Cisco MARS (Part I) Formerly Known as Protego Networks MARS - Edgar Reinke Netfarmers GmbH
Edgar Reinke, Netfarmers GmbH (edgar.reinke@netfarmers.net)
The Idea
Have a central device for logging security-related events:
• Events from different devices and different vendors
• Different protocols (SDEE, Syslog, HTTPS, SNMP …)
• Normalize events
• Sessionize events
• Match sessions against rules to trigger incidents
• Automated false positive tuning
• Match real incidents to the network topology
• Offer queries / reports for doing the forensic analysis
Of course this should be done in nearly real-time.
Why? To have a top-down approach for the security investigation: do not start e.g. with a single syslog message, which you might find somewhere in a 30 MB logfile. To get the visualization of an attack. Not to be bothered by thousands of messages provided by different devices, often using different textual flavours to talk about the same things (… the same sessions). To be compliant (e.g. SOX, Euro-SOX …). But please do not use the following slides to demonstrate to your CEO how to become compliant. MARS is a technical answer; we are not talking about processes and overall policies.
Cisco's Security Information Management (SIM) Solution
MARS: Monitoring, Analysis and Response System
Cisco Security Manager: the security provisioning solution.
The MARS Models (Q4 2006)
Models: 20, 50, 100, 200
• RAID 0: no redundancy, but higher transfer rate (writing on 2 disks in parallel, which is called striping); SMB devices (because there is no redundancy)
• RAID 10: redundancy and higher transfer rate (RAID 0 over multiple RAID 1)
Back Panel (Example MARS 20 / MARS 20R)
• One interface is used to face the reporting devices, the other one is used for management access (that is only a proposal …)
• CLI access only with the corresponding job role; Cisco does not provide customers root access to the Linux operating system …
Supplementary Files
MARS is an agentless solution. Nevertheless, sometimes agents are required, e.g. if a Cisco ACS should become a reporting device.
Recovery Images
With a recovery image you can set up the box from scratch with the latest release.
Multi-Vendor Support (1)
The good news: we are not talking only about Cisco devices … and we are also talking about applications and operating systems.
Multi-Vendor Support (2)
The syslog and SNMP trap messages of currently unsupported vendors can be integrated with the Event Parser tool (ADMIN Custom Setup).
Flowchart (1)
• Raw events from the reporting devices go to the Event Parser. Events from an unsupported vendor are dropped (MARS will not process these events for triggering incidents); events from a supported vendor are normalized. Event Parser rules are also one of the false positive tuning options (see Flowchart (2)).
• Result of normalization: a normalized event (example: I:1901103) carrying Event ID, CVE name, severity, device event ID, device type, device event type and event type group (R4.2: 16533 events).
• The normalized events are stored in the internal database (ORACLE 9.2i Enterprise), which is used for queries and reports (forensic analysis tools).
• The good news: MARS is not inline.
• A forensic analysis is only possible if the data are stored in the box … and not outside in the NFS/NAS store.
Flowchart (2)
• Sessionization: normalized events are combined into sessions (example: S:42073911) based on source address, source port, destination address, destination port and protocol ID; the mapping is NAT aware.
• Every sessionized event is checked against every (!) rule (R4.2: 126 system rules). If a rule fires, an incident is created (example: I:298958954).
• False positive tuning options: VA analysis (Did the attack reach the target? Is the target vulnerable? Static VA information; dynamic VA information, e.g. from the built-in Nessus), network topology and attack path.
• The incidents are classified as real positives or false positives: unconfirmed false positives, user-confirmed false positives, user-confirmed positives and system-determined false positives.
What does Normalization mean?
Raw events (sometimes linked to vendor pages). E.g.: MARS knows a certain event (see the example on the next slide). This event is known by other vendors (e.g. ISS RealSecure, Snort) as well (see Device Event Type) … but of course they use different textual messages. Those different messages (raw events) are mapped by the Event Parser into the MARS event. This is called normalization. MARS knows 16533 normalized events (R4.2).
Why? Because MARS matches events against rules to trigger incidents. Using normalized events, there is no need for different rules because of different textual flavours for the same thing.
What does Normalization mean? (Example)
PIX | ASA information:
• Device type: PIX 6.3 | ASA 7.0
• Raw event: %PIX | ASA-4-400009: IDS:1103 IP Fragments Overlap from 1.2.3.4 to 172.16.1.1 on interface DMZ-3
• Device event type: PIX|ASA-4-400009
• Remark: syslog messages from 400000 to 400051 are IDS signature messages
ISS RealSecure 7.0 information:
• Device type: ISS RealSecure 7.0
• Device event type: TearDrop
Normalized MARS event:
• Event type group: DoS/All DoS/Host
• Event ID: 901103
• CVE name: CVE-2000-0305, CAN-1999-0015
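To make the normalization step concrete, here is an added example (not code from the slides or from Cisco MARS) that mimics what the Event Parser does for the two raw events above: it recognizes the PIX/ASA IDS syslog range 400000 to 400051, maps the vendor-specific device event type to the normalized Event ID 901103 with its event type group and CVE names, drops anything it cannot map, and pulls out the source/destination addresses that the later sessionization step needs. The device type names, the two-entry catalogue and the assumption that ISS RealSecure already delivers its device event type as the raw string are constructed for this example.

```python
import re

# Constructed excerpt of the normalized-event catalogue (R4.2 has 16533 entries);
# the values come from the PIX/ASA and ISS RealSecure example on the slide.
MARS_EVENTS = {
    901103: {"group": "DoS/All DoS/Host", "cve": ["CVE-2000-0305", "CAN-1999-0015"]},
}

# (device type, device event type) -> MARS Event ID: the Event Parser's mapping step.
# Device type labels are constructed for this example.
DEVICE_EVENT_MAP = {
    ("PIX/ASA", "PIX|ASA-4-400009"): 901103,
    ("ISS RealSecure 7.0", "TearDrop"): 901103,
}

PIX_RE = re.compile(r"^%(?:PIX|ASA)-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
ADDR_RE = re.compile(r"from (?P<src>\d+\.\d+\.\d+\.\d+) to (?P<dst>\d+\.\d+\.\d+\.\d+)")


def pix_device_event_type(raw):
    """Return the device event type (e.g. 'PIX|ASA-4-400009') for an IDS syslog line, else None."""
    m = PIX_RE.match(raw)
    # Per the slide, only message IDs 400000..400051 are IDS signature messages.
    if not m or not 400000 <= int(m.group("msgid")) <= 400051:
        return None
    return "PIX|ASA-%s-%s" % (m.group("sev"), m.group("msgid"))


def normalize(device_type, raw):
    """Map a raw event to a MARS-style normalized event, or None if the parser drops it."""
    if device_type == "PIX/ASA":
        det = pix_device_event_type(raw)
    else:
        det = raw  # assumption: other reporting devices deliver their device event type directly
    event_id = DEVICE_EVENT_MAP.get((device_type, det))
    if event_id is None:
        return None  # unsupported device or event: not used for triggering incidents
    addrs = ADDR_RE.search(raw)
    return {
        "event_id": event_id,
        "device_type": device_type,
        "device_event_type": det,
        "event_type_group": MARS_EVENTS[event_id]["group"],
        "cve": MARS_EVENTS[event_id]["cve"],
        "src": addrs.group("src") if addrs else None,  # feeds the sessionization key
        "dst": addrs.group("dst") if addrs else None,
    }


if __name__ == "__main__":
    pix_raw = "%PIX-4-400009: IDS:1103 IP Fragments Overlap from 1.2.3.4 to 172.16.1.1 on interface DMZ-3"
    print(normalize("PIX/ASA", pix_raw))
    print(normalize("ISS RealSecure 7.0", "TearDrop"))
    print(normalize("PIX/ASA", "%PIX-6-302013: Built inbound TCP connection"))  # dropped: not an IDS message
```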
Every Session is checked against every Rule
Clarification: the same event types have triggered the same rule twice, the original one and a copy of it. Therefore we got 2 incidents.
The Incident is not enough … We need …
… a topology map which provides the configuration, security policies and dynamic data (e.g. CAM table, ARP cache) of the devices. This allows MARS to map the traffic flow (an attack) to the topology of the network. The topology information must be stored with timestamps (like incidents) in the database: during forensic analysis MARS has to map an old incident to the topology which was valid when the incident was triggered.
What is the Value of knowing the Path?
MARS knows all the devices and networks between the attacker and the attacked host. Therefore it can suggest the enforcement device and alternates.
What is the Value of knowing the Device Configuration?
MARS can recommend mitigation actions (PIX / ASA specific feature) … There is no automatic mitigation! We only get a recommendation, which might be pushed to a Layer 2 device (but not to a Layer 3 device).
What is the Value of knowing the Device Configuration?
In this example the enforcement device is a Layer 2 device. Only for those devices do you get the option to push commands to the (Cisco) device. If you would like to get this option, please be aware of the fact that your Layer 2 devices must be reporting devices (… and you might have many of them).
Internal Storage
Local storage capacity in days depends on the number of EPS and (optional) FPS (EPS: events per second / FPS: (net)flows per second).
Internal database: ORACLE 9.2i Enterprise. There are 10 partitions used for internal data storage. If the last partition is full, MARS starts to overwrite the first one. There is a special incident which signals this jump.
If e.g. SOX is on your mind, the idea of losing events by overwriting old ones sounds bad. Therefore you will use external storage as well. Estimation …
External NAS Storage
No time values configurable:
• Configuration file: every day at 3 a.m.
• Raw event data (Ziv-Lempel compressed; ratio 12:1 … 38:1): every 1 hour
Example: 3 days of external storage capacity (1st day 30 GB, 2nd day 20 GB, 3rd day 45 GB, 4th day 35 GB, 5th day 60 GB; the oldest day is deleted as the window moves on).
If e.g. SOX is on your mind, the idea of losing events by overwriting old ones sounds bad. Therefore you have to think about backup as well.
Yes, there are other solutions
• Interactive dashboard
• Forensic investigation
• Powerful filter engine
Only two examples. Nice coloured reports, compatible with the expectations of managers! But the information is not mapped to the topology. Therefore MARS offers more value … but a request to Cisco: MARS offers nice reports as well, but please offer those reports as PDF, or provide an interface to Crystal Reports.
Access via HTTPS
Default login: user pnadmin, password pnadmin.
Remarks: 192.168.0.100 is the default IP address of ETH0; 192.168.1.100 is the default IP address of ETH1. The SVG plugin is not provided by the box: MARS only provides the link to the Adobe download page …
MARS provides a Self-signed Certificate
Establishing the connection
A new plug-in …
(Default) Configuration
Logout
The License is tied to Ethernet 0
This is how a freshly installed MARS (after pnrestore or re-imaging) presents itself.
You have to accept …
Bootstrap MARS Box via GUI
All information is required …
Yes, there is a CLI
Only if the Administrator role is assigned to a user account is this user able to access the CLI. This account does not have root privileges for the Linux OS. Root privileges are provided with the Expert account.
When to use the CLI
• Doing a reboot
• Start / stop the PN daemons (pnstatus / pnstart / pnstop)
• Doing a reset (pnreset … you will lose the database and need the license key)
• Doing a restore (pnrestore)
• Doing a re-imaging using the DVD
• Configuring NTP (… unfortunately this is not possible via the GUI)
• Configuring static routes …
pndbusage / diskusage
The actual usage of the disks … There are 10 partitions used for internal data storage. If the last partition is full, MARS starts to overwrite the first one. There is a special incident which signals this jump.
Yes, there are problems as well …
In this case it is a problem with the TNS listener, which handles the connections to the Oracle database (ORA-12541). Therefore it is not a MARS specific problem (see Cisco FN-62505). As you can see, MARS does not accept any CLI command. A pnreset seems to work, but after the reboot MARS still has the old information (see the screen on the right-hand side). You are not able to use the GUI, because you get a strange looking login screen and authentication fails.
Digging into the Past
Productive MARS: the database (configuration; events / devices etc. (compressed); part of the Linux OS) is restored onto a spare MARS.
Doing a restore means losing the recent data in the box. A forensic analysis is only possible with the data stored in the internal database. This might become a conflict … Therefore you need a spare device. Losing data is a topic your CEO should be interested in … this is not a technical issue; it is the point where e.g. SOX might be a good argument to get the money for a spare MARS.