Configuring the Security Appliance for Use with MARS
MARS centrally aggregates logs and events from various network devices, including security appliances, which you can analyze for use in threat mitigation. MARS supports the following PIX and ASA adaptive security appliance versions: 7.0(7), 7.2(2), 7.2(3), 8.0(2), and 8.1(1).
Note Version 8.1(1) applies to the ASA 5580 adaptive security appliance only. In addition, PIX is not supported in Version 8.1(1) or 8.1(2).
This appendix describes how to configure the security appliance and add it to MARS as a reporting device, and includes the following sections:
MARS can correctly parse syslog messages at customized logging severity levels. Therefore, you can set syslog messages to a lower logging severity level (for example, logging severity level 6). By changing the logging severity level for syslog messages, you can reduce the logging load on the security appliance by 5-15%. However, the primary consumers of resources are the session detail events.
MARS processes the following syslog messages, which are required for correct sessionization. If you change the logging severity level of the security appliance, make sure that these syslog messages are generated at the new logging severity level so that the MARS appliance can receive them.
Table F-1 lists the syslog message classes, their definitions, and the ranges of syslog message numbers that are processed by MARS.
Table F-1 Syslog Message Classes and Associated Message Numbers
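The check a MARS administrator wants after lowering the logging severity level is whether the connection build/teardown and ACL-deny messages MARS sessionizes would still reach it. The following Python is an added example, not code from the guide or from Cisco: it parses the severity and message number out of ASA/PIX syslog lines and models the effect of `logging trap <level>` together with per-message `logging message <id> level <n>` overrides. The sample syslog lines are constructed, and the five message IDs are a representative subset only; the complete list is the one Table F-1 gives.

```python
import re

# Constructed sample ASA syslog lines (not taken from the original document).
# 302013-302016 are the standard TCP/UDP connection build and teardown
# messages, 106023 is the ACL deny message; 111009 is a command-audit message
# that plays no part in sessionization.
SAMPLE_SYSLOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/41234 "
    "(203.0.113.5/41234) to inside:10.1.1.20/443 (192.0.2.20/443)",
    "%ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.5/41234 to "
    "inside:10.1.1.20/443 duration 0:00:02 bytes 1532 TCP FINs",
    "%ASA-6-302015: Built outbound UDP connection 1235 for outside:198.51.100.7/53 "
    "(198.51.100.7/53) to inside:10.1.1.30/50123 (192.0.2.30/50123)",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/55555 dst inside:10.1.1.20/22 "
    'by access-group "OUTSIDE_IN" [0x0, 0x0]',
    "%ASA-7-111009: User 'enable_15' executed cmd: show run",
]

# Default severity of each message MARS needs for sessionization.
# Assumption: a representative subset; the full set is listed in Table F-1.
REQUIRED_DEFAULT_LEVELS = {
    302013: 6,  # Built TCP connection
    302014: 6,  # Teardown TCP connection
    302015: 6,  # Built UDP connection
    302016: 6,  # Teardown UDP connection
    106023: 4,  # Deny by access-group
}

# "%ASA-6-302013:" -> severity 6, message number 302013
SYSLOG_RE = re.compile(r"%(?:ASA|PIX)-(?P<sev>[0-7])-(?P<id>\d{6}):")


def parse_syslog(line):
    """Return (severity, message_id) from an ASA/PIX syslog line, or None."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), int(m.group("id"))


def effective_level(message_id, overrides=None):
    """Severity a message is generated at after any 'logging message <id> level <n>'."""
    overrides = overrides or {}
    return overrides.get(message_id, REQUIRED_DEFAULT_LEVELS[message_id])


def suppressed_required_messages(trap_level, overrides=None):
    """Message IDs MARS needs that 'logging trap <trap_level>' would not forward.

    The ASA forwards a message when its severity number is <= the trap level
    (0 = emergencies ... 7 = debugging), so a level-6 message is dropped at trap 4.
    """
    return sorted(
        mid for mid in REQUIRED_DEFAULT_LEVELS
        if effective_level(mid, overrides) > trap_level
    )


def sessionization_messages(lines):
    """Return the message IDs of received lines that MARS uses for sessionization."""
    kept = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed and parsed[1] in REQUIRED_DEFAULT_LEVELS:
            kept.append(parsed[1])
    return kept


if __name__ == "__main__":
    # Lowering 'logging trap' from 6 to 4 silently drops the build/teardown messages ...
    print("trap 4, no overrides:", suppressed_required_messages(4))
    # ... unless each required message is moved to level 4 with
    # 'logging message <id> level 4' before the trap level is lowered.
    overrides = {mid: 4 for mid in (302013, 302014, 302015, 302016)}
    print("trap 4, with overrides:", suppressed_required_messages(4, overrides))
    print("usable sample lines:", sessionization_messages(SAMPLE_SYSLOGS))
```

Run it against the real required list from Table F-1 (replace `REQUIRED_DEFAULT_LEVELS` with the message numbers and their default levels) before committing a lower `logging trap` level; an empty result from `suppressed_required_messages` means the reduction in logging load does not cost MARS any sessionization input.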
You can configure security appliances to act as reporting devices and manual mitigation devices, because they perform multiple roles on your network. MARS can benefit from configuration of the following features:
• The built-in IDS and IPS signature matching features can be critical in detecting an attempted attack.
• The logging of accepted, as well as denied, sessions, which aids in false positive analysis.
• Administrative access ensures that MARS can obtain critical data, including the following:
– Route and ARP tables, which aid in network discovery and MAC address mapping.
– NAT and PAT translation tables, which aid in address resolution and attack path analysis, and expose the actual instigator of attacks.
– OS settings, from which MARS determines the correct ACLs to block detected attacks, which you can use in a management session with the security appliance.
• Implementing NSEL, in which the MARS Local Controller is configured as a NetFlow collector on the ASA 5580. When the ASA 5580 is configured in multi-mode, each context can report to its own MARS appliance if the contexts are on separate networks. The MARS Local Controller can use the NSEL information in the following ways:
– Create topology-aware sessionization of NetFlow events with non-NetFlow events.
– Perform rule correlation and incident firing from NetFlow events.
– Retrieve collected NetFlow data with queries and non-scheduled reports.
– View incoming NetFlow events with the Real-Time Event Viewer.
– Configure drop rules according to incoming NetFlow events.
– Use NetFlow-derived events in scheduled report results (for example, Top N reports).
Note Syslog-only anomaly detection is still supported for the ASA 5580.
hostname(config)# ntp server 220.127.116.11 key 1 source inside prefer
Configures an NTP server to ensure accurate time stamps. Entering this command enables better correlation between the ASA and MARS devices, because it ensures that the time on both is the same.
clear configure flow-export
hostname(config)# clear configure flow-export
Clears all flow-export configurations associated with NetFlow data.
hostname(config)# flow-export enable
For Version 8.1(1), when export of NetFlow data is enabled, the template records are sent to all configured NetFlow collectors. In addition, the device starts exporting NetFlow data events. When disabled, any pending cached NetFlow events will be removed, and the device stops exporting NetFlow events.
For Version 8.1(2), the flow-export enable command has been deprecated. When you enter this command, it is converted to flow-export actions under the Modular Policy Framework (MPF) and the following informational message appears:
INFO: 'flow-export enable' command is deprecated.
Converting to flow-export actions under MPF.
For Version 8.1(2), the no flow-export enable command is not supported. When you enter this command, the following error message appears:
ERROR: This command is no longer supported. Flow-export
actions under MPF need to be removed to stop exporting
Configures the ASA 5580 to export NetFlow events to a destination system (MARS).
The example configures the ASA 5580 interface on which the MARS appliance can be reached, the name associated with the IP address of the MARS appliance, and the UDP port on which MARS is listening for NetFlow traffic.
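As an added example that is not part of the guide, the following shows the flow-export configuration described above in both forms: the global flow-export enable of Version 8.1(1), and the equivalent MPF action that Version 8.1(2) converts it to. The interface name inside, the MARS address 192.0.2.10 and the UDP port 2055 are assumed values; substitute the interface on which your MARS appliance is reachable, its address, and the port on which it listens for NetFlow.

```text
! Version 8.1(1): destination plus global enable
hostname(config)# flow-export destination inside 192.0.2.10 2055
hostname(config)# flow-export enable

! Version 8.1(2): the same destination, with export attached as an MPF action
! on the default class of the global policy (assumed policy name: global_policy)
hostname(config)# flow-export destination inside 192.0.2.10 2055
hostname(config)# policy-map global_policy
hostname(config-pmap)# class class-default
hostname(config-pmap-c)# flow-export event-type all destination 192.0.2.10
```

On 8.1(2), stopping export means removing the flow-export action from the policy map (no flow-export event-type all destination 192.0.2.10 under the class), which is what the error message for no flow-export enable refers to. On a multi-mode ASA 5580, repeat the configuration in each context that should report to its own MARS appliance.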