CS-MARS Version 5.2.4.2487 is an intrusion detection system analyzer [security event monitoring product] that collects data from reporting devices within a distributed network, then analyzes the data to detect incidents. The CS-MARS (Cisco Secure Monitoring, Analysis, and Response System) appliance collects events from a long list of compatible devices (specified in the Security Target) that includes routers, switches, firewalls, vulnerability scanners, VPN devices, antivirus applications, Windows, Solaris, RedHat Linux, web servers, web proxies, Oracle database server, Cisco ACS, syslog clients, SNMPv1 clients, host IDS applications, and network IDS sensors. All of these devices act as sensors to the CS-MARS appliance.
\r\nThe CS-MARS appliances receive event messages, or pull raw data in the form of device logs, alerts, events, and NetFlow communications generated by the sensors. In the context of raw data, an ‘event’ or ‘event data’ is an audit record or set of records generated by the reporting device, and is not to be confused with alerts that are generated by the CS-MARS appliance. The CS-MARS appliance compares collected data to security policies created by the CS-MARS administrator to identify possible attacks, security incidents, or other indications of intrusions across the network segments monitored by the reporting devices.
\r\nCS-MARS is also capable of compiling configuration information from the sensing networking devices to create a network topology to aid administrators in the analysis of events, and to enable modeling of packet flow throughout the entire network. As raw data is received, it is analyzed within the context of the network topology, and events are correlated and matched to the security policies mentioned above to identify security incidents. CS-MARS can send alert notifications, including emails and pages, to immediately notify individuals of incidents as they are detected.
\r\nA web based interface is available to MARS administrators and operators to view event data, modify the configuration, or generate reports. The web interface visually presents summarized and detailed accounts of each identified security incident. A topology map can be used to indicate hotspots, incidents, the full attack paths, and rule matches. CS-MARS stores raw data collected from sensors to allow for later review, or for generation of reports. Real-time and ad hoc queries can be run that support additional analysis of stored information. Reports can be generated using pre-defined report formats, or customizable formats.
\r\n\r\n
The following table identifies supported devices and protocols:
\r\nSupported Devices
\r\n\r\n
| Type | \r\nVendor | \r\nVersions | \r\nConfiguration retrieval protocol | \r\nRaw Data retrieval protocol | \r\nPushed to TOE or Pulled from Sensor | \r\n
|---|---|---|---|---|---|
| \r\n Router / Switch \r\n | \r\n \r\n Cisco IOS \r\n | \r\n \r\n 11.x, 12.x \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device), \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n NetFlow v1,v3,v5,v7 \r\n | \r\n \r\n Pushed \r\n | \r\n ||||
| \r\n Cisco CatOS \r\n | \r\n \r\n 6.x \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Extreme Extremeware \r\n | \r\n \r\n 6.x \r\n | \r\n \r\n SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Firewall \r\n | \r\n \r\n Cisco PIX \r\n | \r\n \r\n 6.0, 6.1, 6.2, 6.3, 7.0 \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n Cisco ASA \r\n | \r\n \r\n 7 \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Cisco FWSM \r\n | \r\n \r\n 1.1, 2.1, 2.2, 2.3 \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Cisco IOS FW Feature \r\n | \r\n \r\n 12.2(T) and later \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Netscreen \r\n | \r\n \r\n 3.0, 4.0, 5.0 \r\n | \r\n \r\n SSHv1 or SSHv2, SNMPv1 \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Checkpoint FW1 \r\n | \r\n \r\n FP3, FP4, AI \r\n | \r\n \r\n CPMI \r\n | \r\n \r\n LEA (from Log Server or Management Server) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n \r\n | \r\n \r\n Nokia Firewall (running Checkpoint) \r\n | \r\n \r\n FP3, FP4, AI \r\n | \r\n \r\n CPMI \r\n | \r\n \r\n LEA (from Log Server or Management Server) \r\n | \r\n \r\n Pulled \r\n | \r\n
| \r\n VPN \r\n | \r\n \r\n Cisco VPN 3000 \r\n | \r\n \r\n 4.0, 4.7 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from device) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n Network IDS \r\n | \r\n \r\n Cisco NIDS, IDSM \r\n | \r\n \r\n 3.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n POP (from device) \r\n | \r\n \r\n Pulled \r\n | \r\n
| \r\n Cisco NIDS, IDSM \r\n | \r\n \r\n 4.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n RDEP (from device) \r\n | \r\n \r\n Pulled \r\n | \r\n |
| \r\n Cisco IPS, ASA module \r\n | \r\n \r\n 5.0, 5.1 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SDEE (from device) \r\n | \r\n \r\n Pulled \r\n | \r\n |
| \r\n Cisco IOS IPS \r\n | \r\n \r\n 12.2 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SDEE (from device) \r\n | \r\n \r\n Pulled \r\n | \r\n |
