Previous Page Next Page

Cisco Router and Security Device Manager (SDM)

Cisco Router and Security Device Manager (SDM) is a secure web-based device-management tool integrated in the Cisco IOS Software to manage Cisco routers.

Cisco SDM greatly improves productivity, simplifies router and security configuration through step-by-step smart wizards, offers proactive management through performance monitoring, and helps troubleshoot complex network and VPN connectivity issues.

The main advantage of using Cisco SDM is for the non-expert users who are not very familiar with Cisco IOS Software and its features, because it provides an easy-to-use graphical management system to aid in day-to-day operations. For the more experienced users who are familiar with Cisco IOS Software, the Cisco SDM offers advanced configuration tools to quickly configure and fine-tune their work. Users can review the commands generated by the Cisco SDM before pushing the final configuration changes to the router.

Cisco SDM can be used for day-to-day operations such as configuration tuning, monitoring, fault management, and troubleshooting.

Cisco SDM—Features and Capabilities

Cisco SDM provides an easy-to-use browser-based interface for deploying and monitoring Cisco routers without requiring advanced knowledge of the command-line interface (CLI). With Cisco SDM, users can remotely manage and configure dynamic routing, LAN, WAN, WLAN, interfaces, NAT, firewall, VPN, IPS, QoS, and various other basic and advanced IOS router and security features.

Cisco SDM offers various features and functions. The following are some of its common capabilities for configuring and deploying Cisco Routers using a web-based management interface:

Cisco SDM—How It Works

Cisco SDM is an integrated solution embedded within the Cisco IOS Software release. Cisco SDM communicates with routers for two purposes:

Cisco SDM can be launched remotely from any user desktop PC using HTTP, HTTPS, SSL, Telnet, and SSH Protocol connections. The SSL and SSH technology provides a secure connection to manage Cisco IOS Software routers remotely over the Internet or any shared network without compromising the integrity.

The preferred communication protocol used by Cisco SDM is HTTPS (using browser-based SSL) to connect to the router for secure remote management. Users can choose to use non-SSL, less secure standard HTTP-based browsing, too, but it is not recommended.

Users can launch Cisco SDM from a supported Internet browser using the router IP address as follows (HTTP or HTTPS):

https://router_ip_address

Figure 24-11 illustrates a user establishing a secure connection to launch Cisco SDM over the Internet using browser-based SSL technology.

Figure 24-11. Cisco SDM Connection Using SSL


Figure 24-12 shows the Cisco SDM home page when the application is launched.

Figure 24-12. Cisco SDM Home Page


The Cisco SDM home page provides comprehensive information regarding the device, including the following:

The green circles show the features supported on the router, and the red circles show the features that are not supported.

Cisco SDM—Router Security Audit Feature

Cisco SDM provides an intuitive router security audit feature with one-step security audit capability that validates router configurations against a list of common security vulnerabilities and Cisco recommended settings, and provides a summary of recommended best practices.

The audit report highlights the potential security problems identified in the router configuration and can generate corresponding configurations to correct the shortfalls.

Figure 24-13 shows a sample screen capture from the Router Security Audit report.

Figure 24-13. Cisco SDM—Router Security Audit


Cisco SDM—One-Step Lockdown Feature

In addition to the Router Security Audit function, Cisco SDM can perform a one-step router-lockdown function to configure the router for recommended best practices security configuration.

Table 24-6 lists features that are enabled or disabled when using the one-step lockdown feature.

Table 24-6. Cisco SDM—One-Step Lockdown Feature
One-Step Lock-Down Action ItemsCisco IOS Software Equivalent
Disable Finger Serviceno service finger
Disable Packet Assembler/Disassembler (PAD)no service pad
Disable Small Servers (TCP and User Datagram Protocol [UDP])no service tcp-small-servers no service udp-small-servers
Disable BOOTPno ip bootp server
Disable Identification Serviceno ip identd
Disable Cisco Discovery Protocolno cdp run
Disable Source Routingno ip source-route
Enable Password Encryptionservice password-encryption
Enable TCP Keepalives for Inbound and Outbound Telnet Sessionsservice tcp-keepalives-in service tcp-keepalives-out
Sequence Number and Time Stamps of All Debug and Log Messagesservice timestamps debug datetime localtime show-timezone msec

service timestamps log datetime localtime show-timeout msec

service sequence-numbers
Enable Cisco Express Forwarding or Distributed Cisco Express Forwardingip cef
Cisco IOS Software Autosecure Residuesno ip gratuitous-arps
Minimum Password Lengthsecurity passwords min-length 6
Lock Access to Console or vty Line After Unsuccessful Attemptssecurity authentication failure rate 3 log
Tune Scheduler Interval or Allocationscheduler interval 500 scheduler allocate 4000 1000
Set tcp synwait Time to 10 Secondsip tcp synwait-time 10
Text BannerBanner—"Authorized access only. Disconnect IMMEDIATELY if you are not an authorized user!"
Enable Logging for Security and Sequence Numbers with Input for Logging Serverlogging on

logging console critical

logging trap debugging

logging buffered 51200
For Cryptographic Cisco IOS Software Images, Enable Secure Shell (SSH) Protocol and Serial Control Protocol (SCP) for Access and File Transfer Set SSH Timeouts and Retries to the Minimum Possibleip ssh time-out 60

ip ssh authentication-retries 2

!

line vty 0 4

transport input ssh telnet

!
Disable SNMP if Not Being UsedOnly Disable SNMP: no snmp-server
Enable NetFlow on Software Forwarding Platformsinterface <all-interfaces> ip route-cache flow
Disable Internet Control Message Protocol (ICMP) Redirectsinterface <all-interfaces> no ip redirects
Disable Proxy-arpinterface <all-interfaces> no ip proxy-arp
Disable Directed Broadcastinterface <all-interfaces> no ip directed-broadcast
Disable Maintenance Operation Protocol (MOP) Service on Ethernet Interfacesinterface <all-Ethernet-&-FastEthernet-interfaces> no mop enabled
Disable ICMP Unreachables on All Interfacesinterface <all-interfaces> no ip unreachables
Disable Mask Reply Messagesinterface <all-interfaces> no ip mask-reply
Disable Sending Unreachable Messages to the Source for the Packets That Are Discarded or Routed to NULLinterface null 0 no ip unreachables
The information in Table 24-6 is taken from "Cisco Router and Security Device Manager Q&A" at http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_qanda_item0900aecd800fd11b.shtml.


