Configuring the Security Appliance for Use with MARS
MARS centrally aggregates logs and events from various network devices, including security appliances, which you can analyze for use in threat mitigation. MARS supports the following PIX and ASA adaptive security appliance versions: 7.0(7), 7.2(2), 7.2(3), 8.0(2), and 8.1(1).
Note Version 8.1(1) applies to the ASA 5580 adaptive security appliance only. In addition, PIX is not supported in Version 8.1(1) or 8.1(2).
This appendix describes how to configure the security appliance and add it to MARS as a reporting device, and includes the following sections:
Taskflow for Configuring MARS to Monitor Security Appliances
The taskflow for configuring MARS to monitor the security appliance includes the following steps:
1. Configure the security appliance to accept administrative sessions from MARS to discover settings. Configure this setting in the admin context.
2. Configure the security appliance to publish its syslog messages to MARS. Configure this setting for the admin context and for each security context defined.
Note Each context requires a unique, routable IP address for sending syslog messages to MARS, and each context must have a unique name (usually in the hostname.domain name format).
3. To enable MARS to accept syslog message event data and to collect configuration settings from the security appliance, perform the following tasks:
– Enable logging for one or more interfaces.
– Select the logging facility and queue size.
– Specify the logging severity level as debugging (7) or indicate the desired severity level.
– Identify the target MARS appliance, and the protocol and port pair on which it listens.
4. Within the MARS web interface, perform the following steps:
– Define the security appliance by providing the administrative connection information.
To enable administrative access to MARS on the security appliance, see the Device Configuration Guide for Cisco Security MARS, Release 6.x.
– Define security contexts.
Events that are published by a reporting device (the security appliance) to MARS are not inspected until the reporting IP address of the security appliance is defined in the MARS web interface.
To add a PIX or ASA adaptive security appliance to monitor, see the Device Configuration Guide for Cisco Security MARS, Release 6.x.
– Add security contexts.
To add security contexts, see the Device Configuration Guide for Cisco Security MARS, Release 6.x.
– Add discovered contexts.
To add discovered contexts, see the Device Configuration Guide for Cisco Security MARS, Release 6.x.
– Edit discovered contexts.
To edit discovered contexts, see the Device Configuration Guide for Cisco Security MARS, Release 6.x.
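The security-appliance side of steps 1 through 3 above, as an added example that is not part of the Cisco guide. It assumes the MARS appliance sits at 10.1.1.10 behind the "inside" interface and listens for syslog on UDP 514; the hostname, domain name, username and password placeholders are constructed, and administrative access is granted only to the MARS address. In multiple context mode, the SSH and user settings go in the admin context, and the logging commands are repeated in the admin context and in every security context, each with its own routable source address.

```cisco
! Added example, not from the Cisco guide. Constructed values:
! MARS appliance 10.1.1.10, reached through the "inside" interface.
!
! Step 1 (admin context): allow MARS to open administrative sessions
! so it can discover route, ARP, NAT and PAT tables. SSH is limited to
! the single MARS address rather than a whole subnet.
hostname asa-edge
domain-name example.com
enable password <enable-password-placeholder>
username mars-discovery password <strong-password-placeholder> privilege 15
aaa authentication ssh console LOCAL
ssh 10.1.1.10 255.255.255.255 inside
!
! Steps 2 and 3 (admin context and each security context): publish
! syslog to MARS. device-id hostname tags each message with the unique
! hostname.domain name that MARS uses to tell contexts apart.
logging enable
logging timestamp
logging device-id hostname
logging facility 20
logging queue 512
logging trap debugging
logging host inside 10.1.1.10 udp/514
```

Facility 20 (local4) and a queue of 512 are the appliance defaults; they are spelled out here only so the selection made in step 3 is visible in the configuration. If you later lower the trap level from debugging to reduce load, check that the messages MARS needs for sessionization are still generated at the new level.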
Setting the Logging Severity Level for Syslog Messages
You can change the logging severity level of the required syslog messages or turn off specific syslog messages using the logging message command. For more information, see Chapter 39 "Monitoring the Adaptive Security Appliance."
Syslog Messages That Are Processed by MARS
MARS can correctly parse syslog messages at customized logging severity levels. Therefore, you can set syslog messages to a lower logging severity level (for example, logging severity level 6). By changing the logging severity level for syslog messages, you can reduce the logging load on the security appliance by 5-15%. However, the primary consumers of resources are the session detail events.
MARS processes the following syslog messages, which are required for correct sessionization. If you change the logging severity level of the security appliance, make sure that these syslog messages are generated at the new logging severity level so that the MARS appliance can receive them.
Table F-1 lists the syslog message classes, their definitions, and the ranges of syslog message numbers that are processed by MARS.
Table F-1 Syslog Message Classes and Associated Message Numbers
You can configure security appliances to act as reporting devices and manual mitigation devices, because they perform multiple roles on your network. MARS can benefit from configuration of the following features:
• The built-in IDS and IPS signature matching features can be critical in detecting an attempted attack.
• The logging of accepted, as well as denied sessions, which aids in false positive analysis.
• Administrative access ensures that MARS can obtain critical data, including the following:
– Route and ARP tables, which aid in network discovery and MAC address mapping.
– NAT and PAT translation tables, which aid in address resolution and attack path analysis, and expose the actual instigator of attacks.
– OS settings, from which MARS determines the correct ACLs to block detected attacks, which you can use in a management session with the security appliance.
• Implementing NSEL, in which the MARS Local Controller is configured as a NetFlow collector on the ASA 5580. When the ASA 5580 is configured in multi-mode, each context can report to its own MARS appliance if the contexts are on separate networks. The MARS Local Controller can use the NSEL information in the following ways:
– Create topology-aware sessionization of NetFlow events with non-NetFlow events.
– Perform rule correlation and incident firing from NetFlow events.
– Retrieve collected NetFlow data with queries and non-scheduled reports.
– View incoming NetFlow events with the Real-Time Event Viewer.
– Configure drop rules according to incoming NetFlow events.
– Use NetFlow-derived events in scheduled reports results (for example, Top N reports).
Note Syslog-only anomaly detection is still supported for the ASA 5580.
Before enabling NetFlow configuration on MARS appliances, you must enable NSEL on the ASA 5580 by configuring MARS as the NetFlow collector. For information about configuring NetFlow collectors, see Chapter 39 "Monitoring the Adaptive Security Appliance."
Configuring NSEL for MARS on the ASA 5580
The following procedure is valid only for the Cisco ASA, Version 8.1(1). The Cisco ASA, Version 8.0.x does not support NSEL.
For additional information about configuring NetFlow (NSEL) collectors for the ASA 5580, see the Cisco ASA 5580 Implementation Note for NetFlow Collectors, available at the following URL:
hostname(config)# ntp server 171.68.10.80 key 1 source inside prefer
Configures an NTP server to ensure accurate time stamps. Entering this command enables better correlation between the ASA and MARS devices, because it ensures that the time on both is the same.
Step 3
clear configure flow-export
For example:
hostname(config)# clear configure flow-export
Clears all flow-export configurations associated with NetFlow data.
Step 4
flow-export enable
For example:
hostname(config)# flow-export enable
For Version 8.1(1), when export of NetFlow data is enabled, the template records are sent to all configured NetFlow collectors. In addition, the device starts exporting NetFlow data events. When disabled, any pending cached NetFlow events will be removed, and the device stops exporting NetFlow events.
For Version 8.1(2), the flow-export enable command has been deprecated. When you enter this command, flow-export actions are converted under Modular Policy Framework and the following informational message appears:
INFO: 'flow-export enable' command is deprecated. Converting to flow-export actions under MPF.
For Version 8.1(2), the no flow-export enable command is not supported. When you enter this command, the following error message appears:
ERROR: This command is no longer supported. Flow-export actions under MPF need to be removed to stop exporting NetFlow events.
Configures the ASA 5580 to export NetFlow events to a destination system (MARS).
The example configures the ASA 5580 interface on which the MARS appliance can be reached, the name associated with the IP address of the MARS appliance, and the UDP port on which MARS is listening for NetFlow traffic.
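The NSEL procedure described above, collected into one configuration as an added example that is not part of the Cisco guide. It assumes the MARS Local Controller is reachable at 10.1.1.10 through the "inside" interface and listens for NetFlow on UDP port 2055 (both constructed values); the NTP server address is the one shown in the guide, and the NTP authentication key is a placeholder. The trailing Modular Policy Framework form is the assumed equivalent for Version 8.1(2), where flow-export enable is converted into flow-export actions; confirm its syntax against the command reference for your image.

```cisco
! Added example, not from the Cisco guide. Constructed values:
! MARS Local Controller 10.1.1.10 via "inside", NetFlow on UDP 2055.
!
! Accurate clocks keep ASA and MARS event times aligned. "key 1" in the
! guide's ntp server command needs a matching authentication key.
ntp authentication-key 1 md5 <ntp-key-placeholder>
ntp trusted-key 1
ntp authenticate
ntp server 171.68.10.80 key 1 source inside prefer
!
! ASA 5580 Version 8.1(1): clear any earlier flow-export settings,
! name MARS as the collector, then enable export. Template records go
! to every configured collector as soon as export is enabled.
clear configure flow-export
flow-export destination inside 10.1.1.10 2055
flow-export template timeout-rate 1
flow-export enable
!
! ASA 5580 Version 8.1(2): "flow-export enable" is deprecated and is
! converted to flow-export actions under MPF. Assumed equivalent:
! policy-map global_policy
!  class class-default
!   flow-export event-type all destination 10.1.1.10
! service-policy global_policy global
```

The destination interface, collector address and UDP port in the flow-export destination line are the three values the guide's final step calls for. Keep syslog export to MARS in place as well: syslog-only anomaly detection remains supported on the ASA 5580, and MARS sessionizes NetFlow events together with the non-NetFlow events it already receives.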