Interface Settings; Selecting The Access Type - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual

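The supported format of event data varies among reporting devices. Just because the device is able to generate syslog, NetFlow, and SNMP notifications does not mean that MARS processes all three formats. The document, Supported Devices and Software Versions for Cisco Security MARS Local Controller 4.2.x and 5.2.x, identifies the event retrieval protocol supported by each device type.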

Interface Settings

Interface settings are exclusive to hosts and software applications running on hosts. While MARS can discover the settings of a reporting device that is a software application running on a host, it cannot discover settings about the host itself. The role of interface settings in MARS is different from that of the access IP address and reporting IP address. Interface settings represent static information, not discovered or learned, about the host.

When correlating events specific to a host or reporting devices running on that host, MARS needs to understand the number of interfaces installed in the host, their names, and the IP addresses and networks associated with them. MARS uses the interface settings to guide discovery operations, to determine attack path vectors, and to perform Nessus vulnerability assessments.

Selecting the Access Type

The access type refers to the administrative protocol that MARS uses to access a reporting device or mitigation device. For most devices monitored by MARS, you can choose from among four administrative access protocols:

SNMP. SNMP access provides administrative access to the device using a secured connection. It allows for the discovery of the settings using SNMPwalk, such as routes, connected networks, ARP tables, and address translations. If granted read-write access, SNMP also allows for mitigation on any L2 devices that support MIB2.

Telnet. Telnet provides full administrative access to the device using an unsecured connection. It allows for the discovery of the settings, such as routes, connected networks, ARP tables, and address translations. It also allows for mitigation on L2 devices.

SSH. SSH provides full administrative access to the device using a secured connection. It allows for the discovery of the settings, such as routes, connected networks, ARP tables, and address translations. It also allows for mitigation on L2 devices. This access method is recommended for DTM support; however, Telnet access can achieve the same results.

FTP. FTP allows passive discovery of settings by giving MARS access to a file copy of the configuration running on the router. FTP does not support mitigation, DTM, or discovery of dynamic settings, such as NAT and ARP tables. In addition, if you select the FTP access type for device types such as Cisco ASA and FWSM, you can only discover settings for the admin context. This access method is the least preferred and most limited access method. To enable configuration discovery using FTP access, you must place a copy of the device's configuration file on an FTP server to which the MARS Appliance has access. This FTP server must have user authentication enabled. TFTP is not supported. You must use an FTP server.

Note: You can use any access scheme in conjunction with an SNMP RO community string. The division between Access IP and Reporting IP is clearly illustrated by an FTP access type example. Assume that you have SNMP RO access to a router, but your configuration discovery (access type) is restricted to a file stored on an FTP server.
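
The access-type limits described above can be checked against a device inventory before the devices are defined in MARS. The following is an added example, not code from the Cisco manual or from MARS; the CSV layout, the `needs` column, and the device names are assumptions made for illustration.

```python
import csv
import io

# Constructed inventory; column names and hosts are illustrative, not a MARS file format.
SAMPLE = """name,device_type,access_type,snmp,needs
edge-rtr1,ios-router,ssh,ro,mitigation;dtm
core-sw1,ios-switch,telnet,ro,mitigation
fw-asa1,asa,ftp,ro,dynamic
dist-sw2,ios-switch,snmp,ro,mitigation
lab-rtr9,ios-router,tftp,ro,
"""

# Functions the manual text says the FTP access type cannot provide.
FTP_UNSUPPORTED = {"mitigation": "mitigation", "dtm": "DTM",
                   "dynamic": "discovery of dynamic settings (NAT, ARP tables)"}
ADMIN_CONTEXT_ONLY = {"asa", "fwsm"}


def audit_device(row):
    """Return findings for one device, using only the limits stated in the manual text."""
    access = row["access_type"].strip().lower()
    needs = {n for n in row["needs"].lower().split(";") if n}
    findings = []
    if access == "tftp":
        findings.append("TFTP is not supported; use an FTP server")
    elif access == "telnet":
        findings.append("Telnet is unsecured; SSH gives the same access over a secured connection")
    elif access == "ftp":
        findings += [f"FTP does not support {label}"
                     for key, label in FTP_UNSUPPORTED.items() if key in needs]
        if row["device_type"].strip().lower() in ADMIN_CONTEXT_ONLY:
            findings.append("FTP discovers settings for the admin context only")
    elif access == "snmp":
        if "mitigation" in needs and row["snmp"].strip().lower() != "rw":
            findings.append("SNMP mitigation requires read-write access")
    elif access != "ssh":
        findings.append(f"unknown access type: {access!r}")
    return findings


def audit_inventory(text):
    """Map device name -> findings for every device that has at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = audit_device(row)
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE).items():
        for finding in findings:
            print(f"{name}: {finding}")
```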

User Guide for Cisco Security MARS Local Controller
Chapter 2: Reporting and Mitigation Devices Overview
78-17020-01
