Cisco Security Appliance Command Line Configuration Guide, Version 8.0
Configuring the Security Appliance for Use with MARS
Downloads: This chapterpdf (PDF - 143.0KB) The complete bookPDF (PDF - 17.35MB) | Feedback

Configuring the Security Appliance for Use with MARS

Table Of Contents

Configuring the Security Appliance for Use with MARS

Taskflow for Configuring MARS to Monitor Security Appliances

Enabling Administrative Access to MARS on the Security Appliance

Adding a Security Appliance to Monitor

Adding Security Contexts

Adding Discovered Contexts

Editing Discovered Contexts

Setting the Logging Severity Level for System Log Messages

System Log Messages That Are Processed by MARS

Configuring Specific Features


Configuring the Security Appliance for Use with MARS


MARS centrally aggregates logs and events from various network devices, including security appliances, which you can analyze for use in threat mitigation. MARS supports the following PIX and ASA adaptive security appliance versions: 7.0(7), 7.2(2), 7.2(3), and 8.0(2).

This appendix describes how to configure the security appliance and add it to MARS as a reporting device, and includes the following sections:

Taskflow for Configuring MARS to Monitor Security Appliances

Enabling Administrative Access to MARS on the Security Appliance

Adding a Security Appliance to Monitor

Setting the Logging Severity Level for System Log Messages

System Log Messages That Are Processed by MARS

Configuring Specific Features

For more information about configuring devices and software to work with MARS, see the Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller document and the User Guide for Cisco Security MARS Local Controller.

Taskflow for Configuring MARS to Monitor Security Appliances

The taskflow for configuring MARS to monitor the security appliance includes the following steps:

1. Configure the security appliance to accept administrative sessions from MARS to discover settings. Configure this setting in the admin context.

2. Configure the security appliance to publish its system log messages to MARS. Configure this setting for the admin context and for each security context defined.


Note Each context requires a unique, routable IP address for sending system log messages to MARS, and each context must have a unique name (usually in the hostname.domain name format).


3. To enable MARS to accept system log message event data and to collect configuration settings from the security appliance, perform the following tasks:

Enable logging for one or more interfaces.

Select the logging facility and queue size.

Specify the logging severity level as debugging (7) or indicate the desired severity level.

Identify the target MARS appliance, and the protocol and port pair on which it listens.

4. Within the MARS web interface, perform the following steps:

Define the security appliance by providing the administrative connection information.

Define security contexts. For more information, see Adding Security Contexts.

Add discovered contexts. For more information, see Adding Discovered Contexts.

Edit discovered contexts. For more information, see Editing Discovered Contexts.

Enabling Administrative Access to MARS on the Security Appliance

To enable administrative access to MARS on the security appliance, perform the following steps:


Step 1 To enable the MARS appliance to discover the security appliance settings through SSH access, enter the following commands:

hostname# crypto key generate rsa modulus modulus
 
   

where modulus is the RSA modulus size specified in bits

hostname# ssh mars_ip netmask of the mars_ip interface name
 
   

where mars_ip is the IP address of the MARS appliance, netmask of the mars_ip is the netmask of the MARS appliance, and interface name can be inside, outside, or DMZ.

Step 2 To enable the MARS appliance to discover the security appliance settings through Telnet access, enter the following command:

hostname# telnet mars_ip netmask of the mars_ip interface name
 
   

where mars_ip is the IP address of the MARS appliance, netmask of the mars_ip is the netmask of the MARS appliance, and interface name can be inside, outside, or DMZ.

Step 3 To enable the MARS appliance to discover the security appliance settings through FTP access, make sure that you have added the MARS appliance configuration file to an FTP server.


Note If you choose the FTP access type, the MARS appliance cannot discover the non-admin context settings. Therefore, we do not recommend this access type.


Step 4 To enable MARS to act as a target logging host, configure the security appliance to publish system log messages to MARS by entering the following commands:

hostname# logging host interface name mars_ip
 
   

where mars_ip is the IP address of the MARS appliance and interface name can be inside, outside, or DMZ.

hostname# logging trap 7
 
   
hostname# logging enable
 
   

Note Make sure that you set the logging severity level to 7 (debugging), or configure the security appliance to generate the desired set of system log messages. The logging severity level generates the system log message details that are required to track session-specific data.

Debugging messages are recommended for troubleshooting. The debugging logging severity level includes all emergency, alert, critical, error, warning, notification, and informational messages. This logging severity level also generates logs that identify the commands that are issued during FTP sessions and the URLs that are requested during HTTP sessions. If the security appliance cannot sustain debugging-level messages because of performance considerations, use the informational logging severity level (6). For more information, see Setting the Logging Severity Level for System Log Messages.

