Chapter 5: CS-MARS Appliance Setup and Configuration

Cisco Press


CS-MARS Initial Setup and Quick Install

One of the greatest assets of CS-MARS is that it's extremely simple to set up, regardless of your level of technical expertise. A novice can easily follow the step-by-step process in this chapter and have a fully configured CS-MARS appliance when the steps are completed. In fact, the steps are exactly the same and just as easy, whether you are a novice system administrator or an experienced security or network engineer.

This book describes two different methods for initially setting up and installing CS-MARS. The first method, which is covered in this chapter, involves connecting a keyboard and a video monitor to your CS-MARS appliance and completing the initial setup using direct input through the keyboard. The second method is defined in Appendix F, "CS-MARS Console Access." It involves connecting your PC using the asynchronous serial port of your CS-MARS device and a terminal emulator and entering the initial configuration information on your keyboard. After you have successfully configured your CS-MARS device, you can access the device using the CS-MARS web interface. This requires the Microsoft Internet Explorer v6.x application, the Adobe SVG Viewer IE plug-in, and a network connection to the CS-MARS appliance.

The initial steps you need to perform to enable your CS-MARS device for deployment are the following:

Step 1 Complete the initial CS-MARS configuration.

Step 2 Enter system parameters using the CS-MARS web interface.

Complete the Initial CS-MARS Configuration

Completing the initial configuration for CS-MARS is a simple nine-step process. After you have completed this process, you can access your CS-MARS device with the web interface, complete additional steps required to add devices to the CS-MARS device database, and also configure system parameters. These steps make up the initial configuration process:

Step 1 Connect the video and the keyboard to the CS-MARS backplane.

Step 2 Power on the CS-MARS device.

Step 3 Log into CS-MARS using the factory default username and password.

Step 4 Change the default username and password.

Step 5 Set the time zone or synchronize to an NTP server.

Step 6 Set the desired date.

Step 7 Set the desired time.

Step 8 Set the IP address for your CS-MARS interface.

Step 9 Ensure connectivity between your CS-MARS device and your administrative management workstations.

The following is a description of the steps you need to perform to initialize your CS-MARS appliance:

Step 1 Connect the video and the keyboard to the CS-MARS backplane—While the device is powered off, simply connect a standard computer monitor and video cable to the video out on the CS-MARS backplane. After the video is connected, simply insert a standard keyboard and keyboard cable into the keyboard port on the CS-MARS backplane. See Figure 5-2.

Figure 5-2: CS-MARS Backplane

Step 2 Power on the CS-MARS device—Plug the CS-MARS power cable into the device backplane then into a standard 110 volt AC outlet. There are two switches used to power on the device; first press the power switch on the CS-MARS backplane, and then remove the face plate and press the power switch on the front of the device.

Step 3 Log into CS-MARS using the factory default username and password—When the CS-MARS device has completed its power cycle, you are presented with a username prompt. Enter pnadmin for both the username and the password.

Step 4 Change the default username and password—Enter the command passwd; you are prompted to change the username and password. Because CS-MARS is a critical device in your network and has access to most of your security, network, hosts, and server devices, it's a best practice to use a password that will be very difficult to guess if somebody gains physical or remote access to this device. General guidelines are to use a password with greater than eight characters that contains uppercase, lowercase, numeric, and special characters. Under no circumstances should your password be a word that can be found in a dictionary, English or otherwise.

Step 5 Set the time zone or synchronize to an NTP server—The first step you need to do is either manually set the time zone where your CS-MARS device is located or point your CS-MARS device to an NTP server. Without synchronizing times among your CS-MARS appliance, your management workstations, and your reporting devices, you face several potential problems:

— Management workstations will not be capable of connecting to CS-MARS devices because self-signed certificates will appear to be expired.

— The dates on CS-MARS reports will not be accurate. This is especially a problem if you are using CS-MARS data for forensic analysis or you plan to use this data in a legal deposition or at a trial.

A fundamental feature of CS-MARS is to correlate event logs and alerts from many different network and security devices. These devices can be located anywhere in the world and in any time zone. To enable CS-MARS to accurately correlate information regardless of geographical location to a common time source, you must configure the accurate date, time, and time zone. The date, time, and time zone can be set manually, but it's much easier and much more accurate to simply point your devices to an authoritative Network Time Protocol (NTP) server.

The time zone can be set manually via the CLI using the timezone set command. After you enter the command, a text wizard steps you through the process of defining your time zone.

Step 6 Set the desired date—For the same reasons you need to synchronize time zones, you also need to ensure that the correct date is set on your CS-MARS device. As with the time zone, the date can manually be set or can be synchronized and set using an NTP server. Use the CS-MARS CLI command date dd/mm/yyyy to set the current date.

Step 7 Set the desired time—The same logic and reasoning applies to setting the desired time. As with the time zone, the time can manually be set or can be synchronized and set using an NTP server. Use the CS-MARS CLI command time hh:mm:ss to set the current time.

Step 8 Set the IP address for your CS-MARS interfaces—The ifconfig command is used to set the IP address on the CS-MARS interfaces. This command uses the standard UNIX ifconfig syntax. In the examples in this book, we use the default IP addresses on the CS-MARS interfaces. The Ethernet 0 default IP address is, and the Ethernet 1 default IP address is Either of these IP addresses can be used for management access through an administrative workstation.

To change the IP address on your CS-MARS interfaces, use the CLI command ifconfig eth0 <ip-address> <subnet-mask>; if you need to change the IP address on Ethernet 1, use the command ifconfig eth1 <ip-address> <subnet-mask>. Note that any changes to IP addresses or time zones require you to reboot CS-MARS before the changes take effect.

Every time an IP address is changed, CS-MARS requires a reboot of the system.

Step 9 Ensure connectivity between your CS-MARS device and your administrative management workstations—You need to ensure that you have SSL/HTTPS access and network connectivity between your CS-MARS device and your management workstations. Connectivity can be verified using the ping command on either the workstation or the appliance, and management protocol connectivity can be verified using a browser and entering HTTPS:// (or the IP address you used for your CS-MARS interface). If either the ping or the browser access fails, you must work with your network administrators to ensure that you have a route between your workstation and the appliance and that no access lists are blocking TCP port 443 or ICMP traffic.

When you have completed these steps, continue to the next section to add devices and set system parameters to activate your CS-MARS appliance.
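The effect of Step 5 on correlation and on certificate checks, shown as an added example that is not from the book or from CS-MARS itself. The Python code normalizes device-local timestamps to UTC, flags a device whose configured time zone is wrong, and shows how a validity window looks from a drifted clock; all device names, addresses, timestamps, and certificate dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events (not real CS-MARS output). Each reporting device
# stamps events in its own local time; "utc_offset" is the zone configured on
# the device and "received" is when the collector logged arrival (UTC).
EVENTS = [
    {"device": "fw-newyork", "src": "198.51.100.7",
     "local": "2006-03-14 09:15:02", "utc_offset": -5,
     "received": "2006-03-14 14:15:03"},
    {"device": "ips-london", "src": "198.51.100.7",
     "local": "2006-03-14 14:15:05", "utc_offset": 0,
     "received": "2006-03-14 14:15:06"},
    # This router stamps Tokyo local time but is configured as UTC.
    {"device": "rtr-tokyo", "src": "198.51.100.7",
     "local": "2006-03-14 23:15:04", "utc_offset": 0,
     "received": "2006-03-14 14:15:05"},
]


def to_utc(local, utc_offset):
    """Convert a device-local timestamp string to an aware UTC datetime."""
    tz = timezone(timedelta(hours=utc_offset))
    return datetime.strptime(local, FMT).replace(tzinfo=tz).astimezone(timezone.utc)


def skewed_devices(events, tolerance=timedelta(seconds=30)):
    """Return {device: skew} where event time and arrival time disagree."""
    flagged = {}
    for e in events:
        received = datetime.strptime(e["received"], FMT).replace(tzinfo=timezone.utc)
        skew = to_utc(e["local"], e["utc_offset"]) - received
        if abs(skew) > tolerance:
            flagged[e["device"]] = skew
    return flagged


def correlate(events, window=timedelta(seconds=10)):
    """Group events by source IP when their UTC times fall within `window`
    of the first event in the group."""
    groups = []
    for e in sorted(events, key=lambda ev: to_utc(ev["local"], ev["utc_offset"])):
        t = to_utc(e["local"], e["utc_offset"])
        for g in groups:
            if g["src"] == e["src"] and t - g["start"] <= window:
                g["devices"].append(e["device"])
                break
        else:
            groups.append({"src": e["src"], "start": t, "devices": [e["device"]]})
    return groups


def cert_status(not_before, not_after, clock):
    """How a certificate validity window looks from a given clock."""
    if clock < not_before:
        return "not yet valid"
    if clock > not_after:
        return "expired"
    return "valid"


if __name__ == "__main__":
    print("skewed:", skewed_devices(EVENTS))
    for g in correlate(EVENTS):
        print(g["src"], g["start"].strftime(FMT), g["devices"])
    # Constructed validity window for a self-signed certificate.
    nb = datetime(2006, 3, 1, tzinfo=timezone.utc)
    na = datetime(2007, 3, 1, tzinfo=timezone.utc)
    drifted = datetime(2007, 6, 1, tzinfo=timezone.utc)  # workstation clock ahead
    print("certificate seen from drifted clock:", cert_status(nb, na, drifted))
```

With the sample data, the Tokyo router's event lands almost nine hours away from the other two and is not grouped with them; setting its offset to +9 brings all three events into one group.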

Enter System Parameters Using the CS-MARS Web Interface

The only supported browser for the CS-MARS web interface is Internet Explorer (IE) v6.0 SP1; it's assumed that higher versions will work. Before you use the browser to access your security appliance, you must make the following changes:

  • Turn off web page caching—This ensures that current web pages are always returned from the CS-MARS device. If you don't do this step, when you make a change to the CS-MARS configuration and then use your browser to check your configuration, you likely will see old data and not the change that you just made.

  • Configure IE with a medium security level—This enables ActiveX controls and scripting required by the web interface.

  • Configure IE to a privacy level of medium—By default, this allows cookies that are required for the correct operation of the CS-MARS web interface.

  • Configure IE to allow popups from the CS-MARS—CS-MARS uses popup windows to display several different types of information. Without this configuration, you will not be able to use the CS-MARS web interface. Your system might have other popup blockers besides the default IE blockers; you must make sure all of them are set to allow popups from CS-MARS.

If you are having any trouble making these changes on your system, refer to the excellent detailed step-by-step description on the Cisco website. You can access that information by browsing to and clicking on the Install and Upgrade link; then follow the links to the CS-MARS 4.1 Install and Setup Guide.

Enter System Parameters to Activate Your CS-MARS Appliance

Now that you have the correct browser, the correct browser configurations, connectivity to your appliance, and the appliance IP address, you are ready to make some basic configurations and activate your appliance.

The following is a step-by-step procedure to activate your CS-MARS appliance.

Step 1 Enter your username and password. The screen shown in Figure 5-3 appears. The default username and password are pnadmin/pnadmin.

Figure 5-3: CS-MARS License Entry Panel

Step 2 Enter the license key for your CS-MARS appliance. This should have been shipped with your device. If it was not included or you have misplaced it, send an e-mail to or browse to Cisco's licensing website to get a license.

You will notice that no matter what selection you chose on the GUI, you are prompted for the license key.

Step 3 After you enter your license key, CS-MARS presents you with a screen to enter the initial configuration for your appliance.

The screen that is displayed contains cells in which to enter the following (see Figure 5-4):

— IP address for the second CS-MARS interface

— Default gateway

— Mail gateway

— DNS address information

Step 4 Enter the required values for each of these fields.

Figure 5-4: CS-MARS Basic Configuration Panel

Step 5 Make sure you include DNS addresses. The CS-MARS device generates reports that contain source and destination IP addresses. The CS-MARS appliance will resolve these names as long as you have defined your DNS servers. If you don't define your DNS servers, you must manually resolve addresses, which severely impacts the speed and accuracy of your analysis process.

Step 6 You have flexibility on how you can use the interfaces of your CS-MARS device. The basic functions provided by the CS-MARS interfaces are data collection and device management. The interfaces can be used for either of these purposes. For example, you could use one interface for device management or event collection, or both. You could also choose to use one interface for data collection and the other for device management.

Step 7 CS-MARS uses the mail information to send alerts or reports to certain mail addresses when alerts or reports are generated, so it's important to populate this field appropriately.

Step 8 After the data is entered, click the Update button at the bottom of the page. This sends the data to your appliance and saves the configuration.

CS-MARS Reporting Device Setup

Now that you have configured the basic parameters for CS-MARS and have connectivity to the appliance, you must add the devices that will be communicating to your CS-MARS device. This section provides an overview of how to set up reporting devices. For more detailed information on how to configure reporting devices, reference The User Guide for Cisco Security MARS Local Controller. This document is located on the Cisco website at Follow the links to product literature, support, and documentation.

CS-MARS supports three main types of devices:

  • Hardware-based security devices—These are devices that are traditional network and security appliances, such as routers, switches, security appliances, firewalls, web proxies, and intrusion-prevention devices.

  • Software-based security devices—Software devices are applications that run on hosts or servers. These include Apache web server, IIS server, or other software-based network or security services.

  • On-demand security services—These are subscription-based services provided by vendors using a central security operations center or management center.

Adding Devices

Two methods are used to input device information into CS-MARS:

  • Manual device entry

  • Comma-separated variable (CSV) seed file imports

Manual Device Entry

The first method for device entry is the manual method. Using this function, you enter all your known devices into CS-MARS to enable CS-MARS to use their information for log integration, log correlation, and topology discovery. You are asked to enter the following information for each device. This list isn't absolute, however. For example, in some cases, you won't be able to enter SNMP-RO information; in other cases, you might not be able to enter usernames and passwords. Don't worry about this. Enter what you can, and CS-MARS will use whatever information it can glean from the information that you do give it.

The following is a list of general information you can use to add devices to CS-MARS. Note, however, that most devices require only a subset of this information for CS-MARS to begin communications.

  • Device name (required)

  • Access IP address (IP used for Telnet, SNMP, or SSH access to the device; required)

  • Reporting IP (source IP address of reporting data; required)

  • Access type (Telnet, SSH, FTP)

  • Username

  • Password

  • Enable password

  • Config path

  • Filename

  • SNMP-RO community string

  • Monitor resource usage

  • Interface IP addresses and subnets (needed for path calculation only)

If a device is not entered into CS-MARS or is improperly configured in CS-MARS, the appliance classifies and reports any data it receives as an "Unknown Reporting Device," and the data from these devices is not used in CS-MARS for attack analysis.

One of the more impressive features of CS-MARS is that after you enter the information of your network and security devices, CS-MARS uses that information to access those devices, analyze the device configurations, analyze interface parameters, and analyze route and Content Addressable Memory (CAM) tables to determine your network topology. This is discussed in detail in Chapter 4, "CS-MARS Technologies and Theory."

The following steps are taken when manually adding a device on your CS-MARS appliance.

Step 1 In the CS-MARS GUI, navigate to the panel to add devices: Admin > Security and Monitoring Information. Figure 5-5 is the starting panel for adding network devices.

Figure 5-5: CS-MARS Add Device Panel

When you've accessed this panel, click the Add button to enter a new device. Figure 5-6 appears.

Figure 5-6: CS-MARS Device-Configuration Panel

Step 2 You must make a selection from the Device Type pull-down list. These are the default devices that have reporting features that CS-MARS supports. Figure 5-7 shows those devices and categorizes them by HW-based security device, SW-based security device, and on-demand security device.

Figure 5-7: CS-MARS Device Pull-Down Menu

Notice that the devices that are supported in this pull-down list are not only Cisco devices, but devices from most of the popular security vendors. Chapter 6, "Reporting and Mitigative Device Configuration," has a complete list of supported devices and vendors. The following is a partial list of third-party vendors that CS-MARS supports:

— Cisco Systems

— Extreme Systems

— NetScreen

— Network Appliance


— Qualys

Step 3 In the example for this chapter, you add a Cisco Intrusion Prevention 5.0 device.

Select Cisco IPS 5.x from the Device Type pull-down menu. You are presented with the panel to add an IPS 5.x device, illustrated in Figure 5-8. Note that because not all devices have the same configuration characteristics and reporting formats, this screen might differ, depending on the device selected.

Figure 5-8: IPS Device Entry Panel

Step 4 You must fill in the following information to enable this device as a CS-MARS reporting device:

Device Name—This is the name that has been configured with the IPS CLI or IPS web interface as the device name for this device.

Reporting IP—This is the IP address for the management interface of this device. Make sure this interface is routable to the CS-MARS device. In this example, the IPS device has an address of

Login—This is the administrative username for the IPS device.

Password—This is the administrative password for the IPS device.

Port—Unless otherwise configured on the IPS device, this value should always be 443.

Monitor Resource Usage—Select Yes if you want CS-MARS to report when this device uses excessive hardware resources.

Monitored Network—This selection tells CS-MARS that this device will be sending alert information for the IP addresses that are members of the defined subnets in this table. It is important that the proper information is placed in these fields because CS-MARS uses this data for path calculation and alarm data. A best practice is to enter the exact subnets from inside your network that this IPS device monitors. Do not summarize these entries! If all your subnets are not present in the Select a Network drop-down list, you can manually put them in using the Define a Network selection. In this example, the monitored networks are and

You must also ensure that, on the IPS device, the address of the CS-MARS device is included in the IPS's "allowed" access list. Readying devices for CS-MARS access is discussed in depth in Chapter 6.

Step 5 When this configuration panel is completed, you must click the Test Connectivity button. You will see a screen that indicates that discovery of this device is in progress. If the discovery fails, an Internet Explorer popup screen appears. If it's successful, an Internet Explorer popup screen reads "Discovery is done."

Step 6 When the device is discovered, you must click the Submit button to add the IPS device to your device list.

Step 7 After adding the device to your device list, you need to activate your work. Select the Activate button, in the upper-right corner of the CS-MARS window.

Activation is important in the CS-MARS world. When you make changes through the web interface, your changes are written to the CS-MARS database but do not take effect until they are activated. Activation is achieved simply by selecting the Activate button.

After activation, your CS-MARS screen looks like Figure 5-9.

Figure 5-9: CS-MARS Added Device List

You can also confirm that CS-MARS recognized your device by navigating to the topology page and verifying that an icon for the IPS device has been added to the Summary page, as shown in Figure 5-10. Your topology should show your CS-MARS device, two subnets that are displayed as Layer 2 switches, and the IPS device you just loaded. In this configuration, the address of the IPS device is The two subnets and show up as connected routes to the CS-MARS device because of the interface IP addresses, and the IPS device shows those addresses for two reasons: The management interface of the IPS box is in the subnet, and when we added the device, we told CS-MARS that the IPS device is monitoring and

Figure 5-10: CS-MARS Network Topology Display

This example using SSL is just one of many different ways to add devices to CS-MARS. SNMP is important and should not be overlooked. CS-MARS extensively uses the information from SNMP device databases to discover network topology and as a method to make configuration changes for attack mitigation. Discovery and mitigation are covered in depth in Chapter 4.

These Cisco devices have SNMP support through the CS-MARS appliance:

  • Cisco adaptive security appliances

  • Cisco IOS routers, Version 12.2 and higher

  • Cisco PIX firewalls

  • Cisco Catalyst switches/CATOS

  • Cisco Catalyst switches/IOS

  • Cisco Virtual Private Network (VPN) concentrators, Version 4.03 and higher

CSV File Import

From the previous section, which explained how to manually add a device, you have probably observed that adding devices is easy but that it would be very time-consuming to add several devices. If you are an enterprise with 20 or more devices you need to add to the CS-MARS database, it might make sense to use CSV file import, which was designed to add multiple devices.

A CSV file must be created in a specific format so that CS-MARS can correctly use the information for its intended purpose. Each entry contains the same information that Figure 5-6 showed.

The detailed format for a CSV file is documented in The User Guide for Cisco Security MARS Local Controller, found on the Cisco website at Follow the links to product literature, support, and documentation until you find the document titled Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, Release 4.1. Within that document, search for the string "add multiple devices using a seed file."

After you create a CSV file with all your devices and appropriate access information, you must import that file into CS-MARS.

Using a CSV Device Import File (Seed File)

First create the file with an entry for each of the devices you need to add to CS-MARS. This file is called the seed file.

The information for each device and CSV seed file format is listed in Appendix C, "CS-MARS Supplements."

The following is an example of a seed file that could be used to import a PIX firewall, two NetScreen devices, and two IOS devices into CS-MARS.

,,,,PIX,TELNET,,,cisco,,,,,,,,,,,,,,,NETSCREEN,SSH,netscreen,ns3146wsdf,,,,,,,,,,,,,,,,NETSCREEN,SSH,netscreen,tt160p91,,,,,,,,,,,,,,,,IOS,TELNET,,,Qa$1*5ft,gt$*j15,,,,,,,,,,,,,,IOS,TELNET,,,telnetpass123,,,,,,,,,,

In this example, for simplicity, we add a single PIX 7.0 firewall and use the following information in the seed file.

,,,,PIX7X,ssh,sshuser,cisco123,,Cisco

Step 1 After the seed file has been created, you need to once again navigate to the Admin > Security and Monitoring Information panel. This time, instead of adding a device, click the Load from Seed File button. A browser popup prompts you for the FTP location of your seed file. Figure 5-11 shows the prompts and the value used for this example.

Figure 5-11: CS-MARS Seed Import Configuration Panel

Step 2 After the seed file has been submitted, CS-MARS automatically discovers the devices that were in your seed file and notifies you with a browser popup when the devices have been discovered.

Step 3 You must then navigate back to the previous screen and click the Activate button.

Step 4 Then, as you did when you manually added a device, go to the Summary page and view the topology map to see your device.

Creating Users and Groups

The next step to get your CS-MARS devices ready for deployment is to create users and groups that are allowed to interact with your CS-MARS device.

You can create four types of users to manage your CS-MARS environment:

  • Admin

  • Security analyst

  • Notifications only

  • Operator

Each of these user types has a specific set of functions it is allowed to perform on a CS-MARS appliance.

Admin—This is the equivalent of a superuser. The admin account has full control on a CS-MARS appliance. The pnadmin account is the only account that can access the CS-MARS through SSH for CLI operation.

Security analyst—This user can access all areas of the CS-MARS web interface and CLI, except for the Admin configuration panel.

Notifications only—These are accounts that can receive e-mails or reports generated by CS-MARS. These users can view only report data related to the notification they received.

Operator—An operator has access to the CS-MARS device GUI but in read-only mode. This type of user cannot make changes to the system.

The following steps describe how to add users to CS-MARS.

Step 1 First, you must navigate to Admin > User Management. If you have a default installation, the only user created is the pnadmin user, labeled as Administrator (pnadmin).

Step 2 Before you set up accounts, you need to identify each user that needs access to the CS-MARS device and then what function that user needs to perform. Then you input each user through the Admin > User Management configuration panel and associate them with the appropriate group.

CS-MARS enables you to enter a significant amount of informational data for each user. It should be considered a best practice to enter all the data you possibly can. In many industries, regulations require you to do this, but this also can save you significant time if you need to contact CS-MARS users in the middle of a threat response.

Configuring NetFlow and Vulnerability Scanning

At this point, your CS-MARS device is capable of accepting and analyzing logs and security alerts, but with the addition of NetFlow and vulnerability scanning, your CS-MARS appliance will be a much more powerful security solution.

The addition of NetFlow enables CS-MARS to recognize traffic anomalies and baseline network behavior.
