cs-mars presales

Upload: sahdac219

Post on 09-Apr-2018


  • 8/7/2019 CS-MARS presales

    1/18

    1 2005 Cisco Systems, Inc. All rights reserved. Company Confidential

    CS-MARS Positioning Training


    Agenda

    Introduction

    Security Management Challenges

    Cisco's Protego Mitigation and Response System (MARS)

    Solution Overview

    Protego MARS Deployments

    Protego MARS in Action: LoveGate

    Protego MARS in Action: Sasser-D

    Product Line

    How to Sell Protego MARS

    Customer Success Stories

    Live Demo


    Protego Mitigation and Response System (MARS): Next Generation SIM/STM

    Leverage YOUR existing investment to build pervasive security

    Correlate data from across the Enterprise

    NIDS, Firewalls, Routers, Switches, CSA

    Syslog, SNMP, RDEP, SDEE, NetFlow, Endpoint event logs

    Rapidly locate and mitigate attacks

    Key Features

    Determines security incidents based on device messages, events, and sessions

    Incidents are topologically aware for visualization and replay

    Mitigation on L2 ports and L3 chokepoints

    Efficiently scales for real-time use across the Enterprise


    MARS Value Proposition

    Plug-and-Play Deployment

    No professional services required

    Can be installed and receiving events within just a few hours

    Event Monitoring and Mitigation

    Ability to correlate events from multiple network and security devices, tune IDS signatures, locate offending hosts, determine attack path and offer active mitigation options

    Broad Product Portfolio

    Entry-level price point for commercial customers

    Scales from 500 EPS to 10,000 EPS per appliance, with options for distributed deployments

    Helps Prove ROI for Existing and New Security Devices

    Converts millions of events to a small number of actionable mitigation options

    Allows customers to expand the number of security devices in their networks


    Self-Defending Network Components

    Defense-in-depth

    Firewalls

    Proxies

    VPN

    Anti-virus

    Network IDS/IPS

    Host IDS/IPS

    Vulnerability Assessment

    Patch Management

    Policy Compliance

    Router

    Switch


    Security Operations / Reactions Today

    Action Steps:

    1. Alert

    2. Investigate

    3. Mitigate

    Network Operations

    Security Operations

    Security knowledge base

    Firewall

    IDS/IPS

    VPN

    Vulnerability Scanners

    Authentication Servers

    Router/Switch

    Anti-virus

    10K Win, 100s UNIX

    Collect Network Diagram

    Read and Analyze TONS of Data

    Repeat


    Business Problem

    In-depth Defense

    Noise

    Poor Attack Identification & Response

    Compliance & Audit Mandates

    Insufficient Security Staff

    after patching, putting out fires, investigation and remediation produce the audit report

    alarms, disconnected events, false positives, network anomalies

    Sarbox, HIPAA, GLBA, FISMA, Basel II due care and process

    un-prioritized blended attacks, day zero attacks, worms and network issues

    Mitigate Attacks

    Costly Business Dilemma


    Infected Host

    Log/Alert

    Defense-In-Depth = Complexity


    What You Have to Deal With: NIDS Alert


    What You Have to Deal With: Firewall Log


    MARS Product Line


    Full Spectrum Product Line

    Installation takes minutes

    NO JAVA!!!!

    Server side scripting does it all!

    Raid 1+0 No DBA Needed

    Agent-less Event Collection

    Layer 2/3 Network Topology and Mitigation

    NetFlow

    Drill down to MAC addresses

    PN-MARS Model       20       50       100e     100       200       Global Controller
    Events/Sec          500      1,000    3,000    5,000     10,000    N/A
    NetFlow Flows/Sec   15,000   25,000   75,000   150,000   300,000   N/A
    RAID Storage        120GB    120GB    750GB    750GB     1TB       1TB
    Rack Size           1 RU     1 RU     3 RU     3 RU      4 RU      4 RU


    MARS Device Support

    Networking

    Cisco IOS 11.x and 12.x, Catalyst OS 6.x

    NetFlow v5/v7

    NAC ACS 3.x

    Extreme Extremeware 6.x

    Firewall/VPN

    Cisco PIX 6.x, IOS Firewall, FWSM 1.x & 2.2, VPN Concentrator 4.0

    CheckPoint Firewall-1 NG FPx, VPN-1

    NetScreen Firewall 4.x, 5.x

    Nokia Firewall

    IDS

    Cisco NIDS 3.x & 4.x, IDSM 3.x & 4.x

    Enterasys Dragon NIDS 6.x

    ISS RealSecure Network Sensor 6.5, 7.0

    Snort NIDS 2.x

    McAfee Intrushield NIDS 1.x

    NetScreen IDP 2.x

    Symantec ManHunt 3.x

    Vulnerability Assessment

    eEye REM 1.x

    Foundstone FoundScan 3.x

    Host Security

    Cisco Security Agent (CSA) 4.x

    McAfee Entercept 2.5, 4.x

    ISS RealSecure Host Sensor 6.5, 7.0

    Symantec AntiVirus 9.x

    Host Log

    Windows NT, 2000, 2003 (agent and agent-less)

    Solaris

    Linux

    Syslog

    Universal device support

    Applications

    Web servers (IIS, iPlanet, Apache)

    Oracle 9i, 10i database audit logs

    Network Appliance NetCache


    CS-MARS: Global Controller Deployment

    [Network diagram; labels: Switch, VPN, Router, Wireless, Switch / NIDS, App, Web, DBMS, URL / AV Filter, Mail GW, FW / NAT, AAA, NAS Archive, Internal, External, Inbound, Outbound, Mgt. Net, Remote, Tunnel, PN-MARS, PN-MARS GC; legend: Host IDS, AV, Log]

    Protego PN-MARS

    Passive monitoring anywhere the appliance can send and receive information

    Gains network intelligence

    Translates NAT, sets NetFlow thresholds

    Correlates logs, alerts, NetFlow

    Identifies valid incidents, no false positives

    Offers real-time visualization, replay, query

    Enables complete drill-down investigation

    Automates mitigation and workflow

    Consolidates / stores incidents and raw data

    PN-MARS GC

    PN-MARS GC deployed in the management network provides global view, management, and reporting. Each PN-MARS securely and efficiently communicates to the GC. GC appliance can distribute updates, rules, report templates, access rules, and queries across MARS appliances.

    PN-MARS can be placed on remote sites and be managed by PN-MARS GC


    CS-MARS: Command and Control


    CS-MARS: The Battlefield

    Network Intelligence

    Topology

    Traffic Flow

    Device Configuration

    Enforcement Devices


    CS-MARS: Connect the Dots

    Accurate attack-path, detailed investigation

    Host A Port Scans Target X, followed by

    Host A Buffer Overflow Attack to Target X

    Where X is vulnerable to Attack, followed by

    Target X executes password attack on Target Y
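
The sequence on this slide can be read as a stateful correlation rule over normalized events plus vulnerability-assessment data. The following is an added example, not code from the deck or from CS-MARS; the event names, fields, addresses, and 300-second window are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int    # seconds since start of capture
    kind: str  # normalized event type (names are assumptions)
    src: str
    dst: str

# Constructed sample: events already normalized from NIDS, firewall and host logs.
EVENTS = [
    Event(10, "port_scan", "10.0.0.5", "10.0.1.20"),
    Event(40, "buffer_overflow", "10.0.0.5", "10.0.1.20"),
    Event(95, "password_attack", "10.0.1.20", "10.0.2.30"),
    Event(50, "port_scan", "10.0.0.9", "10.0.1.21"),
    Event(70, "buffer_overflow", "10.0.0.9", "10.0.1.21"),    # target not vulnerable
    Event(120, "password_attack", "10.0.1.22", "10.0.2.30"),  # no prior compromise
]
# Constructed vulnerability-assessment result: hosts exposed to the overflow.
VULNERABLE = {"10.0.1.20"}

def correlate(events, vulnerable, window=300):
    """Match scan -> overflow on a vulnerable target -> password attack from that target."""
    scans = {}        # (A, X) -> time of latest scan
    compromised = {}  # X -> (A, scan time, overflow time)
    incidents = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "port_scan":
            scans[(e.src, e.dst)] = e.ts
        elif e.kind == "buffer_overflow":
            scan_ts = scans.get((e.src, e.dst))
            # Stage 2 counts only after a recent scan and if X is known vulnerable.
            if scan_ts is not None and e.ts - scan_ts <= window and e.dst in vulnerable:
                compromised[e.dst] = (e.src, scan_ts, e.ts)
        elif e.kind == "password_attack" and e.src in compromised:
            attacker, scan_ts, overflow_ts = compromised[e.src]
            if e.ts - overflow_ts <= window:
                incidents.append({"path": [attacker, e.src, e.dst],
                                  "start": scan_ts, "end": e.ts})
    return incidents

if __name__ == "__main__":
    for incident in correlate(EVENTS, VULNERABLE):
        print(" -> ".join(incident["path"]), incident["start"], incident["end"])
```

Six raw events reduce to one incident with a three-hop path; the overflow against a non-vulnerable target and the unrelated password attack are dropped.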


    CS-MARS: Attack Path with Layer 2 Mitigation