User Guide for Cisco Security MARS Local Controller, 78-17020-01, page 2-2
Chapter 2      Reporting and Mitigation Devices Overview
Selecting the Devices to Monitor

•   Basic. At this level, MARS behaves like a smart syslog server. It collects reporting device logs and
    supports basic queries and reports. To enable basic operation, you must complete the initial
    configuration of the MARS Appliance as described in Install and Setup Guide for Cisco Security
    Monitoring, Analysis, and Response System. In addition, you must specify the device name and
    reporting IP addresses of the reporting devices as described in Adding Reporting and Mitigation
    Devices, page 2-16.

•   Intermediate. At this level, MARS processes events and performs session-based correlation,
    including resolving NAT and PAT translations at the IP address layer. To enable intermediate
    operation, you must provide more details about the devices you want to monitor, including access
    IP addresses, management access passwords, OS platforms and versions, and running services and
    applications; see IP Management, page 23-3 for more information.

•   Advanced. This level is a fully enabled MARS Appliance. When advanced operation is enabled, the
    MARS Appliance discovers and displays the full topology, draws attack paths, and enables MAC
    address lookups of the hosts involved in an attack. To enable advanced operation, you must provide
    the SNMP community string information for your network. You must also enable topology
    discovery, as defined in Scheduling Topology Updates, page 2-39.

Table 2-1 summarizes the levels, their configuration requirements, and the features enabled at each level.

Table 2-1      Levels of Operation

Level Of Operation   Configuration Requirements                    Functionality Enabled
Level 1              MARS configured                               Basic syslog functionality
                     Reporting device names and reporting IP       Event correlation
                     addresses added                               Query, reports, and chart support
                     NetFlow enabled                               NetFlow anomaly detection
Level 2              Access IP addresses and information added     Starts performing event and session-based
                                                                   correlation
                                                                   NAT and PAT resolution
                                                                   IP address lookup of attackers and targets
Level 3              Community strings and networks added          MAC address lookup of attackers and targets
                                                                   Topologies enabled

Selecting the Devices to Monitor

All monitoring strategies involve selecting the types of devices to monitor and how much data to provide
to the MARS Appliance. All devices on your network, be they hosts, gateways, security devices, or servers,
provide some level of data that MARS can use to improve the accuracy of security incident
identification. However, careful consideration of what data to provide can improve the attack
identification response time by ensuring that MARS does not perform unnecessary or redundant event
correlation and analysis. Unnecessary logging and reporting by reporting devices can also reduce the
effectiveness of your network.

We recommend analyzing each network segment to identify the most data-rich combination that you can
achieve, while identifying and refining your configurations to reduce redundant data.

When determining a monitoring strategy, you must also determine the goals behind the monitoring. Is it
just for attack detection? Attack detection and mitigation? Regulatory compliance? Your goals affect
which devices you must monitor and what features you must configure on those devices.
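The following Python script is an added example, not part of the Cisco guide or of the MARS product. It encodes the cumulative configuration requirements of Table 2-1 so that a reporting-device inventory can be audited before devices are added to MARS: for each device it reports the level of operation the supplied details would reach, what is still missing for the next level, and which functionality from the table that level unlocks. It also flags reporting IP addresses that appear more than once, the kind of redundant reporting the section above recommends eliminating. The ReportingDevice schema, the field names and the inventory entries are all constructed for this example; credentials are represented only as presence flags, so the inventory never holds a management password or SNMP community string.

```python
from collections import Counter
from dataclasses import dataclass

# Functionality per level, copied from Table 2-1. NetFlow anomaly detection is
# listed under Level 1 but additionally depends on NetFlow being enabled, so it
# is added separately in enabled_features().
LEVEL_FEATURES = {
    1: ("Basic syslog functionality", "Event correlation",
        "Query, reports, and chart support"),
    2: ("Event and session-based correlation", "NAT and PAT resolution",
        "IP address lookup of attackers and targets"),
    3: ("MAC address lookup of attackers and targets", "Topologies enabled"),
}


@dataclass
class ReportingDevice:
    """Hypothetical inventory record for one reporting device.

    Secrets are tracked as presence flags only: the inventory records that a
    management password or SNMP community string has been entered in MARS,
    never the value itself."""
    name: str
    reporting_ip: str = ""
    access_ip: str = ""
    has_access_credentials: bool = False
    has_snmp_community: bool = False
    networks: tuple[str, ...] = ()
    netflow: bool = False


# Requirements for reaching each level, beyond those of the level below.
def _requirements(dev: ReportingDevice) -> dict[int, list[tuple[str, object]]]:
    return {
        1: [("name", dev.name), ("reporting_ip", dev.reporting_ip)],
        2: [("access_ip", dev.access_ip),
            ("access credentials", dev.has_access_credentials)],
        3: [("SNMP community string", dev.has_snmp_community),
            ("networks", dev.networks)],
    }


def level_of_operation(dev: ReportingDevice) -> int:
    """Highest level whose requirements, and all lower ones, are satisfied."""
    reqs = _requirements(dev)
    level = 0
    for candidate in (1, 2, 3):
        if all(present for _, present in reqs[candidate]):
            level = candidate
        else:
            break
    return level


def missing_for_next_level(dev: ReportingDevice) -> list[str]:
    """Requirement names still absent for the next level (empty at Level 3)."""
    level = level_of_operation(dev)
    if level == 3:
        return []
    return [field for field, present in _requirements(dev)[level + 1] if not present]


def enabled_features(dev: ReportingDevice) -> list[str]:
    """Functionality from Table 2-1 available at the device's level."""
    level = level_of_operation(dev)
    features = [f for lvl in range(1, level + 1) for f in LEVEL_FEATURES[lvl]]
    if level >= 1 and dev.netflow:
        features.append("NetFlow anomaly detection")
    return features


def audit_inventory(devices: list[ReportingDevice]) -> tuple[dict, list[str]]:
    """Per-device findings plus reporting IPs shared by more than one entry.

    A duplicate reporting IP means two inventory entries would feed the same
    event stream into MARS, producing redundant correlation work."""
    report = {
        d.name: {
            "level": level_of_operation(d),
            "missing": missing_for_next_level(d),
            "features": enabled_features(d),
        }
        for d in devices
    }
    ip_counts = Counter(d.reporting_ip for d in devices if d.reporting_ip)
    duplicates = sorted(ip for ip, n in ip_counts.items() if n > 1)
    return report, duplicates


# Constructed sample inventory using RFC 5737 documentation addresses.
INVENTORY = [
    ReportingDevice("edge-fw", "192.0.2.1", "192.0.2.1", True, True,
                    ("192.0.2.0/24",), netflow=False),
    ReportingDevice("core-sw", "192.0.2.2", "192.0.2.2", True),
    ReportingDevice("syslog-host", "192.0.2.3", netflow=True),
    ReportingDevice("old-fw", "192.0.2.1"),  # duplicate of edge-fw's reporting IP
]

if __name__ == "__main__":
    findings, dup_ips = audit_inventory(INVENTORY)
    for name, info in findings.items():
        print(f"{name}: level {info['level']}, missing {info['missing']}")
    print("duplicate reporting IPs:", dup_ips)
```

Running the script prints one line per device with its attained level and the requirements still missing, followed by the list of duplicated reporting IP addresses; in the sample inventory, edge-fw reaches Level 3, core-sw stops at Level 2 for lack of SNMP details, and 192.0.2.1 is flagged because old-fw repeats it.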