07-16-2008 10:30 AM
If you allow Mars to ssh to devices, does it still need snmp RW access?
I ask this because, while reading the Cisco Press - Understanding Security - MARS, it says to give Mars a RW snmp string on each devices. But the user guide says to only create RO strings. I would like our Mars to function at its fullest potential without unnecessary configurations.
Since I know Mars will not block things till I tell it to, I would like to setup ssh without snmp RW.
07-16-2008 11:34 AM
Hi Ben,
To answer your question:
From my experience if you want MARS to function to its fullest potential then use SNMP RO strings so MARS can discover the network topology.
MARS can also be configured to SSH to devices in order to provide a mitigation solution.
I prefer that MARS understands topology as opposed to having it be my tool for mitigating problems. I don't configure MARS for mitigation because it is very easy for an inexperienced admin to accept a MARS recommendation and then have them disable a trunk port, instead of only an access port.
Hope this helps.
Paul
07-17-2008 01:38 AM
The 'RW' strings are used to perform mitigation on the switches (Cisco). Normally RO strings are enough. By giving MARS SSH/Telnet access you also let MARS import 'configurations' into its database to have a better understanding of the network. This is particularly important if you are running FWSM/IDSM modules or want to sessionalize events when NAT etc. are employed.
Regards
Farrukh
07-17-2008 04:05 AM
Hi Farrukh
Thanks for your spot-on answer and clarification to my post.
07-17-2008 09:37 AM
I'm not sure I understand how SSH/telnet access is required in any way for sessionization. The events provide all the relevant data necessary for this. I don't understand, outside of mitigation, why that same information (routing tables, CAM tables, etc) can't be pulled via SNMP. One of the biggest challenges we have always had with MARS is the lack of appropriate details that tie specific functionality with access requirements. When you're in a larger enterprise, these details really start to matter because other areas "own" the devices and simply stating that something is required so MARS can run at "level n" doesn't cut it.
sigh...I'll climb down off my soabox now.
07-18-2008 04:24 AM
Well this is what a Cisco SE told us in one'Partner Training' :).
I myself faced an issue with a CAT6513 not showing SVIs properly (resulting in a disconnected MARS network map). As soon as I gave SSH/Telnet accesss to the core switch, MARS was able to discover the SVI's. Faced similar issues with Netscreen ISG Redundant interfaces.
Regards
Farrukh
07-18-2008 04:55 AM
Oh yes, Cisco is great about being saying you need it, just not why.
For creating network maps, I totally get it. Our network is way to big for them to be useful though, so I don't even worry about that feature.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide