Cisco Security System Shuts Out Third-Party Tools

alphadogg writes "Cisco has finally publicly acknowledged it won't add support for new third-party devices to its security information and event monitoring appliance, ending months of speculation about the future of its Monitoring, Analysis and Response System. Some claim it's the beginning of the end for MARS as a multi-vendor SIEM device. 'MARS customers can expect non-Cisco network device data and signature updates to continue for currently supported third-party systems, but no new third-party devices will be added,' Cisco declared in a statement, noting that 'Cisco MARS continues to focus on supporting Cisco devices for threat identification and mitigation.' Cisco's SIEM competitors this week have eagerly grabbed at the topic of Cisco MARS freezing third-party support because of a Gartner research memo published Oct. 29 in which analyst Mark Nicolett stated, 'Cisco has quietly begun informing its customers of a decision to freeze support for most non-Cisco event sources with its [MARS].'"

This isn't new.

Cisco only supports Cisco. No Standard interfaces, nothing. Once they get in your shop, you are forced to buy other Cisco devices and Software to work with them.

Re:This isn't new.

[Ironsides]

Cisco only supports Cisco. No Standard interfaces, nothing.

So, they don't support IPv4, IPv6, RJ-45 or RS-232?

Re:This isn't new.

Probably only be because they have to.

Re:This isn't new.

What a bunch of wankers, shutting out third-party tools. Who do they think they are, Microsoft?? Apple?

Re:This isn't new.

[Antique+Geekmeister]

Have you examined that weird pinout they use for RS-232 on RJ-45 connectors? It's the combination of any 2 features that they do oddly.

Re:This isn't new.

[Myrimos]

Have you examined that weird pinout they use for RS-232 on RJ-45 connectors? It's the combination of any 2 features that they do oddly.

You mean for their console cables? That irritated me to no end, but it's not as bad as the their DB-25 to proprietary 60 pin interface.

Re:This isn't new.

Take a look here: http://www.lammertbies.nl/comm/cable/yost-serial-rj45.html

Then take a look here and compare the pinouts:
http://www.cisco.com/en/US/products/hw/routers/ps332/products_tech_note09186a0080094ce6.shtml

and compare the pinouts. The fact that it irritates you does not mean it is stupid or "proprietary just because". It may be you do not know the good reason behind, eh ?

Re:This isn't new.

[Myrimos]

You're putting words into my mouth, Anonymous. :) I didn't say it irritated be because it was stupid, but it does irritate me because I believe a 9 pin RS-232 port would work just as well without the need for the unusual cable.

Re:This isn't new.

[dissy]

You're putting words into my mouth, Anonymous. :) I didn't say it irritated be because it was stupid, but it does irritate me because I believe a 9 pin RS-232 port would work just as well without the need for the unusual cable.

For you maybe, but not for most network engineers.
You patch the console cable into your patch panel and existing RJ-45 wiring just like the ethernet ports on the same device.

They are extremely common connectors in the networking world, and used on many devices.
Even my terminal server uses RJ-45 serial ports, which is exactly where all those switch and router RJ-45 serial ports get patched into. And then another RJ-45 from the terminal server to ethernet to a jack in my office that I can connect to with my desktop or laptop if some part of the network failed and make it so my own system can not reach the switch/router via ethernet.

This is fairly basic network design used in most places.

To add in some funky DB-9 serial port anywhere in the mix would just require everyone else but you to be required to buy 'these damn funny rj-45 to db9 adapters'

Either way, I am sorry they irritate you.

Thank Heavens for Competition

[chill]

Try something that works WITH you as a SECURITY appliance, as opposed to yet another sales opportunity. There is lots of competition that easily beats MARS in functionality, ease of use and comprehensive support. TriGeo, for one.

DMCA Borks Homeland Security, Film at 11

[girlintraining]

Since SIEM equipment is typically used to consolidate alert and event data from multiple vendor sources...

Isn't that quaint! All these demands by the government to secure and protect critical "cyber"-resources, and here we have a major vendor basically giving the middle finger to that initative, making it more expensive and difficult to accomplish that objective. Once again two government initatives are at odds with each other: You have the DMCA and copyright advocates on one side, who have made overriding vendor lock-in by creating interoperability illegal, and national security interests on the other side asking ISPs and internet-connected networks to be secure.

Re:DMCA Borks Homeland Security, Film at 11

[John+Hasler]

> You have the DMCA and copyright advocates on one side, who have made
> overriding vendor lock-in by creating interoperability illegal...

