Security Threat Mitigation and Response: Understanding Cisco Security MARS (642-544)

Author(s): Dale Tesch; Greg Abelar
Publisher: Cisco Press
Year: 2007

Language: English
Pages: 516

User Guide for Cisco Security MARS Local Controller......Page 1
Contents......Page 3
The MARS Web Interface......Page 19
About This Manual......Page 20
Documentation DVD......Page 21
Cisco Product Security Overview......Page 22
Cisco Technical Support Website......Page 23
Definitions of Service Request Severity......Page 24
Obtaining Additional Publications and Information......Page 25
STM Task Flow Overview......Page 27
Checklist for Provisioning Phase......Page 28
Checklist for Monitoring Phase......Page 35
Strategies for Monitoring, Notification, Mitigation, Remediation, and Audit......Page 42
Appliance-side Tuning Guidelines......Page 43
Device Inventory Worksheet......Page 44
User Role Worksheet......Page 46
Levels of Operation......Page 49
Selecting the Devices to Monitor......Page 50
Understanding Access IP, Reporting IP, and Interface Settings......Page 56
Reporting IP......Page 57
Selecting the Access Type......Page 58
Configure Telnet Access for Devices in MARS......Page 59
Bootstrap Summary Table......Page 60
Adding Reporting and Mitigation Devices......Page 64
Add Reporting and Mitigation Devices Individually......Page 65
Upgrade the Device Type to a Newer Version......Page 66
Delete a Device......Page 67
Add Multiple Reporting and Mitigation Devices Using a Seed File......Page 68
Seed File Header Columns......Page 69
Load Devices From the Seed File......Page 72
Adding Reporting and Mitigation Devices Using Automatic Topology Discovery......Page 73
Discover and Testing Connectivity Options......Page 74
Activate the Reporting and Mitigation Devices......Page 75
Data Enabling Features......Page 76
Networks for Dynamic Vulnerability Scanning......Page 77
Understanding NetFlow Anomaly Detection......Page 78
How MARS Uses NetFlow Data......Page 79
Enable Cisco IOS Routers and Switches to Send NetFlow to MARS......Page 80
Enable NetFlow Processing in MARS......Page 82
Configuring Layer 3 Topology Discovery......Page 84
Add a Community String for an IP Range......Page 85
Discover Layer 3 Data On Demand......Page 86
Schedule a Network Discovery......Page 87
To delete a scheduled topology discovery......Page 88
Configuring Resource Usage Data......Page 89
Configuring Network Admission Control Features......Page 90
MARS MIB Format......Page 91
Configure Syslog-ng Server to Forward Events to MARS......Page 92
Add Syslog Relay Server to MARS......Page 93
Add Devices Monitored by Syslog Relay Server......Page 94
Enable Administrative Access to Devices Running Cisco IOS 12.2......Page 95
Enable FTP-based Administrative Access......Page 96
Enable SNMP RO Strings......Page 97
Cisco Routers......Page 98
Cisco Switches......Page 99
Add and Configure a Cisco Router in MARS......Page 100
Enable Communications Between Devices Running CatOS and MARS......Page 103
Enable FTP-based Administrative Access......Page 104
Enable Syslog Messages on CatOS......Page 105
Enable L2 Discovery Messages......Page 106
Add and Configure a Cisco Switch in MARS......Page 107
Add Available Modules......Page 108
Add Cisco IOS 12.2 Modules Manually......Page 109
Configure ExtremeWare to Generate the Required Data......Page 111
Generic Router Device......Page 112
Add and Configure a Generic Router in MARS......Page 113
Cisco Firewall Devices (PIX, ASA, and FWSM)......Page 115
Bootstrap the Cisco Firewall Device......Page 116
Send Syslog Files From Cisco Firewall Device to MARS......Page 118
Add and Configure a Cisco Firewall Device in MARS......Page 119
Add Security Contexts Manually......Page 122
Add Discovered Contexts......Page 124
NetScreen ScreenOS Devices......Page 125
Bootstrap the NetScreen Device......Page 126
