10-23-2009 10:41 AM - edited 03-09-2019 10:40 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get more information on CSM, MARS, ASDM, IME, CCP, and IronPort SMA with Cisco experts Raghu Kasavaraju and Ziad Sarieddine. Raghu, Product Manager for Cisco Security Manager, has 15 years of extensive experience in IT and he has spent the last 10 years in Information Security Operations, Consulting & Engineering roles. Currently, Raghu is the PM Lead for Cisco Security Manager 4.0 release. Ziad (CCIE Security # 23379) is a security management technologist with expertise in security solutions covering Firewall, IPS, and VPN. Prior to joining Cisco in 2006, Ziad spent 10+ years as a Lead Analyst / Senior Network Engineer designing and installing large networks at different companies.
Remember to use the rating system to let Ziad know if you have received an adequate response.
Ziad might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
11-02-2009 03:37 PM
Thaar,
This is not supported on the ASA today. QoS can be applied based on source/destination traffic match but not user. Will take your request as feedback to the product management team.
Regards,
Ziad
11-02-2009 04:53 PM
Can you please provide more information on your request.
Regards,
Ziad
11-03-2009 09:50 AM
Dear zsariedd
Regarding proxy, I know that the ASA can work as a voice proxy, and a previous comment by rkasavar states that the ASA can work as a proxy server; I want a link to this.
Regarding web content security, we know that the ASA 5520 can have a CSC module. What are the differences between this in the ASA and the IronPort web content security appliance (don't take the number of users into consideration)?
Regarding QoS, I know that it is possible to manage the users' bandwidth using QoS in the ASA by IP address. Is this OK?
Regarding Websense, Cyberoam and Blue Coat, I need to know if the ASA can do their functions even with limited capabilities.
As I said before, I want to manage my local users (2000 users), their bandwidth (e.g. I want to give some of them a 10KB BW) and their downloads (e.g. limit the download for each user to 100 MB). I also want to monitor my users' Internet usage (e.g. I want to know their chatting details).
In summary, I want the functions of Websense, Cyberoam and Blue Coat to be implemented from the ASA 5520. Please give me a link to any document that describes these in the ASA or any other Cisco products. Please give me links.
best regards
thaar al_taiey
11-03-2009 04:02 PM
@thaar.altaiey
Thank you for your interest in Cisco Security - you have many great questions. Please refer to the NetPro Firewall conversations for questions on ASA or feel free to contact your local Support or reseller contact. If you have any additional questions for Cisco Security Management, I am available to answer them.
Regards,
Ziad
11-04-2009 05:16 AM
Dear Ziad
If I had found the answers to my questions in NetPro ASA or from others, I would not be asking the Expert. I posted a message in NetPro about one week ago and nobody replied.
So please, if you could, answer my questions with links on Cisco.com.
best regards
thaar al_taiey
11-03-2009 04:06 PM
@dzingirai
Can you please provide more information on your request.
Regards,
Ziad
11-01-2009 08:31 PM
Hi Raghu and Ziad,
I couldn't find any details on how to use RADIUS Vendor-Specific Attributes (VSA) 26, cisco av-pair, but only some samples like:
cisco-avpair= "shell:priv-lvl=15"
Is there a FULL list of these attributes with correct syntax explained for IOS 12.4 and ASA 8.x anywhere? Your response is much appreciated.
Peng
11-02-2009 02:16 PM
Peng,
Here is a link for RADIUS attributes that you may find useful. For any specific attributes that are not listed, I would suggest working with TAC.
Regards,
Ziad
11-02-2009 07:08 AM
Greetings!
I am interested in receiving feedback on the following information sourced from Gartner and whether there is any truth to the direction Cisco is taking on MARS:
FINDINGS
Cisco has begun to quietly inform its customers of a decision to freeze support for most non-Cisco event sources within its Security Monitoring, Analysis, and Response System (MARS). New versions of non-Cisco vulnerability assessment and firewall technologies will not be supported by MARS, but maintenance (e.g., updates for new signatures) for currently supported versions will continue. Cisco also plans to release MARS support for Windows Server 2007 and Windows Server 2008. Although Cisco has not formally announced its intention to exit the SIEM market, the Cisco sales force is encouraging its MARS customers to find an alternative for log collection and event analysis of non-Cisco event sources.
