Mars 1

Cisco MARS v 4.3.4 lab doc.

Uploaded by Dax Mickelson
Copyright: © Attribution Non-Commercial (BY-NC)

Lab 1

MARS Jump Start Training

Lab Guide
September 2008
Version 2.0

Created by Team ASTEC

© 2008 Cisco Systems, Inc.


MARS Jumpstart Lab Guide

Table of Contents
Task 1: Accessing the Devices in Lab (5-10 min)
Task 2: Prep and Test the Lab (10-15 min)
Task 3: Setup IOS IPS (20-25 min)
Task 4: Prepping/Adding Devices to MARS (35-45 min)
Task 5: Attack Web Server & then Monitor/Mitigate via MARS (45 min)
Task 6: Configuring Alerts and Notifications (20 min)
Exercise 1: Solutions Sale Mock Interview & SoW Generation with customer responses
Exercise 2: Solutions Sale Mock Interview & SoW Generation – SE interview
MARS Lab Logical Topology Diagram


Task 1: Accessing the Devices in Lab (5-10 min)

Purpose: The purpose of this task is to VPN into your pod to ensure connectivity and authentication are working properly.

Step 1. Go to https://pgY.daxm.net/student, where Y is your pod set number, to access the labs. The lab proctor will inform you of the pod set number for your labs.

Step 2. Login as psYpodX/<password>, where Y is your pod set number and X is your pod number. Your <password> will be provided by the lab proctor.

Step 3. Click the appropriate link to connect to your device.

NOTE: All auth challenges are username/password: administrator/cisco123 UNLESS otherwise specified in lab doc steps. You may want to write this down for future reference.


Task 2: Prep and Test the Lab (10-15 min)

Purpose: The purpose of this task is to default the router and firewall (ASA).

Step 1. Test the remote desktop connectivity to UserPC1, UserPC2, and AttackPC by clicking on the links from the portal page.

Note: Within VNC, to send ctrl-alt-del or enable/disable full screen use F8 to open the options toolbar.

Step 2. From the desktop of UserPC1, telnet to 2811a.acme.com to access the lab's 2811 router.

a. Use the 'delete /force /recursive flash:ips' command in Privileged EXEC Mode (this directory may be left over from a previous lab, so this command will remove it and its contents). Your router may or may not have this folder listed in flash. If it doesn't, just move on to step 3.

Step 3. To do a final test from the router, be sure you can ping 2811a.acme.com, asa5510.acme.com, and w2k-server.acme.com, as these are the main devices used in this lab.

NOTE: If any of the above tests fail please notify your lab proctor.


Task 3: Setup IOS IPS (20-25 min)

Purpose: The 2811 router in the lab has an IOS code level that allows us to run the IOS IPS feature set. Use the following commands to set up the router to use this feature set. These IPS settings will be used to monitor traffic from the ASA firewall coming inward, toward the corporate network, as well as from the "Guest" VLAN (VLAN 9) off of the router.

Step 1. From UserPC1, telnet to 2811a.acme.com.

Step 2. The IPS signatures will be uploaded to flash, so create a directory to store these signatures using the 'mkdir ips' command in Privileged EXEC Mode. You can issue the 'show flash' command to ensure the ips directory was made.

Now we need to configure the IOS IPS crypto key:

Step 3. From the desktop of UserPC1 open up the "Software/IOS IPS" subfolder. Within this folder is a text file named "publickey.txt". Open up this file and copy the contents of this file into your clipboard.

NOTE: The key was downloaded from CCO along with the signature files. It is required to validate the signature file as it is loaded into the router with the idconf command.

Step 4. At the Global Configuration Mode prompt on the router paste the clipboard contents. This will add the crypto key used by the IPS signature file. The crypto key is used to verify the digital signature for the master signature file (sigdef-default.xml), whose contents are signed by a Cisco private key to guarantee its authenticity and integrity at every release. The sigdef-default.xml is used by MARS.

Step 5. Save the running configuration of the router to startup-config.

Step 6. Issue the 'ip ips name iosips' command in Global Configuration Mode. This will create a rule that will be used to enable the IPS features on an interface.

Step 7. Issue the 'ip ips config location flash:ips' command in Global Configuration Mode to define where the IPS signatures will be stored.

Step 8. Enable SDEE event notification. This is used by MARS and CSM to learn of the events as well as to implement remediation. Issue the 'ip ips notify sdee' command in Global Configuration Mode.

Step 9. By default, IOS IPS only allows 1 SDEE connection. Use the 'ip sdee subscriptions 3' Global Configuration Mode command to enable the maximum number of SDEE connections for IOS IPS.

Step 10. Use the 'ip ips notify log' command, in Global Configuration Mode, to enable syslog for IPS events.

IOS IPS also supports the use of syslog to send event notification. SDEE and syslog can be used independently or enabled at the same time to send IOS IPS event notification. Syslog notification is enabled by default. If logging console is enabled, you will see IPS syslog messages. Ensure syslog is on with the 'show logging' command from Privileged EXEC Mode.

Step 11. Enable the HTTPS server on the router for remote administrative access. Use the 'ip http secure-server' command in Global Configuration Mode to enable the HTTPS server.

Step 12. Configure the IOS IPS to use the default basic signature set. Cisco's IOS IPS feature set runs resident in the router if it isn't in a separate module. This means that the memory and CPU of the router are affected by which signatures are being monitored. Therefore, disable (retire) all signatures EXCEPT the ones that are needed.

NOTE: Take care to use exit and not cntl-z to save ips category changes!!! If you don't, you will have to reload the router WITHOUT saving changes and redo this step.

Use the following commands to set up this structure:

# copy running-config startup-config
# configure terminal
(config)# ip ips signature-category
(config-ips-category)# category all
(config-ips-category-action)# retired true
(config-ips-category-action)# exit
(config-ips-category)# category ios_ips basic
(config-ips-category-action)# retired false
(config-ips-category-action)# exit
(config-ips-category)# exit
Do you want to accept these changes? [confirm] <Press Enter>


Critical Check → Did you get the prompt to accept these changes? If you don't get the prompt to confirm your changes you will need to reload the router without saving your changes! To confirm your changes were accepted, type 'show ip ips category ios_ips basic config'. Verify your output is "Retire: False".

Step 13. Since we are monitoring traffic incoming from the ASA toward the corporate network, we need to enable the IPS rules on interface FastEthernet 0/0.X5, where X is your pod number. The rule was created earlier in step 7.

(config)# interface FastEthernet 0/0.X5
(config-if)# ip ips iosips in

Step 14. Now enable the monitoring for incoming traffic from the "Public" VLAN. The subinterface FastEthernet 0/0.X9 is the Public VLAN.

(config)# interface FastEthernet 0/0.X9
(config-if)# ip ips iosips in

Step 15. We are now ready for the signature file. It is stored on UserPC1's desktop in the "Software/IOS IPS/IOS IPS 5-24-08" subfolder.

NOTE: Be sure you tftp upload the IOS-S334-CLI.pkg file found in the "Software/IOS IPS/IOS IPS 5-24-08" subfolder, NOT another IPS signature file.

a. Run 3CDaemon on UserPC1. This program is our TFTP server. Select the Configure TFTP Server icon and set the Upload/Download directory to "C:\Documents and Settings\Administrator\Desktop\Software\IOS IPS\IOS IPS 5-24-08\" (don't include the quotes). Click OK to save your changes. Stop and Start the TFTP Server.

b. At the router's Privileged EXEC Mode issue the 'terminal monitor' command to watch the syslog events as we upload the signatures.

c. Now issue the 'copy tftp://192.168.4.50/IOS-S334-CLI.pkg idconf' command in Privileged EXEC Mode. You will see syslog messages showing the IOS IPS signatures being installed into the flash:ips directory.

d. After the .pkg file copies over, use the 'dir flash:ips' command to see the contents of the flash:ips directory.

Step 16. Use the 'show ip ips signatures count' command to ensure you have version S334.0 (located at the top of this command's output) and that the Total Signatures is 2271 (located near the end of this command's output).

Step 17. Close 3CDaemon once done.

NOTE: By default all signatures are configured to "Alarm" action only. This implies that signature tuning is needed to actively block attacks. Later in the lab we will set some of the signatures to block attacks.
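The two critical checks in this task (step 12's "Retire: False" and step 16's release/count) are easy to misread on a scrolling terminal. The following added example, which is not part of the lab guide, applies both checks to captured 'show' output; the two sample outputs inside it are constructed for the example, so the exact surrounding lines on a real router may differ, and only the "Retire:" line, the SDF release string and the "Total ... Signatures:" lines are relied on.

```python
"""Verify IOS IPS state from captured 'show' output (added example).

Task 3 says the ios_ips basic category must show "Retire: False" (step 12)
and 'show ip ips signatures count' must report S334.0 with 2271 total
signatures (step 16). The sample outputs below are constructed for this
example, not captured from the lab router.
"""
import re

# Constructed sample: 'show ip ips category ios_ips basic config'
CATEGORY_OUTPUT = """\
Category ios_ips basic:
    Retire: False
"""

# Constructed sample: 'show ip ips signatures count' (abridged)
COUNT_OUTPUT = """\
Cisco SDF Release Version S334.0
Trend Micro OPACL Version:
Signature Micro-Engine: multi-string: Total Signatures 8
Signature Micro-Engine: service-http: Total Signatures 594
Total Signatures: 2271
    Total Enabled Signatures: 693
    Total Retired Signatures: 1850
    Total Compiled Signatures: 421
"""


def category_retired(show_output):
    """Return True/False from the 'Retire:' line, or None if the line is absent.

    A missing line usually means the category changes were never saved
    (the lab warns that leaving with ctrl-z instead of 'exit' loses them).
    """
    m = re.search(r"^\s*Retire:\s*(True|False)\s*$", show_output, re.M | re.I)
    if m is None:
        return None
    return m.group(1).lower() == "true"


def signature_summary(show_output):
    """Pull the SDF release string and the signature totals out of the output."""
    summary = {"release": None, "total": None, "enabled": None,
               "retired": None, "compiled": None}
    m = re.search(r"SDF Release Version\s+(S\d+\.\d+)", show_output)
    if m:
        summary["release"] = m.group(1)
    # Anchored at line start so the per-engine "Total Signatures 8" lines
    # are not mistaken for the package total.
    m = re.search(r"^Total Signatures:\s*(\d+)", show_output, re.M)
    if m:
        summary["total"] = int(m.group(1))
    for key in ("enabled", "retired", "compiled"):
        m = re.search(r"Total %s Signatures:\s*(\d+)" % key.capitalize(),
                      show_output)
        if m:
            summary[key] = int(m.group(1))
    return summary


def verify_ips_state(category_output, count_output,
                     expected_release="S334.0", expected_total=2271):
    """Return a list of problems; an empty list means both lab checks passed."""
    problems = []
    retired = category_retired(category_output)
    if retired is None:
        problems.append("no Retire line: category change may not have been saved")
    elif retired:
        problems.append("ios_ips basic category is still retired")

    s = signature_summary(count_output)
    if s["release"] != expected_release:
        problems.append("SDF release is %s, expected %s"
                        % (s["release"], expected_release))
    if s["total"] != expected_total:
        problems.append("total signatures is %s, expected %d"
                        % (s["total"], expected_total))
    return problems


if __name__ == "__main__":
    for line in verify_ips_state(CATEGORY_OUTPUT, COUNT_OUTPUT) or ["IPS checks passed"]:
        print(line)
```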


Task 4: Prepping/Adding Devices to MARS (35-45 min)

Purpose: The purpose of this lab is to add the necessary configuration commands to the router and ASA for connectivity with MARS, and then configure the MARS by adding the devices and setting up some basic connectivity.

Part of the way MARS communicates with devices is via SNMP, so set up SNMP on each device for polling before adding it to MARS. SSH will also be configured for full device discovery.

Step 1. Log into router 2811a and issue the following commands in Global Configuration Mode:

(config)# snmp-server community cisco123 RO
(config)# snmp-server location ACME Data Center
(config)# snmp-server contact Road Runner rrunner@acme.com
(config)# snmp-server trap-source loopback 0
(config)# logging 192.168.2.30
(config)# line vty 0 4
(config-line)# transport input ssh

Step 2. Use the command 'show version' to see what version of software the router is running. This information will be used when adding the router to MARS.

Step 3. From UserPC1 open IE and from the home page use the CS-MARS link to access the MARS management interface. Login into MARS with the user/pass of pnadmin/cisco123 (password may autofill).

Step 4. Using the menu items across the top of the MARS screen click the ADMIN link.

Step 5. In the "Device Configuration and Discovery Information" section click the Security and Monitor Devices link.


Step 6. Note that there are no devices in MARS yet. Select Add (located along the right of the window) to start adding the 2811 router.

Step 7. Enter the following information about the router:

Device Type: Cisco IOS 12.4
Device Name: 2811a.acme.com
Access IP: 192.168.2.1
Reporting IP: 192.168.0.1
Access Type: SSH
Login: administrator
Password: cisco123
Enable Password: cisco123
SNMP RO Community: cisco123
Monitor Resource Usage: Yes

NOTE: If you are adding a switch, under the "Device Type", there is a selection for "Cisco Switch-IOS" in addition to "Cisco IOS".

Step 8. Click Discover.

NOTE: This will take some time (several minutes), partially because MARS also has to load all of the IOS IPS signatures but also because of the shared resources on our VM Server. Please be patient.

Step 9. Click OK once the discovery is done.

Step 10. MARS found that the router has IOS IPS running, so now we can add the IPS information into the device information window. Scroll to the bottom of the window and click Add IPS.

a. In the new window add the username/password of administrator/CiscoRocks. Click Test Connectivity to ensure this information is correct.

b. Oops, we got an error. Click OK on the error.

NOTE: The point of step 11a is to demonstrate the ability to view details of error messages, and how MARS deals with this type of issue.

c. There is now a View Error link along the bottom of the screen. Click View Error to see what is wrong. Once you see what the error is, fix the username/password information with administrator/cisco123.

d. Click Test Connectivity once more and we will get a discovery is done message. Click OK on that message.

e. Finally click Submit to add the IOS IPS information.

Step 11. Click Submit to add the router to MARS.


Step 12. Now that the router is in MARS, click the red Activate button in the top right of the window to submit the current changes to the MARS database. Close the activation done window to return to MARS.

NOTE: This lab guide was developed using pod 1. You may notice a different pod number under the "Device Name" field. Is this a problem? You bet it is! In this case, it's a router hostname issue. As part of the discovery, MARS pulled the hostname from the configuration file in the router. Since DNS has 2811a.acme.com, in the real world, you would want to fix the hostname. For the purpose of the lab, this is not a big deal.

Step 13. Go to the router and type 'show ip sdee subscriptions'.


Step 14. Telnet to asa5510.acme.com to set up connectivity to MARS.

Here are the commands to be typed into Global Configuration Mode on the ASA:

(config)# logging host inside 192.168.2.30
(config)# snmp-server community cisco123
(config)# snmp-server location ACME Corporate
(config)# snmp-server contact rrunner@acme.com
(config)# snmp-server host inside 192.168.2.30 community cisco123
(config)# crypto key generate rsa modulus 1024
(config)# ssh 192.168.0.0 255.255.0.0 inside
(config)# aaa authentication ssh console LOCAL   (LOCAL must be uppercase)

Step 15. Return to MARS. If you need to, return to the Security and Monitoring Information page by clicking on the ADMIN link and then the Security and Monitor Devices link.

Step 16. Click Add to start the process of adding in the ASA. Use the following values:

Device Type: Cisco ASA 8.0
Device Name: asa5510.acme.com
Access IP: 192.168.5.254
Reporting IP: 192.168.5.254
Access Type: SSH, 3DES
Login: administrator
Password: cisco123
Enable Password: cisco123
SNMP RO Community: cisco123
Monitor Resource Usage: YES

Step 17. Click Discover.

Step 18. Click OK when discovery is done, and then click Submit.

Step 19. Click the red Activate button to save the ASA into MARS' database. Close the activation done window to return to MARS. You should now have 2 devices added into MARS.

NOTE: This lab guide was developed using pod 1. You may notice a different pod number under the "Device Name" field. Is this a problem? You bet it is! In this case, it's a router hostname issue. As part of the discovery, MARS pulled the hostname from the configuration file in the router. Since DNS has asa5510.acme.com, in the real world, you would want to fix the hostname. For the purpose of the lab, this is not a big deal.


Step 20. There are two ways to get logging information from a Windows machine. In this lab we show the "pull" method and in day 2's lab we show the "receive" method. These methods are mutually exclusive, so don't activate both on the same device within MARS. We first need to set up the Windows server. Login into the Windows DC machine from the Student Portal page.

Note: Within VNC, to send ctrl-alt-del or enable/disable full screen use F8 to open the options toolbar.

Step 21. Open up the "Active Directory Users and Computers" link located at "Start → Programs → Administrative Tools → Active Directory Users and Computers".

Step 22. Click on "Action → New → User" to open up the Add new user page to create the user account that will be used by the MARS appliance to log into this server and pull its security, application, and system event logs.

a. Fill in the following:

First Name: Mars
Last Name: Manager
Username: mars

b. Click Next.

c. Add the password information:

Password: cisco123.
Check the box next to "Password never expires".

d. Click Next. Review the user's information and then click Finish.

Step 23. Right click the newly created account and select "Add members to a group...". Select the Administrator group and click OK.

Step 24. Go to Start → Programs → Administrative Tools → Local Security Policy to set up the audit settings so that these events will be audited.

a. Open up the Local Policies folder.

b. Click on the Audit Policy folder.



c. Right click each item (9 items) in the right hand pane, select "Security", and then check the boxes next to "Success" and "Failure" to enable auditing on all events. Click OK when done for each item. Note: The effective setting for the auditing is set to No auditing.

Step 25. Return to the MARS window on UserPC1 to add this server as a monitored device in MARS. Click on ADMIN, then Security and Monitor Devices (you may already be here on return to MARS).

Step 26. Click Add to start the process of adding in this server.

a. Select Add SW security apps on new host from the Device Type dropdown menu since MARS is already aware of this server.

b. Finish filling out the information not already known by MARS:

Device Name: w2k-server.acme.com
Access IP: 192.168.3.10
Reporting IP: 192.168.3.10
Operating System: Windows

c. Select the Logging Info link to open up a new window. Fill out the information with:

Windows Operating System: Microsoft Windows 2000
Check the Pull box
NOTE: Don't check Receive as this isn't configured and checking both is not supported.
Domain Name: acme.com
Host login: mars
Host password: cisco123


d. Click Submit.

e. Add interface IP and mask for ether0 (MARS may already have this information populated) and click Apply.

f. We now need to specify OS and patch information. Click on the column heading labeled "Vulnerability Assessment Info".

g. From the dropdown select ANY Windows 2000 Server (version:ANY, patch:ANY), and then click Apply.

h. Click Done.


i. Check to make sure your "Device Display" shows the graphic for "Not in cloud". The first figure below shows the Device Display in the cloud. Simply click the icon to change its status.

[Figure: Device Display shown "in cloud"]

Should be…

[Figure: Device Display shown "Not in cloud"]

j. Click Activate.


Task 5: Attack Web Server & then Monitor/Mitigate via MARS (45 min)

Purpose: The purpose of this task is to demonstrate the monitoring and mitigation features within MARS.

Step 1. Login into UserPC1 and open up the IE link to CS-MARS.

Step 2. Make sure that in MARS you are looking at the SUMMARY page.

Step 3. From the Student Portal, login into AttackPC and open up Internet Explorer.

NOTE: The VNC password is cisco123.

Step 4. Click the Test IIS Web Server bookmark to ensure you have access to the Intranet Web Server.

Step 5. Return to the home page and click the Sig 5801 Directory Traversal Attack link to send a directory traversal attack.

NOTE: You will get a page cannot be displayed message – this is fine as the attack should have run in the background.

Step 6. Switch over to the MARS SUMMARY window. You may want to change the "Page Refresh Rate" to 1 minute to speed up the page updates. Watch for the attack to show up. (It may take 1-3 minutes).

NOTE: You could also see this attack in IOS IPS via the router's local log or by watching the syslog messages.
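Because 'ip ips notify log' was enabled in Task 3, the two signatures this task fires (Sig 5801 and, in step 16, Sig 5326) also arrive as %IPS-4-SIGNATURE syslog messages at the logging host. The following added example, which is not part of the lab guide, parses such lines and picks out the lab's two signatures; the sample log lines, signature names and addresses in it are constructed for the example, not captured from the lab router.

```python
"""Pick the lab's IOS IPS events out of syslog (added example).

The sample lines below are constructed to follow the %IPS-4-SIGNATURE
message shape that 'ip ips notify log' produces; names and addresses are
sample values chosen for this example.
"""
import re
from collections import defaultdict

SAMPLE_SYSLOG = """\
Sep 10 14:02:11 2811a 1203: *Sep 10 14:02:10.991: %SYS-5-CONFIG_I: Configured from console by administrator on vty0 (192.168.2.30)
Sep 10 14:02:31 2811a 1204: *Sep 10 14:02:31.123: %IPS-4-SIGNATURE: Sig:5801 Subsig:0 Sev:75 Directory Traversal [192.168.9.20:1044 -> 192.168.3.10:80] RiskRating:75
Sep 10 14:02:32 2811a 1205: *Sep 10 14:02:32.210: %IPS-4-SIGNATURE: Sig:5801 Subsig:0 Sev:75 Directory Traversal [192.168.9.20:1045 -> 192.168.3.10:80] RiskRating:75
Sep 10 14:05:02 2811a 1206: *Sep 10 14:05:02.004: %IPS-4-SIGNATURE: Sig:5326 Subsig:0 Sev:100 root.exe Access [10.1.1.5:3211 -> 192.168.3.10:80] RiskRating:100
Sep 10 14:05:40 2811a 1207: *Sep 10 14:05:40.777: %IPS-4-SIGNATURE: Sig:2004 Subsig:0 Sev:25 ICMP Echo Request [192.168.9.20:0 -> 192.168.3.10:0] RiskRating:25
"""

# The two signatures this lab exercises; everything else is left alone here.
LAB_SIGNATURES = {5801: "Directory Traversal", 5326: "root.exe"}

IPS_EVENT = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\]"
    r"(?: RiskRating:(?P<rr>\d+))?"
)


def parse_ips_events(text):
    """Return one dict per %IPS-4-SIGNATURE line; other syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = IPS_EVENT.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sig", "subsig", "sev", "sport", "dport"):
            ev[key] = int(ev[key])
        # RiskRating is optional in the message, so it may be absent.
        ev["rr"] = int(ev["rr"]) if ev["rr"] is not None else None
        events.append(ev)
    return events


def lab_attacks(events, watch=LAB_SIGNATURES):
    """Keep only the signatures we are watching for in this lab."""
    return [ev for ev in events if ev["sig"] in watch]


def summarize_by_source(events):
    """Count hits per (source IP, signature) so repeated probes stand out."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["src"], ev["sig"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = lab_attacks(parse_ips_events(SAMPLE_SYSLOG))
    for (src, sig), n in sorted(summarize_by_source(hits).items()):
        print("%s fired Sig %d (%s) %d time(s)" % (src, sig, LAB_SIGNATURES[sig], n))
```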

Step 7. Once you see the attack, click on the 'Incident ID' for that attack (Your Incident ID will be different than the one in the graphic below).


Step 8. Scroll down and to the right and you'll see the Path/Mitigate column. Click on the Red Stop Sign to get the path vector of the attack.

NOTE: This can take a long time to load.


Step 9. After it loads check out the "Full Topology" option to refresh the map with MARS' total topology awareness.

Step 10. In the left pane are MARS' options to remediate against this attack. The primary option MARS has will be listed just under the "Suggested" heading. If other options exist, MARS will list them under the "Alternative" heading. Click on the 2811a-pod4.acme.com link to reload this page with the remediation suggestion data loaded.


Step 11. Scroll to the bottom and review the suggested remediation.

NOTE: If there are no ACLs on the suggested interface of remediation, MARS will give you a RegExp ACL suggestion. Notice that the PUSH button is grayed out. If this was a Layer 2 remediation the push button would be offered to have MARS immediately push this suggestion out to the device.

Step 12. Add the following ACLs to the router. This way MARS will have the actual ACL names to reference in future remediation recommendations for this router:

(config)# ip access-list extended VLANX5   !!! (where X is your pod number) !!!
(config-ext-nacl)# permit ip any any
(config)# interface FastEthernet 0/0.X5
(config-subif)# ip access-group VLANX5 in
(config)# ip access-list extended VLANX9   !!! (where X is your pod number) !!!
(config-ext-nacl)# permit ip any any
(config)# interface FastEthernet 0/0.X9
(config-subif)# ip access-group VLANX9 in


Step 13. MARS will periodically query its known devices. However, to save time, do a manual rediscover of the router within MARS.

a. Go to the ADMIN → Security and Monitor Devices page on MARS.

b. Check the box next to the 2811a.acme.com router. Then select Edit.

c. Click Discover and then OK once the discovery is done.

NOTE: This takes time. Please be patient.

d. Scroll to the bottom of the page and select Submit.

e. Click Done and then Activate.

Step 14. Login to UserPC2. Ensure the VPN is NOT connected by attempting to ping 192.168.3.10 (the internal IP of the web server). That ping should fail.

Step 15. Launch IE and select the Test Web Server from Internet link to verify the web server is up and running.

Step 16. Click Home in IE and now click the Sig 5326 root.exe Attack link to attack the web server.

Step 17. Switch back to UserPC1 and watch for the event to appear on the MARS summary page.

Step 18. Click on the 'Incident ID' for the respective attack.

Step 19. Scroll down to the bottom again and click the 'Path/Mitigate' badge.

Step 20. Select the suggested option (which should be remediation on the ASA). Scroll down to see the suggested remediation options. Notice the different ways to block this attacker from the ASA.

Step 21. Now select the alternate option and scroll down. Notice that the suggested ACLs are now referencing the actual ACLs defined on the interface. Again notice that the PUSH button is still grayed out. However, you could copy and paste the recommendation into the router's Global Configuration Mode to remediate.


Task 6: Configuring Alerts and Notifications (20 min)

Purpose: Instead of looking at the MARS Summary screen 24/7, let MARS alert you when an event has occurred that requires your attention!

Step 1. From UserPC1 open up IE and click the CS-MARS link to launch the MARS management window.

Step 2. Select the ADMIN menu item across the top.

Step 3. Select the Configuration Information link in the CS-MARS Setup frame.

Step 4. Fill in the Mail Gateway information as so (leave other defaults as is):

IP: 192.168.3.10
Port: 25
Email domain name: acme.com
Email Format: (Select the radio button by Full graphics)

Step 5. Click Update and Ok.

Now create a rule and action that, when triggered, will send an email.

Step 6. First we need to add the users being emailed to MARS. Go to the ADMIN page. Along the top, find and click the User Management link. Click Add to add a new user.


Step 7. Add only the following information for a user who only needs to be alerted when an event occurs:

Role: Notification Only
First Name: Wilie
Last Name: Coyote
Organization: ACME
Email: wecoyote@acme.com
Work Phone: 123-123-1234

NOTE: Login, Password, and Re-enter Password fields are not required for Notification Only.

Step 8. Click Submit.

Step 9. Add the following information for a user who will have read and write access to MARS and only read access to the ADMIN menu.

Role: Security Analyst (Note: think of the technician who has to do something about this.)
Login: rrunner
Password: cisco123
Re-enter password: cisco123
First Name: Road
Last Name: Runner
Organization: SOC at ACME
Email: rrunner@acme.com

Step 10. Click Submit.

Step 11. Now add a group and include these two users.

a. Click the Add Group button.

b. Name: Red Alerts Group

c. Check the boxes next to "Wilie" and "Road".


d. Click the Add button, located below the pane, to move them over to the left pane.

e. Click Submit.

Step 12. Now we want to create a rule that triggers on any event that MARS considers to be RED.

a. Click the RULES button from the menu and then select the Add button to add a new rule.

b. Rule Name: Email on Red

c. Description: Trigger on any red alert and send email to Red Alerts Group

d. Click Next.

NOTE: Instead of walking you through the redundant steps to set the individual search fields for this rule, use the following sub-steps as a template for each column until you reach the Keyword column.

Step 13. In the right hand pane, check the box next to ANY and then use the right arrow button, located between the two panes, to move the checked items to the left.


Step 14. Scroll down to the bottom and click Next.

Step 15. Repeat Steps 13 and 14 for each remaining column until you reach the Keyword column.

Step 16. On the Keyword column just click Next.


Step 17. On the Severity column page set the Severity to RED and put a value of 1 in the Counts field.

Step 18. Click Next.

Step 19. A new screen will ask if you are done defining the rule conditions. Take a moment and review your rule's columns to ensure that ANY shows up in all the columns, Severity is RED and Count is 1. NOTE: You cannot delete a rule once it has been created, but you can inactivate it. Click Yes to continue.

Step 20. The conditions for the rule have now been set. It is time to set the actions triggered on a match of this rule.

a. Scroll to the bottom and click Add to create a new action. This will take you to the action creation window.

b. Name: Email on Red

c. Description: Email Red Alert List

d. Check the box next to Email and then click the Change Recipient link next to it.

e. A familiar screen will appear. Use it to add the Red Alerts Group and then Submit.

f. This returns you to the previous screen. Scroll down and click Submit.

g. Now that our action has been created we can select it and associate it with the rule. Add it to the rule and click Next.

h. Since our Count column was set to 1 you can take the defaults on the Time Range page. As you can see, we could limit our rule to being triggered only by a number of counts within a given time frame.

i. Click Submit to create this rule. Don't forget to hit the Activate button.

Step 21. If you'd like to review your rule, you can find it as the last entry in the Rules page (don't forget there are multiple pages).

Step 22. Now trigger a red event so that this rule fires and emails the group.

Step 23. Use UserPC2 to launch, yet again, the Sig 5326 attack.

Step 24. Return to the MARS Summary page to see this event. Note that you'll see multiple entries on the Summary page related to this attack; one of them is the rule we just created.

Step 25. UserPC1 has an email account for Wilie and UserPC2 has an account for Road. Open up Outlook Express on both desktops and do a Send and Receive.

On UserPC1, since the link in Wilie's email will open a new link to MARS, close your existing MARS window before clicking on any links in the email. If you attempt to log in with the "Notification Only" account you will NOT be able to log in. However, the Security Analyst can log in to deal with this attack.
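The rule, action and notification group built in Steps 4 through 25, as an added example that is not part of the lab guide: a small Python model of how an inspection rule with ANY in every column except Severity, a Count and a Time Range fires, and of the message the email action would hand to the mail gateway. The email addresses and domain are the ones entered in Task 6; UserPC2, WebServer, the event names and the timestamps are constructed for the example.

```python
# Added example (not lab-guide code): a toy model of the Task 6 rule "Email on Red". A rule
# fires when matching events reach Count within Time Range; every column except Severity
# stays at ANY (modelled here as None), as built in Steps 13-17.
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.message import EmailMessage
from typing import Optional

EMAIL_DOMAIN = "acme.com"   # Step 4 value; the message below is built, never sent

@dataclass
class Event:
    ts: datetime
    severity: str           # RED / YELLOW / GREEN, as MARS colours events
    source: str
    dest: str
    event_type: str

@dataclass
class Rule:
    name: str
    severity: str
    count: int
    time_range: timedelta
    active: bool = False    # nothing fires until Activate is clicked (Step 20i)
    source: Optional[str] = None        # None stands for ANY in that rule column
    dest: Optional[str] = None
    event_type: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        return (ev.severity == self.severity
                and self.source in (None, ev.source)
                and self.dest in (None, ev.dest)
                and self.event_type in (None, ev.event_type))

def evaluate(rule: Rule, events: list) -> list:
    """One incident (a list of events) each time `count` matching events fall
    inside `time_range`; the window is cleared after every firing."""
    if not rule.active:
        return []
    incidents, window = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if rule.matches(ev):
            window = [w for w in window if ev.ts - w.ts <= rule.time_range] + [ev]
            if len(window) >= rule.count:
                incidents.append(window)
                window = []
    return incidents

def build_alert_email(rule: Rule, incident: list, group: list) -> EmailMessage:
    """The message the 'Email on Red' action would hand to the mail gateway."""
    msg = EmailMessage()
    msg["From"] = f"mars@{EMAIL_DOMAIN}"
    msg["To"] = ", ".join(email for email, _role in group)
    msg["Subject"] = f"[MARS] {rule.name}: {len(incident)} {rule.severity} event(s)"
    msg.set_content("\n".join(f"{e.ts:%H:%M:%S} {e.event_type} {e.source} -> {e.dest}"
                              for e in incident))
    return msg

def demo() -> dict:
    t0 = datetime(2008, 9, 1, 10, 0)
    def red(minutes):       # constructed: the Sig 5326 attack from UserPC2 on the web server
        return Event(t0 + timedelta(minutes=minutes), "RED", "UserPC2", "WebServer", "Sig 5326 root.exe")
    events = [red(0), red(1), red(2), red(20),
              Event(t0 + timedelta(seconds=30), "YELLOW", "UserPC2", "WebServer", "Port scan")]
    group = [("wecoyote@acme.com", "Notification Only"), ("rrunner@acme.com", "Security Analyst")]
    email_on_red = Rule("Email on Red", "RED", 1, timedelta(minutes=10), active=True)
    burst = Rule("Three RED in 5 min", "RED", 3, timedelta(minutes=5), active=True)
    never_activated = Rule("Email on Red", "RED", 1, timedelta(minutes=10))
    incidents = evaluate(email_on_red, events)
    msg = build_alert_email(email_on_red, incidents[0], group)
    return {"count_1": len(incidents), "count_3": len(evaluate(burst, events)),
            "inactive": len(evaluate(never_activated, events)),
            "to": str(msg["To"]), "subject": str(msg["Subject"]),
            "can_log_in": [role != "Notification Only" for _email, role in group]}  # Step 7 NOTE
```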

This completes the exercises for today. NOW is a GREAT time to complete the training survey.


Exercise 1: Solutions Sale Mock Interview & SoW Generation - with appropriate customer responses

Mock Interview Assumptions:
1. Customer desires better visibility due to high frequency of undetermined network outages.
2. Cisco core infrastructure with Checkpoint Firewalls, Juniper IDP.
3. AM has established chain of command; SE working with Network Engineer to conduct assessment, create list of deliverables including Product, Services, and SOW.

DATE:

CISCO PARTNER:

Company Name: Acme Corp
Address: Anywhere, USA
Primary Contact: Joey Blow
Title: Network Engineer
Phone:
eMail:

GENERAL CUSTOMER INFORMATION:

Industry Vertical/Line of Business: Services, Call Center outsourcing, customer support

Public or Private: Public

Total number of Employees: 1,300

Total number of Employees on IT Staff: 15

• How many focused on security issues? 2

How are IT staff segmented, i.e. do Network Ops and SecOps work together? Mostly when we are going through an audit, they always want reports.

Who is responsible for ensuring security policy is enforced?

• Network Ops: We own the routing/switching and firewall

• Security Ops: not sure

WHAT ARE YOUR TOP 3 NETWORK SECURITY CONCERNS TO ADDRESS USING LOG ANALYSIS AND CORRELATION:

1) To find the cause of recent unexpected network downtime
2) To see if we are being hacked
3) To show management that our security products are protecting us

REGULATORY - CORPORATE COMPLIANCE
List relevant legislative and corporate compliance requirements:
a) SoX
b) HIPAA
c) SLA for our customers

Who is responsible for internal audit? Nancy Smith leads the team

Who is your external Auditing Firm? Not sure

What are the ramifications for non-compliance?
a) Lost customers
b) Failed audits
c) Fines?
What are your long term storage requirements? 3 years

What Auditor reports are required to demonstrate adherence to policy?
a)
b)
c)
d)

OPERATIONAL INFORMATION
1) Do you currently outsource any network or security operations? No
   a. This could limit the ability to collect key data (IPS for example)
2) Does company have an e-commerce presence? No
   a. This could indicate mandates for monitoring and reporting.
3) Do you want to collect and correlate Windows Server Logs? YES
   a. Can Snare be placed on the server? YES
   b. What about change management process? Done
4) Is there in-house Application/Software development? YES
   a. Do these applications need to be collected/analyzed/monitored? Not at this time, but we might want to in the future
5) Does organization make use of Netflow currently? NO
   a. Can we get access to key sources of Netflow? YES
6) Who is responsible for reviewing data from Firewall? The NetSec Team
7) Who is responsible for reviewing data from IPS? The NetSec Team
   a. How are false positives resolved? They are not
8) When was the last time users complained about lack of network availability? Last week
   a. Was the network down? Yes
   b. If so, for how long? 3 hours
   c. How resolved? Reboot
9) On average, how long does it take to find the source of a network or security problem? It depends, sometimes an hour, sometimes we never know what happened.
10) What tools does the help desk use to investigate and resolve network or security problems? Sniffers

TOPOLOGY/TOPOGRAPHY:
1) List all offices and the number of employees in each office:
   a. HQ: Dallas, 400
   b. Data Centers: Dallas and Los Angeles
   c. Branch offices: Ohio = 100, Atlanta = 150, Los Angeles = 300, London = 100, Japan = 100
   d. SOHO: ~100 remote users

GENERAL REPORTING REQUIREMENTS - General Management reports
1) Specify the type of reports Management wants to see:
   a. Failed logins
   b. Attacks stopped by Firewall
   c. Top Destinations
   d. Top Sources
   e. Other??
UPTIME AND SLA'S
1) Do you have Service Level Agreements in place?
   a. For Customers? YES
   b. For Partners? NO
   c. For Vendors? NO

2) Can you quantify the cost of network downtime? NO

Sensitive Data
1) Do you store employee personal health information? YES, HR Records
2) Do you transmit, store, or process credit card or personal financial data? Not that I'm aware of...
3) How is proprietary data protected: Not sure other than firewalls
4) Do you share data outside the organization: YES, with partners and Marketing companies

Logging
1) Do you currently deploy a syslog server? Yes, for Firewalls
   a. What Brand/Version? Kiwi
   b. What is the current retention period for log files? 3 years
2) Do you have a SAN or NAS set up for long term log storage? SAN
3) How many log entries per day: Not sure
4) List devices sending syslog data in chart below:
PRODUCT INFORMATION - Currently used products and tools
List all Technologies currently in use. Use Notes section to explain locations, HA, etc.

Network and Security Device Information | Vendor | Model & Version | # QTY | Annual Maintenance Cost | Notes: i.e. Locations, usage, redundancy, etc.
Firewall | Checkpoint | NG | 12 | TBD |
Firewall | | | | |
Firewall | | | | |
Router | Cisco | 3845 | 20 | |
Router | Cisco | 2811 | 40 | |
Router | | | | |
Switch | Cisco | 6509 | 4 | |
Switch | | | | |
Switch | | | | |
Switch | | | | |
VPN IPSec | Cisco | 3015 | | |
VPN SSL | Juniper | | | |
Authentication Server | Cisco | ACS | | |
Authentication Server | | | | |
Wireless AP - Controller? | | | | |
Packet Shaper, Sniffer | Peribit | | | |
Syslog | Kiwi | | | |
Network IPS/IDS | Juniper | IDP | | |
HOST IPS | | | | |
Windows Servers | Dell | | | |
Databases | Oracle | 10g | | |
Critical Applications | G2 CRM | | | |
Vulnerability Assessment Tools | Foundstone | | | |
Caching | | | | |
NAC | | | | |
MPLS | Verizon | | | |
Other | | | | |
Other | | | | |

TOP OF MIND SECURITY CONCERNS:
1. Executive Level: Can't see why we need to spend so much on Security
2. Management Level: Taking heat for so many network outages
3. Engineering Level: Can't keep up with all the tasks, from Patching systems, to chasing down root cause for downtime, can't get work done.

DOCUMENTATION: (please provide)
1. VISIO NETWORK DIAGRAM
2. SECURITY POLICY (optional)


Exercise 2: Solutions Sale Mock Interview & SoW Generation - SE interview

Mock Interview Assumptions:
1. Customer desires better visibility due to high frequency of undetermined network outages.
2. Cisco core infrastructure with Checkpoint Firewalls, Juniper IDP.
3. AM has established chain of command; SE working with Network Engineer to conduct assessment, create list of deliverables including Product, Services, and SOW.

DATE:

CISCO PARTNER:

Company Name:
Address:
Primary Contact:
Title:
Phone:
eMail:

WHAT ARE YOUR TOP 3 NETWORK SECURITY CONCERNS TO ADDRESS USING LOG ANALYSIS AND CORRELATION:

1) >
2) >
3) >

GENERAL CUSTOMER INFORMATION:

Industry Vertical:

Public or Private:

Total number of Employees:

Total number of Employees on IT Staff:

• How many focused on security issues?

How are IT staff segmented, i.e. do Network Ops and SecOps work together?

Who is responsible for ensuring security policy is enforced?

• Network Ops:

• Security Ops:

REGULATORY - CORPORATE COMPLIANCE
List relevant legislative and corporate compliance requirements:
a) >
b) >
c) >

Who is responsible for internal audit?

Who is your external Auditing Firm?

What are the ramifications for non-compliance?
a) >
b) >
c) >
What are your long term storage requirements?

What Auditor reports are required to demonstrate adherence to policy?
a) >
b) >
c) >
d) >

OPERATIONAL INFORMATION
1) Do you currently outsource any network or security operations?
   a. This could limit the ability to collect key data (IPS for example)
2) Does company have an e-commerce presence?
   a. This could indicate mandates for monitoring and reporting.
3) Do you want to collect and correlate Windows Server Logs?
   a. Can Snare be placed on the server?
   b. What about change management process?
4) Is there in-house Application/Software development?
   a. Do these applications need to be collected/analyzed/monitored?
5) Does organization make use of Netflow currently?
   a. Can we get access to key sources of Netflow?
6) Who is responsible for reviewing data from Firewall?
7) Who is responsible for reviewing data from IPS?
   a. How are false positives resolved?
8) When was the last time users complained about lack of network availability?
   a. Was the network down?
   b. If so, for how long?
   c. How resolved?
9) On average, how long does it take to find the source of a network or security problem?
10) What tools does the help desk use to investigate and resolve network or security problems?

TOPOLOGY/TOPOGRAPHY:
1) List all offices and the number of employees in each office:
   a. HQ:
   b. Data Centers:
   c. Branch offices:
   d. SOHO:

GENERAL REPORTING REQUIREMENTS - General Management reports
1) Specify the type of reports Management wants to see:
   a. >
   b. >
   c. >
   d. >
   e. >
UPTIME AND SLA'S
1) Do you have Service Level Agreements in place?
   a. For Customers?
   b. For Partners?
   c. For Vendors?

2) Can you quantify the cost of network downtime?

Sensitive Data
1) Do you store employee personal health information?
2) Do you transmit, store, or process credit card or personal financial data?
3) How is proprietary data protected:
4) Do you share data outside the organization:

Logging
1) Do you currently deploy a syslog server?
   a. What Brand/Version?
   b. What is the current retention period for log files?
2) Do you have a SAN or NAS set up for long term log storage?
3) How many log entries per day:
4) List devices sending syslog data in chart below:
PRODUCT INFORMATION - Currently used products and tools
List all Technologies currently in use. Use Notes section to explain locations, HA, etc.

Network and Security Device Information | Vendor | Model & Version | # QTY | Annual Maintenance Cost | Notes: i.e. Locations, usage, redundancy, etc.
Firewall | | | | |
Firewall | | | | |
Firewall | | | | |
Router | | | | |
Router | | | | |
Router | | | | |
Switch | | | | |
Switch | | | | |
Switch | | | | |
Switch | | | | |
VPN IPSec | | | | |
VPN SSL | | | | |
Authentication Server | | | | |
Authentication Server | | | | |
Wireless AP - Controller? | | | | |
Packet Shaper, Sniffer | | | | |
Syslog | | | | |
Network IPS/IDS | | | | |
HOST IPS | | | | |
Windows Servers | | | | |
Databases | | | | |
Critical Applications | | | | |
Vulnerability Assessment Tools | | | | |
Caching | | | | |
NAC | | | | |
MPLS | | | | |
Other | | | | |
Other | | | | |

TOP OF MIND SECURITY CONCERNS:
1. Executive Level:
2. Management Level:
3. Engineering Level:
DOCUMENTATION: (please provide)
1. VISIO NETWORK DIAGRAM
2. SECURITY POLICY (optional)


MARS Lab Logical Topology Diagram

[Figure: MARS Lab Topology. The image is not reproduced here; the labels recovered from it are listed below.]

- Firewall Outside: VLAN x6, 167.21.6.0/24; firewall outside (0) interface e0/0 at .254; User PC 2 (Win 2000 Pro SP4) at .50
- Firewall Inside untrusted: VLAN x8, 192.168.5.0/24; firewall inside (100) interface e0/1 at .254
- NAC-CAS 4.1.2.1 (bridged, in-band VPN) at .10, with a CAS failover cross-over cable
- Firewall Inside trusted: VLAN x5, 192.168.5.0/24; .1 on Fa0.0.x5
- 3550g switch with the network management interface; 2811 Core Router with subinterfaces fa0/0.x1, fa0/0.x2, fa0/0.x3, fa0/0.x4 and fa0/0.x9, each at .1 on its VLAN
- VLAN x1 Net Mgt: 192.168.1.0/24 (.1 and .250)
- VLAN x9 Attacker VLAN: 192.168.9.0/24; Attacker PC 1 (BackTrack) at .50
- VLAN x2 Security Services: 192.168.2.0/24; MARS 4.2.6 (2458) and CSM 3.1.0 (with Common Services 3.0.5, RME 4.0.5, AutoUpdate 3.0.5); addresses .10, .30 and .32 appear in this part of the diagram
- VLAN x4 User VLAN: 192.168.4.0/24; User PC 1 (Win 2000 Pro SP4) at .50
- VLAN x3 Common Services: 192.168.3.0/24; Windows Servers: Win2k DC, DNS, Win2k3 DHCP, IIS, Syslog, ACS 4.1