Install and Setup Guide for Cisco Security MARS, Release 4.3.x
Appliance Overview and Specifications


Appliance Overview and Technical Specifications


Revised: March 3, 2008, OL-14672-01

This chapter defines the components of the Cisco Security Monitoring, Analysis, and Response System (MARS) and describes the front and back panels of the various appliance models. This chapter contains the following sections:

System Description

Hardware Descriptions: MARS 20, 20R, 50, 200, GCm, and GC

System Description

Cisco Security MARS is a security threat mitigation (STM) system. It delivers a range of information about your networks' health as reported by devices in your networks. It processes raw events from your reporting devices, sessionizes them (see footnote 1) across different devices, evaluates them against inspection rules (system and user-defined), identifies false positives, and consolidates information using diagrams, charts, queries, reports, and rules.

MARS helps you be more productive by:

Reducing the amount of raw data that requires manual review

Enabling an evolving view of the network security posture

Identifying hot spots of malicious activity

Blocking undesirable traffic from the network

The MARS system operates at distinct and separate levels based on how much information is provided about your networks' reporting devices. At its most basic level, MARS functions as a syslog server. As you add information about reporting devices, MARS begins to sessionize the raw data. After you configure additional reporting devices and enable the more verbose reporting features, it presents a much more comprehensive view of your network, from which you can quickly drill down to a specific MAC address, for example.

Figure 1-1 presents an example deployment of MARS, which identifies the components of the system and their relationships.

Figure 1-1 Relationship of Global Controller to Local Controller to Reporting/Mitigation Device

The Cisco Security MARS system comprises the following components:

Local Controller

Global Controller

MARS Web Interface

Reporting and Mitigation Devices

Local Controller

The Local Controller models are as follows: MARS 20, MARS 20R, MARS 50, MARS 100, MARS 100e, and MARS 200. Each model differs in its ability to process and store events from reporting devices, enabling you to accurately address your needs based on the size of your network and the traffic volume.

Local Controllers receive and pull data from reporting devices, such as firewalls, routers, intrusion detection/prevention systems, and vulnerability assessment systems. Based on the data obtained from those devices, and the level of integration with them, MARS can present you with suggested mitigation rules for detected attacks and, in some cases, push those rules to the mitigation device, which is a network device that contains the attack by restricting network access to the infected hosts.

A Local Controller summarizes information about the health of your network based on data it receives from the reporting devices that it monitors.

The Local Controller performs the following functions:

Collects all raw events

Sessionizes events across different devices

Fires inspection rules for incidents

Determines false positives

Delivers consolidated information in diagrams, charts, queries, reports, and notifications

Detects inactive reporting devices

Derives a set of IOS/IPS Distributed Threat Mitigation (DTM) signatures based on attacks reported by monitored Cisco IPS 5.x appliances

Acts as a repository for the IOS/IPS DTM signatures, from which IOS/IPS devices can download current signature sets

Global Controller

If you deploy numerous Local Controllers, you can deploy a Global Controller that summarizes the findings of two or more Local Controllers. In this way, the Global Controller enables you to scale your network monitoring without increasing the management burden. The Global Controller provides a single user interface for defining new device types, inspection rules, and queries, and it enables you to manage Local Controllers under its control. This management includes defining administrative accounts and performing remote, distributed upgrades of the Local Controllers. The Global Controller is available in the following models—MARS GCm and MARS GC.

MARS Web Interface

The MARS web interface operates on a client computer. With many features common to both the Local Controller and Global Controller, the web interface uses a tabbed, hyperlinked, browser-based user interface. You access the web interface from any computer that can access the MARS Appliance on your network. For more information on client requirements, see Web Browser Client Requirements, page 3-9.

From the web interface, you can perform most of your administrative functions, including all functions that are not supported at the command line. Although this manual includes procedures for initially configuring the appliance using the web interface, the following publications reference their corresponding web interface:

User Guide for Cisco Security MARS Local Controller

User Guide for Cisco Security MARS Global Controller

Reporting and Mitigation Devices

If you consider the MARS system from a top-down perspective, you see that the Global Controller monitors Local Controllers and that Local Controllers monitor one or more reporting devices. Reporting devices provide MARS with data about the network, from traffic flows, as in the case of a router, to the configuration of possible attack targets, such as from a vulnerability assessment system.

A reporting device that can deny a traffic flow is called a mitigation device (for example, a switch). MARS provides mitigation support in two forms:

For supported Layer 3 devices (based on the OSI Network Model), MARS provides you with a suggested device and set of commands that can be used to halt an ongoing, detected attack. You can use this information to manually block the attack.

For supported Layer 2 devices, MARS recommends a device and a set of commands to halt the ongoing, detected attack, and provides a method for making the configuration changes on your behalf.

