cntt1986
17-09-2009, 06:22 PM
Hello everyone,
I'd like to ask about the use case for the LC and GC. See the picture below:
http://img27.imageshack.us/img27/4027/51915036.jpg (http://img27.imageshack.us/i/51915036.jpg/)
Should I understand this case as one large company with many departments, or as a company with many sites?
If it is many sites, then with the MARS-200 and MARS-100 placed at the GC, how can we monitor the Widget? (An LC would have to be placed at the Widget.)
And if it is many departments, why are Widget Portland and Widget London shown as if they were sites?
Could anyone who understands this MARS scenario explain it to me?
phamminhtuan
20-09-2009, 03:51 AM
Hello,
Placing an LC at each Widget is mainly to save bandwidth. The LC collects all of that branch's data -> filters it -> builds a model -> sends it to the GC over HTTPS.
It also works without an LC, but if, for example, the logs were sent directly to the main branch, it would consume a lot of bandwidth.
A global deployment simply means that one or more Local Controllers are reporting to the CS-MARS Global Controller. In this deployment, Local Controllers report summarized event and session data to the Global Controller in both text and graphical format over an HTTPS session. Additionally, all operations in the Local Controller now become globally manageable. A Global Controller does not do global correlation; that is, the data from each Local Controller is not correlated. You need a global CS-MARS deployment for several reasons:
To conserve WAN bandwidth
To log data security
To facilitate distributed processing of event data
To facilitate distributed management and reporting
For high availability and to archive log retention
In a standalone deployment, all event-reporting devices send their respective log data to a single CS-MARS device. All capabilities discussed in this text are the function of the Local Controller, unless specifically indicated otherwise. This deployment is the most common for small to medium-size businesses. These are some reasons for deploying a single Local Controller:
Cost
Isolated (non-WAN) or local network with Internet or VPN
Minimal number of reporting devices
CS-MARS is a type of STM.
The real value of an STM over a SIM is achieved through the following:
Data reduction: An STM appliance with deep awareness of network topology and addressing can reduce millions of security events to hundreds of actual network incidents.
Timely attack mitigation: An STM has both the performance and the built-in intelligence to recognize and recommend mitigation for attacks before they bring down an entire network.
End-to-end network awareness: An STM uses the full configurations of all types of network devices and end systems, with the capability to process NAT and MAC address information to identify attackers, targets, and network hot spots in graphical form for quick action.
Integrated vulnerability assessment: An STM determines whether a possible network attack is genuine or a false positive, further reducing the number of alarms and the time needed to take action.
Session correlation: Intersession correlation, combined with its very flexible rules framework, enables timely analysis and mitigation of incidents.
SIMs have five core functions:
Collect event data from reporting sources
Store data for analysis, reporting, and archiving
Correlate the data to show relationships
Present the data for analysis
Report on, alarm on, and/or notify about the data
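The answer above says the LC collects a branch's raw events, filters and correlates them, and sends only a summary to the GC over HTTPS, which is why the WAN bandwidth saving exists. The following is an added illustration of that data-reduction step, not code from the thread and not Cisco's own MARS implementation. It assumes a constructed key=value event format, a hypothetical "five denies on one port" rule, and a JSON summary as the stand-in for what an LC would forward; the real appliance's formats and rules are not on this page.

```python
import json
from datetime import datetime

# Constructed sample of raw events as a branch LC might receive them from a
# firewall (not real MARS output): one host repeatedly denied on tcp/22, plus
# a little normal traffic. The repetitive lines are generated to mimic volume.
RAW_EVENTS = [
    f"2009-09-17T10:00:{i:02d} src=10.1.1.5 dst=192.0.2.10 dport=22 action=deny"
    for i in range(50)
] + [
    "2009-09-17T10:01:09 src=10.1.1.7 dst=192.0.2.20 dport=443 action=permit",
    "2009-09-17T10:01:10 src=10.1.1.7 dst=192.0.2.20 dport=443 action=permit",
    "2009-09-17T10:01:11 src=10.1.1.9 dst=192.0.2.30 dport=80 action=permit",
]


def parse_event(line):
    """Split '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def summarize_sessions(lines):
    """Session correlation at the LC: collapse raw events into one record per
    (src, dst, dport) with first/last time, event count and deny count."""
    sessions = {}
    for line in lines:
        ev = parse_event(line)
        key = (ev["src"], ev["dst"], ev["dport"])
        s = sessions.setdefault(key, {
            "src": ev["src"], "dst": ev["dst"], "dport": int(ev["dport"]),
            "first": ev["ts"], "last": ev["ts"], "count": 0, "denied": 0,
        })
        s["count"] += 1
        if ev["action"] == "deny":
            s["denied"] += 1
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return list(sessions.values())


def flag_incidents(sessions, deny_threshold=5):
    """Hypothetical local rule: a session with at least deny_threshold denies
    on a single port becomes an incident worth raising to the GC."""
    return [s for s in sessions if s["denied"] >= deny_threshold]


def encode_summary(sessions):
    """The compact payload an LC would forward (here JSON, assumed): session
    summaries instead of every raw line."""
    out = [dict(s, first=s["first"].isoformat(), last=s["last"].isoformat())
           for s in sessions]
    return json.dumps(out, separators=(",", ":"))


def reduction_ratio(lines):
    """Bytes of raw log (with newlines) divided by bytes of the summary sent
    over the WAN; this is the bandwidth saving the answer refers to."""
    raw_bytes = sum(len(line) + 1 for line in lines)
    summary_bytes = len(encode_summary(summarize_sessions(lines)).encode())
    return raw_bytes / summary_bytes


if __name__ == "__main__":
    sessions = summarize_sessions(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(sessions)} sessions, "
          f"{len(flag_incidents(sessions))} incident(s)")
    print(f"WAN reduction: {reduction_ratio(RAW_EVENTS):.1f}x")
```

Note that this is the same reduction the answer describes (many lines at the branch, one summary to the GC) but, as the quoted text above states, the GC does not re-correlate across LCs; each LC's summary is reported, not merged with the others.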