Tuesday, January 16, 2007

CS-MARS with the Cisco VPN Concentrator

The Cisco ASA Firewall/VPN device maybe at the forefront of most Cisco VPN deals recently, but there are thousands of Cisco VPN Concentrators in use around the world.

And coming back to the Integration Series, MARS will accept Syslog from these devices.

Now MARS knows over 150 different events, that can occur on the VPN Concentrator, with a few shown below.

And looking further into the actual events, we can see there is a varied range, of not just Admin logon or off events, but also VRRP, Webvpn etc.

Now looking at an easy to fire Incident, which in this case would be an authentication failure for an Admin account, we can see the reporting device, the rule which fired, and also the actual user that failed authentication.

With the RAW Event message forwarded by the VPN Concentrator.

Now the benefit of any event management system is the ability to query the data, either historical events or in real time.

Below i have run a real time query, but searching for a particular event type, which is to report the VPN Client application version.

But we can query on any source/destination ip, from any number of devices, and also use keywords in the queries. As this last example shows looking for a particular VPN group..

If this post has been of interest, you may also find these posts useful as well, which i have previously posted.

Cisco MARS Integration with McAfee ePO
Cisco MARS Integration with SNORT
Cisco MARS Integration with the Cisco Security Manager - Policy Lookups

And also remember you will find some live demos and PDF copies of some articles over at the Demolabs website.

No comments: