Friday, November 13, 2009

CVE-2009-2977

Thanks to an eagle-eyed reader (though it is a couple of months old now): if you are running 6.0.4 or earlier, there is a vulnerability when MARS is configured to pull Windows Event Logs.

"The Cisco Security Monitoring, Analysis and Response System (CS-MARS) 6.0.4 and earlier stores cleartext passwords in log/sysbacktrace.## files within error-logs.tar.gz archives, which allows context-dependent attackers to obtain sensitive information by reading these files."

You can view the CVE here.

This was covered by Cisco bug CSCtb52450, which mentioned that it is only an issue when MARS is configured to pull events, rather than receiving them from an agent such as Snare (or Honeycomb and similar products).

It was also mentioned that the issue can be mitigated if log files are not exported from the CS-MARS device (only CS-MARS administrators can export log files).

BTW, this was resolved in MARS release 6.0.5.
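Since the exposure only becomes a problem once an error-logs.tar.gz leaves the appliance, an administrator may want to inspect an export before handing it to anyone. The following is an added example, not code from the original post or from Cisco: a small Python audit that lists any log/sysbacktrace.## members (the path named in the CVE) inside such an archive and reports credential-looking lines from them with the value masked. The sample archive, its file contents and the keyword heuristic are constructed assumptions for illustration; only the sysbacktrace path comes from the advisory.

```python
"""Audit an exported CS-MARS error-logs.tar.gz for sysbacktrace files before it leaves the box."""
import io
import re
import tarfile

# Path pattern taken from CVE-2009-2977: log/sysbacktrace.## inside error-logs.tar.gz
SYSBACKTRACE_RE = re.compile(r"(^|/)log/sysbacktrace\.\d+$")
# Heuristic (assumption): keywords that commonly precede a credential value in a dumped trace
CREDENTIAL_RE = re.compile(r"((passw(or)?d|pwd|secret)\s*[=:]\s*)\S+", re.IGNORECASE)


def build_sample_archive() -> bytes:
    """Build a constructed in-memory error-logs.tar.gz; every file and line here is made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = {
            # Constructed backtrace line that leaks a pull-account credential
            "log/sysbacktrace.17": b"thread 1: pull-agent --host=dc01 --user=marspull password=Hunter2!\n",
            # Constructed backtrace with nothing sensitive
            "log/sysbacktrace.18": b"thread 3: waiting on socket\n",
            # Ordinary log, not a sysbacktrace file, so the audit ignores it
            "log/pull-agent.log": b"2009-11-13 info: pull cycle complete\n",
        }
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_archive(archive_bytes: bytes) -> dict:
    """Return {member_name: [masked matching lines]} for every sysbacktrace member.

    A member mapped to an empty list is present in the archive but had no
    credential-looking line; it is still listed because the CVE concerns the
    whole file class, not one line pattern.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not SYSBACKTRACE_RE.search(member.name):
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            hits = []
            for line in text.splitlines():
                if CREDENTIAL_RE.search(line):
                    # Mask the value so the audit report itself is safe to share
                    hits.append(CREDENTIAL_RE.sub(r"\1[REDACTED]", line))
            findings[member.name] = hits
    return findings


def safe_to_export(archive_bytes: bytes) -> bool:
    """True only if the archive contains no sysbacktrace members at all."""
    return not audit_archive(archive_bytes)


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, hits in audit_archive(sample).items():
        print(name, "->", hits or "no credential-like lines")
    print("safe to export:", safe_to_export(sample))
```

To run this against a real export, replace the constructed `build_sample_archive()` bytes with the contents of the downloaded error-logs.tar.gz; anything listed under a sysbacktrace member should be treated as a reason to keep the archive on the appliance, or to strip those members before sharing.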


Thursday, November 05, 2009

No Updates for Non Cisco Devices?

There have been plenty of rumours recently regarding MARS and its support for non-Cisco devices, more so over the last couple of days...

Whether it's Gartner a few days ago, or MARS competitors like Nitro putting out releases yesterday (and I'd fully expect the others to follow).

I noticed an official Business Unit response in the Netpro Forums...

"October 30, 2009
Cisco response to Gartner Research Memo entitled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution”
Summary
• Gartner has alerted its customers that as Cisco continues to focus its security management efforts on Cisco devices, MARS appliances may become less viable for the broad set of “general” SIEM use cases.
• Gartner concludes that Cisco’s focus on native management capabilities for our devices is a positive direction.
• For customers with primarily Cisco event sources on their network, Gartner recommends that MARS still provides a strong platform for security threat management (STM) and network behavior analysis (NBA) capabilities.
Details
On October 29th, 2009, Gartner released a research note titled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution.” This note is in response to Cisco’s stated direction to focus CS-MARS development on supporting Cisco-built network security devices and critical host operating systems. Non-Cisco network device data and signature updates continue to be supported in CS-MARS for the current versions of these 3rd-party systems.
In the memo, Gartner concludes that “Cisco will focus its efforts on improving Cisco's native security management capabilities,” which they note as a positive direction for Cisco’s overall Security portfolio.

In the past, we have encouraged Gartner to break up this crowded space as it encompasses a vast array of use cases spanning compliance reporting, log aggregation, threat identification, and mitigation. While MARS has been placed in the SIEM market, it has never fully covered all aspects of the Gartner-defined space. Over the last year, as we have focused on the core Security Threat Management use cases for Cisco products, Cisco has de-emphasized compliance reporting and non-Cisco devices.

In particular for Cisco customers, it is important to note Gartner’s recommendation that MARS continues to provide strong STM and NBA capabilities for Cisco event sources."


Stinky......

Book Review: Cisco Routers for the Desperate, 2nd Ed


"Cisco Routers for the Desperate, 2nd Edition is designed to be read once and left alone until something breaks. When it does, you'll have everything you need to know in one easy-to-follow guidebook."


Cisco Routers for the Desperate, 2nd Edition, by Michael W. Lucas, condenses all you need to know about Cisco routers, and some switching, down to a mere 125 pages.


Now you're not going to pass your CCIE, or CCNA for that matter, with just this book. The sections covered are quite basic and to the point, but there are many people in the marketplace who have never had any official training on Cisco kit, and this book is for them.


How to navigate the IOS interface, configure interfaces and time, back up configs, etc. are covered in a quirky writing style, then a redundancy chapter on BGP and HSRP will start to whet your Cisco appetite.


All in all, a good read for anyone new to Cisco kit, or for the plenty of people out there who did the CCNA course years ago, never sat the exam, and now finally get their "hands on" and can't remember the basics!

Monday, November 02, 2009

MARS 6.0.5 FIPS PCI Card Notes

As you may have read in the release notes for MARS 6.0.5, a FIPS PCI card is available for the MARS 110R.

You can read the details here.