Table Of Contents
Top Issues for the Cisco Security Monitoring, Analysis, and Response System
Hardware Installation Overview
Initial Hardware Configuration Checklist
Adding CheckPoint Devices as Reporting Devices
Getting Logs from Windows Hosts
ACS Configuration and Appliance Support
Deleting, Re-adding, Renaming a Device
Global Controller Configuration
Raw Message vs. Archive File Message Formats
Event Timestamps and Processing
Cisco Product Security Overview
Reporting Security Problems in Cisco Products
Obtaining Technical Assistance
Cisco Technical Support Website
Definitions of Service Request Severity
Obtaining Additional Publications and Information
Top Issues for the Cisco Security Monitoring, Analysis, and Response System
Last Updated: March 20, 2007
This document identifies common issues and customer questions about the Cisco Security Monitoring, Analysis, and Response System (MARS). It also provides pointers to newly documented topics as they become available, organized by topic rather than as a version-specific compendium. Although the content identified in this document targets the latest release, many configuration operations apply to earlier releases as well. For device support by release, refer to the Supported and Interoperable Devices and Software list:
http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html
Getting Started
This section identifies topics that assist in getting your MARS Appliance up and running.
Hardware Installation Overview
The following topic provides a quick overview of the tasks you must perform to install the appliance in a rack.
Initial Hardware Configuration Checklist
The following topic identifies the process required to deploy and initially configure the appliance, bringing it online within your network.
• Checklist for Initial Configuration
Client Configuration
The following topic identifies proper client configuration so that you can access the MARS HTML interface.
• Web Browser Client Requirements
Task Flow Overview
The following topic outlines the expected flow for configuring the appliance and the reporting and mitigation devices that it monitors. Review this document after the appliance is installed and running on the network.
Device Configuration
This section organizes topics that address configuration of the reporting devices.
Adding CheckPoint Devices as Reporting Devices
The following topic presents the task flow and procedures for configuring CheckPoint devices in MARS.
Getting Logs from Windows Hosts
The following topic includes detailed procedures for pulling events from Windows hosts, as well as updated information on configuring SNARE agents. It discusses advantages and disadvantages of these two methods.
Note
It is possible to represent a Windows XP-based host. To do so, select the Windows 2003 option when defining the host details in the MARS user interface. Also, if you intend to pull logs from a Windows XP Home Edition host, you must enable RPC on the host.
NetFlow Configuration Update
The following topic explains how to configure NetFlow for Cisco Routers and Switches and how MARS uses this information to detect anomalies in network traffic.
• Understanding NetFlow Anomaly Detection
ACS Configuration and Appliance Support
The following topics explain how to configure the Cisco ACS server, how to configure a relay host to support the Cisco ACS Solution Engine, how to download, install, and configure the pnLog agent, and how to configure MARS to receive the logs forwarded by the pnLog agent.
• Supporting Cisco Secure ACS Server
• Supporting Cisco Secure ACS Solution Engine
• Install and Configure the PN Log Agent
Deleting, Re-adding, Renaming a Device
The following topic explains how to delete a device so that you can add a new reporting device with the same IP address.
Global Controller Configuration
The following topic highlights the key tasks to perform to configure a Global Controller to communicate with one or more Local Controllers, and provides the expected order of those tasks.
• Configuring the Global Controller
Appliance Maintenance
These topics address the maintenance and recovery of the MARS Appliance.
NFS Server Configuration
Configuring NFS servers on Linux and Windows servers requires specific, detailed information. This section discusses the file format expected on the NFS server and new procedures for configuring Windows servers. It also includes some key syntax changes in the Linux configuration example and removes references to Solaris support. We are currently gathering the information required to configure NFS on Solaris and will release updated documentation with a configuration example when it is available.
• Configuring and Performing Appliance Data Backups
Backup and Restore
Archiving and restoring data is an important operation. While there isn't documentation specific to this operation, we can piece it together from the backup and recovery procedures.
Backup
• Configuring and Performing Appliance Data Backups
Restore CLI
Restore Overview
• Restoring Archived Data after Re-Imaging a MARS Appliance
Restore Guidelines
Upgrade vs. Re-image
Customers who are running versions that are two or more releases behind the current release are often puzzled by the incremental upgrade path. The question arises, "Why can't I just back up, re-image the appliance, and then restore the data on the newer image?" Several potential issues prevent this from being a valid solution. First, only the configuration data can be backed up completely. Event data is backed up only from the point at which you enable backup. In other words, if you have 8 days of data and you turned on archiving on day 6, the only data that is archived is the last two days. Second, the database table structures can change between releases, which means the restore operation might result in restoring an older database table into a newer table structure, which can cause database corruption and data loss. The database table migrations are addressed by the upgrade process, which is one reason why upgrades can take so long. The upgrade process converts all old data to the new structure.
So when does it make sense to re-image rather than upgrade? The answer is simple: when you do not want to preserve any configuration or event data. In this case, you start with a clean system, and re-imaging can be much faster than following a multi-step upgrade path.
Upgrade
• Checklist for Upgrading the Appliance Software
Re-image
View and Query Archived Data
When you archive data in MARS, you are really backing up that data. The data is backed up in a compressed format that can only be accessed manually, by uncompressing the file and analyzing the raw message logs. You can pull raw message logs from the archive without configuring a second appliance. This log format is detailed and ordered by message timestamp, but it cannot be queried using the sophisticated query features found in MARS. However, once uncompressed, the logs are in ASCII, which allows you to search them using grep or custom scripts developed on an administrative computer.
If you prefer the powerful query options found in MARS, you must configure a secondary appliance that is dedicated to reviewing archived logs. In other words, you can query across the archived data using scripts and string matching, but you cannot define a query as you would in MARS unless you restore that data to an appliance. If you need to manipulate data in this fashion, we recommend purchasing a model that is the same as or larger than the model that is archiving the data. You must restore the data range in which you are interested, and then perform the query as you normally would. Issues arise when you restore the configuration data, such as conflicting devices on the network. Therefore, we recommend that you restore this data on an isolated network that can access the NFS backup server.
Raw Message Logs
Restore an Archived Image
• Restoring Archived Data after Re-Imaging a MARS Appliance
Secondary Server Guidance
• Configuring a Standby or Secondary MARS Appliance
Restore Guidelines
Raw Message vs. Archive File Message Formats
The data returned by a raw message query is simply the audit message provided by the reporting device, such as a syslog message. The archive file includes the raw message plus the system data required to correlate that message with the session, device type, five-tuple (source IP, destination IP, protocol, source port, and destination port), and all other data points.
Password Recovery
Recovering a lost password does not come without costs. However, this issue is seen primarily for appliances that have changed hands or have been inactive for some time. The answer to this problem is to re-image the appliance, thereby restoring the original factory default password. This approach resets both the pnadmin password and the user-provided portion of the expert mode password to the factory installed defaults.
We recommend downloading the latest ISO image and re-imaging with that ISO image. For more information, see:
• Recovering a Lost Administrative Password
Issues and Discussion
The topics in this section are ones that frequent mailing lists and bulletin boards regarding MARS.
Standby Servers
The concept of high-availability is one that most enterprise-level customers consider important. While MARS does not support automatic failover to a second appliance, you can configure a standby or "hot swap" server that shares the configuration and event data of the primary appliance. We discuss the expected configuration in the following sections of the Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System:
• Configuring a Standby or Secondary MARS Appliance
License Keys
One of the most commonly asked questions is how to locate a lost license key. For MARS Appliance models sold running release 3.4.3 and later (post May 2005), the license key is printed on the chassis of the appliance itself. For more information on locating your license key on the chassis, see Locating the License Key.
Topology Discovery
In MARS, topology discovery has several responsibilities:
• Automatically discover reporting devices and mitigation devices.
• Discover and populate the network topology for use in the Layer 3 topology graphs on the Network Summary page.
• Pull event data periodically from specific types of reporting devices, including Qualys QualysGuard, eEye REM, FoundStone FoundScan, and Check Point log servers.
However, it is important to understand how the actual discovery process works. The following topics discuss each of the responsibilities and provide more detail on how the discovery process works:
• Adding Reporting and Mitigation Devices Using Automatic Topology Discovery
• Configuring Layer 3 Topology Discovery
Syslog Forwarding
The MARS Appliance does not support direct syslog forwarding; it cannot relay syslog events that it receives from reporting devices to other syslog servers for further processing. However, you can configure inspection rules so that when parsed events fire a rule, then a syslog notification is generated and sent to any syslog servers you have identified. For information on defining this type of notification method, see Setting Alerts and Sending Alerts and Notifications.
Event Timestamps and Processing
To understand event timestamps, let's clarify our terminology:
• MARS time is the time on the MARS Appliance.
• Device time is the time on the reporting device when an event was generated.
The MARS system processes events from multiple reporting devices. Various methods are used to obtain events from those devices, including syslog, SNMP traps, SDEE/RDEP, SNARE agent, pulling from Windows hosts, and pnLog agent. Broadly, we can separate these methods into two categories:
• Passively received events. The reporting device publishes events to the MARS Appliance, which simply listens on standard ports for any and all events. The methods used to passively receive events include syslog, SNMP traps, SNARE agent, and pnLog agent.
• Actively pulled events. The MARS Appliance actively contacts the reporting device, according to a predefined schedule, and pulls the event logs and data from the reporting device. The methods used to actively pull events include SDEE/RDEP, Windows pulling, and Oracle pulling.
How MARS processes the events and which timestamp is used varies based on the category:
• Processing passively received events. The MARS Appliance takes the MARS time at the instant it processes the event and timestamps the event with it. This is the only time MARS attaches to the event. Within a session, the event with the earliest time denotes the start of the session; there is no separate concept of a session time versus an incident time.
• Processing actively pulled events. MARS extracts the device time from the data in the logs and assigns that time to the events. This method has the following restriction: if the device time is more than 3,600 seconds older or newer than the MARS time, the MARS time is applied to the event instead. This occurs primarily when the pulling interval is too long or when the time on the devices is not synchronized with the MARS Appliance, and it is done to ensure that customers are able to see events in a timely manner.
As an example, consider the case where a customer has a MARS Appliance pulling events from an IPS device using SDEE. MARS uses the time on the IPS device, assuming it is within the 3,600-second window. However, if the time on the IPS device is not synchronized with the MARS Appliance and, for example, it is 5 minutes ahead of MARS, then when the customer queries for events occurring in the last 10 minutes, the most current events will not appear. The customer would need to query 10 minutes into the future to see the most current events.
In both cases, once a timestamp has been applied to an event, MARS uses that timestamp for all queries and reports. If MARS time is applied in either category and the original event included the device time, the device time for each event is embedded in the raw message. However, it is not used by MARS for queries and reports. You can determine the device time by delving into the details of the raw message via queries, reports, and raw message retrieval.
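The timestamp rules above, modelled as an added example (not Cisco's code): passively received events get MARS time, actively pulled events keep device time only inside the 3,600-second window, and a query over the last 10 minutes misses an event stamped with an IPS clock that runs 5 minutes ahead. The method labels, the epoch value used as the MARS clock and the three sample events are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Device time more than this many seconds away from MARS time is replaced
# by MARS time (the 3,600-second restriction described in the text).
DEVICE_TIME_WINDOW = 3600

# Collection methods grouped as the text groups them; labels are assumptions.
PASSIVE_METHODS = {"syslog", "snmp-trap", "snare", "pnlog"}
ACTIVE_METHODS = {"sdee", "rdep", "windows-pull", "oracle-pull"}


@dataclass
class Event:
    method: str                 # how MARS obtained the event
    device_time: Optional[int]  # epoch seconds parsed from the log, None if absent
    raw: str                    # raw message; keeps the device's own time text either way


def assign_timestamp(event: Event, mars_now: int) -> tuple[int, str]:
    """Return (timestamp, source), where source is 'mars' or 'device'."""
    if event.method in PASSIVE_METHODS:
        # Passively received: MARS time at processing is the only time attached.
        return mars_now, "mars"
    if event.method in ACTIVE_METHODS:
        if (event.device_time is not None
                and abs(event.device_time - mars_now) <= DEVICE_TIME_WINDOW):
            return event.device_time, "device"
        # Skew too large (long pull interval or unsynchronized clock): fall back.
        return mars_now, "mars"
    raise ValueError(f"unknown collection method: {event.method}")


def query_window(stamped, start: int, end: int) -> list:
    """Events whose assigned timestamp lies in [start, end], as MARS queries do."""
    return [ev for ev, ts in stamped if start <= ts <= end]


def session_start(stamped) -> int:
    """The earliest assigned timestamp marks the start of a session."""
    return min(ts for _, ts in stamped)


def demo() -> dict:
    mars_now = 1_174_400_000          # constructed MARS clock value (epoch seconds)
    ips_skew = 300                    # IPS clock runs 5 minutes ahead of MARS
    events = [                        # constructed sample events
        Event("syslog", mars_now - 7200, "firewall syslog carrying a stale device time"),
        Event("sdee", mars_now + ips_skew - 30, "IPS alert raised 30s ago by the IPS clock"),
        Event("windows-pull", mars_now - 5400, "Windows log pulled 90 minutes late"),
    ]
    stamped = [(ev, assign_timestamp(ev, mars_now)[0]) for ev in events]
    sources = [assign_timestamp(ev, mars_now)[1] for ev in events]
    last_10_min = query_window(stamped, mars_now - 600, mars_now)
    widened = query_window(stamped, mars_now - 600, mars_now + 600)
    return {
        "sources": sources,
        "last_10_min_methods": [ev.method for ev in last_10_min],   # sdee event missing
        "widened_methods": [ev.method for ev in widened],           # sdee event appears
        "session_start_offset": session_start(stamped) - mars_now,
    }


if __name__ == "__main__":
    print(demo())
```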
Product Documentation
Note
We sometimes update the printed and electronic documentation after original publication. Therefore, you should also review the documentation on Cisco.com for any updates.
Table 1 describes the product documentation that is available based on category.
Table 1 Product Documentation
Document Category / Available Formats
Documentation Road Maps
• On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/products_documentation_roadmaps_list.html
Quick Install and Release Notes
• On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/prod_release_notes_list.html
Install and Setup Guide
• On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/prod_installation_guides_list.html
User Guides
• On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/products_user_guide_list.html
Supported Devices and Software Versions Tables
• On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html
Regulatory, Compliance, and Safety Information
• On Cisco.com at this URL:
http://www.cisco.com/en/US/products/ps6241/prod_installation_guides_list.html
Context-sensitive online help
• Select an option from the navigation tree, then click Help.
• Click the Help button in the dialog box.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several ways to obtain technical assistance and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
You can access international Cisco websites at this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation DVD
Cisco documentation and additional literature are available in a Documentation DVD package, which may have shipped with your product. The Documentation DVD is updated regularly and may be more current than printed documentation. The Documentation DVD package is available as a single unit.
Registered Cisco.com users (Cisco direct customers) can order a Cisco Documentation DVD (product number DOC-DOCDVD=) from the Ordering tool or Cisco Marketplace.
Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
Cisco Marketplace:
http://www.cisco.com/go/marketplace/
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
• Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Ordering tool:
http://www.cisco.com/en/US/partner/ordering/
• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, USA) at 408 526-7208 or, elsewhere in North America, by calling 1 800 553-NETS (6387).
Documentation Feedback
You can send comments about technical documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Cisco Product Security Overview
Cisco provides a free online Security Vulnerability Policy portal at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
From this site, you can perform these tasks:
• Report security vulnerabilities in Cisco products.
• Obtain assistance with security incidents that involve Cisco products.
• Register to receive security information from Cisco.
A current list of security advisories and notices for Cisco products is available at this URL:
If you prefer to see advisories and notices as they are updated in real time, you can access a Product Security Incident Response Team Really Simple Syndication (PSIRT RSS) feed from this URL:
http://www.cisco.com/en/US/products/products_psirt_rss_feed.html
Reporting Security Problems in Cisco Products
Cisco is committed to delivering secure products. We test our products internally before we release them, and we strive to correct all vulnerabilities quickly. If you think that you might have identified a vulnerability in a Cisco product, contact PSIRT:
• Emergencies — security-alert@cisco.com
• Nonemergencies — psirt@cisco.com
Tip
We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive information that you send to Cisco. PSIRT can work from encrypted information that is compatible with PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence with PSIRT is the one that has the most recent creation date in this public key server list:
http://pgp.mit.edu:11371/pks/lookup?search=psirt%40cisco.com&op=index&exact=on
In an emergency, you can also reach PSIRT by telephone:
• 1 877 228-7302
• 1 408 525-6532
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, Cisco Technical Support provides 24-hour-a-day, award-winning technical assistance. The Cisco Technical Support Website on Cisco.com features extensive online support resources. In addition, Cisco Technical Assistance Center (TAC) engineers provide telephone support. If you do not hold a valid Cisco service contract, contact your reseller.
Cisco Technical Support Website
The Cisco Technical Support Website provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The website is available 24 hours a day, 365 days a year, at this URL:
http://www.cisco.com/techsupport
Access to all tools on the Cisco Technical Support Website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at this URL:
http://tools.cisco.com/RPF/register/register.do
Note
Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting a web or phone request for service. You can access the CPI tool from the Cisco Technical Support Website by clicking the Tools & Resources link under Documentation & Tools. Choose Cisco Product Identification Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree view; or for certain products, by copying and pasting show command output. Search results show an illustration of your product with the serial number label location highlighted. Locate the serial number label on your product and record the information before placing a service call.
Submitting a Service Request
Using the online TAC Service Request Tool is the fastest way to open S3 and S4 service requests. (S3 and S4 service requests are those in which your network is minimally impaired or for which you require product information.) After you describe your situation, the TAC Service Request Tool provides recommended solutions. If your issue is not resolved using the recommended resources, your service request is assigned to a Cisco TAC engineer. The TAC Service Request Tool is located at this URL:
http://www.cisco.com/techsupport/servicerequest
For S1 or S2 service requests or if you do not have Internet access, contact the Cisco TAC by telephone. (S1 or S2 service requests are those in which your production network is down or severely degraded.) Cisco TAC engineers are assigned immediately to S1 and S2 service requests to help keep your business operations running smoothly.
To open a service request by telephone, use one of the following numbers:
Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447
For a complete list of Cisco TAC contacts, go to this URL:
http://www.cisco.com/techsupport/contacts
Definitions of Service Request Severity
To ensure that all service requests are reported in a standard format, Cisco has established severity definitions.
Severity 1 (S1)—Your network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Severity 2 (S2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
Severity 3 (S3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.
Severity 4 (S4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
• Cisco Marketplace provides a variety of Cisco books, reference guides, and logo merchandise. Visit Cisco Marketplace, the company store, at this URL:
http://www.cisco.com/go/marketplace/
• Cisco Press publishes a wide range of general networking, training and certification titles. Both new and experienced users will benefit from these publications. For current Cisco Press titles and other information, go to Cisco Press at this URL:
• Packet magazine is the Cisco Systems technical user magazine for maximizing Internet and networking investments. Each quarter, Packet delivers coverage of the latest industry trends, technology breakthroughs, and Cisco products and solutions, as well as network deployment and troubleshooting tips, configuration examples, customer case studies, certification and training information, and links to scores of in-depth online resources. You can access Packet magazine at this URL:
• iQ Magazine is the quarterly publication from Cisco Systems designed to help growing companies learn how they can use technology to increase revenue, streamline their business, and expand services. The publication identifies the challenges facing these companies and the technologies to help solve them, using real-world case studies and business strategies to help readers make sound technology investment decisions. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
• World-class networking training is available from Cisco. You can view current offerings at this URL:
http://www.cisco.com/en/US/learning/index.html
This document is to be used in conjunction with the documents listed in the "Product Documentation" section.