
In August last year, Jon Oltsik, senior analyst at Enterprise Strategy Group, praised the success of Cisco MARS (Monitoring, Analysis and Response System), noting that Cisco is giving away "the razors [MARS] to sell the blades [Cisco's core networking gear]," and that "No one can schmooze the enterprise networking crowd like Cisco." Now Oltsik has changed his opinion, referring to poor MARS as a product in Cisco's "doghouse".
In his blog on cnet, Oltsik explains that Cisco in 2005 and 2006 aggressively pushed the security product into end-user accounts but the product "languished behind competitive offerings, causing problems with the installed base." He cites competition from Enterasys, Juniper, and Nortel, which established partnerships with Q1 Labs. Also, "some Cisco sales executives and channel partners eschewed MARS in favor of more popular Cisco products. When you have a portfolio of hundreds of products, it is easy to lead with your best stuff and never mention those in the doghouse," Oltsik writes.
So what of MARS' future? Oltsik says Cisco has three choices: admit defeat and get out; double down on MARS development; or replace MARS with another acquisition.
The Cisco Subnet blog is written by Network World managing editor Jim Duffy and is the official blog of Network World's Cisco Subnet community. The Cisco Subnet site is managed by Online Community Editor Julie Bort.
They'd better not do Option 1
If they're not willing to admit defeat with WAAS (and they should, since its core architecture is flawed (partitioning drive space on a per-peer and per-protocol basis)), then they damn well better not drop MARS. It's only been three years since they dropped SIM in favor of MARS, and they've done a lot to integrate it with CSM (Cisco Security Manager).
All things considered, I think MARS is an OK product, but it's not the Magic Bullet that they sell it as. You can't just point 20 firewalls and IPSs at it and expect it to separate the wheat from the chaff. You need to (aggressively) tune out alerts, create Drop rules, and customize the built-in reports/queries so that you're not staring at 200 Red Level incidents per day. The best advice I got at Networkers was "don't alert on that which you can do nothing about", e.g. I no longer alert on external devices port-scanning my edges, since I'm not going to track down some kid and tell him to "cut it out or I'll tell".
So to that end I duplicated the (for example) "Top Denied Ports" report, and now I have one for external port scans (interesting but non-actionable) and another for internal hosts trying to get out to the Internet. I do the same for my DMZ to detect a compromised box that's trying to do funky things outbound (e.g. IRC). Run those on an hourly basis, and you can quickly roll up to days/weeks of activity (as opposed to running an ad-hoc query and waiting hours). Also, the Custom Columns query should be your primary ad-hoc investigation tool.
So a big part of it is tuning, but MARS still really needs: major GUI improvements; better case/workflow/incident management; improved interoperability with 3rd-party NetFlow sensors (e.g. Mazu Profiler, Arbor, etc.); more current/relevant Rules; the ability to script actions based on rules; a better Dashboard (how hard can it be to make an ACID- or SGUIL-like homepage? sheesh!).
Cisco should double their investment in MARS, fix the GUI, increase its ability to integrate with 3rd-party data (not just the Custom Parser, but the ability to query remote data and launch user-defined scripts), allow the custom parser to store more/different data in MARS (don't just limit me to source IP, dest IP, etc.), and most importantly get releases out the door more quickly.
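The tuning the commenter describes above (one "Top Denied Ports" report split into non-actionable external scans versus internal and DMZ hosts trying to get out, rolled up hourly) is easy to reproduce outside MARS, and the split is the whole point: the same deny events are noise in one direction and a compromise indicator in the other. The following is an added example, not code from the page, from the commenter, or from Cisco. It classifies constructed firewall deny lines in a simplified ASA-style syslog format; the line format, the 10.0.0.0/8 internal and 192.0.2.0/24 DMZ address plan, the zone names, and the IRC port list are all assumptions made for the example.

```python
"""Split firewall deny events by direction so external scans are reported
but never paged on, while internal/DMZ egress denies are surfaced.

Added example; not MARS code. Address plan, log format and port list are
assumptions for illustration only.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical address plan: a real deployment substitutes its own ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
DMZ_NETS = [ip_network("192.0.2.0/24")]

# Destination ports that are "funky" when a DMZ box initiates them outbound.
SUSPECT_EGRESS_PORTS = {6667: "irc", 6697: "irc-tls"}

# Simplified ASA-style "Deny" line (assumed format, not taken from the page).
DENY_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r".*?Deny (?P<proto>tcp|udp) "
    r"src (?P<sz>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dz>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)


def zone_of(ip: str) -> str:
    """Map an address to internal / dmz / external using the assumed plan."""
    addr = ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if any(addr in net for net in DMZ_NETS):
        return "dmz"
    return "external"


def classify(sip: str, dip: str) -> str:
    """Direction-based category; this is the report split the comment describes."""
    src, dst = zone_of(sip), zone_of(dip)
    if src == "external":
        return "external_scan"       # interesting but non-actionable
    if src == "internal" and dst == "external":
        return "internal_egress"     # a workstation trying to get out
    if src == "dmz" and dst == "external":
        return "dmz_egress"          # a DMZ box trying to get out: investigate
    return "other"


def parse_deny(line: str):
    """Return a dict for a deny line, or None for anything else."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["bucket"] = f'{ev["mon"]} {ev["day"]} {ev["hour"]}:00'   # hourly roll-up key
    ev["category"] = classify(ev["sip"], ev["dip"])
    return ev


def top_denied_ports(lines):
    """category -> hour bucket -> Counter of destination ports."""
    report = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        ev = parse_deny(line)
        if ev:
            report[ev["category"]][ev["bucket"]][ev["dport"]] += 1
    return report


def actionable_events(lines):
    """Everything except external scans; DMZ egress on a suspect port is high priority."""
    out = []
    for line in lines:
        ev = parse_deny(line)
        if not ev or ev["category"] == "external_scan":
            continue   # "don't alert on that which you can do nothing about"
        suspect = ev["category"] == "dmz_egress" and ev["dport"] in SUSPECT_EGRESS_PORTS
        ev["priority"] = "high" if suspect else "medium"
        out.append(ev)
    return out


# Constructed sample log: a scan of the DMZ, two internal egress denies, one DMZ box reaching for IRC.
SAMPLE_LOG = [
    'Jan 15 10:03:17 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/41022 dst dmz:192.0.2.10/22 by access-group "outside_in"',
    'Jan 15 10:03:18 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/41023 dst dmz:192.0.2.10/23 by access-group "outside_in"',
    'Jan 15 10:03:19 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/41024 dst dmz:192.0.2.10/445 by access-group "outside_in"',
    'Jan 15 10:12:40 fw01 %ASA-4-106023: Deny tcp src inside:10.1.4.22/51000 dst outside:198.51.100.7/25 by access-group "inside_out"',
    'Jan 15 10:40:05 fw01 %ASA-4-106023: Deny tcp src dmz:192.0.2.10/33000 dst outside:198.51.100.44/6667 by access-group "dmz_out"',
    'Jan 15 11:02:11 fw01 %ASA-4-106023: Deny udp src inside:10.1.4.22/51001 dst outside:198.51.100.7/53 by access-group "inside_out"',
    "Jan 15 11:05:00 fw01 %ASA-6-302013: Built outbound TCP connection (not a deny)",
]

if __name__ == "__main__":
    for category, hours in top_denied_ports(SAMPLE_LOG).items():
        for bucket, ports in sorted(hours.items()):
            print(category, bucket, ports.most_common(3))
    for ev in actionable_events(SAMPLE_LOG):
        print(ev["priority"], ev["category"], ev["sip"], "->", ev["dip"], ev["dport"])
```

Run hourly over the day's denies, the per-category Counters roll up to daily and weekly views by summing buckets, and the only events that reach a person are the three egress denies, with the DMZ host's IRC attempt marked high. The external scan of ports 22, 23 and 445 still lands in its own report for trend-watching, which is the distinction between "interesting" and "actionable" the comment draws.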