Cisco® Adaptive Security Device Manager (ASDM) delivers world-class security management and monitoring through an intuitive, easy-to-use Web-based management interface. Bundled with Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX® Security Appliances, Cisco ASDM accelerates security appliance deployment with intelligent wizards, robust administration tools, and versatile monitoring services that complement the advanced integrated security and networking features offered by the market-leading suite of Cisco security appliances. Its secure, Web-based design enables anytime, anywhere access to Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances.
Cisco Adaptive Security Device Manager (ASDM) can be accessed directly with a Web browser from any Java plug-in enabled computer on the network, providing security administrators with rapid, secure access to their Cisco ASA 5500 Series Adaptive Security Appliances or Cisco PIX Security Appliances. It provides a unique option for administrators-a new Microsoft Windows-based launcher application can be downloaded directly from the security appliance to a management computer. This application accelerates the startup of Cisco ASDM, increasing ASDM's efficiency in managing security appliances. By running separate instances of the Cisco ASDM launcher application, administrators can connect to multiple security appliances from the convenience of a single management workstation, simplifying management in small business environments.
Cisco ASDM features a Startup Wizard that helps accelerate the security appliance deployment process. A series of simple step-by-step configuration panels help administrators get their appliances up and running quickly and create a robust configuration that allows traffic to flow securely through their networks. The Startup Wizard provides the ability to configure optional features such as Dynamic Host Control Protocol (DHCP) server settings, Network Address Translation (NAT), administrative access, and Auto Update, a revolutionary secure remote-management capability that helps keep appliance configurations and software images up-to-date.
DASHBOARD SUPPLIES ADMINISTRATORS WITH VITAL REAL-TIME SYSTEM STATUS INFORMATION
Cisco ASDM 5.1 includes a dynamic dashboard that provides a complete system overview and device health statistics (Figure 1). It can automatically detect the Cisco security appliances being configured; for each, it will display the software version, license information, and important statistics. In complex network environments, it presents administrators with real-time status indicators and provides a launching point for analysis tools and advanced monitoring capabilities-including a real-time syslog viewer, with pattern-matching capabilities to filter syslogs based on network addresses, port numbers, host names, and more. This release includes a configuration search engine that helps administrators locate where specific features can be configured, and provides convenient point-and-click access to the search results.
Cisco ASDM Version 5.1 features powerful management services that simplify security policy definition and ongoing policy maintenance by giving security administrators the ability to create reusable network and service object groups and inspection policy maps that can be referenced by multiple security policies. It supports the wide range of access control features offered by both Cisco ASA Software Version 7.1 and Cisco PIX Security Appliance Software Version 7.1, such as user- and group-based access lists, time-based access lists, and inbound/outbound access lists. Cisco ASDM Version 5.1 also supports the new Modular Policy Framework offered in both of these software versions. This rich, highly flexible framework allows administrators to identify a network flow or a traffic class based on different conditions, and then apply a set of customizable inspection services, quality of service (QoS), and connection services to each flow or traffic class. These advanced access control and application inspection capabilities, coupled with easy-to-use ongoing policy management services, help to ensure a robust and dynamic security profile for businesses of all sizes.
Cisco ASDM Version 5.1 integrates an array of robust security services to prevent unauthorized administrative access to a device. It supports a wide range of methods for authenticating administrators, including a local authentication database on a Cisco ASA 5500 Series Adaptive Security Appliance or a Cisco PIX Security Appliance, or via a RADIUS/TACACS server. All communications between Cisco ASDM (running on an administrator's computer) and the security appliance are encrypted using Secure Sockets Layer (SSL) with either 56-bit Data Encryption Standard (DES) or the more secure 168-bit Triple DES (3DES) algorithm. Cisco ASDM Version 5.1 supports up to 16 levels of customizable administrative access that grant administrators and operations personnel the appropriate level of permissions for every Cisco security appliance they manage (for example, monitoring-only, read-only access to the configuration).
