This chapter is from the book

MARS Communications Requirements

Before you can protect MARS with a firewall, you first need to understand which TCP and UDP ports MARS requires to operate properly, and which of these carry outbound or inbound traffic. Table 4-1 provides a summary of all communications when MARS and the various monitored devices are all configured with default ports. Many or all of these can be changed, and you might need to modify this table for your installation.

Table 4-1. MARS TCP and UDP Ports

| Port | Description | Direction |
|---|---|---|
| TCP/21 | Used by MARS to retrieve switch and router configuration files from centralized servers. FTP uses additional TCP ports (usually TCP/20), and most firewalls allow this to occur automatically. | Outbound |
| TCP/22 | Used for management access to MARS LCs and GCs. | Inbound |
| TCP/22 | Used by MARS to connect to devices when learning topology or investigating hosts. | Outbound |
| TCP/23 | MARS uses Telnet as one method to connect to some network devices when learning topology or investigating hosts. | Outbound |
| TCP/25 | Used by MARS to e-mail reports and alerts. | Outbound |
| UDP/53 | Used by MARS to look up host name–to–IP address resolution. | Outbound |
| TCP/53 | Used by MARS to look up host name–to–IP address resolution. | Outbound |
| TCP/80 | Used by MARS to communicate with Cisco routers for Distributed Threat Mitigation (DTM). | Outbound |
| TCP/80 | Used by MARS to receive some events, including web logs from iPlanet and Apache web servers, as well as NetCache. | Inbound |
| UDP/123 | Used by MARS to synchronize time with Network Time Protocol (NTP) servers. | Outbound |
| TCP/137 | Used by MARS to pull events from Windows systems. | Outbound |
| UDP/161 | Used for Simple Network Management Protocol (SNMP) communications from MARS to monitored devices that use SNMP as the access method. | Outbound |
| UDP/162 | Used by MARS to receive SNMP traps from monitored devices that are configured to use traps for logging. | Inbound |
| TCP/443 | Used for management access to MARS LCs and GCs. | Inbound |
| TCP/443 | Used by MARS to pull security events from Cisco IDS 4.x and IPS 5.x sensors and Cisco IOS IPS. | Outbound |
| TCP/443 | Used by MARS GCs and LCs for communications between appliances. | Inbound and Outbound |
| TCP/445 | Used by MARS to pull events from Windows systems. | Outbound |
| UDP/514 | Used by MARS to receive syslog messages from monitored devices. | Inbound |
| UDP/2049 | Used by MARS to write archive data using Network File System (NFS). | Outbound |
| UDP/2055 | Used by MARS to receive NetFlow data from monitored devices. | Inbound |
| TCP/8444 | Used for communications between MARS GC and LC appliances. | Inbound and Outbound |
| TCP/18184 | Used by MARS to pull event logs from Check Point firewalls. | Outbound |
| TCP/18190 | Used by MARS to retrieve configuration settings from Check Point firewalls. | Outbound |
| TCP/18210 | Used by MARS to retrieve certificates from Check Point firewalls or management consoles. | Outbound |
| All TCP/UDP | Used for vulnerability assessment scanning by MARS if enabled. | Outbound |
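One way to put Table 4-1 to work when reviewing firewall logs around the appliance is to encode it as data and flag any flow to or from MARS that the table does not account for. This is an added example, not code from the book or from Cisco; the function names, the flow record layout, and the 192.0.2.x addresses are assumptions made for illustration, and the ports are the defaults from the table.

```python
# Added example: Table 4-1 default ports as data, direction relative to MARS.
# "in" = session initiated toward MARS; "out" = session initiated by MARS.
# FTP data channels (usually TCP/20) are left to the firewall's FTP handling.
TABLE_4_1 = {
    ("tcp", 21): {"out"}, ("tcp", 22): {"in", "out"}, ("tcp", 23): {"out"},
    ("tcp", 25): {"out"}, ("udp", 53): {"out"}, ("tcp", 53): {"out"},
    ("tcp", 80): {"in", "out"}, ("udp", 123): {"out"}, ("tcp", 137): {"out"},
    ("udp", 161): {"out"}, ("udp", 162): {"in"}, ("tcp", 443): {"in", "out"},
    ("tcp", 445): {"out"}, ("udp", 514): {"in"}, ("udp", 2049): {"out"},
    ("udp", 2055): {"in"}, ("tcp", 8444): {"in", "out"},
    ("tcp", 18184): {"out"}, ("tcp", 18190): {"out"}, ("tcp", 18210): {"out"},
}

def classify(flow, mars_ip, vuln_scanning=False):
    """Return (direction, verdict) for a flow dict with keys src, dst, proto,
    dport. Flows that do not involve MARS return (None, "ignore")."""
    if flow["src"] == mars_ip:
        direction = "out"
    elif flow["dst"] == mars_ip:
        direction = "in"
    else:
        return None, "ignore"
    key = (flow["proto"].lower(), int(flow["dport"]))
    if direction in TABLE_4_1.get(key, set()):
        return direction, "allow"
    # The "All TCP/UDP" row covers outbound traffic only, and only when
    # vulnerability assessment scanning is enabled on MARS.
    if direction == "out" and vuln_scanning:
        return direction, "allow"
    return direction, "deny"

def unexpected_flows(flows, mars_ip, vuln_scanning=False):
    """List the flows that Table 4-1 does not account for."""
    return [f for f in flows if classify(f, mars_ip, vuln_scanning)[1] == "deny"]

# Constructed sample flows (documentation addresses, not real traffic).
MARS = "192.0.2.10"
SAMPLE = [
    {"src": "192.0.2.50", "dst": MARS, "proto": "udp", "dport": 514},   # syslog in
    {"src": MARS, "dst": "192.0.2.60", "proto": "tcp", "dport": 22},    # SSH out
    {"src": "192.0.2.50", "dst": MARS, "proto": "tcp", "dport": 23},    # Telnet in: not in table
    {"src": MARS, "dst": "192.0.2.70", "proto": "udp", "dport": 514},   # syslog out: not in table
    {"src": MARS, "dst": "192.0.2.80", "proto": "tcp", "dport": 3389},  # only with scanning on
]

if __name__ == "__main__":
    for f in unexpected_flows(SAMPLE, MARS):
        print("unexpected:", f)
```

With vulnerability assessment scanning enabled, every outbound flow from MARS matches the last row of the table, so only the inbound side can still be checked this way.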
