Deployment Planning Guide for Cisco Security Manager 4.1

Table Of Contents

Deployment Planning Guide for Cisco Security Manager 4.1

Introduction

Cisco Security Manager 4.1 Applications

Configuration Manager

Event Viewer

Report Manager

Common Services 3.3

Auto Update Server 4.1

Resource Manager Essentials 4.3

Performance Monitor 4.1

Related Applications

Cisco Secure Access Control Server (ACS) 4.2.x

Cisco CNS Configuration Engine 3.5 and 3.5(1)

Minimum Hardware and Software Requirements

Virtual Machine Hardware and Software Requirements

Recommended Hardware and Software Specifications

Small Deployment with VMware ESX 4.0/4.0i

Small Enterprise Deployment

Medium Enterprise Deployment

Large Enterprise Deployment

Deployment Scenarios

Factors which Affect Application Performance

Single Server Installation

Multiple Servers Installation

Large Retail Deployment

Installation in VMware's Virtual Machine Environment

High-Availability/Disaster Recovery

Installation Guidelines

Installable Modules

IP address, Hostname and DNS name

Client Deployment

Security Manager Server Tuning

Windows Operating System's Swap-File size

Sybase database registry parameters

Understanding Security Manager Licensing

Licensing Examples


Deployment Planning Guide for Cisco Security Manager 4.1


First Published: May 24, 2011
Updated: July 11, 2011
Last Updated: October 19, 2011

Introduction

This document provides guidance on planning a deployment of Cisco Security Manager 4.1 server. It includes these topics: included applications, recommended server hardware, client hardware, sizing and software based on reference networks, deployment options for the set of applications included with Security Manager, advanced Security Manager server tuning options, and licensing. For more information about Security Manager software features, refer to product documentation located at http://www.cisco.com/go/csmanager.

This document complements other Security Manager user documentation such as the User Guide for Cisco Security Manager 4.1 and the Installation Guide for Cisco Security Manager 4.1.

Cisco Security Manager 4.1 Applications

Each Cisco Security Manager 4.1 installation includes the following applications:

Configuration Manager

Event Viewer

Report Manager

Configuration Manager

Configuration Manager enables you to centrally manage security policies over 250 different types and models of Cisco security devices. Security Manager supports integrated provisioning of firewall, IPS, and VPN (most Site-to-site, Remote Access and SSL) services across:

IOS/ISR/ASR routers

Catalyst switches

ASA and PIX security appliances

Catalyst Service Modules related to firewall, VPN, and IPS

IPS appliances and various service modules for routers and ASA devices

For a complete list of devices and OS versions supported by Security Manager, please refer to Supported Devices and Software Versions for Cisco Security Manager on Cisco.com.

Event Viewer

The high-performance and easy-to-use integrated Event Viewer allows you to centrally monitor events from IPS, ASA, and FWSM devices and correlate them to the related configuration policies. This helps you identify problems and troubleshoot configurations. Then, using Configuration Manager, you can make adjustments to the configurations and deploy them. Event Viewer supports event management for Cisco ASA, IPS, and FWSM devices.

In addition to the Primary Event Data Store, events can be copied and stored in the Extended Event Data Store. The Extended Event Data Store can be used to back up and archive a larger number of events. This is useful for historical review and analysis of events where Event Viewer can gather event data from both the Primary Event Data Store and the Extended Event Data Store. The Extended Event Data Store can be enabled in Event Management in Security Manager's Administration settings.

For supported platforms and more information, refer to the "Monitoring and Diagnostics" part of the User Guide for Cisco Security Manager 4.1 on Cisco.com.

Report Manager

The new integrated Report Manager application allows you to generate and schedule ASA, IPS, and Remote Access VPN reports. Reports for ASA and IPS devices are created by aggregating and summarizing events collected by Event Viewer. Security reports can be utilized to efficiently monitor, track, and audit network use and security problems reported by managed devices. Users can use Report Manager to develop and customize reports for Cisco ASA and IPS devices.

For supported platforms and more information, refer to the "Monitoring and Diagnostics" part of the User Guide for Cisco Security Manager 4.1 on Cisco.com.

Common Services 3.3

Common Services provides the framework for data storage, web login portal, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to applications that include:

SSL libraries

An embedded Sybase SQL database

The Apache web server

The Tomcat servlet engine

The CiscoWorks web portal

Backup and restore functions

RBAC functionality. The RBAC functionality provided by Common Services includes the following:

local authentication combined with RBAC and

additional capability to integrate with external AAA servers (such as ACS and AD).

Common Services is required for all the applications included with Security Manager. For more information about Common Services 3.3, refer to the documentation located at http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/user/guide/cs_33_ug.html.

Auto Update Server 4.1

AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition, supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.

In this model, Security Manager deploys configuration updates to the AUS server, and the managed device contacts AUS to download them at a periodic interval, at a specific date and time, or on demand.

AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls.

AUS uses a browser-based, graphical user interface and requires Common Services 3.3. For more information about AUS, refer to the documentation located at http://www.cisco.com/go/csmanager.

Resource Manager Essentials 4.3

To support life cycle management, RME provides the ability to manage device inventory and audit changes, configuration files, software images, and basic syslog analysis (for configuration archival and tracking purposes). To support the 64-bit OS, RME must be installed from the RME package included in the Security Manager 4.1 bundle. The RME included with the CiscoWorks LAN Management Solution (LMS) is not compatible with the 64-bit OS.

RME uses a browser-based, graphical user interface and requires Common Services 3.3. For more information about RME, refer to datasheets at http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_data_sheets_list.html.

Supported device information for RME is available at http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html.

Performance Monitor 4.1

Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor supports the ability to proactively detect network performance issues before they become critical; helps identify portions of the network which are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPN, site-to-site VPN, firewall, web server load-balancing, and SSL termination. Performance Monitor uses a browser-based, graphical user interface and requires Common Services 3.3.

For more information about Performance Monitor, refer to the documentation located at http://www.cisco.com/go/csmanager.

Related Applications

Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:

Cisco Secure Access Control Server (ACS) 4.2.x

You can optionally configure Security Manager to use ACS for authentication and authorization of Security Manager users. ACS supports defining custom user profiles for fine-grained role-based access control (RBAC) and the ability to restrict users to specific sets of devices or operations.

For details on configuring Security Manager and ACS integration refer to the Installation Guide for Cisco Security Manager 4.1. For more information about ACS you can visit http://www.cisco.com/go/acs.

Cisco CNS Configuration Engine 3.5 and 3.5(1)

Security Manager supports the use of Cisco Configuration Engine 3.5 and 3.5(1) as a mechanism for deploying device configurations. Security Manager deploys the delta configuration file to the Cisco Configuration Engine, where it is stored for later retrieval from the device. Devices such as Cisco IOS routers, PIX, and ASA firewalls that use a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. Security Manager also supports management of devices which have a static IP address via CNS configuration engine. In such cases, the discovery is done live and the deployments to the device happen via the CNS configuration engine.

For more information about the Configuration Engine you can visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html.

Minimum Hardware and Software Requirements

Each Cisco Security Manager server installation requires a single dedicated physical server or virtual machine for policy, event, and report management. Optional components such as Auto Update Server, Performance Monitor, or Resource Manager Essentials can be installed on the same or a separate system.

Table 1 lists the minimum hardware and software specifications for the Cisco Security Manager server software and for the optional modules. While Security Manager can be installed on a system with the minimum specifications, its performance and capacity are then limited to a small deployment (up to 25 managed devices). For larger deployments, use a physical server with the specifications given in the Recommended Hardware and Software Specifications section.

Table 1 Minimum Server Hardware and Software 

Minimum Server Hardware

Recommended Server

Cisco UCS C210 M2 or equivalent

CPU

1 x Intel Xeon Four-core 5600 Series. This four-core (quad-core) CPU is the minimum. Additional cores provide better performance.

Memory (RAM)

16 GB is the minimum needed to use all features of Security Manager. With less memory, features such as Event Management and Report Management are affected.

In particular, if the amount of RAM available to the operating system is less than 8 GB, Event Viewer and Report Manager are disabled during installation.

If the memory available to the OS is between 8 and 12 GB, you can turn off Event Viewer and Report Manager, presuming that you do not plan to use them. Configuration Management will be usable in such systems.

Although not recommended, you can enable Event Viewer and Report Manager for low memory systems from the Security Manager client after completing the installation (select Tools > Security Manager Administration > Event Management). Keep in mind that enabling Event Viewer and Report Manager on a system with low memory can severely affect the performance of the entire application.

If you install AUS, RME, or Performance Monitor on separate servers, the following minimums apply:

AUS- or Performance Monitor-only server—4 GB. We recommend more than 4 GB.

RME-only server—3 GB.

Hard drive space

Use a suitable combination of HDDs to achieve the disk space required, which is as follows:

100 GB for the OS partition is recommended by Cisco.

150 GB for the application (Security Manager) partition is recommended by Cisco.

Note Cisco strongly recommends installing the OS and application on separate partitions.

Note The application partition mentioned above and any other event store partitions may not be relevant when using Veritas in HA (high availability) mode. Please refer to the applicable Security Manager high availability documentation (http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html) and Veritas documentation for further details.

An additional 1.0 TB for log storage for the Event Viewer on a separate partition: This is a requirement, but ONLY if you plan to use Event Viewer. Cisco recommends creating this separate partition on a directly attached storage device.

An additional 1.0 TB or more: This is a requirement, but ONLY if you plan to enable Event Archival. Event Archival functionality creates a secondary storage of events when log storage is required beyond primary storage capacity (for long term preservation etc.). The Secondary Event Store size is required to be bigger than the configured primary storage size, so an additional 1.0 TB or more of disk space is required to use Event Archival. Both primary & secondary event stores can be on a SAN but it is recommended to create the primary store partition on a directly attached storage (DAS) for optimum performance.

Cisco recommends RAID 10 for better performance. RAID 5 can be used if desired.

Tips

A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management.

Supported Devices

up to 25

Network adapter

1 Gbps

Minimum Server Software

Operating System

Microsoft Windows 2008 Enterprise Server 64-bit SP2

Microsoft Windows 2008 Enterprise Server 64-bit R2


Table 2 is the list of minimum hardware and software specifications for Cisco Security Manager client software installation. It is recommended to install Security Manager client software on a dedicated machine:

Table 2 Minimum Client Hardware and Software 

Minimum Client Hardware

CPU

Dual-Core 2.0 GHz or better

Memory

2 GB or more recommended

HDD

10 GB free space

Display

1280 x 1024

Network adapter

1 Gbps

Minimum Client Hardware

Operating System

One of the following (all 32-bit unless otherwise specified):

Windows XP (Service Pack 3).

Windows 7 Enterprise Edition—64-bit and 32-bit.

Windows 2008 Enterprise Server (Service Pack 2)—64-bit only.

Windows 2008 R2 Enterprise Server—64-bit.

Security Manager supports only the U.S. English and Japanese versions of Windows. From the Start Menu, open the Windows Control Panel, open the panel where you configure region and language settings, then set the default locale. (English as the language in any Japanese version of Windows is not supported.)

Browser

One of the following:

Internet Explorer 7.0.

Internet Explorer 8.0, but only in Compatibility View.

Tip To use Compatibility View, open Internet Explorer 8, go to Tools > Compatibility View Settings, and add the Security Manager server as a "website to be displayed in Compatibility View."

Firefox 3.6.x.


Virtual Machine Hardware and Software Requirements

For virtual machine hardware and software requirements, refer to Table 3, Small Deployment with VMware ESX 4.0/4.0i.

Recommended Hardware and Software Specifications

Performance improvements with Security Manager have been observed when going from a single processor (or core) server to a multiple-processor (or core) server. With new Event Management, Report Management, and other new features in this release, Cisco recommends that you use proper hardware and software specifications to have optimal performance. Cisco also recommends sizing the server for future expansions.

For best performance, a Security Manager server with a 2.66-GHz Intel Xeon quad-core processor (with Hyper-Threading) or faster is recommended at a minimum. If Event Management is used, it is highly recommended to have a dedicated hard disk or storage volume for the Security Manager applications and a separate dedicated disk or volume for event storage. For a Security Manager client system, you can use the minimum hardware specifications given in the Minimum Hardware and Software Requirements section of this document.

The following specifications are lists of recommended specifications for a Security Manager server for different sizes of deployments:

Small Deployment with VMware ESX 4.0/4.0i

Small Enterprise Deployment

Medium Enterprise Deployment

Large Enterprise Deployment

These specifications are general guidelines on the proper hardware and software to support such deployments based on the number of devices; performance results might vary depending on other factors discussed in the Deployment Scenarios section of this document. These hardware and software requirements for Security Manager are the same for new installations and for upgrading to version 4.1 from older versions of Security Manager.

Small Deployment with VMware ESX 4.0/4.0i

Recommended specifications for a Security Manager server for a small deployment with VMware ESX 4.0/4.0i are listed in Table 3:

Table 3 Small Deployment with VMware ESX 4.0/4.0i 

Note VMware performance is gated by the load generated by other VMs on the same host system, so these VM sizing figures are based on a system that is not under heavy load by other VMs.

Recommended Host Server

Cisco UCS C210 M2 or equivalent

UCS Part Number

R210-2121605W

Virtual CPU

6 vCPUs. Having more vCPUs provides better performance.

Memory (RAM)

16 GB is the minimum needed to use all features of Security Manager. With less memory, features such as Event Management and Report Management are affected.

In particular, if the amount of RAM available to the operating system is less than 8 GB, Event Viewer and Report Manager are disabled during installation.

If the memory available to the OS is between 8 and 12 GB, you can turn off Event Viewer and Report Manager, presuming that you do not plan to use them. Configuration Management will be usable in such systems.

Although not recommended, you can enable Event Viewer and Report Manager for low memory systems from the Security Manager client after completing the installation (select Tools > Security Manager Administration > Event Management). Keep in mind that enabling Event Viewer and Report Manager on a system with low memory can severely affect the performance of the entire application.

If you install AUS, RME, or Performance Monitor on separate servers, the following minimums apply:

AUS- or Performance Monitor-only server—4 GB. We recommend more than 4 GB.

RME-only server—3 GB.

HDD

100 GB minimum

Host Server HDD RAID

RAID inside a VM is not applicable since it uses a virtualized file system on top of the underlying host system's HDD configuration. Also, software-based RAID cannot be used with a VMware ESX VM. For more information, refer to documentation published by VMware, Inc.

Network adapter

1 Gbps

Operating System

Microsoft Windows 2008 Enterprise Server 64-bit SP2

Microsoft Windows 2008 Enterprise Server 64-bit R2

Recommended Sizings

Max number of devices

up to 25

Maximum Cumulative EPS Supported

5000 Events per second [this value is a 9:1 ratio of syslogs to IPS SDEE (i.e., 4500 syslog + 500 SDEE)]

Max concurrent users

Two concurrent users at most (one configuration-only user and one user using event and/or reporting screens)


Small Enterprise Deployment

Recommended specifications for a Security Manager server for a small enterprise deployment are listed in Table 4:

Table 4 Small Enterprise Deployment 

Recommended Server

Cisco UCS C210 M2 or equivalent

UCS Part Number

R210-2121605W

CPU

1 x Hex Core (X5670 or equivalent series recommended)

Memory (RAM)

16 GB is the minimum needed to use all features of Security Manager. With less memory, features such as Event Management and Report Management are affected.

In particular, if the amount of RAM available to the operating system is less than 8 GB, Event Viewer and Report Manager are disabled during installation.

If the memory available to the OS is between 8 and 12 GB, you can turn off Event Viewer and Report Manager, presuming that you do not plan to use them. Configuration Management will be usable in such systems.

Although not recommended, you can enable Event Viewer and Report Manager for low memory systems from the Security Manager client after completing the installation (select Tools > Security Manager Administration > Event Management). Keep in mind that enabling Event Viewer and Report Manager on a system with low memory can severely affect the performance of the entire application.

If you install AUS, RME, or Performance Monitor on separate servers, the following minimums apply:

AUS- or Performance Monitor-only server—4 GB. We recommend more than 4 GB.

RME-only server—3 GB.

Hard drive space

Use a suitable combination of HDDs to achieve the disk space required, which is as follows:

100 GB for the OS partition is recommended by Cisco.

150 GB for the application (Security Manager) partition is recommended by Cisco.

Note Cisco strongly recommends installing the OS and application on separate partitions.

Note The application partition mentioned above and any other event store partitions may not be relevant when using Veritas in HA (high availability) mode. Please refer to the applicable Security Manager high availability documentation (http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html) and Veritas documentation for further details.

An additional 1.0 TB for log storage for the Event Viewer on a separate partition: This is a requirement, but ONLY if you plan to use Event Viewer. Cisco recommends creating this separate partition on a directly attached storage device.

An additional 1.0 TB or more: This is a requirement, but ONLY if you plan to enable Event Archival. Event Archival functionality creates a secondary storage of events when log storage is required beyond primary storage capacity (for long term preservation etc.). The Secondary Event Store size is required to be bigger than the configured primary storage size, so an additional 1.0 TB or more of disk space is required to use Event Archival. Both primary & secondary event stores can be on a SAN but it is recommended to create the primary store partition on a directly attached storage (DAS) for optimum performance.

Cisco recommends RAID 10 for better performance. RAID 5 can be used if desired.

Tips

A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management.

Network adapter

1 Gbps

Operating Systems

Microsoft Windows 2008 Enterprise Server 64-bit SP2

Microsoft Windows 2008 Enterprise Server 64-bit R2

Recommended Sizings

Max number of devices

up to 100

Maximum Cumulative EPS Supported

5000 Events per second [this value is a 9:1 ratio of syslogs to IPS SDEE (i.e., 4500 syslog + 500 SDEE)]

Max concurrent users

Four concurrent users at most (two configuration-only users and two users using event and/or reporting screens)


Medium Enterprise Deployment

Recommended specifications for a Security Manager server for a medium enterprise deployment are listed in Table 5:

Table 5 Medium Enterprise Deployment 

Recommended Server

Cisco UCS C210 M2 or equivalent

UCS Part Number

R210-2121605W

CPU

1 x Hex Core (X5670 or equivalent series recommended)

Memory (RAM)

16 GB for Configuration Manager only

24 GB for all functions

Hard drive space

Use a suitable combination of HDDs to achieve the disk space required, which is as follows:

100 GB for the OS partition is recommended by Cisco.

150 GB for the application (Security Manager) partition is recommended by Cisco.

Note Cisco strongly recommends installing the OS and application on separate partitions.

Note The application partition mentioned above and any other event store partitions may not be relevant when using Veritas in HA (high availability) mode. Please refer to the applicable Security Manager high availability documentation (http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html) and Veritas documentation for further details.

An additional 1.0 TB for log storage for the Event Viewer on a separate partition: This is a requirement, but ONLY if you plan to use Event Viewer. Cisco recommends creating this separate partition on a directly attached storage device.

An additional 1.0 TB or more: This is a requirement, but ONLY if you plan to enable Event Archival. Event Archival functionality creates a secondary storage of events when log storage is required beyond primary storage capacity (for long term preservation etc.). The Secondary Event Store size is required to be bigger than the configured primary storage size, so an additional 1.0 TB or more of disk space is required to use Event Archival. Both primary & secondary event stores can be on a SAN but it is recommended to create the primary store partition on a directly attached storage (DAS) for optimum performance.

Cisco recommends RAID 10 for better performance. RAID 5 can be used if desired.

Tips

A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management.

Network adapter

1 Gbps

Operating System

Microsoft Windows 2008 Enterprise Server 64-bit SP2

Microsoft Windows 2008 Enterprise Server 64-bit R2

Recommended Sizings

Max number of devices

up to 200

Maximum Cumulative EPS Supported

10,000 Events per second [this value is a 9:1 ratio of syslogs to IPS SDEE (i.e., 9000 syslog + 1000 SDEE)]

Max concurrent users

Seven concurrent users at most (five configuration-only users and two users using event and/or reporting screens)


Large Enterprise Deployment

Recommended specifications for a Security Manager server for a large enterprise deployment are listed in Table 6:

Table 6 Large Enterprise Deployment 

Recommended Server

Cisco UCS C210 M2 or equivalent

UCS Part Number

R210-2121605W

CPU

2 x Hex Core (X5670 or equivalent series recommended)

Memory (RAM)

24 GB for Configuration Manager only

32 GB for all functions

Hard drive space

Use a suitable combination of HDDs to achieve the disk space required, which is as follows:

100 GB for the OS partition is recommended by Cisco.

150 GB for the application (Security Manager) partition is recommended by Cisco.

Note Cisco strongly recommends installing the OS and application on separate partitions.

Note The application partition mentioned above and any other event store partitions may not be relevant when using Veritas in HA (high availability) mode. Please refer to the applicable Security Manager high availability documentation (http://www.cisco.com/en/US/products/ps6498/prod_installation_guides_list.html) and Veritas documentation for further details.

An additional 1.0 TB for log storage for the Event Viewer on a separate partition: This is a requirement, but ONLY if you plan to use Event Viewer. Cisco recommends creating this separate partition on a directly attached storage device.

An additional 1.0 TB or more: This is a requirement, but ONLY if you plan to enable Event Archival. Event Archival functionality creates a secondary storage of events when log storage is required beyond primary storage capacity (for long term preservation etc.). The Secondary Event Store size is required to be bigger than the configured primary storage size, so an additional 1.0 TB or more of disk space is required to use Event Archival. Both primary & secondary event stores can be on a SAN but it is recommended to create the primary store partition on a directly attached storage (DAS) for optimum performance.

Cisco recommends RAID 10 for better performance. RAID 5 can be used if desired.

Tips

A sustained 10,000 events per second (EPS) consumes about 86 GB of compressed disk space per day. Log rollover happens when 90% of the disk space allocated for event store (primary/secondary) is filled. Smaller disk size causes quicker rollovers. Based on your expected EPS rate and rollover requirements, you can increase or decrease the minimum disk size when using Event Management.

Network adapter

1 Gbps

Operating System

Microsoft Windows 2008 Enterprise Server 64-bit SP2

Microsoft Windows 2008 Enterprise Server 64-bit R2

Recommended Sizings

Max number of devices

up to 500

Maximum Cumulative EPS Supported

10,000 Events per second [this value is a 9:1 ratio of syslogs to IPS SDEE (i.e., 9000 syslog + 1000 SDEE)]

Max concurrent users

Ten concurrent users at most (five configuration-only users and five users using event and/or reporting screens)



Note For enabling event archival, additional storage capacity the same size as the primary store or bigger is required.



Note The above sizing guidelines assume firewall devices with an average of 3000-5000 rules. If the number of rules is much larger, either reduce the number of devices managed by the server or move to the next larger hardware tier.
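The tables above and the event store tips repeat the same sizing rules: per-tier limits on devices, EPS and concurrent users; about 86 GB per day of compressed events at a sustained 10,000 EPS; rollover when the store reaches 90%; a secondary (archive) store at least as large as the primary; and a step up in hardware when firewalls carry far more than the 3000-5000 rules the tables assume. The following is an added worked example, not a Cisco tool and not code from this guide, that encodes those rules so they can be applied to a planned deployment. It assumes that disk growth scales linearly with EPS from the single 86 GB figure the guide gives, that a rule count above 5000 is what the note means by "much larger", and it compares total concurrent users against the table maximums rather than the split between configuration-only and event/reporting users.

```python
"""Capacity planning helpers derived from Tables 3-6 and the event store tips
in the Security Manager 4.1 deployment guide.  Added example, not Cisco tooling."""
from dataclasses import dataclass
from typing import Optional

# Figures stated in the guide.
GB_PER_DAY_AT_10K_EPS = 86.0   # sustained 10,000 EPS ~ 86 GB/day, compressed
ROLLOVER_FRACTION = 0.90       # log rollover starts at 90% of the store
MIN_PRIMARY_STORE_GB = 1024.0  # 1.0 TB minimum for the primary event store
SYSLOG_SHARE, SDEE_SHARE = 0.9, 0.1   # 9:1 syslog:SDEE mix used by the tables
RULES_BASELINE_MAX = 5000      # tables assume firewalls with 3000-5000 rules
                               # (assumption: above this counts as "much larger")


@dataclass(frozen=True)
class Tier:
    name: str
    max_devices: int
    max_eps: int
    max_users: int


# Tables 3-6 in ascending order of capacity.
TIERS = (
    Tier("Table 3: Small deployment (VMware ESX 4.0/4.0i)", 25, 5000, 2),
    Tier("Table 4: Small enterprise", 100, 5000, 4),
    Tier("Table 5: Medium enterprise", 200, 10000, 7),
    Tier("Table 6: Large enterprise", 500, 10000, 10),
)


def gb_per_day(eps: float) -> float:
    """Compressed event store growth, scaled linearly from the 10,000 EPS figure."""
    return eps / 10_000 * GB_PER_DAY_AT_10K_EPS


def days_until_rollover(store_gb: float, eps: float) -> float:
    """Days a store of store_gb lasts at a sustained eps before rollover begins."""
    return store_gb * ROLLOVER_FRACTION / gb_per_day(eps)


def required_store_gb(eps: float, retention_days: float) -> float:
    """Smallest store that keeps retention_days of events before rollover,
    never below the guide's 1.0 TB minimum."""
    needed = gb_per_day(eps) * retention_days / ROLLOVER_FRACTION
    return max(needed, MIN_PRIMARY_STORE_GB)


def event_store_plan(eps: float, retention_days: float,
                     archive_days: Optional[float] = None) -> dict:
    """Primary store size, plus the secondary (archive) store size when Event
    Archival is enabled.  The guide requires the secondary store to be at least
    as large as the primary, so the archive is sized for archive_days and then
    raised to the primary size if it came out smaller."""
    primary = required_store_gb(eps, retention_days)
    plan = {
        "primary_gb": primary,
        "syslog_eps": eps * SYSLOG_SHARE,
        "sdee_eps": eps * SDEE_SHARE,
        "days_until_rollover": days_until_rollover(primary, eps),
    }
    if archive_days is not None:
        plan["secondary_gb"] = max(required_store_gb(eps, archive_days), primary)
    return plan


def choose_tier(devices: int, eps: float, users: int,
                avg_rules: int = RULES_BASELINE_MAX) -> Optional[Tier]:
    """Smallest tier from Tables 3-6 that satisfies all three limits.  When the
    firewalls average more rules than the tables assume, the note under Table 6
    says to step up one tier (or cut the device count), so the next tier is
    returned.  None means no single server fits; the guide's answer there is
    multiple Security Manager servers."""
    for i, tier in enumerate(TIERS):
        if devices <= tier.max_devices and eps <= tier.max_eps and users <= tier.max_users:
            if avg_rules > RULES_BASELINE_MAX:
                return TIERS[i + 1] if i + 1 < len(TIERS) else None
            return tier
    return None


if __name__ == "__main__":
    print(event_store_plan(eps=5000, retention_days=30, archive_days=365))
    print(choose_tier(devices=150, eps=8000, users=6, avg_rules=4000))
```

At 5000 EPS the guide's 1.0 TB primary store rolls over after roughly 21 days (1024 x 0.9 / 43); holding 30 days at that rate needs about 1.4 TB, which is why the 1.0 TB figure is a minimum rather than a recommendation.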


Deployment Scenarios

There are various deployment scenarios possible for Security Manager applications. When deciding on a deployment scenario, you should consider the following important factors, which can affect system performance:

How many devices will Security Manager manage?

A Security Manager installation has no hard limit on the number of devices it manages; however, we recommend fewer than 500 devices per Security Manager server on the recommended hardware and software. Use the recommended specifications listed in the previous section to size the number of devices per server. That number should be smaller if the managed devices have very large configurations. For example, a large number of firewall devices with 20,000 to 50,000 rules, a large IPS signature set, or very large and complex VPN policies with thousands of branches can cause Security Manager to run with sub-optimal performance. If needed, deploy multiple Security Manager servers to manage a larger number of devices and a larger network.

How can policies, objects and devices be managed across multiple Security Manager servers?

Shared policies, objects, and devices can be exported from one Security Manager server and imported into others with the Policy Export/Import feature. This feature makes it easy to synchronize shared policies and objects across multiple servers. It can also be used to migrate (move) managed devices from one server to another when needed.

What type of devices will be managed with Security Manager? Will performance be varied for different type of devices?

Many types of devices can be managed with Security Manager, but among the most common are firewalls, IPS sensors, and VPN devices; these types of devices provide good examples of how performance can be different for different types of devices.

Some types of devices require policy changes more frequently than other types of devices. For example, devices such as firewalls and IPS sensors require policy changes more frequently than VPN devices; therefore, firewalls and IPS sensors require much more resources than VPN devices. The result is that Security Manager can, in general, manage more devices in a VPN environment than in a firewall or IPS environment.

What is the common size of configuration?

In a small environment, configurations could vary from 100 to thousands of lines. In a medium environment, they could vary from thousands to 5000 ACLs, while in some large environments the number can be from 5000 ACLs to 50,000 ACLs or more. In a larger environment, you should consider reducing the number of devices per Security Manager server to leave enough headroom for future growth.

How many events can Security Manager manage? What are the right settings for firewall and IPS logging?

Event Management can consume a lot of system resources, especially in a large environment with many users and devices. While a single Security Manager server can manage up to 10,000 events per second with the right hardware and software specifications, it is recommended that you configure the devices to send only the important logs that are required for your operation. Recommended logging levels for firewall devices range from 0:Emergencies to 5:Notifications, where 0 produces the least amount of logs sent to Security Manager. Additional logging can always be turned on per device when necessary for troubleshooting and debugging purposes. Be cautious when using the 7:Debugging or 6:Informational logging level. These should be turned on only at the device's console or Device Manager when needed and turned off when done. For IPS devices, signature settings can be tuned to Low, Medium, High or Informational. These settings vary between environments and can affect system performance. Refer to the IPS configuration guide for more information.

How many users will use these applications?

Active user sessions also place a load on the server and should be factored in when deciding on the deployment size. For example, an application may not have reached its limit due to the number of devices, but could be nearing maximum load due to simultaneous user sessions, which may warrant dedicating a server to the application. Security Manager supports more than five concurrent users; however, a maximum of five real-time event views can be open in Event Viewer at any time. Event Server does not limit the number of Event Viewer instances connecting to it but places a hard limit of 5 concurrent real-time event views across all active Event Viewers.

Which specific applications included with Security Manager do you need to deploy?

Do you require the applications (such as Auto Update Server or RME) to be highly available or survivable in the event of a site disaster or outage? If you reach the scale limits of a specific application installed on a dedicated server, you need to consider deploying multiple instances of the application on different servers.

Factors which Affect Application Performance

There are many factors that affect application performance. These include, but are not limited to, the following:

Server and client hardware (for example, processor, memory, and storage technology)

Number of managed devices, including the type of the devices, the complexity of the devices, and the size of their configurations (such as a large number of ACLs)

Event management engine, event volume reported by managed devices, and logging level

Number and complexity of policy objects

Number of simultaneous users and the specific activities the users are performing

Frequency of configuration deployment or IPS signature updates for a large number of devices

Number of devices present in a deployment job

Network bandwidth and latency, such as between Security Manager clients and the server and between the server and the managed devices

Use of virtualization technology such as VMware ESX

Use of ACS server for AAA services

Number of scheduled reports

Reporting engine, event volume reported by managed devices, and event aggregation

Large geographic distances between a Security Manager client and server result in poor client responsiveness due to the latency introduced. For example, it is not recommended to use a client in India with a server located in California because of the large latency involved. In such cases, we recommend that you employ a remote desktop or terminal server arrangement, where the running clients are co-located in the same datacenter as the server, or at least nearby.

Single Server Installation

A single server is the simplest deployment scenario, where you install all Security Manager applications of interest on the same server. For small-scale security environments with one or two network security administrators, a single-server deployment is usually adequate.

Multiple Servers Installation

In some large environments with hundreds or thousands of devices, a single server cannot manage all devices efficiently. For performance reasons you may choose to deploy the Security Manager applications of interest across multiple servers. One possible distribution of the applications is as follows:

Server A: Firewall Policy & Device Management

Common Services

Security Manager

Event/Log Monitoring

Report Manager

Auto Update Server (optional)

Server B: IPS Policy & Device Management

Common Services

Security Manager

Event/Log Monitoring

Report Manager

Server C: VPN Policy & Device Management

Common Services

Security Manager

Event/Log Monitoring

Report Manager

Server A is dedicated to Configuration and Event Management for all ASA/PIX/FWSM firewall devices. Server B is dedicated to Configuration and Event Management for all IPS devices, while Server C is dedicated to VPN policy management for ASA/IOS/ISR VPN devices; Server C will also manage the firewall devices that are part of the VPN topology. With this deployment method, the need to share policy data between servers is minimized since each server mostly uses the same policy data within itself. However, this deployment is not suitable for networks where Security Manager servers might be deployed a great distance away from the managed devices, which can affect monitoring, configuration discovery and deployment.

Another method is to divide the devices by region so that each Security Manager server manages only the smaller number of devices in its region (US-West, US-Central, US-East, Europe, or Asia, for example). This provides optimal performance for the management console, event monitoring and configuration deployment, because managed devices are served from their local Security Manager server.

In a multiple-server deployment, shared policies and objects can be exported and imported between servers using the Policy Import/Export feature. Devices can also be migrated (moved) to a different server using Policy Import/Export. This helps to scale management while still keeping policies and objects synchronized across a large number of devices on different servers.

Large Retail Deployment

Customers with large-scale router deployments such as those found in the retail vertical have several management options. These environments typically include thousands of routers deployed in a highly distributed model. Customers that require management for these environments are encouraged to evaluate Cisco CNS Configuration Engine (http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html) and Cisco Virtual Office MEVO (http://www.cisco.com/en/US/netsol/ns855/index.html) as highly scalable solutions.

In some environments where Event Management in Security Manager is not required (for example, when CS-MARS or a third-party log management product is used), the Event Management engine can be turned off to provide better performance for policy management; in such cases, however, Report Manager is also disabled along with Event Server.

Installation in VMware's Virtual Machine Environment

Security Manager supports running in VMware ESX 4.0/4.0i. Other VMware environments such as VMware Server and VMware Workstation are not supported.

You can use any server operating system supported by Security Manager as the guest operating system for VMware. The VMware qualification effort involved running the same set of performance and durability tests that are performed on Security Manager running on a regular non-virtualized server. Test results have shown that running Security Manager in VMware ESX Server 4.0 introduces a modest amount of application performance degradation, which varies based on the size of the reference network involved and the specific test case. Deployment of Security Manager in a VMware environment is only suitable for smaller networks.

One area where the performance degradation was usually large was performing a deployment to a large number of PIX or ASA devices, or to a device with a large number of rules (on the order of 5 to 50 thousand rules). In this case the deployment took much longer than an acceptable time. For VMware performance best practices, refer to the following document: http://www.vmware.com/pdf/Perf_Best_Practices_vSphere4.0.pdf.

However, you should avoid tuning any of the advanced VMware parameters, as the default values or settings are generally optimal.

It is also recommended to use one of the later generation servers with a processor that includes technology specifically designed to improve the efficiency of virtualization. For example, good results were obtained when testing Security Manager running in VMware ESX Server 4.0 on an Intel® Xeon® X5500 series Quad-core processor, which includes Intel® Virtualization Technology (IVT). AMD offers 64-bit x86 architecture processors with virtualization extensions, which they refer to as AMD Virtualization (AMD-V).

For virtual machine hardware and software requirements, refer to Table 3, Small Deployment with VMware ESX 4.0/4.0i.

High-Availability/Disaster Recovery

You can deploy Security Manager in a high-availability or disaster recovery configuration to significantly improve application availability and survivability in the event of a server, storage, network, or site failure. These deployment options are covered in detail in the High Availability Installation Guide for Cisco Security Manager 4.1.

Installation Guidelines

For detailed instructions on Security Manager installation, refer to the Installation Guide for Cisco Security Manager 4.1.

Installable Modules

The Security Manager server installation includes several components, some of which are optional. The Security Manager installer is responsible for installing the following components:

Common Services 3.3 (required)

Security Manager 4.1 Server (required)

AUS 4.1 (optional)

Security Manager 4.1 Client (optional if client will be installed on a dedicated client machine)

Some components are installed using their own installers. The standalone installers are the following:

The Security Manager client installer, which is also available as a standalone installer for the client. The most common way to access this installer is to log in to the server using a web browser (https://server_hostname_or_ip) and click on the client installer.

The RME installer, which is responsible for installing RME. This installer requires that you have already installed Common Services 3.3 using the Security Manager installer. The RME installation package in the Security Manager 4.1 bundle must be used instead of the stand-alone download.

The Performance Monitor installer, a separate installation module that installs Performance Monitor on Common Services. This installer requires that you have already installed Common Services 3.3 using the Security Manager installer. Detailed use of the Security Manager installer, RME installer, and Performance Monitor installer is covered in the Installation Guide for Cisco Security Manager 4.1.

IP address, Hostname and DNS name

Cisco Security Manager requires a static IP address rather than a DHCP-assigned address. The IP address of the Security Manager server can be changed, but doing so requires a system reboot. If a DNS server is configured in the Security Manager server's TCP/IP settings, make sure the hostname and DNS name of the Security Manager server are identical and resolvable by the configured DNS servers. Before installing Security Manager, choose a permanent DNS name and computer hostname for the server, since the hostname and DNS name should not be modified after installation. Changing the hostname of the Security Manager server after installation might require re-installing the product.

Client Deployment

The normal and recommended practice is to install and run the Security Manager client on a separate client machine. Security Manager only supports installing a single version of the client on a given machine, so you cannot, for example, have the client for both Security Manager 3.3 and 4.1 on the same machine. You can install and use the client on the server; however, this practice is suitable only for a small size network and is not recommended for the larger enterprise networks.

As mentioned in the Factors which Affect Application Performance section, it may be necessary to deploy the client on a terminal server located near the server to maintain acceptable performance when end users are located a large distance from the server, which introduces significant latency (for example, intercontinental distances).

Security Manager Server Tuning

Security Manager includes several advanced parameters that you can modify to tune application performance. For medium and large deployments managing 50 devices or more, you can modify the following parameters in Security Manager for optimal performance:

Windows Operating System's Swap-File size

Virtual memory (the paging file) should be 1.5 x installed memory. This is a recommendation from Microsoft for Windows platforms. It is not a Cisco requirement. Memory paging is necessitated only if the installed RAM on the system is insufficient to handle the load.


Caution You must deselect (clear) the checkbox "Automatically manage paging file size for all drives" in Windows Server 2008. The navigation path to this checkbox is Computer > Properties > Advanced System Settings > Performance > Settings > Advanced > Virtual Memory > Change.
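The paging-file recommendation above can be checked from PowerShell before you change anything. The following script is an added example, not part of the Cisco guide: it reads installed RAM and the configured paging files through WMI (Win32_ComputerSystem and Win32_PageFileSetting), compares the combined maximum against 1.5 x RAM, and reports whether the "Automatically manage paging file size" setting is still on. It is read-only and assumes an elevated PowerShell prompt on the Security Manager server.

```powershell
# Added example (not from the Cisco guide): check the Windows paging file
# against the 1.5 x installed RAM recommendation and report whether Windows
# is still managing the paging file automatically. Read-only; run elevated.

$cs       = Get-WmiObject -Class Win32_ComputerSystem
$ramMB    = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$targetMB = [math]::Round($ramMB * 1.5)

Write-Host ("Installed RAM      : {0} MB" -f $ramMB)
Write-Host ("Target paging file : {0} MB (1.5 x RAM)" -f $targetMB)

# AutomaticManagedPagefile is True while the checkbox in the Caution above is
# still selected; the guide says to clear it before sizing the file by hand.
if ($cs.AutomaticManagedPagefile) {
    Write-Warning "Windows is automatically managing the paging file size."
    Write-Warning "Clear 'Automatically manage paging file size for all drives' first."
}

# Win32_PageFileSetting lists each configured paging file; sizes are in MB.
# With automatic management on, it may return no entries or zero sizes.
$settings = @(Get-WmiObject -Class Win32_PageFileSetting)
if ($settings.Count -eq 0) {
    Write-Warning "No explicitly configured paging file was found."
} else {
    $totalMax = 0
    foreach ($pf in $settings) {
        Write-Host ("{0}: initial {1} MB, maximum {2} MB" -f $pf.Name, $pf.InitialSize, $pf.MaximumSize)
        $totalMax += $pf.MaximumSize
    }
    if ($totalMax -lt $targetMB) {
        Write-Warning ("Combined maximum paging size {0} MB is below the {1} MB target." -f $totalMax, $targetMB)
    } else {
        Write-Host "Paging file size meets the 1.5 x RAM recommendation."
    }
}

# Current usage gives a hint whether paging is actually happening under load;
# the guide notes paging is only needed when installed RAM is insufficient.
Get-WmiObject -Class Win32_PageFileUsage | ForEach-Object {
    Write-Host ("{0}: allocated {1} MB, in use {2} MB, peak {3} MB" -f `
        $_.Name, $_.AllocatedBaseSize, $_.CurrentUsage, $_.PeakUsage)
}
```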

Sybase database registry parameters

For a medium or large deployment, the following parameters should be tuned to provide optimal performance and scalability.


Step 1 On the Security Manager server, locate the file <NMSROOT>\databases\vms\orig\odbc.tmpl and modify the following parameters with a text editor:

a. In the parameter "___Switches", there should be "-gb high" [then Enter]

b. Shut down CSM using "net stop crmdmgtd" and wait until Security Manager is fully shut down before proceeding to the next step

Figure 1 Editing odbc.tmpl parameters

Step 2 This step consists of two sub-steps:

a. Re-register the database parameters in the Windows registry using a perl utility available in <NMSROOT>\objects\db\conf. Here is an example of the command and its syntax:

"perl configureDb.pl action=reg dsn=vms dmprefix=vms"

Figure 2 Re-registering Database Parameters

b. To verify that the above parameters are registered properly, check the Windows Registry setting under:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsDbEngine\Parameters, where there should be a "-gb high -c 512M" entry:

Figure 3 Verifying Registration of Database Parameters

Step 3 Start Security Manager using "net start crmdmgtd" from a Command Prompt and wait until Security Manager is fully functional.
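The procedure above, scripted in PowerShell as an added example that is not part of the Cisco guide: it confirms that the odbc.tmpl edit from Step 1a is in place, then performs Steps 1b through 3 and checks the registry key between the re-registration and the restart, stopping with an error if any step does not take effect. Assumptions: $nmsRoot is a placeholder for <NMSROOT>, perl is on PATH, and the script runs from an elevated prompt; since the guide names the registry key but not the value, every value under the key is scanned for "-gb high".

```powershell
# Added example (not from the Cisco guide): run Steps 1b to 3 of the Sybase
# tuning procedure with a check after each one. Step 1a (editing ___Switches
# in odbc.tmpl) is done by hand beforehand; this script only verifies it.

$nmsRoot = 'C:\Program Files\CSCOpx'   # placeholder for <NMSROOT>; adjust
$tmpl    = Join-Path $nmsRoot 'databases\vms\orig\odbc.tmpl'
$confDir = Join-Path $nmsRoot 'objects\db\conf'
$regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\vmsDbEngine\Parameters'
$service = 'crmdmgtd'
$wait    = [TimeSpan]::FromMinutes(15)

# Step 1a check: the ___Switches line in the template must carry "-gb high".
$line = Select-String -Path $tmpl -Pattern '___Switches' | Select-Object -First 1
if (-not $line -or $line.Line -notmatch '-gb high') {
    throw "Edit the ___Switches parameter in $tmpl to include '-gb high' before running this."
}

# Step 1b: stop Security Manager (equivalent to "net stop crmdmgtd") and wait
# until the daemon manager has fully stopped.
Stop-Service -Name $service -Force
(Get-Service -Name $service).WaitForStatus('Stopped', $wait)
Write-Host "Security Manager stopped."

# Step 2a: re-register the database parameters with the bundled perl utility,
# exactly as the guide's command line does.
Push-Location $confDir
try {
    & perl configureDb.pl action=reg dsn=vms dmprefix=vms
    if ($LASTEXITCODE -ne 0) { throw "configureDb.pl failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

# Step 2b: verify the registry. The guide expects an entry of "-gb high -c 512M"
# under the Parameters key; the value name is not given, so scan all values.
$params  = Get-ItemProperty -Path $regKey
$matched = @($params.PSObject.Properties | Where-Object { "$($_.Value)" -match '-gb high' })
if ($matched.Count -eq 0) {
    throw "No value under $regKey contains '-gb high'; re-registration did not take effect."
}
$matched | ForEach-Object { Write-Host ("Registered: {0} = {1}" -f $_.Name, $_.Value) }

# Step 3: start Security Manager again (equivalent to "net start crmdmgtd").
Start-Service -Name $service
(Get-Service -Name $service).WaitForStatus('Running', $wait)
Write-Host "Service $service is running; allow the daemons time to become fully functional."
```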

Understanding Security Manager Licensing

It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage.

For important licensing information, refer to the following documents:

Installation Guide for Cisco Security Manager 4.1

the product bulletin for the most recent major release of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html

Licensing Examples

This section provides some representative licensing examples to help better understand Security Manager licensing.

Example 1

Description of Managed Network: 15 Cisco Integrated Services Routers.

Required Licensing: An Enterprise Standard - 25 Device license is required. Since there are no Catalyst 6500 services modules involved and there are fewer than 50 devices, order the Standard-25 license.

Example 2

Description of Managed Network: 5 IDSM-2 modules, where each module has two virtual sensors.

Required Licensing: An Enterprise Standard - 10 Device license is required (10 virtual sensors split between five modules). Although Standard-25 might appear to be sufficient, because a Catalyst 6500 services module is involved, a Pro-50 license is the minimum required if you need to use Security Manager to manage the Catalyst 6500 switch.

Example 3

Description of Managed Network: 250 pairs of ASAs (500 devices) operating in single and failover mode.

Required Licensing: An Enterprise Professional - 50 Device license plus two Enterprise Incremental - 100 Device licenses are required. When you need to manage additional devices, you can order incremental device licenses in increments of 50, 100 or 250 devices.

Example 4

Description of Managed Network: You have a Security Manager Standard Edition - 25 Device license, but now you need to manage 20 additional ASA devices operating in single mode.

Required Licensing: An Enterprise Standard 25 to Professional 50 Upgrade license is required.

Example 5

Description of Managed Network: 10 pairs of failover ASA devices (20 devices) deployed in a combination of active/standby and active/active pairs, each with 5 security contexts.

Required Licensing: Enterprise Professional - 50 Device and Enterprise Professional Incremental - 50 Device licenses are required.

When deploying a pair of failover devices for redundancy, you only need to add the active devices and contexts to Security Manager. As such, the number of required device licenses is 10 devices x 5 contexts + 10 chassis, for a total of 60 device licenses.


Note For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for the most recent major release of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.



Note In all the above examples you should consider ordering the corresponding Cisco Service Application Support (SAS) to obtain access to Cisco Technical Assistance Center (TAC) and application minor release updates at no charge.