[unisog] Cisco MARS reviews

Velasquez Venegas Jaime Omar jaime at ulima.edu.pe
Fri Feb 16 19:46:07 GMT 2007


We tested Cisco MARS for a few days. For starters, you should define the
appropriate model of Cisco MARS for your organization. Criteria are based
on events per second and number of devices logging events to MARS.
The list of devices that Cisco MARS can deal with is quite vast (i.e.
switches, routers, firewalls, IDS, etc.). Logging is stored in a built-in
Oracle database and reporting is a task that can be viewed in real time,
customized or stored.
Some of the reports we tested were those regarding DoS attacks,
malware and intrusion attempts, and they didn't take too long considering
they involved hours of data collecting from devices such as firewalls
and IDS. Some other reports couldn't be generated, though, because it took
too much time or because we didn't have a specific device added to
Cisco MARS. There is one feature I liked, which was the option to shut
down a switch port that was being threatened by some kind of attack.
There are plenty of options to customize your reports and you can save
them if you think it would be useful later.
As for backup/restore functions, you need another Cisco MARS appliance in
order to restore data previously backed up. Obviously you can restore
data to the only box you have, but since there's no chance to store
backed up data and real time data from logging at the same time, this
is a drawback.
 
I hope this helps.
 
Jaime Velasquez
 
 
 
________________________________

From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Abdul Q. Haamid
Sent: Monday, February 12, 2007 07:03 a.m.
To: unisog at lists.dshield.org
Subject: [unisog] Cisco MARS reviews


I am starting to research the Cisco/Protegos MARS product. Has anyone
implemented the product? If so, what do you think of the product's
performance? How good are the reporting facilities?


Thanks,

Abdul Q. Haamid
WCMC-Q





