Table Of Contents
Configuring the Adaptive Security Appliance for Use with MARS
Taskflow for Configuring MARS to Monitor Adaptive Security Appliances
Enabling Administrative Access to MARS on the Adaptive Security Appliance
Adding an Adaptive Security Appliance to Monitor
Adding Security Contexts
Adding Discovered Contexts
Editing Discovered Contexts
Setting the Logging Severity Level for Syslog Messages
Syslog Messages That Are Processed by MARS
Configuring Specific Features
Configuring the Adaptive Security Appliance for Use with MARS
MARS centrally aggregates logs and events from various network devices, including ASAs, which you can analyze for use in threat mitigation. MARS supports the following ASA versions: 7.0(7), 7.2(2), 7.2(3), 8.0(2), and 8.2(1).
This appendix describes how to configure the ASA and add it to MARS as a reporting device, and includes the following sections:
•
Taskflow for Configuring MARS to Monitor Adaptive Security Appliances
•Enabling Administrative Access to MARS on the Adaptive Security Appliance
•Adding an Adaptive Security Appliance to Monitor
•Setting the Logging Severity Level for Syslog Messages
•Syslog Messages That Are Processed by MARS
•Configuring Specific Features
For more information about configuring devices and software to work with MARS, see the Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller document and the User Guide for Cisco Security MARS Local Controller.
Taskflow for Configuring MARS to Monitor Adaptive Security Appliances
The taskflow for configuring MARS to monitor the ASA includes the following steps:
1. Configure the ASA to accept administrative sessions from MARS to discover settings. Configure this setting in the admin context.
2. Configure the ASA to publish its syslog messages to MARS. Configure this setting for the admin context and for each security context defined.
Note Each context requires a unique, routable IP address for sending syslog messages to MARS, and each context must have a unique name (usually in the hostname.domain name format).
3. To enable MARS to accept syslog message event data and to collect configuration settings from the ASA, perform the following tasks:
–Enable logging for one or more interfaces.
–Select the logging facility and queue size.
–Specify the logging severity level as debugging (7) or indicate the desired severity level.
–Identify the target MARS appliance, and the protocol and port pair on which it listens.
4. Within the MARS web interface, perform the following steps:
–Define the ASA by providing the administrative connection information.
–Define security contexts. For more information, see the "Adding Security Contexts" section.
–Add discovered contexts. For more information, see the "Adding Discovered Contexts" section.
–Edit discovered contexts. For more information, see the "Editing Discovered Contexts" section.
Enabling Administrative Access to MARS on the Adaptive Security Appliance
To enable administrative access to MARS on the ASA, perform the following steps:
Step 1 To enable the MARS appliance to discover the ASA settings through SSH access, enter the following commands:
hostname# crypto key generate rsa modulus modulus
where modulus is the RSA modulus size specified in bits
hostname# ssh mars_ip netmask of the mars_ip interface name
where mars_ip is the IP address of the MARS appliance, netmask of the mars_ip is the netmask of the MARS appliance, and interface name can be inside, outside, or DMZ.
Step 2 To enable the MARS appliance to discover the ASA settings through Telnet access, enter the following command:
hostname# telnet mars_ip netmask of the mars_ip interface name
where mars_ip is the IP address of the MARS appliance, netmask of the mars_ip is the netmask of the MARS appliance, and interface name can be inside, outside, or DMZ.
Step 3 To enable the MARS appliance to discover the ASA settings through FTP access, make sure that you have added the MARS appliance configuration file to an FTP server.
Note If you choose the FTP access type, the MARS appliance cannot discover the non-admin context settings. Therefore, we do not recommend using this access type.
Step 4 To enable MARS to act as a target logging host, configure the ASA to publish syslog messages to MARS by entering the following commands:
hostname(config)# logging host interface name mars_ip
where mars_ip is the IP address of the MARS appliance and interface name can be inside, outside, or DMZ.
hostname(config)# logging trap 7
hostname(config)# logging enable
Note Make sure that you set the logging severity level to 7 (debugging), or configure the ASA to generate the desired set of syslog messages. The logging severity level generates the syslog message details that are required to track session-specific data.
Debugging messages are recommended for troubleshooting. The debugging logging severity level includes all alert, critical, error, warning, notification, and informational messages. This logging severity level also generates logs that identify the commands that are issued during FTP sessions and the URLs that are requested during HTTP sessions. If the ASA cannot sustain debugging-level messages because of performance considerations, use the informational logging severity level (6). For more information, see the "Setting the Logging Severity Level for Syslog Messages" section.
In addition, do not use the EMBLEM format for syslog messages.
Step 5 To allow MARS to discover CPU usage and related information, enable the SNMP RO community string for the ASA by entering the following command:
hostname(config)# snmp-server host interface mars_ip poll community community
where interface can be inside, outside, or DMZ, mars_ip is the IP address of the MARS appliance, and community is the SNMP RO community string.
