Bootstrapping Cisco Security Manager Server To Communicate With Mars - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

Bootstrapping Cisco Security Manager Server to Communicate with MARS

Task 7. Using Security Manager for mitigation response.
MARS suggests ACL changes to mitigate attacks and, in the case of Layer 2 devices such as Cisco
switches, can push changes to the device via the "Big Red" button (which shuts down a port on a switch).
Even so, you must ensure that the policy defined in Security Manager matches the configuration running on the
managed devices. This synchronization ensures an accurate understanding of your network configuration and
improves your ability to troubleshoot issues using the policy analysis tools provided in Security Manager.
Therefore, we recommend that you perform device mitigation by applying the rules recommended by MARS
with Security Manager. This approach also spares you from manually synchronizing your policy
between Security Manager and the mitigation devices. As an added benefit, you can enable and remove
containment rules on multiple devices via global rules, thereby further restricting the spread of possibly
undetected infections. Using comments in the rules, you can document the attack responses, allowing for future
analysis when considering global network stances and when developing attack response strategies.
Bootstrapping Cisco Security Manager Server to Communicate with MARS
To prepare the Security Manager server to be queried by MARS, you must configure the following
settings:
Note: Cisco does not recommend using System Administrator for this account. Instead, we recommend least
privilege settings (only enabling those privileges required to perform the job). As such, we recommend
defining an admin account with the Help Desk security level.
User Guide for Cisco Security MARS Local Controller
- Define an admin account in Security Manager that MARS can use to perform queries. A separate
  account is recommended to provide a cleaner audit trail on the Security Manager server. The
  following security levels defined in the Common Services 3.0 server satisfy the authorization
  requirements of the MARS-to-Security Manager policy query:
  - Help Desk
  - Network Operator
  - Network Administrator
  - System Administrator
  For more information on defining admin accounts on the Common Services 3.0 server, see:
  http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_chapter09186a008022f958.html#wp372210
- Enable HTTPS access to the Common Services 3.0 server by the MARS Appliance. If you are using
  AAA authentication, such as Cisco Secure ACS, on the Common Services 3.0 server, you must
  update the administrative access settings to ensure that the MARS Appliance has the necessary
  access to the Security Manager server.

Before MARS can query the policies defined on the Security Manager server, you must enable
HTTPS on the Security Manager server. For more information on enabling HTTPS, see:
Chapter 16
Policy Table Lookup on Cisco Security Manager
78-17020-01

This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