Wrong. The DMCA explicitly permits "reverse engineering" for the purpose of interoperability.

Re:DMCA Borks Homeland Security, Film at 11

[girlintraining]

Wrong. The DMCA explicitly permits "reverse engineering" for the purpose of interoperability.

Did you forget about DeCSS?

Re:DMCA Borks Homeland Security, Film at 11

[John+Hasler]

> Did you forget about DeCSS?

No. The subject is interoperability. Nothing to do with DVDs.

Re:DMCA Borks Homeland Security, Film at 11

[TheRaven64]

DeCSS was reverse engineering for the purpose of interoperability; it allowed you to play DVDs with other software. A side effect was that it could also be used for copyright infringement (you could burn a region-0 version of the DVD), which is what got it into trouble.

Cisco won't allow legitimate owners to patch

[overThruster]

Cisco doesn't allow legitimate owners of their hardware to apply security patches without an exorbitantly expensive software subscription. I found this out when I purchased some of their hardware on ebay for self-study purposes. Personally, I think that's a bigger issue. It means that many individuals and small businesses out there are probably running outdated, insecure versions of their software. Not good!

Security patches should be freely available for the good of the whole Internet community.

Re:Cisco won't allow legitimate owners to patch

[jgasher]

Very few vendors allow that. While the hardware can be resold by unauthorized resellers on what Cisco refers to as the "gray market," the software and OS licenses are non-transferable.
Technically, anyone that buys equipment like that can't legally use it at all because they don't have a valid license for the OS.

Re:Cisco won't allow legitimate owners to patch

[Awptimus+Prime]

You didn't do a quick google before throwing down money on a used security device? This is similar to picking up a used spam appliance for $100 and demanding a free subscription to updated signatures.

Sorry dude, those signatures aren't written by the signature writing security fairy on top of twinkle toe mountain. People are paid to do it and that money has to come from a stable business model.

Don't like it? Build up something using open source and roll with it, nobody is going to stop you and you should probably work it into a distributable ISO and share with the rest of the world for free. But for the love of god, don't whine about companies who let you know up front what subscription rates are for their appliances. IF YOU DONT LIKE OR NEED IT DON'T FUCKING BUY IT.

Apologies, but sometimes you have to type in caps to remind people everything on the goddamned planet isn't going to be free and served to them on a silver platter. :)

Re:Cisco won't allow legitimate owners to patch

[amorsen]

Cisco doesn't allow legitimate owners of their hardware to apply security patches without an exorbitantly expensive software subscription.

This is actually not true. Security patches are available without a subscription. Read the security advisories published by Cisco.

Taking advantage of the offer is sufficiently inconvenient so I don't think very many do.

Re:Cisco won't allow legitimate owners to patch

[John+Hasler]

> Technically, anyone that buys equipment like that can't legally use it at all
> because they don't have a valid license for the OS.

Not true in the USA. Copyright law explicitly grants the owner of a legitimate copy of any piece of software the right to use it: permission of the copyright owner is not required. When you purchase a piece of equipment with software installed on it you are buying a copy of the software (a copy in copyright law is a physical, tangible object: in this case some sort of nonvolatile storage such as a hard disk). Cisco might have a breach of contract case against the first owner, but subsequent owners are not parties to the contract.

Cisco's only out would be to prove that either the sold copy was not legitimate (not likely as they probably installed it themselves and then sold the machine) or that the the copy (and therefor the machine) was not sold but only rented. Even less likely.

Re:Cisco won't allow legitimate owners to patch

[GameboyRMH]

In the case of a spam appliance I could agree, but you can forgive a guy for buying a switch (or something else that doesn't need constant updates just to function effectively) and expecting to be able to download firmware updates for it...unless he was familiar with Cisco's history as a special company, in which case he should have done the smart thing and stayed the hell away from Cisco.

Re:Cisco won't allow legitimate owners to patch

[bertok]

Can you expand on this?

I've never seen a 'free' IOS download on Cisco's site, anywhere, ever.

Re:Cisco won't allow legitimate owners to patch

[Awptimus+Prime]

Agreed. Proliant FTW! Oh wait, HP is a bunch of fuckers too.

