Thursday, September 27, 2007

Cisco MARS 4.3.1 Now Available

Cisco MARS 4.3.1 is now available (and 5.3.1 for Gen2).

There are some great new features, briefly mentioned below...

Data Migration Support

Beginning with this release, you can migrate configuration and event data from a MARS Appliance running 4.x to a newer model running 5.x.

Centralized Password Management—External AAA Server Support

External Authentication, Authorization, and Auditing (AAA) servers can now act as the authentication mechanism for MARS Appliance GUI logins (username and password). Previously, each MARS Appliance authenticated login name/password combinations with the appliance's local user database. Release 4.3.1 supports the following external RADIUS AAA servers:

Cisco Secure Access Control Server (ACS)

Microsoft Internet Authentication Service (IAS) Server

Juniper Networks Steel belted RADIUS

Account Locking—Login Security

Previously, MARS Appliances permitted an unlimited number of login attempts. With Release 4.3.1, the adminstrator can configure the GUI to lock after a specified number of failed login attempts, or can configure the GUI to never lock.

Monitoring Global Controller Connection Status from the Local Controller

Previously, the connection status between a Local Controller and a Global Controller was reported on the Global Controller's Zone Controller Information page

(Admin > System Setup > Local Controller Management).

With Release 4.3.1, the Local Controller now generates syslogs to record communication problems caused by the following events:

Local Controller cannot connect to the Global Controller

Local Controller certificate is not on the Global Controller or vice versa

Local Controller and Global Controller are operating with incompatible MARS release versions

Release 4.3.1 defines seven new events, three new system rules, and two new system reports on the Local Controller to monitor the connection status with the Global Controller.

GUI and CLI Timeout Interval

Previously, the GUI would timeout after 30 minutes of inactivity. With Release 4.3.1, the timeout interval for the GUI can be set at 15, 30 (default), 45, and 60 minutes, or as Never (never will timeout). Different GUI timeout intervals can be set for the Administrator, Security Analyst. and Operator roles. The Administrator parameter also sets the CLI timeout.


Miscellaneous Changes and Enhancements

The following changes and enhancements exist in 4.3.1:

Global Controller-to-Local Controller Communication Enhancements. Enhancements include more efficient data batches, reduced transfer times, and a prioritization on recent data. If a data backlog occurs due to a Global Controller-to-Local Controller disconnect, the Local Controller sends recent data first and stays in sync with new data coming in. The Local Controller catches up with older data over time.

Support for Cisco IPS 6.0 Dynamic Signature Updates. Download new signatures from CCO and correctly process and categorize received events that match those signatures, which includes them in inspection rules and reports. These updates provides event normalization and event group mapping, and they enable your MARS Appliance to parse Day Zero signatures from the IPS devices

Syslog Forwarding. Designate a syslog collector and forward syslog messages received from one or more IP addresses to that collector.

Password Management Enhancement. Non-administrative users can change the password associated with their account. Previously, editing a MARS user was considered an administrative task and limited to those accounts with the admin role.

Raw Message Log Enhancement.To view and delete queries in the local cache, click the View Cache button on the Retrieve Raw Messages page accessed from Admin > System Maintenance > Retrieve Raw Messages.Previously, queries were purged automatically every two weeks; this feature helps avoid disk space shortages that could occur before that period elapsed.

GC2R Support. The 4.3.1 and 5.3.1 releases are interoperable, allowing the GC2R to manage Local Controllers running 4.3.1 on the following models: MARS 20R, MARS 20, and MARS 50.

Enhanced Cisco Device Support:

IPS 6.0

PIX / ASA 7.2

CSA 5.0, 5.1, and 5.2

Cisco IOS P1-5

FWSM 3.1.5

Enhanced 3rd-Party Device Support.

ISS Site Protector 2.0

CheckPoint R61, R62, and R65.

Update to intrusion prevention, and intrusion detection, and vulnerability assessment signature sets.

Bug fixes.

New Vendor Signatures

Release notes for the new version are available HERE.

Look out on the Blog over the next few days, for details on the new features.


Wednesday, September 26, 2007

Guard & Detector Custom Parser

As promised an example Custom Parser for the impressive Cisco Guard & Detector.


Like any Cisco device, these appliances or Catalyst 6500 Modules can produce syslog. And since these devices are not on the MARS supported Device list, a Custom Parser was needed for MARS to understand the incoming syslog, to convert to Events.

I created a few Log Parser Templates for a section of Guard Events, including system added Dynamic Filters, User Pending Dynamic Filters, Attack Started etc....

NB: To receive events about the addition and removal of dynamic filters, the trap level must be changed to informational, on the Guard/Detector.

With simple String matching in the RAW syslog, with some events containing more "useful" information than others...


Once done, MARS can then interpret the incoming Syslog from an Inline Catalyst 6500 Guard in the example below.


And it can Sessionize this information where possible..

In this case, I did not define the new log templates to already defined MARS Event Types, so I created Rules, to fire Incidents.....



And more importantly a reporting back-end over time.....


For more information on the DDOS Mitigation Guard & Detector, visit HERE for Cisco.com website info, or speak to Satisnet or your local Cisco Account Rep.

Monday, September 24, 2007

Cisco Guard and Detector

Appologies for the lack of updates, i`ve been working away on a DDOS project utilizing the Cisco Guard and Detector.

These appliances (or Cat 6500 Modules) are based upon the patented Multi-Verification Process (MVP) architecture.


This MVP architecture enables the Cisco Guard and Cisco Traffic Anomaly Detector to leverage the latest analysis and attack recognition techniques to detect and remove network attack traffic while scrubbing and reinjecting valid network traffic to its proper destination.

The Traffic Anomaly Detector learns what is a normal traffic pattern for a protected network area, or zone. DDoS mitigation policies are constructed and thresholds are tuned in order to react to various DDoS attack scenarios.

This DDoS attack diversion is typically implemented by updating the Border Gateway Protocol (BGP) routing table or by other mechanisms including static routes (manual IP routes) and policy-based routes (specific traffic forwarding based upon parameters including application and packet size).

The Guard's ability to update routing tables in the event of an attack (or always run inline with the Cat6500 Modules) allows the Guard to automatically scrub the DDoS attack traffic, while still forwarding or tunneling valid network traffic to the destination zone.

So less about the Guard itself on this blog (more soon on network-response), but look out tomorrow for an example MARS custom parser for the Guard & Detector.

Sunday, September 02, 2007

MARS 4.2.8 Released

Sorry for no new posts over the last 2 weeks, (and appologies if you have emailed, and had no reply) i`ve been on Hols to Greece and Turkey.

Old news now, but MARS 4.2.8 was released whilst I was away.


Release notes for Cisco Security MARS Appliance 4.2.8 are available Here.