Add the NetScreen Device to MARS......Page 131
Check Point Devices......Page 133
Determine Devices to Monitor and Restrictions......Page 135
Bootstrap the Check Point Devices......Page 136
Add the MARS Appliance as a Host in Check Point......Page 137
Define an OPSEC Application that Represents MARS......Page 138
Obtain the Server Entity SIC Name......Page 141
Select the Access Type for LEA and CPMI Traffic......Page 143
Create and Install Policies......Page 145
Verify Communication Path Between MARS Appliance and Check Point Devices......Page 146
Reset the OPSEC Application Certificate of the MARS Appliance......Page 147
Add and Configure Check Point Devices in MARS......Page 150
Add a Check Point Primary Management Station to MARS......Page 151
Manually Add a Child Enforcement Module or Log Server to a Check Point Primary Management Station......Page 155
Add a Check Point Certificate Server......Page 158
Edit Discovered Log Servers on a Check Point Primary Management Station......Page 159
Define Route Information for Check Point Firewall Modules......Page 161
Specify Log Info Settings for a Child Enforcement Module or Log Server......Page 163
Remove a Firewall or Log Server from a Check Point Primary Management Station......Page 166
Troubleshooting MARS and Check Point......Page 167
Bootstrap the VPN 3000 Concentrator......Page 169
Add the VPN 3000 Concentrator to MARS......Page 170
Configure Sensors Running IDS 3.1......Page 173
Add and Configure a Cisco IDS 3.1 Device in MARS......Page 176
Bootstrap the Sensor......Page 177
Add and Configure a Cisco IDS or IPS Device in MARS......Page 178
Specify the Monitored Networks for Cisco IPS or IDS Device Imported from a Seed File......Page 180
Cisco IPS Modules......Page 181
Enable SDEE on the Cisco IOS Device with an IPS Module......Page 182
Add an IPS Module to a Cisco Switch or Cisco ASA......Page 183
ISS Site Protector......Page 185
ISS RealSecure 6.5 and 7.0......Page 189
Configure ISS RealSecure to Send SNMP Traps to MARS......Page 190
Add an ISS RealSecure Device as a NIDS......Page 191
Add an ISS RealSecure Device as a HIDS......Page 192
Extracting Intruvert Sensor Information from the IntruShield Manager......Page 194
Configure IntruShield Version 1.8 to Send SNMP Traps to MARS......Page 195
Add and Configure an IntruShield Manager and its Sensors in MARS......Page 197
Add IntruShield Sensors Manually......Page 198
Add IntruShield Sensors Using a Seed File......Page 199
Add the Snort Device to MARS......Page 200
Symantec ManHunt Side Configuration......Page 201
Add Configuration Information for Symantec ManHunt 3.x......Page 202
Add Configuration Information for the IDP......Page 203
Add NetScreen IDP 2.1 Sensors Manually......Page 204
Configure the DPM or EFP......Page 205
Add a Dragon NIDS Device......Page 206
Extracting Entercept Agent Information into a CSV file (for Entercept Version 2.5)......Page 209
Specify the Events to Generate SNMP Traps for MARS......Page 210
Add the Entercept Console Host to MARS......Page 211
Add Entercept Agents Using a Seed File......Page 212
Configure CSA Management Center to Generate Required Data......Page 213
Export CSA Agent Information to File......Page 214
Add and Configure a CSA MC Device in MARS......Page 215
Add a CSA Agent Manually......Page 216
Add CSA Agents From File......Page 217
Troubleshooting CSA Agent Installs......Page 218
Configure the AV Server to Publish Events to MARS Appliance......Page 219
Add Agent Manually......Page 225
Configure ePolicy Orchestrator to Generate Required Data......Page 226
Add and Configure ePolicy Orchestrator Server in MARS......Page 230
Cisco Incident Control Server......Page 231
Configure Cisco ICS to Send Syslogs to MARS......Page 232
Define Rules and Reports for Cisco ICS Events......Page 233
Configure FoundScan to Generate Required Data......Page 235
