
Protocols for cisco mars. Products

Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS) is a hardware appliance that provides detailed monitoring and control of an existing security system, detecting, managing and repelling security threats.

Network and security administrators may encounter the following issues:

  • A very large amount of information about the state of the network and system security;
  • Insufficient effectiveness of the tools for detecting attacks and failures, assessing their significance and developing response actions;
  • High speed and complexity of attacks and high cost of recovery after attacks;
  • The need to create reports to pass audits and compliance checks.

Cisco MARS Features

Collection and processing of information

Cisco Security MARS accumulates and integrates all information about the network topology, the configuration of network devices and the security rules, receiving it from network devices and security systems as well as by analyzing network traffic. At the same time, the use of agents is minimal, so the performance of the network and of the system as a whole is not reduced.

Cisco Security MARS centrally collects log files from routers, switches, firewalls, intrusion detection systems, vulnerability scanners, antivirus applications, servers running the Windows, Solaris and Linux operating systems, applications (for example, web servers and authentication servers), DBMSs, and traffic processing programs (for example, Cisco NetFlow).

Detecting Event Correlation

The collected information is organized depending on the network topology, device configuration, source and destination addresses. Based on the information received, related events are grouped into sessions in real time. In accordance with system rules and those set by the administrator, Cisco MARS analyzes sessions to identify incidents, failures, and attacks.

Cisco MARS comes with a large set of system rules, which are updated regularly and include detection of most combination attacks, zero-day attacks, network worms, etc. The administrator can create rules for any application using the graphical interface.

Event correlation structures the information about network and system security, which reduces the amount of information needed for decision-making, helps determine priority actions for responding to attacks and, as a result, increases the effectiveness of the measures taken.

Collection and accumulation of large amounts of data

Cisco MARS receives information about a variety of events on the network, then structures the data, and compresses the data for archiving. Processing huge amounts of data is possible thanks to the use of efficient algorithms and a built-in high-performance database, the configuration of which is completely transparent to the administrator.

For transferring data to secondary archiving devices, as well as for the ability to restore configurations after failures, Cisco MARS supports the NFS network file system and the secure FTP protocol.

Visualization of incidents and repelling attacks

Cisco Security MARS can help administrators more quickly and easily identify attacks and failures, confirm incidents, and implement attack mitigation measures.

Cisco MARS provides powerful graphical tools with which you can build a network map (including attacked nodes, attack paths), and display complete information about attacks and incidents. This allows you to quickly take action to repel attacks.

MARS analyzes event sessions to detect and confirm attacks and to collect information about them (down to the MAC addresses of end nodes). This automated process is complemented by analysis of security log files (firewalls, intrusion detection systems, etc.) and by MARS's own false-positive checks.

In addition to the fact that Cisco MARS allows you to obtain complete information about the attack, the system automatically identifies hosts vulnerable to attack and generates commands that the user can execute to repel the attack.

Real-time information collection and compliance reporting

What sets Cisco Security MARS apart is its easy-to-use tools for structuring network and system security information, which automatically document system status, incidents and responses, both for day-to-day operations and for inspections and audits.

Cisco MARS provides the ability to graphically display attacks both in real time and to reconstruct patterns of attacks and incidents when analyzing historical events.

Cisco Security MARS provides reporting for a variety of purposes: developing disaster recovery plans, analyzing incidents and network activity, and auditing the current security state; reports can be created as text, tables, graphs and charts. Reports on compliance with a number of foreign standards (PCI DSS, Sarbanes-Oxley, HIPAA, etc.) can also be created.

Fast implementation and flexible management

Cisco Security MARS requires a network connection with the ability to send and receive log files, SNMP messages, and establish sessions with network devices and security devices using standard or vendor-specific secure protocols.

Installing Cisco MARS does not require additional hardware, operating system upgrades, additional licenses or additional work. To get started, you only need to use the web interface to configure network devices and security tools to connect to Cisco MARS, and to configure the networks and network nodes to be monitored.

Cisco MARS allows you to transfer log files to an external server for integration with your existing network infrastructure. Cisco Security MARS also allows you to install an additional management device (Global Controller), which provides: hierarchical management of several Cisco MARS systems, consolidation of reports from individual systems, setting rules and report templates and updates for local Cisco MARS systems.

Detailed Description of Cisco MARS Features

Dynamic session correlation:

  • Anomaly detection including NetFlow information
  • Event correlation based on behavior and rules
  • General built-in and user-defined rules
  • Automatic normalization of translated network addresses

Construction of a topological diagram:

  • Layer 2 and Layer 3 routers, switches and firewalls
  • Modules and devices of a network intrusion detection system
  • Manual or scheduled construction
  • SSH, SNMP, Telnet and device-specific communications

Vulnerability Analysis:

  • Network- or end-node-based breach detection
  • Configuration analysis of switches, routers, firewalls and NAT
  • Automatic processing of vulnerability scan data
  • Automatic and user-defined false positive analysis

Violation analysis and response:

  • Individual Security Event Management Dashboard
  • Combining session event data with the context of all rules
  • Graphical representation of the attack path with detailed analysis
  • Device profiles along the attack path with determination of MAC addresses of end nodes
  • Graphical and detailed sequential representation of attack type
  • Breach details, including rules, unhandled events, common vulnerabilities and network impact, and response options
  • Instant analysis of violations and identification of false positives
  • Define rules using a graphical user interface to support your own rules and analysis keywords
  • Assessment of violations with issuance of a worksheet for users describing step-by-step actions
  • Notification including email, pager, syslog and SNMP

Generating queries and reports:

  • Graphical user interface supporting a large number of standard and custom queries
  • Over 80 common reports, including management, operations and compliance reports
  • Report generator with a visual interface that allows you to create an unlimited number of custom reports
  • Text, graphical and combined report formats with export to HTML and CSV files
  • Creation of ready-to-print, group, standard, etc. reports

Administration:

  • HTTPS web interface; role-based administration with specified permissions
  • Hierarchical management of multiple Cisco MARS systems using a global controller
  • Automatic updates including device support, new rules and features
  • Permanently migrate raw breach data archives to offline NFS storage

Device support:

  • Active network equipment: Cisco IOS software versions 11.x and 12.x; Cisco Catalyst OS version 6.x; Cisco NetFlow versions 5.0 and 7.0; Extreme Extremeware version 6.x.
  • Firewalls/VPN: Cisco Adaptive Security Appliance version 7.0, Cisco PIX security appliance software versions 6.x and 7.0; Cisco IOS firewall version 12.2(T) or higher; Cisco Firewall Function Module (FWSM) versions 1.x, 2.1, and 2.2; software for Cisco VPN 3000 version 4.0; firewall Checkpoint Firewall-1 NG FP-x and VPN-1 versions FP3, FP4 and AI; NetScreen firewall versions 4.x and 5.x; Nokia firewall versions FP3, FP4 and AI.
  • IDS systems: Cisco IDS version 3.x, 4.x and 5.0; Cisco IDS module versions 3.x and 4.x; Cisco IOS IPS version 12.2; Enterasys Dragon NIDS version 6.x; ISS RealSecure network sensor versions 6.5 and 7.0; Snort NIDS version 2.x; McAfee Intrushield NIDS version 1.5 and 1.8; NetScreen IDP system version 2.x; OS versions 4.x and 5.x; Symantec MANHUNT system.
  • Vulnerability assessment systems: eEye REM version 1.x and FoundStone FoundScan version 3.x.
  • Endpoint security systems: Cisco Security Agent version 4.x; McAfee Entercept version 2.5 and 4.x; sensor for end nodes ISS RealSecure Host Sensor versions 6.5 and 7.0.
  • Antivirus software: Symantec Antivirus version 9.x.
  • Authentication servers: Cisco ACS server versions 3.x and 4.x.
  • End node operating systems: Windows NT, 2000 and 2003 (with and without agents); Solaris OS versions 8.x, 9.x and 10.x; Linux OS version 7.x.
  • Applications: Web servers (ISS, iPlanet and Apache); Oracle 9i and 10g; NetCache.
  • Universal device support for aggregating and monitoring system logs of any application.

Additional Hardware Features:

  • Special-purpose appliances, 19" rack-mountable; UL certified.
  • Hardened OS; firewall with a reduced function set.
  • Two 10/100/1000 Ethernet interfaces.
  • DVD-ROM with recovery discs.

CiscoWorks Security Information Management Solution (SIMS)

We present a description of the system for network monitoring, data collection, processing and management of network devices.

CiscoWorks Security Information Management Solution (SIMS) is a system for management, monitoring and collection of statistics, the architecture of which is based on a multi-level model (Fig. 1), which allows you to expand the system step by step as the network infrastructure of the enterprise grows.
The SIMS core is a single point for collecting all incidents in the network, classifying them and monitoring them continuously.

Main tasks of SIMS:

  • monitoring;
  • collection of data from firewalls, attack detection devices, antivirus software and operating systems, as well as applications;
  • data analysis and processing;
  • presentation of the final result in graphical form: reports and diagrams.

SIMS makes it possible to obtain data on possible security violations not only of an individual device, such as an IDS, but of the network as a whole, which reveals the strengths and weaknesses of the organization's network security.
SIMS is designed for the networks of large enterprises and Internet providers with from 30 to several thousand nodes and can work together with systems such as HP OpenView and Micromuse. When network intrusions are detected, SIMS can also create incidents describing the problem and send them to the corporate network's technical support service.

The central component of the system is the kernel. It is a rapid response system that is a distributed application. SIMS allows you to receive notifications about violations of security policies anywhere in the corporate network, generates reports and provides access to them from any application that supports a web interface.

The operating principle of SIMS technology can be divided into 4 parts:

1. Standardization.

Data from various network devices is collected by agents (Fig. 2), which process events, group them (recognizing up to 20 thousand different events), convert them to a single data format (IDMEF) and send them via TCP to the server on which the main application (the SIMS core) is installed for processing.

2. Association.

The SIMS core distributes the received data into 9 groups (Fig. 3) depending on the degree of importance from a security point of view. In large networks, due to the scalability of the system, several such servers can be used to provide distributed processing.

3. Analysis of the obtained data.

The system analyzes and processes the received data. At this stage of the system's operation, you can set the settings for templates, security policies and differentiation of protection levels for different sections of the network.

4. Visualization.

At the fourth and final stage, SIMS presents the result of its work in a convenient graphical form (Fig. 4). The system can create various graphs, tables and charts for visual presentation of data. Using the parameters stored in the system database, you can perform comparative analysis both by individual criteria and for the system as a whole.
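The four stages above, as an added worked example that is not SIMS code: a small Python script parses constructed log lines from a firewall, an IDS and a host agent (stage 1, standardization), renders each recognized event as an IDMEF alert in the RFC 4765 namespace, and sorts the events into importance groups (stage 2, association). The regular expressions, the three-group importance mapping, the fixed timestamp, the agent-to-host address table and the sample lines are all assumptions made for the illustration; the real SIMS agents recognize far more event types and the core uses nine groups.

```python
"""Normalize heterogeneous log lines into IDMEF alerts and sort them into
importance groups. Added example, not SIMS code; regexes, importance mapping
and sample lines are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

IDMEF_NS = "http://iana.org/idmef"      # IDMEF namespace (RFC 4765)
CREATE_TIME = "2024-01-01T00:00:00Z"    # constructed: sample lines carry no timestamp
AGENT_HOST = {"linux-host": "10.0.0.5"}  # constructed: the host agent knows its own address
ET.register_namespace("idmef", IDMEF_NS)

# Constructed sample lines: one firewall deny, one IDS alert, one host login
# failure, and one benign cron line that no pattern recognizes.
SAMPLE_LINES = [
    ("pix-fw", '%PIX-4-106023: Deny tcp src outside:203.0.113.7/4431 '
               'dst inside:10.0.0.5/22 by access-group "outside_in"'),
    ("snort", "[1:2003:8] Potential SSH Scan [Priority: 2] {TCP} "
              "203.0.113.7:4431 -> 10.0.0.5:22"),
    ("linux-host", "sshd[2211]: Failed password for root from 203.0.113.7 port 4431 ssh2"),
    ("linux-host", "cron[100]: (root) CMD (run-parts /etc/cron.hourly)"),
]

PIX_RE = re.compile(r"%PIX-(\d)-(\d+): Deny (\w+) src \w+:([\d.]+)/\d+ dst \w+:([\d.]+)/(\d+)")
SNORT_RE = re.compile(r"\[([\d:]+)\] (.+?) \[Priority: (\d)\] \{(\w+)\} ([\d.]+):\d+ -> ([\d.]+):(\d+)")
SSHD_RE = re.compile(r"sshd\[\d+\]: Failed password for (\w+) from ([\d.]+) port (\d+)")


def parse(analyzer, line):
    """Return a normalized event dict, or None if the line is not recognized."""
    m = PIX_RE.search(line)
    if m:
        level = int(m.group(1))  # syslog severity 0-7, lower is more severe
        return {"analyzer": analyzer, "src": m.group(4), "dst": m.group(5), "port": m.group(6),
                "text": f"Firewall deny {m.group(3)} (PIX-{m.group(2)})",
                "importance": "high" if level <= 2 else "medium" if level <= 4 else "low"}
    m = SNORT_RE.search(line)
    if m:
        prio = int(m.group(3))  # Snort priority 1 is the most severe
        return {"analyzer": analyzer, "src": m.group(5), "dst": m.group(6), "port": m.group(7),
                "text": f"IDS {m.group(1)}: {m.group(2)}",
                "importance": {1: "high", 2: "medium"}.get(prio, "low")}
    m = SSHD_RE.search(line)
    if m:
        return {"analyzer": analyzer, "src": m.group(2),
                "dst": AGENT_HOST.get(analyzer, "0.0.0.0"), "port": "22",
                "text": f"Failed password for {m.group(1)}",
                "importance": "high" if m.group(1) == "root" else "medium"}
    return None


def to_idmef(ev, message_id):
    """Render one normalized event as an IDMEF-Message/Alert XML string."""
    ns = lambda tag: f"{{{IDMEF_NS}}}{tag}"
    root = ET.Element(ns("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(root, ns("Alert"), messageid=str(message_id))
    ET.SubElement(alert, ns("Analyzer"), analyzerid=ev["analyzer"])
    ET.SubElement(alert, ns("CreateTime")).text = CREATE_TIME
    for role, addr in (("Source", ev["src"]), ("Target", ev["dst"])):
        node = ET.SubElement(ET.SubElement(alert, ns(role)), ns("Node"))
        address = ET.SubElement(node, ns("Address"), category="ipv4-addr")
        ET.SubElement(address, ns("address")).text = addr
    ET.SubElement(alert, ns("Classification"), text=ev["text"])
    return ET.tostring(root, encoding="unicode")


def alert_fields(xml_text):
    """Parse an IDMEF message back and return (classification, source, target)."""
    root = ET.fromstring(xml_text)
    nsp = f"{{{IDMEF_NS}}}"
    return (root.find(f".//{nsp}Classification").get("text"),
            root.find(f".//{nsp}Source//{nsp}address").text,
            root.find(f".//{nsp}Target//{nsp}address").text)


def standardize(lines):
    """Stage 1: parse every line; return (idmef_messages, events, unrecognized_count)."""
    events, messages, unrecognized = [], [], 0
    for analyzer, line in lines:
        ev = parse(analyzer, line)
        if ev is None:
            unrecognized += 1
            continue
        events.append(ev)
        messages.append(to_idmef(ev, len(messages) + 1))
    return messages, events, unrecognized


def associate(events):
    """Stage 2: distribute normalized events into importance groups (three here)."""
    groups = {"high": [], "medium": [], "low": []}
    for ev in events:
        groups[ev["importance"]].append(ev)
    return groups


if __name__ == "__main__":
    messages, events, skipped = standardize(SAMPLE_LINES)
    print(f"{len(events)} events normalized, {skipped} unrecognized")
    for msg in messages:
        print(alert_fields(msg))
    for level, evs in associate(events).items():
        print(level, [e["text"] for e in evs])
```

Unrecognized lines are counted rather than silently dropped, which is the figure an operator would watch to notice a new log format the agent cannot yet classify.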

Product advantages:

  • Scalability
  • Distributed architecture
  • Integration with Openview and Micromuse

SIMS can be purchased as separate software and installed on a server, or already installed on a high-performance server platform.

Table 1. Information for ordering a SIMS 3.1 solution with a hardware platform.

Table 2. Ordering information SIMS 3.1 (software only)

Product number: description

  • CWSIM-3.1-SS-K9: SIMS 3.1 basic configuration for Solaris OS; includes a license for monitoring up to 30 network devices, a license for 1 main data processing server, 1 additional distributed data processing server and 1 database server.
  • CWSIM-3.1-SL-K9: SIMS 3.1 basic configuration for Linux OS; includes a license for monitoring up to 30 network devices, a license for 1 main data processing server, 1 additional distributed data processing server and 1 database server.
  • CWSIM-3.1-DS-K9: Additional storage server license for an existing CiscoWorks SIMS 3.1 solution running Solaris OS.
  • CWSIM-3.1-DL-K9: Additional storage server license for an existing CiscoWorks SIMS 3.1 solution running Linux.
  • CWSIM-3.1-ADD20-K9: License to add 20 agents to a working CiscoWorks SIMS 3.1 solution running Solaris or Linux OS.
  • CWSIM-3.1-MON30-K9: SIM 3.1 license for Cisco Secure Agent for monitoring 30 servers / 300 workstations.
  • CWSIM-3.1-MON75-K9: SIM 3.1 license for Cisco Secure Agent for monitoring 75 servers / 750 workstations.
  • CWSIM-3.1-EN-K9: License to add a distributed data processing server running Solaris or Linux OS.
  • CWSIM-3.1-20LND-K9: License for monitoring up to 20 low-end devices and server OS.
  • CWSIM-3.1-100LNDK9: License for monitoring up to 100 low-end devices and server OS.
  • CWSIM-3.1-500LNDK9: License for monitoring up to 500 low-end devices and server OS.

Table 3. Minimum requirements for installing SIMS 3.1 software.

Hardware requirements:

  • CPU: Linux: dual Intel Pentium 4 1.5 GHz (server class); Solaris: dual UltraSPARC-IIi 444 MHz (server class)
  • RAM: 4 GB
  • Free disk space: 18 GB
  • Storage device: CD-ROM

For more information, visit the Cisco Systems website http://www.cisco.com/go/sims

Cisco Security Monitoring, Analysis and Response System (CS-MARS)

Cisco Security Monitoring, Analysis and Response System (CS-MARS) is a network monitoring system that correlates network security events and applies rules to respond proactively to unauthorized access and intrusion into the network. The system consists of software installed on a high-performance server.

Main functions of the system:

  • network monitoring;
  • building a network graph;
  • detection of network attacks and their graphical rendering;
  • studying the settings of network devices;
  • collection, analysis and processing of data received from various network devices;
  • presentation of the final result in the form of graphs, reports and diagrams.

MARS displays the network infrastructure in graphical form, depicting the spread of network attacks in real time (Fig. 1). By analyzing the configurations of routers, switches and firewalls, MARS can trace the source of an infection or of unauthorized access even when it is behind a firewall.

To build the network topology (Fig. 2), MARS uses SNMP to interact with switches (which must support the STP MIB) and routers (which must support MIB II); to interact with firewalls and retrieve their configuration, the system uses Telnet, SSH and CPMI.

MARS records and recognizes events that can be generated by almost all network devices:

  • network devices: Cisco IOS 11.x, 12.2, Catalyst OS 6.x, NetFlow 5.0, 7.0, Extreme Extremeware 6.x;
  • Firewalls/VPN: Cisco PIX Firewall 6.x, IOS Firewall, FWSM 1.x, 2.2, Concentrator 4.0, Checkpoint Firewall-1 NGx, VPN-1, NetScreen Firewall 4.0, 5.0, Nokia Firewall;
  • IDS: Cisco NIDS 3.x, 4.x; Network IDS module 3.x, 4.x; Enterasys Dragon NIDS 6.x; ISS RealSecure Network Sensor 6.5, 7.0; Snort NIDS 2.x; McAfee Intrushield NIDS 1.x; NetScreen IDP 2.x; OS 4.x, 5.x; Symantec MANHUNT;
  • Antivirus software: Symantec A/V;
  • Authentication servers: Cisco ACS;
  • Operating systems: Windows NT, 2000, 2003 (with or without agents), Solaris, Linux (requires agent installation);
  • Applications: Web Servers (ISS, iPlanet, Apache), Oracle 9i and 10i audit logs, Network Appliance NetCache.

MARS can process up to 10 thousand events per second. The system supports scalability; for this purpose, in the networks of large enterprises and Internet providers, a two-level architecture can be created through the use of MARS controllers, to which several MARS servers can connect. When using this architecture, the network is divided into “zones” and each is assigned to a specific MARS server.
The MARS system allows you to centrally configure network policies, collect data and create up to 80 standard report types.
MARS can report recorded violations via the snmp protocol, e-mail, send messages to a pager, or keep a record of syslog events.
MARS does not require the purchase of agent and/or database licenses.

Product advantages:

  • Scalability
  • Distributed architecture
  • No agent or database licensing

Ordering information:

MARS servers (performance in events per second; NetFlow events per second; data storage; form factor; power supply):

  • Cisco Security MARS-20-K9 (PN-MARS 20): 500 EPS; 15,000 NetFlow EPS; 120 GB (non-RAID); 1RU x 16"; 300 W
  • Cisco Security MARS-50-K9 (PN-MARS 50): 1,000 EPS; 30,000 NetFlow EPS; 240 GB RAID 0; 1RU x 25.6"; 300 W
  • Cisco Security MARS-100E-K9 (PN-MARS 100e): 3,000 EPS; 75,000 NetFlow EPS; 3RU x 25.6"; two 500 W (one spare)
  • Cisco Security MARS-100-K9 (PN-MARS 100): 5,000 EPS; 150,000 NetFlow EPS; 750 GB RAID 10 with hot swap; 3RU x 25.6"; two 500 W (one spare)
  • Cisco Security MARS-200-K9 (PN-MARS 200): 10,000 EPS; 300,000 NetFlow EPS; 4RU x 25.6"; two 500 W (one spare)

MARS controllers (connectable devices; number of connections; data storage; form factor; power supply):

  • Cisco Security MARS-GCMK9 (PN-MARS GCm): MARS 20/50 servers only; up to 5; 1 TB RAID 10 with hot swap; 4RU x 25.6"; two 500 W (one spare)
  • Cisco Security MARS-GC-K9 (PN-MARS GC): any MARS servers; currently no restrictions; 1 TB RAID 10 with hot swap; 4RU x 25.6"; two 500 W (one spare)

Information security techniques have evolved from perimeter defense at the interface with the Internet to a “deep” model in which multiple countermeasures are distributed at many levels throughout the infrastructure. A multi-layer model is becoming a necessity due to the increase in the number of attacks, their complexity and speed of implementation. Network objects can be scanned thousands of times a day looking for vulnerabilities. Modern “blended” or hybrid attacks use a variety of sophisticated techniques to gain unauthorized access and control from both outside and inside organizations. Distribution of worms, viruses, Trojan horses, spyware and special software poses a threat to even heavily protected networks, leaving less time to respond and increasing the cost of recovery.

In addition, in addition to the large number of servers and network devices, each component of the security system maintains its own event log and has its own set of tools for detecting anomalies and responding to threats. Unfortunately, this situation leads to the need to process a huge number of disparate event logs and false danger signals, resulting in the inability of the operator to respond effectively.

Information security and event management products allow you to assess threats in a specific way and handle them accordingly. These solutions allow IT security services to centrally collect and process event data, apply correlations, manage processing queues and generate reports.

Cisco Systems Solution Overview

Cisco Security MARS is a hardware-based, full-featured solution that provides insight into and control over your existing security posture. As part of the security management suite, MARS allows you to identify, control and stop security threats. The solution works with your existing network and security system to find, isolate and eliminate problematic elements. MARS also helps maintain the integrity of internal security policy and can be integrated as part of an overall network compliance solution.

Security administrators face many challenges, such as:

  • Excessive flow of incoming network and security information
  • Problems in recognizing attacks and errors in identification, prioritization and response
  • Complicating attacks, increasing recovery costs
  • The need to maintain security compliance
  • Problems with personnel

Cisco Security MARS allows you to solve these problems in the following way:

  • Integrates network data to build correlations of network anomalies and security incidents
  • Tracks incidents and automates investigations
  • Mitigates attacks by leveraging the full capabilities of your existing network and security infrastructure
  • Monitors the state of objects, networks and security procedures for compliance with the required template
  • Acts as a scalable solution, easy to implement and operate, with a low cost of ownership

Cisco Security MARS transforms raw data into a form convenient for processing, providing the ability to specifically detect, suppress and generate reports for priority threats using devices already embedded in the network infrastructure.

Development of information security controls and threat prevention

To solve this problem, Cisco offers a line of scalable hardware systems. Cisco Security MARS is one of these high-performance, scalable systems that protect network devices and optimize information security by combining network data, the Context Correlation and SureVector™ analysis functions, and the ability to automatically suppress threats. The MARS platform is closely integrated with the Cisco Security Manager security management suite. This integration allows event messages to be linked to the policy configured in Cisco Security Manager. Policy lookup makes it possible to quickly analyze how security policies operate on the firewall and to detect network problems and configuration errors.

Features and Benefits

Intelligent event processing and performance management

Cisco Security MARS interprets network data using knowledge of network topology, device configurations and network traffic profiles. The system's integrated network discovery capability builds a topology diagram that includes device configurations and applied security policies, allowing Cisco Security MARS to model data flows on the network. Because Cisco Security MARS does not directly process network traffic and makes minimal use of network software elements, the impact on overall network performance remains minimal.

Cisco Security MARS centrally collects event data from a wide range of network devices such as routers and switches; security devices and applications such as firewalls, intrusion detection devices, vulnerability scanners, and antivirus applications. Data from end systems (Windows, Solaris, Linux), applications (databases, Web servers and authentication servers), and statistics on network traffic (Cisco NetFlow) are also processed.

Contextual correlation

When receiving data, a unified correspondence scheme is built with the network topology, device configuration, and address translation (NAT) parameters. Relevant events are grouped in real time. System and user correlation rules are then applied to identify network incidents. Cisco Security MARS comes with a comprehensive set of correlation patterns, regularly updated by Cisco, that can detect most of the various complex attacks. Graphical tools make it easy to create rules for various applications. Contextual correlation significantly reduces the amount of raw data processed, which allows for response prioritization and increases the effectiveness of applied countermeasures.

High performance aggregation

Cisco Security MARS processes millions of primary messages, efficiently classifies events to significantly reduce data volumes, and compresses information for archiving. Managing such volumes of data requires a stable and secure centralized platform. Cisco Security MARS appliances are optimized to process a large number of events, up to 15,000 per second, or 300,000 Cisco NetFlow events per second. In addition, MARS supports backup and recovery of configurations and data via NFS and sFTP.

Visualization and suppression of incidents

MARS allows you to speed up and simplify the process of detecting, investigating, assessing and remediating threats. A common challenge for IT security staff is the time it takes to analyze and resolve security events that occur. In this case, Cisco Security MARS is a powerful, interactive tool for managing security and creating rules.

The graphical work environment displays a topological map showing events, attack vectors, and incident details, which allows you to instantly identify existing threats. Cisco "SureVector analysis" processes close groups of events to assess the reality of the threat, and its origin, down to the MAC address of the end device. The process is automated by analyzing event logs from devices such as firewalls and intrusion prevention devices (IPS), third-party data assessment systems, and endpoint scanning results to prevent false positives. Using Cisco Security MARS, security teams have the tools to quickly understand the components of a complex attack and identify the affected system. Cisco's "automatic mitigation" features find available control devices along the attack path and automatically provide appropriate commands that operators can quickly apply to eliminate the threat.
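As an added example (not Cisco's engine) of the contextual correlation described under "Contextual correlation" and of the firewall-based false-positive check in the SureVector paragraph above: events from an IDS outside the firewall, the firewall itself and an internal host are keyed onto one flow after NAT normalization, split into time-bounded sessions, and judged by two constructed rules. One rule confirms an incident only when the IDS alert, a permitted firewall flow and a victim-side symptom all land in the same session; the other marks an IDS alert as a false positive when the firewall denied the flow. The NAT table, the 300-second session window, the event kinds, the rules and the events themselves are all assumptions for illustration.

```python
"""Session correlation with NAT normalization and rule evaluation.
Added example, not Cisco code; NAT table, window, rules and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed static NAT table: public address -> internal address.
NAT_TABLE = {"198.51.100.10": "10.0.0.5"}
SESSION_WINDOW = 300  # seconds; events this close on one flow share a session (assumption)


@dataclass
class Event:
    ts: int        # seconds since an arbitrary epoch (constructed)
    device: str    # reporting device
    kind: str      # "fw_permit", "fw_deny", "ids_alert" or "host_auth_fail"
    src: str
    dst: str
    dport: int
    detail: str = ""


# Constructed events: the outside IDS sees the public address, the firewall logs
# the translated flow, and the internal host reports login failures.
EVENTS = [
    Event(100, "ids-outside", "ids_alert", "203.0.113.7", "198.51.100.10", 22, "SSH brute force"),
    Event(101, "fw-edge", "fw_permit", "203.0.113.7", "10.0.0.5", 22),
    Event(104, "host-10.0.0.5", "host_auth_fail", "203.0.113.7", "10.0.0.5", 22, "root"),
    Event(108, "host-10.0.0.5", "host_auth_fail", "203.0.113.7", "10.0.0.5", 22, "root"),
    Event(200, "ids-outside", "ids_alert", "203.0.113.9", "198.51.100.10", 3389, "RDP exploit attempt"),
    Event(201, "fw-edge", "fw_deny", "203.0.113.9", "10.0.0.5", 3389),
]


def normalize_address(addr):
    """Rewrite a public NAT address to the internal one so both sides of the firewall agree."""
    return NAT_TABLE.get(addr, addr)


def build_sessions(events):
    """Group events by normalized flow, then split each flow on gaps longer than the window."""
    by_flow = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_flow[(ev.src, normalize_address(ev.dst), ev.dport)].append(ev)
    sessions = []
    for flow_events in by_flow.values():
        current = [flow_events[0]]
        for ev in flow_events[1:]:
            if ev.ts - current[-1].ts <= SESSION_WINDOW:
                current.append(ev)
            else:
                sessions.append(current)
                current = [ev]
        sessions.append(current)
    return sessions


def evaluate(session):
    """Apply two constructed rules to one session and return a verdict string."""
    kinds = {ev.kind for ev in session}
    if "ids_alert" in kinds and "fw_deny" in kinds and "fw_permit" not in kinds:
        return "false_positive"   # the firewall never let the flow through
    if "ids_alert" in kinds and "fw_permit" in kinds and "host_auth_fail" in kinds:
        return "incident"         # IDS alert + permitted flow + victim confirms impact
    return "unconfirmed"


def correlate(events):
    """Return {verdict: [session summaries]} over all sessions built from events."""
    result = defaultdict(list)
    for session in build_sessions(events):
        first = session[0]
        result[evaluate(session)].append({
            "src": first.src, "dst": normalize_address(first.dst), "dport": first.dport,
            "events": len(session), "devices": sorted({ev.device for ev in session}),
        })
    return dict(result)


if __name__ == "__main__":
    for verdict, sessions in correlate(EVENTS).items():
        for summary in sessions:
            print(verdict, summary)
```

Without the NAT normalization step the IDS alert (seen against 198.51.100.10) and the host's own report (against 10.0.0.5) would fall into different flows and neither rule could fire; that is the point of feeding the correlation engine the device configurations, not only the logs.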

Operational analysis and compliance verification

Cisco Security MARS provides an easy-to-use framework that simplifies ongoing security operations, automating investigations, escalations, alerts, ongoing activity documentation, and ad hoc audits. Cisco Security MARS graphically displays attacks and extracts historical data to analyze previous events. The system fully supports arbitrary queries to quickly obtain information.

Cisco Security MARS offers many built-in query templates and supports the PCI-DSS, GLBA, HIPAA, FISMA and Basel II regulations. The report generator lets you modify more than 100 standard reports or create new ones, with unlimited scope for planning response and recovery procedures, tracking incidents and network activity, monitoring compliance with security policies and conducting audits. Report delivery is also supported.

Speed and ease of implementation

To implement Cisco Security MARS, the network must be able to send and receive syslog messages and SNMP traps, and MARS must be able to communicate with the installed network devices using standard or proprietary protocols. No additional hardware or modification of the software in use is required. Message forwarding to Cisco Security MARS is configured on the devices, and monitored objects are added through the web-based GUI. MARS can send statistics to external servers for integration with the current infrastructure.

Cisco MARS Monitoring, Analysis and Response System

Cisco MARS (Cisco Security Monitoring, Analysis, and Response System) is a comprehensive hardware platform providing unparalleled capabilities for thorough monitoring and control of the existing security system. As a key element of the security management lifecycle, Cisco MARS provides IT and network operations personnel with the ability to detect, manage, and defeat security threats.

Description and GPL price:

  • CS-MARS 25 Appliance
  • CSMARS 25R: 1RU appliance; 75 EPS; 250 GB
  • CSMARS 55: 1RU appliance; 1500 EPS; 500 GB, RAID 1, redundant
  • CSMARS 110R: 2RU appliance; 4500 EPS; 1500 GB, RAID 10, redundant
  • CSMARS 110: 2RU appliance; 7500 EPS; 1500 GB, RAID 10, redundant
  • CSMARS 210: 2RU appliance; 15000 EPS; 2000 GB, RAID 10, redundant
  • MARS GC2: 2RU appliance; 2000 GB; RAID 10; redundant PS
  • CSMARS-GC2-LIC-K9=: upgrade license for CS-MARS-GC2R to CS-MARS-GC2

Based on existing network and security investments, this system detects and isolates elements that disrupt the normal operation of the network and provides administrators with recommendations for their complete elimination. In addition, it supports compliance with security policies and can be included as part of an overall regulatory compliance system.

Network and security administrators face many complex challenges including:

  • Information complexity of the security system and network.
  • Lack of effectiveness in detecting, prioritizing, and responding to attacks and failures.
  • Increased complexity, speed of spread and cost of mitigating the consequences of attacks.
  • The need to comply with regulations and reporting requirements.
  • Lack of security specialists and funds.

Cisco MARS solves these problems by doing the following:

  • Integrating intelligent functions into the network to improve the correlation of network anomalies and security events.
  • Visualizing confirmed security violations and automating their investigation.
  • Repelling attacks by taking full advantage of your existing network and security infrastructure.
  • Monitoring endpoints, network and security operations to ensure regulatory compliance.
  • Delivering a scalable, easy-to-implement and easy-to-use appliance with minimal total cost of ownership (TCO).

Cisco MARS transforms raw network and security data about malicious activity into understandable information that can be used to resolve confirmed security breaches and ensure regulatory compliance. A suite of easy-to-use threat mitigation hardware enables administrators to centrally detect, prioritize, and defeat threats using network and security appliances already embedded in the infrastructure.

The Cisco MARS hardware and software system is designed to manage security threats. Sources of information about them can be network equipment (routers and switches), security tools (firewalls, antivirus software, attack detection systems and security scanners), OS logs (Solaris, Windows NT, 2000, 2003, Linux) and applications (DBMS, web, etc.), as well as network traffic (for example, Cisco NetFlow). Cisco MARS supports solutions from various manufacturers: Cisco, ISS, Check Point, Symantec, NetScreen, Extreme, Snort, McAfee, eEye, Oracle, Microsoft, etc.

The ContextCorrelation™ mechanism analyzes and compares events from heterogeneous security tools. The SureVector™ engine visualizes them on a network map in real time, so that the attack propagation path can be displayed as it happens. Automatic blocking of detected attacks is provided by the AutoMitigate™ mechanism, which can reconfigure various security tools and network equipment.

Key Features

  • Process up to 10,000 events per second and over 300,000 Netflow events per second
  • Ability to create your own correlation rules
  • Notification of detected problems via e-mail, SNMP, syslog and pager
  • Visualization of attacks at the data link and network levels
  • Supports Syslog, SNMP, RDEP, SDEE, Netflow, system and user logs as information sources
  • Ability to connect your own security tools for analysis
  • Effectively suppresses false positives and noise, as well as detects attacks missed by separate security measures
  • Anomaly detection using the NetFlow protocol
  • Create and automatically update a network map, including import from CiscoWorks and other network management systems
  • Support IOS 802.1x, NAC (phase 2)
  • Monitoring switch protection mechanisms (Dynamic ARP Inspection, IP Source Guard, etc.)
  • Integration with Cisco Security Manager (CSM Policy Lookup)
  • Integration with incident management systems using
  • Authentication on the RADIUS server
  • Cisco MARS Component Health Monitoring
  • Syslog forwarding
  • Dynamic recognition of new attack signatures on Cisco IPS and loading them into Cisco MARS