Thursday, September 27, 2007

Cisco MARS 4.3.1 Now Available

Cisco MARS 4.3.1 is now available (and 5.3.1 for Gen2).

There are some great new features, briefly mentioned below...

Data Migration Support

Beginning with this release, you can migrate configuration and event data from a MARS Appliance running 4.x to a newer model running 5.x.

Centralized Password Management—External AAA Server Support

External Authentication, Authorization, and Auditing (AAA) servers can now act as the authentication mechanism for MARS Appliance GUI logins (username and password). Previously, each MARS Appliance authenticated login name/password combinations with the appliance's local user database. Release 4.3.1 supports the following external RADIUS AAA servers:

Cisco Secure Access Control Server (ACS)

Microsoft Internet Authentication Service (IAS) Server

Juniper Networks Steel belted RADIUS

Account Locking—Login Security

Previously, MARS Appliances permitted an unlimited number of login attempts. With Release 4.3.1, the administrator can configure the GUI to lock after a specified number of failed login attempts, or can configure the GUI to never lock.

Monitoring Global Controller Connection Status from the Local Controller

Previously, the connection status between a Local Controller and a Global Controller was reported on the Global Controller's Zone Controller Information page (Admin > System Setup > Local Controller Management).

With Release 4.3.1, the Local Controller now generates syslogs to record communication problems caused by the following events:

Local Controller cannot connect to the Global Controller

Local Controller certificate is not on the Global Controller or vice versa

Local Controller and Global Controller are operating with incompatible MARS release versions

Release 4.3.1 defines seven new events, three new system rules, and two new system reports on the Local Controller to monitor the connection status with the Global Controller.

GUI and CLI Timeout Interval

Previously, the GUI would time out after 30 minutes of inactivity. With Release 4.3.1, the timeout interval for the GUI can be set to 15, 30 (default), 45, or 60 minutes, or to Never (the GUI never times out). Different GUI timeout intervals can be set for the Administrator, Security Analyst, and Operator roles. The Administrator parameter also sets the CLI timeout.


Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 4.3.1:

Global Controller-to-Local Controller Communication Enhancements. Enhancements include more efficient data batches, reduced transfer times, and a prioritization on recent data. If a data backlog occurs due to a Global Controller-to-Local Controller disconnect, the Local Controller sends recent data first and stays in sync with new data coming in. The Local Controller catches up with older data over time.

Support for Cisco IPS 6.0 Dynamic Signature Updates. Download new signatures from CCO and correctly process and categorize received events that match those signatures, which includes them in inspection rules and reports. These updates provide event normalization and event group mapping, and they enable your MARS Appliance to parse Day Zero signatures from the IPS devices.

Syslog Forwarding. Designate a syslog collector and forward syslog messages received from one or more IP addresses to that collector.

Password Management Enhancement. Non-administrative users can change the password associated with their account. Previously, editing a MARS user was considered an administrative task and limited to those accounts with the admin role.

Raw Message Log Enhancement. To view and delete queries in the local cache, click the View Cache button on the Retrieve Raw Messages page accessed from Admin > System Maintenance > Retrieve Raw Messages. Previously, queries were purged automatically every two weeks; this feature helps avoid disk space shortages that could occur before that period elapsed.

GC2R Support. The 4.3.1 and 5.3.1 releases are interoperable, allowing the GC2R to manage Local Controllers running 4.3.1 on the following models: MARS 20R, MARS 20, and MARS 50.

Enhanced Cisco Device Support:

IPS 6.0

PIX / ASA 7.2

CSA 5.0, 5.1, and 5.2

Cisco IOS P1-5

FWSM 3.1.5

Enhanced 3rd-Party Device Support.

ISS Site Protector 2.0

CheckPoint R61, R62, and R65.

Updates to intrusion prevention, intrusion detection, and vulnerability assessment signature sets.

Bug fixes.

New Vendor Signatures

Release notes for the new version are available HERE.

Watch the blog over the next few days for details on the new features.

