Getting Started - I



Implementing MARS in Network

By now you should have some idea of what this appliance is, so let me take you through implementing it in a network.

Things to understand before implementing


  1. This device will not work automatically and save you from threats by blocking traffic on its own.

  2. Every day, the security analyst has to review the incidents and tune the system according to the network policy for it to work effectively.

  3. This device is not a monitoring tool that reports things such as machine status, CPU utilization or disk utilization.

  4. This device collects security and network events from your network devices and hosts through syslog or other logging methods, correlates them, and helps you take action.

  5. It sits inside the network just like any other computer: it needs an IP address and hostname, access to the local network, and Internet access to update its IPS signatures.

  6. There are two LAN ports. One can be used to collect data from the network and the other to manage the device. The two ports cannot be in the same LAN/VLAN.

  7. An NFS server can be used to back up the device configuration and the collected event logs, either for later use or to recover after a disaster.

  8. MARS directly supports a list of devices, which includes some third-party devices and applications. Devices or applications outside that list can still be integrated into MARS, but customization is required to make them supported.
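As an added illustration of points 2, 4 and 8 (this is not MARS code or anything from this blog), the Python sketch below parses raw syslog lines from a firewall and a host into a common form, drops a line no parser understands (the "unsupported device" case), and applies a tunable rule that correlates events from both sources into one incident. The log lines, device names and addresses are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog shape:
# "<timestamp> <reporting device> <message>". Not real device output.
SAMPLE_LOGS = [
    "2009-03-01T10:00:05 fw1 Deny tcp src 10.1.1.5 dst 10.2.2.9 port 22",
    "2009-03-01T10:00:07 fw1 Deny tcp src 10.1.1.5 dst 10.2.2.9 port 23",
    "2009-03-01T10:00:09 fw1 Deny tcp src 10.1.1.5 dst 10.2.2.9 port 445",
    "2009-03-01T10:01:30 host9 sshd: Failed password for root from 10.1.1.5",
    "2009-03-01T10:02:00 fw1 Deny tcp src 10.3.3.3 dst 10.2.2.9 port 80",
    "2009-03-01T10:02:10 printer7 toner low",   # no parser: ignored by correlation
    "2009-03-01T11:30:00 host9 sshd: Failed password for admin from 10.3.3.3",
]

FW_DENY = re.compile(r"^(\S+) (\S+) Deny \S+ src (\S+) dst (\S+) port (\d+)$")
AUTH_FAIL = re.compile(r"^(\S+) (\S+) sshd: Failed password for (\S+) from (\S+)$")

def parse(line):
    """Normalise one raw line into an event dict, or None if no parser matches.
    An unparsed line is the 'unsupported device' case: a custom parser is
    needed before its events can take part in correlation."""
    m = FW_DENY.match(line)
    if m:
        return {"time": datetime.fromisoformat(m.group(1)), "device": m.group(2),
                "type": "fw_deny", "src": m.group(3)}
    m = AUTH_FAIL.match(line)
    if m:
        return {"time": datetime.fromisoformat(m.group(1)), "device": m.group(2),
                "type": "auth_fail", "src": m.group(4)}
    return None

def correlate(lines, min_denies=3, window=timedelta(minutes=5)):
    """Raise an incident for a source IP that caused at least `min_denies`
    firewall denies followed by an authentication failure on a host, all within
    `window`. These thresholds are the knobs an analyst tunes to network policy."""
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])
    incidents = []
    for e in events:
        if e["type"] != "auth_fail":
            continue
        recent_denies = [d for d in events
                         if d["type"] == "fw_deny" and d["src"] == e["src"]
                         and e["time"] - window <= d["time"] <= e["time"]]
        if len(recent_denies) >= min_denies:
            incidents.append({"src": e["src"], "host": e["device"],
                              "denies": len(recent_denies), "at": e["time"]})
    return incidents
```

On the sample data only 10.1.1.5 becomes an incident; 10.3.3.3 has a deny and a later login failure, but more than five minutes apart, so the rule stays quiet until the analyst decides the window should be wider.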

The next post will cover how to integrate network devices and hosts with MARS.

Your suggestions are welcome to enhance this blog.

1 Comment:

Kamal said...

Informative post... keep going! Awaiting further posts!