Re:Cisco won't allow legitimate owners to patch

[thomasdz]

I use this all the time for equipment that isn't covered under any maintenance contract. You call Cisco, give them the equipment model & serial number, quote the security advisory URL, and voila...they give you download access for the most recent code for your switch/router/firewall... NOTE: You sometimes have to be on hold for an hour or more...but it DOES work...I've done it in the last 3 months for an old 28xx router.

For example: http://www.cisco.com/en/US/products/products_security_advisory09186a0080af8115.shtml

"Customers without Service Contracts

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

+1 800 553 2447 (toll free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
e-mail: tac@cisco.com
Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC."

Re:Cisco won't allow legitimate owners to patch

[TaliesinWI]

Actually that's not quite true. If there's a security update for your version of IOS you can get the fixed version for the asking from them, no contract necessary. You have to specifically say "I have version 12.2(10) and bug report xxxxxx metions a IP DOS attack vector, I'm requesting 12.2(24)" or whatever. This includes taking you up to a new major or minor version if whatever you're on is deprecated, but again, only if it's a security related patch as opposed to a bugfix. You're stuck with whatever feature set you're on though. They won't take you from IP to IP Plus (or whatever they're calling it now) for free.

What you cannot do is buy a blanked-out Cisco device from Ebay (or company acquisition) and then just go download a firmware image for it. But then again, I've never really encountered any vendor that would let you do that.

ISP I worked for until 18 months ago never once bought an IOS license, we'd buy Ciscos off of Ebay and they generally had IOS images on them that needed updates, we'd E-mail Cisco TAC and get what we needed and be off to the races.

MARS is a joke

[vvaduva]

I've been a MARS admin/user for a few years and this is not a surprise at all. I have first generation hardware - right after the purchase, Cisco announced that they no longer provide software updates for 1st gen machines, trying to push new hardware down customers throats, so for about a year I was unable to patch or update my environment. Finally they gave in last year and started supporting both 1st and 2nd generation hardware again (I assume because customers were running away from their sinking MARS ship).

This announcement is not a surprise at all since they've been pushing netflow like crazy, however a true event management solution should not be vendor centric to begin with. It's a pain to get MARS to take in events from Windows machines for example, or accept and manage events from other sources, so the announcement that that will no longer continue the non-existent support they had before is a non-sequitur.

Apparently the mentality at Cisco now is that if they paint a box green and write Cisco on it, people will buy it.

Re:MARS is a joke

[HockeyPuck]

Obviously you've never been a HP Openview operator/admin. This stuff takes a dozen dedicated programmers to work correctly. I believe that's why they call it a 'frame work" because you need a main frame to get it to work.

Re:MARS is a joke

[jgreen1024]

Apparently the mentality at Cisco now is that if they paint a box green and write Cisco on it, people will buy it.

As a longtime Cisco competitor, I can tell you that that is their mentality, and they are right. There are a huge number of IT departments that buy Cisco just because it says Cisco, and refuse to consider anything else. Whether it's for purchasing convenience, politics, job protection, or just reasons of laziness, there are people who just buy what their Cisco rep wants them to buy. If you manage to actually get into a bakeoff test at these places, network engineers will actively try to sabotage the non-Cisco gear in an attempt to get it to fail, and thus provide justification for spending 50% more on the Cisco gear because "it's the only product that meets our stringent requirements." It is a sad thing to watch, but a fact of life if you compete against Cisco. The trick is recognizing those places early in the sales process and adjusting your efforts accordingly so you don't waste too much time.

Re:MARS is a joke

If you're still using mars, you might be interested in the following:

upgrade.conf
5c9483e84b320d017dea913c237b5ff2

install.conf
814521e15bd92880fc27811707c8156f

unpack_mars.sh
#!/bin/sh
cat ./upgrade.conf | gpg --passphrase-fd 0 --batch -d -o $2 $1

They do some really interesting things to try and obfuscate what they are doing under the hood. Is it still based on RHAS 2, or have they finally upgraded?

If the key no longer works, you'll need to look at one of the versions after 4.2.1 (last version I ever bothered to unpack) and find out what they changed the key to. Odds are though it's still the same key it was back from the beginning. The upgrade key is used to decrypt the upgrade packages, the install key is used to decrypt the dvd iso.

Oh, one other thing. If you have older hardware it should be trivial to make it work with the new versions. One of the scripts looks for a few specific raid controllers, it should be easy to re-add your model back in there.

(posted anon for obvious reasons)

Inaccurate blog title

Cisco is not "shutting out third party tools," they are simply stopping official support of third party (non Cisco) devices and applications - they are not shutting anyone out.

