Gary,

A couple of points on Cisco CS-MARS 100 that I know from personal experience with it over the last year:

1. It can process a boatload of data from a lot of devices - very cool.

2. Reporting needs more flexibility and more speed. On the flexibility front, if I want to simply grab a device's raw output for the last 24 hours and that output is of a significant size (more than a thousand rows), I have to resort to dumping raw logs because queries have pre-defined limits and the reporting engine automatically performs summarization, which I often don't want. Both MARS documentation and Cisco TAC confirm this as intentional behavior. Thus, I can't generate non-summarized data on a scheduled basis. On the speed front, it's not super-quick for grabbing anything of decent size, whether querying or reporting. There aren't a lot of suggestions in the doc for tuning/maintenance (yes, even in the 4.x doc) or indications via the CLI for disk space usage, in case the disk is (getting) full.

3. The MARS OS is a Linux distro but users can't get to the actual OS. This wouldn't normally be a problem, but there was a bad MARS build that was published recently, yanked within a day or so, and then required a TAC engineer to remotely login to the MARS box to fix it. This is contrary to every other Cisco device, including Linux-based 42xx IDS/IPS, that I've worked with.

Aside from the issues noted above, I think SIMs are great tools for bringing many devices' data together for easier analysis and can really help the typically-understaffed security personnel in the right environment.

Brent Stackhouse
VP of Security
Solis Security, Inc.
Austin, Texas
www.solissecurity.com
