Deployment Planning Guide for Cisco Security Manager 4.0

Table Of Contents

Deployment Planning Guide for Cisco Security Manager 4.0

Introduction

Cisco Security Manager 4.0 Applications

Related Applications

Minimum Hardware and Software Requirements

Virtual Machine Hardware and Software Requirements

Recommended Hardware and Software Specifications

Small Deployment with VMWare Virtual Machine

Small Enterprise Deployment

Medium Enterprise Deployment

Large Enterprise Deployment

Deployment Scenarios

Factors That Affect Application Performance

Single Server Installation

Multiple Servers Installation

Installation in VMware's Virtual Machine Environment

High-Availability/Disaster Recovery

Installation Guidelines

Installable Modules

IP address, Hostname and DNS name

Client Deployment

Security Manager Server Tuning

Windows Operating System's Swap File Size

Sybase Database Registry Parameters

Sybase Temporary File Location

Understanding Security Manager Licensing

Licensing Overview

Unmanaged Devices

Active and Standby Servers

Licensing for RME and Performance Monitor

Licensing Examples


Deployment Planning Guide for Cisco Security Manager 4.0


Published: August 19, 2010
Last Updated: November 29, 2010

Introduction

This document provides guidance on planning a deployment of the Cisco Security Manager 4.0 server. It covers these topics: the included applications; recommended server hardware, client hardware, sizing and software based on reference networks; deployment options for the set of applications included with Security Manager; advanced Security Manager server tuning options; and licensing. For more information about Security Manager software features, refer to the product documentation located at http://www.cisco.com/go/csmanager.

This document complements other Security Manager user documentation such as the User Guide for Cisco Security Manager 4.0 and the Installation Guide for Cisco Security Manager 4.0.

Cisco Security Manager 4.0 Applications

Cisco Security Manager 4.0 includes the following applications:

Security Manager 4.0 Policy Configuration

Cisco Security Manager enables you to centrally manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, IPS, and VPN (site-to-site, remote access, and SSL) services across:

Cisco IOS routers, including Integrated Services Routers (ISR) and Aggregation Services Routers (ASR)

Catalyst switches

ASA and PIX security appliances

Catalyst Service Modules related to firewall, VPN, and IPS

IPS appliances and various service modules for routers and ASA devices

For a complete list of devices and OS versions supported by Security Manager, please refer to Supported Devices and Software Versions for Cisco Security Manager on Cisco.com.

Security Manager 4.0 Event Viewer

Event Viewer is a new integrated tool that allows you to centrally monitor events from IPS and ASA devices and correlate them with the related configuration policies. This helps you identify problems, troubleshoot configurations, and then adjust the configurations and deploy them. For supported platforms and more information, refer to the Viewing Events section of the User Guide for Cisco Security Manager on Cisco.com.

Common Services 3.3

Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to applications, including:

SSL libraries

An embedded SQL database (Sybase 10.0.1.3830)

The Apache web server

The Tomcat servlet engine

The CiscoWorks home page

Backup and restore functions

Common Services is required for all the applications included with Security Manager. For more information about Common Services, refer to the documentation located at:

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/tsd_products_support_eol_series_home.html

Auto Update Server 4.0

AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition, supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.

In this method, Security Manager deploys configuration updates to the AUS server, and the managed device contacts the AUS server to download new configuration updates at a periodic time interval, at a specific date and time, or on demand.

AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls.

AUS uses a browser-based, graphical user interface and requires Common Services 3.3. For more information about AUS, refer to the documentation located at http://www.cisco.com/go/csmanager.

Resource Manager Essentials 4.3

To support life cycle management, RME provides the ability to manage device inventory, audit changes, and manage configuration files and software images, and it offers basic syslog analysis (for configuration archival and tracking purposes). RME uses a browser-based graphical user interface. RME is also included with the CiscoWorks LAN Management Solution (LMS). The CiscoWorks LAN Management Solution Deployment Guide contains useful deployment information about RME, although be aware that some of that information does not apply to RME bundled with Security Manager.

For more information about RME, refer to the documentation located at:

http://www.cisco.com/en/US/products/sw/cscowork/ps2073/tsd_products_support_eol_series_home.html

Performance Monitor 4.0

Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor supports the ability to proactively detect network performance issues before they become critical; helps identify portions of the network which are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPN, site-to-site VPN, firewall, web server load-balancing and SSL termination. Performance Monitor uses a browser-based, graphical user interface and requires Common Services 3.3. For more information about Performance Monitor, refer to the documentation located at http://www.cisco.com/go/csmanager.

Cisco CSA 5.2.0.282

This is stand-alone host security agent software that is installed on the Security Manager server. This component can be installed only in a Windows 2003 32-bit environment. The Security Manager installer automatically detects the OS and installs this software if it is supported.

Related Applications

Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:

Cisco Security Monitoring Analysis and Response System (MARS)

Security Manager supports policy-to-event cross-linkages with MARS for firewall and IPS. Using the Security Manager client, you highlight specific firewall rules or IPS signatures and request to see the events related to those rules or signatures, respectively. Using the MARS interface, you can select firewall or IPS events and request to see the matching rule or signature in Security Manager. These policy-to-event cross-linkages are especially useful for network connectivity and firewall rule troubleshooting, identifying unused rules, and signature tuning activities. The policy-to-event cross-linkage feature is explained in detail in the User Guide for Cisco Security Manager 4.0. For more information about MARS, visit http://www.cisco.com/go/mars.

Cisco Secure Access Control Server (ACS)

You can optionally configure Security Manager to use ACS for authentication and authorization of Security Manager users. ACS supports defining custom user profiles for fine-grained role-based authorization control (RBAC) and the ability to restrict users to specific sets of devices. For details on configuring Security Manager and ACS integration, refer to the Installation Guide for Cisco Security Manager 4.0. For more information about ACS, visit http://www.cisco.com/go/acs.

Cisco CNS Configuration Engine

Security Manager supports the use of Cisco Configuration Engine 3.0 as a mechanism for deploying device configurations. Security Manager deploys the delta configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices such as Cisco IOS routers, PIX and ASA firewalls that obtain their address from a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. Security Manager also supports management of devices that have a static IP address via the CNS Configuration Engine; in that case, discovery is done live and deployments to the device happen via the CNS Configuration Engine. For more information about the Configuration Engine, visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html.

Minimum Hardware and Software Requirements

Each Cisco Security Manager server installation requires a single physical server for both policy and event management. Optional components such as Auto Update Server, Performance Monitor, or Resource Manager Essentials can be installed on the same or separate systems.

The following table lists the minimum hardware and software specifications for installing the Cisco Security Manager server software and the other optional modules. While the Security Manager software can be installed on a system with the minimum specifications, its performance and capacity are then limited to smaller deployments (managing up to 5 devices). For larger deployments, you should use the recommended specifications in Recommended Hardware and Software Specifications.

Table 1 Minimum Security Manager Server Hardware and Software

Component            Requirement
Recommended Server   Cisco UCS C200 M1 or equivalent.
CPU                  1 x Intel Xeon Four-core 5500 Series.
Memory               4GB (policy management only), 8GB (policy and event management).
HDD                  100GB (application), 1TB (events storage).
Supported Devices    Up to 10.
Network adapter      1Gbps.
Operating System     Microsoft Windows 2003 Enterprise Server R2 or Windows 2008 Enterprise 32-bit.


The following table lists the minimum hardware and software specifications for installing the Cisco Security Manager 4.0 client software. It is recommended to install the Security Manager client software on a separate machine:

Table 2 Minimum Security Manager Client Hardware and Software

Component          Requirement
CPU                Dual-Core 2.0 GHz or better.
Memory             2GB or more recommended.
HDD                10GB free space.
Display            1280 x 1024.
Network adapter    1Gbps.
Operating System   Windows XP SP3, Windows Vista SP2, Windows 2003/2008 Enterprise Server SP2.
Browser            Microsoft Internet Explorer 6, 7, or 8, or Firefox 2.x, 3.x.


Virtual Machine Hardware and Software Requirements

For installation of Cisco Security Manager on a VMWare ESX virtual machine, the software requirements are the same as described in Minimum Hardware and Software Requirements. However, it is recommended to turn off the Event Management feature in a VMware environment because virtualized CPU and memory performance are limited. The Event Management feature requires a physical server with the described minimum specifications. Cisco Security Manager installation is supported on VMware ESX 3.5 with Update 4.

Recommended Hardware and Software Specifications

Performance improvements with Security Manager have been observed when going from a single-processor (or single-core) server to a multiple-processor (or multi-core) server. With the new Event Management feature and other new features in this release, it is recommended to use the proper hardware and software specifications to obtain optimal performance.

For best performance, a Security Manager server with a 2.66Mhz Intel Xeon quad-core processor (with Hyper-Threading) or faster is recommended at the minimum. If Event Management is used, it is highly recommended to have a dedicated hard disk or storage volume for the Security Manager applications and a separate dedicated disk or volume for events storage. For the Security Manager client system, you can use the minimum hardware specifications given in Minimum Hardware and Software Requirements.

The following tables list the recommended specifications for the Security Manager server for different deployment sizes. These specifications are general guidelines for the hardware and software needed to support such deployments based on the number of devices; performance results might vary depending on the other factors discussed in Deployment Scenarios. These hardware and software requirements for Security Manager are the same for new installations and for upgrades to version 4.0 from older versions of Security Manager.

Small Deployment with VMWare Virtual Machine

Small Enterprise Deployment

Medium Enterprise Deployment

Large Enterprise Deployment

Small Deployment with VMWare Virtual Machine

The following table lists the recommended configuration for small deployments that use VMWare virtual machines:

Table 3 Small Deployment with VMWare Virtual Machine

Component                            Requirement
Recommended Server                   Cisco UCS C210 M2 or equivalent.
UCS Part Number                      R210-2121605W.
CPU                                  2 x Intel Xeon Quad-Core E5600 Series.
Memory                               8GB minimum.
HDD                                  100GB minimum.
HDD RAID                             Hardware RAID 0 or 10.
Events per second                    NOT recommended. Perform policy configuration only.
Supported Devices                    Up to 10.
Maximum number of concurrent users   1-2.
Network adapter                      1Gbps.
Operating System                     Microsoft Windows 2008 Enterprise Server 64-bit.


Small Enterprise Deployment

The following table lists the recommended configuration for small enterprise deployments:

Table 4 Small Enterprise Deployment

Component                            Requirement
Recommended Server                   Cisco UCS C210 M2 or equivalent.
UCS Part Number                      R210-2121605W.
CPU                                  2 x Intel Xeon Quad-Core E5600 Series.
Memory                               8GB minimum, 16GB recommended.
HDD                                  100GB for application, 1TB for events storage.
HDD RAID                             Hardware RAID 0 or 10.
Supported Devices                    Up to 25.
Maximum number of concurrent users   1-5.
Network adapter                      1Gbps.
Operating System                     Microsoft Windows 2008 Enterprise Server 64-bit.

Tip: A 1TB disk can store less than eight weeks of events at a rate of 2,500 events/sec with an average compressed size of 250 bytes per event.


Medium Enterprise Deployment

The following table lists the recommended configuration for medium enterprise deployments:

Table 5 Medium Enterprise Deployment

Component                            Requirement
Recommended Server                   Cisco UCS C250 M2 or equivalent.
UCS Part Number                      R250-2480805W.
CPU                                  2 x Intel Xeon Six-Core X5600 Series.
Memory                               16GB minimum.
HDD                                  100GB for application, 2TB for events storage.
HDD RAID                             Hardware RAID 0 or 10.
Supported Devices                    Up to 100.
Maximum number of concurrent users   5-10.
Network adapter                      1Gbps.
Operating System                     Microsoft Windows 2008 Enterprise Server 64-bit.

Tip: A 2TB disk can store less than eight weeks of events at a rate of 5,000 events/sec with an average compressed size of 250 bytes per event.


Large Enterprise Deployment

The following table lists the recommended configuration for large enterprise deployments:

Table 6 Large Enterprise Deployment

Component                            Requirement
Recommended Server                   Cisco UCS C460 M1 or equivalent.
UCS Part Number                      R460-4640810.
CPU                                  4 x Intel Xeon Six-Core X7500 Series.
Memory                               32GB minimum.
HDD                                  100GB for application, 4TB for events storage.
HDD RAID                             Hardware RAID 0 or 10.
Supported Devices                    Up to 500.
Maximum number of concurrent users   10-15.
Network adapter                      1Gbps.
Operating System                     Microsoft Windows 2008 Enterprise Server 64-bit.

Tip: A 4TB disk can store less than eight weeks of events at a rate of 10,000 events/sec with an average compressed size of 250 bytes per event.
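The Tips for the three enterprise tiers quote an event rate and a volume size but leave the resulting retention as "less than eight weeks". The calculator below, added here and not part of the Cisco guide, works that arithmetic through for the figures in Tables 4 to 6, answers the inverse question (how much events storage a given rate and retention need) and picks the tier whose device and event ceilings cover a planned load. It assumes 1 TB = 10^12 bytes, a constant 250-byte compressed event, and that RAID 10 leaves half of the raw disk usable while RAID 0 leaves all of it.

```python
"""Event-storage sizing worked from the Tips in Tables 4 to 6.

Added example, not a Cisco tool. Assumptions: 1 TB = 10**12 bytes (as disk
vendors quote capacity), a constant average of 250 bytes compressed per
event (the guide's figure), and that RAID 10 leaves half of the raw disk
usable while RAID 0 leaves all of it.
"""
from dataclasses import dataclass
from typing import Optional

SECONDS_PER_DAY = 86_400
TB = 10**12
BYTES_PER_EVENT = 250            # average compressed size quoted in the Tips
RAID_USABLE = {0: 1.0, 10: 0.5}  # assumption: usable fraction of raw disk per RAID level


@dataclass(frozen=True)
class Tier:
    """One deployment tier from Tables 3 to 6: device ceiling, the events/sec
    its Tip is quoted at (0 where Event Management is not recommended) and
    the recommended events volume in bytes."""
    name: str
    max_devices: int
    max_eps: int
    events_storage: int


TIERS = (
    Tier("Small Deployment with VMWare Virtual Machine", 10, 0, 0),
    Tier("Small Enterprise Deployment", 25, 2_500, 1 * TB),
    Tier("Medium Enterprise Deployment", 100, 5_000, 2 * TB),
    Tier("Large Enterprise Deployment", 500, 10_000, 4 * TB),
)


def bytes_per_day(events_per_sec: float, bytes_per_event: float = BYTES_PER_EVENT) -> float:
    """Daily event volume at a steady event rate."""
    return events_per_sec * bytes_per_event * SECONDS_PER_DAY


def retention_days(raw_storage: float, events_per_sec: float,
                   raid_level: int = 0, bytes_per_event: float = BYTES_PER_EVENT) -> float:
    """Days of events a raw volume holds before the oldest must be purged."""
    if events_per_sec <= 0:
        return float("inf")
    usable = raw_storage * RAID_USABLE[raid_level]
    return usable / bytes_per_day(events_per_sec, bytes_per_event)


def required_storage(events_per_sec: float, days: float,
                     raid_level: int = 0, bytes_per_event: float = BYTES_PER_EVENT) -> float:
    """Raw volume size in bytes needed to keep `days` of events at the given rate."""
    return bytes_per_day(events_per_sec, bytes_per_event) * days / RAID_USABLE[raid_level]


def recommend_tier(devices: int, events_per_sec: float) -> Optional[Tier]:
    """Smallest recommended tier whose device and event ceilings both cover the load.

    None means the load exceeds one server; the guide then calls for multiple servers."""
    for tier in TIERS:
        if devices <= tier.max_devices and events_per_sec <= tier.max_eps:
            return tier
    return None


if __name__ == "__main__":
    for tier in TIERS[1:]:
        days = retention_days(tier.events_storage, tier.max_eps)
        need_8w = required_storage(tier.max_eps, 56, raid_level=10)
        print(f"{tier.name}: {tier.events_storage / TB:.0f} TB at {tier.max_eps} ev/s "
              f"holds {days:.1f} days on RAID 0; eight weeks on RAID 10 needs "
              f"{need_8w / TB:.1f} TB raw")
```

At the quoted rates each tier's volume holds roughly 18.5 days, so the Tips' "less than eight weeks" is a loose upper bound; size from the rate you actually expect.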


Deployment Scenarios

There are various deployment scenarios possible for Security Manager applications. When deciding on a deployment scenario, you should consider the following important factors, which can affect system performance:

How many devices will Security Manager manage?

While Security Manager does not have a hard limit on the number of managed devices, it is recommended to have fewer than 500 devices per Security Manager server with the recommended hardware and software. You should use the recommended specifications listed in Recommended Hardware and Software Specifications to manage the proper number of devices per server. The number of devices could be smaller if the managed devices have very large configurations. For example, a large number of firewall devices with 20,000 - 50,000 access rules, large IPS signature sets, or very large and complex VPN policies with thousands of branches can cause Security Manager to run below optimal performance. The number of managed devices also depends on the hardware and operating system that Security Manager runs on. If needed, deploy multiple Security Manager servers to manage a larger number of devices and a larger network.

What types of devices will be managed with Security Manager? Will performance be varied for different types of devices?

Some types of devices require more frequent changes than others. Devices such as firewalls and IPS sensors require more frequent policy changes and therefore require many more resources than VPN devices. In general, Security Manager can manage more devices in a VPN environment than firewalls or IPS sensors.

What is the common size of configurations?

For small environments, configurations can vary from hundreds to thousands of lines. For medium environments, this can vary from 1,000 to 5,000 ACLs, while in some large environments the number can be from 5,000 ACLs to 50,000 ACLs or more. In larger environments, you should consider reducing the number of devices per Security Manager server to leave enough headroom for future growth.

How many events can Security Manager manage? What are the right settings for firewall and IPS logging?

Event Management can consume a lot of system resources, especially in a large environment with many users and devices. While a single Security Manager server can manage up to 10,000 events per second with the right hardware and software specifications, it is recommended that you configure the devices to send only the logs that your operation requires. Recommended logging levels for firewall devices are from 0 (Emergencies) to 5 (Notifications), where 0 produces the least amount of logs sent to Security Manager. You can always turn on additional logging per device when necessary for troubleshooting and debugging. Be cautious when using the 7 (Debugging) or 6 (Informational) level: these should be turned on only at the device's console or Device Manager when needed, and turned off when done. For IPS devices, signature settings can be tuned to Low, Medium, High or Informational. These settings vary between environments and can affect system performance. Refer to the IPS configuration guide for more information.

How many users will use these applications?

Active user sessions also place a load on the server and should be factored in when deciding on the deployment size. For example, an application may not have reached its limit due to the number of devices, but could be nearing the maximum load due to simultaneous user sessions, which may warrant dedicating a server to the application.

Which specific applications included with Security Manager do you need to deploy?

Do you require the applications (such as Auto Update Server or RME) to be highly available or survivable in the event of a site disaster or outage? If you reach the scale limits of a specific application installed on a dedicated server, consider deploying multiple instances of the application on different servers.

Factors That Affect Application Performance

There are many factors that affect application performance. These include, but are not limited to the following:

Server and client hardware (for example, processor, memory, and storage technology).

The number of managed devices, including the device types, the complexity of the devices, and the size of their configurations (such as a large number of ACLs).

The event management engine and the event volume reported by managed devices at their configured logging level.

The number and complexity of policy objects.

The number of simultaneous users and the specific activities the users are performing.

The frequency of configuration deployment or IPS signature updates for large numbers of devices.

The network bandwidth and latency, such as between Security Manager clients and the server and between the server and the managed devices.

The use of virtualization technology such as VMware.

The use of ACS server for AAA services.

The number of devices present in a deployment job.

Large geographic distances between a Security Manager client and server result in poor client responsiveness because of the latency introduced. For example, it is not recommended to use a client in India with a server located in California because of the large latency involved. In such cases, we recommend that you employ a remote desktop or terminal server arrangement, where the running clients are co-located in the same datacenter as the server, or at least nearby.

Single Server Installation

A single server is the simplest deployment scenario, where you install all Security Manager applications of interest on the same server. For small-scale security environments with one or two network security administrators, a single-server deployment is usually adequate.

Multiple Servers Installation

In some large environments with hundreds or thousands of devices, a single server cannot manage all devices efficiently. For performance reasons you may choose to deploy the Security Manager applications of interest across multiple servers. One possible distribution of the applications is as follows:

Server A: Firewall Policy and Device Management

Common Services

Security Manager

Event/Log Monitoring

Auto Update Server (optional)

Server B: IPS Policy and Device Management

Common Services

Security Manager

Event/Log Monitoring

Server C: VPN Policy and Device Management

Common Services

Security Manager

Event/Log Monitoring

Server A is dedicated to configuration and event management for all ASA/PIX/FWSM firewall devices. Server B is dedicated to configuration and event management for all IPS devices, while Server C is dedicated to VPN policy management for ASA/IOS/ISR VPN devices. When deploying multiple servers, note that policy data cannot be shared between Security Manager servers. For example, firewall policy and policy objects on Server A cannot be shared with other servers. With this deployment method, the need to share policy data between servers is minimized because each server mostly uses the same policy data within itself. However, this deployment is not suitable for networks where Security Manager servers would be deployed at a great distance from the managed devices, which can affect monitoring, configuration discovery and deployment.

Another method is to divide the devices by region so that each Security Manager server manages only a smaller number of devices for its region (US-West, US-Central, US-East, Europe or Asia, for example). This provides optimal performance for the management console, event monitoring and configuration deployment of managed devices from their local Security Manager server. However, policy data cannot be shared between servers. Each server manages its own set of global policies and policy objects for its group of devices, which might require manual replication of policy data between servers.

In some environments where Event Management in Security Manager is not required (using CS-MARS or third-party logs management), the Event Management engine can be turned off to provide better performance for policy management. For Security Manager running on a VMWare virtual machine, it is recommended to have Event Management turned off.

Installation in VMware's Virtual Machine Environment

Security Manager supports running in VMware ESX Server 3.5 Update 4. Other VMware environments such as VMware Server and VMware Workstation are not supported. It is recommended that the Event Management feature is turned off for Security Manager deployed in VMWare environments. If you need to use Event Management features, consider using a recommended physical server with the proper hardware and software specifications.

You can use any server operating system supported by Security Manager as a guest operating system for VMware. The VMware qualification effort involved running the same set of performance and durability tests that are performed on Security Manager running on a regular non-virtualized server. Test results have shown that running Security Manager in VMware ESX Server 3.5 introduces a modest amount of application performance degradation without the Event Management feature turned on, which varies based on the size of the reference network involved and the specific test case. Deployment of Security Manager in a VMware environment is only suitable for a smaller sized network.

One area where the performance degradation was usually large was performing a deployment to a large number of PIX or ASA devices, or to a device with a large number of rules (on the order of 5 to 50 thousand rules). In this case the deployment took much longer than is acceptable. You should allocate at least 8 GB of physical memory to the virtual machine you use with Security Manager for all reference network sizes. In general you should follow the best practices documented in the VMware document Performance Tuning Best Practices for ESX Server 3. However, you should avoid tuning any of the advanced VMware parameters, as the default values or settings are generally optimal.

It is also recommended to use one of the later generation servers with a processor that includes technology specifically designed to improve the efficiency of virtualization. For example, good results were obtained when testing Security Manager running in VMware ESX Server 3.5 on an Intel® Xeon® X5500 series Quad-core processor, which includes Intel® Virtualization Technology (IVT). AMD offers 64-bit x86 architecture processors with virtualization extensions, which they refer to as AMD Virtualization (AMD-V).

High-Availability/Disaster Recovery

You can deploy Security Manager in a high-availability or disaster recovery configuration to significantly improve application availability and survivability in the event of a server, storage, network, or site failure. These deployment options are covered in detail in the High Availability Installation Guide for Cisco Security Manager 4.0.

Installation Guidelines

For detailed instructions on Security Manager installation, refer to the Installation Guide for Cisco Security Manager 4.0.

Installable Modules

Security Manager server installation includes different components and some of them are optional. The Security Manager installer is responsible for installing the following components:

Common Services 3.3 (required)

Security Manager 4.0 Server (required)

AUS 4.0 (optional)

Security Manager 4.0 Client (optional if the client will be installed on a dedicated client machine)

Cisco Security Agent 5.2.0.282 (installable only on Windows 2003 32 bit Operating System)

Separate components can be installed using separate installers. The standalone installers are:

The Security Manager client installer, a standalone installer for the client. The most common way to access this installer is to log in to the server using a web browser (https://server_hostname_or_ip) and click the client installer link.

The RME installer, which is responsible for installing RME. This installer requires that you have already installed Common Services 3.3 using the Security Manager installer.

The Performance Monitor installer is a separate installation module, which is responsible for installing Performance Monitor on Common Services. This installer requires that you have already installed Common Services 3.3 using the Security Manager installer.

Detailed use of the Security Manager installer and the RME and Performance Monitor installers is included in the Installation Guide for Cisco Security Manager 4.0.

IP address, Hostname and DNS name

Cisco Security Manager requires a static IP address rather than a DHCP-assigned address. The IP address of the Security Manager server can be changed, but doing so requires a system reboot. If a DNS server is configured in the Security Manager server's TCP/IP settings, make sure that the hostname and DNS name of the Security Manager server are identical and resolvable by the configured DNS servers. Before installing Security Manager, choose a permanent DNS name and computer hostname for the server, because the hostname and DNS name should not be modified after the installation. Changing the hostname of the Security Manager server after the installation might require re-installing the product.

Client Deployment

The normal and recommended practice is to install and run the Security Manager client on a separate client machine. Security Manager only supports installing a single version of the client on a given machine, so you cannot, for example, have the client for both Security Manager 3.3 and 4.0 on the same machine. You can install and use the client on the server; however, this practice is suitable only for a small sized network and is not recommended for the larger enterprise networks.

As mentioned in Factors That Affect Application Performance, it may be necessary to deploy the client on a terminal server located near to the server to maintain acceptable performance in the event that end users are located a large distance from the server, which introduces significant latency (for example, intercontinental distances).

Security Manager Server Tuning

Security Manager includes several advanced parameters that you can modify to tune application performance. For large deployments with 50 devices or more on a Windows 2008 64-bit server with 16GB of memory or more, you can modify the parameters described in the following sections for optimal performance:

Windows Operating System's Swap File Size

Sybase Database Registry Parameters

Sybase Temporary File Location

Windows Operating System's Swap File Size

Use the default 4GB setting. Increase this setting if Security Manager manages more devices and larger policies or if system memory usage is high. For general Microsoft Windows Server operating system tuning, refer to the Microsoft web site for more information.

Sybase Database Registry Parameters

For medium or large deployments, use the following procedure to tune database parameters to provide optimal performance and scalability.


Step 1 On the Security Manager server, use a text editor to edit the <NMSROOT>\databases\vms\orig\odbc.tmpl file and modify the following parameters:

Modify the parameter "___Cache=32" to "___Cache=512"

In the parameter "___Switches", add the keyword -gb high

The following illustration shows the changes.

Step 2 Shut down Security Manager by entering net stop crmdmgtd at a Windows command line and wait until Security Manager is fully shut down before the next step.

Step 3 Re-register the database parameters in the Windows registry using the Perl utility configureDb.pl, available in <NMSROOT>\objects\db\conf. The following is an example of the command and its syntax:

perl configureDb.pl action=reg dsn=vms dmprefix=vms

The following illustration shows an example.

Step 4 Verify that the parameters are registered properly by checking the Windows Registry setting under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsDbEngine\Parameters. There should be a "-gb high -c 512M" entry, as shown in the following illustration:

Step 5 Restart Security Manager by entering net start crmdmgtd at a Windows command line and wait until Security Manager is fully restarted before using it.


Sybase Temporary File Location

Sybase creates temporary files to store large query result sets. To improve the overall performance of Sybase, the Sybase temp directory can be located on a physical drive other than the one where the database is located. This improves performance because it enables the Sybase DB server to access the temp files and the database in parallel. By default, Sybase uses the Windows temp directory to store its temp files. If you need to customize the Sybase temp path so that the temp directory is on a different physical drive, set the system environment variable SA_TMP to the required path.

Understanding Security Manager Licensing

It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage. This section provides an overview of Security Manager licensing and some specific license examples.

Licensing Overview

There are several base versions of Cisco Security Manager 4.0 Enterprise Edition:

Standard 5 Device Limit

Standard 10 Device Limit

Standard 25 Device Limit

Professional 50 Device Limit

The versions provide management for 5, 10, 25, and 50 devices, respectively. The Professional version supports incremental device license packages available in increments of 50, 100, and 250 devices. The Professional version also includes support for the management of Cisco Catalyst® 6500 Series switches and associated services modules; the Standard versions do not include support for these platforms.

For additional devices, you can also order Standard-to-Professional upgrade licenses or incremental device licenses. The following is the list of upgrade and incremental device licenses in this version:

Enterprise Standard 25 to Professional 50 Upgrade

Enterprise Professional Incremental 50 Device

Enterprise Professional Incremental 100 Device

Enterprise Professional Incremental 250 Device

Security Manager consumes a device license for the following:

Each added physical device

Each added Cisco Catalyst 6500 Series services module

Each Cisco Catalyst switch

Each security context

Each virtual sensor

Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIM) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) do consume a license.

In the case of a Firewall Services Module (FWSM), the module itself consumes a license and then consumes an additional license for each security context. For example, an FWSM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it also consumes an additional device license.

The failover pair of an ASA/PIX/FWSM device is counted as a single device in Security Manager because Security Manager manages only the active device in a failover pair; therefore the pair consumes a single device license.

Unmanaged Devices

In Security Manager, you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager under Device Properties. An unmanaged device does not consume a license.

Another class of unmanaged device is an object that is added to a topology map. Use Map > Add Map Object to add different types of objects to the map, such as Clouds, Firewalls, Host, Network, and Router. These objects do not appear in the device inventory and do not consume a device license.

Active and Standby Servers

The license allows the use of the software on a single server. A standby Cisco Security Manager server, such as one used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time.

Licensing for RME and Performance Monitor

Cisco Security Manager also includes a separate license file for RME and Performance Monitor. You are entitled to use these applications for the same number of devices you have purchased for Cisco Security Manager. When you order a Security Manager base product you receive a second Product Authorization Key (PAK) for the RME and Performance Monitor license.

Licensing Examples

This section provides some representative licensing examples to help you better understand Security Manager licensing.

Example 1

Description of Managed Network: 15 Cisco Integrated Services Routers.

Required Licensing: Enterprise Standard - 25 Device license is required. Because there are no Catalyst 6500 services modules involved and there are fewer than 50 devices, order the Standard-25 license.

Example 2

Description of Managed Network: 5 IDSM-2 modules, where each module has two virtual sensors.

Required Licensing: Enterprise Standard - 10 Device license is required (10 virtual sensors split between five modules). Although Standard-25 might appear to be sufficient, because a Catalyst 6500 services module is involved, a Pro-50 license at a minimum is required if you need to use Security Manager to manage the Catalyst 6500 switch.

Example 3

Description of Managed Network: 250 pairs of ASAs (500 devices) operating in single and failover mode.

Required Licensing: Enterprise Professional - 50 Device + two Enterprise Incremental - 100 licenses are required. When you need to manage additional devices, you can order incremental device licenses in packs of 50, 100, or 250 devices.

Example 4

Description of Managed Network: You have Security Manager Standard Edition - 5 devices, but now you need to manage an additional 20 ASA devices operating in single mode.

Required Licensing: Enterprise Standard 25 to Professional 50 Upgrade license is required.

Example 5

Description of Managed Network: 10 pairs of failover ASA devices (20 devices) deployed in a combination of active/standby or active/active pairs, each having 5 security contexts.

Required Licensing: Enterprise Professional - 50 + Enterprise Professional Incremental 50 Device.

When deploying a pair of failover devices for redundancy, you need to add only the active devices and their contexts to Security Manager. Therefore the number of required device licenses is 10 devices x 5 contexts + 10 chassis, for a total of 60 device licenses.
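The following license estimator is an added worked example (it is not Cisco code or tooling) that encodes the consumption rules from Licensing Overview and the base and incremental license catalogue above, so an inventory can be checked against Examples 1, 2, 3 and 5 before ordering. The Device class, its field names, and the kind strings are this example's own assumptions; the rule that a Standard edition is insufficient once a managed Catalyst 6500 switch is in the inventory follows Example 2. It computes a fresh purchase only and does not model upgrade licenses (Example 4).

```python
"""Device-license estimator for Cisco Security Manager 4.0 (added example, not Cisco code)."""
from dataclasses import dataclass
from itertools import product
import math

# Base licenses from Licensing Overview: (name, device limit, is_professional)
BASE_LICENSES = [
    ("Enterprise Standard 5", 5, False),
    ("Enterprise Standard 10", 10, False),
    ("Enterprise Standard 25", 25, False),
    ("Enterprise Professional 50", 50, True),
]
INCREMENT_PACKS = (50, 100, 250)          # Professional incremental device packs

# Modules installed in a host device that do not consume a license themselves
FREE_HOST_MODULES = {"aip-ssm", "ids-nm", "ips-aim"}


@dataclass
class Device:
    """One inventory entry (assumed model; kind strings are this example's own)."""
    kind: str                   # "router", "asa", "fwsm", "idsm2", "catalyst6500", "aip-ssm", ...
    managed: bool = True        # False when 'Manage in Cisco Security Manager' is deselected
    standby: bool = False       # standby member of a failover pair: not added, so never counted
    security_contexts: int = 0  # multi-context firewall: contexts including admin; 0 = single mode
    virtual_sensors: int = 0    # IPS device/module: configured virtual sensors (0 or 1 = only the first)


def licenses_for(dev: Device) -> int:
    """Device licenses one inventory entry consumes under the rules above."""
    if not dev.managed or dev.standby:
        return 0                                    # unmanaged and standby units are free
    base = 0 if dev.kind in FREE_HOST_MODULES else 1    # physical device, services module, or switch
    contexts = dev.security_contexts                # one per security context, admin included
    extra_sensors = max(dev.virtual_sensors - 1, 0) # only virtual sensors beyond the first count
    return base + contexts + extra_sensors


def total_licenses(inventory) -> int:
    return sum(licenses_for(d) for d in inventory)


def needs_professional(inventory) -> bool:
    """Standard editions cannot manage a Catalyst 6500 switch (the Example 2 condition)."""
    return any(d.kind == "catalyst6500" and d.managed for d in inventory)


def cheapest_packs(remainder: int):
    """Incremental packs covering `remainder` licenses with the least total capacity,
    then the fewest packs (matches Example 3: 200 extra -> two 100-device packs)."""
    if remainder <= 0:
        return ()
    ranges = [range(math.ceil(remainder / p) + 1) for p in INCREMENT_PACKS]
    best = None
    for counts in product(*ranges):
        capacity = sum(c * p for c, p in zip(counts, INCREMENT_PACKS))
        if capacity < remainder:
            continue
        key = (capacity, sum(counts))
        if best is None or key < best[0]:
            best = (key, counts)
    return tuple(p for c, p in zip(best[1], INCREMENT_PACKS) for _ in range(c))


def recommend(inventory):
    """Return (base license name, list of incremental pack sizes, licenses consumed)."""
    needed = total_licenses(inventory)
    if not needs_professional(inventory):
        for name, limit, pro in BASE_LICENSES:
            if not pro and needed <= limit:
                return name, [], needed
    # Professional 50 plus increments: required for Catalyst 6500 switches or above 25 devices
    name, limit, _ = BASE_LICENSES[-1]
    return name, list(cheapest_packs(needed - limit)), needed


if __name__ == "__main__":
    # Constructed inventory for Example 5: 10 failover pairs, 5 contexts each
    example5 = [Device("asa", security_contexts=5) for _ in range(10)] + \
               [Device("asa", security_contexts=5, standby=True) for _ in range(10)]
    print(recommend(example5))   # ('Enterprise Professional 50', [50], 60)
```

Running the script prints the Example 5 result: the ten active ASAs consume 1 chassis + 5 contexts each, the standby units consume nothing, and the 60 licenses are covered by Professional 50 plus one 50-device increment.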

For additional information on Security Manager licensing, visit the product home page and data sheets at http://www.cisco.com/go/csmanager.


Note In all the above examples, consider ordering the corresponding Cisco Service Application Support (SAS) to obtain access to the Cisco Technical Assistance Center (TAC) and application minor release updates at no charge.