
Cisco Security Manager

Cisco Security Manager is a market-leading security and policy management software application for managing network security functions.

Cisco Security Manager is an essential tool to centrally provision all aspects of device configuration and security policies for firewalls, including PIX Security Appliance, Adaptive Security Appliance (ASA), and Firewall Services Module (FWSM), Virtual Private Networks (VPN) technologies, and Intrusion Prevention System (IPS) services across Cisco routers, security appliances, Catalyst 6500/7600 series devices, and Catalyst switch security services modules (VPNSM, FWSM).

Cisco Security Manager offers configuration, deployment, and management services across all major Cisco security devices. Cisco Security Manager can provision small networks of fewer than ten devices and scale to large-scale networks with thousands of devices.

Note

The Cisco Security Manager is part of the Cisco Security Management suite—a framework of products and technologies, delivering scalable policy administration and enforcement for the Cisco Self-Defending Network. The suite also includes the CS-MARS product for monitoring and mitigation. CS-MARS is covered in Chapter 23, "Security Monitoring and Correlation."

For more details about the Cisco Security Management suite, refer to the following Cisco documentation URL: http://www.cisco.com/en/US/netsol/ns647/networking_solutions_sub_solution_home.html.


Cisco Security Manager—Features and Capabilities

Cisco Security Manager provides the capability to deploy and manage security policies on Cisco security devices.

Cisco Security Manager supports integrated provisioning of firewall, VPN, and IPS services across Cisco IOS routers, PIX, and ASA security appliances, and Catalyst 6500/7600 services modules (FWSM and VPNSM).

Cisco Security Manager also supports provisioning of various platform-specific configurations—for example, Interface parameters, Routing protocols, Quality of Service (QoS), Network Address Translation (NAT), Syslog, Dynamic Host Configuration Protocol (DHCP), Multicast, Authentication, Authorization and Accounting (AAA), and so forth.

Cisco Security Manager offers various features and functions. The following are some of its common capabilities:

Cisco Security Manager provides centralized policy administration of Cisco security appliances, integrated security routers, and security service modules for

Figure 24-1 depicts a high-level overview of Cisco Security Manager providing integrated security management provisioning functions.

Figure 24-1. Cisco Security Manager—Integrated Security Configuration Management Application

The information in Figure 24-1 is taken from the Cisco general product presentation on Cisco Security Manager.


Cisco Security Manager—Firewall Management

Cisco Security Manager supports configuration and management of Cisco firewall policies across multiple platforms, including

Following are some of the common features and capabilities in the firewall management system:

Cisco Security Manager—VPN Management

The Cisco Security Manager supports configuration and management of Cisco VPN policies across multiple platforms, including

The VPN management system allows setup and configuration of IPsec Site-to-Site and Remote Access VPNs. Supported VPN technologies include

Some of the common features and capabilities in the VPN management system are

Cisco Security Manager—IPS Management

Cisco Security Manager supports configuration and management of Cisco IPS policies across multiple platforms, including

The IPS management system allows setup and configuration of IPS sensor management, including

The IPS management system allows setup and configuration of IPS sensors software. Supported IPS Software versions include

Some of the common features and capabilities in the IPS management system include

Cisco Security Manager—Platform Management

In addition to firewall, VPN, and IPS management, the Cisco Security Manager supports configuration and management of platform-specific configuration parameters, for example:

The wide range of platform settings in the previous list extends Cisco Security Manager's coverage beyond the basic firewall, VPN, and IPS services.

Cisco Security Manager—Architecture

Cisco Security Manager is built with robust architecture to centrally provision all aspects of device configuration and security policies for Cisco security devices.

Figure 24-2 illustrates the system architecture of the Cisco Security Manager.

Figure 24-2. Cisco Security Manager—System Architecture


Note

The information in Figure 24-2 is taken from the Cisco general product presentation on Cisco Security Manager.


Cisco Security Manager—Configuration Views

Cisco Security Manager provides a powerful, user-friendly interface; its simple and flexible design lets users perform complex tasks with little effort.

Cisco Security Manager provides three feature-rich, simple-to-use views into the management system for managing devices and policies. Users can switch among these views according to their needs at any time:

Figure 24-5. Cisco Security Manager—Map View


Cisco Security Manager—Managing Devices

Before Cisco Security Manager can manage a device, each device must be configured to communicate with Cisco Security Manager over the required transport protocol with the necessary settings. For example, Cisco Security Manager uses Secure Sockets Layer (SSL) as the default transport protocol to communicate with PIX Firewalls, Adaptive Security Appliances (ASA), Firewall Services Modules (FWSM), and Cisco IOS routers. Therefore, configure the SSL settings on these devices before adding them to the device list.

After the device is configured and ready to be managed, add the device to the Cisco Security Manager device inventory from the Device page.

Table 24-1 summarizes the types of devices and the transport protocols used for each device to communicate with Cisco Security Manager.

Table 24-1. Cisco Security Manager—Devices and Transport Settings

Devices | Transport Settings
PIX Firewall, ASA, FWSM, and Cisco IOS routers (default) | SSL
Cisco IOS routers | SSH
Catalyst 6500/7600 devices (default) | SSH
PIX and ASA devices—For devices managed by an Auto Update Server (AUS) | AUS
Cisco IOS routers—For devices managed by a CNS-Configuration Engine | CNS
Cisco IOS routers—For devices managed by a Token Management Server (TMS) | TMS


Cisco Security Manager—Workflow Mode

By default, Cisco Security Manager operates in the nonworkflow mode, which is the simplest approach; that is, select a device, make a change, and deploy the policy.

For more sophisticated and complex policy deployments, Cisco Security Manager provides a structured process for change management that complements the operational environment. For example, there can be different stages in the life cycle of a policy deployment:

The Cisco Security Manager workflow mode provides the capability for multiple users to be involved in the entire process.

As illustrated in Figure 24-6, the Security Operations (SecOps) officer can define the policy changes and submit them for approval to a senior authorized officer. After approval, the Network Operations (NetOps) team can generate deployment jobs, which can be approved by a senior authorized officer for deployment.

Figure 24-6. Cisco Security Manager—Workflow Mode


The main advantage of the workflow capability is to allow a separation of responsibilities between those who define the security policies and those who implement them.

Figure 24-6 illustrates a sample structured process for change management from defining to deploying the policy and demonstrating the collaboration across the SecOps and NetOps teams.

Cisco Security Manager—Role-Based Access Control (RBAC)

Cisco Security Manager provides two levels of role-based access control providing appropriate separation of ownership and controls to manage the system:

Figure 24-7 illustrates the two role-based access control mechanisms used by the Cisco Security Manager.

Figure 24-7. Cisco Security Manager—Role-Based Access Control

The information in Figure 24-7 is taken from the Cisco general product presentation on Cisco Security Manager.


Cisco Security Manager—Cross-Launch xDM

The Cisco Security Manager provides another unique feature—cross-launching, which opens connections to other device manager applications directly from the Cisco Security Manager interface.

Supported cross-launch xDMs include Cisco ASDM, Router and Security Device Manager (SDM), IPS Device Manager (IDM), and IPS Event Viewer (IEV).

This provides flexibility and faster startup, because the user can reach the device without needing a direct connection from the user desktop to the device. It also ties security event handling to policy management.

Figure 24-8 illustrates an example of opening Cisco ASDM directly from the Cisco Security Manager by right-clicking the managed ASA device and selecting Device Manager to launch the Cisco ASDM application.

Figure 24-8. Cisco Security Manager—Cross-Launch Cisco ASDM


Figure 24-9 illustrates another example of opening Cisco IDM (IPS Device Manager) directly from the Cisco Security Manager by right-clicking the managed IPS device and selecting Device Manager to launch the Cisco IDM application.

Figure 24-9. Cisco Security Manager—Cross-Launch IPS Device Manager (IDM)


Similarly, users can cross-launch Cisco Security Manager from the device manager (xDM) and vice versa.

For example, users can cross-launch Cisco Security Manager from the Cisco ASDM application, as illustrated in Figure 24-10.

Figure 24-10. Cisco Security Manager—Cross-Launch Cisco Security Manager


In Cisco ASDM, select the Monitoring tab, select Logging, go to Log Buffer, and click View; the Log Buffer panel then shows all the log output captured from the Cisco ASA.

Then, right-click any particular log entry and select Goto Rule in CSM to cross-launch Cisco Security Manager and review the corresponding Access Rule policy that generated that log entry.

This feature gives the user greater power to manage and correlate entries across applications without connecting to the device directly, and all of it is available through single-click options.

Figure 24-10 shows a sample log entry output in Cisco ASDM logs. Right-click the log entry to launch the Cisco Security Manager and view the corresponding access rule that triggered the log.

Furthermore, a packet tracer option is available in Cisco ASDM to gain more insight into the packet flow, route flow, and relevant filters pertaining to the log entries.

Cisco Security Manager—Supported Devices and OS Versions

Cisco Security Manager provides configuration and management services across multiple Cisco platforms and OS versions.

Table 24-2 provides a complete list of devices with OS versions supported by Cisco Security Manager.

Table 24-2. Cisco Security Manager—List of Supported Cisco Devices and OS Versions

Cisco PIX Firewall and Cisco ASA Appliances
  Platforms:
  • Cisco PIX 500 Series (Cisco PIX 501, PIX 506, PIX 506E, PIX 515, PIX 515E, PIX 520, PIX 525, and PIX 535)
  • Cisco ASA 5500 Series (Cisco ASA 5505, ASA 5510, ASA 5520, ASA 5540, and ASA 5550)
  OS Versions:
  • Cisco PIX 6.3, PIX 7.0, PIX 7.1, and PIX 7.2
  • Cisco ASA 7.0, ASA 7.1, and ASA 7.2

Cisco IOS Software Routers
  Platforms:
  • Cisco SOHO 70, SOHO 90, Cisco 800, 1600, 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7100, 7200 (VSA), 7300, 7500, and 7600
  OS Versions:
  • Cisco IOS Software Releases 12.3, 12.3T, 12.4, and 12.4T. Limited support (including Layer 3 ACL, interfaces, and FlexConfig) is available for Cisco IOS Software Releases 12.1 and 12.2.
  • Cisco IOS IPS needs Cisco IOS Software Release 12.4(11)T2 and later.

Cisco IPS Appliances and Modules
  Platforms:
  • Cisco IDS 4210, IDS 4215, IDS 4235, IDS 4240, IDS 4250 (SX and XL), IDS 4255, and IDS 4260; Cisco Catalyst 6500 Series Intrusion Detection System Services Module (IDSM-2); NM-CIDS; AIP-SSM 10 or 20
  OS Versions:
  • Cisco IPS 5.1 and 6.0

Cisco Catalyst Switches and Security Modules
  Platforms:
  • Cisco Catalyst 6500 (Cisco Catalyst 6503E, Catalyst 6504E, Catalyst 6506E, Catalyst 6509E, and Catalyst 6513)
  • Cisco FWSM
  • VPN-SM/VPN-SPA
  • IDSM-2
  OS Versions:
  • Cisco IOS Software Releases 12.1S and 12.2SX; Layer 3 ACL and VLAN; VLAN ACL and FlexConfig support only on Cisco Catalyst 6500
  • Cisco FWSM 2.2, 2.3, 3.1, and 3.2
  • Cisco IPS 5.1 and 6.0 for IDSM


Cisco Security Manager—Server and Client Requirements and Restrictions

Cisco Security Manager can be installed on a Windows-based server that is using either one CPU or multiple CPUs.

Table 24-3 describes the minimum server requirements for installing Cisco Security Manager and highlights the restrictions.

Table 24-3. Cisco Security Manager—Server Requirements

System Hardware:
  • IBM PC-compatible with a 2 GHz or faster processor
  • Color monitor with at least 1024x768 resolution and a video card capable of 16-bit colors
  • DVD-ROM drive
  • 100BASE-T (100 Mbps) or faster network connection; single interface only
  • Keyboard
  • Mouse

File system: NTFS

Memory (RAM): 2 GB

System Software, one of the following:
  • Microsoft Windows 2003 Server:
    - Enterprise Edition with SP1
    - Enterprise Edition Release 2
    - Standard Edition with SP1
    - Standard Edition Release 2
  • Microsoft Windows 2000:
    - Advanced Server with SP4
    - Server with SP4
    - Professional with SP4
  Note: Cisco Security Manager supports only U.S. English and Japanese versions of Windows.
  Microsoft ODBC Driver Manager 3.510 or later is also required so that your server can work with Sybase database files.

Browser, one of the following:
  • Microsoft Internet Explorer 6.0 (6.0.2600)
  • Microsoft Internet Explorer 6.0 with SP1 (6.0.2800)
  • Mozilla 1.7 or 1.7.5

Compression Software: WinZip 9.0 or compatible

Hard Drive Space: 20 GB

IP Address: One static IP address. If the server has more than one IP address, disable all but one address. The Cisco Security Manager installer displays a warning if it detects any dynamic IP addresses on the target server. Dynamic addresses are not supported.

The information in Table 24-3 is taken from "Cisco Security Manager 3.1 Data Sheet" at http://www.cisco.com/en/US/products/ps6498/products_data_sheet0900aecd8062bf6e.html.
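The IP Address requirement in Table 24-3 (one static address, no DHCP-assigned addresses) is easy to verify before running the installer. The following Python script is an added example, not the installer's code or any Cisco code: it parses the output of `ipconfig /all` and applies that rule. The two output samples are constructed for illustration (the host name csm-server, the adapters, MAC and IP addresses are made up); on a real target the text would be captured with `ipconfig /all` on the server.

```python
import re

# Constructed `ipconfig /all` output for a server with a single static adapter
# (host name, MAC and addresses are made up, not captured from a real host).
IPCONFIG_ONE_STATIC = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : csm-server
   Primary Dns Suffix  . . . . . . . : example.internal

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-01
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.1.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.1.1
"""

# The same server with a second, DHCP-assigned adapter (also constructed).
IPCONFIG_TWO_ADAPTERS = IPCONFIG_ONE_STATIC + """
Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : example.internal
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-02
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.50.77
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DHCP Server . . . . . . . . . . . : 192.168.50.1
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")      # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")    # "Key . . . : value"


def parse_adapters(text):
    """Split ipconfig /all output into adapters: name, DHCP flag, IP addresses."""
    adapters, current = [], None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = {"name": m.group(1), "dhcp": False, "addresses": []}
            adapters.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m or current is None:        # header section or unrelated line
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "dhcp enabled":
            current["dhcp"] = value.lower() == "yes"
        elif key in ("ip address", "ipv4 address"):
            # newer Windows versions append "(Preferred)" to the address
            current["addresses"].append(re.sub(r"\(.*\)$", "", value).strip())
    return adapters


def check_static_single_address(text):
    """Apply the Table 24-3 rule: exactly one IP address, none DHCP-assigned.
    Returns (ok, list of problem descriptions)."""
    adapters = parse_adapters(text)
    problems = []
    addresses = [a for ad in adapters for a in ad["addresses"]]
    for ad in adapters:
        if ad["dhcp"] and ad["addresses"]:
            problems.append(f"adapter '{ad['name']}' uses a dynamic (DHCP) address "
                            f"{', '.join(ad['addresses'])}; not supported")
    if len(addresses) != 1:
        problems.append(f"server has {len(addresses)} IP addresses; exactly one is "
                        "required (disable the others)")
    return (not problems), problems


if __name__ == "__main__":
    ok, problems = check_static_single_address(IPCONFIG_TWO_ADAPTERS)
    print("PASS" if ok else "FAIL")
    for p in problems:
        print(" -", p)
```

The parser keys on the "DHCP Enabled" and "IP Address"/"IPv4 Address" fields only, so the dotted-leader formatting and any extra fields in the adapter block are ignored.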


Table 24-4 describes the minimum client requirements for installing Cisco Security Manager and highlights the restrictions.

Table 24-4. Cisco Security Manager—Client Requirements

System Hardware:
  • IBM PC-compatible with a 1 GHz or faster processor
  • Color monitor with video card set to 24-bit color depth
  • Keyboard
  • Mouse

Memory (RAM): 1 GB

Virtual Memory/Swap Space: 512 MB

Hard Drive Space: 10 GB

Operating System, one of the following:
  • Microsoft Windows XP Professional with SP1 or later
  • Microsoft Windows 2003:
    - Server Edition with SP1
    - Enterprise Edition with SP1
  • Microsoft Windows 2000:
    - Advanced Server with SP4
    - Professional with SP4
  Note: The Cisco Security Manager Client supports only U.S. English and Japanese versions of Windows. It does not support any other language version.

Browser, one of the following:
  • Microsoft Internet Explorer 6.0 (6.0.2600)
  • Microsoft Internet Explorer 6.0 with SP1 (6.0.2800)
  • Mozilla 1.7 or 1.7.5

Java: The Cisco Security Manager Client includes an embedded and completely isolated version of Java. This Java version does not interfere with your browser settings or with other Java-based applications. If you try to open Cisco Security Manager but do not have the required version of Java, your Cisco Security Manager server will display a message that tells you how to download and install the required Java version.

The information in Table 24-4 is taken from "Cisco Security Manager 3.1 Data Sheet" at http://www.cisco.com/en/US/products/ps6498/products_data_sheet0900aecd8062bf6e.html.


Cisco Security Manager—Traffic Flows and Ports to Be Opened

Required traffic flows identify the necessary protocol and port numbers that must be allowed by firewalls/ACLs if they separate the Cisco Security Manager from a supporting device (as listed in Table 24-2). Several protocol and port numbers are used for varying functions when the Cisco Security Manager communicates with a device. Various Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) ports need to be enabled for use by the Cisco Security Manager and its associated applications on the server to support their associated services.

Table 24-5 identifies the various traffic flows and the associated protocol and port numbers required to be opened if a gateway, firewall, ACL, or any type of filtering device exists between Cisco Security Manager and the service/device.

Table 24-5. Cisco Security Manager—Required Traffic Flows and Ports to Be Opened
(The original table has separate Inbound and Outbound columns; in the merged column below, "X X" marks a flow required in both directions and a single "X" a flow required in one direction.)

Service | Used For/Used By | Port | Protocol | Inbound/Outbound
Ping | Resource Manager Essentials (RME) | | ICMP | X
SSH | Common Services | 22 | TCP | X
SSH | RME | 22 | TCP | X
Telnet | Common Services | 23 | TCP | X
Telnet | DM 6500/7600 | 23 | TCP | X
Telnet | RME | 23 | TCP | X
TACACS+ (for ACS) | Common Services | 49 | TCP | X
TACACS+ (for ACS) | RME | | TCP | X
Trivial File Transfer Protocol (TFTP) | Common Services | 69 | UDP | X X
HTTP | Common Services | 80 | TCP | X
HTTP | DM 6500/7600 | | TCP | X
SNMP (polling) | Common Services | 161 | UDP | X
SNMP (traps) | Common Services | 162 | UDP | X
HTTPS (SSL) | Common Services | 443 | TCP | X
HTTPS (SSL) | Security Manager | 443 | TCP | X
HTTPS (SSL) | AUS | 443 | TCP | X
Syslog | Common Services | 514 | UDP | X
Remote Copy Protocol | Common Services | 514 | TCP | X X
VisiBroker IIOP port for gatekeeper | Common Services | 1683/1684 | TCP | X X
HTTP | Common Services | 1741 | TCP | X
HTTP | Security Manager | 1741 | TCP | X
MySQL | Security Manager | 3306, 5501 | MySQL | X X
Cisco IPS Event Viewer | Security Manager server | 60002, 60003 | TCP | X X
Cisco IPS Event Viewer | Security Manager client | 5001 | TCP | X X
HIPO port for CiscoWorks gatekeeper | Common Services | 8088 | TCP | X X
Tomcat shutdown | Common Services | 9007 | TCP | X
Tomcat Ajp13 connector | Common Services | 9009 | TCP | X
Database | Security Manager | 10033 | TCP | X
License Server | Common Services | 40401 | TCP | X
Daemon Manager | Common Services | 42340 | TCP | X X
Osagent | Common Services | 42342 | UDP | X X
Database | Common Services | 43441 | TCP | X
DCR and OGS | Common Services | 40050–40070 | TCP | X
Event Services | Software Service | 42350/44350 | UDP | X X
Event Services | Software Listening | 42351/44351 | TCP | X X
Event Services | Software HTTP | 42352/44352 | TCP | X X
Event Services | Software Routing | 42353/44353 | TCP | X X
Transport Mechanism (CSTM) | Common Services | 50000–50020 | TCP | X

The information in Table 24-5 is taken from "Installation Guide for Cisco Security Manager 3.1—Requirements and Dependencies" at http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.1/installation/guide/requirem.html.
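A practical way to use Table 24-5 is to check an intervening firewall's rule set against it before deployment, so that a missing entry shows up as a list of blocked flows rather than as a failed job. The following Python script is an added example, not code from the book or from Cisco: it transcribes a subset of the table, expands the port notations the table uses (single ports, slash- and comma-separated lists, and dash ranges), and parses a constructed PIX/ASA-style extended ACL. The ACL, its name CSM, and the server address 10.1.1.20 are made up for illustration, and the parser understands only numeric eq and range port qualifiers.

```python
import re

# Subset of Table 24-5, transcribed as printed: (service, protocol, port spec).
# The inbound/outbound marks are not reproduced here.
REQUIRED_FLOWS = [
    ("Ping (RME)", "icmp", ""),
    ("SSH", "tcp", "22"),
    ("TFTP", "udp", "69"),
    ("HTTPS (SSL)", "tcp", "443"),
    ("Syslog", "udp", "514"),
    ("VisiBroker IIOP", "tcp", "1683/1684"),
    ("HTTP (CiscoWorks)", "tcp", "1741"),
    ("DCR and OGS", "tcp", "40050–40070"),
    ("CSTM", "tcp", "50000–50020"),
]

# Constructed sample ACL (not from any real device) on a firewall in front of
# a CSM server at the made-up address 10.1.1.20; deliberately incomplete.
SAMPLE_ACL = """
access-list CSM extended permit icmp any host 10.1.1.20
access-list CSM extended permit tcp any host 10.1.1.20 eq 22
access-list CSM extended permit tcp any host 10.1.1.20 eq 443
access-list CSM extended permit udp any host 10.1.1.20 eq 514
access-list CSM extended permit tcp any host 10.1.1.20 eq 1741
access-list CSM extended permit tcp any host 10.1.1.20 range 40050 40070
access-list CSM extended deny tcp any host 10.1.1.20 eq 1683
access-list CSM extended deny ip any any
""".strip().splitlines()


def expand_ports(spec):
    """Expand a port spec as printed in Table 24-5 into a set of port numbers.
    Handles '443', '1683/1684', '3306, 5501' and '40050–40070' (en dash or
    hyphen); an empty spec (ICMP) yields an empty set."""
    ports = set()
    for part in re.split(r"[,/]", spec):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(\d+)\s*[-\u2013]\s*(\d+)", part)
        if m:
            ports.update(range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_ace(line):
    """Parse one extended ACE of the form
    'access-list NAME extended permit|deny PROTO SRC DST [eq N | range A B]'
    where SRC/DST are 'any', 'host A.B.C.D' or 'A.B.C.D MASK'.
    Returns (action, proto, ports) with ports=None meaning all ports,
    or None for lines the parser does not understand."""
    tok = line.split()
    try:
        i = next(i for i, t in enumerate(tok) if t in ("permit", "deny"))
        action, proto = tok[i], tok[i + 1].lower()
        i += 2
        for _ in range(2):                  # skip source, then destination
            i += 1 if tok[i] == "any" else 2
        ports = None
        if i < len(tok) and tok[i] == "eq":
            ports = {int(tok[i + 1])}
        elif i < len(tok) and tok[i] == "range":
            ports = set(range(int(tok[i + 1]), int(tok[i + 2]) + 1))
        return action, proto, ports
    except (StopIteration, IndexError, ValueError):
        return None


def missing_flows(acl_lines, required=REQUIRED_FLOWS):
    """Return the required flows that no permit ACE covers, as
    (service, protocol, sorted list of still-blocked ports)."""
    permits = [r for r in map(parse_ace, acl_lines) if r and r[0] == "permit"]
    missing = []
    for service, proto, spec in required:
        uncovered = expand_ports(spec)
        proto_seen = False
        for _, p, ports in permits:
            if p not in (proto, "ip"):      # an 'ip' permit covers every protocol
                continue
            proto_seen = True
            if ports is None:               # no port qualifier: whole protocol
                uncovered.clear()
            else:
                uncovered -= ports
        if uncovered or not proto_seen:
            missing.append((service, proto, sorted(uncovered)))
    return missing


if __name__ == "__main__":
    for service, proto, ports in missing_flows(SAMPLE_ACL):
        print(f"NOT PERMITTED: {service} ({proto} {ports or 'any'})")
```

On the sample ACL the check reports TFTP, the VisiBroker IIOP pair (the deny on 1683 does not count as coverage) and the CSTM range as not permitted; adding a permit for those, or a broad `permit ip` for the server, clears the list. The same structure works for any other filtering device by replacing parse_ace with a parser for that device's rule syntax.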


Several other features are unique to Cisco Security Manager and can be used as required.

For more details on installing and configuring Cisco Security Manager, refer to the following Cisco documentation:

http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html

http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html
