Security of Cisco security monitoring, analysis, and response systems (1)

Source: Internet
Author: User
Tags: cisco security

Bkjia.com exclusive Article: The Cisco Security Monitoring, Analysis, and Response System (MARS) is a key component of Cisco's network security architecture. It helps a user's security and network organizations identify, manage, and defend against security threats. It leverages the user's existing security investments to identify and isolate illegitimate activity and recommends the correct measures to eliminate the threat. But how should the security of MARS itself be ensured? This article discusses the methods and measures for securing MARS.

A Security Information Management (SIM) system can hold a large amount of sensitive information, because it receives event logs from the network security systems, and those logs contain information that can be used to attack sensitive systems. For example, intrusion detection system (IDS) logs can contain the actual packets seen on the network. An administrator can analyze such packets with a free packet analyzer and recover the usernames and passwords that employees use to access websites, email systems, and network devices.

Although security staff always encourage users to choose a unique password for the company network, the reality is that many users reuse the same password for both their workplace and their home Internet activities. If an employee reuses the workplace network password for a personal e-mail account, and an attacker captures that e-mail service's plaintext authentication, the attacker effectively gains an account on the company network to use for illegal activity.

As a security information product that can display the network topology, Cisco's Security Monitoring, Analysis, and Response System (MARS) usually contains sensitive information. The most accurate way for MARS to learn the network topology is to discover every network device. This involves entering device credentials into the MARS configuration, authenticating to the device, retrieving its interface information, and periodically rediscovering that information. In the user interfaces, whether the command line interface or the Web user interface, the device credentials can be masked so that an unauthorized user of the console cannot read them. However, if an attacker gains operating system access or physical access to the appliance, that access can be used to retrieve everything stored on the hard disk, which may include the device credentials. The attacker can also use that access to install a backdoor for remote access at any time in the future.

This article describes recommendations for securing the Monitoring, Analysis, and Response System (MARS), covering both physical and logical aspects. It also examines in detail the TCP and UDP ports MARS uses to communicate with the security, network, and other devices it monitors, and with other MARS systems.

Physical security

If physical security is not addressed, network security cannot be addressed correctly either. This is common sense: if a malicious party gains physical access to the target system, every network security measure becomes meaningless.

As an administrator, ensure that the hosts and MARS appliances on the security management network are located in a protected facility. At a minimum, these devices should be locked in a room that cannot be entered by people without a specific business need. Ideally, the security management network is placed in a robust, secure data center. Anyone with access must carry a security badge, and before entering must sign in, on paper or electronically, so that the access time is recorded.

Inherent security of the MARS Device

Management access to all MARS devices is implemented over SSL, using the HTTPS and SSH protocols, on TCP port 443 and TCP port 22 respectively. These protocols are inherently more secure because they provide encryption, authentication, and authorization. HTTP and Telnet, which offer the same functions without encryption, are disabled on the MARS device.

The MARS device is a hardened Linux server that runs a number of services, including Oracle and the Apache HTTP server. Applying software updates reduces the number of newly discovered vulnerabilities in the services and drivers on the MARS device. In addition, disabling unnecessary or unused services removes potential vulnerabilities on some devices.
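The two paragraphs above give a concrete post-hardening check: only the encrypted management ports (TCP 22 and TCP 443) should be exposed, the cleartext equivalents (Telnet on 23, HTTP on 80) must be off, and anything else listening should be either loopback-only or justified. The following is an added example, not code from the article or from Cisco, that audits a socket listing in the format of the Linux `ss -tuln` command. The listing itself is constructed for the example, and the UDP 514 entry is an assumed syslog receiver, not something the article states about MARS.

```python
"""Audit a Linux listener table against a management-exposure policy.

Added example: parses `ss -tuln` style output (with or without the Netid
column) and classifies each listening socket. The sample listing below is
constructed, not captured from a real MARS appliance.
"""

# Ports the policy expects to be reachable from the management network.
# The udp/514 syslog receiver is an assumption for the example, not a fact
# taken from the article.
ALLOWED = {("tcp", 22): "ssh", ("tcp", 443): "https", ("udp", 514): "syslog (assumed)"}
# Cleartext management protocols that the article says must stay disabled.
CLEARTEXT_MGMT = {("tcp", 23): "telnet", ("tcp", 80): "http"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `ss -tuln -H` output: one cleartext HTTP listener, one Telnet
# listener, a loopback-only database port, and the expected management ports.
SAMPLE_SS = """\
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:1521      0.0.0.0:*
tcp   LISTEN 0      128             [::]:22           [::]:*
tcp   LISTEN 0      5            0.0.0.0:23        0.0.0.0:*
"""


def parse_ss(text):
    """Return (proto, local_addr, port) tuples from `ss -tuln` output.

    Handles both the layout with a leading Netid column (`ss -tuln`) and the
    single-protocol layout without it (`ss -tln` / `ss -uln`), and strips the
    brackets around IPv6 addresses.
    """
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        if fields[0] in ("tcp", "udp"):
            proto, local = fields[0], fields[4]
        elif fields[0] in ("LISTEN", "UNCONN"):
            proto, local = ("tcp" if fields[0] == "LISTEN" else "udp"), fields[3]
        else:
            continue  # header line or unrecognised state
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # wildcard port, nothing to audit
        sockets.append((proto, addr.strip("[]"), int(port)))
    return sockets


def audit_listeners(text):
    """Classify every listener: expected, cleartext, loopback-only or exposed."""
    findings = []
    for proto, addr, port in parse_ss(text):
        key = (proto, port)
        if key in CLEARTEXT_MGMT:
            verdict, service = "cleartext", CLEARTEXT_MGMT[key]
        elif key in ALLOWED:
            verdict, service = "expected", ALLOWED[key]
        elif addr in LOOPBACK:
            verdict, service = "loopback-only", "unknown"
        else:
            verdict, service = "exposed", "unknown"
        findings.append({"proto": proto, "addr": addr, "port": port,
                         "service": service, "verdict": verdict})
    return findings


def problems(findings):
    """Only the findings that need action: cleartext or unexpected exposure."""
    return [f for f in findings if f["verdict"] in ("cleartext", "exposed")]


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        print(f"{f['proto']}/{f['port']:<5} {f['addr']:<12} {f['service']:<16} {f['verdict']}")
```

On a real appliance you would feed it the live `ss -tuln -H` output instead of `SAMPLE_SS`; a loopback-only listener such as the database port is reported but not flagged, because it is unreachable from the network and disabling it would break the product.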

Hardening the operating system is a good start, but it is far from enough. When considering the security of the MARS device, you must consider the sensitivity of the information it holds. Users should have a sound plan to prevent MARS from being turned into a network attack tool, which includes placing the device in a network protected by a firewall or IDS.
If no firewall, IDS, or IPS protects MARS, attackers will look for vulnerabilities in its management protocols or in the protocols it uses to monitor security and network devices. A firewall or IDS/IPS lets the user limit the exposure to such attacks while recording an audit trail of attack events.

Consider, for example, SSH, the remote command-line method for managing MARS. Some time ago, vulnerabilities were found in the OpenSSH application that provides this service on MARS. At present there are no known vulnerabilities in the installed SSH service, but a new one may be discovered at some point in the future. With that in mind, you should restrict which hosts can establish an SSH connection to the MARS device, unless they are on a specific, trusted network. A stateful inspection firewall is the ideal device for enforcing such a restriction. A regularly updated network IDS or IPS can detect whether someone is using a known vulnerability to compromise the MARS device.

Another SSH-related example is a brute-force password attack on the MARS device, in which the attacker repeatedly tries passwords from a dictionary, driven by a script, to crack the administrator password used to manage MARS. MARS is particularly exposed to this type of attack, because the administrator username is well known and is the only username permitted to log in over SSH. The countermeasures are the same as in the first example. First, place MARS on a protected network and separate it from the rest of the network with a stateful inspection firewall, so that connection attempts can be limited to a small number of devices or to the company network. Second, a network IDS or IPS can detect repeated logon attempts, whether over SSH or through the Web interface; the IDS can notify the appropriate person, and the IPS can block further attempts.
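The detection described in this paragraph, repeated failed logons against the appliance over either SSH or the Web interface, attributed to a source address and counted within a time window, is what an IDS rule or a log monitor on the MARS host itself would implement. The following is an added example, not code from the article or from Cisco: it parses OpenSSH authentication failures and Apache HTTP 401 responses, both constructed for the example, merges them per source IP, and raises one alert when a sliding window exceeds a threshold. The log year, the threshold of five attempts per sixty seconds, and the assumption that a 401 on a POST marks a failed Web logon are choices made for the example.

```python
"""Detect brute-force logon attempts against SSH and the Web interface.

Added example. Both log excerpts below are constructed for the example and
are not captured from a real MARS appliance.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog lines carry no year; assumed for the example

# Constructed OpenSSH auth log: one rapid dictionary run, one legitimate
# typo followed by success, and a slower run that continues on the Web side.
SSHD_LOG = """\
Oct 10 13:55:01 mars sshd[2211]: Failed password for admin from 203.0.113.10 port 51022 ssh2
Oct 10 13:55:03 mars sshd[2211]: Failed password for admin from 203.0.113.10 port 51022 ssh2
Oct 10 13:55:04 mars sshd[2213]: Failed password for admin from 203.0.113.10 port 51030 ssh2
Oct 10 13:55:06 mars sshd[2215]: Failed password for admin from 203.0.113.10 port 51034 ssh2
Oct 10 13:55:09 mars sshd[2217]: Failed password for admin from 203.0.113.10 port 51040 ssh2
Oct 10 13:55:12 mars sshd[2219]: Failed password for admin from 203.0.113.10 port 51044 ssh2
Oct 10 13:58:40 mars sshd[2290]: Failed password for admin from 198.51.100.7 port 40120 ssh2
Oct 10 13:59:10 mars sshd[2290]: Accepted password for admin from 198.51.100.7 port 40120 ssh2
Oct 10 14:02:00 mars sshd[2301]: Failed password for invalid user root from 192.0.2.44 port 33001 ssh2
Oct 10 14:02:05 mars sshd[2303]: Failed password for invalid user root from 192.0.2.44 port 33005 ssh2
Oct 10 14:02:09 mars sshd[2305]: Failed password for admin from 192.0.2.44 port 33009 ssh2
"""

# Constructed Apache access log in Common Log Format; a 401 on a POST is
# treated as a failed Web logon (an assumption, the login path is made up).
APACHE_LOG = """\
192.0.2.44 - - [10/Oct/2024:14:02:20 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [10/Oct/2024:14:02:31 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [10/Oct/2024:14:02:45 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2024:14:10:02 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")
WEB_FAIL = re.compile(
    r'^(?P<ip>\d+(?:\.\d+){3}) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "POST \S+ HTTP/1\.[01]" 401 ')


def parse_events(sshd_lines, apache_lines, year=LOG_YEAR):
    """Return (timestamp, source_ip, user, channel) for every failed logon."""
    events = []
    for line in sshd_lines:
        m = SSHD_FAIL.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            events.append((ts, m["ip"], m["user"], "ssh"))
    for line in apache_lines:
        m = WEB_FAIL.match(line)
        if m:
            # Drop the "+0000" zone so both sources compare as naive local times.
            ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
            events.append((ts, m["ip"], m["user"], "web"))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per source IP whose failures within `window` reach `threshold`.

    A per-IP deque holds the failures still inside the sliding window; SSH and
    Web failures are counted together, as the article's IDS example does.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, ip, _user, channel in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append((ts, channel))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"ip": ip, "attempts": len(q),
                           "ssh": sum(1 for _, c in q if c == "ssh"),
                           "web": sum(1 for _, c in q if c == "web"),
                           "first": q[0][0], "last": ts})
    return alerts


def run_detection():
    return detect_bruteforce(parse_events(SSHD_LOG.splitlines(), APACHE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['ip']}: {a['attempts']} failures ({a['ssh']} ssh, {a['web']} web) "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The second alert is the interesting one: neither channel alone reaches the threshold, so a detector that watches SSH and the Web interface separately would miss it. In production the same logic would read the live logs, and the alert would feed the notification (IDS) or blocking (IPS) step the paragraph describes.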

