Thursday, November 29, 2007

New MARS Ask the Expert Discussion


There is a new NetPro Ask the Expert discussion regarding the new features in MARS 4.3.1.

This is with Gary Halleen, one of the authors of the latest Cisco MARS book.

You can find this HERE.

Wednesday, November 21, 2007

Extending CS-MARS Forensics and Reporting



You may have heard of products that can make use of the Cisco MARS archive data. There are three I've heard of that can do this; one such product is SecureVue from EIQNetworks.

eIQ SecureVue provides extended forensics and investigative search capabilities that allow Cisco Security MARS customers to quickly search volumes of archived log data collected across the enterprise.

SecureVue processes Cisco Security MARS archived log data and generates comprehensive SOX, PCI, GLBA, FISMA, HIPAA and other compliance-specific reports to meet evolving federal, state and industry regulatory mandates and audit requirements.

You can find a data sheet on the MARS - EIQNetworks Integration here.


Wednesday, November 14, 2007

Netflow Performance Analysis

Thanks to Joe Harris' 6200 Networks Blog for a great link to a Netflow performance analysis paper.

"Although many Cisco customers want to deploy NetFlow services, they are naturally cautious about introducing new technology into their network without completely understanding the potential performance impact. This paper examines the CPU impact of enabling NetFlow services in various scenarios on several different Cisco hardware platforms."

You can find a direct link to the Article Here.

Wednesday, November 07, 2007

MARS Cisco IPS 6 Dynamic Updates

Beginning in 4.3.1 and 5.3.1, MARS can discover new Cisco IPS signatures and correctly process and categorize received events that match those signatures.

Note that the Dynamic IPS Update feature is not enabled by default and has to be configured as pictured above. There are two ways to get the updates. One is automatically (via a schedule) from Cisco, where a valid username and password (i.e. a CCO account) is required. The second is to download the files manually from CCO and place them on a server that MARS will have access to.

From the page above you can test your connectivity or perform an immediate update.


What is in these updates? They provide event normalization and event group mapping, and they enable your MARS appliance to parse day-zero signatures from the IPS devices. They are in the format of an XML file, as pictured below.


Note that these files do not contain detailed information such as vulnerability information. Detailed signature information is provided in later MARS signature upgrade packages, just as with 3rd-party signatures. Also, custom signatures are not supported.

What happens once MARS gets the update file? The MARS appliance performs an auto-activate to load the new signature information.

What happens if I do not enable this feature? If this feature is not configured, the events appear as an unknown event type in queries and reports, and MARS does not include these events in inspection rules.

How often does MARS check for updates? This is scheduled, and can be hourly or daily, see below.


Two types of failures can occur, and they are identified in the Status field of the IPS Signature Dynamic Update Settings page:

• Failure to download the package. Verify that the MARS Appliance has connectivity to the specified destination and that it is using the correct username and password.

• Failure to install. Indicates a problem with the package itself, possibly corrupted during the download.

Another thing to check is the Autoupdate process in the MARS CLI.

This is the process that handles the IPS signature updates; you can see its status via the pnstatus command.

How do I check the version of the update I have on my MARS appliance? This is done by going to Help/About.


New events/rules related to the IPS feature: I have listed some of the new events below that relate to the IPS feature. You will get an incident fired if, say, your IPS update was not successful.



Lastly, there are some important considerations in a GC/LC environment. In a Global Controller-Local Controller deployment, you should configure the dynamic signature URL and all relevant settings on the Global Controller.

When the Global Controller pulls the new signatures from CCO, all managed Local Controllers download the new signatures from the Global Controller.

You may get communication failures if your GC and LCs are running different versions of the IPS update files.
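To make the behaviour described in this post concrete, here is an added example (my own illustration, not MARS code, and the XML layout is an assumed simplified format, not the real update package): a toy signature dictionary that starts empty, so every raw IPS alert normalizes to an unknown event type; an "install" step that activates a package and maps signature IDs to event groups; a custom-range signature (60000) that stays unknown because custom signatures are not covered; a truncated package that is reported as an install failure and leaves the dictionary untouched; and a small GC/LC version check.

```python
import xml.etree.ElementTree as ET

# Constructed sample package in an ASSUMED simplified format.
# This is not a real MARS IPS dynamic update file.
UPDATE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ipsSignatureUpdate version="S310">
  <signature id="5081" subid="0" name="WWW Directory Traversal" eventGroup="Info/Attack/Web"/>
  <signature id="3041" subid="0" name="TCP SYN/FIN Packet" eventGroup="Probe/Port Scan"/>
</ipsSignatureUpdate>
"""

# Constructed raw alerts as (signature id, sub id).  60000 sits in the
# custom-signature range, which dynamic updates do not cover.
RAW_EVENTS = [("5081", "0"), ("3041", "0"), ("60000", "0")]

UNKNOWN_EVENT_TYPE = "Unknown Event Type"


class SignatureDictionary:
    """Minimal stand-in for the signature table an appliance keeps loaded."""

    def __init__(self):
        self.version = None
        self._sigs = {}  # (sig_id, sub_id) -> {"name": ..., "group": ...}

    def install(self, xml_text):
        """Activate a package.  Returns a status string in the spirit of the
        Status field; a malformed package changes nothing and reports
        'Failure to install'."""
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return "Failure to install"
        if root.tag != "ipsSignatureUpdate":
            return "Failure to install"
        new = {}
        for sig in root.iter("signature"):
            key = (sig.get("id"), sig.get("subid", "0"))
            new[key] = {"name": sig.get("name"), "group": sig.get("eventGroup")}
        # Only commit once the whole package parsed cleanly.
        self._sigs.update(new)
        self.version = root.get("version")
        return f"Installed {self.version} ({len(new)} signatures)"

    def normalize(self, sig_id, sub_id):
        """Map a raw alert to an event type; anything unmapped is unknown,
        which is what MARS shows when the feature is not configured."""
        entry = self._sigs.get((sig_id, sub_id))
        if entry is None:
            return {"sig": f"{sig_id}/{sub_id}",
                    "name": UNKNOWN_EVENT_TYPE, "group": UNKNOWN_EVENT_TYPE}
        return {"sig": f"{sig_id}/{sub_id}", **entry}


def process_events(dictionary, events):
    """Normalize a batch of raw (sig_id, sub_id) alerts."""
    return [dictionary.normalize(s, sub) for s, sub in events]


def unknown_events(results):
    """The alerts that would be excluded from inspection rules."""
    return [r for r in results if r["group"] == UNKNOWN_EVENT_TYPE]


def versions_match(gc_version, lc_versions):
    """GC/LC sanity check: every Local Controller should carry the same
    package version the Global Controller pulled."""
    return all(v == gc_version for v in lc_versions)


if __name__ == "__main__":
    d = SignatureDictionary()
    print("before update:", len(unknown_events(process_events(d, RAW_EVENTS))), "unknown")
    print(d.install(UPDATE_XML))
    for r in process_events(d, RAW_EVENTS):
        print(r)
    print(d.install(UPDATE_XML[:60]))  # truncated package -> install failure
    print("GC/LC in sync:", versions_match(d.version, ["S310", "S300"]))
```

The point of the truncated-package case is the ordering: parse everything first, commit only on success, so a download that was cut short never half-replaces the table. The same idea is why a GC/LC version mismatch is worth checking after every scheduled pull.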




Friday, November 02, 2007

Book Review: LAN Switch Security

Title: LAN Switch Security: What Hackers Know About Your Switches
Authors: Eric Vyncke and Christopher Paggen
Publisher: Cisco Press


Quote "Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks."

Go into some (or most!) networks today that run Cisco switches, and you will see the majority of the security functions not enabled, or simply unconfigured or misconfigured. When you read this book, I'm sure you'll start to review the security of your switch infrastructure right away, once you discover the insecurities of individual protocols and the freely available tools on the internet that could bring you network meltdown!

Now before I start: for anyone that has read the famous "Hacking Exposed: Cisco Networks" book that came out in 2006, LAN Switch Security: What Hackers Know About Your Switches will pretty much overlap with it.

But if you haven't read the previously mentioned book, then LAN Switch Security is a definite read.

I think the book is well written, and includes many references to "hacking tools" on the web, with explanations of how attacks work and examples of how to mitigate them. For example, VLAN hopping, DHCP weaknesses, ARP spoofing, HSRP, etc.

You'll have great fun testing with tools like the famous Yersinia. (Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols.)

Though a couple of sections in the book are thin on the ground in terms of configuration examples (for example the ACL section), I'd still recommend this book as a great read to anyone looking to improve switch security in a Cisco network.