In addition, do not use the EMBLEM format for system log messages.


Step 5 To allow MARS to discover CPU usage and related information, enable the SNMP RO community string for the security appliance by entering the following command:

hostname# snmp-server host interface mars_ip poll community community
 
   

where interface can be inside, outside, or DMZ, mars_ip is the IP address of the MARS appliance, and community is the SNMP RO community string.

Step 6 Repeat Step 4 for each admin context and security context defined.


Adding a Security Appliance to Monitor

Events that are published by a reporting device (the security appliance) to MARS are not inspected until the reporting IP address of the security appliance is defined in the MARS web interface.

To add a PIX or ASA adaptive security appliance to monitor, perform the following steps:


Step 1 In the MARS web interface, click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 Choose the correct version of the ASA adaptive security appliance from the Device Type drop-down list. The basic device type represents the admin context.

Step 3 Specify values for the following Device Access fields:


Tip To enable SSH discovery, the MARS appliance must authenticate to the security appliance. The default username is "pix" and the password is the one that you specified for the password command (unless you use AAA).


Device Name, which MARS maps to the reporting IP address

Access IP, which is usually the same as the reporting IP address

Reporting IP, which is the interface that publishes system log messages or SNMP notifications, or both

Access Type

Login

Password

Enable Password

(Optional) SNMP RO, which allows MARS to retrieve MIBs that are related to CPU usage and network usage

(Optional) Monitor Resource Usage (requires the SNMP RO setting), which allows MARS to monitor for anomalous consumption of resources, such as memory and CPU

Step 4 Click Discover to determine the security appliance settings, including any security contexts and their settings.

Step 5 Click Submit to save these settings in the MARS database.

Step 6 Click Activate to load these settings into the MARS appliance working memory.

Step 7 Click Summary > Dashboard.

Step 8 Under the Hotspot Graph, click Full Topology Graph, and verify that the selected security appliance appears.


Adding Security Contexts

To add security contexts, perform the following steps:


Step 1 In the MARS web interface, click Add Module.

Step 2 Choose the correct version of the security appliance from the Device Type drop-down list.

Step 3 Enter the name of the security appliance in the Device Name field.

Step 4 Enter the name of the security context in the Context Name field. This name must match the context name defined on the security appliance.

Step 5 Enter the IP address of the security context from which system log messages or SNMP notifications, or both are published in the Reporting IP field.

Step 6 (Optional) Enter the security appliance read-only community string in the SNMP RO Community field.

Step 7 Click Discover to discover the settings of the defined security context. MARS collects all route, NAT, and ACL-related information.

Step 8 Click Submit to save these settings in the MARS database.


Adding Discovered Contexts

To add discovered contexts, perform the following steps:


Step 1 In the MARS web interface, click Add Available Module.

Step 2 Choose the security context from the Select drop-down list, and click Add.

Step 3 Click Submit to save these settings in the MARS database.

Step 4 Repeat these steps for each discovered context.


Editing Discovered Contexts

To edit discovered contexts, perform the following steps:


Step 1 In the MARS web interface, choose the discovered context that you want to edit according to the selected device type.

Step 2 Click Edit Module.

Step 3 Enter the IP address from which the system log messages of the security context are sent in the Reporting IP field.

Step 4 (Optional) Enter the security appliance read-only community string in the SNMP RO Community field.

Step 5 (Optional) To enable MARS to monitor this context for anomalous resource usage, click Yes from the Monitor Resource Usage list.

Step 6 Click Submit to save these settings in the MARS database.

Step 7 Repeat these steps for each discovered context.


Setting the Logging Severity Level for System Log Messages

You can change the logging severity level of the required system log messages or turn off specific system log messages using the logging message command. For more information, see Chapter 44 "Monitoring the Security Appliance."

System Log Messages That Are Processed by MARS

MARS can correctly parse system log messages at customized logging severity levels. Therefore, you can set system log messages to a lower logging severity level (for example, logging severity level 6). By changing the logging severity level for system log messages, you can reduce the logging load on the security appliance by 5-15%. However, the primary consumer of resources are the session detail events.

MARS processes the following system log messages, which are required for correct sessionization. If you change the logging severity level of the security appliance, make sure that these system log messages are generated at the new logging severity level so that the MARS appliance can receive them.

Table E-1 lists the system log message classes, their definitions, and the ranges of system log message numbers that are processed by MARS.