Add and Configure a FoundScan Device in MARS......Page 236
Configure eEye REM to Generate Required Data......Page 237
Add and Configure the eEye REM Device in MARS......Page 238
Qualys QualysGuard Devices......Page 239
Add and Configure a QualysGuard Device in MARS......Page 240
Troubleshooting QualysGuard Integration......Page 242
Adding Generic Devices......Page 245
Configure Syslogd to Publish to the MARS Appliance......Page 246
Configure MARS to Receive the Solaris or Linux Host Logs......Page 247
Microsoft Windows Hosts......Page 248
Install the SNARE Agent on the Microsoft Windows Host......Page 249
Pull Method: Configure the Microsoft Windows Host......Page 250
Enable Windows Pulling from a Windows 2000 Server......Page 251
Configure the MARS to Pull or Receive Windows Host Logs......Page 252
Windows Event Log Pulling Time Interval......Page 254
Define Vulnerability Assessment Information......Page 255
Identify Network Services Running on the Host......Page 257
Configure the Oracle Database Server to Generate Audit Logs......Page 259
Add the Oracle Database Server to MARS......Page 260
Configure Interval for Pulling Oracle Event Logs......Page 261
Install and Configure the Snare Agent for IIS......Page 263
To configure IIS for web logging......Page 264
To add configuration information for the host......Page 267
Install and Configure the Web Agent on UNIX or Linux......Page 269
To configure the iPlanet web server for the agent......Page 270
To add configuration information for the host......Page 271
Configure NetCache to Send Syslog to MARS......Page 273
Add and Configure NetCache in MARS......Page 274
Configuring AAA Devices......Page 277
Bootstrap CiscoSecure ACS......Page 278
Configure CiscoSecure ACS to Generate Logs......Page 279
Define AAA Clients......Page 281
Configure TACACS+ Command Authorization for Cisco Routers and Switches......Page 282
Install and Configure the PN Log Agent......Page 283
Upgrade PN Log Agent to a Newer Version......Page 285
Application Log Messages for the PN Log Agent......Page 286
Add and Configure the Cisco ACS Device in MARS......Page 288
To add a custom Device/Application type......Page 291
To add Parser Templates for a Device/Application......Page 293
Overview of Cisco Security Manager Policy Table Lookup......Page 305
More About Cisco Security Manager Device Lookup......Page 307
Prerequisites for Policy Table Lookup......Page 308
Restrictions for Policy Table Lookup......Page 309
Checklist for Security Manager-to-MARS Integration......Page 310
Bootstrapping Cisco Security Manager Server to Communicate with MARS......Page 316
Add a Cisco Security Manager Server to MARS......Page 317
Procedure for Invoking Cisco Security Manager Policy Table Lookup from Cisco Security MARS......Page 318
Logging In......Page 323
Basic Navigation......Page 324
Your Suggestions Welcomed......Page 326
Dashboard......Page 328
Sessions and Events......Page 330
Diagrams......Page 331
Manipulating the Diagrams......Page 333
Network Status......Page 334
Reading Charts......Page 335
To set up reports for viewing......Page 337
Case Management Overview......Page 339
Hide and Display the Case Bar......Page 341
Create a New Case......Page 342
Edit and Change the Current Case......Page 343
Add Data to a Case......Page 344
Generate and Email a Case Report......Page 345
Incidents Overview......Page 347
The Incidents Page......Page 348
To Search for a Session ID or Incident ID......Page 350
Incident Details Table......Page 351
False Positive Confirmation......Page 352
The False Positive Page......Page 354
To Tune an Unconfirmed False Positive to True Positive......Page 355
Mitigation......Page 356
Procedure for Mitigation with 802.1X Network Mapping......Page 357
Display Dynamic Device Information......Page 361
Components Used......Page 363
Network Diagram......Page 364