RICH VPN MANAGEMENT EXTENDS SECURE CONNECTIVITY TO BUSINESS PARTNERS AND REMOTE SITES
Cisco ASDM Version 5.1 features comprehensive VPN configuration capabilities, including an intelligent VPN wizard for simplified provisioning, which allows businesses to establish Internet Key Exchange (IKE) and IP Security (IPsec) policies for site-to-site VPN deployments. Cisco ASDM also delivers full-featured management for Cisco Easy VPN remote-access VPN concentrator services, supporting features ranging from VPN client security posture enforcement, automatic software updating, VPN clustering, and more.
On the Cisco ASA 5500 Series, Cisco ASDM integrates rich Cisco SSL VPN management features (Figure 2) to allow administrators to quickly provision and enable remote-access connectivity from any Internet-enabled Web browser and its native SSL encryption.
Figure 2. SSL VPN Configuration
A core component of Cisco SSL VPN is the Cisco Secure Desktop, delivered as part of Cisco ASA 5500 Series Software Version 7.1. The Cisco Secure Desktop seeks to minimize data such as cookies, browser history, temporary files, and downloaded content from being left behind after an SSL VPN session terminates. Protection is increased against data theft and client system malware by encrypting data and files associated with or downloaded during the SSL VPN session. Cisco ASDM enables rapid deployment and control of Cisco Secure Desktop functions through a dedicated Cisco Secure Desktop Manager (Figure 3). Cisco ASDM also delivers advanced VPN monitoring capabilities, providing administrators with numerous statistics and graphs showing metrics such as session uptimes, data transferred per session, and more.
Cisco Adaptive Security Appliance Software Version 7.1 and Cisco PIX Security Appliance Software Version 7.1 include more than 30 dedicated inspection engines for a range of modern applications driven by protocols such as HTTP (Figure 4), FTP, GPRS Tunneling Protocol (GTP), Sun Remote Procedure Call (SunRPC), H.323, and Session Initiation Protocol (SIP). Cisco ASDM Version 5.1 point-and-click capabilities, which have been conditioned by intelligent application defaults, enable the quick creation of security profiles that protect mission-critical applications and resources from misuse and tunneling attacks. Cisco ASDM Version 5.1 enforces flow-based control in defining inspection services and gives administrators enterprise-class tools to exercise microscopic control over applications.
INTELLIGENT USER INTERFACE SIMPLIFIES INTEGRATION INTO COMPLEX NETWORK ENVIRONMENTS
Cisco ASDM Version 5.1 provides easy and convenient access to managing the rich network integration features found in Cisco ASA 5500 Series and Cisco PIX security appliances. Virtualization allows the creation of multiple security contexts (virtual firewalls) within a single security appliance, with each context having its own set of security policies, logical interfaces, and administrative domain. Cisco ASDM uses an intelligent virtualization management system to provide unrestricted access for central system administrators who desire complete visibility into all virtual firewalls and features on the system (Figure 5). Individual context users get the same look and feel of Cisco ASDM, as well as the same rich management and monitoring capabilities. However, configuration and feature access are restricted only to the assigned context, and as specified by the central system administrators. Individual context users can build upon the administrator-created security policies to create a customized configuration for their virtual firewalls using Cisco ASDM.
Figure 5. System Administrator View of Security Contexts
Cisco ASDM Version 5.1 gives administrators complete control over multicast routing protocols such as Protocol Independent Multicast (PIM), Open Shortest Path First (OSPF) dynamic routing, IEEE 802.1q-based VLAN interfaces, and QoS mechanisms. For novice users, it combines intelligent defaults and detailed online help to simplify configuration of these networking services. Advanced users can take full advantage of the depth of feature support to integrate Cisco security appliances into complex routing and switching environments.
ADAPTABLE SECURITY MANAGEMENT INTERFACE ENHANCES THE UNIFIED THREAT MANAGEMENT EXPERIENCE
Cisco ASDM Version 5.1 delivers a single solution for all the configuration, management, and monitoring needs of Cisco ASA 5500 Series and Cisco PIX security appliances. It provides a business-class solution to manage the truly adaptive security services provided by the Cisco ASA 5500 Series.
