Wednesday, December 12, 2007

4.3.2 / 5.3.2 Release

As promised links to the release notes for MARS 4.3.2 for Gen1 and 5.3.2 for Gen2 appliances.

Release Notes for Cisco Security MARS Appliance 4.3.2

Release Notes for Cisco Security MARS Appliance 5.3.2

As mentioned the other day, the major difference between the 2 release codes, is Wireless Controller support in 5.3.2, but not 4.3.2.

"Cisco Secure MARS 5.3. x supports the collection, parsing, and analysis of SNMP security traps generated by Cisco Wireless Controller, version 4.x. devices. In addition, MARS includes this event data in new and existing reports and rules. Support for Cisco Wireless Access Points is enabled via Cisco Wireless LAN Controller, v. 4.1.171.0, which forwards SNMP traps to the MARS Appliance for processing."

Theres also the usual updated Vendor Signatures...

The other new Enhancements are shown below, ripped from the release notes....

New Activate Button and Activation Scheduler

The Activate button now displays red when a configuration change requires activation. Previously, there was no change in the display of the button. Additionally, a scheduler daemon can be configured from the GUI to automatically execute activations.

Support for Custom Signature Definitions in Cisco IPS.

Cisco IPS 6.0 enables you to define custom signatures for Cisco IPS devices. In 5.3.2, you can map that signature to a MARS event type so that an inspection rule in MARS fires when that signature is detected. To do so, you must define an XML file that maps between the custom signature and the event type in MARS as well as manually update the Local Controller from the Admin > System Setup > IPS Signature Dynamic Update Settings page.

•Global Controller-to-Local Controller Communication Enhancements.

Enhancements include the following:

–Topology-sync performance improvement

–Report Results performance

–Incidents/Firing Events performance

•Enhanced Cisco Device Support:

–IOS 12.3, 12.4(11) T-T4

–PIX and ASA 7.0.7, 7.2.2, 7.2.3, and 8.0.

–Cisco IPS 6.0 (IDSM/2, IPS 4270, and ASA-IPS SSM 10/20 support)

–FWSM 3.1.4, 3.1.6, and 3.2

•Enhanced 3rd-Party Device Support.

–Juniper IDP 3.x via IDP management server (3.0, 3.1)

–Juniper IDP 4.x via NSM (4.0, 4.1)

–Symantec AntiVirus 10.x (10.1, 10.2)


MARS 4.3.2 and 5.3.2 Released

CS-MARS Versions 4.3.2 and 5.3.2 have been released.


More info on these, when the release notes are posted!

Monday, December 10, 2007

CS-MARS 5.3.2 Support for Wireless Controllers


The ASK the expert forum has now finished, but you can still go over to the ASK the Expert Forums and read the posts.

One that caught my eye, was the question "will there be a native support for Cisco access-points in further releases? "

And Gary Halleen`s reponse, "Cisco access points will be supported through integration with the wireless controllers. This support comes in the 5.3.2 release, which we'll see on CCO in just a few days.

Be warned, though, that this wireless support will not be available in the 4.3.2 release that runs on the Generation 1 appliances. Only the Generation 2 appliances.

Support for wireless controllers on Generation 1 appliances won't be available until 6.0 comes out this spring."

Thursday, November 29, 2007

New MARS Ask the Expert Discussion


There is a new Net Pro, ask the Expert discussion, regarding the new features is MARS 4.3.1

This is with Gary Halleen one of the authors of, the latest Cisco MARS Book.

You can find this HERE.

Wednesday, November 21, 2007

Extending CS-MARS Forensics and Reporting



You may of heard of products that can make use of the Cisco MARS Archive data. There are 3 i`ve heard of that can do this, once such product is SecureVue from EIQNetworks.

eIQ SecureVue provides extended forensics and investigative search capabilities that allow Cisco Security MARS customers to quickly search volumes of archived log data collected across the enterprise.

SecureVue processes Cisco Security MARS archived log data and generates comprehensive SOX, PCI, GLBA, FISMA, HIPAA and other compliance-specific reports to meet evolving federal, state and industry regulatory mandates and audit requirements.

You can find a data sheet on the MARS - EIQNetworks Integration here.


Wednesday, November 14, 2007

Netflow Performance Analysis

Thanks to Joe Harris` 6200 Networks Blog, for a great link to Netflow Performance Analysis.

"Although many Cisco customers want to deploy NetFlow services, they are naturally cautious about introducing new technology into their network without completely understanding the potential performance impact. This paper examines the CPU impact of enabling NetFlow services in various scenarios on several different Cisco hardware platforms."

You can find a direct link to the Article Here.

Wednesday, November 07, 2007

MARS Cisco IPS 6 Dynamic Updates

Beginning in 4.3.1 and 5.3.1, MARS can discover new Cisco IPS signatures and correctly process and categorize received events that match those signatures.

Note, the Dynamic IPS Update feature is not enabled by default, and has to be configured as pictured above. Now there are two ways to get the updates. One is automatically (via a schedule) from Cisco, where a valid username and password is required. (ie, CCO Account). The second is to download the files manually from CCO, and place these on a server that MARS will have access too.