Step 6 Repeat Step 4 for each admin context and security context defined.
Adding an Adaptive Security Appliance to Monitor
Events that are published by a reporting device (the ASA) to MARS are not inspected until the reporting IP address of the ASA is defined in the MARS web interface.
To add an ASA to monitor, perform the following steps:
Step 1 In the MARS web interface, click Admin > System Setup > Security and Monitor Devices > Add.
Step 2 Choose the correct version of the ASA from the Device Type drop-down list. The basic device type represents the admin context.
Step 3 Specify values for the following Device Access fields:
Tip To enable SSH discovery, the MARS appliance must authenticate to the ASA. The default username is "pix" and the password is the one that you specified for the password command (unless you use AAA).
•Device Name, which MARS maps to the reporting IP address
•Access IP, which is usually the same as the reporting IP address
•Reporting IP, which is the interface that publishes syslog messages or SNMP notifications, or both
•Access Type
•Login
•Password
•Enable Password
•(Optional) SNMP RO, which allows MARS to retrieve MIBs that are related to CPU usage and network usage
•(Optional) Monitor Resource Usage (requires the SNMP RO setting), which allows MARS to monitor for anomalous consumption of resources, such as memory and CPU
Step 4 Click Discover to determine the ASA settings, including any security contexts and their settings.
Step 5 Click Submit to save these settings in the MARS database.
Step 6 Click Activate to load these settings into the MARS appliance working memory.
Step 7 Choose Summary > Dashboard.
Step 8 Under the Hotspot Graph, click Full Topology Graph, and verify that the selected ASA appears.
Adding Security Contexts
To add security contexts, perform the following steps:
Step 1 In the MARS web interface, click Add Module.
Step 2 Choose the correct version of the ASA from the Device Type drop-down list.
Step 3 Enter the name of the ASA in the Device Name field.
Step 4 Enter the name of the security context in the Context Name field. This name must match the context name defined on the ASA.
Step 5 Enter the IP address of the security context from which syslog messages or SNMP notifications, or both are published in the Reporting IP field.
Step 6 (Optional) Enter the ASA read-only community string in the SNMP RO Community field.
Step 7 Click Discover to discover the settings of the defined security context. MARS collects all route, NAT, and ACL-related information.
Step 8 Click Submit to save these settings in the MARS database.
Adding Discovered Contexts
To add discovered contexts, perform the following steps:
Step 1 In the MARS web interface, click Add Available Module.
Step 2 Choose the security context from the Select drop-down list, and click Add.
Step 3 Click Submit to save these settings in the MARS database.
Step 4 Repeat these steps for each discovered context.
Editing Discovered Contexts
To edit discovered contexts, perform the following steps:
Step 1 In the MARS web interface, choose the discovered context that you want to edit according to the selected device type.
Step 2 Click Edit Module.
Step 3 Enter the IP address from which the syslog messages of the security context are sent in the Reporting IP field.
Step 4 (Optional) Enter the ASA read-only community string in the SNMP RO Community field.
Step 5 (Optional) To enable MARS to monitor this context for anomalous resource usage, click Yes from the Monitor Resource Usage list.
Step 6 Click Submit to save these settings in the MARS database.
Step 7 Repeat these steps for each discovered context.
Setting the Logging Severity Level for Syslog Messages
You can change the logging severity level of the required syslog messages or turn off specific syslog messages using the logging message command. For more information, see Chapter 74 "Configuring Logging."
Syslog Messages That Are Processed by MARS
MARS can correctly parse syslog messages at customized logging severity levels. Therefore, you can set syslog messages to a lower logging severity level (for example, logging severity level 6). By changing the logging severity level for syslog messages, you can reduce the logging load on the ASA by 5-15%. However, the primary consumer of resources are the session detail events.
MARS processes the following syslog messages, which are required for correct sessionization. If you change the logging severity level of the ASA, make sure that these syslog messages are generated at the new logging severity level so that the MARS appliance can receive them.
Table E-1 lists the syslog message classes, their definitions, and the ranges of syslog message numbers that are processed by MARS.
