The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is a topology-aware SIM product. Because it holds sensitive information, it's important for VARs to configure it to establish authentication, information and rediscovery protocols. This tip covers how to establish ingress firewall rules for CS-MARS.
To simplify the work involved, you should define some network object groups on your firewall. If you're not familiar with this term, think of object groups as variables that you can use while configuring the firewall to make life easier. Rather than referring to a large list of IP addresses or TCP/UDP ports, you can simply refer to a name instead. The following examples use an object group called CORP_NET, which consists of all IP addresses used on your organization's network.
Ingress traffic refers to traffic that is inbound to a firewall (toward CS-MARS) from a less
trusted network. Figure 4-1 shows both ingress traffic and egress traffic, or traffic that leaves
CS-MARS to go toward the less trusted network.
Figure 4-1 Ingress and Egress Traffic
The following ingress rules are a good starting point for most companies:
| Step 1 |
Permit syslog and SNMP trap traffic (UDP 162 and 514) from security operations (SecOps). |
| Step 2 |
Permit NetFlow traffic (UDP 2049) from SecOps. |
| Step 3 |
Permit HTTPS (TCP 443) from SecOps if a large number of people will be accessing the web console of MARS to run ad hoc reports. Otherwise, permit HTTPS to a restricted range of addresses. |
| Step 4 |
Permit SSH (TCP 22) to a very restricted set of addresses. If the security management network has its own VPN gateway, which might be a function of the firewall, you might want to require administrators to establish a VPN connection before permitting SSH. |
| Step 5 |
Permit HTTP (TCP 80) from any monitored web servers running iPlanet or Apache. If you're using NetCache appliances, permit HTTP from it as well. |
| Step 6 |
If your MARS deployment consists of multiple MARS LCs that communicate to a centralized MARS GC, permit required management traffic between those systems (TCP 443 and 8444). |
| Step 7 |
Deny all other traffic. |
Continue reading to learn about egress firewall rules for the Cisco Security Monitoring, Analysis, and Response System (CS-MARS).
Reproduced from Chapter four of the book Security Monitoring with Cisco Security MARS by Gary Halleen and Greg Kellogg. Copyright 2007, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.
