Personally, if cost isn't an issue and you're expecting to sink a high
volume of traffic, I'd suggest that you go for Peakflow SP together
with TMS (it's still ranked as one of the better ones among the rest).
Else the ADM + AGM should work well enough. Generally for the MARS
boxes, I'd propose the same concept: have a dedicated collector and
forward it.
--raymondh
On Apr 13, 2009, at 11:51 PM, James Michael Keller wrote:
Yes, I've crushed a MARS 110 unit with netflow data from around 200
devices. Cisco recommended we switch to a dedicated netflow
collector and then feed the consolidated sessions into MARS rather
than have MARS directly take all the raw netflows (i.e. layer3 switch
flow and router flow having duplicate data for the same flow).
We're on the last 5.x build version before 6.x. Getting ready to
re-build it from a 6.x disk and see if the new SQL backend helps
with some of that until we get a dedicated netflow box in.
---
James Michael Keller
Ryan Hughes wrote:
MARS really isn't positioned to be a Netflow anomaly detection with
the likes of Arbor and others previously mentioned. It's simply a
feature that's in there to help bring into perspective of what's going
on with your Cisco infrastructure from a threat perspective. And I
would definitely be careful with the amount of logs and Netflow that
you send to the device as you can definitely cause it to choke whereby
the device isn't storing enough events for proper correlation.
On Sun, Mar 15, 2009 at 8:03 PM, Justin Shore <[email protected]> wrote:
Roland Dobbins wrote:
On Mar 16, 2009, at 12:39 AM, Roland Dobbins wrote:
Arbor Peakflow SP, Narus Insight Manager, and Lancope StealthWatch Xe
are three commercial NetFlow-based anomaly-detection systems.
I forgot to add Q1 Labs Q1Radar, and I believe NetQoS now have an
anomaly-detection module, as well, though I've not seen it.
How about MARS? I'm trying to get a pair of IDSM2s returned (they
don't work right on 7600s) in exchange for a MARS 110R appliance.
That's roughly the same price. I'm planning on using it for log
analysis. Would its Netflow abilities be useful here?
Justin
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
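
The consolidation step discussed in the thread above (a layer 3 switch and a router both exporting the same flow, collapsed into one session before it is forwarded), sketched as an added example that is not from any poster or from Cisco. The record fields, exporter names, addresses and the 5-second tolerance are constructed assumptions.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "exporter src dst sport dport proto start bytes packets")

def consolidate(flows, tolerance=5):
    """Merge records of one session reported by several exporters.

    Records sharing a 5-tuple whose start times lie within `tolerance`
    seconds of the session's first record are treated as one session.
    Counters are summed per exporter, then the largest per-exporter total
    is kept, so a second vantage point never doubles the byte count.
    """
    current = {}    # 5-tuple -> session currently open for that tuple
    sessions = []
    for f in sorted(flows, key=lambda f: f.start):
        key = (f.src, f.dst, f.sport, f.dport, f.proto)
        s = current.get(key)
        if s is None or f.start - s["start"] > tolerance:
            s = {"key": key, "start": f.start, "seen": {}}
            current[key] = s
            sessions.append(s)
        b, p = s["seen"].get(f.exporter, (0, 0))
        s["seen"][f.exporter] = (b + f.bytes, p + f.packets)
    out = []
    for s in sessions:
        nbytes, npackets = max(s["seen"].values())
        out.append({"key": s["key"], "start": s["start"],
                    "exporters": sorted(s["seen"]),
                    "bytes": nbytes, "packets": npackets})
    return out

# Constructed sample: sw1 (layer 3 switch) and rtr1 (router) both export
# the first flow; the last record reuses its 5-tuple much later.
SAMPLE = [
    Flow("sw1",  "10.0.0.5", "192.0.2.10", 51000, 443, 6, 100, 4200, 10),
    Flow("rtr1", "10.0.0.5", "192.0.2.10", 51000, 443, 6, 101, 4200, 10),
    Flow("sw1",  "10.0.0.6", "192.0.2.10", 51001, 443, 6, 102,  900,  3),
    Flow("rtr1", "10.0.0.5", "192.0.2.10", 51000, 443, 6, 400, 1500,  4),
]

if __name__ == "__main__":
    for session in consolidate(SAMPLE):
        print(session)
```

On the sample, four raw records totalling 10800 bytes become three sessions totalling 6600 bytes, which is the reduction in event volume a downstream correlator would see.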