Cisco SDM—Monitor Mode

Cisco SDM provides an intuitive monitor mode for router health checks. Monitor mode can provide a graphical status displaying important information related to the router's resource performance. For example, the following information can be displayed: whether the interface status is up or down, the CPU usage, and memory usage accordingly.

Using the integrated routing and security features, Cisco SDM provides in-depth diagnostics and troubleshooting of WAN and VPN connections.

Figure 24-14 shows an example of VPN troubleshooting. Cisco SDM verifies multiple items to troubleshoot the failed VPN connection, identify the fault, and provide recommendations to correct the issue. Some of the basic tasks performed include checking the interface status, IP connectivity, and complete VPN configuration from ISKAMP settings to Crypto Map parameters. At each stage, Cisco SDM provides status information for each test function performed, so that the user can easily understand and determine the root cause. Finally, Cisco SDM will provide possible reasons of failure and provide Cisco TAC recommended actions to be taken for recovery. As shown in Figure 24-14, Cisco SDM performed several checks to verify the VPN failure, has identified an IKE policy configuration issue, and recommends configuring the relevant IKE proposals on the router.

Figure 24-14. Cisco SDM—Monitor Mode—VPN Troubleshooting


Cisco SDM—Supported Routers and IOS Versions

Cisco SDM is supported on all major Cisco routers. Table 24-7 shows a list of Cisco routers and Cisco IOS Software versions supported by the Cisco SDM application.

Table 24-7. Cisco SDM—Supported Router and IOS Software Revisions
RouterCisco IOS Software Version
Cisco Small Business 101, 106, and 10712.3(8)YG or later
Cisco 831 and 83712.2(13)ZH or later 12.3(2)T or later
Cisco 83612.2(13)ZH or later

12.3(2)XA or later

12.3(4)T or later
Cisco 851, 856, 871, 876, 877, and 87812.3(8)YI or later
Cisco 1701, 1710, 1711, 1712, 1721, 1751, 1751-V, 1760, and 1870V12.2(13)ZH or later

12.3(13)T3 or later

12.3(1)M or later
Cisco 1801, 1802, 1803, 1811, and 181212.3(8)YI or later
Cisco 184112.3(8)T4
Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Multiservice Routers, and Cisco 2691 Multiservice Routers12.2(15)ZJ3 or later

12.2(11)T6 or later

12.3(1)M or later
Cisco 2801, 2811, 2821, and 285112.3(8)T4 or later
Cisco 3620, 3640, 3661, and 366212.2(15)ZJ3 or later

12.211)T6 or later

12.3(1)M or later
Cisco 3725 and 374512.2(15)ZJ3 or later

12.2(11)T6 or later

12.3(1)M or later
Cisco 3825 and 384512.3(11)T or later
Cisco 7204VXR, 7206VXR, and 730112.3(2)T or later

12.3(1)M or later

No support for B, E, or S train releases on Cisco 7000 routers
The information in Table 24-7 is adapted from "Cisco Router and Security Device Manager" at http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_data_sheet0900aecd800fd118.html.

Cisco SDM is available free of charge on all major Cisco router models from Cisco 830 to Cisco 7301.

Cisco SDM ships preinstalled on all new Cisco router 850 Series, 870 Series, 1800 Series, 2800 Series, and the 3800 Series integrated services routers (ISR).


Cisco SDM—System Requirements

As mentioned earlier, Cisco SDM can be launched from any user desktop PC using a supported browser.

Table 24-8 shows the basic list of system requirements for the Cisco SDM application.

Table 24-8. Cisco SDM—System Requirements
FeatureDescription
Router Flash MemoryMinimum of 6 MB of free Flash memory on the router for Cisco SDM files. Minimum of 2 MB of free Flash memory on the router for Cisco SDM Express. Wireless Management file requires additional 1.7 MB. Rest of the SDM files can be installed on PC hard disk.
PC HardwarePentium III or later series processor
PC Operating SystemWindows XP Professional

Windows 2003 Server (Standard Edition)

Windows 2000 Professional

Windows NT 4.0 Workstation (Service Pack 4)

Windows ME

Japanese, Simplified Chinese, French, German, Spanish, and Italian language OS support
Browser SoftwareMicrosoft Internet Explorer 5.5 or later

Netscape Navigator 7.1 and 7.2

Firefox 1.0.5
Java SoftwareJava Virtual Machine (JVM) built-in browsers required Java plug-in (Java Runtime Environment Version 1.4.2_05 or later)
The information in Table 24-8 is taken from "Cisco Router and Security Device Manager" at http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_data_sheet0900aecd800fd118.html. Windows 2000 (Advanced Server) is not supported by Cisco SDM.


For more details to install and configure Cisco SDM, refer to the following Cisco documentations:

http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_installation_guides_list.html

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_list.html

http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_configuration_examples_list.html

http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_technical_reference_list.html

Previous Page Next Page