How you configure your reporting devices and mitigation devices greatly affects the ability of MARS to detect ongoing attacks. You can learn more about how to configure these devices in the following:

User Guide for Cisco Security MARS Local Controller

User Guide for Cisco Security MARS Global Controller

For a complete list of the supported reporting and mitigating devices, see:

Supported Devices for Cisco Security MARS Local Controller Version 5.3.x

Hardware Descriptions: MARS 20, 20R, 50, 200, GCm, and GC

The following sections describe the front and back panels of the different MARS Appliance models and the different components they include.

Technical Specifications

MARS 20 and MARS 20R

MARS 50

MARS 100 and MARS 100e

MARS 200, MARS GCm, and MARS GC

Technical Specifications

Table 1-1 lists physical measurements and components of the Cisco Security MARS appliances. Table 1-2 describes the electrical characteristics and environmental operating parameters.

Table 1-1 Chassis and Component Specifications

Specification | MARS 20, 20R | MARS 50 | MARS 100, 100E | MARS 200, GCM, GC
Weight | 9.07 kg (20.0 lbs) | 12.7 kg (28.0 lbs) | 28.6 kg (63.0 lbs) | 43.1 kg (95.0 lbs)
Rack Unit (1) | 1 RU x 16 in. (41 cm) | 1 RU x 25.6 in. (65.0 cm) | 3 RU x 25.6 in. (65.0 cm) | 4 RU x 25.6 in. (65.0 cm)
CPU | Intel Pentium 4, 3.0 GHz | Intel Pentium 4, 3.0 GHz | 2 Intel Xeon, 2.8 GHz | 2 Intel Xeon, 2.8 GHz
Network Controller | 2 x 10/100/1000 Integrated Ethernet | 2 x 10/100/1000 Integrated Ethernet | 2 x 10/100/1000 Integrated Ethernet | 2 x 10/100/1000 Integrated Ethernet
Storage | 120 GB (non-RAID) | 240 GB RAID 0 | 750 GB RAID 10, hot-swappable | 1 TB RAID 10, hot-swappable
DVD-ROM | 24x SlimDVD-ROM | 24x SlimDVD-ROM | 24x SlimDVD-ROM | 24x SlimDVD-ROM

(1) A rack unit (RU) is a standardized measure for the height of rack-mountable equipment. One RU is 44.45 mm (1.75 in.) high, 482.6 mm (19 in.) wide.


Table 1-2 Electrical and Environmental Specifications

Specification | MARS 20, 20R | MARS 50 | MARS 100, 100E | MARS 200, GCM, GC
Power Supply (rated output, input voltage range, frequency range, minimum and maximum input current) | 300W autoswitch, 100-240 VAC, 50-60Hz, 6A min. 10A max. | 300W autoswitch, 100-240 VAC, 50-60Hz, 6A min. 10A max. | 500W dual-redundant, hot-swappable, 100-240 VAC, 50-60Hz, 10A min. 10A max. | 500W dual-redundant, hot-swappable, 100-240 VAC, 50-60Hz, 10A min. 10A max.
Dissipated Heat | 1,000-1,700 BTU
Operating Temperatures and Humidity Range | 5°C to 40°C; 20% to 80% max. 27°C wet bulb, noncondensing | 5°C to 40°C; 20% to 80% max. 27°C wet bulb, noncondensing | 5°C to 40°C; 20% to 80% max. 27°C wet bulb, noncondensing | 5°C to 40°C; 20% to 80% max. 27°C wet bulb, noncondensing
Non-operating Temperatures and Humidity Range | -20 to 60°C; 5% to 90% maximum 38°C wet bulb, noncondensing | -20 to 60°C; 5% to 90% maximum 38°C wet bulb, noncondensing | -20 to 60°C; 5% to 90% maximum 38°C wet bulb, noncondensing | -20 to 60°C; 5% to 90% maximum 38°C wet bulb, noncondensing
Vibration | Operating: 0.2G, 5-500 Hz, swept sine; Nonoperating: 1.0 G, 5-500 Hz, swept sine | Operating: 0.2G, 5-500 Hz, swept sine; Nonoperating: 1.0 G, 5-500 Hz, swept sine | Operating: 0.2G, 5-500 Hz, swept sine; Nonoperating: 1.0 G, 5-500 Hz, swept sine | Operating: 0.2G, 5-500 Hz, swept sine; Nonoperating: 1.0 G, 5-500 Hz, swept sine
Shock | Operating: 3G peak, 11 ms half-sine; Nonoperating: 10G peak, 11 ms half-sine | Operating: 3G peak, 11 ms half-sine; Nonoperating: 10G peak, 11 ms half-sine | Operating: 3G peak, 11 ms half-sine; Nonoperating: 10G peak, 11 ms half-sine | Operating: 3G peak, 11 ms half-sine; Nonoperating: 10G peak, 11 ms half-sine
Altitude | Operating: 3000 m (10,000 ft.); Nonoperating: 12,000 m (40,000 ft.) | Operating: 3000 m (10,000 ft.); Nonoperating: 12,000 m (40,000 ft.) | Operating: 3000 m (10,000 ft.); Nonoperating: 12,000 m (40,000 ft.) | Operating: 3000 m (10,000 ft.); Nonoperating: 12,000 m (40,000 ft.)
Acoustic Noise | Operating: 7.5 bel | Operating: 7.5 bel | Operating: 7.5 bel | Operating: 7.5 bel


