Thursday, April 17, 2008

Cisco MARS 4.3.4 and 5.3.4 Out Now

Cisco MARS Versions 4.3.4 for Gen1 Appliances, and 5.3.4 for Gen2 Appliances has just been released.

You can find here, the release notes for 4.3.4 and 5.3.4

New Features

As mentioned on an earlier post, the CSM 3.2 Video i created on Demolabs, was done with a 5.34 Beta Code, these features are now possible!

Improved CSM-MARS Linkage. "With Security Manager 3.2 and MARS 4.3.4 and 5.3.4, you can modify access rules generating the MARS event seamlessly from the read-only policy table popup window, which displays all rules associated with an event, by clicking the highlighted access rule number without starting Security Manager separately. Similarly, you can navigate to the signature summary table in Security Manager from MARS events associated with IPS sensors and IOS IPS devices and alter the signature properties. This feature enables you to map a syslog message to the policy that triggered that message and modify it simultaneously, thereby reducing time spent configuring and troubleshooting access rules in large or complex networks.

Additional improved support includes:

Support for MARS to launch CSM and authenticate using stored login credentials.

Improved support for firewall and IPS policy rule lookups.

From Policy Query, you can edit a signature on an event or define a filter on the CSM device to perform device-side tuning.

Edit IPS signatures that fired an inspection rule.

Edit IPS signatures that fired an inspection rule."

Improved Global Controller-Local Controller Group Synchronization. "In the x.3.4 releases, MARS changes how source and destination information found in Global Controller rules is shared with managed Local Controllers. (This change is in support of CSCse03237: Changes made to GC network groups are not propagated to active LC rules.) "

Update to intrusion prevention, and intrusion detection, and vulnerability assessment signature sets

And of course the usual bugfixes.

Tuesday, April 08, 2008

Cisco MARS 6.0

Cisco yesterday released a bulletin and datasheet for the forthcoming Cisco MARS version 6.0

You can find the Bulletin HERE, and the Datasheet HERE.

It looks like there are going to be some great new features, i`ll look forward to it!

"Cisco Security MARS Release 6.0 will be included in all appliances purchased beginning approximately August 2008. Current Cisco Security MARS customers who have valid Cisco SMARTnet® Service contracts when released can also download the release at the Cisco Software Center."

"New Features
Cisco Security MARS Release 6.0 enhancements make Cisco Security MARS more open, with the ability to use the greater Cisco Security MARS community to improve security device support. Some enhancements include:
Cisco Security MARS device support framework: Framework to add velocity and flexibility to the Cisco Security MARS system, allowing faster, more flexible, and more scalable security device log support for existing and new Cisco and third-party vendor devices.
Support for the ASA 5580: MARS becomes the first Security Threat Management appliance to be capable of accepting logs from high output devices such as the ASA 5580.
Cisco Security MARS forum on NetPro: Community enablement for Cisco Security MARS users, partners, and third-party vendors interested in discussing, sharing, and rating Cisco Security MARS device support packages.
Cisco IPS Sensor Software Version 6.0 rules and report enhancements: Native support of IPS risk rating, threat rating, and virtual sensor in Cisco Security MARS will competitively differentiate the Cisco IPS and Cisco Security MARS value proposition by enabling Cisco Security MARS to further refine IPS event data to more effectively define threat detection and attack fidelity of the incident. "

And a sneak of the new supported devices looks interesting.....

Friday, April 04, 2008

New MARS and CSM 3.2 Linkages

Some of you may of noticed Cisco Security Manager 3.2 was released at the end of March.

Now i managed to wing a beta of this earlier in the year, as there are some great new MARS linkages. I aslo produced a Demo which can be seen HERE, for a Seminar in London. (I`ll add the version with sound next week).


I`m not completely sure what will work today, as I created the demo using an early MARS 5.34 Beta, but the datasheets on Cisco.com for CSM which i have quoted below, give further info.

So whats new?

IPS Configuration
"Cross-collaboration with Cisco Security MARS enables event/anomaly investigation with immediate insight into policy deployment changes. This collaboration enables policy launching of historic and real-time events, encouraging tighter collaboration between network operations and security operations teams while keeping Cisco Security Manager policies in band. Insight and cross-collaboration decreases event investigation and troubleshooting, thus speeding resolution time. Cisco Security Manager and Cisco Security MARS collaboration enables interactive IPS event action filter creation, thus reducing your network's vulnerability exposure." - Source CSM 3.2 Datasheet


Enhanced Cisco Security Manager and MARS integration
– Ability to select syslog messages collected by Cisco Security MARS and launch to that specific rule in the Cisco Security Manager that generated the syslog
– Ability to select a rule in Cisco Security Manager and view historic or real-time syslog messages in Cisco Security MARS
– Ability to select an IPS signature in Cisco Security Manager and view historical or real-time events processed by Cisco Security MARS
– Ability to view IPS events in Cisco Security MARS and launch to that specific IPS signature in Cisco Security Manager. - Source CSM3.2 Bulletin

Finally some screenshots from the Datasheet....