Cisco Security Monitoring, Analysis, and Response System (MARS) is a family of high-performance, scalable appliances for threat management, monitoring, and mitigation that enables you to make more effective use of network and security devices by combining network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. With MARS solutions you can readily and accurately identify, manage, and eliminate network attacks and maintain network compliance.
Labs
Lab 1: Remote Lab Familiarization
Get an introduction to the remote lab environment. Access equipment, explore available features, and examine connectivity. You will have access to:
- Three Microsoft Windows desktop PCs
- Six Windows 2003/2000 servers
- An ASA 5520 firewall
- A Catalyst 3560 L2/L3 switch
- Two 2811 IOS routers
Lab 2: Bootstrapping the MARS
Learn to bootstrap the MARS appliance by performing the basic configuration from the MARS command line. Explore several newer commands available in version 6.0.1. Perform the initial login to the MARS and enter the appropriate licensing information. Become comfortable with the GUI and the MARS interface. Once the configuration is verified, you will record your network reporting devices in a generic template to be used in subsequent labs.
Lab 3: Importing Hardware Devices into MARS
The MARS appliance is only as good as the data the reporting devices send it. In this lab, you will use three methods for loading networking devices into the MARS: Auto Discovery, Manual entry, and Seed File import. You will configure the SNMP settings MARS needs to reach your various networking devices. You'll configure MARS to discover routers, switches, and an ASA, entering the required device-side commands yourself so you see the configuration first-hand. The ASA runs 8.x code, as it does at most customer sites. After all the devices are added to the MARS appliance, you will perform a basic query against the MARS database.
- Perform a Manual device entry
- Auto Discover devices
- Use a Seed File to import devices
Lab 4: Generating Summary Reports
Gain familiarity with the GUI and create generic summary reports. Take a look at how NetFlow is used on the MARS appliance for anomaly detection, and walk through the configuration of NetFlow export on your Cisco IOS routers. Step through the various graphs available on the MARS.
- Maneuvering the GUI
- Reviewing queries
Lab 5: Exploring Rules
In this lab, you will explore what makes an incident fire. Step through the creation of a basic rule that generates an incident when a VPN user logs into the network. Then perform a day-to-day task of a MARS administrator: investigate an incident, mark it as a false positive, and thereby create a drop rule.
- Create a basic rule
- Investigate an incident to mark as a false positive, thereby creating a drop rule
Lab 6: Generating Queries and Reports
Learn how to create a query with different search parameters. Investigate the various Cisco-supplied reports included in MARS. Issue the IOS/ASA commands that enable detailed logging, and tune which messages are sent to MARS. Configure the newer IOS commands that log configuration commands to syslog, and create a rule in MARS to generate an incident when such a command is entered.
- Enter appropriate logging commands on an IOS device
- Explore newer IOS commands to allow command logging to MARS
- Run queries with different search parameters
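The rule described for Lab 6 fires when an IOS device reports a logged configuration command. The following is an added example, not course material or Cisco code, showing the matching logic such a rule applies: it extracts the user and command from the %PARSER-5-CFGLOG_LOGGEDCMD message that IOS command logging emits, checks the command against a watchlist of sensitive changes, and raises an incident per match. The sample syslog lines, hostnames, addresses and watchlist patterns are constructed for illustration.

```python
"""Rule logic for IOS command-log events (added example, not MARS or Cisco code).
Sample lines are constructed in the format IOS emits once
'archive / log config / logging enable / notify syslog' is configured."""
import re
from dataclasses import dataclass

# Constructed sample syslog lines; sequence numbers, timestamps and addresses are made up.
SAMPLE_LINES = [
    "<189>123: *Mar  5 14:07:09.415: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:interface FastEthernet0/0",
    "<189>124: *Mar  5 14:07:15.002: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:no logging host 10.0.0.5",
    "<189>125: *Mar  5 14:08:01.777: %PARSER-5-CFGLOG_LOGGEDCMD: User:jsmith  logged command:username backdoor privilege 15 secret *****",
    "<189>126: *Mar  5 14:08:30.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.25)",
]

# The command-log message body: user who entered the command, then the command itself.
CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Rule conditions (assumed watchlist, extend for your environment): any logged
# command matching one of these patterns creates an incident.
WATCHLIST = [
    ("logging-disabled", re.compile(r"^no logging\b")),
    ("aaa-disabled", re.compile(r"^no aaa\b")),
    ("priv15-user-added", re.compile(r"^username \S+ privilege 15\b")),
    ("acl-removed", re.compile(r"^no (?:ip )?access-list\b")),
]


@dataclass
class Incident:
    rule: str
    user: str
    command: str


def parse_cfglog(line):
    """Return (user, command) for a CFGLOG_LOGGEDCMD line, or None for any other message."""
    m = CFGLOG_RE.search(line)
    if not m:
        return None
    return m.group("user"), m.group("cmd").strip()


def evaluate(lines):
    """Apply the watchlist to every logged command; one Incident per matching command."""
    incidents = []
    for line in lines:
        parsed = parse_cfglog(line)
        if parsed is None:
            continue  # e.g. %SYS-5-CONFIG_I: not a command-log event, a separate rule would cover it
        user, cmd = parsed
        for rule, pattern in WATCHLIST:
            if pattern.search(cmd):
                incidents.append(Incident(rule, user, cmd))
    return incidents


if __name__ == "__main__":
    for inc in evaluate(SAMPLE_LINES):
        print(f"INCIDENT {inc.rule}: user={inc.user} cmd={inc.command!r}")
```

Note that with `hidekeys` configured under `log config`, IOS masks secrets in the logged command (the `*****` in the third sample line), so a rule should key on the command structure rather than on credential values.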
Lab 7: Case Management and Rule Actions
In this lab, you will learn to configure an action for a rule: an e-mail is generated and sent to your admin user when a particular incident is created. Because the lab environment includes an SMTP server, you can watch your e-mails being generated and sent. You will also explore the newer Case Management feature, which lets you attach notes and a trace log to one or many incidents, and you will delegate control of a case to a particular user.
- Create a case and have the case e-mailed to a user
- Modify the action on a rule to automatically generate an e-mail when the incident is created
Lab 8: Incident Handling and Mitigation
Create several incidents by generating attacks in your network. Launch an attack against your DMZ to create the incident. Learn to investigate these incidents and their attack vector graphs, and review the mitigation techniques MARS suggests.
- Launch an attack against your DMZ from the outside of the network
- Investigate the incident and attack vector graphs
- Review the recommended mitigation response from MARS
Lab 9: Tuning the MARS
Discover false positives and learn to tune your networking devices so that they do not generate incidents for this traffic. Explore the options for device-side tuning and appliance-side tuning.
- Tune networking devices so they stop generating incidents for benign traffic
- Investigate an Incident and create a False Positive rule
- Explore device-side tuning and appliance-side tuning
Lab 10: Creating a Custom Parser
Learn to use a Custom Parser, a tool used in your MARS deployments to map syslog messages from a reporting device that MARS does not natively support. You will learn to use a new free tool to generate syslog traffic to test your parser.
- Use a tool to generate custom syslog messages, so you do not have to fail or attack production equipment to produce them
- Create a custom parser to parse a Barracuda WebFilter log
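Before loading a custom parser into MARS you want test messages that look like the real device's syslog and a way to confirm your extraction pattern matches them. The following is an added example, not the course's tool or Cisco code: it wraps a log body in an RFC 3164 header, checks the body against the field-extraction pattern you intend to give the parser, and can send the result over UDP to the appliance. The web-filter body layout, hostnames and addresses are constructed for illustration and are not the real Barracuda WebFilter format; the destination port 514 is the standard syslog port and is an assumption here.

```python
"""Syslog test-message generator and parser check (added example, not MARS or Cisco code)."""
import re
import socket
import time

FACILITY_LOCAL0 = 16   # RFC 3164 facility code
SEVERITY_INFO = 6      # RFC 3164 severity code

# Constructed sample bodies in a key=value style (assumption: not the real device's layout).
SAMPLE_BODIES = [
    "src=10.1.1.25 user=jsmith url=http://example.com/news action=ALLOW cat=news",
    "src=10.1.1.40 user=mjones url=http://bad.example.net/x.exe action=BLOCK cat=malware",
]


def now_stamp():
    """RFC 3164 timestamp 'Mmm dd hh:mm:ss'; a single-digit day is space-padded, not zero-padded."""
    t = time.localtime()
    return f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"


def build_syslog(body, hostname="webfilter1", tag="wf",
                 facility=FACILITY_LOCAL0, severity=SEVERITY_INFO, stamp=None):
    """Return '<PRI>TIMESTAMP HOST TAG: BODY' where PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>{stamp or now_stamp()} {hostname} {tag}: {body}"


# The pattern a custom parser would use: one named group per field MARS should map.
FIELD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:]+): "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) user=(?P<user>\S+) url=(?P<url>\S+) "
    r"action=(?P<action>ALLOW|BLOCK) cat=(?P<cat>\S+)$"
)


def parse_syslog(line):
    """Extract the mapped fields from one message, or return None if the pattern does not match."""
    m = FIELD_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields.pop("pri")), 8)
    return fields


def send_syslog(lines, host="127.0.0.1", port=514):
    """Send each line as one UDP datagram; point host at the appliance to test the parser live."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(line.encode("ascii"), (host, port))
    finally:
        sock.close()
    return len(lines)


if __name__ == "__main__":
    lines = [build_syslog(body) for body in SAMPLE_BODIES]
    for line in lines:
        fields = parse_syslog(line)
        if fields is None:
            raise SystemExit(f"pattern does not match: {line}")
        print(fields["src"], fields["user"], fields["action"], fields["url"])
    # send_syslog(lines, host="MARS_IP")   # uncomment and fill in the appliance address
```

Generate every message variant the device can emit (allowed, blocked, long URLs, missing fields) and run each through the pattern; a message the pattern rejects locally is one the MARS parser will also drop, and you find that out here rather than in production.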
Lab 11: CSM and MARS Interaction
In this lab, examine the integration of MARS with the Cisco Security Manager (CSM) product. CSM gives an organization one central location from which to push configurations to its Cisco security products, including routers, switches, IPS/IDS, PIX/ASA, and various others. The integration with MARS lets you view an incident on MARS and then review the policy on the associated network device by querying CSM for its configuration.
- Add a CSM Server to MARS
- Generate an event and have the IPS report the event to MARS
- Investigate the event by querying CSM directly from MARS
- Review the IPS signature that caused the event directly from MARS
Lab 12: IPS and MARS Integration
This detailed lab covers the integration of the MARS appliance and a Cisco IPS device, including the 42xx product line and the AIP-SSM modules. Load a baseline configuration file and examine the IPS configuration reporting to MARS. Walk through the steps of configuring the IPS with SNMP settings. Use IPS version 6.x software (the latest) and perform command line troubleshooting on the IPS to verify subscriptions. Using the latest code on the MARS enables you to configure IPS Dynamic Signature Updates, which you will also investigate.
- Load the baseline config into the IPS
- Configure the IPS for SNMP support
- Create a MARS account in the IPS
- Add the IPS to MARS
- Configure Dynamic Signature Updates
- Use Command Line options in the IPS to verify that MARS is configured correctly
Lab 13: Adding a Software Reporting Device
Install the latest version of SNARE to send IIS events and standard Windows events to MARS. Examine the various free SNARE programs available from InterSect Alliance. Symantec AntiVirus Server is also covered in this lab: you'll walk through setting up its Alert Server so that MARS can report on virus activity, then send a virus to a workstation in the lab and see it generate an alert in MARS.
- Add a Windows Server as a reporting device using SNARE and RPC
- Add an IIS Server as a reporting device
Lab 14: Adding an AAA Reporting Device
In this lab, you will install the latest build of Cisco Secure ACS 4.1 as the AAA reporting device for MARS. Cisco Secure ACS is a specialized piece of software that needs its own agent to report log data to MARS, so you will install and configure the PNLOGAGENT software on the ACS server. After this lab, you will no longer need to sift through CSV files on your ACS server to pull audit reports, since a simple query on the MARS gives you better reporting.
- Configure the ACS Server as a reporting device in MARS
- Log in to an IOS device and see the event in MARS
Exclusive - Lab 15: Maintaining the MARS Appliance
Learn to retrieve raw messages from the MARS database for a particular time range, download them to a server in the lab environment, and review their contents as an auditor would. Explore the Data Archiving feature, which is crucial in a production environment: you will install a Microsoft-provided utility that exports a standard Windows share as an NFS share that MARS can attach to and archive to. Explore newer commands, available only in newer versions of code, that let you manually back up your configuration and your raw message data separately. Configure a newer option, also available only in newer code, that lets your engineering team authenticate to the MARS appliance against a RADIUS server (Microsoft IAS or ACS), and walk through that configuration as well as the lockout feature for security.
- Extract raw messages from MARS
- Archive Data to a Windows NFS share
- Set up NFS on Windows using a Microsoft Utility
- Explore newer commands available only in newer versions of MARS code
- Configure your MARS to authenticate to a Cisco Secure ACS using RADIUS