Locating the License Key

For MARS Appliances running 4.X software, a license key sticker is affixed to the chassis and the Recovery DVD case shipped with your product. Figure 1-2 identifies the license key sticker location on the chassis.

Figure 1-2 License Key Location

MARS 20 and MARS 20R

Front Panel Features

Figure 1-3 MARS 20 and MARS 20R Front Panel

Element | Description
1 | DVD drive
2 | DVD eject button
3 | Power switch
4 | Power indicator light
5 | Face plate release screws
6 | Restart button


Back Panel Features

Figure 1-4 MARS 20 and MARS 20R Back Panel

Element | Description
1 | PS/2 Keyboard port
2 | PS/2 Mouse port
3 | Parallel port (not supported)
4 | eth1, Ethernet 1 port
5 | eth0, Ethernet 0 port
6 | RJ-11 Line-in port
7 | Telephone port (line out)
8 | Power socket
9 | Power switch
10 | VGA port
11 | Serial port
12 | USB 0 port (not supported)
13 | USB 1 port (not supported)
14 | Serial number (begins with SN:)


Serial Port

The integrated serial port on the back panel of the appliance uses a 9-pin D-subminiature connector.

If you reconfigure your hardware, you may need information regarding the pin number and signal for the serial port connector. Figure 1-5 illustrates the pin numbers for the serial port connector and defines the pin assignments and interface signals for the serial port connector. (Pin numbering proceeds bottom to top and right to left, as illustrated.)

Figure 1-5 Pin Numbers for the Serial Port Connector

Pin | Signal | I/O | Definition
1 | DCD | I | Data carrier detect
2 | SIN | I | Serial input
3 | SOUT | O | Serial output
4 | DTR | O | Data terminal ready
5 | GND | N/A | Signal ground
6 | DSR | I | Data set ready
7 | RTS | O | Request to send
8 | CTS | I | Clear to send
9 | RI | I | Ring indicator
Shell | N/A | N/A | Chassis ground


Line-in Port

The MARS Appliance comes with a built-in V.90 modem for use with SMS and pager alerts. You connect the modem to the wall jack using the provided cable and the line-in port, which is a standard RJ-11 port.

Telephone Port

If you have connected the modem to the telephone wall jack, you can connect a telephone to the telephone port on the MARS Appliance. The telephone port uses a standard RJ-11 port.

VGA Port

This standard VGA port enables you to connect a monitor to the appliance and view the console logs and operate the command line. However, you must have a keyboard also attached to the MARS Appliance to use these features.

Parallel Port

Not used.

Keyboard Port

Accepts a PS/2 keyboard connection. You can connect a keyboard directly to the MARS Appliance. When you connect a keyboard to this port and a monitor to the VGA port, you can access the console logs and the command line interface of the appliance.

Mouse Port

Not used.

USB Ports (0 and 1)

Not used.

Ethernet Connectors (eth0 and eth1)

Your system has two integrated 10/100/1000-megabit-per-second (Mbps) autosensing Ethernet connectors. MARS Appliance supports the operation of both Ethernet connectors. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.

Each NIC is configured to detect the speed and duplex mode of the network.

The MARS Appliance monitors network traffic destined to the IP address assigned to eth0. The eth0 connector is the port to which the gateway command applies. Therefore, eth0 must be attached to the network from which the reporting devices are accessible. The eth1 connector is typically used as an out-of-band management network, which provides faster graphical user interface (GUI) response to the administrator. To use eth1, you must define static routes to the destination networks for that interface.

Warning: To avoid electric shock, do not connect safety extra-low voltage (SELV) circuits to telephone-network voltage (TNV) circuits. LAN ports contain SELV circuits, and WAN ports contain TNV circuits. Some LAN and WAN ports both use RJ-45 connectors. Use caution when connecting cables.


Network Cable Requirements

The Ethernet connectors are designed for attaching an unshielded twisted pair (UTP) Ethernet cable equipped with standard RJ-45 compatible plugs. Press one end of the UTP cable into the Ethernet connector until the plug snaps securely into place. Connect the other end of the cable to an RJ-45 port on a hub or other device, depending on your network configuration. Observe the following cabling restrictions for 10BASE-T, 100BASE-TX, and 1000BASE-TX networks:

For 10BASE-T networks, use Category 3 or greater wiring and connectors.

