Chapter 5: CS-MARS Appliance Setup and Configuration

Cisco Press


- Allowing local protocol access only: Because CS-MARS uses an Oracle database to store and organize its device and event data, it requires a piece of software called a Transparent Network Substrate (TNS) listener. Because the CS-MARS architects built the CS-MARS applications from scratch on the developer's version of Red Hat Linux, they were able to restrict access to the TNS listener to the CS-MARS appliance itself. The only exception is a deployment that uses Local Controllers (LC) and Global Controllers (GC) on CS-MARS. In an LC-to-GC deployment, the TNS listener is used only within the HTTPS connection between the LC and GC devices.

- Selectively allowing protocol access using device authentication: If you decide to use local and global CS-MARS devices as suggested in the previous bullet point, the Global Controller must talk to the Local Controller database, so the TNS listener must accept data from outside devices. Because the CS-MARS developers wrote the application with security in mind, they employed a device-authentication mechanism that ensures that the remote CS-MARS appliance you defined is the only device that can communicate with the local TNS listener.

- Sandboxing your command-line execution: The CS-MARS developers wrote a custom command-line parser that restricts operating system command execution to a small set of command lines. These commands are used solely to troubleshoot or configure CS-MARS, view some global parameters, or view statistics. This ensures that if hackers were able to gain access to your CS-MARS command-line interface (CLI), they would not be able to run traditional Linux commands to manipulate execution or install malicious code such as rootkits. To protect the CS-MARS operating system even further, all compilers and development libraries have been removed from the system. This ensures that in the unlikely event that attackers gained access, they would not be able to create or modify code on the device.
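The following is an added example, not code from the book or from CS-MARS, showing the design principle behind such a restricted CLI: an allowlist of command names mapped to fixed handlers, strict argument validation, and outright rejection of shell metacharacters, so that operator input never reaches a system shell. The command names and log lines are hypothetical and constructed for the example.

```python
import re
import shlex

# Constructed sample log data and a hypothetical command table; these are not
# the real CS-MARS commands, only a model of an allowlist-based restricted CLI.
_LOG = ["boot ok", "listener bound to 127.0.0.1", "admin login from console"]

def _version(args):
    return "appliance 1.0 (constructed)"

def _log_show(args):
    # args[0] has already been validated as a 1-99 digit string by the table.
    return "\n".join(_LOG[-int(args[0]):])

# name -> (handler, list of regexes each positional argument must fully match)
COMMANDS = {
    "version": (_version, []),
    "log-show": (_log_show, [r"[1-9][0-9]?"]),
}

# Anything a shell would interpret; rejected outright, never stripped.
_FORBIDDEN = set(";&|`$<>(){}\\\n\r")

def run(line, commands=COMMANDS):
    """Return (ok, text). The input is only ever used for a table lookup and
    a call to a fixed Python handler; no shell or external process is spawned."""
    if not line.strip() or len(line) > 256:
        return False, "rejected: empty or over-long input"
    if _FORBIDDEN & set(line):
        return False, "rejected: shell metacharacter in input"
    try:
        tokens = shlex.split(line)
    except ValueError as exc:
        return False, f"rejected: bad quoting ({exc})"
    name, args = tokens[0], tokens[1:]
    if name not in commands:
        return False, f"rejected: unknown command {name!r}"
    handler, patterns = commands[name]
    if len(args) != len(patterns):
        return False, f"rejected: {name} takes {len(patterns)} argument(s)"
    for arg, pat in zip(args, patterns):
        if not re.fullmatch(pat, arg):
            return False, f"rejected: bad argument {arg!r}"
    return True, handler(args)
```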