Table E-1 Syslog Message Classes and Associated Message Numbers
Class
|
Definition
|
Syslog Message Numbers
|
auth
|
User Authentication
|
109001-109003, 109005-109008, 109010-109014, 109016-109034, 113001, 113003-113020, 114001-114020, 611101-611104, 611301-611323
|
bridge
|
Transparent Firewall
|
110001
|
ca
|
PKI Certification Authority
|
717001-717019, 717021-717038
|
config
|
Command Interface
|
111001, 111003-111005, 111007-111009, 111111, 112001, 208005, 308001-308002, 504001-504002, 505001-505013, 506001
|
e-mail
|
E-mail Proxy
|
719001-719026
|
dap
|
Dynamic Access Policies
|
734
|
ha
|
High Availability (Failover)
|
101001-101005, 102001, 103001-103005, 104001-104004, 105001-105011, 105020-105021, 105031-105032, 105034-105040, 105042-105048, 210001-210003, 210005-210008, 210010, 210020-210022, 311001-311004, 709001-709007
|
ip
|
IP Stack
|
209003-209005, 215001, 313001, 313003-313005, 313008, 317001-317005, 322001-322004, 323001-323006, 324000-324007, 324300-324301, 325001-325003, 326001-326002, 326004-326017, 326019-326028, 327001-327003, 328001, 329001, 331001-331002, 332003-332004, 333001-333010, 334001-334008, 335001-335014, 408001-408003, 410001-410004, 411001-411004, 412001-412002, 413001-413004, 416001, 417001, 417004, 417006, 417008-417009, 418001, 419001-419002, 421001-421007, 422004-422006, 423001-423005, 424001-424002, 431001-431002, 450001, 507001-507002, 508001-508002, 509001
|
ipaa
|
IP Address Assignment
|
735
|
ips
|
Intrusion Protection Service
|
400000-400050, 401001-401005, 415001-415020, 420001-420003
|
np
|
Network Processor
|
319001-319004
|
npssl
|
NP SSL
|
725001-725014
|
ospf
|
OSPF Routing
|
318001-318009, 409001-409013, 409023, 503001, 613001-613003
|
rip
|
RIP Routing
|
107001-107003, 312001
|
rm
|
Resource Manager
|
321001-321004
|
session
|
User Session
|
106001-106002, 106006-106007, 106010-106027, 106100-106101, 108002-108003, 108005, 201002-201006, 201008-201013, 202001, 201005, 202011, 204001, 302001, 302003-302004, 302007-302010, 302012-302023, 302302, 303002-303005, 304001-304009, 305005-305012, 314001, 405001-405002, 405101-405107, 405201, 405300-405301, 406001-406002, 407001-407003, 500001-500004, 502101-502103, 502111-502112, 607001-607002, 608001-608005, 609001-609002, 616001, 617001-617004, 620001-620002, 621001-621003, 621006-621010, 622001, 622101-622102, 703001-703002, 710001-710006, 726001
|
snmp
|
SNMP
|
212001-212006
|
sys
|
System
|
199001-199003, 199005-199009, 211001, 211003, 216003, 217001, 218001-218004, 219002, 315004, 315011, 414001-414002, 604101-604104, 605004-605005, 606001-606004, 610001-610002, 610101, 612001-612003, 614001-614002, 615001-615002, 701001-701002, 711001-711002
|
vpdn
|
PPTP and L2TP Sessions
|
213001-213004, 403101-403104, 403106-403110, 403500-403507, 603101-603109
|
vpn
|
IKE and IPSec
|
316001, 320001, 402101-402103, 402106, 402114-402120, 402123, 404101-404102, 501101, 602101-602104, 602201-602203, 602301-602304, 702201-702212, 702301-702303, 702305, 702307, 713004, 713006, 713008-713010, 713012, 713014, 713016-713018, 713020, 713022, 713024-713037, 713039-713043, 713047-713052, 713056, 713059-713063, 713065-713066, 713068, 713072-713076, 713078, 713081-713086, 713088, 713092, 713094, 713098-713099, 713102-713105, 713107, 713109, 713112-713124, 713127-713149, 713152, 713154-713172, 713174, 713176-713179, 713182, 713184-713187, 713189-713190, 713193-713199, 713203-713206, 713208-713226, 713228-713251, 713900-713906, 714001-714007, 714011, 715001, 715004-715009, 715013, 715019-715022, 715027-715028, 715033-715042, 715044-715072, 715074-715079
|
vpnc
|
VPN Client
|
611101-611104, 611301-611323, 722001-722038
|
vpnfo
|
VPN Failover
|
720001-720073
|
vpnlb
|
VPN Load Balancing
|
718001-718081, 718084-718088
|
webvpn
|
Web-based VPN
|
716001-716056, 723001-723014, 724001-724002
|
Configuring Specific Features
You can configure ASAs to act as reporting devices and manual mitigation devices, because they perform multiple roles on your network. MARS can benefit from configuration of the following features:
•The built-in IDS and IPS signature matching features can be critical in detecting an attempted attack.
•The logging of accepted, as well as denied sessions, aids in false positive analysis.
•Administrative access ensures that MARS can obtain critical data, including the following:
–Route and ARP tables, which aid in network discovery and MAC address mapping.
–NAT and PAT translation tables, which aid in address resolution and attack path analysis, and expose the actual instigator of attacks.
–OS settings, from which MARS determines the correct ACLs to block detected attacks, which you can use in a management session with the ASA.
Feedback
