- Physical Security
- Inherent Security of MARS Appliances
- Security Management Network
- MARS Communications Requirements
- Network Security Recommendations
- Summary
MARS Communications Requirements
Before you can protect MARS with a firewall, you first need to understand which TCP and UDP ports MARS requires to operate properly, and which of these carry outbound or inbound traffic. Table 4-1 provides a summary of all communications when MARS and the various monitored devices are all configured with default ports. Many or all of these can be changed, and you might need to modify this table for your installation.
Table 4-1. MARS TCP and UDP Ports
Port |
Description |
Direction |
TCP/21 |
Used by MARS to retrieve switch and router configuration files from centralized servers. FTP uses additional TCP ports (usually TCP/20), and most firewalls allow this to occur automatically. |
Outbound |
TCP/22 |
Used for management access to MARS LCs and GCs. |
Inbound |
Used by MARS to connect to devices when learning topology or investigating hosts. |
Outbound |
|
TCP/23 |
MARS uses Telnet as one method to connect to some network devices when learning topology or investigating hosts. |
Outbound |
TCP/25 |
Used by MARS to e-mail reports and alerts. |
Outbound |
UDP/53 |
Used by MARS to look up host name–to–IP address resolution. |
Outbound |
TCP/53 |
Used by MARS to look up host name–to–IP address resolution. |
Outbound |
TCP/80 |
Used by MARS to communicate with Cisco routers for Distributed Threat Mitigation (DTM). |
Outbound |
Used by MARS to receive some events, including web logs from iPlanet and Apache web servers, as well as NetCache. |
Inbound |
|
UDP/123 |
Used by MARS to synchronize time with Network Time Protocol (NTP) servers. |
Outbound |
TCP/137 |
Used by MARS to pull events from Windows systems. |
Outbound |
UDP/161 |
Used for Simple Network Management Protocol (SNMP) communications from MARS to monitored devices that use SNMP as the access method. |
Outbound |
UDP/162 |
Used by MARS to receive SNMP traps from monitored devices that are configured to use traps for logging. |
Inbound |
TCP/443 |
Used for management access to MARS LCs and GCs. |
Inbound |
Used by MARS to pull security events from Cisco IDS 4.x and IPS 5.x sensors and Cisco IOS IPS. |
Outbound |
|
Used by MARS GCs and LCs for communications between appliances. |
Inbound and Outbound |
|
TCP/445 |
Used by MARS to pull events from Windows systems. |
Outbound |
UDP/514 |
Used by MARS to receive syslog messages from monitored devices. |
Inbound |
UDP/2049 |
Used by MARS to write archive data using Network File System (NFS). |
Outbound |
UDP/2055 |
Used by MARS to receive NetFlow data from monitored devices. |
Inbound |
TCP/8444 |
Used for communications between MARS GC and LC appliances. |
Inbound and Outbound |
TCP/18184 |
Used by MARS to pull event logs from Check Point firewalls. |
Outbound |
TCP/18190 |
Used by MARS to retrieve configuration settings from Check Point firewalls. |
Outbound |
TCP/18210 |
Used by MARS to retrieve certificates from Check Point firewalls or management consoles. |
Outbound |
All TCP/UDP |
Used for vulnerability assessment scanning by MARS if enabled. |
Outbound |