Managing Inline Intrusion Prevention Services and Network-Based Worm Mitigation
Cisco ASDM Version 5.1 enables businesses to increase the levels of security in their network environments, while lowering operational costs by streamlining the management of the wide range of anti-X defenses available through the Cisco Advanced Inspection and Protection Security Services Module (AIP SSM). These services provide protection from intrusions, network attacks, denial of service (DoS) attacks, and malware, including worms and adware. Cisco ASDM allows administrators to rapidly configure these services, including unique Cisco accurate prevention technologies such as Traffic Risk Rating and the Meta Event Generator (Figure 6). Cisco ASDM provides businesses with greater confidence in protecting their networks from a wide range of threats, without the risk of dropping legitimate network traffic.
The Cisco ASA 5500 Series Content Security and Control Security Services Module (CSC SSM) delivers high-performance anti-X services on a single services card. The Cisco CSC SSM incorporates security technology from Trend Micro's industry-leading and award-winning InterScan suite of secure content management products. The Cisco CSC SSM delivers comprehensive protection and control for the Internet gateway, including antivirus, antispam, and antiphishing, as well as URL blocking and filtering services. In conjunction with the CSC SSM, Cisco ASDM Version 5.1 delivers an industry-first solution that blends the simplicity of Trend Micro's HTML-based configuration panels with the ingenuity of Cisco ASDM (Figure 8). This helps ensure consistent policy enforcement, and simplifies the complete provisioning, configuration, and monitoring processes for these rich unified threat management functions.
Figure 7. Cisco CSC SSM SMTP Incoming Mail Scanning Configuration
Cisco ASDM Version 5.1 provides a complementary monitoring solution with a new CSC SSM homepage and new monitoring panels. Once a CSC SSM is installed, the main ASDM homepage is automatically updated to display a new CSC SSM panel (Figure 8), which provides a historic view into threats, e-mail viruses, live events, vital module statistics such as last installed software/signature updates, system resources, and more.
Figure 8. Cisco CSC SSM Homepage
Within the monitoring section of Cisco ASDM Version 5.1, a rich set of analysis tools provide detailed visibility into threats, software updates, resource graphs, and more. The Live Security Event Monitor (Figure 9) is a new troubleshooting and monitoring tool that provides real-time updates regarding scanned or blocked e-mail messages, identified viruses/worms, and detected attacks. It gives administrators the option to filter messages using regular-expression string matching, so specific attack types and messages can be focused on and analyzed in detail.
Figure 9. Cisco CSC SSM Monitoring Panel and Live Security Event Monitor
ENHANCED MONITORING AND REPORTING TOOLS ENABLE VALUABLE BUSINESS-CRITICAL ANALYSIS
Syslog to Access Rule Correlation
Cisco ASDM Version 5.1 introduces a new Syslog to Access Rule Correlation tool that greatly enhances day-to-day security management and troubleshooting activities. With this dynamic tool, security administrators can quickly resolve common configuration issues, along with most user and network connectivity problems. Users can select a syslog message within the Real-Time Syslog Viewer panel, and by simply clicking the Create button at the top of the panel (Figure 10), can invoke the access-control options for that specific syslog. Intelligent defaults help ensure that the configuration process is simple, which helps improve operational efficiency and response times for business-critical functions. The Syslog to Access Rule Correlation tool also offers an intuitive view into syslog messages invoked by user-configured access rules. Administrators can closely observe enterprise traffic patterns and monitor resource access behavior. Figure 10 indicates the Syslog to Access Rule Correlation capability where a user has selected a syslog message, and has clicked on the Create button to define policies for that flow.
Figure 10. Syslog to Access Rule Correlation Tool
Cisco ASDM Version 5.1 offers in-depth monitoring and reporting services in addition to the at-a-glance monitoring capabilities on the new homepage (Figure 11). Versatile analysis tools create graphical summary reports showing real-time usage, security events, and network activity. Data from each graphical report can be displayed in customizable increments-for example, a user can choose either a 10-second snapshot or analysis over an extended timeline. The ability to view multiple graphs simultaneously allows users to perform detailed evaluations in parallel. Graphs can be conveniently bookmarked, and data can be exported for future access.