Table E-1 System Log Message Classes and Associated Message Numbers 

Class 
Definition
System Log Message Numbers

auth

User Authentication

109001-109003, 109005-109008, 109010-109014, 109016-109034, 113001, 113003-113020, 114001-114020, 611101-611104, 611301-611323

bridge

Transparent Firewall

110001

ca

PKI Certification Authority

717001-717019, 717021-717038

config

Command Interface

111001, 111003-111005, 111007-111009, 111111, 112001, 208005, 308001-308002, 504001-504002, 505001-505013, 506001

e-mail

E-mail Proxy

719001-719026

ha

High Availability (Failover)

101001-101005, 102001, 103001-103005, 104001-104004, 105001-105011, 105020-105021, 105031-105032, 105034-105040, 105042-105048, 210001-210003, 210005-210008, 210010, 210020-210022, 311001-311004, 709001-709007

ip

IP Stack

209003-209005, 215001, 313001, 313003-313005, 313008, 317001-317005, 322001-322004, 323001-323006, 324000-324007, 324300-324301, 325001-325003, 326001-326002, 326004-326017, 326019-326028, 327001-327003, 328001, 329001, 331001-331002, 332003-332004, 333001-333010, 334001-334008, 335001-335014, 408001-408003, 410001-410004, 411001-411004, 412001-412002, 413001-413004, 416001, 417001, 417004, 417006, 417008-417009, 418001, 419001-419002, 421001-421007, 422004-422006, 423001-423005, 424001-424002, 431001-431002, 450001, 507001-507002, 508001-508002, 509001

ips

Intrusion Protection Service

400000-400050, 401001-401005, 415001-415020, 420001-420003

np

Network Processor

319001-319004

npssl

NP SSL

725001-725014

ospf

OSPF Routing

318001-318009, 409001-409013, 409023, 503001, 613001-613003

rip

RIP Routing

107001-107003, 312001

rm

Resource Manager

321001-321004

session

User Session

106001-106002, 106006-106007, 106010-106027, 106100-106101, 108002-108003, 108005, 201002-201006, 201008-201013, 202001, 201005, 202011, 204001, 302001, 302003-302004, 302007-302010, 302012-302023, 302302, 303002-303005, 304001-304009, 305005-305012, 314001, 405001-405002, 405101-405107, 405201, 405300-405301, 406001-406002, 407001-407003, 500001-500004, 502101-502103, 502111-502112, 607001-607002, 608001-608005, 609001-609002, 616001, 617001-617004, 620001-620002, 621001-621003, 621006-621010, 622001, 622101-622102, 703001-703002, 710001-710006, 726001

snmp

SNMP

212001-212006

sys

System

199001-199003, 199005-199009, 211001, 211003, 216003, 217001, 218001-218004, 219002, 315004, 315011, 414001-414002, 604101-604104, 605004-605005, 606001-606004, 610001-610002, 610101, 612001-612003, 614001-614002, 615001-615002, 701001-701002, 711001-711002

vpdn

PPTP and L2TP Sessions

213001-213004, 403101-403104, 403106-403110, 403500-403507, 603101-603109

vpn

IKE and IPSec

316001, 320001, 402101-402103, 402106, 402114-402120, 402123, 404101-404102, 501101, 602101-602104, 602201-602203, 602301-602304, 702201-702212, 702301-702303, 702305, 702307, 713004, 713006, 713008-713010, 713012, 713014, 713016-713018, 713020, 713022, 713024-713037, 713039-713043, 713047-713052, 713056, 713059-713063, 713065-713066, 713068, 713072-713076, 713078, 713081-713086, 713088, 713092, 713094, 713098-713099, 713102-713105, 713107, 713109, 713112-713124, 713127-713149, 713152, 713154-713172, 713174, 713176-713179, 713182, 713184-713187, 713189-713190, 713193-713199, 713203-713206, 713208-713226, 713228-713251, 713900-713906, 714001-714007, 714011, 715001, 715004-715009, 715013, 715019-715022, 715027-715028, 715033-715042, 715044-715072, 715074-715079

vpnc

VPN Client

611101-611104, 611301-611323, 722001-722038

vpnfo

VPN Failover

720001-720073

vpnlb

VPN Load Balancing

718001-718081, 718084-718088

webvpn

Web-based VPN

716001-716056, 723001-723014, 724001-724002


Configuring Specific Features

You can configure security appliances to act as reporting devices and manual mitigation devices, because they perform multiple roles on your network. MARS can benefit from configuration of the following features:

The built-in IDS and IPS signature matching features can be critical in detecting an attempted attack.

The logging of accepted, as well as denied sessions, aids in false positive analysis.

Administrative access ensures that MARS can obtain critical data, including the following:

Route and ARP tables, which aid in network discovery and MAC address mapping.

NAT and PAT translation tables, which aid in address resolution and attack path analysis, and expose the actual instigator of attacks.

OS settings, from which MARS determines the correct ACLs to block detected attacks, which you can use in a management session with the security appliance.