Reporting IP - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual


Chapter 2
Reporting and Mitigation Devices Overview
Access IP
MARS uses the access IP address to either connect to the device for network-based administrative
sessions or connect to a remote server on which a file containing the device's configuration is stored.
The expected value is determined by the access type you select. Most devices also require that you
explicitly identify the IP addresses of hosts allowed to administer them. The MARS Appliance must be
listed among such hosts as part of the device preparation.
The protocol that MARS uses to connect to the device is defined by the access type value, which is a
dependency for enabling administrative access. Once MARS has administrative access, it can perform
device discovery, which includes settings such as ARP tables, NAT, routes, and active ACLs, all of which
help MARS understand the topology, perform attack path analysis, and identify false positive incidents.
Discovery can be performed to varying degrees using any of the access types. For more information on
access types, see Selecting the Access Type, page 2-10.
MARS also uses SNMP RO and SNMPwalk to discover the device settings and topology information.
However, the two methods of discovery are distinct and have distinct requirements. SNMPwalk requires
the access IP address and the SNMP access type. SNMP RO discovery does not require the SNMP
access type, but it does require the access IP address.
Note
MARS does not support the following characters in the SNMP RO community string: ' (single quote), "
(double quote), < (less than symbol), and > (greater than symbol).
In addition, both SNMPwalk and SNMP RO are unrelated to SNMP notifications or SNMP traps.
SNMPwalk and SNMP RO both require that MARS initiate the information request, whereas SNMP
notifications are event notifications published by the reporting device, much the same as syslog
messages are. As with syslog messages, SNMP notifications are published over the reporting IP address.

Reporting IP

The reporting IP is the source IP address of event messages, logs, notifications, or traps that originate
from the device. MARS uses this address to associate received messages with the correct device. For
single-homed devices, the reporting IP address is the same as the access IP; for dual- or multi-homed
devices, this address must be explicitly associated with the syslog, NetFlow, and SNMP services running
on the reporting device. Most devices also require, for each message type, that you explicitly identify
the IP addresses of hosts to which messages should be published. These hosts are commonly referred to
as target log servers. The MARS Appliance must be listed among such hosts as part of the device
preparation.
The role in MARS of the reporting IP address differs from that of the access IP address in that the
reporting IP address is treated passively from the MARS perspective. MARS does not query the device
using this address. Such operations are performed using the access IP address and the access type.
MARS accepts only one reporting IP address per device. For devices supporting two message formats,
such as NetFlow and syslog, you must ensure that both message formats are bound to the same source
IP address (the reporting IP). In Cisco IOS devices, this common association is not the default so you
must change either the syslog or the NetFlow reporting IP address to match the other. If the message
types do not originate from a common IP address, one of them is seen as originating from an unreported
device and MARS does not parse those events correctly.
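The following Cisco IOS configuration is an added example, not taken from the MARS user guide, that shows the device-side preparation described under both Access IP and Reporting IP: restricting administrative and SNMP access to the MARS Appliance, and binding syslog, NetFlow, and SNMP notifications to one source address so that MARS sees a single reporting IP. All addresses, interface names, the community string, the ACL number, and the NetFlow UDP port are assumptions chosen for illustration; substitute the values for your own MARS Appliance and device.

```cisco
! Added example (not from the MARS user guide): preparing a Cisco IOS device
! so that its access IP and reporting IP match what MARS expects.
! Assumptions: the MARS Appliance is 10.1.1.50; the device's Loopback0 address
! 10.1.1.1 serves as both the access IP and the reporting IP; the SNMP RO
! community "marsRO" and ACL number 10 are placeholders; NetFlow is exported
! to UDP 2055 (adjust to the port your MARS version listens on).
!
! --- Access IP side: only the MARS Appliance may administer or poll ---
access-list 10 remark Hosts allowed to administer / poll this device
access-list 10 permit host 10.1.1.50
!
line vty 0 4
 transport input ssh
 access-class 10 in
!
! SNMP RO community used for SNMP RO discovery and SNMPwalk.
! Do not use ' " < or > in the string; the trailing ACL limits who may use it.
snmp-server community marsRO RO 10
!
! --- Reporting IP side: bind every message type to ONE source address ---
! Syslog
logging host 10.1.1.50
logging trap informational
logging source-interface Loopback0
!
! NetFlow (by default IOS does not source it from the same address as syslog)
ip flow-export version 5
ip flow-export destination 10.1.1.50 2055
ip flow-export source Loopback0
!
interface GigabitEthernet0/0
 ip flow ingress
!
! SNMP traps/notifications, if you send them to MARS
snmp-server trap-source Loopback0
snmp-server host 10.1.1.50 version 2c marsRO
```

With this configuration the MARS device entry uses 10.1.1.1 as both the access IP and the reporting IP. After applying it, confirm the bindings on the device with `show logging` (source interface Loopback0) and `show ip flow export` (source Loopback0, destination 10.1.1.50), and confirm from the MARS side that syslog and NetFlow events are attributed to the same device rather than to an unreported one. Note that an SNMPv2c read-only community travels in cleartext, so the ACL on the community and on the vty lines is the only control on who can use it from the network.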
User Guide for Cisco Security MARS Local Controller, 78-17020-01
