The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) is a topology-aware SIM product. Because it holds sensitive information, it's important for VARs to configure it to establish authentication, information and rediscovery protocols. This tip covers how to establish ingress firewall rules for CS-MARS.
Ingress traffic refers to traffic that is inbound to a firewall (toward CS-MARS) from a less trusted network. Figure 4-1 shows both ingress traffic and egress traffic, or traffic that leaves CS-MARS to go toward the less trusted network.Figure 4-1 Ingress and Egress Traffic
The following ingress rules are a good starting point for most companies:
|Step 1||Permit syslog and SNMP trap traffic (UDP 162 and 514) from security operations (SecOps).|
|Step 2||Permit NetFlow traffic (UDP 2049) from SecOps.|
|Step 3||Permit HTTPS (TCP 443) from SecOps if a large number of people will be accessing the web console of MARS to run ad hoc reports. Otherwise, permit HTTPS to a restricted range of addresses.|
|Step 4||Permit SSH (TCP 22) to a very restricted set of addresses. If the security management network has its own VPN gateway, which might be a function of the firewall, you might want to require administrators to establish a VPN connection before permitting SSH.|
|Step 5||Permit HTTP (TCP 80) from any monitored web servers running iPlanet or Apache. If you're using NetCache appliances, permit HTTP from it as well.|
|Step 6||If your MARS deployment consists of multiple MARS LCs that communicate to a centralized MARS GC, permit required management traffic between those systems (TCP 443 and 8444).|
|Step 7||Deny all other traffic.|
Continue reading to learn about egress firewall rules for the Cisco Security Monitoring, Analysis, and Response System (CS-MARS).
Reproduced from Chapter four of the book Security Monitoring with Cisco Security MARS by Gary Halleen and Greg Kellogg. Copyright 2007, Cisco Systems, Inc. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other uses.