Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2
Configuring the Security Appliance for Use with MARS
Configuring the Adaptive Security Appliance for Use with MARS


Cisco Security Monitoring, Analysis, and Response System (MARS) centrally aggregates logs and events from network devices, including ASAs, and correlates them so that you can analyze them for threat mitigation. MARS supports the following ASA versions: 7.0(7), 7.2(2), 7.2(3), 8.0(2), and 8.2(1).

This appendix describes how to configure the ASA and add it to MARS as a reporting device, and includes the following sections:

Taskflow for Configuring MARS to Monitor Adaptive Security Appliances

Enabling Administrative Access to MARS on the Adaptive Security Appliance

Adding an Adaptive Security Appliance to Monitor

Setting the Logging Severity Level for Syslog Messages

Syslog Messages That Are Processed by MARS

Configuring Specific Features

For more information about configuring devices and software to work with MARS, see the Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller document and the User Guide for Cisco Security MARS Local Controller.

Taskflow for Configuring MARS to Monitor Adaptive Security Appliances

The taskflow for configuring MARS to monitor the ASA includes the following steps:

1. Configure the ASA to accept administrative sessions from MARS to discover settings. Configure this setting in the admin context.

2. Configure the ASA to publish its syslog messages to MARS. Configure this setting for the admin context and for each security context defined.


Note Each context requires a unique, routable IP address for sending syslog messages to MARS, and each context must have a unique name (usually in the hostname.domain name format).


3. To enable MARS to accept syslog message event data and to collect configuration settings from the ASA, perform the following tasks:

Enable logging for one or more interfaces.

Select the logging facility and queue size.

Specify the logging severity level as debugging (7) or indicate the desired severity level.

Identify the target MARS appliance, and the protocol and port pair on which it listens.

4. Within the MARS web interface, perform the following steps:

Define the ASA by providing the administrative connection information.

Define security contexts. For more information, see the "Adding Security Contexts" section.

Add discovered contexts. For more information, see the "Adding Discovered Contexts" section.

Edit discovered contexts. For more information, see the "Editing Discovered Contexts" section.

Enabling Administrative Access to MARS on the Adaptive Security Appliance

To enable administrative access to MARS on the ASA, perform the following steps:


Step 1 To enable the MARS appliance to discover the ASA settings through SSH access, enter the following commands in the admin context:

hostname(config)# crypto key generate rsa modulus modulus

where modulus is the RSA modulus size in bits (for example, 2048). The ASA does not accept SSH sessions until an RSA key pair exists, and the key pair is saved only when you write the configuration.

hostname(config)# ssh mars_ip mask interface_name

where mars_ip is the IP address of the MARS appliance, mask is the subnet mask applied to mars_ip to define the source addresses that are permitted to open SSH sessions (use 255.255.255.255 to permit only the MARS appliance), and interface_name is the interface on which the MARS appliance reaches the ASA (for example, inside, outside, or DMZ).

Step 2 To enable the MARS appliance to discover the ASA settings through Telnet access instead of SSH, enter the following command:

hostname(config)# telnet mars_ip mask interface_name

where mars_ip is the IP address of the MARS appliance, mask is the subnet mask applied to mars_ip to define the permitted source addresses (use 255.255.255.255 to permit only the MARS appliance), and interface_name is the interface on which the MARS appliance reaches the ASA (for example, inside, outside, or DMZ). Telnet sends the login and enable passwords in cleartext, and the ASA does not accept Telnet sessions on its lowest-security interface, so use SSH (Step 1) whenever possible.

Step 3 To enable the MARS appliance to discover the ASA settings through FTP access, make sure that you have added the MARS appliance configuration file to an FTP server.


Note If you choose the FTP access type, the MARS appliance cannot discover the non-admin context settings. Therefore, we do not recommend using this access type.


Step 4 To enable MARS to act as a target logging host, configure the ASA to publish syslog messages to MARS by entering the following commands:

hostname(config)# logging host interface_name mars_ip [tcp/port | udp/port]

where mars_ip is the IP address of the MARS appliance and interface_name is the interface through which the MARS appliance is reached (for example, inside, outside, or DMZ). If you omit the protocol and port, the ASA sends syslog messages over UDP to port 514; otherwise, specify the protocol and port pair on which the MARS appliance listens. If you choose TCP, be aware that by default the ASA stops allowing new connections when the TCP syslog server becomes unreachable (see the logging permit-hostdown command).

hostname(config)# logging trap 7

hostname(config)# logging enable

Note Make sure that you set the logging severity level to 7 (debugging), or configure the ASA to generate the desired set of syslog messages at the level you choose. The messages generated at this severity level carry the details that MARS requires to track session-specific data.

Debugging messages are recommended for troubleshooting. The debugging logging severity level includes all alert, critical, error, warning, notification, and informational messages. This logging severity level also generates logs that identify the commands that are issued during FTP sessions and the URLs that are requested during HTTP sessions. If the ASA cannot sustain debugging-level messages because of performance considerations, use the informational logging severity level (6). For more information, see the "Setting the Logging Severity Level for Syslog Messages" section.

In addition, do not use the EMBLEM format (the format emblem keyword of the logging host command) for syslog messages sent to MARS, because MARS does not parse it.


Step 5 To allow MARS to discover CPU usage and related information, configure the MARS appliance as an SNMP polling host with a read-only (RO) community string by entering the following command:

hostname(config)# snmp-server host interface_name mars_ip poll community community_string

where interface_name is the interface through which the MARS appliance is reached (for example, inside, outside, or DMZ), mars_ip is the IP address of the MARS appliance, and community_string is the SNMP RO community string. The poll keyword permits only polling from this host; no traps are sent to it. Because SNMP versions 1 and 2c carry the community string in cleartext, choose a string that is not easily guessed and permit polling only from the MARS address, as shown.

Step 6 Repeat Step 4 (and Step 5, if MARS should monitor resource usage per context) in the admin context and in each security context that is defined, so that every context publishes syslog messages to MARS from its own routable IP address.
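The following is an added example, not configuration from the original guide, that puts Steps 1 through 6 together for an ASA in multiple-context mode. The MARS address 10.1.1.5, the interface name inside, the SNMP community string mars-ro, the domain name example.com, and the user context name ctx-dmz are assumed values chosen for illustration; replace them with your own.

```text
! Added example (not from the original guide). Assumed values: MARS at 10.1.1.5,
! reached through the interface named "inside" in every context; SNMP read-only
! community "mars-ro"; a user context named "ctx-dmz". Replace with your own.

! --- Admin context: administrative access so MARS can discover settings (Steps 1-2)
hostname/admin(config)# crypto key generate rsa modulus 2048
hostname/admin(config)# ssh version 2
hostname/admin(config)# ssh 10.1.1.5 255.255.255.255 inside
! Telnet sends credentials in cleartext; prefer SSH and leave this out unless required
! hostname/admin(config)# telnet 10.1.1.5 255.255.255.255 inside

! --- Syslog to MARS, admin context (Step 4)
hostname/admin(config)# logging enable
hostname/admin(config)# logging timestamp
hostname/admin(config)# logging host inside 10.1.1.5
!   equivalent to:  logging host inside 10.1.1.5 udp/514
!   avoid:          logging host inside 10.1.1.5 format emblem   (MARS does not parse EMBLEM)
hostname/admin(config)# logging trap debugging
!   if debugging is too costly for the platform: logging trap informational

! --- SNMP read-only polling from the MARS appliance (Step 5)
hostname/admin(config)# snmp-server host inside 10.1.1.5 poll community mars-ro

! --- Repeat the syslog and SNMP settings in each security context (Step 6);
!     each context needs its own unique name and its own routable source address
hostname/admin(config)# changeto context ctx-dmz
hostname/ctx-dmz(config)# hostname ctx-dmz
hostname/ctx-dmz(config)# domain-name example.com
hostname/ctx-dmz(config)# logging enable
hostname/ctx-dmz(config)# logging timestamp
hostname/ctx-dmz(config)# logging host inside 10.1.1.5
hostname/ctx-dmz(config)# logging trap debugging
hostname/ctx-dmz(config)# snmp-server host inside 10.1.1.5 poll community mars-ro

! --- Verify inside the context, then save every context from the system space
hostname/ctx-dmz(config)# show running-config logging
hostname/ctx-dmz(config)# show running-config snmp-server
hostname/ctx-dmz(config)# changeto system
hostname(config)# write memory all
```

After saving, confirm from the MARS side that events arrive from each context's reporting IP address; the ASA must be added in the MARS web interface with the same addresses before MARS inspects the events, as described in the next section.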


Adding an Adaptive Security Appliance to Monitor

Events that are published by a reporting device (the ASA) to MARS are not inspected until the reporting IP address of the ASA is defined in the MARS web interface.

To add an ASA to monitor, perform the following steps:


Step 1 In the MARS web interface, click Admin > System Setup > Security and Monitor Devices > Add.

Step 2 Choose the correct version of the ASA from the Device Type drop-down list. The basic device type represents the admin context.

Step 3 Specify values for the following Device Access fields:


Tip To enable SSH discovery, the MARS appliance must authenticate to the ASA. The default username is "pix" and the password is the one that you specified for the password command (unless you use AAA).


Device Name, which MARS maps to the reporting IP address

Access IP, which is usually the same as the reporting IP address

Reporting IP, which is the interface that publishes syslog messages or SNMP notifications, or both

Access Type

Login

Password

Enable Password

(Optional) SNMP RO, which allows MARS to retrieve MIBs that are related to CPU usage and network usage

(Optional) Monitor Resource Usage (requires the SNMP RO setting), which allows MARS to monitor for anomalous consumption of resources, such as memory and CPU

Step 4 Click Discover to determine the ASA settings, including any security contexts and their settings.

Step 5 Click Submit to save these settings in the MARS database.

Step 6 Click Activate to load these settings into the MARS appliance working memory.

Step 7 Choose Summary > Dashboard.

Step 8 Under the Hotspot Graph, click Full Topology Graph, and verify that the selected ASA appears.


Adding Security Contexts

To add security contexts, perform the following steps:


Step 1 In the MARS web interface, click Add Module.

Step 2 Choose the correct version of the ASA from the Device Type drop-down list.

Step 3 Enter the name of the ASA in the Device Name field.

Step 4 Enter the name of the security context in the Context Name field. This name must match the context name defined on the ASA.

Step 5 Enter the IP address of the security context from which syslog messages or SNMP notifications, or both are published in the Reporting IP field.

Step 6 (Optional) Enter the ASA read-only community string in the SNMP RO Community field.

Step 7 Click Discover to discover the settings of the defined security context. MARS collects all route, NAT, and ACL-related information.

Step 8 Click Submit to save these settings in the MARS database.


Adding Discovered Contexts

To add discovered contexts, perform the following steps:


Step 1 In the MARS web interface, click Add Available Module.

Step 2 Choose the security context from the Select drop-down list, and click Add.

Step 3 Click Submit to save these settings in the MARS database.

Step 4 Repeat these steps for each discovered context.


Editing Discovered Contexts

To edit discovered contexts, perform the following steps:


Step 1 In the MARS web interface, choose the discovered context that you want to edit according to the selected device type.

Step 2 Click Edit Module.

Step 3 Enter the IP address from which the syslog messages of the security context are sent in the Reporting IP field.

Step 4 (Optional) Enter the ASA read-only community string in the SNMP RO Community field.

Step 5 (Optional) To enable MARS to monitor this context for anomalous resource usage, click Yes from the Monitor Resource Usage list.

Step 6 Click Submit to save these settings in the MARS database.

Step 7 Repeat these steps for each discovered context.


Setting the Logging Severity Level for Syslog Messages

You can change the logging severity level of individual syslog messages, including the messages that MARS requires, or turn off specific syslog messages, using the logging message command. For more information, see Chapter 74 "Configuring Logging."

Syslog Messages That Are Processed by MARS

MARS parses syslog messages correctly regardless of the severity level at which the ASA generates them. Therefore, instead of sending everything at the debugging level, you can run the ASA at a less verbose trap level (for example, informational, level 6) and adjust the levels of individual messages as needed. Changing the logging severity level in this way reduces the logging load on the ASA by about 5-15%. The session detail events (the session class in Table E-1) remain the primary consumer of resources, because they are generated for each connection that the ASA builds and tears down.

MARS processes the following syslog messages, which are required for correct sessionization. If you change the logging severity level of the ASA, make sure that each of these messages is still generated at a severity that the ASA sends at the new trap level (for example, by checking the message with the show logging message command), so that the MARS appliance continues to receive it.
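The following is an added example, not configuration from the original guide, that applies the logging message command described in the previous two sections: it lowers the trap level from debugging to informational and then re-levels a MARS-required session-class message (710005, in the 710001-710006 range of Table E-1) that the ASA generates at the debugging level by default, so that it is still sent. The message ID 710005 and the verification command are real; the decision to turn off some other message is a site-specific choice and is shown only with a placeholder.

```text
! Added example (not from the original guide).

! Before: every message at severity 7 and below is sent (highest load)
hostname(config)# logging trap debugging

! After: only severities 0-6 are sent, which silently drops level-7 messages
! such as %ASA-7-710005 even though MARS expects the 710001-710006 range
hostname(config)# logging trap informational

! Re-level the required message so that it is generated at informational (6)
! and therefore still reaches MARS at the new trap level
hostname(config)# logging message 710005 level informational

! Verify the level now assigned to that message ID
hostname# show logging message 710005

! Turn off a message entirely only after confirming that its ID falls outside
! every range in Table E-1; syslog_id is a placeholder, not a recommendation
hostname(config)# no logging message syslog_id
```

Repeat the check for every message you rely on: any ID listed in Table E-1 whose default severity is 7 must either be re-leveled in this way or the trap level must remain at debugging.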

Table E-1 lists the syslog message classes, their definitions, and the ranges of syslog message numbers that are processed by MARS.

Table E-1 Syslog Message Classes and Associated Message Numbers

Class (Definition): Syslog Message Numbers

auth (User Authentication): 109001-109003, 109005-109008, 109010-109014, 109016-109034, 113001, 113003-113020, 114001-114020, 611101-611104, 611301-611323

bridge (Transparent Firewall): 110001

ca (PKI Certification Authority): 717001-717019, 717021-717038

config (Command Interface): 111001, 111003-111005, 111007-111009, 111111, 112001, 208005, 308001-308002, 504001-504002, 505001-505013, 506001

e-mail (E-mail Proxy): 719001-719026

dap (Dynamic Access Policies): 734

ha (High Availability (Failover)): 101001-101005, 102001, 103001-103005, 104001-104004, 105001-105011, 105020-105021, 105031-105032, 105034-105040, 105042-105048, 210001-210003, 210005-210008, 210010, 210020-210022, 311001-311004, 709001-709007

ip (IP Stack): 209003-209005, 215001, 313001, 313003-313005, 313008, 317001-317005, 322001-322004, 323001-323006, 324000-324007, 324300-324301, 325001-325003, 326001-326002, 326004-326017, 326019-326028, 327001-327003, 328001, 329001, 331001-331002, 332003-332004, 333001-333010, 334001-334008, 335001-335014, 408001-408003, 410001-410004, 411001-411004, 412001-412002, 413001-413004, 416001, 417001, 417004, 417006, 417008-417009, 418001, 419001-419002, 421001-421007, 422004-422006, 423001-423005, 424001-424002, 431001-431002, 450001, 507001-507002, 508001-508002, 509001

ipaa (IP Address Assignment): 735

ips (Intrusion Protection Service): 400000-400050, 401001-401005, 415001-415020, 420001-420003

np (Network Processor): 319001-319004

npssl (NP SSL): 725001-725014

ospf (OSPF Routing): 318001-318009, 409001-409013, 409023, 503001, 613001-613003

rip (RIP Routing): 107001-107003, 312001

rm (Resource Manager): 321001-321004

session (User Session): 106001-106002, 106006-106007, 106010-106027, 106100-106101, 108002-108003, 108005, 201002-201006, 201008-201013, 202001, 201005, 202011, 204001, 302001, 302003-302004, 302007-302010, 302012-302023, 302302, 303002-303005, 304001-304009, 305005-305012, 314001, 405001-405002, 405101-405107, 405201, 405300-405301, 406001-406002, 407001-407003, 500001-500004, 502101-502103, 502111-502112, 607001-607002, 608001-608005, 609001-609002, 616001, 617001-617004, 620001-620002, 621001-621003, 621006-621010, 622001, 622101-622102, 703001-703002, 710001-710006, 726001

snmp (SNMP): 212001-212006

sys (System): 199001-199003, 199005-199009, 211001, 211003, 216003, 217001, 218001-218004, 219002, 315004, 315011, 414001-414002, 604101-604104, 605004-605005, 606001-606004, 610001-610002, 610101, 612001-612003, 614001-614002, 615001-615002, 701001-701002, 711001-711002

vpdn (PPTP and L2TP Sessions): 213001-213004, 403101-403104, 403106-403110, 403500-403507, 603101-603109

vpn (IKE and IPSec): 316001, 320001, 402101-402103, 402106, 402114-402120, 402123, 404101-404102, 501101, 602101-602104, 602201-602203, 602301-602304, 702201-702212, 702301-702303, 702305, 702307, 713004, 713006, 713008-713010, 713012, 713014, 713016-713018, 713020, 713022, 713024-713037, 713039-713043, 713047-713052, 713056, 713059-713063, 713065-713066, 713068, 713072-713076, 713078, 713081-713086, 713088, 713092, 713094, 713098-713099, 713102-713105, 713107, 713109, 713112-713124, 713127-713149, 713152, 713154-713172, 713174, 713176-713179, 713182, 713184-713187, 713189-713190, 713193-713199, 713203-713206, 713208-713226, 713228-713251, 713900-713906, 714001-714007, 714011, 715001, 715004-715009, 715013, 715019-715022, 715027-715028, 715033-715042, 715044-715072, 715074-715079

vpnc (VPN Client): 611101-611104, 611301-611323, 722001-722038

vpnfo (VPN Failover): 720001-720073

vpnlb (VPN Load Balancing): 718001-718081, 718084-718088

webvpn (Web-based VPN): 716001-716056, 723001-723014, 724001-724002


Configuring Specific Features

Because an ASA performs multiple roles on your network, you can configure it to act both as a reporting device and as a manual mitigation device. MARS benefits from configuration of the following features:

The built-in IDS and IPS signature matching features can be critical in detecting an attempted attack.

The logging of accepted, as well as denied sessions, aids in false positive analysis.

Administrative access ensures that MARS can obtain critical data, including the following:

Route and ARP tables, which aid in network discovery and MAC address mapping.

NAT and PAT translation tables, which aid in address resolution and attack path analysis, and expose the actual instigator of attacks.

OS settings, from which MARS determines the correct ACLs to block detected attacks; you can then apply those ACLs in a management session with the ASA.