Figure 11. Monitoring on the Cisco ASDM Homepage
• System graphs-Provide detailed status information on Cisco ASA 5500 Series and Cisco PIX security appliances, including blocks used and free, current memory utilization, and CPU utilization.
• Connection graphs-Track real-time session and performance monitoring data for connections; address translations; authentication, authorization, and accounting (AAA) transactions; URL filtering requests; and more, on a per-second basis. Connection graphs enable administrators to stay fully informed of their network connections and activities, without being overwhelmed.
• Attack protection system graphs-Provide 16 different graphs to display potentially malicious activity. Attack signature information displays activity such as IP, Internet Control Message Protocol (ICMP), User Datagram Protocol (UDP), TCP attacks, and Portmap requests. These graphs also provide a detailed look into the list of attackers, list of events, system statistics, and diagnostics for the Cisco AIP SSM.
• Interface graphs-Provide real-time monitoring of bandwidth usage for each interface on the security appliance. Bandwidth usage is displayed for incoming and outgoing communications. Users can view packet rates, counts, and errors, as well as bit, byte, and collision counts, and more.
• VPN statistics and connection graphs-Provide complete visibility into VPN connections with detailed per-tunnel statistics, including tunnel uptime and bytes/packets transferred, through support for the Cisco IPsec Flow Monitoring MIB.
Table 1 lists features and benefits of Cisco ASDM Version 5.1.
Table 1. Table 1. Cisco ASDM Version 5.1 Features and Benefits Summary
Complete Cisco ASA Software Version 7.1 and Cisco PIX Security Appliance Software Version 7.1 Feature Support
• Provides rich configuration and monitoring support for the new features introduced in Cisco ASA Software Version 7.1 and Cisco PIX Security Appliance Software Version 7.1.
New SSL VPN Features with Cisco Secure Desktop Support
• Makes it easier for users to quickly provision SSL VPN services to enable remote-access connectivity from any Internet-enabled Web browser and its native SSL encryption. It also supports the rapid configuration and monitoring of VPN load-sharing clusters.
• Enables intuitive management support for all Cisco SSL VPN enhancements delivered by Cisco ASA Software Version 7.1 (complete SSL VPN feature parity with Cisco VPN 3000 Software Version 4.7).
• Accelerates the configuration and monitoring of Cisco Secure Desktop parameters, including software updates.
Comprehensive Management and Monitoring Capabilities for the CSC SSM
• Introduces a new CSC SSM homepage to provide at-a-glance information on system licensing, anti X parameters, and system health information.
• Blends the Trend Micro and Cisco management interfaces to facilitate easy configuration and monitoring.
• Provides a Live Security Event Monitor to provide real-time statistics on the latest viruses, worms, and attacks through the network.
Syslog to Access Rule Correlation, and Customizable Syslog Coloring
• Enables rapid troubleshooting by allowing users to create and modify access rules in real time, by simply clicking on syslog messages in the syslog viewer.
• Allows for rapid critical system message identification and convenient syslog monitoring by allowing the colored grouping of syslog messages according to syslog level. Users can select the default coloring options, or create their own unique colored syslog profiles for ease of identification.
Cisco ASDM Version 5.1 is included with Cisco ASA Software Version 7.1 (1) or Cisco PIX Security Appliance Software Version 7.1 and higher. Cisco ASDM Version 5.0 is included with Cisco ASA Software Version 7.0 or Cisco PIX Security Appliance Software Version 7.0 and higher.
Cisco PIX Device Manager Version 3.x is included with Cisco PIX Security Appliance Software Version 6.3. Cisco PIX Device Manager Version 2.x is included with Cisco PIX Security Appliance Software Version 6.2.
A separate license for Cisco ASDM is not required, but a DES or 3DES license is required on the host Cisco ASA 5500 Series or Cisco PIX security appliance. Users who currently do not have encryption enabled on their base Cisco ASA 5500 Series or Cisco PIX security appliances can request free DES/3DES activation keys; alternately, users can upgrade from their current DES licenses to 3DES licenses free of cost, by completing the online forms at: http://www.cisco.com/go/license.