ANALYSIS
Cisco had widely sold MARS as a SIEM solution that was primarily oriented to network security, and had built the largest SIEM customer base. The technology provides network security monitoring and host activity monitoring, but Cisco had not provided integration for third-party network devices. MARS has supported the major operating system platforms, and it has provided limited third-party security device and application support. Many customers have been using MARS for a combination of network and host activity monitoring to satisfy both network security and compliance use cases.
Cisco's recent decision to freeze support for most non-Cisco event sources means that MARS will become ineffective as a general SIEM solution as new versions of non-Cisco event sources are implemented. Gartner believes Cisco will focus its efforts on improving Cisco's native security management capabilities, long a weak spot across Cisco's product line. MARS customers that require a fully functional SIEM solution will need to transition to an alternative product, while those that were only integrating MARS to Cisco devices should actually see improved focus by Cisco on security management across the Cisco security product line.
WHAT YOU NEED TO KNOW
• Organizations Evaluating SIEM Solutions: Organizations that require host activity monitoring (i.e., monitoring of system, database, and application logs) or monitoring of non-Cisco network or security devices should not consider Cisco MARS.
• Current MARS Customers That Require General SIEM Capabilities: Organizations that are currently using MARS to monitor host activity and non-Cisco security devices and applications should begin planning for a transition to a fully functional SIEM solution.
• Current MARS Customers That Are Focused on Cisco Event Sources: Organizations that are currently using MARS primarily for Cisco event sources can continue to apply MARS to this use case.
RECOMMENDED READING
"Magic Quadrant for Security Information and Event Management"
"Critical Capabilities for Security Information and Event Management Technology"
11-02-2009 01:13 PM
The BU's official response is below.
Regards,
Anil
October 30, 2009
Cisco response to Gartner Research Memo entitled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution”
Summary
• Gartner has alerted its customers that as Cisco continues to focus its security management efforts on Cisco devices, MARS appliances may become less viable for the broad set of “general” SIEM use cases.
• Gartner concludes that Cisco's focus on native management capabilities for our devices is a positive direction.
• For customers with primarily Cisco event sources on their network, Gartner recommends that MARS still provides a strong platform for security threat management (STM) and network behavior analysis (NBA) capabilities.
Details
On October 29th, 2009, Gartner released a research note titled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution.” This note is in response to Cisco's stated direction to focus CS-MARS development on supporting Cisco-built network security devices and critical host operating systems. Non-Cisco network device data and signature updates continue to be supported in CS-MARS for the current versions of these 3rd-party systems.
In the memo, Gartner concludes that “Cisco will focus its efforts on improving Cisco's native security management capabilities,” which they note as a positive direction for Cisco's overall Security portfolio.
In the past, we have encouraged Gartner to break up this crowded space as it encompasses a vast array of use cases spanning compliance reporting, log aggregation, threat identification, and mitigation. While MARS has been placed in the SIEM market, it has never fully covered all aspects of the Gartner-defined space. Over the last year, as we have focused on the core Security Threat Management use cases for Cisco products, Cisco has de-emphasized compliance reporting and non-Cisco devices.
In particular for Cisco customers, it is important to note Gartner's recommendation that MARS continues to provide strong STM and NBA capabilities for Cisco event sources.
11-03-2009 03:26 AM
I have a very simple issue. My VPN client 4.1 software connects to my ADSL router and I can see/access the drives at the remote location. However, it won't connect to the Exchange server. Can you help?
11-03-2009 09:22 AM
Hello Raghu/Ziad,
I would like to know why, unlike with Cisco, it is so difficult to find User/Configuration/Administration guides for Cisco IronPort devices. I spent hours searching for IronPort configuration guides on the Net but didn't find one. Does IronPort have any proprietary laws which restrict them from publishing such information?
Thanks.
11-03-2009 07:07 PM
@tech_trac
We're in the process of adding IronPort documentation to Cisco.com. In the meantime, customers and partners can access the files at the IronPort customer support portal.
http://www.ironport.com/support/
If you are unable to find the info you need, please contact your local Cisco Support or reseller contact.
Regards,
Ziad
11-03-2009 10:17 AM
Hi,
I'm not an expert on Exchange but I believe you need to use a WINS server or LMHOSTS file to specify the IP address for the Exchange server's NetBIOS name. Since your remote PC is not on the local LAN, it will need ways to resolve the name to an IP address.
Hope that helps,
11-03-2009 11:38 AM
Hi, Raghu and Ziad,
According to the CSM User Guide, we should be able to configure the boot image for FWSM. However, this option is not there in V3.2.2. Is it a bug?
Thanks.
Weidong Yan