You can from the page above, Test your connectivity or perform an immediate update.


What is in these updates? These updates provides event normalization and event group mapping, and they enable your MARS Appliance to parse Day Zero signatures from the IPS devices. They are in the format of an xml file, as pictured below..


Note, these file do not contain detailed information, such as vulnerability information. Detailed signature information is provided in later MARS signature upgrade packages just as with 3rd-party signatures. Also Custom Signatures are not supported.

What happens once MARS gets the update file? The MARS Appliance performs an auto-activate to load the new signature information.

What happens if I do not enable this feature? If this feature is not configured, the events appears as unknown event type in queries and reports, and MARS does not include these events in inspection rules.

How Often Does MARS Check for Updates? This is scheduled, and can be hourly or daily, see below..


Two types of failures can occur, and they are identified in the Status field of the IPS Signature Dynamic Update Settings page:

• Failure to download the package. Verify that the MARS Appliance has connectivity to the specified destination and that it is using the correct username and password.

• Failure to install. Indicates a problem with the package itself, possibly corrupted during the download.

Another thing to check is the Autoupdate process, in the MARS CLI....

This is the process that handles the IPS Signature updates, you can see its status, via a pnstatus.

How do i check the version of update, i have on my MARS Appliance? This is done, by going to Help/About...


New Events/Rules related to the IPS Feature. I have listed some of the new events below, that relate to the IPS Feature, you will get an incident fired, if say your IPS update was not successful..



Lastly, there are some important considerations in a GC/LC environment. In a Global Controller-Local Controller deployment, you should configure the dynamic signature URL and all relevant settings on the Global Controller.

When the Global Controller pulls the new signatures from CCO, all managed Local Controllers download the new signatures from the Global Controller.

You may get communication failures if your GC and LC`s are running different versions of the IPS update files.




Friday, November 02, 2007

Book Review: LAN Switch Security

Title: LAN Switch Security: What Hackers Know About Your Switches
Authors: Eric Vyncke and Christopher Paggen
Publisher: Cisco Press


Quote "Contrary to popular belief, Ethernet switches are not inherently secure. Security vulnerabilities in Ethernet switches are multiple: from the switch implementation, to control plane protocols (Spanning Tree Protocol [STP], Cisco® Discovery Protocol [CDP], and so on) and data plane protocols, such as Address Routing Protocol (ARP) or Dynamic Host Configuration Protocol (DHCP). LAN Switch Security explains all the vulnerabilities in a network infrastructure related to Ethernet switches. Further, this book shows you how to configure a switch to prevent or to mitigate attacks based on those vulnerabilities. This book also includes a section on how to use an Ethernet switch to increase the security of a network and prevent future attacks."

Go into some (or most!) networks today, that run cisco switches, and you will see the majority of the security functions not enabled, or simply un or misconfigured. When you read this book, i`m sure you`ll start to review the security of your switch infrastructure right away. When you discover the insecurities of individual protocols, and the freely available tools on the internet that could bring you Network Meltdown!

Now before i start, for anyone that has read the famous "Hacking Exposed: Cisco Networks" book, that came out in 2006, LAN Switch Security:What hackers know about your switches will be pretty much overlap.

But if you havent read the previous mentioned book, then LAN Switch security is a definite read.

I think the book is well written, and includes many references to "hacking tools" on the web, with explanations of how attacks work, and examples of how to mitigate. For example, VLAN Hopping, DHCP Weaknesses, Arp Spoofing, HSRP etc.

You`ll have great fun in testing with tools like the famous "yershina". (Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols.)

Though a couple sections in the book are thin on the ground in terms of configuration examples, for example the ACL section, i`d still recommend this book as a great read, to anyone looking to improve switch security in a Cisco Network.

Thursday, October 25, 2007

Unlocking User Accounts via the CLI

As promised, a short article on unlocking user accounts via the CLI.

MARS 4.3.1 introduced the new AAA features.

For both Local or AAA authentication methods, if enabled, GUI access is locked for an account upon login failure, which occurs when a specified number of incorrect password entries are made for a single login name.

Now an important thing to note. The administrator GUI access can be locked like any other account. BUT, the CLI access through the console or through SSH is never locked. (Good job or you could be completely locked out your MARS box!)

Now from the CLI we can unlock single accounts or all accounts at the same time, the switches on the unlock command are shown below...


And an example of unlocking all accounts is shown at the top of the page, and an example of an individual account is shown below..

Now remember we can unlock individual user accounts in the CLI also, as long as the admin GUI account isn't locked.

Some other important notes regarding global controllers....

Unlocking is not replicated through Global Controller–Local Controller communications, it applies only to the local appliance. An account locked on a Global Controller does not replicate the locked status to global accounts on Local Controllers. A global account locked on two different appliances must be unlocked manually on each appliance.

Tuesday, October 09, 2007

MARS AAA with Microsoft IAS

I was going to do a write up on configuring the new MARS 4.3.1 AAA authentication feature with Cisco ACS.

But to be honest, there is a great write up in the official MARS documentation on doing just that, so in this article i`ll show you how to configure AAA with Microsoft IAS Server, for those of you who dont own an ACS Box.