However, this does cause some issues as SIEM platforms are meant to be multi-vendor, multi-platform security management solutions and the fact that Cisco will not support third party devices any longer does not bode well for their customers or the long term viability of the MARS offering.

A SIEM platform or any other security or performance management platform, like OpenView or SCOM, needs to have software that can "talk" to the managed system. Every device manufacturer, OS, application, database, etc. has a different API or way to collect logs - some have a standard event format or collection mechanism, but, many do not.

In order to officially support collection of these logs a SIEM vendor has to test their collection method against those devices or applications, which is a very expensive and time consuming process. As third party vendors (i.e. Microsoft) release new versions of their platforms (i.e. Windows 2008 vs 2003) the management platform also has to retest their monitoring against those new versions.

Oftentimes, the new third party version breaks the existing management capability, therefore, the management vendor has to go back and redesign how they "talk" to the platform.

Cisco has simply stated that they are no longer willing to support non Cisco platforms as part of their SIEM offering. There are plenty of other SIEM platforms out there that do support non native platforms, such as ArcSight, NetIQ, RSA, etc.

It sucks that Cisco customers now have to look for another solution for non Cisco devices, but, this is great news for other SIEM vendors as Cisco, by way of their huge client base and marketing clout, were able to amass over 4,000 customers for their SIEM offering. Many of these customers will now look for another SIEM vendor.

Cisco is discontinuing MARS

You heard it here first: Cisco is end-of-life'ing this product line.

Everyone in the industry heard it hear last -- it's common knowledge.

Cisco's channel already knows to stop selling it. Do you really think they would make changes like this unless it was due to pulling engineers off the product? They're not going to sell another subscription to MARS after this, and that's okay with them ... so quit freaking out.

Re:Cisco is discontinuing MARS

[DarkOx]

Right, its not a big deal and anyone who has been making purchase decisions in IT long enough to know what MARS does knows you don't EVER EVER consider a Cisco solution unless:

They are giving you a sweat heart deal to run some other vendor off, so you don't care about scrapping it later.

They have been selling the product for at least two years, otherwise it has a 50pct change of just disappearing

Their offering still has the features that you are primarily interested in after they have existed in the product for two years, otherwise said product is likely to morph into something completely different in operational characteristics.

Re:Cisco is discontinuing MARS

[Kaboom13]

You can probably summarize this to: Don't buy anything Cisco thats not a Router, Switch, or Firewall (honestly the firewall is pretty iffy as well). Their other products seem designed to trade in on the name recognition their core business has created, but are generally sub par. I say this as someone who loves and defends Cisco's core networking gear. Would you buy a router from Microsoft, based on Windows? Of course not. Don't buy a server from Cisco (even if they call it a network appliance). Vendor lock-in is always a bad idea, Cisco lock-in is a world of pain. They will bleed you for money every chance they get, and not even realize they are doing it. Want to update to fix a crippling bug? Better have renewed your Smartnet. Want to enable a feature supported by your device? Better check to make sure your device is licensed for that. Oh, and you will need to buy client licenses for every piece of equipment that interacts with it, and a support agreement for those too.

The one positive side effect of the Cisco way is there is a ton of cheap older hardware out there to train on, Cisco makes reselling the equipment with support intact almost impossible so businesses don't want to touch it.

Aware Now

[omb]

But, he is _aware_of_Cisco's policies now, and the rest of the list is better informed.

SenSage

Cisco has partnered with SenSage to cover the non-Cisco log sources. DISA is implementing this solution as we speak.

3rd party support via importable parsers

Well over a year ago, the Cisco MARS started supported the notion of parser templates that could be imported and exported. Cisco also created a web site for exchanging said parsers. So, in theory a lot of 3rd party devices could be supported by the community of users (and vendors). It's not bad idea really, but no one uses it and frankly...I'm buying a commercial SIM so *I* don't have to do all that work. There is also the problem of 3rd party devices that don't normally use syslog or traps (Checkpoint, for example). Ultimately, the whole point of paying for a commercial SIM is to get a product that can scale and understands and accurately categorizes events across all your relevant systems, not just your routers, switches and IDS/IPS. MARS scales reasonably well (albeit 1/3 of what the specs say), but has never done well with parsing events from even Cisco devices.

Without 3rd party support, MARS is not a SIM...it's just a really expensive syslog aggregator + SDEE.