Home > Articles > Cisco Network Technology > General Networking > Securing the Cisco Security Monitoring, Analysis, and Response System

Securing the Cisco Security Monitoring, Analysis, and Response System

Chapter Description

This chapter describes recommendations for securing MARS appliances, both physically and electronically.

Security Management Network

As a best practice, you should create a network as a security management network if you don't already have one. This network should contain various servers used for administering and monitoring the security of your network. The entire network should be protected by a firewall and IDS/IPS. Access to it should be tightly restricted, and any remote access to it should be through a Virtual Private Network (VPN).

Examples of hosts that should reside on this network include the following:

  • MARS global controller (GC)
  • MARS local controller (LC), if practical
  • MARS archive server
  • Firewall management consoles, such as Cisco Security Manager or Check Point SmartCenter
  • IDS/IPS/HIPS management consoles
  • Any existing syslog servers
  • Vulnerability scanning hosts

The systems that reside on your management networks are some of the most sensitive in your organization. They often contain the keys to the kingdom, and for this reason, the management networks are targets of attackers. After an attacker has compromised a host on a management network, an open freeway often exists to other systems because of the trust assigned to hosts on the management network.

Don't cut corners on network hardware that you use on your security management network. Install switches that support security features. You might want to consider configuring features such as private VLANs, which provide isolation between hosts on the same network. Other switch security features, such as the capability to prevent VLAN hopping, should also be considered.

4. MARS Communications Requirements | Next Section Previous Section