Deployment Planning Guide for Cisco Security Manager 3.3
Revised: September 30, 2009, OL-20258-01
This document provides guidance on planning a deployment of Cisco Security Manager 3.3.x. It includes these topics: recommended server and client sizing based on reference networks, deployment options for the set of applications included with Security Manager, licensing, advanced Security Manager tuning options, and case studies.
Cisco Security Manager 3.3 Applications
Cisco Security Manager 3.3 includes the following applications:
•Common Services 3.2
Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to applications that include:
–An embedded SQL database
–The Apache web server
–The Tomcat servlet engine
–The CiscoWorks home page
–Backup and restore functions
Common Services is required for all the applications included with Security Manager listed below.
For more information about Common Services, refer to the documentation located at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/tsd_products_support_series_home.html.
•Cisco Security Manager 3.3
Cisco Security Manager is an enterprise-class management application designed to configure firewall, VPN, and intrusion prevention system (IPS) security services on Cisco network and security devices. Security Manager uses a rich-client graphical user interface and requires Common Services 3.2.
For more information about Security Manager, refer to the documentation located at http://www.cisco.com/go/csmanager.
•Auto Update Server 3.3
AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition:
–Supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.
–Cisco IOS routers that use dynamic IP addresses can use AUS in combination with the CNS Gateway protocol to retrieve device IP addresses.
AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls. AUS uses a browser-based, graphical user interface and requires Common Services 3.2.
For more information about AUS, refer to the documentation located at http://www.cisco.com/go/csmanager.
•Resource Manager Essentials 4.2
To support life cycle management, RME provides device inventory management, change auditing, configuration file and software image management, and syslog analysis. RME uses a browser-based graphical user interface. RME is also included with the CiscoWorks LAN Management Solution (LMS). The CiscoWorks LAN Management Solution — Deployment Guide 3.0 contains useful deployment information about RME, although some of that information does not apply to RME bundled with Security Manager.
For more information about RME, refer to the documentation located at http://www.cisco.com/en/US/products/sw/cscowork/ps2073/tsd_products_support_series_home.html.
•Performance Monitor 3.3
Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor can proactively detect network performance issues before they become critical; helps identify portions of the network that are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPNs, site-to-site VPNs, firewalls, web server load balancing, and SSL termination. Performance Monitor uses a browser-based, graphical user interface and requires Common Services 3.2.
For more information about Performance Monitor, refer to the documentation located at http://www.cisco.com/go/csmanager.
Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:
•Cisco Security Monitoring Analysis and Response System (MARS) — Security Manager supports policy-to-event cross-linkages with MARS for firewall and IPS. Using the Security Manager client you highlight specific firewall rules or IPS signatures and request to see the events related to those rules or signatures, respectively. Using the MARS interface you can select firewall or IPS events and request to see the matching rule or signature in Security Manager. These policy-to-event cross-linkages are especially useful for network connectivity troubleshooting, identifying unused rules, and signature tuning activities. The policy-to-event cross-linkage feature is explained in detail in the User Guide for Cisco Security Manager 3.3. For more information about MARS you can visit http://www.cisco.com/go/mars.
•Cisco Secure Access Control Server (ACS) — You can optionally configure Security Manager to use ACS for authentication and authorization of Security Manager users. ACS supports defining custom user profiles for fine-grained role-based authorization control and the ability to restrict users to specific sets of devices. For details on configuring Security Manager and ACS integration, refer to the Installation Guide for Cisco Security Manager 3.3. For more information about ACS you can visit http://www.cisco.com/go/acs.
•Cisco CNS Configuration Engine — Security Manager supports the use of Cisco Configuration Engine 3.0 as a mechanism for deploying device configurations. Security Manager deploys the delta configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices, such as Cisco IOS routers, PIX Firewalls, and ASAs that use a Dynamic Host Configuration Protocol (DHCP) server, contact the Cisco Configuration Engine for configuration (and image) updates. Security Manager also supports management of devices that have a static IP address via the CNS Configuration Engine. In that case, discovery is performed live and deployments to the device are carried out via the CNS Configuration Engine. For more information about the Configuration Engine you can visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html.
Security Manager includes four different installers:
•The Security Manager installer, which installs the following:
–Common Services 3.2
–Cisco Security Agent 22.214.171.1242
–Security Manager 3.3 Server (optional)
–AUS 3.3 (optional)
–Security Manager 3.3 Client (optional)—for installing the client on the server
•The Security Manager client installer, which is also available as a standalone installer for the client. The most common way to access this installer is to log in to the server using a web browser and click on the client installer. The client installer executable can also be found on the server at $NMSROOT\MDC\tomcat\vms\desktop\CSMClientSetup.exe or on the product DVD under csm3_3_win_client\CSMClientSetup.exe.
•The RME installer, which is responsible for installing RME. This installer requires that you have already installed Common Services 3.2 using the Security Manager installer.
•Performance Monitor installer, which is responsible for installing Performance Monitor. This installer requires that you have already installed Common Services 3.2 using the Security Manager installer.
Detailed use of the Security Manager installer and RME installer is included in the Installation Guide for Cisco Security Manager 3.3, while use of the Performance Monitor installer is covered in the Installation and Release Notes for Cisco Performance Monitor 3.3.
Understanding Security Manager Licensing
It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage. This section provides an overview of Security Manager licensing and some specific license examples.
There are three base versions of Cisco Security Manager Enterprise Edition: Standard-5, Standard-25, and Professional-50 (Pro-50). The versions provide management for 5, 25, and 50 devices, respectively.
The Professional version supports incremental device license packages available in increments of 50, 100, 500, and 1000 devices. The Professional version also includes support for the management of Cisco Catalyst® 6500 Series switches and associated services modules; the Standard versions do not include this support.
Security Manager consumes a device license for the following:
•Each added physical device
•Each added Cisco Catalyst 6500 Series services module
•Each security context
•Each virtual sensor
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIM) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) do consume a license.
In the case of a Firewall Services Module (FWSM), the module itself consumes a license and then consumes an additional license for each additional security context. For example, an FWSM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it, too, will consume a license.
In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager under Device Properties. An unmanaged device does not consume a license.
Another class of unmanaged device is an object that is added to a topology map. You can use Map > Add Map Object to add different types of objects to the map, such as Clouds, Firewalls, Hosts, Networks, and Routers. These objects do not appear in the device inventory and do not consume a device license.
Active and Standby Servers
The license allows the use of the software on a single server. A standby Cisco Security Manager server, such as used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time.
Licensing for RME and Performance Monitor
Cisco Security Manager also includes a separate license file for RME and Performance Monitor. You are entitled to use these applications for the same number of devices you have purchased for Cisco Security Manager. When you order a Security Manager base product you receive a second Product Authorization Key (PAK) for the RME and Performance Monitor license.
This section provides some representative licensing examples to help you understand Security Manager licensing.
Description of Managed Network: 15 Cisco Integrated Services Routers.
Required Licensing: Fifteen device licenses are required. Since there are no Catalyst 6500 services modules involved and there are fewer than 50 devices, order Standard-25 (CSMST25-3.3-K9).
Description of Managed Network: 5 IDSM-2 modules, where each module has two virtual sensors.
Required Licensing: Ten licenses are required (10 virtual sensors split between five modules). Although Standard-25 might appear to be sufficient, because a Catalyst 6500 services module is involved, Pro-50 (CSMPR50-3.3-K9) as a minimum is required.
Description of Managed Network: 350 ASAs operating in single-mode.
Required Licensing: 350 device licenses are required. You can order exactly 350 licenses by ordering Pro-50 (CSMPR50-3.3-K9) and 3 Inc-100s (CSMPR-LIC-100). However, it is less expensive to order Pro-50 and 1 Inc-500 (CSMPR-LIC-500), because the larger the incremental package, the lower the average cost per device license. Therefore, in some cases it is less expensive to order more licenses than are actually required.
Description of Managed Network: You have Security Manager Standard Edition - 5 device, but now you need to manage 20 ASAs operating in single-mode.
Required Licensing: Order CSMST25-3.3-K9 and optionally CON-SAS-CSM33SM for SAS coverage. There is no upgrade part number from Standard Edition - 5 device; however, you do not lose your original investment in the Standard Edition - 5 device, because you can combine the Standard 5 license with the Standard 25 license for a net result of Standard Edition - 30 device.
Description of Managed Network: 20 ASAs deployed in a combination of active/standby and active/active pairs each with 5 security contexts.
Required Licensing: When deploying a pair of devices for redundancy, you only need to add the active device or context into Security Manager. As such, the number of required device licenses is 10 devices x (5 contexts plus 1 chassis each) for a total of 60 licenses. Order Pro-50 and one Inc-50.
Note In all the above examples you should consider ordering the corresponding Cisco Service Application Support (SAS) to obtain access to Cisco Technical Assistance Center (TAC) and application minor release updates at no charge.
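The license-consumption rules and the worked examples above can be checked with a small inventory model. The following Python is an added example, not Cisco's code or part of this guide; the Device fields, the kind constants, the edition strings, and the helper functions are assumptions introduced here purely to encode the rules the text states (one license per physical device, module or chassis, plus one per security context; one per virtual sensor on a dedicated sensor; nothing for an AIP-SSM, IDS NM or IPS AIM beyond its first virtual sensor; nothing for unmanaged devices or the standby unit of a redundant pair; Professional required whenever a Catalyst 6500 chassis or services module is managed).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inventory entry classes that the licensing rules distinguish (our own labels).
APPLIANCE = "appliance"              # PIX, ASA, IOS router, standalone IPS sensor
CHASSIS = "chassis"                  # a Catalyst 6500 chassis added to the inventory
SERVICES_MODULE = "services_module"  # FWSM, IDSM-2 and other Catalyst 6500 modules
EMBEDDED_IPS = "embedded_ips"        # AIP-SSM, IDS Network Module, IPS AIM in a host


@dataclass
class Device:
    """One inventory entry (hypothetical model; the field names are our own)."""
    name: str
    kind: str
    managed: bool = True               # False once "Manage in Cisco Security Manager" is deselected
    contexts: int = 0                  # security contexts on a multi-context firewall (0 = single mode)
    virtual_sensors: int = 0           # virtual sensors configured on an IPS device or module
    standby_of: Optional[str] = None   # name of the active peer when this is the standby unit


def licenses_for(dev: Device) -> int:
    """Device licenses consumed by one inventory entry."""
    if not dev.managed or dev.standby_of is not None:
        # Unmanaged devices consume nothing, and only the active unit of a
        # redundant pair is added to Security Manager at all.
        return 0
    if dev.kind == EMBEDDED_IPS:
        # The module itself is free; only virtual sensors beyond the first count.
        return max(0, dev.virtual_sensors - 1)
    if dev.virtual_sensors > 0:
        # Dedicated sensor or IDSM-2: one license per virtual sensor, the first
        # one covering the device itself (5 IDSM-2s x 2 sensors = 10 licenses).
        return dev.virtual_sensors
    # Physical device, services module or chassis: one license, plus one per
    # security context (an FWSM with two contexts = 3 licenses).
    return 1 + dev.contexts


def count_licenses(devices: List[Device]) -> int:
    return sum(licenses_for(d) for d in devices)


def needs_professional(devices: List[Device]) -> bool:
    """Catalyst 6500 chassis and services modules require the Professional version."""
    return any(d.managed and d.kind in (CHASSIS, SERVICES_MODULE) for d in devices)


def base_edition(devices: List[Device]) -> Tuple[str, int]:
    """Smallest base version that covers the inventory, plus the number of device
    licenses still to be bought as incremental packages (Professional only)."""
    total = count_licenses(devices)
    if needs_professional(devices) or total > 25:
        return "Pro-50", max(0, total - 50)
    if total > 5:
        return "Standard-25", 0
    return "Standard-5", 0


def redundant_pair(name: str, contexts: int = 0) -> List[Device]:
    """Active/standby ASA pair: the standby unit is listed but unlicensed."""
    return [Device(f"{name}-a", APPLIANCE, contexts=contexts),
            Device(f"{name}-b", APPLIANCE, contexts=contexts, standby_of=f"{name}-a")]


def example_networks() -> Dict[str, List[Device]]:
    """Constructed inventories mirroring the worked examples in the text."""
    return {
        "15 ISRs": [Device(f"isr{i}", APPLIANCE) for i in range(15)],
        "5 IDSM-2s": [Device(f"idsm{i}", SERVICES_MODULE, virtual_sensors=2) for i in range(5)],
        "350 ASAs": [Device(f"asa{i}", APPLIANCE) for i in range(350)],
        "10 ASA pairs": [d for i in range(10) for d in redundant_pair(f"pair{i}", contexts=5)],
    }


if __name__ == "__main__":
    for label, devs in example_networks().items():
        edition, extra = base_edition(devs)
        print(f"{label}: {count_licenses(devs)} licenses -> {edition}, +{extra} incremental")
```

The model reports how many licenses remain to be covered by incremental packages; it deliberately does not choose between package sizes (for example 3 x Inc-100 versus 1 x Inc-500), because that depends on pricing the guide does not state.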
Factors which Affect Application Performance
There are many factors that affect application performance. These include, but are not limited to the following:
•Server and client hardware (for example, processor, memory, and storage technology)
•Number of managed devices, including the type of the devices, and the complexity of the device configurations (such as large number of ACLs)
•Number and complexity of policy objects
•Number of simultaneous users and the specific activities the users are performing
•Network bandwidth and latency, such as between Security Manager clients and the server and between the server and the managed devices
•Use of virtualization technology such as VMware
•Security Manager version, due to the addition of new features which can affect performance as well as the introduction of performance enhancements
•Use of ACS server for AAA services
•Number of devices present in a deployment job
Large geographic distances between a Security Manager client and server result in poor client responsiveness because of the latency introduced. For example, it is not recommended to use a client in India with a server located in California because of the large latency involved. In such cases, we recommend that you employ a remote desktop or terminal server arrangement, where the running clients are co-located in the same datacenter as the server, or at least nearby.
Effect of Number of Processors/Cores on Performance
Performance improvements with Security Manager have been observed when going from a single processor/core to a dual/quad processor/core server.
Effect of Memory Size on Performance
Performance improvements with Security Manager have been observed with servers having 4 GB or more RAM installed on the system. Please see Table 1 for additional hardware sizing recommendations.
There are various deployment scenarios possible for Security Manager applications. When deciding on a deployment scenario you should consider the following items:
•Which specific applications included with Security Manager do you need to deploy?
•How many devices will each application manage?
If one of the applications you are using is approaching its scale limits (Table 5), it is a good idea to dedicate a server to that application. For obvious reasons of resource allocation and task distribution, it is best not to have other applications using valuable CPU and memory resources if you are trying to manage a large number of devices.
•How many users will use these applications?
Active user sessions also place a load on the server and should be factored in when deciding on the deployment configuration. For example, an application may not have reached its limit due to the number of devices, but could be nearing maximum load due to simultaneous user sessions, which may warrant dedicating a server to the application.
•Do you require the application to be highly available or survivable in the event of a site disaster or outage?
If you reach the scale limits of a specific application installed on a dedicated server, you need to consider deploying multiple instances of the application on different servers. Each running instance of the application needs to be separately purchased and licensed.
A single server is the simplest deployment scenario, where you install all Security Manager applications of interest on the same server. For small-scale security environments with one or two network security administrators, a single-server deployment is usually adequate.
For performance reasons you may choose to deploy the Security Manager applications of interest across multiple servers. One possible distribution of the applications is as follows:
•Server A (Configuration/Inventory)
•Server B (Monitoring)
•Server C (Autoupdate)
Server A is dedicated to the configuration and inventory management applications, namely Security Manager and RME. Server B is dedicated to monitoring. Monitoring tends to place a continuous and potentially heavy load on a server, so there are advantages to using a dedicated set of resources for monitoring. Server C is dedicated to AUS. Since AUS is intended to manage remote firewalls, it can be resource intensive when many remote devices are contacting AUS for configuration, OS, or DM updates. Also, AUS should normally be placed in the DMZ of the network, so this recommendation alone can lead to dedicating a server to AUS.
For situations where you are reaching the scale limits of either Security Manager or RME, you may also need to split these applications onto dedicated servers. For example, RME also includes a syslog analyzer that can be performance intensive depending on the rate of syslog messages directed at the server. If you intend to use the RME syslog analyzer function you may want to dedicate a server to RME.
You can deploy Security Manager in a high-availability or disaster recovery configuration to significantly improve application availability and survivability in the event of a server, storage, network, or site failure. These deployment options are covered in detail in the High Availability Installation Guide for Cisco Security Manager 3.3.
Security Manager supports running in VMware ESX Server 3.5 beginning with Security Manager 3.2.1. Other VMware environments such as VMware Server and VMware Workstation are not supported. You can use any server operating system supported by Security Manager as the guest operating system for VMware.
The VMware qualification effort involved running the same set of performance and durability tests that are performed on Security Manager running on a regular non-virtualized server. Test results have shown that running Security Manager in VMware ESX Server 3.5 introduces a modest amount of application performance degradation, which varies based on the size of the reference network involved and the specific test case. In a few test cases the performance actually improved, but this was the exception rather than the rule. One area where the performance degradation was unusually large was the case of performing a deployment to a PIX or ASA device with a large number of rules (on the order of 5,000 to 50,000 rules). In this case the deployment took roughly twice as long.
You should allocate 4 GB of memory to the virtual machine you use with Security Manager for all reference network sizes. In general you should follow the best practices documented in the VMware document: Performance Tuning Best Practices for ESX Server 3. However, you should avoid tuning any of the advanced VMware parameters, as the default values or settings are generally optimum.
It is also recommended to use one of the later generation servers with a processor that includes technology specifically designed to improve the efficiency of virtualization. For example, good results were obtained when testing Security Manager running in VMware ESX Server 3.5 on an Intel® Xeon® X5500 series Quad-core processor, which includes Intel® Virtualization Technology (IVT). AMD offers 64-bit x86 architecture processors with virtualization extensions, which they refer to as AMD Virtualization (AMD-V).
The normal and recommended practice is to install and run the Security Manager client on a separate client machine. Security Manager only supports installing a single version of the client on a given machine, so you cannot, for example, have the client for both Security Manager 3.2 and 3.3 on the same machine. You can install and use the client on the server; however, this practice is suitable only for an SE size network and is not recommended for the larger ME or LE size networks.
As mentioned in Factors which Affect Application Performance, when end users are located a large distance from the server (for example, intercontinental distances), the resulting latency may make it necessary to deploy the client on a terminal server located near the server to maintain acceptable performance.
Application performance and server and client sizing recommendations are affected by the size and composition of the network under management. Application performance was characterized for three different reference network configurations, Small Enterprise (SE), Medium Enterprise (ME), and Large Enterprise (LE), each with a corresponding server and client specification. The characteristics of the three reference networks are defined below.
These reference networks consist of a mixture of dedicated firewall devices (for example, PIX, FWSM), dedicated IPS devices (for example, IPS 4200 Series), and multi-service (firewall, VPN, and IPS) routers. You should understand the following when you compare these reference networks to the makeup of your own network.
•In general you can equate like types of devices. For example, if the reference network refers to a PIX 535, this is comparable to similar devices such as other PIX models or the ASA 5500 Series with a similar number of rules defined. Likewise an IPS 4250 Sensor is comparable to similar IPS devices such as the AIP-SSM or IPS AIM. Finally a Cisco 2801 router is comparable to other IOS-based routers.
•In general you cannot add devices to one category (for example, firewall appliances) in exchange for omitting devices of another category (for example, IPS appliances). So, for example, even if you do not use IPS devices, adding PIX devices beyond the specified number will increase the load on the server beyond what has been tested for that particular reference network.
•In general Security Manager does not have any fixed scalability limitations. For example, Security Manager does not impose any fixed limit on the number of devices you can add of any type (assuming you have sufficient licenses) or on the number of policy objects of a given type. However, exceeding the limits identified in these reference networks would place you in an untested, uncharacterized situation.
Small Enterprise Reference Network
The Small Enterprise Reference Network has the following makeup:
•10 PIX 535s
–200 ACEs in each PIX Firewall rule table
•50 Cisco 2801s
–20 ACEs in each router rule table
–IOS IPS Enabled
•10 IPS 4250 Sensors
–4 virtual sensors per device (10 total virtual sensors)
•Full Mesh VPN
–Technology: Regular IPsec VPN
–Size: 3 routers
•4,500 access-list rules
•100 user-defined network objects, where each object contains a single IP entry. 50 of the network objects are referenced by an access-list rule.
•25 user-defined service objects, where each object contains one service port and all 25 service-objects are referenced by an access-list rule.
The Small Enterprise (SE) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 55 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.
Disclaimer: The above numbers are for inventory sizing only.
Medium Enterprise Reference Network
The Medium Enterprise Reference Network has the following makeup:
•21 PIX 535s
–500 ACEs in each PIX Firewall's rule table
–20 ACEs in its rule table
•100 Cisco 2801s
–50 ACEs in each router's rule table
–IOS IPS Enabled
•15 IPS 4250 Sensors
–4 virtual sensors per device (60 total virtual sensors)
•Hub and Spoke VPN
–Technology: Regular IPsec VPN
–Size: 1 hub, 20 spokes
•44,000 access-list rules
•650 user-defined network objects, where each object contains a single IP entry. 150 of the network objects are referenced by an access-list rule.
•75 user-defined service objects, where each object contains one service port and all 75 service-objects are referenced by an access-list rule.
The Medium Enterprise (ME) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 65 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.
Disclaimer: The above numbers are for inventory sizing only.
Large Enterprise Reference Network
The Large Enterprise Reference Network has the following makeup:
•1000 PIX 535s
–2,000 ACEs in each PIX Firewall's rule table
–50,000 ACEs in its rule table
•5100 Cisco 2801s
–300 ACEs in each router rule table
–IOS IPS Enabled on 1000 routers
•250 IPS 4250 Sensors
–4 virtual sensors per device (1,000 total virtual sensors)
•VPN
–Technology: Regular IPsec VPN
–Full Mesh: Four hubs are in full mesh
–Hub and Spoke #1: 1 hub and 1250 spokes
–Hub and Spoke #2: 1 hub and 1250 spokes
–Hub and Spoke #3: 1 hub and 1250 spokes
–Hub and Spoke #4: 1 hub and 1250 spokes
•3,000,000 access-list rules total
•400,000 access-list rules on a single device
•5000 user-defined network objects, where each object contains a single IP entry. 50 of the network objects are referenced by an access-list rule.
•500 user-defined service objects, where each object contains one service port and all 25 service-objects are referenced by an access-list rule.
The Large Enterprise (LE) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 800 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.
Disclaimer: The above numbers are for inventory sizing only.
Note It is recommended to enable PAE (Physical Address Extension) mode if your system has more than 4 GB of main memory. This affects only 32-bit operating systems. Refer to the Microsoft article at http://www.microsoft.com/whdc/system/platform/server/PAE/PAEdrv.mspx for more information.
Number of Simultaneous Users
Security Manager supports multiple concurrent user sessions and has been specifically tested for 15 simultaneous users where:
•5 users perform Read-Only actions: view activities/policies/jobs
•5 users perform Read-Write actions: create activities, modify policies, and submit activities
•5 users commit jobs and deploy actions
Server and Client Hardware Recommendations
This section provides recommendations for the server and client hardware sizing based on the three reference network configurations.
Table 1 provides basic recommendations on server sizing for Security Manager 3.3 based on the reference networks.
Note The requirements for free disk space are for Cisco Security Manager only and do not consider the disk space requirements for backup and/or other applications like RME.
Security Manager performance has been characterized only on servers with up to dual processors/quad cores. While adequate performance can be obtained using the server specifications noted in Table 1 for the Small Enterprise and Medium Enterprise reference networks, test results show that you can obtain improved performance by using the Large Enterprise server specification for the Small Enterprise and Medium Enterprise reference networks as well.
Table 2 provides basic recommendations on client sizing for Security Manager based on the reference networks and assuming a single client running on the machine.
Security Manager Tuning
Security Manager includes several advanced parameters that you can modify to tune the application performance. For more information, please contact Cisco TAC.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2008-2009 Cisco Systems, Inc. All rights reserved.