| \r\n McAfee Intrushield \r\n | \r\n \r\n 1.5, 1.8 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Management Server) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Netscreen IDP \r\n | \r\n \r\n 2.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Management Server) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Symantec Manhunt \r\n | \r\n \r\n 4.0 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n ISS RealSecure \r\n | \r\n \r\n 6.5, 7.0 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Snort \r\n | \r\n \r\n 1.x, 2.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from Device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Enterasys Dragon \r\n | \r\n \r\n 6.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from Manager) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Host IDS \r\n | \r\n \r\n Cisco CSA \r\n | \r\n \r\n 4.0, 4.5 \r\n | \r\n \r\n \r\n | \r\n \r\n SNMP (from CSA MC) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n McAfee Entercept \r\n | \r\n \r\n 2.5, 4.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Management Server) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n ISA RealSecure Host Sensor \r\n | \r\n \r\n 6.5, 7.0 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Anti-virus \r\n | \r\n \r\n Symantec AV \r\n | \r\n \r\n 9.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Management Server) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n \r\n | \r\n \r\n CICC, Trend Micro OPS \r\n | \r\n \r\n 11.x- Prg 7.5 –Engine \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from CICC Server) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n \r\n | \r\n \r\n Network Associates \r\n | \r\n \r\n 8.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SNMP (from Management Server) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n Vulnerability Assessment \r\n | \r\n \r\n E-eye REM \r\n | \r\n \r\n 1.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n JDBC (MS SQL) (from REM server) \r\n | \r\n \r\n Pulled \r\n | \r\n
| \r\n Qualys \r\n | \r\n \r\n 3.4 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n HTTPS \r\n | \r\n \r\n Pulled \r\n | \r\n |
| \r\n Foundstone Foundscan \r\n | \r\n \r\n 4.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n JDBC (MS SQL) (from Management Sever) \r\n | \r\n \r\n Pulled \r\n | \r\n |
| \r\n Host OS \r\n | \r\n \r\n Windows \r\n | \r\n \r\n NT, 2000, 2003 \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from SNARE agent) or MS-RPC event pull \r\n | \r\n \r\n Pulled ( in case of MS_RPC) \r\n | \r\n
| \r\n Solaris \r\n | \r\n \r\n 8.x, 9.x, 10.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from Device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Redhat Linux \r\n | \r\n \r\n 7.x, 8.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from Device) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Web Server \r\n | \r\n \r\n Microsoft IIS \r\n | \r\n \r\n ANY \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from SNARE agent) \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n Sun iPlanet \r\n | \r\n \r\n ANY \r\n | \r\n \r\n N/A \r\n | \r\n \r\n HTTP (from Protego Agent) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Apache \r\n | \r\n \r\n ANY \r\n | \r\n \r\n N/A \r\n | \r\n \r\n HTTP (from Protego Agent) \r\n | \r\n \r\n Pushed \r\n | \r\n |
| \r\n Web proxy \r\n | \r\n \r\n NetApp Netcache \r\n | \r\n \r\n \r\n | \r\n \r\n N/A \r\n | \r\n \r\n HTTP \r\n | \r\n \r\n Pushed \r\n | \r\n
| \r\n Database \r\n | \r\n \r\n Oracle \r\n | \r\n \r\n 9i, 10g \r\n | \r\n \r\n N/A \r\n | \r\n \r\n SQLNet (from Host) \r\n | \r\n \r\n Pulled \r\n | \r\n
| \r\n AAA \r\n | \r\n \r\n Cisco ACS \r\n | \r\n \r\n 3.x \r\n | \r\n \r\n N/A \r\n | \r\n \r\n Syslog (from Protego Agent) \r\n | \r\n \r\n Pushed \r\n | \r\n
Note: Some of the sensor devices supported by the evaluated product use non-secure protocols (HTTP, Syslog, SNMPv1, OPSEC-LEA, OPSEC-CPMI, POP, MS-RPC, SQLNet) for raw data transfer to CS-MARS. The authorized administrator must ensure that appropriate measures are taken in the IT Environment to protect this data in transit.
\r\nThe evaluation was carried out in accordance with the Arca Common Criteria Test Laboratory processes and procedures that are compliant with the Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation demonstrated that the Auditing, Identification and Authentication, External Device Communication, Administration, Reporting, Analysis, Reaction, and Self Protection of CS-MARS met the security requirements contained in the Security Target. The criteria against which CS-MARS was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3 Part II and Part III. The evaluation team conducted the evaluation using the Common Methodology for Information Technology Security Evaluation, Version 2.3.
\r\nArca CCTL concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL) 2 have been met. The product, configured as outlined in the Secure Installation Guidance (Installation, Generation, and Start-Up Documentation), satisfies all of the security functional requirements stated in the Security Target. A Validation Team, on behalf of CCEVS, monitored the evaluation, which completed in June 2008. Results of the evaluation can be found in the Validation Report prepared by the National Information Assurance Partnership (NIAP) CCEVS Validation Team.
","environmental_strengths":"Remote administration of Global and Local Controllers requires secure channels using SSLv2 or SSLv3. Connectivity between a Global Controller and Local Controllers uses SSLv3.
\r\nNote: The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor
","features":[]}