
Cisco Security Manager

Deployment Planning Guide for Cisco Security Manager 3.3


Table Of Contents

Deployment Planning Guide for Cisco Security Manager 3.3

Introduction

Cisco Security Manager 3.3 Applications

Related Applications

Installers

Understanding Security Manager Licensing

Licensing Overview

Unmanaged Devices

Active and Standby Servers

Licensing for RME and Performance Monitor

Licensing Examples

Factors which Affect Application Performance

Effect of Number of Processors/Cores on Performance

Effect of Memory Size on Performance

Deployment Scenarios

Single Server

Multiple Servers

High-Availability/Disaster Recovery

VMware Deployments

Client Deployment

Reference Networks

Small Enterprise Reference Network

Medium Enterprise Reference Network

Large Enterprise Reference Network

Number of Simultaneous Users

Server and Client Hardware Recommendations

Server Sizing

Client Sizing

Security Manager Tuning


Deployment Planning Guide for Cisco Security Manager 3.3


Revised: September 30, 2009, OL-20258-01

Introduction

This document provides guidance on planning a deployment of Cisco Security Manager 3.3.x. It includes these topics: recommended server and client sizing based on reference networks, deployment options for the set of applications included with Security Manager, licensing, advanced Security Manager tuning options, and case studies.

This document complements other Security Manager user documentation such as the User Guide for Cisco Security Manager 3.3 and the Installation Guide for Cisco Security Manager 3.3.

Cisco Security Manager 3.3 Applications

Cisco Security Manager 3.3 includes the following applications:

Common Services 3.2

Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to applications that include:

SSL libraries

An embedded SQL database

The Apache web server

The Tomcat servlet engine

The CiscoWorks home page

Backup and restore functions

Common Services is required for all the applications included with Security Manager listed below.

For more information about Common Services, refer to the documentation located at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/tsd_products_support_series_home.html.

Cisco Security Manager 3.3

Cisco Security Manager is an enterprise-class management application designed to configure firewall, VPN, and intrusion prevention system (IPS) security services on Cisco network and security devices. Security Manager uses a rich-client graphical user interface and requires Common Services 3.2.

For more information about Security Manager, refer to the documentation located at http://www.cisco.com/go/csmanager.

Auto Update Server 3.3

AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition:

Supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.

Cisco IOS routers that use dynamic IP addresses can use AUS in combination with the CNS Gateway protocol to retrieve device IP addresses.

AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls. AUS uses a browser-based, graphical user interface and requires Common Services 3.2.

For more information about AUS, refer to the documentation located at http://www.cisco.com/go/csmanager.

Resource Manager Essentials 4.2

To support life cycle management, RME provides device inventory management, change auditing, configuration file and software image management, and syslog analysis. RME uses a browser-based graphical user interface. RME is also included with the CiscoWorks LAN Management Solution (LMS). The CiscoWorks LAN Management Solution Deployment Guide 3.0 contains useful deployment information about RME, although be aware that some of that information does not apply to the RME bundled with Security Manager.

For more information about RME, refer to the documentation located at http://www.cisco.com/en/US/products/sw/cscowork/ps2073/tsd_products_support_series_home.html.

Performance Monitor 3.3

Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor supports the ability to proactively detect network performance issues before they become critical; helps identify portions of the network which are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPNs, site-to-site VPNs, firewall, web server load-balancing, and SSL termination. Performance Monitor uses a browser-based, graphical user interface and requires Common Services 3.2.

For more information about Performance Monitor, refer to the documentation located at http://www.cisco.com/go/csmanager.

Related Applications

Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:

Cisco Security Monitoring, Analysis and Response System (MARS) — Security Manager supports policy-to-event cross-linkages with MARS for firewall and IPS. Using the Security Manager client you highlight specific firewall rules or IPS signatures and request to see the events related to those rules or signatures, respectively. Using the MARS interface you can select firewall or IPS events and request to see the matching rule or signature in Security Manager. These policy-to-event cross-linkages are especially useful for network connectivity troubleshooting, identifying unused rules, and signature tuning. The policy-to-event cross-linkage feature is explained in detail in the User Guide for Cisco Security Manager 3.3. For more information about MARS, visit http://www.cisco.com/go/mars.

Cisco Secure Access Control Server (ACS) — You can optionally configure Security Manager to use ACS for authentication and authorization of Security Manager users. ACS supports defining custom user profiles for fine-grained role based authorization control and ability to restrict users to specific sets of devices. For details on configuring Security Manager and ACS integration refer to the Installation Guide for Cisco Security Manager 3.3. For more information about ACS you can visit http://www.cisco.com/go/acs.

Cisco CNS Configuration Engine — Security Manager supports the use of Cisco Configuration Engine 3.0 as a mechanism for deploying device configurations. Security Manager deploys the delta configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices such as Cisco IOS routers, PIX Firewalls, and ASAs that obtain their addresses from a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. Security Manager also supports managing devices that have a static IP address through the CNS Configuration Engine; in that case discovery is performed live against the device, while deployments to the device still go through the CNS Configuration Engine. For more information about the Configuration Engine, visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html.

Installers

Security Manager includes four different installers:

The Security Manager installer which is responsible for installing the following:

Common Services 3.2

Cisco Security Agent 5.2.0.272

Security Manager 3.3 Server (optional)

AUS 3.3 (optional)

Security Manager 3.3 Client (optional)—for installing the client on the server

The Security Manager client installer, which is also available as a standalone installer for the client. The most common way to access this installer is to log in to the server using a web browser and click on the client installer. The client installer executable can also be found on the server at $NMSROOT\MDC\tomcat\vms\desktop\CSMClientSetup.exe or on the product DVD under csm3_3_win_client\CSMClientSetup.exe.

The RME installer, which is responsible for installing RME. This installer requires that you have already installed Common Services 3.2 using the Security Manager installer.

Performance Monitor installer, which is responsible for installing Performance Monitor. This installer requires that you have already installed Common Services 3.2 using the Security Manager installer.

Detailed use of the Security Manager installer and RME installer is included in the Installation Guide for Cisco Security Manager 3.3, while use of the Performance Monitor installer is covered in the Installation and Release Notes for Cisco Performance Monitor 3.3.

Understanding Security Manager Licensing

It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage. This section provides an overview of Security Manager licensing and some specific license examples.

Licensing Overview

There are three base versions of Cisco Security Manager Enterprise Edition:

Standard-5

Standard-25

Professional-50

The versions provide management for 5, 25, and 50 devices, respectively.

The Professional version supports incremental device license packages available in increments of 50, 100, 500, and 1000 devices. The Professional version also includes support for the management of Cisco Catalyst® 6500 Series switches and associated services modules; the Standard versions do not include this support.

Security Manager consumes a device license for the following:

Each added physical device

Each added Cisco Catalyst 6500 Series services module

Each security context

Each virtual sensor

Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIM) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) do consume a license.

In the case of a Firewall Services Module (FWSM), the module itself consumes a license and then consumes an additional license for each security context. For example, an FWSM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it, too, will consume a license.

Unmanaged Devices

In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager under Device Properties. An unmanaged device does not consume a license.

Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object to add different types of objects on the map such as Clouds, Firewalls, Host, Network, and Router. These objects do not appear in the device inventory and do not consume a device license.

Active and Standby Servers

The license allows the use of the software on a single server. A standby Cisco Security Manager server, such as used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time.

Licensing for RME and Performance Monitor

Cisco Security Manager also includes a separate license file for RME and Performance Monitor. You are entitled to use these applications for the same number of devices you have purchased for Cisco Security Manager. When you order a Security Manager base product you receive a second Product Authorization Key (PAK) for the RME and Performance Monitor license.

Licensing Examples

This section provides some representative licensing examples to help better understand Security Manager licensing.

Example 1

Description of Managed Network: 15 Cisco Integrated Services Routers.

Required Licensing: Fifteen device licenses are required. Since there are no Catalyst 6500 services modules involved and there are fewer than 50 devices, order Standard-25 (CSMST25-3.3-K9).

Example 2

Description of Managed Network: 5 IDSM-2 modules, where each module has two virtual sensors.

Required Licensing: Ten licenses are required (two per module across five modules). Although Standard-25 might appear to be sufficient, because a Catalyst 6500 services module is involved, Pro-50 (CSMPR50-3.3-K9) is the minimum required.

Example 3

Description of Managed Network: 350 ASAs operating in single-mode.

Required Licensing: 350 device licenses are required. You can order exactly 350 licenses by ordering Pro-50 (CSMPR50-3.3-K9) and 3 Inc-100s (CSMPR-LIC-100). However, it is less expensive to order Pro-50 and 1 Inc-500 (CSMPR-LIC-500), because the larger the incremental the lower the average cost per device license. Therefore, in some cases it is less expensive to order more licenses than actually required.

Example 4

Description of Managed Network: You have Security Manager Standard Edition - 5 device, but now you need to manage 20 ASAs operating in single-mode.

Required Licensing: Order CSMST25-3.3-K9 and optionally CON-SAS-CSM33SM for SAS coverage. There is no upgrade part number from Standard Edition - 5 device; however, you do not lose your original investment in the Standard Edition - 5 device, because you can combine the Standard 5 license with the Standard 25 license for a net result of Standard Edition - 30 device.

Example 5

Description of Managed Network: 20 ASAs deployed in a combination of active/standby and active/active pairs each with 5 security contexts.

Required Licensing: When deploying a pair of devices for redundancy, you only need to add the active device or context into Security Manager. As such the number of required device licenses is 10 devices x (5 contexts plus 1 chassis each) for a total of 60 licenses. Order Pro-50 and one Inc-50.


Note In all the above examples you should consider ordering the corresponding Cisco Service Application Support (SAS) to obtain access to Cisco Technical Assistance Center (TAC) and application minor release updates at no charge.
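The counting rules above (one license per managed device, chassis or services module; one more per security context; one per virtual sensor after the first; nothing for an unmanaged device, for a hosted IPS module, or for the standby member of a redundant pair) are easy to get wrong by hand on a mixed inventory. The following calculator is an added example written for this guide, not Cisco code. The Device record, its kind names, and the "fewest packs" rule for choosing incremental licenses are this example's own assumptions; the guide gives no price list, so the increment choice is a heuristic, not a Cisco ordering rule. The rules are checked against Examples 1, 2, 3 and 5 above.

```python
"""License calculator for the Cisco Security Manager 3.3 counting rules.

Added example (not Cisco code). Encodes the rules stated in the licensing
section: each managed device, Catalyst 6500 chassis and 6500 services module
costs one license; each security context costs one more (so an FWSM or ASA
with N contexts costs 1 + N); an IPS module hosted in another device (AIP-SSM,
IDS NM, IPS AIM) costs nothing itself; on any IPS platform only virtual
sensors after the first cost a license; unmanaged devices and the standby
member of a redundant pair cost nothing.
"""
from dataclasses import dataclass
from itertools import product
from math import ceil
from typing import List, Tuple


@dataclass
class Device:
    """Hypothetical inventory record used by this example."""
    name: str
    kind: str                  # appliance | router | sensor | ips_module | services_module | catalyst6500
    managed: bool = True       # False: "Manage in Cisco Security Manager" deselected
    contexts: int = 0          # security contexts in multiple-context mode; 0 = single mode
    virtual_sensors: int = 1   # IPS platforms only
    standby: bool = False      # standby member of an active/standby pair (not added)


HOSTED_IPS_MODULES = {"ips_module"}                 # AIP-SSM, IDS NM, IPS AIM
PRO_ONLY_KINDS = {"services_module", "catalyst6500"}  # need the Professional edition

BASE_EDITIONS = (("Standard-5", 5), ("Standard-25", 25), ("Professional-50", 50))
INCREMENT_PACKS = (50, 100, 500, 1000)              # Professional increment sizes


def licenses_for(dev: Device) -> int:
    """Licenses consumed by one inventory entry."""
    if not dev.managed or dev.standby:
        return 0
    count = 0 if dev.kind in HOSTED_IPS_MODULES else 1   # the device/module/chassis itself
    count += dev.contexts                                 # every context, admin context included
    count += max(0, dev.virtual_sensors - 1)              # virtual sensors after the first
    return count


def total_licenses(devices: List[Device]) -> int:
    return sum(licenses_for(d) for d in devices)


def needs_professional(devices: List[Device]) -> bool:
    """Catalyst 6500 chassis and services modules are Professional-only."""
    return any(d.managed and d.kind in PRO_ONLY_KINDS for d in devices)


def increments_for(shortfall: int) -> Tuple[int, ...]:
    """Increment packs covering `shortfall`: fewest packs, then least surplus.

    Heuristic for this example only; the guide notes larger packs have a lower
    per-device cost but gives no prices.
    """
    if shortfall <= 0:
        return ()
    best = None
    ranges = [range(ceil(shortfall / p) + 1) for p in INCREMENT_PACKS]
    for counts in product(*ranges):
        capacity = sum(c * p for c, p in zip(counts, INCREMENT_PACKS))
        if capacity < shortfall:
            continue
        key = (sum(counts), capacity)
        if best is None or key < best[0]:
            best = (key, counts)
    packs: List[int] = []
    for c, p in zip(best[1], INCREMENT_PACKS):
        packs.extend([p] * c)
    return tuple(sorted(packs, reverse=True))


def plan(devices: List[Device]) -> Tuple[int, str, Tuple[int, ...]]:
    """Return (licenses required, base edition, increment packs to add)."""
    required = total_licenses(devices)
    if needs_professional(devices):
        base = "Professional-50"
    else:
        base = next((name for name, cap in BASE_EDITIONS if cap >= required),
                    "Professional-50")
    capacity = dict(BASE_EDITIONS)[base]
    return required, base, increments_for(required - capacity)


if __name__ == "__main__":
    # Example 5 from the guide: 20 ASAs in redundant pairs, 5 contexts each.
    asas = [Device(f"asa{i}", "appliance", contexts=5, standby=(i % 2 == 1))
            for i in range(20)]
    print(plan(asas))   # (60, 'Professional-50', (50,))
```

Adding a device type means deciding which of the three rules applies to it (device itself, contexts, virtual sensors); the fields of Device are the only inputs, so the count is reproducible from the inventory alone.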


Factors which Affect Application Performance

There are many factors that affect application performance. These include, but are not limited to the following:

Server and client hardware (for example, processor, memory, and storage technology)

Number of managed devices, including the type of the devices, and the complexity of the device configurations (such as large number of ACLs)

Number and complexity of policy objects

Number of simultaneous users and the specific activities the users are performing

Network bandwidth and latency, such as between Security Manager clients and the server and between the server and the managed devices

Use of virtualization technology such as VMware

Security Manager version, due to the addition of new features which can affect performance as well as the introduction of performance enhancements

Use of ACS server for AAA services

Number of devices present in a deployment job

Large geographic distances between a Security Manager client and server result in poor client responsiveness because of the latency introduced. For example, using a client in India with a server located in California is not recommended because of the large latency involved. In such cases, we recommend a remote desktop or terminal server arrangement in which the running clients are co-located in the same datacenter as the server, or at least nearby.

Effect of Number of Processors/Cores on Performance

Performance improvements with Security Manager have been observed when going from a single processor/core to a dual/quad processor/core server.

Effect of Memory Size on Performance

Performance improvements with Security Manager have been observed with servers having 4 GB or more RAM installed on the system. See Table 1 for additional hardware sizing recommendations.

Deployment Scenarios

There are various deployment scenarios possible for Security Manager applications. When deciding on a deployment scenario you should consider the following items:

Which specific applications included with Security Manager do you need to deploy?

How many devices will each application manage?

If one of the applications you are using is approaching its scale limits (Table 5), it is a good idea to dedicate a server to that application. For obvious reasons of resource allocation and task distribution, it is best not to have other applications using valuable CPU and memory resources if you are trying to manage a large number of devices.

How many users will use these applications?

Active user sessions also place a load on the server and should be factored in when deciding on the deployment configuration. For example, an application may not have reached its limit due to the number of devices, but could be nearing maximum load due to simultaneous user sessions, which may warrant dedicating a server to the application.

Do you require the application to be highly available or survivable in the event of a site disaster or outage?

If you reach the scale limits of a specific application installed on a dedicated server, you need to consider deploying multiple instances of the application on different servers. Each running instance of the application needs to be separately purchased and licensed.

Single Server

A single server is the simplest deployment scenario, where you install all Security Manager applications of interest on the same server. For small-scale security environments with one or two network security administrators, a single-server deployment is usually adequate.

Multiple Servers

For performance reasons you may choose to deploy the Security Manager applications of interest across multiple servers. One possible distribution of the applications is as follows:

Server A (Configuration/Inventory)

Common Services

Security Manager

RME

Server B (Monitoring)

Common Services

Performance Monitor

Server C (Autoupdate)

Common Services

AUS

Server A is dedicated to the configuration and inventory management applications, namely Security Manager and RME. Server B is dedicated to monitoring. Monitoring tends to place a continuous and potentially heavy load on a server, so there are advantages to using a dedicated set of resources for it. Server C is dedicated to AUS. Since AUS is intended to manage remote firewalls, it can be resource intensive when many remote devices contact AUS for configuration, OS, or DM updates. Also, AUS should normally be placed in the DMZ of the network, and that placement alone can justify dedicating a server to AUS.

For situations where you are reaching the scale limits of either Security Manager or RME, you may also need to split these applications onto dedicated servers. For example, RME also includes a syslog analyzer that can be performance intensive depending on the rate of syslog messages directed at the server. If you intend to use the RME syslog analyzer function you may want to dedicate a server to RME.

High-Availability/Disaster Recovery

You can deploy Security Manager in a high-availability or disaster recovery configuration to significantly improve application availability and survivability in the event of a server, storage, network, or site failure. These deployment options are covered in detail in the High Availability Installation Guide for Cisco Security Manager 3.3.

VMware Deployments

Security Manager supports running in VMware ESX Server 3.5 beginning with Security Manager 3.2.1. Other VMware environments such as VMware Server and VMware Workstation are not supported. You can use any server operating system supported by Security Manager as guest operating system for VMware.

The VMware qualification effort involved running the same set of performance and durability tests that are performed on Security Manager running on a regular non-virtualized server. Test results have shown that running Security Manager in VMware ESX Server 3.5 introduces a modest amount of application performance degradation, which varies with the size of the reference network involved and the specific test case. In a few test cases the performance actually improved, but this was the exception rather than the rule. One area where the performance degradation was unusually large was deployment to a PIX or ASA device with a large number of rules (on the order of 5,000 to 50,000 rules). In this case the deployment took roughly twice as long.

You should allocate 4 GB of memory to the virtual machine you use with Security Manager for all reference network sizes. In general you should follow the best practices documented in the VMware document: Performance Tuning Best Practices for ESX Server 3. However, you should avoid tuning any of the advanced VMware parameters, as the default values or settings are generally optimum.

It is also recommended to use one of the later generation servers with a processor that includes technology specifically designed to improve the efficiency of virtualization. For example, good results were obtained when testing Security Manager running in VMware ESX Server 3.5 on an Intel® Xeon® X5500 series Quad-core processor, which includes Intel® Virtualization Technology (IVT). AMD offers 64-bit x86 architecture processors with virtualization extensions, which they refer to as AMD Virtualization (AMD-V).

Client Deployment

The normal and recommended practice is to install and run the Security Manager client on a separate client machine. Security Manager only supports installing a single version of the client on a given machine, so you cannot, for example, have the client for both Security Manager 3.2 and 3.3 on the same machine. You can install and use the client on the server; however, this practice is suitable only for an SE size network and is not recommended for the larger ME or LE size networks.

As mentioned in Factors which Affect Application Performance, it may be necessary to deploy the client on a terminal server located near to the server to maintain acceptable performance, in the event that end users are located a large distance from the server which introduces significant latency (for example, intercontinental distances).

Reference Networks

Application performance and server and client sizing recommendations are affected by the size and composition of the network under management. Application performance was characterized for three different reference network configurations: Small Enterprise (SE), Medium Enterprise (ME), and Large Enterprise (LE) and a corresponding server and client specification. The characteristics of the three reference networks are defined below.

These reference networks consist of a mixture of dedicated firewall devices (for example, PIX, FWSM), dedicated IPS devices (for example, IPS 4200 Series), and multi-service (firewall, VPN, and IPS) routers. You should understand the following when you compare these reference networks to the makeup of your own network.

In general you can equate like types of devices. For example, if the reference network refers to a PIX 535, this is comparable to similar devices such as other PIX models or the ASA 5500 Series with a similar number of rules defined. Likewise an IPS 4250 Sensor is comparable to similar IPS devices such as the AIP-SSM or IPS AIM. Finally a Cisco 2801 router is comparable to other IOS-based routers.

In general you cannot trade devices between categories, that is, add devices to one category (for example, firewall appliances) in exchange for using fewer devices of another category (for example, IPS appliances). So, for example, even if you do not use IPS devices, adding PIX devices beyond the specified number increases the load on the server beyond what has been tested for that particular reference network.

In general Security Manager does not have any fixed scalability limitations. For example, Security Manager does not impose any fixed limit on the number of devices you can add of any type (assuming you have sufficient licenses) or on the number of policy objects of a given type. However, exceeding the limits identified in these reference networks would place you in an untested, uncharacterized situation.

Small Enterprise Reference Network

The Small Enterprise Reference Network has the following makeup:

10 PIX 535s

200 ACEs in each PIX Firewall rule table

50 Cisco 2801s

20 ACEs in each router rule table

IOS IPS Enabled

10 IPS 4250 Sensors

4 virtual sensors per device (10 total virtual sensors)

Full Mesh VPN

Technology: Regular IPsec VPN

Size: 3 routers

4,500 access-list rules

100 user-defined network objects, where each object contains a single IP entry. 50 of the network objects are referenced by an access-list rule.

25 user-defined service objects, where each object contains one service port and all 25 service-objects are referenced by an access-list rule.

The Small Enterprise (SE) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 55 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.

Disclaimer: The above numbers are for inventory sizing only.

Medium Enterprise Reference Network

The Medium Enterprise Reference Network has the following makeup:

21 PIX 535s

500 ACEs in each PIX Firewall's rule table

2 FWSMs

20 ACEs in each FWSM's rule table

100 Cisco 2801

50 ACEs in each router's rule table

IOS IPS Enabled

15 IPS 4250 Sensors

4 virtual sensors per device (60 total virtual sensors)

Hub and Spoke VPN

Technology: Regular IPsec VPN

Size: 1 hub, 20 spokes

44,000 access-list rules

650 user-defined network objects, where each object contains a single IP entry. 150 of the network objects are referenced by an access-list rule.

75 user-defined service objects, where each object contains one service port and all 75 service-objects are referenced by an access-list rule.

The Medium Enterprise (ME) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 65 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.

Disclaimer: The above numbers are for inventory sizing only.

Large Enterprise Reference Network

The Large Enterprise Reference Network has the following makeup:

1000 PIX 535s

2,000 ACEs in each PIX Firewall's rule table

48 FWSMs

50,000 ACEs in each FWSM's rule table

5100 Cisco 2801

300 ACEs in each router rule table

IOS IPS Enabled on 1000 routers

250 IPS 4250 Sensors

4 virtual sensors per device (1,000 total virtual sensors)

Layered VPN

Technology: Regular IPsec VPN

Full Mesh: Four hubs are in full mesh

Hub and Spoke #1: 1 hub and 1250 spokes

Hub and Spoke #2: 1 hub and 1250 spokes

Hub and Spoke #3: 1 hub and 1250 spokes

Hub and Spoke #4: 1 hub and 1250 spokes

3,000,000 access-list rules total

400,000 access-list rules on a single device

5000 user-defined network objects, where each object contains a single IP entry. 50 of the network objects are referenced by an access-list rule.

500 user-defined service objects, where each object contains one service port and all 25 service-objects are referenced by an access-list rule.

The Large Enterprise (LE) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 800 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.

Disclaimer: The above numbers are for inventory sizing only.


Note It is recommended to enable PAE (Physical Address Extension) mode if your system has more than 4 GB of main memory. This affects only 32-bit operating systems. Please refer to Microsoft article http://www.microsoft.com/whdc/system/platform/server/PAE/PAEdrv.mspx for more information on this.


Number of Simultaneous Users

Security Manager supports multiple concurrent user sessions and has been specifically tested for 15 simultaneous users where:

5 users perform Read-Only actions: view activities/policies/jobs

5 users perform Read-Write actions: create activities, modify policies, and submit activities

5 users commit jobs and deploy actions

Server and Client Hardware Recommendations

This section provides recommendations for the server and client hardware sizing based on the three reference network configurations.

Server Sizing

Table 1 provides basic recommendations on server sizing for Security Manager 3.3 based on the reference networks.

Table 1 Server Sizing based on Reference Network

                     Small Enterprise (SE)          Medium Enterprise (ME)         Large Enterprise (LE)

CPU                  One CPU @ 2.x GHz              Two CPUs/cores @ 3.x GHz       Four CPUs/cores @ 3.x GHz

Memory               2 GB                           4 GB                           8 GB

Free Disk Space      20 GB                          30 GB                          40 GB

Network Interface    100BaseT (100 Mbps) or faster  100BaseT (100 Mbps) or faster  100BaseT (100 Mbps) or faster

Media Drive          DVD                            DVD                            DVD



Note The requirements for free disk space are for Cisco Security Manager only and do not consider the disk space requirements for backup and/or other applications like RME.


Security Manager has only been performance characterized on servers with up to dual processors/quad cores. While adequate performance can be obtained using the server specifications noted in Table 1 for the Small Enterprise and Medium Enterprise reference networks, test results show you can obtain improved performance by using the Large Enterprise server specification also for the Small Enterprise and Medium Enterprise reference networks.

Client Sizing

Table 2 provides basic recommendations on client sizing for Security Manager based on the reference networks and assuming a single client running on the machine.

Table 2 Client Sizing Based on Reference Network

                     Small Enterprise (SE)          Medium Enterprise (ME)         Large Enterprise (LE)

CPU                  One CPU @ 2.x GHz              One CPU @ 2.x GHz              One CPU @ 2.x GHz

Memory               1 GB                           1 GB                           2 GB

Free Disk Space      10 GB                          10 GB                          10 GB

Network Interface    100BaseT (100 Mbps) or faster  100BaseT (100 Mbps) or faster  100BaseT (100 Mbps) or faster


Security Manager Tuning

Security Manager includes several advanced parameters that you can modify to tune the application performance. For more information, please contact Cisco TAC.