Query/Reports

Cisco Security MARS features a collection of predefined reports in addition to the ability to create a custom report. Reports are generated from the event data in Cisco Security MARS that is collected from the devices in the self-defending network, including routers, LAN switches, firewalls, IPS sensors, and hosts. Cisco Security MARS also features groups of reports. Figure 10-9 displays a sample of the report groups in Cisco Security MARS.

Figure 10-9. Report Groups


There are several report groups in Cisco Security MARS for topics that you have previously learned about in this book. For example, there are report groups for attacks and DoS, firewall control, malware outbreak (Cisco ICS), and security posture compliance (Cisco NAC). In addition to the topics previously discussed in this book, Cisco Security MARS also features a report group for Distributed Threat Mitigation (DTM).

DTM is designed to enable branch IOS routers, specifically Integrated Services Routers (ISRs), to dynamically configure themselves with the necessary IPS signatures to reduce the risk of an attack at the branch office in an automated, self-defending fashion. DTM is an emerging technology, and it is strongly recommended that DTM be tested in a small pilot network to verify scalability prior to any deployments in production networks.

In addition to the DTM report group, Cisco Security MARS also includes the option to act as a DTM controller. The DTM controller is essentially the brains behind the DTM battlefield. The DTM controller in Cisco Security MARS receives input in the form of IPS Security Device Event Exchange (SDEE) events and syslogs to help determine what specific attack is occurring in the branch network. Cisco Security MARS can then automatically enable the identified and necessary IPS signature on the branch IOS ISR. Figure 10-10 provides an example of the reports that are available as part of the DTM report group.

Figure 10-10. DTM Reports


Cisco IOS ISRs can implement many features, including voice, routing, and security, in a single device at a very cost-effective price point. The combination of feature richness and low price enables ISR routers to be deployed in remote branch offices in environments where an organization may have thousands of remote branches. To keep the price point of the ISRs attractive, their memory footprint, or capacity, is often substantially less than that of a dedicated security appliance such as an ASA (Adaptive Security Appliance). The reduced memory footprint of the ISR creates a situation in which the entire IPS signature set cannot be simultaneously enabled on the ISR. The branch environment is often remote, and there may be no security or IT professionals resident at the remote branch to manage these devices. The combination of the remoteness of the branch and the limited memory capacity of the ISR can be addressed in certain small-scale situations by managing the IPS signatures on the ISR with DTM in Cisco Security MARS. DTM is currently not scalable to large networks, and DTM should be implemented only on select remote ISRs with Cisco Security MARS.

ISRs contain a file named attack-drop.sdf. This attack-drop.sdf file lists all the IPS signatures that are enabled on that ISR device. In addition to the attack-drop.sdf file, some of the larger ISR routers may also run the 128MB.sdf or 256MB.sdf signature files if they have enough memory. These attack-drop.sdf, 128MB.sdf, and 256MB.sdf files are frequently updated on Cisco.com to contain the latest, most relevant IPS signatures.

DTM can automatically enable the desired IPS signature on the ISR by monitoring network events that originate from networks around the ISR and updating the attack-drop.sdf file on the ISR with the desired IPS signature. The monitored network events that Cisco Security MARS uses to dynamically apply IPS signatures to an ISR to mitigate a threat can originate from an IPS appliance, an ASA IPS module (AIP-SSM), a Catalyst 6500/7600 IPS service module, or an ISR router.

Cisco Security MARS cannot create the initial attack-drop.sdf file on the router. This attack-drop.sdf file must be initially created by CLI, Security Device Manager (SDM), or Cisco Security Manager.
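The decision the DTM controller makes, as the preceding paragraphs describe it, is to correlate IPS events seen near a branch ISR and turn on only the signatures that those events call for, because the ISR cannot hold the whole set. The following Python model is an added illustration of that workflow, not code from the book or from Cisco Security MARS: the event records, the per-signature memory costs, the branch prefixes, and the device names are all constructed for the example, and the ranking rule (most-observed signature first, within a memory budget) is an assumption, not MARS's actual algorithm. What it shows beyond the text is the failure mode a practitioner must plan for: signatures that are warranted by observed events but do not fit the remaining budget, which the function reports separately instead of silently dropping.

```python
"""Model of a DTM-style controller decision: correlate IPS events that target
a branch's networks and pick the signatures to enable on that branch ISR
without exceeding its memory budget.  Added example; all data is constructed
and the selection rule is an assumption, not Cisco Security MARS behaviour."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Branch:
    name: str
    networks: list            # prefixes behind this ISR (constructed)
    memory_budget: int        # hypothetical units of signature memory
    enabled: set = field(default_factory=set)   # signatures already in attack-drop.sdf


# Constructed catalog: signature id -> memory cost in hypothetical units.
SIG_COST = {1000: 3, 2000: 5, 3000: 8, 4000: 2, 5000: 6}

# Constructed events standing in for the SDEE/syslog input the controller sees.
# "sensor" names the reporting device; "target" is the attacked host.
EVENTS = [
    {"sensor": "ips-appliance-1", "sig": 2000, "target": "10.1.1.20", "count": 12},
    {"sensor": "aip-ssm-hq",      "sig": 3000, "target": "10.1.1.30", "count": 4},
    {"sensor": "idsm-core",       "sig": 5000, "target": "10.1.1.40", "count": 9},
    {"sensor": "isr-branch2",     "sig": 1000, "target": "10.2.1.5",  "count": 7},
    # Not behind any branch in this example; must be ignored for both branches.
    {"sensor": "ips-appliance-1", "sig": 4000, "target": "192.0.2.9", "count": 50},
]


def events_for_branch(events, branch):
    """Keep only events whose target lies in one of the branch's prefixes."""
    nets = [ipaddress.ip_network(n) for n in branch.networks]
    return [e for e in events
            if any(ipaddress.ip_address(e["target"]) in n for n in nets)]


def select_signatures(events, branch, catalog):
    """Return (to_enable, deferred).

    Signatures are ranked by total observed event count for this branch.
    Each is enabled if its cost fits the memory left after the signatures
    already on the ISR; otherwise it is deferred so an operator can see what
    the ISR could not take, which is the scaling caveat the text raises."""
    hits = Counter()
    for e in events_for_branch(events, branch):
        hits[e["sig"]] += e["count"]
    remaining = branch.memory_budget - sum(catalog[s] for s in branch.enabled)
    to_enable, deferred = [], []
    for sig, _ in hits.most_common():
        if sig in branch.enabled:
            continue
        if catalog[sig] <= remaining:
            to_enable.append(sig)
            remaining -= catalog[sig]
        else:
            deferred.append(sig)
    return to_enable, deferred


def apply_update(branch, to_enable):
    """Record the newly enabled signatures; returns the full enabled list,
    i.e. what the updated attack-drop.sdf would now contain."""
    branch.enabled.update(to_enable)
    return sorted(branch.enabled)


if __name__ == "__main__":
    branch1 = Branch("branch1", ["10.1.1.0/24"], memory_budget=12, enabled={4000})
    enable, defer = select_signatures(EVENTS, branch1, SIG_COST)
    print(branch1.name, "enable:", enable, "deferred:", defer)
    print(branch1.name, "now has:", apply_update(branch1, enable))
```

With the constructed data, branch1 has 10 units free after its existing signature: 2000 (most hits, cost 5) is enabled, while 5000 and 3000 are reported as deferred because neither fits the 5 units left. A real deployment would use the deferred list to decide whether the branch needs a larger signature file such as 128MB.sdf or 256MB.sdf, or a different device, rather than assuming the controller silently covered every observed attack.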



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539
Pages: 112
