Technical Services Newsletter

Chalk Talk

Implementing New CS-MARS Features

by Gary Halleen

Cisco Secure Monitoring, Analysis, and Response Server (CS-MARS) versions 4.3.1 and 5.3.1 were recently released, introducing a number of key new features. This article describes the features and explains how to use some of them in your network.

These features are common to both 4.3.1 and 5.3.1 software releases, and it might be useful to explain when to use 4.3.1 and when to use 5.3.1. The original CS-MARS models are often referred to as Generation 1 appliances. These include the CS-MARS 20R, 20, 50, 100e, 100, 200, and GC models. These "Gen1" appliances run the 4.x software train, while the Generation 2 (Gen2) appliances, which include the CS-MARS 110R, 110, 210, and GC2, run the 5.x software train. There are only minor differences between the two software trains, with the primary difference being which hardware they run on.

As in most CS-MARS releases, there are numerous changes and improvements, along with updated support for Cisco and other vendors' network and security devices and software. There are also new features, and they are the focus of this article.

The new features you will most likely be interested in are related to authentication services of the CS-MARS appliance, as well as automated support of new Cisco Intrusion Prevention System (IPS) signatures.

Authentication Services

Traditionally, CS-MARS has supported only an on-box database of users, and the users have not been able to make any changes to their own accounts. All account maintenance has been a task for an Admin-level user. In smaller organizations, this has not been a major issue, but in larger organizations, this places a burden on the administrator and requires duplication of accounts on appliances rather than a centralized authentication database. Version 4.3.1 (5.3.1) changes this by adding a list of new authentication features that:

  • Allow users to change their own account information, including their passwords.
  • Use a Radius server for centralized authentication services.
  • Lock out an account due to failed login attempts.
  • Provide configurable timeout settings for each user role.
  • Provide improved reports and queries related to authentication and general health of the appliance.

Cisco IPS Signature Auto-Update

Prior to this release, all new support for new device signatures came in a new CS-MARS release. Beginning in 4.3.1 (5.3.1), however, support for new Cisco IPS signatures can be automated. A login name and password for Cisco's software download site can be configured in CS-MARS, and new IPS signatures can be supported within MARS without the need for a new software release.

Using the New Features

Radius Authentication:

If you configure CS-MARS to authenticate against a central radius server, you make it simpler to administer CS-MARS. A radius server can use its own database, or can proxy to a different database. Common examples include:

  • Windows Active Directory or Domain
  • LDAP
  • One-time Password (OTP) Server

Using a centralized database allows MARS users to use the same login names and passwords that they use on other systems without needing to manually replicate the passwords. The only exception to this is regarding the MARS admin account ("pnadmin"). Regardless of how you configure radius authentication, the pnadmin account will always remain a local account. Be sure to treat it carefully, using a secure password.

Configuring CS-MARS to use radius is relatively straightforward. The first prerequisite is, obviously, a radius server. In this example, we will use a Cisco Secure ACS Server, version 4.x.

Follow these steps to enable radius authentication:

  1. Create an AAA Client within your radius server. This means creating a profile that defines the name of CS-MARS, its IP address, a private key to use when communicating with radius, and how to authenticate. In CS-ACS, this is configured in the Network Configuration as shown in Figure 1.

    Figure 1: Add AAA Client

  2. Make sure each user that needs to log in to CS-MARS has an account in CS-MARS and also has an account on your radius server or in a database to which your radius server proxies unknown users.

    Figure 2: User Account Creation within ACS

  3. From within CS-MARS, while logged in as "pnadmin" or another admin-level account, click "Admin" and then "Authentication Configuration". You should see a screen that looks like Figure 3.

    Figure 3: Authentication Configuration

  4. Click "Add" in the middle box. This allows you to define the radius server and how MARS should communicate with it. Select whether to configure the radius server on an existing host that MARS is aware of or on a new host. After entering basic IP address information, click "Reporting Applications" and select "Generic AAA Server". See Figure 4.

    Figure 4: Define AAA Server

  5. Use the "Test Connectivity" button to verify that CS-MARS can communicate with the radius server and that user accounts can be authenticated against it. See Figure 5 for an example.

    Figure 5: Test Connectivity

  6. The final step is to go to the Authentication Configuration screen again and select "AAA Server" for Authentication Method. Select the server you just defined. See Figure 6 for an example. CS-MARS can have up to three radius servers configured. Notice this is also where you can define how many failed login attempts MARS should watch before locking out an account.

    Figure 6: Select AAA Server and Method

If, for any reason, you need to change the authentication method back to Local, you will need to recreate a password for each user. Once the authentication method is changed to radius, all local passwords on the MARS appliance (except the one for the pnadmin user) are deleted.
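The key entered for the AAA client in step 1 is what "Test Connectivity" in step 5 exercises: both sides must hold the same value. The following Python example is an added illustration (not from the original article and not Cisco code) of how RFC 2865 uses that shared key to hide the password in an Access-Request and to authenticate the server's reply; all function names and sample values are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2       # attribute types (RFC 2865)

def _xor(block: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, key))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a multiple of 16
    padded, out, prev = password.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: only the same shared key recovers the real password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, user, password, secret, request_auth=None):
    """Return (packet, request_authenticator) for a password login attempt."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: the Response Authenticator binds the reply to the request and key."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: reject replies not produced with the shared key."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

If the key configured on the two sides differs, the server recovers a wrong password and the client cannot validate the reply, which is the kind of failure the connectivity test is there to catch before you switch the authentication method.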

Account Lockout Policy:

If you enable the Account Lockout Policy, as shown in Figure 6, a person's account will become locked, or disabled, if they fail a password check several times in a row. An Admin needs to unlock the account before it can be used again. This is done by selecting the user's login name in the User Management screen and clicking on "Unlock".

It is also possible to lock the pnadmin and other Admin accounts. If this occurs, the only way to unlock users is through the command line interface (CLI). Even if locked, the pnadmin user can still log in through secure shell (ssh). The command "unlock" can be used to unlock specific users or all users ("unlock -a").

Timeout Settings:

CS-MARS allows you to select different timeout values for each login role. This is useful if you want Admins and Security Analysts (accounts with the ability to change the configuration of MARS) to have a short timeout period, while allowing those who are simply monitoring activity to remain connected for a longer period of time.

This is a simple setting to change. Click "Admin" and then "System Parameters". Click "Timeout Settings".

Change the values to what you desire and click "Submit". See Figure 7 for an example of a short timeout for most accounts but no timeout for Operator roles.

    Figure 7: Timeout Settings

Cisco IPS Signature Auto-Update:

Dynamic support for new Cisco IPS signatures is added by configuring a login and password in MARS and also instructing MARS how often to look for new signatures. Remember that in order for this feature to work, CS-MARS needs to be able to communicate either with the Cisco Website or with another Website on your network to which you load files. You may need to configure proxy settings for this to work, depending on your topology and security policy.

To configure this support, click "Admin", "System Setup", and then "IPS Signature Dynamic Update Settings".

Enter your Cisco.com username and password and then select how often you would like MARS to check. See Figure 8.

    Figure 8: IPS Signature Dynamic Update Settings

Once this is entered, click the "Test Connectivity" button to verify that MARS is able to communicate with Cisco.com and log in with your credentials. Once you have tested the communications, you can click the "Update Now" button to instruct MARS to begin pulling down the up-to-date signatures.

Summary

This article is by no means intended to be your sole source of documentation for configuring these new features, but it should suffice to get you started. Centralized authentication and dynamic IPS signature updates are important to securing your MARS appliance and maintaining it with accurate, up-to-date event data. While this article did not show you the updated reports associated with the centralized authentication and other health information, you should look for them under the Query and Report tab at the top of the CS-MARS interface.

About the author:

Gary Halleen, CISSP-ISSAP, is a security consulting systems engineer with Cisco. He is the author of "Security Monitoring with Cisco Security MARS," and was a technical editor of "Intrusion Prevention Fundamentals." His diligence was responsible for the first successful computer crimes conviction in the state of Oregon. Gary is a regular speaker at security events and presents at Cisco Networkers conferences.

Security Monitoring with Cisco Security MARS
Gary Halleen and Greg Kellogg
ISBN-10: 1-58705-270-9
Pub Date: 7/6/2007
US SRP: $60.00
Publisher: Cisco Press