For 100BASE-TX and 1000BASE-TX networks, use Category 5 or greater wiring and connectors.

The maximum cable run length is 328 feet or 100 meters.

MARS 50

Front Panel Features

Figure 1-6 MARS 50 Front Panel

Element | Description
1 | DVD drive
2 | DVD eject button
3 | Power indicator light
4 | Power switch
5 | Face plate release screws
6 | Restart button


Back Panel Features

Figure 1-7 MARS 50 Back Panel

Element | Description
1 | Power socket
2 | PS/2 Keyboard port
3 | PS/2 Mouse port
4 | Parallel port (not supported)
5 | eth1, Ethernet 1 port
6 | eth0, Ethernet 0 port
7 | RJ-11 Line-in port
8 | Telephone port (line out)
9 | VGA port
10 | Serial port
11 | USB 0 port (not supported)
12 | USB 1 port (not supported)
13 | Serial number (begins with SN:)


MARS 100 and MARS 100e

Front Panel Features

Figure 1-8 MARS 100 and MARS 100e Front Panel

Element | Description
1 | Drives 1-3
2 | Drive status lights
3 | Drive bay door lock
4 | Drives 4-6
5 | Face plate release screws
5 | DVD eject button
6 | DVD drive
7 | Restart button
8 | Power switch
9 | Power indicator light
10 | Serial number (begins with SN:)


Hard Drive Layout

Figure 1-9 Hard Drive Slot Numbering for the Local Controller 100 and 100E

MARS Appliance | Storage Capacity (1) | Hard Drive Slot to Port Number
MARS 100e, MARS 100 | 750 GB; RAID 10; 6 x 250 GB Drives; Hot-swappable | Slot 6 is Port 0; Slot 5 is Port 1; Slot 4 is Port 2; Slot 3 is Port 3; Slot 2 is Port 4; Slot 1 is Port 5

(1) The stated storage capacity is the sum of the rated capacity of all the hard drives and does reflect bytes reserved for the RAID overhead on each drive.


Back Panel Features

Figure 1-10 MARS 100 and MARS 100e Back Panel

Element | Description
1 | PS/2 Keyboard port
2 | PS/2 Mouse port
3 | Parallel port (not supported)
4 | Telephone port (line out)
5 | RJ-11 Line-in port
6 | Power source release screw
7 | Power source release lever
8 | Power socket
9 | Power source handle (Power supply part number: CS-MARS-100-PS=)
10 | eth1, Ethernet 1 port
11 | eth0, Ethernet 0 port
12 | VGA port
13 | Serial port
14 | USB 0 port (not supported)
15 | USB 1 port (not supported)


MARS 200, MARS GCm, and MARS GC

Front Panel Features

Figure 1-11 MARS 200, MARS GCm, or MARS GC Front Panel

Element | Description
1 | Drives 1-3
2 | Drive status lights
3 | Drive bay door lock
4 | Drives 4-6
5 | Drives 7-9
6 | DVD drive
7 | DVD eject button
8 | Face plate release screws
9 | Power switch
10 | Serial number (begins with SN:)
11 | Power indicator light


Hard Drive Layout

Figure 1-12 MARS 200, MARS GCm, or MARS GC Hard Drive Slot Numbering

MARS Appliance | Storage Capacity (1) | Hard Drive Slot to Port Number
MARS 200, GC, GCM | 1 TB; RAID 10; 8 x 250 GB Drives; Hot-swappable | Slot 8 is Port 0; Slot 7 is Port 1; Slot 6 is Port 2; Slot 5 is Port 3; Slot 4 is Port 4; Slot 3 is Port 5; Slot 2 is Port 6; Slot 1 is Port 7

(1) The stated storage capacity is the sum of the rated capacity of all the hard drives and does reflect bytes reserved for the RAID overhead on each drive.


Back Panel Features

Figure 1-13 MARS 200, MARS GCm, or MARS GC Back Panel

Element | Description
1 | Power Supply switch (Power supply part number: CS-MARS-200-PS=)
2 | Power Supply release lever
3 | Power Supply light
4 | Power Supply reset button
5 | System Power indicator light
6 | AC Power sockets
7 | Telephone port (line out)
8 | RJ-11 Line-in port
9 | eth1, Ethernet 1 port
10 | eth0, Ethernet 0 port
11 | VGA port
12 | Parallel port (not supported)
13 | DB-9 Serial port
14 | USB 0 port (not supported)
15 | USB 1 port (not supported)
16 | PS/2 Keyboard port
17 | PS/2 Mouse port
18 | Power Supply handles


1 Sessionize refers to correlating the reported network data, logs, and events into a higher-level interpretation to identify those packets as part of a single session, or a communication, that has a beginning, a body, and an end.