Add the Cisco Catalyst 5000 with SNMP as the Access Type......Page 365
Add the Cisco Catalyst 6500 with SNMP as Access Type (Layer 2 only)......Page 366
Add the Cisco 7500 Router with TELNET as the Access Type......Page 367
Verify the Connectivity Paths for Layer 3 and Layer 2......Page 368
Perform Mitigation......Page 372
Queries......Page 375
To Run a Free-form Query......Page 376
To Run a Batch Query......Page 377
To Resubmit a Batch Query......Page 378
Result Format......Page 379
Order/Rank By......Page 381
Maximum Number of Rows Returned......Page 382
To Select a Criterion......Page 383
Source IP......Page 384
Device......Page 385
Action......Page 386
Procedure for Invoking the Real-Time Event Viewer......Page 387
Perform a Long-Duration Query Using a Report......Page 391
Perform a Batch Query......Page 393
Reports......Page 396
Report Type Views: Total vs. Peak vs. Recent......Page 397
To Create a New Report......Page 398
To Delete a Report......Page 399
To Edit a Report......Page 400
Rules Overview......Page 401
Planning an Attack......Page 402
Back to Being the Admin......Page 403
Drop Rules......Page 404
Constructing a Rule......Page 405
Example C: Same Host, Same Destination, Same Port Denied......Page 416
Duplicate a Rule......Page 417
Edit a Rule......Page 418
Add an Inspection Rule......Page 419
Duplicate a Drop Rule......Page 421
Add a Drop Rule......Page 422
Setting Alerts......Page 423
Rule and Report Groups......Page 424
Rule and Report Group Overview......Page 425
Add, Modify, and Delete a Rule Group......Page 426
Add, Modify, and Delete a Report Group......Page 429
Display Incidents Related to a Rule Group......Page 431
Create Query Criteria with Report Groups......Page 432
Using Rule Groups in Query Criteria......Page 433
Sending Alerts and Incident Notifications......Page 435
Configure the E-mail Server Settings......Page 438
Configure a Rule to Send an Alert Action......Page 439
Create a New User—Role, Identity, Password, and Notification Information......Page 444
Create a Custom User Group......Page 446
Add a User to a Custom User Group......Page 447
Search for an Event Description or CVE Names......Page 449
Add a Group......Page 450
Edit a Group......Page 451
Add a Host......Page 452
Edit Host Information......Page 454
Edit a Group of Services......Page 455
User Management......Page 456
Add a New User......Page 457
Search for a User......Page 459
Add or Remove a User from a User Group......Page 460
Filter by Groups......Page 461
Setting Runtime Logging Levels......Page 463
View the Back-end Log......Page 464
Retrieve Raw Messages From Archive Server......Page 465
Retrieve Raw Messages From the Database of a Local Controller......Page 467
Replace a Hard Drive......Page 469
Change the Default Password of the Administrator Account......Page 470
XML Overview......Page 473
XML Incident Notification Data File Sample Output......Page 474
Usage Guidelines and Conventions for XML Incident Notification......Page 476
PCRE Regular Expression Details......Page 479
Backslash......Page 480
Non-printing Characters......Page 481
Generic Character Types......Page 482
Unicode Character Properties......Page 483
Simple Assertions......Page 484
Circumflex and Dollar......Page 485
Square Brackets and Character Classes......Page 486
POSIX Character Classes......Page 487
Internal Option Setting......Page 488
Subpatterns......Page 489
Repetition......Page 490
Atomic Grouping and Possessive Quantifiers......Page 492
Back References......Page 493
Assertions......Page 494
Lookbehind Assertions......Page 495
Using Multiple Assertions......Page 496
Conditional Subpatterns......Page 497
Recursive Patterns......Page 498
Subpatterns as Subroutines......Page 499
Callouts......Page 500
Date/Time Format Specification......Page 501
Glossary......Page 505
Index......Page 509