In this chapter, you learn the fundamental steps required to configure and deploy your CS-MARS platform. Topics discussed include these:
Deploying CS-MARS in Your Network
CS-MARS Initial Setup and Quick Install
CS-MARS Reporting Device Setup
Creating Users and Groups
Configuring NetFlow and Vulnerability Scanning
Configuring CS-MARS System Maintenance
Configuring System Parameters
In previous chapters, you learned the difference between security threat mitigation (STM) and security information management (SIM). Understanding the advantages of deploying an STM in your environment, you now walk through the steps necessary for the initial configuration and setup of high-level system parameters that enable CS-MARS as an STM system.
This chapter discusses the first step of deploying CS-MARS, which is determining where it can be securely placed in your network. It explains how to configure the information required for network communication and alert notification, and includes instructions on how to use the CS-MARS web interface to add devices that will report to the CS-MARS appliance. You will learn how to add users and groups to administer your CS-MARS appliance and how to use NetFlow and configure vulnerability scanning, which will significantly increase the accuracy of attack recognition. Finally, you will learn about system maintenance tasks and how to configure system parameters.
After applying the information in this chapter, you will have a fully operational CS-MARS STM device.
Deploying CS-MARS in Your Network
Before you start configuring your CS-MARS appliance, you need to make the critical decision of where CS-MARS should be placed in your network. This decision is important for the security of your network and the security of data going to and from your CS-MARS device. Your CS-MARS appliance data and your CS-MARS appliance itself are prime targets for an attacker who wants to compromise your network.
Information an attacker could glean from the data stream going to and from your CS-MARS appliance includes the following:
IP addresses
Device names
Source and destination pairs
Attack information
Vulnerability information
Operating system information
The CS-MARS box itself would be a prime target because if attackers can access the box, they could change policies and hide attacks that they might launch against your critical assets.
Because of the importance of this device and its data, you don't want to place it where it can be easily compromised or where attackers might be able to run network sniffers and harvest information about your network.
Network Placement
Normally you want to place CS-MARS in a part of your network where normal users don't have access. These networks are called out-of-band networks. Conversely, in-band networks are networks where user, voice, and video data are located. In relation to out-of-band (OOB) networks, in-band networks are considered insecure. In-band networks are susceptible to many types of attacks by which an attacker can gain control of a device and gain leverage to attack other devices in the network or sniff traffic on the network; the attacker might then learn critical information such as device configurations, IP addresses, usernames, or passwords. Because out-of-band networks don't have user workstations, they are considered to be much more secure. Of course, all of this assumes that when the administrator set up the in-band and out-of-band networks, the switches and routers were configured with the proper commands so that attackers can't "hop" between networks.
Because out-of-band networks are considered more secure, we recommend that you place your CS-MARS device and all other security-management devices, such as password servers, syslog servers, Network Time Protocol (NTP) servers, and domain name services (DNS) servers in these networks. Figure 5-1 shows a very simple illustration of components that are commonly found in an OOB network.
OOB networking for management devices is an "ideal" best practice, and sometimes it's not possible to implement it because of distance limitations, interface limitations, and various other factors. At a minimum, if you need to place critical management devices in user networks, you should try to encrypt traffic that is sourced from and destined to those devices. As an alternative, if management traffic needs to traverse your in-band network, you should always keep your management device protected from the user networks with a combination of firewalls and intrusion-prevention appliances.
The bottom line is that, depending on how your network is set up, CS-MARS should be deployed in the most secure area possible. Table 5-1 lists the network types from most secure to least secure and provides an explanation of the presumed security level of each area.
Figure 5-1 Management Network
Table 5-1 Network Placement for CS-MARS

| Network Connection Type | Description |
|---|---|
| OOB management network segment | This is the preferred network segment for your CS-MARS appliance. There should be no user access except by security administrators. Make sure that all switches are locked down to protect against Layer 2 attacks and that there are no open ports where an attacker can connect a PC. |
| In-band encrypted | You should place CS-MARS in an in-band network only if you can encrypt all data going to and coming from the CS-MARS appliance. This ensures that even if attackers have access to your in-band network, they cannot steal network and attack data going across this network. Also make sure that all switches are locked down to protect against Layer 2 attacks and that there are no open switch ports where an attacker can connect a PC. The greatest risk in this network scenario is that an attacker might be able to guess the IP address of your CS-MARS device and try brute-force password attacks against the appliance. If you have an IPS device on the same network as your management interface, you will be able to recognize and mitigate these types of attacks. |
| In-band appliance protected | If you can't encrypt data to and from your CS-MARS device, you should have a firewall and a network intrusion-prevention (IPS) device between the CS-MARS box and the user network. The attacker should have his hands full figuring out how to directly compromise the device with these appliances in place. |
| In-band | This scenario is not recommended and should be avoided at all costs. This gives an attacker free rein to try to sniff data off the network and to try to gain management access to the appliance. |
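The placement rows in Table 5-1 reduce to a question you can check against flow records: does any clear-text protocol (the chapter names syslog and Telnet) reach the appliance from, or cross, an in-band user network? The Python audit below is an added example, not code from the book or from Cisco; the appliance address (MARS_IP), the OOB and user prefixes, and the flow records are constructed for the demonstration, and the port numbers are the standard ones (syslog 514, Telnet 23, HTTPS 443, SSH 22). It generalizes the table slightly by also flagging peers that are in neither inventory for review.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for this example; substitute your own inventory.
MARS_IP = ip_address("10.255.0.10")                      # CS-MARS management address (constructed)
OOB_NETS = [ip_network("10.255.0.0/24")]                 # OOB management segment (constructed)
USER_NETS = [ip_network("192.168.0.0/16"),
             ip_network("172.16.0.0/12")]                # in-band user networks (constructed)

# Clear-text protocols the chapter names for CS-MARS, keyed by (proto, dport).
CLEAR_TEXT = {("udp", 514): "syslog", ("tcp", 514): "syslog", ("tcp", 23): "telnet"}
# Protocols whose payload is encrypted on the wire (standard ports).
ENCRYPTED = {("tcp", 443): "https", ("tcp", 22): "ssh"}


def in_any(addr, nets):
    return any(addr in net for net in nets)


def parse_flow(line):
    """Parse one 'src,dst,proto,dport' record (constructed format)."""
    src, dst, proto, dport = (field.strip() for field in line.split(","))
    return {"src": ip_address(src), "dst": ip_address(dst),
            "proto": proto.lower(), "dport": int(dport)}


def classify(flow):
    """Return None if the flow does not involve CS-MARS, else a finding label."""
    if MARS_IP not in (flow["src"], flow["dst"]):
        return None
    peer = flow["dst"] if flow["src"] == MARS_IP else flow["src"]
    key = (flow["proto"], flow["dport"])
    if flow["proto"] == "esp" or key in ENCRYPTED:
        crypto = "encrypted"
    elif key in CLEAR_TEXT:
        crypto = "clear-text:" + CLEAR_TEXT[key]
    else:
        crypto = "unclassified"
    if in_any(peer, OOB_NETS):
        return "ok-oob"                        # Table 5-1, row 1
    if in_any(peer, USER_NETS):
        if crypto == "encrypted":
            return "ok-encrypted-in-band"      # Table 5-1, row 2
        return "RISK-in-band-" + crypto        # rows 3 and 4: needs firewall/IPS, or unacceptable
    return "REVIEW-unknown-peer-" + crypto     # peer is in neither inventory


def audit(lines):
    """Run classify() over flow records; keep only flows that touch CS-MARS."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(parse_flow(line))
        if label is not None:
            findings.append((line, label))
    return findings


def risks(lines):
    """Only the findings that Table 5-1 would treat as a placement risk."""
    return [(line, label) for line, label in audit(lines) if label.startswith("RISK")]


SAMPLE_FLOWS = [  # constructed records: src,dst,proto,dport
    "10.255.0.20,10.255.0.10,udp,514",    # syslog from a device on the OOB segment
    "192.168.10.5,10.255.0.10,tcp,443",   # admin HTTPS from the user LAN
    "192.168.10.7,10.255.0.10,tcp,23",    # Telnet from the user LAN: clear text
    "172.16.4.9,10.255.0.10,udp,514",     # syslog crossing user space: clear text
    "10.255.0.10,203.0.113.5,tcp,443",    # appliance talking to an address outside both inventories
    "192.168.1.1,192.168.1.2,udp,514",    # unrelated flow, ignored
]

if __name__ == "__main__":
    for line, label in audit(SAMPLE_FLOWS):
        print(f"{label:40} {line}")
```

Feed it exported NetFlow or firewall connection logs reduced to the four fields; every RISK line is a flow that Table 5-1 says should not exist unless a firewall and IPS sit between the appliance and the user network.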
CS-MARS Security Hardening
The earlier "Network Placement" section goes into a lot of detail about how you should treat CS-MARS as a critical secure network component and ensure that it is deployed properly in your network. You should not be intimidated by this; the good news is that this is the only task besides administering usernames and passwords that you need to worry about when installing CS-MARS. Normally, when you deploy a host, server, network, or security device in your business or enterprise network, you want to complete several tasks before using the new device. The following is a list of typical security best practices, depending on the type of device:
Apply current operating system patches
Apply current application patches
Analyze configurations and remove unneeded services that could be exploited by malicious network activity
Turn off or secure clear-text services to the security appliance
Correctly apply access control lists limiting connectivity to the inside of your network
Enable auditing functions
Apply registry and file-sharing security as recommended by the operating system vendor
Install antivirus software from a leading vendor
Install host or server intrusion prevention
On the CS-MARS platform, the developers have done these tasks for you, either by design or based on input that you provided to the CS-MARS appliance when adding devices or setting global parameters.
The CS-MARS appliance is built on a Red Hat Linux operating system that has been heavily modified and security-hardened by CS-MARS developers. Because of this, you will never need to install typical operating system components or application patches. This type of maintenance is common for other vendors that install security software on off-the-shelf operating systems (OS). However, Cisco has assured its customers that if a security vulnerability is found in any of its devices, including CS-MARS, it will immediately provide a patch to protect against malicious software that could exploit this vulnerability. It should be noted, however, that when this book was written, Cisco and Protego had shipped CS-MARS for more than three years, and no vulnerabilities had been identified for this product.
The other major task that you need to do if you purchased an off-the-shelf security product that runs on a commercial operating system is to turn off the unused network services, such as Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP). Although it's impossible to turn off all network services on a security device installed on an off-the-shelf OS, the developers of CS-MARS either have turned off unnecessary services, have never installed them, or have modified the services that are enabled to eliminate known vulnerabilities. In some cases, such as SMTP, the developers implemented the protocol to allow only the skeleton requirements needed by CS-MARS.
The bottom line is that you need to do a minimal amount of work to secure your CS-MARS appliance; most of these types of tasks have been completed for you by CS-MARS developers or because of the architecture of CS-MARS.
Table 5-2 lists typical network and host-hardening tasks and shows how CS-MARS either does these tasks for you or eliminates the necessity for you to perform the task.
In addition to traditional security-hardening tasks such as those mentioned previously, CS-MARS adds hardening features to protocols that are required for CS-MARS functionality.
Table 5-2 Security-Hardening Tasks

| Required Security-Hardening Task | Hardening Achieved | User Interaction |
|---|---|---|
| Apply current operating system hot fixes | Because CS-MARS is written on a special developer's version of the Red Hat Linux operating system, no operating system hot fixes are required. | No action is required on your part unless Cisco releases a security alert in conjunction with a software patch for this appliance. |
| Apply current application patches | Because CS-MARS is written on a special developer's version of the Red Hat Linux operating system, no application patches are required. | No action is required on your part. |
| Analyze configurations and remove unneeded services that could be exploited by malicious network activity | CS-MARS developers never installed unneeded services, and they modified existing services to reduce or eliminate the possibility of vulnerabilities that attackers could exploit. | No action is required on your part. |
| Harden or remove clear-text services to the security appliance | The clear-text protocols used by CS-MARS are Telnet and syslog. These clear-text protocols are required to support existing legacy reporting and management applications used by most security and network devices. | As recommended in the previous section, if you are using clear-text protocols, you should either isolate your CS-MARS appliance in an out-of-band network or encrypt the clear-text data if it traverses a user network. |
| Correctly apply access control lists limiting connectivity to your security device | CS-MARS communicates only with devices that you have added to its device database, so access control lists are not required. | No action is required on your part. |
| Turn on auditing functions | Full device-auditing features are turned on by default in the CS-MARS appliance. | No action is required on your part. |
| Apply registry and file-sharing security as recommended by the operating system vendor | CS-MARS developers have written the operating system and the CS-MARS applications so that a registry, as we know it, is not required and file sharing does not exist. | No action is required on your part. |
| Install antivirus software | Because CS-MARS is a hardened OS with IP tables for inbound and outbound connections, the probability of a virus outbreak is very low. | No action is required on your part. |
| Install host or server intrusion prevention | Because CS-MARS is a hardened operating system that tightly controls its operating environment and controls which application code can be executed, the probability of exploit is very low. | No action is required on your part unless Cisco releases a security alert in conjunction with a software patch for this appliance. |
Protocol Security Hardening
CS-MARS employs additional protocol security hardening in four ways:
Enforcing directional control on protocols that it requires on the appliance using IP tables
Allowing local protocol access only
Selectively allowing protocol access using device-authentication mechanisms
Sandboxing command-line execution on the appliance and the internal database
Enforcing directional control
For some protocols that would normally be bidirectional, CS-MARS ensures that inbound traffic is not accepted. SNMP is an example. CS-MARS uses SNMP to notify predefined users of a high-severity event, but SNMP on a CS-MARS appliance does not accept inbound traffic; therefore, the SNMP service cannot be exploited from the outside.
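The first three hardening mechanisms in the list above (directional control, local-only access, and device-authenticated access) can be expressed as one small packet policy, which makes the intent testable. The Python model below is an added example; it is not Cisco code and not how the CS-MARS firewall is actually implemented. The appliance address, the registered-device set standing in for the device database, the sample packets, and the database listener port (DB_PORT) are constructed or assumed, while 161/162 and 514 are the standard SNMP and syslog ports. Sandboxing is a host control rather than a packet rule and is not modeled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

APPLIANCE = ip_address("10.255.0.10")       # CS-MARS address (constructed)
LOOPBACK = ip_address("127.0.0.1")
# Stand-in for the CS-MARS device database: only these sources may report in.
REGISTERED_DEVICES = {ip_address("10.255.0.20"), ip_address("10.255.0.21")}   # constructed
DB_PORT = 5432   # assumed placeholder for the internal database listener; the chapter gives no port

SNMP_PORTS = (161, 162)                          # standard SNMP agent / trap ports
REPORTING_PORTS = {("udp", 514), ("tcp", 514)}   # syslog


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int
    direction: str   # "in" = arriving at the appliance, "out" = sent by it


def decide(pkt: Packet) -> str:
    """Return 'ACCEPT:<rule>' or 'DROP:<rule>' for a single packet.

    Models new connections only; reply handling (connection tracking) is out of scope.
    """
    if pkt.direction == "out":
        # Directional control, outbound half: the appliance may originate SNMP
        # notifications and other traffic it needs. Outbound is unrestricted here.
        return "ACCEPT:outbound"
    # Everything below is inbound to the appliance.
    if pkt.proto == "udp" and pkt.dport in SNMP_PORTS:
        # Directional control, inbound half: SNMP is send-only on the appliance.
        return "DROP:snmp-inbound-not-accepted"
    if pkt.dport == DB_PORT:
        # Local-only access: the database listener answers the loopback interface only.
        return "ACCEPT:local-only" if pkt.src == LOOPBACK else "DROP:not-local"
    if (pkt.proto, pkt.dport) in REPORTING_PORTS:
        # Device-authenticated access: syslog only from devices in the device database.
        if pkt.src in REGISTERED_DEVICES:
            return "ACCEPT:registered-device"
        return "DROP:unregistered-device"
    return "DROP:default-inbound"


def apply_policy(packets):
    """Evaluate every packet and pair it with its verdict."""
    return [(pkt, decide(pkt)) for pkt in packets]


SAMPLE_PACKETS = [   # constructed
    Packet(ip_address("10.255.0.20"), APPLIANCE, "udp", 514, "in"),   # registered reporting device
    Packet(ip_address("192.168.1.5"), APPLIANCE, "udp", 514, "in"),   # unregistered host sending syslog
    Packet(ip_address("192.168.1.5"), APPLIANCE, "udp", 161, "in"),   # inbound SNMP query
    Packet(APPLIANCE, ip_address("10.255.0.50"), "udp", 162, "out"),  # outbound SNMP notification
    Packet(LOOPBACK, LOOPBACK, "tcp", DB_PORT, "in"),                 # local database access
    Packet(ip_address("10.255.0.20"), APPLIANCE, "tcp", DB_PORT, "in"),  # remote database access
]

if __name__ == "__main__":
    for pkt, verdict in apply_policy(SAMPLE_PACKETS):
        print(f"{verdict:32} {pkt.direction:3} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
```

On a Linux host each branch corresponds to one INPUT-chain rule keyed on destination port and source address; the model above simply keeps the decision logic in one place so it can be reviewed and tested offline before it is turned into rules.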