We'll use Microsoft IAS, and if you dont know, this is the Microsoft implementation of a Remote Authentication Dial-in User Service (RADIUS) server, which comes built into Windows 2000 Server and Windows Server 2003.

I`m not going to go through installing IAS, but theres plenty of guides to doing this on the web.

Lets start by adding a new RADIUS Client...


Now Click Next, and select Cisco for the Client-Vendor, and enter a shared key that the two devices will share for the authentication process.

Next, we need to create a remote access policy. For ease, we will create a new one, and delete any existing predefined entries.

1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
2. In the right pane, right-click the default policy, and select Delete.
3. Right-click, and select New Remote Access Policy.
4. In the Remote Access Policy Wizard, click Next.
5. Click Set Up A Custom Policy, name it Cisco MARS, and click Next.
6. Click Add, select Windows-Groups, and click Add


Specifiy a Windows group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard



1. Click Next, select Grant Remote Access Permission, and click Next.
2. Click Edit Profile, and select the Authentication tab.
3. Only select the Unencrypted Authentication (PAP/SPAP) check box



  1. Next, select the Advanced tab.
  2. Select Service-Type, and click Edit.
  3. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list.

Back on the Advanced tab, select Framed-Protocol, and click Remove.


Click OK, and its done!
Oh, and one point, make sure you have allowed Dial-In rights, on the User, under AD Users and Computers.

Now the MARS Bit....

Now the first thing i would do is create user accounts in MARS, for the users you want AAA access. I know this seems weird, but you will see why later! Also make sure you create these case perfect to your windows accounts.

Once done, you can configure the MS IAS Server in MARS...

This is quite simple, go to Admin/Authentication Configuration...


Now under AAA Server Configuration select ADD...


And, Add AAA Server on a new host..


Fill in the IP`s etc, then click Next. Now click, ADD again for a Generic AAA Server..


Now specify the name, and Shared Key we specified earlier in the IAS Config, along with the Radius Server ports. I used, 1812 and 1813.

Now Click Test Connectivity, which will result, in either a Failure, if any of the parameters are wrong (especially the shared key), or success...


If Success, enter a windows user name and password to test the authentication process.

Once done, we can then set MARS to use AAA for logins...

Under Admin/Authentication Configuration, specify the IAS Server as the authentication method, and optionally set a lock out.

Once you click Submit, MARS will delete all the local User passwords you created earlier (except Admins).....


This will create an incident...


And thats it, all the MARS configuration done.

Now there are a couple of bits of note, to tell you about. To remove the IAS Server, you cannot do this via the normal Security and Monitor devices. If you try you will get this error...


Instead, delete the IAS Server, via the Authentication Configuration screen.

Logging on the Microsoft IAS is pretty poor...

And these will be obviously stored on the Windows Box, and not MARS! Obviously with ACS and the agent, you can get the logs back into MARS, but Windows does not have a native Syslog engine.

So you could run a query with the PNMARS device, for account logins...

Also a bug you should be aware about in the GUI when using AAA services, is that your user accounts may appear "locked", even if you do not use a Lock Out policy...


And err....


This does not effect the AAA function in anyway, and should be fixed in the next release.

Now this method worked fine in the lab, if you make a complete hash of the above dont blame me! :-)

In the next article i show you some CLI commands, to unlock user accounts.

Tuesday, October 02, 2007

642-544 cisco MARS Exam

I get a lot of visitors to the Blog via the keyword 642-544, so I thought i`d give the new MARS exam another mention.

The MARS exam is part of the Cisco CCSP Certification Track, and there are a couple of training courses available in the official Instructor Led Course or 3rd Party Hands On Real World Training Course by Priveon.

There are also two books available, Security Threat Mitigation and Response: Understanding Cisco Security MARS and Security Monitoring with Cisco Security MARS.

The Cisco Press website, only recommends the first book though.

Another useful resource is the Cisco MARS User Group, where there are now over 430 members.

Exam Topics

The following topics are general guidelines for the content likely to be included on the Remote Access exam. However, other related topics may also appear on any specific delivery of the exam. In order to better reflect the contents of the exam and for clarity purposes, the guidelines below may change at any time without notice.

Install and configure the Cisco Security MARS product

  • Identify the components, features and functions of the Cisco Security MARS product
  • Describe the process of installing the Cisco Security MARS appliance
  • Add Cisco reporting devices into the Cisco Security MARS appliance
  • Add non-Cisco reporting devices into the Cisco Security MARS appliance
  • Investigate events that the Cisco Security MARS appliance collects from configured security devices
  • Configure the Cisco Security MARS appliance to send alerts
  • Create and view a long-duration query on the Cisco Security MARS appliance
  • Configure rules to detect interesting patterns of network activity and other anomalous network behavior
  • Use the management features in the Cisco Security MARS appliance to assign event, addressing, service, and user information
  • Configure the Cisco Security MARS appliance hardware maintenance activities
  • Utilize the Global Controller to manage multiple Cisco Security MARS appliances
Good luck with the Exam!