Egress firewall rules refer to filters that restrict traffic from the protected network to less trusted networks. Ideal security would restrict outbound traffic to only those ports that are necessary for proper functioning of the MARS appliance. However, in real life, this might be unmanageable. You need to determine the proper balance between security and manageability.
The following list of egress filters serves as a good starter set for most networks:
|Step 1||Permit traffic required for name resolution to CORP_NET—for example, Domain Name System (DNS) and Server Message Block (SMB) for Windows hosts (TCP and UDP 53, TCP 137 and 445) to
|Step 2||Permit Network Time Protocol (NTP) to specified NTP servers, either on your network or internetwork.|
|Step 3||Permit device discovery traffic on CORP_NET for routers and switches—for example, Telnet (TCP 23), SSH (TCP 22), and SNMP (UDP 161).
|Step 4||Permit HTTPS to CORP_NET to allow MARS to discover Cisco IDS/IPS sensors as well as to allow event retrieval from Cisco IDSs/IPSs and Cisco routers running IOS IPS, and to allow communications between MARS LCs and GCs. If possible, restrict this range to a subset of CORP_NET.|
|Step 5||Permit FTP (TCP 21) to a centralized FTP server that contains configuration files of routers and switches, if you want to take advantage of this feature.|
|Step 6||Permit Simple Mail Transfer Protocol (SMTP) (TCP 25) to allow MARS to e-mail reports and alerts to your SMTP gateway.|
|Step 7||Permit NFS (UDP 2049) if your MARS archive server resides on a different network (not recommended).|
|Step 8||Permit TCP 8444 to allow communications between MARS LCs and GCs, if they reside in different locations.|
|Step 9||Deny all other traffic.|
If you want to take advantage of the MARS internal vulnerability assessment capabilities, the preceding list of rules will not work. Instead, use the following egress filter list:
|Step 1||Permit all TCP and UDP traffic sourced from CS-MARS or a third-party vulnerability scanner.|
|Step 2||Permit NTP traffic to defined NTP servers, if they do not exist locally on SecOps.|
|Step 3||Deny all other traffic.|
In day-to-day use of MARS, when you choose to get more information about a specific host, the internal vulnerability assessment feature of MARS initiates a port scan of the host. You cannot accurately define an egress rule list that permits the vulnerability assessment to take place while also restricting outbound ports. If you already use a supported third-party vulnerability assessment tool, such as QualysGuard, you do not need to use the internal tool. Otherwise, using the tool can greatly improve the accuracy of information presented to you by MARS.
Continue reading to learn about ingress firewall rules for the Cisco Security Monitoring, Analysis, and Response System (CS-MARS).
Reproduced from Chapter four of the book Security Monitoring with Cisco Security MARS by Gary Halleen and Greg Kellogg. Copyright 2007, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.
This was first published in August 2007