Securing the Cisco Security Monitoring, Analysis, and Response System
A Security Information Management (SIM) system can contain a tremendous amount of sensitive information. This is because it receives event logs from security systems throughout a network. These logs potentially contain information that can be used to target attacks at sensitive systems. For example, intrusion detection system (IDS) logs can contain actual packets seen on the network. Some of these packets can be decoded with freely available packet analyzers to find usernames and passwords that your employees might be using to access websites, e-mail systems, and network devices.
Although security people always encourage users to select unique passwords for company networks, the reality is that many users tend to reuse passwords both for work and home activities. If an employee has decided to use his work network password as his personal web-based e-mail password, if an attacker discovers the cleartext authentication for web e-mail, he has also discovered an account on your network in which to begin nefarious activities.
As a topology-aware SIM product, the Cisco Security Monitoring, Analysis, and Response System (CS-MARS) often contains even more sensitive information. The most accurate method of maintaining the network topology awareness within MARS is by discovering each network device. This involves configuring access information for MARS to authenticate to the devices, retrieve interface information, and periodically rediscover it. From within the user interfaces, both the command-line interface (CLI) and web user interface, device authentication information is masked to prevent anyone from using the console to gain unauthorized information. However, if an attacker gains access to the base operating system, or gains physical access to the appliance, he could use that access to retrieve all information contained on the hard drives, which could include device authentication information. He can also use that access to install back doors to allow remote access at any time.
This chapter describes recommendations for securing MARS appliances, both physically and electronically. It also provides detailed insight into the TCP and User Datagram Protocol (UDP) ports that MARS requires for communication with other MARS appliances, in addition to monitored security, network, and other devices.
Physical Security
You cannot properly address network security without also addressing physical security. This is evident with common sense and in the various regulations addressed in Chapter 2, "Regulatory Challenges in Depth." All the network security in the world is worthless if someone with malicious intent can gain physical access to the target.
Make sure that the hosts on your security management network, and MARS specifically, reside in a protected facility. At the very least, they should be locked in a room that is inaccessible to the public and staff without a specific business need. Ideally, security management resides in a datacenter that exercises strong controls. Staff with access rights to the facility need to have a security badge and need to sign in, either on paper or electronically, before entering. In Chapter 2, the Payment Card Industry (PCI) data security standard has good recommendations that datacenters everywhere should attempt to adhere to, even if your facility is not affected by PCI requirements.