Cisco MARS (Part I) Formerly Known as Protego Networks MARS - Edgar Reinke Netfarmers GmbH

Cisco MARS (Part I)
Formerly Known as Protego Networks MARS

                   Edgar Reinke
                 Netfarmers GmbH

            edgar.reinke@netfarmers.net
The Idea
Have a Central Device for logging Security related Events

• Events from different Devices and different Vendors
• Different Protocols (SDEE, Syslog, HTTPS, SNMP …)
• Normalize Events
• Sessionize Events
• Match Sessions against Rules to trigger Incidents
• Automated False Positive Tuning
• Match Real Incidents to the Network Topology
• Offer Queries / Reports for doing the Forensic Analysis

Of course this should be done in nearly Real-time.

Why?

To have a Top Down Approach for the Security Investigation. Do not start e.g. with a single Syslog
Message, which you might find somewhere in a 30 MB Logfile.

To get the Visualization of an Attack …

Not to be bothered by thousands of Messages provided by different Devices, often using different
textual flavours to talk about the same things (… the same Sessions).

To be compliant (e.g. SOX, Euro-SOX …). But please do not use the following slides to demonstrate
to your CEO how to become compliant. MARS is a technical answer … we are not talking about
processes and overall Policies.
Cisco's Security Information Management

SIM Solution: MARS (Monitoring, Analysis, Response System)

Cisco Security Manager: The Security Provisioning Solution.
The MARS Models (Q4 2006)

[Model lineup figure: MARS 20, 50, 100, 200; the SMB Devices are marked "because there is no Redundancy"]

RAID 0: No Redundancy, but higher Transfer Rate (writing on 2 Disks in parallel, which is called Striping)
RAID 10: Redundancy and higher Transfer Rate (RAID 0 over multiple RAID 1)
Back Panel (Example MARS 20 / MARS 20R)

[Back panel figure; interface labels: one Interface is used to face the Reporting Devices, the other is used for Management Access (that is only a proposal …)]

CLI Access only with Job Role 

Cisco does not provide customers root access to the Linux operating system …
Front Panel (Example MARS 20 / MARS 20R)

[Front panel figure; the labelled component is used e.g. for re-imaging the Box]
MARS Software Download
Supplementary Files

MARS is an Agentless solution. Nevertheless, sometimes Agents are required
… e.g. if a Cisco ACS should become a Reporting Device.
Upgrade Packages *

* Not provided very frequently …
Recovery Images

With a Recovery Image you can set up the Box from scratch with the latest
Release.
Multi-Vendor Support (1)

The good News:
We are not talking only about Cisco Devices …
… and we are talking about Applications and Operating Systems.
Multi-Vendor Support (2)

The Syslog and SNMP Trap Messages of currently unsupported Vendors
can be integrated with the Event Parser Tool (ADMIN Custom Setup).
Flowchart (1)

[Flowchart figure, part 1 (continued in Flowchart (2)): Raw Events from supported Vendors and from not supported Vendors → Event Parser → Normalized Event (e.g. I:1901103) → Database (ORACLE 9.2i Enterprise; used for Queries and Reports, Forensic Analysis Tools). A Drop Rule, the Result of False Positive Tuning, sends Events to the Database only: MARS will not process these Events for triggering Incidents.]

NORMALIZATION (R4.2: 16533 Events). A Normalized Event carries:
• Event ID
• CVE Name
• Severity
• Device Event ID
• Device Type
• Device Event Type
• Event Type Group

The good News: MARS is not Inline.

A Forensic Analysis is only possible if the Data are stored in the Box … and not outside in the NFS NAS Store.
Flowchart (2)

[Flowchart figure, part 2: Normalized Events → Flow Detection / SESSIONIZATION (e.g. S:42073911) → Rules → Rule fires → Incident (e.g. I:298958954) → VA Analysis → Mapping Real Positives to Network Topology and Attack Path.]

SESSIONIZATION keys:
• Source Address
• Source Port
• Destination Address
• Destination Port
• Protocol ID
• NAT aware

Every sessionized Event is checked against every (!) Rule (R4.2: 126 System Rules).

VA Analysis:
- Attack reached Target?
- Target vulnerable?
  - Static VA Information
  - Dynamic VA Information … e.g. built-in Nessus

FALSE POSITIVE TUNING OPTIONS:
- Unconfirmed False Positives
- User confirmed False Positives
- User confirmed Positives
- System determined False Positives
What does Normalization mean?

[Figure: Raw Events, sometimes linked to Vendor Pages]

E.G.:

MARS knows an Event called .

This Event is known by other Vendors (e.g. ISS RealSecure, Snort) as well (see Device Event Type) … but of course
they use different textual Messages.

Those different Messages (Raw Events) are mapped by the Event Parser into the MARS Event.
This is called Normalization. MARS knows 16533 normalized Events (R4.2).

Why? Because MARS matches Events against Rules to trigger Incidents. With normalized Events there is no need for
different Rules because of different textual flavours for the same thing.
What does Normalization mean?

Normalization example:

PIX | ASA Information
 Raw Event: %PIX | ASA-4-400009: IDS:1103 IP Fragments Overlap from 1.2.3.4 to 172.16.1.1 on interface DMZ-3
 [Remark: Syslog Messages from 400000 to 400051 are IDS Signature Messages]
 Device Type: PIX 6.3 | ASA 7.0
 Device Event Type: PIX|ASA-4-400009

ISS RealSecure 7.0 Information
 Device Type: ISS RealSecure 7.0
 Device Event Type: TearDrop

Normalized Event (both Raw Events are mapped to it):
 Event Type Group: DoS/All, DoS/Host
 Event ID: 901103
 CVE Name: CVE-2000-0305, CAN-1999-0015
Every Session is checked against every Rule

Clarification: The same Event Types have triggered the same Rule … the
original one and a Copy of it. Therefore, we got 2 Incidents.
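The normalization, sessionization and rule-matching steps from the Flowchart slides, the PIX/ASA and ISS RealSecure example above, and the "one Rule plus a Copy gives 2 Incidents" clarification, as an added, constructed illustration (not MARS code and not Cisco's Event Parser). The ISS line format, the two parsers, the (src, dst) session key and the DoS rule are assumptions made here; the Event ID, Event Type Group and CVE names are the values from the slide.

```python
import re
from collections import defaultdict

# Constructed lookup in the spirit of the normalization slide: a Device Event
# Type maps onto one normalized MARS event regardless of the vendor's wording.
_TEARDROP = {"event_id": 901103, "group": "DoS/Host", "cve": ["CVE-2000-0305", "CAN-1999-0015"]}
NORMALIZED = {"PIX|ASA-4-400009": _TEARDROP, "TearDrop": _TEARDROP}

# Hypothetical parsers, one per device type (the real Event Parser is MARS's own).
PIX_RE = re.compile(r"%(PIX|ASA)-(\d)-(\d{6}): .* from (\S+) to (\S+)")
ISS_RE = re.compile(r"RealSecure: sig=(\S+) src=(\S+) dst=(\S+)")  # constructed format

def normalize(raw):
    """Turn one raw event into a normalized event dict, or None if unsupported."""
    m = PIX_RE.search(raw)
    if m:
        _dev, sev, msg_id, src, dst = m.groups()
        key = f"PIX|ASA-{sev}-{msg_id}"          # same type for PIX 6.3 and ASA 7.0
    else:
        m = ISS_RE.search(raw)
        if not m:
            return None                          # would need the Event Parser Tool
        key, src, dst = m.groups()
    norm = NORMALIZED.get(key)
    return None if norm is None else {"device_event_type": key, "src": src, "dst": dst, **norm}

def sessionize(events):
    """Group normalized events by (src, dst): two vendors reporting the same
    traffic land in one session, so one rule covers both textual flavours."""
    sessions = defaultdict(list)
    for ev in events:
        if ev is not None:
            sessions[(ev["src"], ev["dst"])].append(ev)
    return sessions

def dos_rule(evs, min_events=2):
    """Constructed rule: at least min_events normalized DoS events in one session."""
    return sum(e["group"].startswith("DoS/") for e in evs) >= min_events

def incidents(sessions, rules):
    """Every session is checked against every rule; each hit is one incident,
    so a rule and an unchanged copy of it yield two incidents, as on the slide."""
    return [(name, key) for key, evs in sessions.items() for name, rule in rules if rule(evs)]

RULES = [("DoS fragments", dos_rule), ("DoS fragments (copy)", dos_rule)]
RAW = [  # constructed sample lines; the PIX line is the one quoted on the slide
    "%PIX-4-400009: IDS:1103 IP Fragments Overlap from 1.2.3.4 to 172.16.1.1 on interface DMZ-3",
    "RealSecure: sig=TearDrop src=1.2.3.4 dst=172.16.1.1",
    "some-vendor: message MARS has no parser for",
]
```

Running `incidents(sessionize(normalize(r) for r in RAW), RULES)` returns two incidents for the single session, one per rule; dropping the copied rule leaves one.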
The Incident is not enough …

We need …

… a Topology Map which provides the Configuration, Security Policies and
Dynamic Data (e.g. CAM Table, ARP Cache) of the Devices. This allows MARS to
map the Traffic Flow (an Attack) to the Topology of the Network.

The Topology Information must be stored with Timestamps (like Incidents) in
the Database: During Forensic Analysis MARS has to map an old Incident to the
Topology which was valid when the Incident was triggered.
What is the Value of knowing the Path?

MARS knows all the Devices and Networks between the Attacker and the
attacked Host. Therefore, it can suggest the Enforcement Device and
Alternates.
What is the Value of knowing Device Configuration?

[Screenshot: PIX / ASA specific feature]

MARS can recommend Mitigation Actions …

There is no automatic Mitigation! We only get a Recommendation, which
might be pushed to a Layer 2 Device (but not to a Layer 3 Device).
What is the Value of knowing Device Configuration?

In this Example the Enforcement Device is a Layer 2 Device. Only for
those Devices you get the Option to push Commands to the (Cisco)
Device. If you want this Option, please be aware of the fact that
your Layer 2 Devices must be Reporting Devices (… and you might
have many of them).
Internal Storage

Local Storage Capacity in Days depends on the Number of EPS and (optional) FPS
(EPS: Events per Second / FPS: (Net)Flows per Second).

Internal Database: ORACLE 9.2i Enterprise

There are 10 Partitions used for Internal Data Storage. If the last Partition is full, MARS
starts to overwrite the first one. There is a special Incident which signals this Jump.

If e.g. SOX is in your Mind, the idea of losing Events by overwriting old ones
sounds bad. Therefore, you will use external Storage as well.

Estimation …
External NAS Storage

No time values configurable:
- Configuration File every day at 3 a.m.
- Raw Event Data (Lempel-Ziv compressed; ratio 12:1 … 38:1) every 1 hour

Example: 3 Days of External Storage Capacity
 1st Day: 30 GB, 2nd Day: 20 GB, 3rd Day: 45 GB, 4th Day: 35 GB, 5th Day: 60 GB
 (the oldest Days are deleted once the 3-Day Capacity is exceeded)

If e.g. SOX is in your Mind, the idea of losing Events by overwriting old
ones sounds bad. Therefore, you have to think about Backup as well.
Yes, there are other solutions

• Interactive Dashboard
• Forensic Investigation
• Powerful Filter Engine

Only two examples. Nice coloured Reports, matching the expectations of Managers!
But the Information is not mapped to the Topology. Therefore, MARS offers more Value … but a Request to
Cisco: MARS offers nice Reports as well, but please offer those Reports as PDF, or provide an
Interface to Crystal Reports.
Access via HTTPS

Default Login: pnadmin / pnadmin

Remarks:

192.168.0.100 is the Default IP Address of ETH0

192.168.1.100 is the Default IP Address of ETH1

The SVG Plugin is not provided by the Box: MARS only provides the Link to the
Adobe Download Page …
MARS provides a Self-signed Certificate
Making Contact
A new Plug-In …
(Default) Configuration
Logout
The License is tied to Ethernet 0

This is how a fresh MARS (after pnrestore or Re-Imaging) presents itself
You have to accept …
Bootstrap MARS Box via GUI

All Information is required …
Yes, there is a CLI

Only a User Account with the Administrator Role assigned is able to access the
CLI. This Account does not have Root Privileges for the Linux OS. Root Privileges are provided
with the Expert Account.
When to use the CLI

Doing a Reboot
Start / Stop PN Daemons (pnstatus / pnstart / pnstop)
Doing a Reset (pnreset … you will lose the Database and need the License Key)
Doing a Restore (pnrestore)
Doing a Re-Imaging using DVD
Configuring NTP (… unfortunately this is not possible via the GUI)
Configuring Static Routes
…
pndbusage / diskusage

[Screenshot: the actual Usage of the Disks …]

There are 10 Partitions used for Internal Data Storage. If the last Partition is full, MARS starts
to overwrite the first one. There is a special Incident which signals this Jump.
Yes, there are problems as well …

In this Case it is a Problem with the TNS Listener, which handles the Connections to the Oracle
Database (ORA-12541). Therefore it is not a MARS specific Problem (see Cisco FN-62505).

As you can see, MARS does not accept any CLI Command. A pnreset seems to work, but after the
Reboot MARS still has the old Information (see screen on the right-hand side). You are not able to
use the GUI, because you get a strange looking Login Screen and Authentication fails.
Digging into the Past

[Figure: Productive MARS → Database (Configuration; Events / Devices etc. (compressed); Part of the Linux OS) → Restore → Spare MARS]

Doing a Restore means losing the recent Data in the Box. A Forensic Analysis is only possible
with the Data stored in the internal Database. This might become a conflict …

Therefore, you need a Spare Device. Losing Data is a Topic your CEO should be interested in
… this is not a technical issue … it is the Point where e.g. SOX might be a good argument to get
the Money for a Spare MARS.