Data Enabling Features - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

User Guide for Cisco Security MARS Local Controller, page 2-28

The Activate action differs from Submit in that MARS begins to inspect and generate notifications about the data provided by the devices.

Tip: If you are adding or editing several devices, it is better for the system to click Activate once for several changes rather than once for each individual change.

Data Enabling Features

Adding reporting devices and mitigation devices is the primary method of providing MARS with the data required to study the activities on your network. However, other features, both within the web interface and as part of configuring the devices, can provide MARS with additional data, which is used to refine the views it provides and to assist in improving the overall effectiveness of the system. We think of these features as data enabling features.

This section contains the following topics:
• Layer 2 Discovery and Mitigation, page 2-29
  Enable SNMP community strings to support discovery of the network topology. This allows mapping down to the port level for switches. Combined with the 802.1x support required by NAC, this setting can resolve settings at the MAC address level for attached and wireless nodes on the network.

• Networks for Dynamic Vulnerability Scanning, page 2-29
  Enables a Nessus-based scan of the targeted hosts. Nessus also uses nmap for OS fingerprinting and port scanning during a vulnerability assessment scan. These scans are conducted in response to suspicious activity to determine whether the attempted attack is successful or likely to succeed, based on information such as the target operating system type, patch level, and open ports on the host.

• Understanding NetFlow Anomaly Detection, page 2-30
  By enabling NetFlow, MARS can detect anomalies in traffic and network usage by comparing new events with summary data. When anomalies are detected, MARS begins to store full NetFlow data. By default, full NetFlow data is not stored by MARS unless an incident is identified.

• Host and Device Identification and Detail Strategies, page 2-36
  Details about reporting devices and the hosts on your network aid in eliminating false positives and improve the performance of MARS in assessing events.

• Configuring Layer 3 Topology Discovery, page 2-37
  Layer 3 topology discovery aids in attack path analysis, as well as in populating the topology graph in the web interface.

• Scheduling Topology Updates, page 2-39
  Topology update schedules are a critical part of many of the data enabling features, including discovery of Layer 2 and Layer 3 devices, as well as pulling information from specific reporting devices.

• Configuring Resource Usage Data, page 2-41
  MARS can collect additional data from a select set of reporting devices, which is used to provide reports about CPU utilization, memory utilization, and device saturation. This data can be helpful in detecting anomalies as well as in network capacity planning.
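As an added illustration (not Cisco code, and not how MARS itself implements the feature), the Python sketch below models the two-tier behaviour described under NetFlow Anomaly Detection above: only per-interval summary data is kept until a port's flow count deviates from its baseline, at which point the full flow records for that interval are retained as incident data. The flow records, the per-port count summary and the k-sigma threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
def constructed_flows():
    """Constructed NetFlow-style records (interval, src, dst, dport, bytes):
    four quiet intervals, then a burst of SSH flows in interval 5."""
    flows = []
    for t in range(1, 5):
        flows += [(t, f"10.1.0.{i}", "10.2.0.10", 443, 1500) for i in range(20)]
        flows += [(t, f"10.1.0.{50 + i}", "10.2.0.20", 22, 800) for i in range(2)]
    flows += [(5, f"10.1.0.{i}", "10.2.0.10", 443, 1500) for i in range(20)]
    flows += [(5, "10.3.0.7", f"10.2.0.{i}", 22, 120) for i in range(40)]
    return flows

def summarize(flows):
    """Summary data: flow count per destination port for one interval."""
    counts = defaultdict(int)
    for _, _, _, dport, _ in flows:
        counts[dport] += 1
    return counts

class FlowMonitor:
    """Hypothetical two-tier collector: summaries only, full records once anomalous."""
    def __init__(self, k=3.0, min_history=3):
        self.k, self.min_history = k, min_history
        self.history = defaultdict(list)  # dport -> per-interval flow counts (baseline)
        self.full_records = []            # filled only after an anomaly is detected
        self.incidents = []               # (interval, [anomalous ports])
    def ingest(self, interval, flows):
        summary, anomalous = summarize(flows), []
        for dport, count in summary.items():
            hist = self.history[dport]
            # Flag counts more than k std devs above the baseline (floor of 1.0 so a
            # perfectly flat baseline does not give a zero-width threshold).
            if len(hist) >= self.min_history and \
                    count > mean(hist) + self.k * max(pstdev(hist), 1.0):
                anomalous.append(dport)
                continue  # keep the anomalous interval out of the baseline
            hist.append(count)
        if anomalous:
            self.incidents.append((interval, sorted(anomalous)))
            self.full_records.extend(flows)  # switch to storing full NetFlow data
        return anomalous

def run_sample(k=3.0):
    mon, by_interval = FlowMonitor(k=k), defaultdict(list)
    for rec in constructed_flows():
        by_interval[rec[0]].append(rec)
    for t in sorted(by_interval):  # feed intervals in order
        mon.ingest(t, by_interval[t])
    return mon
```

Holding the anomalous interval out of the baseline matters in practice: otherwise a sustained burst quickly raises the threshold and silences the detection.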
Chapter 2, Reporting and Mitigation Devices Overview (78-17020-01)
