Network Security Focus-IDS
Re: RE: RE: Tuning false positives - SIM is not the answer

Date: 4 Jan 2006 21:47:03 -0000
Gary,

A couple of points on Cisco CS-MARS 100 that I know from personal experience 
with it over the last year:

1.  It can process a boatload of data from a lot of devices - very cool.
2.  Reporting needs more flexibility and more speed.  On the flexibility front, 
if I want to simply grab a device's raw output for the last 24 hours and that 
output is of a significant size (more than a thousand rows), I have to resort 
to dumping raw logs because queries have pre-defined limits and the reporting 
engine automatically performs summarization, which I often don't want.  Both 
MARS documentation and Cisco TAC confirm this as intentional behavior.  Thus, I 
can't generate non-summarized data on a scheduled basis.

On the speed front, it's not super-quick for grabbing anything of decent size, 
whether querying or reporting.  There aren't a lot of suggestions in the doc 
for tuning/maintenance (yes, even in the 4.x doc) or indications via the CLI 
for disk space usage, in case the disk is (getting) full.

3.  The MARS OS is a Linux distro but users can't get to the actual OS.  This 
wouldn't normally be a problem but there was a bad MARS build that was 
published recently, yanked within a day or so, and then required a TAC engineer 
to remotely login to the MARS box to fix it.  This is contrary to every other 
Cisco device, including Linux-based 42xx IDS/IPS, that I've worked with.

Aside from the issues noted above, I think SIMs are great tools for bringing 
many devices' data together for easier analysis and can really help the 
typically understaffed security personnel in the right environment.

Brent Stackhouse
VP of Security
Solis Security, Inc.
Austin, Texas
www.solissecurity.com
