Welcome to the extraxi blog...

If you found this page accidentally and don't know what extraxi is about... we specialise in reporting solutions for the Cisco Secure ACS and Funk SBR access control servers (aka AAA servers).

The servers are predominantly used to secure network services such as dial, wireless LAN, VPN, firewall and network device management.

Typically these servers just chuck out MBs of raw CSV log data about network activity. What we do is help collect this data, then import it and turn it into usable information.

Monday 19 May 2008

Cisco Secure ACS View 4.0

Well they've been talking about it for long enough... and finally Cisco Secure ACS View 4.0 has arrived. Although we have not actually been able to see it in the flesh, on first look it seems OK. However, Cisco have made some questionable architecture choices: #1 being that they based log collection on syslog and #2 that it's appliance-only.

Ok, so syslog is one of the most widely used logging protocols (historically), but it's hardly the robust transport one would wish for when logging security events. The implementation by ACS is also hampered by their choice of format... basically each syslog packet comprises a single line of log data of the form "attr=value, attr=value, ..." so there is a lot of bloat in carrying the attribute names. It's unlikely that complex ACS deployments will be able to log all the required attributes in a single syslog packet (1024 characters max in ACS 4.1). The View user guide does include the odd explanation that it is OK to receive partial data because the rest will get picked up at a later date (presumably by importing the ACS cab file). Yikes - creating a cab requires you to stop (or at least pause) the ACS services AND importing the same data twice could lead to duplicate rows.

So it uses syslog (unreliable, non-ack'd, unencrypted) to send partial (1024 characters, we guess) log entries using a bloated ASCII format that buries attribute names in the data. That could add up to a whole load more WAN traffic if your ACSs are distributed.
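To make the two failure modes above concrete (a record cut at the packet limit, and the same record arriving a second time once the cab file is imported), here is an added example written for this post rather than taken from ACS View or aaa-reports!. It parses the attr=value line format, flags syslog lines that look truncated, and lets the later full copy replace the partial one instead of being appended as a duplicate row. The 1024-character cap is the figure quoted above; the attribute names, the dedup key and the sample lines are constructed assumptions, not ACS's actual field layout.

```python
"""Ingest 'attr=value, attr=value, ...' syslog lines, flag ones cut at the
packet limit, and merge syslog and cab imports without duplicate rows."""
from dataclasses import dataclass

# Assumed per-packet cap, taken from the 1024-character figure quoted in the
# post for ACS 4.1. Only syslog-sourced lines are subject to it.
SYSLOG_MAX = 1024

# Constructed dedup key. These attribute names are modelled on RADIUS
# attributes and are an assumption, not the field names ACS View emits.
KEY_ATTRS = ("Date", "Time", "User-Name", "NAS-IP-Address", "Acct-Session-Id")


@dataclass
class Record:
    attrs: dict
    partial: bool   # True when the line looks cut at the packet limit
    source: str     # "syslog" (live packets) or "cab" (bulk import)

    def key(self):
        """Tuple of key attribute values; None marks a missing field."""
        return tuple(self.attrs.get(a) for a in KEY_ATTRS)


def parse_attr_line(line, source="syslog"):
    """Parse one attr=value line. A syslog line is flagged partial when it
    has reached SYSLOG_MAX or its last segment was cut before the '='.
    Values containing ', ' are not handled (not needed for this demo)."""
    attrs = {}
    segments = line.split(", ")
    partial = source == "syslog" and len(line) >= SYSLOG_MAX
    for i, seg in enumerate(segments):
        if "=" not in seg:
            if i == len(segments) - 1:
                partial = True      # dangling fragment: cut mid-name
            continue
        name, value = seg.split("=", 1)
        attrs[name.strip()] = value.strip()
    return Record(attrs, partial, source)


def merge(store, record):
    """Insert record into store (dict keyed by Record.key()) and report what
    happened: added, duplicate, completed (a full record replaced a partial
    one), merged (two partials combined) or unkeyed."""
    k = record.key()
    if None in k:
        # Key fields missing (maybe truncated away): cannot dedupe, keep as-is
        store[("unkeyed", len(store))] = record
        return "unkeyed"
    existing = store.get(k)
    if existing is None:
        store[k] = record
        return "added"
    if not existing.partial:
        return "duplicate"          # already hold the full row, drop this one
    if not record.partial:
        store[k] = record
        return "completed"
    existing.attrs.update(record.attrs)  # both partial: union of attributes
    return "merged"


def import_all(sourced_lines):
    """Feed (source, line) pairs through parse+merge; returns store, outcomes."""
    store = {}
    outcomes = [merge(store, parse_attr_line(line, src)) for src, line in sourced_lines]
    return store, outcomes


# Constructed sample data (not real ACS output)
FULL_LINE = ("Date=05/19/2008, Time=10:01:02, User-Name=alice, NAS-IP-Address=10.0.0.1, "
             "Acct-Session-Id=0001, Message-Type=Authen OK, Group-Name=Staff")


def build_sample_lines():
    long_line = FULL_LINE + ", Extra-Attr=" + "x" * 2000   # exceeds the cap
    cut_before_eq = FULL_LINE[: FULL_LINE.index("Message-Type") + 10]
    return {
        "syslog_cut": long_line[:SYSLOG_MAX],   # what a 1024-byte packet carries
        "syslog_dangling": cut_before_eq,       # ends in 'Message-Ty'
        "cab_full": long_line,                  # same event from the cab file
    }


def demo():
    s = build_sample_lines()
    order = [("syslog", s["syslog_cut"]), ("syslog", s["syslog_dangling"]),
             ("cab", s["cab_full"]), ("cab", s["cab_full"])]
    return import_all(order)


if __name__ == "__main__":
    store, outcomes = demo()
    print(outcomes)            # ['added', 'merged', 'completed', 'duplicate']
    print(len(store), "row(s) kept")
```

The point of the `merge` outcomes is that a collector has to treat a syslog row as provisional: a line that fills the packet or ends in a bare attribute name cannot be trusted to be complete, and a cab re-import of the same event must replace it rather than sit beside it. Records cut before the key fields cannot be deduplicated at all, which is why the example keeps them under a separate "unkeyed" bucket for manual review.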

extraxi aaa-reports!, on the other hand, uses the tried and tested bulk download over HTTP(S), using our csvsync client to fetch the logs. The benefit here is that ACS just does what it does best - log locally - and then csvsync/aaa-reports! download the logs in bulk (and with encryption) at a time of your choosing.

Being appliance-only, there is no trial version, so you can't test it before buying. It really only works with 4.1(4) but needs 4.2(1) to work well - so if you currently still have some 3.x servers in production you're out of luck. extraxi aaa-reports! works with all versions from 2.x through to 4.x and can be installed on anything from Windows XP to Server 2003 Terminal Server running inside VMware.

On the topic of database size, View is based on Sybase SQL Anywhere, which has a fixed 4GB of storage. aaa-reports! enterprise (due for release end of May 2008) uses multiple SQL Server Express databases, offering a total of 48GB.

More as it arrives...
