in to my device and our new mail environment. I now receive alerts as they occur and can more easily respond to them. Plus it's a cool phone everyone is jealous of. If we could only get EVDO coverage up here!

An Introduction

A brief introduction of who I am and what I do. My name's Mike and I'm a Cisco-certified network engineer. I'm 22 years old and have worked on networks for the past 5 years. I current works in the private sector as a Network Engineer for a local food retailer. We are based in 6 states in the Northeast. My responsibilities include maintaining the operation of our MPLS network, along with investigate new technologies to enhance services on our network. My main focus now is business continuity connectivity along with investigating the newest network security technologies. My primary focus has been the installation and operation of the Cisco CS-MARS security event manager. This robust product offers a lot, but I find that Cisco falls short on providing an in-depth view of the power of the device and how it benefits any company that operates a secure network. My hope is that this blog will provide insight into the security technologies offered by Cisco, with a focus on the CS-MARS device. Along the way I'll share my experiences in networking and hopefully hear input for fellow engineers out there.