The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is a topology-aware SIM product. Because it holds sensitive information, it's important for VARs to configure it to establish authentication, information and rediscovery protocols. This tip covers how to establish egress firewall rules for CS-MARS.
Egress firewall rules refer to filters that restrict traffic from the protected network to less trusted networks. Ideal security would restrict outbound traffic to only those ports that are necessary for proper functioning of the MARS appliance. However, in real life, this might be unmanageable. You need to determine the proper balance between security and manageability.
For example, a strict default egress policy might make sense for your company's public-facing web server. Hopefully, connectivity from the Internet to your web server (ingress rule) is permitted only on either TCP 80 or 443, depending on whether your web server uses encrypted HTTP. The egress policy should deny all traffic that originates from the web server to hosts on the Internet. In other words, someone should never be allowed to browse the Internet from your web server, to download files to the web server, or to have other communications from the web server to the Internet. By applying a proper egress rule on the firewall that denies it, an attacker is also denied that same communication path. In most instances where a web server, or any other server, is compromised by a hacker, the hacker's next steps include copying files to the web server, either to deface websites, install rootkits, or retrieve the software needed to further hack into the network. Strict egress filters raise the difficulty level, often to a level that exceeds the capabilities of the hacker. Depending on your environment and which MARS features you're using, strict egress filters might be unmanageable. However, you should evaluate them to see whether they are workable in your environment.
The following list of egress filters serves as a good starter set for most networks:
Step 1. Permit traffic required for name resolution to CORP_NET—for example, Domain Name System (DNS) and Server Message Block (SMB) for Windows hosts (TCP and UDP 53, TCP 137 and 445) to
Step 2. Permit Network Time Protocol (NTP) to specified NTP servers, either on your network or internetwork.
Step 3. Permit device discovery traffic on CORP_NET for routers and switches—for example, Telnet (TCP 23), SSH (TCP 22), and SNMP (UDP 161).
Step 4. Permit HTTPS to CORP_NET to allow MARS to discover Cisco IDS/IPS sensors as well as to allow event retrieval from Cisco IDSs/IPSs and Cisco routers running IOS IPS, and to allow communications between MARS LCs and GCs. If possible, restrict this range to a subset of CORP_NET.
Step 5. Permit FTP (TCP 21) to a centralized FTP server that contains configuration files of routers and switches, if you want to take advantage of this feature.
Step 6. Permit Simple Mail Transfer Protocol (SMTP) (TCP 25) to allow MARS to e-mail reports and alerts to your SMTP gateway.
Step 7. Permit NFS (UDP 2049) if your MARS archive server resides on a different network (not recommended).
Step 8. Permit TCP 8444 to allow communications between MARS LCs and GCs, if they reside in different locations.
Step 9. Deny all other traffic.
If you want to take advantage of the MARS internal vulnerability assessment capabilities, the preceding list of rules will not work. Instead, use the following egress filter list:
Step 1. Permit all TCP and UDP traffic sourced from CS-MARS or a third-party vulnerability scanner.
Step 2. Permit NTP traffic to defined NTP servers, if they do not exist locally on SecOps.
Step 3. Deny all other traffic.
In day-to-day use of MARS, when you choose to get more information about a specific host, the internal vulnerability assessment feature of MARS initiates a port scan of the host. You cannot accurately define an egress rule list that permits the vulnerability assessment to take place while also restricting outbound ports. If you already use a supported third-party vulnerability assessment tool, such as QualysGuard, you do not need to use the internal tool. Otherwise, using the tool can greatly improve the accuracy of information presented to you by MARS.
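The two egress rule sets above, modelled as an added Python example that is not from the book or from Cisco: a first-match policy evaluator encodes the starter set (steps 1 through 9) and the vulnerability-assessment set (steps 1 through 3), runs constructed sample flows through each, and renders the rules as Cisco ASA-style extended access-list lines for comparison with a real firewall configuration. All addresses (the MARS appliance, CORP_NET, the IDS/IPS subset used for the step 4 restriction, and the NTP, FTP, SMTP and NFS servers) are assumptions, as are the flow descriptions; NTP's UDP 123 is the standard port, which the text does not state.

```python
"""First-match egress policy model for a CS-MARS appliance (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing: every value here is an assumption for the example.
MARS_LC = ip_address("10.10.10.5")            # the MARS local controller
CORP_NET = ip_network("10.0.0.0/8")           # CORP_NET from the text
IDS_NET = ip_network("10.20.0.0/16")          # subset of CORP_NET holding IDS/IPS sensors and the GC
NTP_SERVERS = (ip_network("10.10.10.20/32"), ip_network("192.0.2.123/32"))
FTP_SERVER = ip_network("10.10.20.7/32")      # central config-file FTP server
SMTP_GATEWAY = ip_network("10.10.20.25/32")
ARCHIVE_NFS = ip_network("10.10.30.9/32")     # archive server on another network
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", or "ip" (matches any protocol)
    dsts: tuple        # destination networks the rule covers
    ports: frozenset   # destination ports; an empty set means any port

    def matches(self, proto, dst, port):
        if self.proto != "ip" and self.proto != proto:
            return False
        if not any(dst in net for net in self.dsts):
            return False
        return not self.ports or port in self.ports


def permit(proto, dsts, *ports):
    return Rule("permit", proto, tuple(dsts), frozenset(ports))


DENY_ALL = Rule("deny", "ip", (ANY,), frozenset())

# Starter egress set: steps 1 through 9 of the first list, in order.
STARTER = [
    permit("tcp", [CORP_NET], 53, 137, 445),  # step 1: DNS and SMB name resolution
    permit("udp", [CORP_NET], 53),
    permit("udp", NTP_SERVERS, 123),          # step 2: NTP (UDP 123 is the standard port)
    permit("tcp", [CORP_NET], 22, 23),        # step 3: SSH and Telnet device discovery
    permit("udp", [CORP_NET], 161),           #         SNMP
    permit("tcp", [IDS_NET], 443),            # step 4: HTTPS, restricted to the IDS/IPS subset
    permit("tcp", [FTP_SERVER], 21),          # step 5
    permit("tcp", [SMTP_GATEWAY], 25),        # step 6
    permit("udp", [ARCHIVE_NFS], 2049),       # step 7
    permit("tcp", [IDS_NET], 8444),           # step 8: LC to GC
    DENY_ALL,                                 # step 9
]

# Vulnerability-assessment set: the second list. The port scan needs any port.
VA_SET = [
    permit("tcp", [ANY]),
    permit("udp", [ANY]),
    permit("udp", NTP_SERVERS, 123),
    DENY_ALL,
]


def evaluate(rules, proto, dst, port):
    """Return the action of the first matching rule (implicit deny if none)."""
    dst = ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst, port):
            return rule.action
    return "deny"


def _asa_addr(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def to_asa_acl(rules, src=MARS_LC, name="MARS_EGRESS"):
    """Render the rule list as Cisco ASA extended access-list lines."""
    lines = []
    for rule in rules:
        for dst in rule.dsts:
            for port in sorted(rule.ports) or [None]:
                svc = "" if port is None else f" eq {port}"
                lines.append(f"access-list {name} extended {rule.action} "
                             f"{rule.proto} host {src} {_asa_addr(dst)}{svc}")
    return lines


# Constructed sample flows: (description, proto, destination, port).
SAMPLE_FLOWS = [
    ("DNS to CORP_NET", "udp", "10.0.0.53", 53),
    ("HTTPS to IDS subset", "tcp", "10.20.1.1", 443),
    ("HTTPS elsewhere in CORP_NET", "tcp", "10.50.1.1", 443),
    ("NTP to unlisted server", "udp", "192.0.2.124", 123),
    ("port scan of a CORP_NET host", "tcp", "10.50.1.1", 31337),
    ("web browsing to the Internet", "tcp", "198.51.100.10", 80),
]


def audit(rules, flows=SAMPLE_FLOWS):
    """Map each sample flow description to the action the rule list gives it."""
    return {desc: evaluate(rules, proto, dst, port) for desc, proto, dst, port in flows}
```

Running `audit(STARTER)` and `audit(VA_SET)` side by side shows the trade-off the text describes: the starter set denies the port-scan flow and any HTTPS outside the IDS/IPS subset, while the vulnerability-assessment set permits the scan (and, as a consequence of "all TCP and UDP sourced from CS-MARS", also the browsing flow to the Internet), with only the final deny-all left to block anything else. `to_asa_acl(STARTER)` expands each rule into one line per destination and port, which is the shape most practitioners end up auditing on the firewall itself.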
Reproduced from Chapter four of the book Security Monitoring with Cisco Security MARS by Gary Halleen and Greg Kellogg. Copyright 2007, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.