It seems to me that the different product groups WITHIN CISCO's SECURITY UNIT are incapable of cooperating. Compare what's suggested that we run (version-wise) with what's supported by CSM and CS-MARS, throw in a pinch of bugs that prevent running version x.y in your environment, and you have a bunch of same-branded stuff that can't be managed with a single set of tools, despite the fact that the tools were purchased for the express purpose of consolidating management. In my opinion, it's well past "starting to be a joke". Cisco's laughing all the way to the bank.
MARS 4.3 will support IPS 6.0, and it is due out in Aug/Sept 2007.
With MARS 4.2, there is no "IPS 6.x" in device type yet, but you can use the "IPS 5.x" device type instead. MARS will still process known signatures for IPS 6.x.
Only the new signatures for IPS 6.x that MARS does not know about will be shown as unknown event types.
You can still use keyword search to search those new signatures and build a rule on them.
As much as I am not an apologist for Cisco, I just want to point out that we do not live in a perfect world.
In a perfect world all Cisco (or any other vendor) security products would be released at the appropriate times and would work together flawlessly.
Unfortunately, this is never going to happen. Why spend time carping about this or envying the fact that Cisco is an extraordinarily rich company? It's all kind of like swallowing poison and hoping that your nemesis dies.
Instead, be glad that you have a legitimate forum for airing your gripes and that many people from Cisco read your comments. I can guarantee that they agree with you 100%. I have been present plenty of times when Cisco has had to eat crow regarding similar issues. They don't like it and you wouldn't either if you were in their shoes.
Please continue to keep Cisco honest with your criticism though also look for the workarounds posted in this forum to help keep your sanity. The one suggested above regarding IPS 6.0 and MARS is legitimate and I'll vouch for having seen it work in a production environment.
Thanks for letting me put my 2 cents into this discussion!
So let me get this straight: Cisco released a product (IPS 6.0) in November 2006 and their flagship reporting/analysis tool (MARS) isn't going to support it until September 2007, nearly a year later. The workaround is to have the customer sift through the MARS Unknown Event log and look for IPS 6.0 events that fired but weren't recognized. Then the customer needs to create standalone "one off" rule to handle that Unknown Event, however that rule can't integrate into existing system-defined MARS event groups or Event reports. Each firing of the custom IPS 6.0 rule will create its own stand-alone incident and will not integrate/correlate to any other MARS events/incidents. (Please correct me if I'm wrong here.)
Tell me why I'm paying $$$ thousands in IPS and MARS support again? Tell me why Cisco can't even create the "one off" rules themselves to hold us over until they finally get around to integrating IPS 6.0 into MARS. Tell me that we all won't be in the EXACT same situation when IPS 7.0 comes out, and we have to wait another year for MARS to support it?!
Tell me why I still don't have the ability to mass-configure IPS 6.0 sensors, five months after 6.0's release and nearly a YEAR after CSM 3.0 was released? (Yes, CSM 3.1 is due soon, but it's still LATE.)
Tell me why Cisco is releasing marketing info like this (dated Feb 07) when some of the products are months away from release and/or full integration:
I don't think it's too much to ask to have products supported by their respective management applications in a timely manner, and to hold a vendor to the claims they made during the sales cycle.
"The workaround is to have the customer sift through the MARS Unknown Event log and look for IPS 6.0 events that fired but weren't recognized"
This is just as much an issue with the 5.x sensors. MARS is usually weeks/months behind the latest sigs. If you haven't solved this problem in the 5.x environment, you could be missing alarms for the most recent signatures. AFAICT, you're no better or worse off with 6.x.
"then the customer needs to create standalone "one off" rule to handle that Unknown Event"
Create a single rule to fire on any unknown events. Yes, it sucks and it's pretty sad that Cisco can't upgrade MARS and IDS/IPS concurrently. When we see an unknown event incident, we investigate it just like any other. We tend not to rely too much on MARS for those details anyway. I agree that it is silly for Cisco to not support v6 by now and to not have concurrent MARS/IDS signature updates.
"Each firing of the custom IPS 6.0 rule will create its own stand-alone incident and will not integrate/correlate to any other MARS events/incidents. (Please correct me if I'm wrong here.)"
This is true, but is usually the case anyway. How many times have you had an incident with a NIDS alarm that also contained other useful events? I can't recall a single one in our environment; maybe there's been some, but it's pretty rare.
"I don't think it's too much to ask to have products supported by their respective management applications in a timely manner, and to hold a vendor to the claims they made during the sales cycle."
Agreed 100%. We gave up on Cisco in this department a long time ago (i.e. VMS) and wrote our own management application. It's surprisingly easy when you don't have to try and support everything and the kitchen sink.
Are you willing/able/interested in sharing that application?
I'm not sure what the system requirements are, but I have a MARS-100 server that's probably up to the task... heck, if we had a useful application to run on the MARS-100 box it might even save it from its future as a boat anchor in Long Island Sound.
Developed at work, so I can't share it. It currently doesn't work with v6 anyway. v6 is decidedly more complicated because of the possibility of multiple virtual sensors. Cisco started encrypting some of the config files too. Plus, I've heard that the new management product is much better than VMS.
re: MARS 100e...I'm not sure the 100e would make a very good boat anchor either, perhaps a door stop?
Oh, I agree totally. Cisco really falls down hard in the security market. There is so much potential here but until they get their act together and start acting as a single, cohesive unit then their security offerings are a joke. Individually, things are okay I guess but who wants to piece their security platform together? I need a single enterprise-level security solution and what I have is definitely not that.
Can anybody from Cisco tell us when CSM 3.1 is going to be released? There is already a patch for it in the downloads but not the 3.1 product. What gives???
BTW - Why don't you like the Mars 100e? I was looking to get one of those (despite the obvious shortcomings listed here) but maybe I should rethink this decision?
3.1 is already released, isn't it? I thought I downloaded all 700MB+ of it the other day.
I was just joking about the 100e. I'm often critical of CSMARS, but in the end we're able to do a heck of a lot more with it than the previous SIM we used...if for no other reason than we don't have to buy a license every time we want to monitor a device. The per device license model that most SIM vendors use is a joke. Kudos to Protego/Cisco for breaking that mold.
Although heavy, the CSMARS box just isn't shaped well to be used as an anchor.
Whew! You had me worried. ;-)
CSM 3.1 must have been released because I've seen so many people talk about it but all I find in the downloads section is the 3.0.x stuff and a 3.1 patch...no 3.1 app. Maybe they pulled it for some reason or maybe I'm looking in the wrong place? I do own VMS/CSM so I should see it with my account.
Summary: If activities were pending in the Cisco Security Manager version 3.0.1 database, customers upgrading from version 3.0.1 to version 3.1 may experience database corruption.
Yeah, I saw the announcement as well. I've been waiting to install 3.1 for IPS 6.x support, so the bug wouldn't have hit me. It would have been nice for them to have kept it out there and just posted it with warnings about pending activities instead of doing a "Chicken Little" and pulling it altogether.