Content

Implementing Cisco Security Monitoring, Analysis, and Response System v3.0

This lab bundle supports the Implementing Cisco Security Monitoring, Analysis, and Response System (MARS) version 3.0 course. Cisco Security MARS combines network intelligence, context correlation, vector analysis, anomaly detection, hotspot identification, and automated mitigation capabilities. The result is a system that helps customers to readily and accurately identify, manage, and eliminate network attacks, and maintain network security compliance.

There are fourteen (14) lab exercises included in the MARS 3.0 course:

  • Accessing the Cisco Security MARS Appliance
  • Adding Reporting Devices and Enabling NetFlow
  • Configuring the Syslog Forwarding Feature
  • Generating Summary Reports
  • Configuring Cisco Security MARS Event Types
  • Configuring an Inspection Rule
  • Performing a Query and Creating a Custom Report
  • Performing Incident Investigation and Mitigation
  • Configuring the Custom Parser
  • Performing Cisco Security Manager Policy Lookup
  • Reviewing the CLI and Upgrading the Device Version
  • Configuring IPS Auto Signature Download
  • Configuring AAA RADIUS Authentication and Working with the Account Locking and Session Timeout Menu
  • Retrieving Raw Messages

All lab exercises use the same topology as shown in this figure:

Content

Objectives

Upon finishing this set of exercises, you will be able to:

  • Connect to the Cisco Security MARS appliance using Microsoft Internet Explorer
  • Log in to the Cisco Security MARS appliance and review the basic configuration using the GUI
  • Manually add Cisco ASA, Cisco IPS-SSM module, and Cisco router devices into the Cisco Security MARS appliance
  • Enable NetFlow processing in the Cisco Security MARS appliance
  • Set up the syslog server to receive the forwarded messages
  • Review syslog configuration on the Cisco router
  • Configure syslog forwarding on the Cisco Security MARS appliance and test syslog forwarding
  • Create a real-time query to monitor raw messages
  • View events and NetFlow traffic in your network
  • Gather information from Network Status graphs
  • Customize reports on the Summary page
  • Find and filter event types in Cisco Security MARS
  • Find internally generated event types in Cisco Security MARS
  • Configure an inspection rule and test the rule for matching event
  • Add a user and attempt an unsuccessful login to generate an event
  • Run and save a query as a report
  • Trigger an incident and perform incident drill-down
  • Review incident mitigation information
  • Configure a case and tune the incident as false positive
  • Generate a web server syslog to Cisco Security MARS and run an event query
  • Create a custom parser to parse the syslog
  • Add a custom device as a reporting device and re-run an event query
  • Add Cisco Security Manager to Cisco Security MARS
  • Review Cisco router configurations in Cisco Security Manager
  • Trigger an event on the Cisco router and perform Cisco Security Manager policy lookup on Cisco Security MARS
  • Run a query on firewall events
  • Review the pndbusage, diskusage, and pnstatus commands
  • Upgrade the device software version (for demonstration purposes only)
  • Confirm the Cisco Security MARS update process
  • Configure the IPS Signature Dynamic Update settings
  • Configure Cisco Security MARS to authenticate with the Cisco Secure ACS AAA server
  • Review the Cisco Secure ACS server configuration
  • Add a user and manage account authentication
  • Revert Cisco Security MARS to use local authentication
  • Work with the new Download Raw Message feature of Cisco Security MARS
  • Export data using the Cisco Security MARS command line

Importance

This lab bundle is essential for all administrators who want to protect their network with various Cisco security devices by using strong tool for monitoring, analysing, and report generating system called Cisco Security MARS.

Target Audience

The primary audience for this lab bundle comprises network and system engineers responsible for security solutions deployment and troubleshooting using Cisco Security MARS.

Prerequisite Knowledge

To successfully complete these exercises a knowledge about Cisco Security MARS and configuration on Cisco ASA, IPS-SSM module for Cisco ASA, and Cisco router is needed. This knowledge is best gained by attending the Implementing Cisco Security Monitoring, Analysis, and Response System (MARS) version 3.0 course.