Table Of Contents
Deployment Planning Guide for Cisco Security Manager 4.0
Cisco Security Manager 4.0 Applications
Minimum Hardware and Software Requirements
Virtual Machine Hardware and Software Requirements
Recommended Hardware and Software Specifications
Small Deployment with VMWare Virtual Machine
Factors That Affect Application Performance
Installation in VMware's Virtual Machine Environment
High-Availability/Disaster Recovery
IP address, Hostname and DNS name
Security Manager Server Tuning
Windows Operating System's Swap File Size
Sybase Database Registry Parameters
Sybase Temporary File Location
Understanding Security Manager Licensing
Licensing for RME and Performance Monitor
Deployment Planning Guide for Cisco Security Manager 4.0
Published: August 19, 2010
Last Updated: November 29, 2010
Introduction
This document provides guidance on planning a deployment of the Cisco Security Manager 4.0 server. It covers these topics: the included applications; recommended server and client hardware, sizing and software based on reference networks; deployment options for the set of applications included with Security Manager; advanced Security Manager server tuning options; and licensing. For more information about Security Manager software features, refer to the product documentation located at http://www.cisco.com/go/csmanager.
This document complements other Security Manager user documentation such as the User Guide for Cisco Security Manager 4.0 and the Installation Guide for Cisco Security Manager 4.0.
Cisco Security Manager 4.0 Applications
Cisco Security Manager 4.0 includes the following applications:
•
Security Manager 4.0 Policy Configuration
Cisco Security Manager enables you to centrally manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall, IPS, and VPN (site-to-site, remote access, and SSL) services across:
–
Cisco IOS routers, including Integrated Services Routers (ISR) and Aggregation Services Routers (ASR)
–
Catalyst switches
–
ASA and PIX security appliances
–
Catalyst Service Modules related to firewall, VPN, and IPS
–
IPS appliances and various service modules for routers and ASA devices
For a complete list of devices and OS versions supported by Security Manager, please refer to Supported Devices and Software Versions for Cisco Security Manager on Cisco.com.
•
Security Manager 4.0 Event Viewer
This new integrated tool allows you to centrally monitor events from IPS and ASA devices and correlate them with the related configuration policies. This helps you identify problems, troubleshoot configurations, and then adjust the configurations and deploy them. For supported platforms and more information, refer to the Viewing Events section of the User Guide for Cisco Security Manager on Cisco.com.
•
Common Services 3.3
Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, job and process management. Common Services supplies essential server-side components to applications that include:
–
SSL libraries
–
An embedded SQL database (Sybase 10.0.1.3830)
–
The Apache web server
–
The Tomcat servlet engine
–
The CiscoWorks home page
–
Backup and restore functions
Common Services is required for all the applications included with Security Manager. For more information about Common Services, refer to the documentation located at:
http://www.cisco.com/en/US/products/sw/cscowork/ps3996/tsd_products_support_eol_series_home.html
•
Auto Update Server 4.0
AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition, supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.
With this method, Security Manager deploys configuration updates to the AUS server, and the managed device contacts the AUS server to download new configuration updates at a periodic interval, at a specific date and time, or on demand.
AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls.
AUS uses a browser-based, graphical user interface and requires Common Services 3.3. For more information about AUS, refer to the documentation located at http://www.cisco.com/go/csmanager.
•
Resource Manager Essentials 4.3
To support life cycle management, RME provides the ability to manage device inventory and audit changes, configuration files, software images and basic syslog analysis (for configuration archival and tracking purposes). RME uses a browser-based graphical user interface. RME is also included with the CiscoWorks LAN Management Solution (LMS). There is useful deployment information about RME included in the CiscoWorks LAN Management Solution Deployment Guide, although be aware that some information does not apply in the case of RME bundled with Security Manager.
For more information about RME, refer to the documentation located at:
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/tsd_products_support_eol_series_home.html
•
Performance Monitor 4.0
Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor supports the ability to proactively detect network performance issues before they become critical; helps identify portions of the network which are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPN, site-to-site VPN, firewall, web server load-balancing and SSL termination. Performance Monitor uses a browser-based, graphical user interface and requires Common Services 3.3. For more information about Performance Monitor, refer to the documentation located at http://www.cisco.com/go/csmanager.
•
Cisco CSA 5.2.0.282
This is stand-alone host security agent software that is installed on the Security Manager server. It can be installed only on 32-bit Windows Server 2003. The Security Manager installer automatically detects the operating system and installs CSA if it is supported.
Related Applications
Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:
•
Cisco Security Monitoring Analysis and Response System (MARS)
Security Manager supports policy-to-event cross-linkages with MARS, in both directions, for firewall and IPS. Using the Security Manager client, you highlight specific firewall rules or IPS signatures and request to see the events related to those rules or signatures, respectively. Using the MARS interface, you can select firewall or IPS events and request to see the matching rule or signature in Security Manager. These cross-linkages are especially useful for network connectivity and firewall rule troubleshooting, identifying unused rules, and signature tuning activities. The cross-linkage feature is explained in detail in the User Guide for Cisco Security Manager 4.0. For more information about MARS, visit http://www.cisco.com/go/mars.
•
Cisco Secure Access Control Server (ACS)
You can optionally configure Security Manager to use ACS for authentication and authorization of Security Manager users. ACS supports defining custom user profiles for fine-grained role based authorization control (RBAC) and the ability to restrict users to specific sets of devices. For details on configuring Security Manager and ACS integration refer to the Installation Guide for Cisco Security Manager 4.0. For more information about ACS you can visit http://www.cisco.com/go/acs.
•
Cisco CNS Configuration Engine
Security Manager supports the use of Cisco Configuration Engine 3.0 as a mechanism for deploying device configurations. Security Manager deploys the delta configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices such as Cisco IOS routers and PIX and ASA firewalls that obtain their addresses from a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. Security Manager also supports management of devices that have static IP addresses via the CNS Configuration Engine; in that case, discovery is done live and deployments to the device happen via the CNS Configuration Engine. For more information about the Configuration Engine, visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html.
Minimum Hardware and Software Requirements
Each Cisco Security Manager server installation requires a single physical server for both policy and event management. Optional components such as Auto Update Server, Performance Monitor, or Resource Manager Essentials can be installed on the same or separate systems.
The following table lists the minimum hardware and software specifications for installing the Cisco Security Manager server software and the optional modules. While Security Manager can be installed on a system with the minimum specifications, its performance and capacity are then limited to small deployments (managing up to 5 devices). For larger deployments, use the recommended specifications in Recommended Hardware and Software Specifications.
The following table lists the minimum hardware and software specifications for installing the Cisco Security Manager 4.0 client software. We recommend installing the Security Manager client on a separate machine:
Virtual Machine Hardware and Software Requirements
For installation of Cisco Security Manager on a VMWare ESX virtual machine, the software requirements are the same as described in Minimum Hardware and Software Requirements. However, we recommend turning off the Event Management feature in a VMware environment because virtualized CPU and memory performance are limited. The Event Management feature requires a physical server with the described minimum specifications. Cisco Security Manager installation is supported on VMware ESX 3.5 with Update 4.
Recommended Hardware and Software Specifications
Performance improvements with Security Manager have been observed when moving from a single-processor (or single-core) server to a multi-processor (or multi-core) server. With the new Event Management feature and other new features in this release, use the recommended hardware and software specifications to obtain optimal performance.
For best performance, a Security Manager server with at least a 2.66 GHz Intel Xeon quad-core processor (with Hyper-Threading) is recommended. If Event Management is used, we strongly recommend a dedicated hard disk or storage volume for the Security Manager applications and a separate dedicated disk or volume for event storage. For the Security Manager client system, you can use the minimum hardware specifications given in Minimum Hardware and Software Requirements.
The following specifications are the recommended specifications for the Security Manager server for different sizes of deployment. They are general guidelines for the hardware and software needed to support such deployments based on the number of devices; performance results might vary depending on the other factors discussed in Deployment Scenarios. These hardware and software requirements are the same for new installations and for upgrades to version 4.0 from earlier versions of Security Manager.
•
Small Deployment with VMWare Virtual Machine
•
Small Enterprise Deployment
•
Medium Enterprise Deployment
•
Large Enterprise Deployment
Small Deployment with VMWare Virtual Machine
The following table lists the recommended configuration for small deployments that use VMWare virtual machines:
Small Enterprise Deployment
The following table lists the recommended configuration for small enterprise deployments:
Medium Enterprise Deployment
The following table lists the recommended configuration for medium enterprise deployments:
Large Enterprise Deployment
The following table lists the recommended configuration for large enterprise deployments:
Deployment Scenarios
There are various deployment scenarios possible for Security Manager applications. When deciding on a deployment scenario, you should consider the following important factors, which can affect system performance:
•
How many devices will Security Manager manage?
While Security Manager does not have a hard limit on the number of managed devices, we recommend fewer than 500 devices per Security Manager server with the recommended hardware and software. Use the recommended specifications listed in Recommended Hardware and Software Specifications to manage the appropriate number of devices per server. The number can be smaller if the managed devices have very large configurations. For example, a large number of firewall devices with 20,000 to 50,000 access rules, large IPS signature sets, or very large and complex VPN policies with thousands of branches can cause Security Manager to run below optimal performance. The number of managed devices also depends on the hardware and operating system that Security Manager runs on. If needed, deploy multiple Security Manager servers to manage a larger number of devices and a larger network.
•
What types of devices will be managed with Security Manager? Will performance be varied for different types of devices?
Some types of devices require more frequent changes than others. Firewalls and IPS sensors require more frequent policy changes and therefore consume far more resources than VPN devices. In general, Security Manager can manage more devices in a VPN environment than firewalls or IPS sensors.
•
What is the common size of configurations?
For small environments, configurations vary from hundreds to thousands of lines. For medium environments, this can be 1,000 to 5,000 access rules, while in some large environments it can be 5,000 to 50,000 access rules or more. In larger environments, consider reducing the number of devices per Security Manager server to leave enough headroom for future growth.
•
How many events can Security Manager manage? What are the right settings for firewall and IPS logging?
Event Management can consume a lot of system resources, especially in a large environment with many users and devices. While a single Security Manager server can handle up to 10,000 events per second with the right hardware and software, configure the devices to send only the logs that your operation requires. Recommended logging levels for firewall devices are 0 (Emergencies) through 5 (Notifications), where level 0 sends the fewest messages to Security Manager; each higher level also includes every message of the levels below it. For additional logging, you can raise the level on an individual device when necessary for troubleshooting and debugging. Be cautious with levels 6 (Informational) and 7 (Debugging): turn them on only at the device's console or in its Device Manager when needed, and turn them off when done. For IPS devices, signature severity can be tuned among Informational, Low, Medium, and High. These settings vary between environments and can affect system performance. Refer to the IPS configuration guide for more information.
•
How many users will use these applications?
Active user sessions also place a load on the server and should be factored in when deciding on the deployment size. For example, an application may not have reached its limit due to the number of devices, but could be nearing the maximum load due to simultaneous user sessions, which may warrant dedicating a server to the application.
•
Which specific applications included with Security Manager do you need to deploy?
Do you require the applications (such as Auto Update Server or RME) to be highly available or survivable in the event of a site disaster or outage? If you reach the scale limits of a specific application installed on a dedicated server, you need to consider deploying multiple instances of the application on different servers.
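The event-volume question above is easiest to answer from a short syslog capture. The following script is an added example for this guide, not Cisco code: it parses the standard "%ASA-<severity>-<message_id>:" tag (also PIX and FWSM), counts events per severity, shows how much of the stream a `logging trap <level>` cutoff would drop, and sizes the number of servers against the 10,000 events-per-second per-server ceiling quoted above. The log lines, the device name "fw1" and the one-second window are constructed for illustration.

```python
"""Estimate Security Manager event load from firewall syslog samples.

Added example for this guide; it is not Cisco code. Sample log lines below
are constructed. The 10,000 events/second figure is the per-server ceiling
quoted in the guide.
"""
import re
from collections import Counter

MAX_EPS_PER_SERVER = 10_000          # per-server ceiling quoted in the guide
RECOMMENDED_TRAP_LEVEL = 5           # notifications: the guide's recommended maximum

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# "%ASA-6-302013:" -> severity 6, message id 302013
TAG_RE = re.compile(r"%(?:ASA|PIX|FWSM)-(?P<sev>[0-7])-(?P<msgid>\d{6}):")

# Constructed sample: one second of syslog from a single ASA ("fw1").
SAMPLE_LOG = """\
Nov 29 2010 10:00:01 fw1 : %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.10/443 to inside:10.0.0.5/51000
Nov 29 2010 10:00:01 fw1 : %ASA-6-302014: Teardown TCP connection 1 for outside:198.51.100.10/443 to inside:10.0.0.5/51000 duration 0:00:00 bytes 1234 TCP FINs
Nov 29 2010 10:00:01 fw1 : %ASA-4-106023: Deny tcp src outside:192.0.2.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
Nov 29 2010 10:00:01 fw1 : %ASA-5-111008: User 'admin' executed the 'logging trap debugging' command.
Nov 29 2010 10:00:01 fw1 : %ASA-7-609001: Built local-host inside:10.0.0.5
Nov 29 2010 10:00:01 fw1 : %ASA-3-106014: Deny inbound icmp src outside:192.0.2.7 dst inside:10.0.0.5 (type 8, code 0)
Nov 29 2010 10:00:01 fw1 : unrelated text that carries no firewall tag
"""


def parse_severities(text):
    """Count firewall messages per severity; lines without a tag are ignored."""
    counts = Counter()
    for line in text.splitlines():
        match = TAG_RE.search(line)
        if match:
            counts[int(match.group("sev"))] += 1
    return counts


def kept_at_level(counts, trap_level):
    """Events that `logging trap <trap_level>` still sends (severities 0..level)."""
    return sum(n for sev, n in counts.items() if sev <= trap_level)


def suppression_ratio(counts, trap_level):
    """Fraction of the sampled stream that the cutoff removes (0.0 .. 1.0)."""
    total = sum(counts.values())
    return 0.0 if total == 0 else 1.0 - kept_at_level(counts, trap_level) / total


def servers_needed(events_per_second, max_eps=MAX_EPS_PER_SERVER):
    """Minimum number of Security Manager servers for an aggregate event rate."""
    return max(1, -(-events_per_second // max_eps))   # ceiling division


def report(text, window_seconds=1, trap_level=RECOMMENDED_TRAP_LEVEL):
    """Summarise a capture: counts, what the cutoff keeps, and server count."""
    counts = parse_severities(text)
    kept = kept_at_level(counts, trap_level)
    return {
        "total": sum(counts.values()),
        "by_severity": {SEVERITY_NAMES[s]: n for s, n in sorted(counts.items())},
        "kept_at_trap_level": kept,
        "suppressed_ratio": suppression_ratio(counts, trap_level),
        "eps_after_cutoff": kept / window_seconds,
        "servers_needed": servers_needed(int(kept / window_seconds)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real capture by replacing SAMPLE_LOG with the contents of a syslog file and setting window_seconds to the capture length; the connection build/teardown messages (severity 6) usually dominate, which is why the guide recommends stopping at level 5 for the feed sent to Security Manager.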
Factors That Affect Application Performance
There are many factors that affect application performance. These include, but are not limited to the following:
•
Server and client hardware (for example, processor, memory, and storage technology).
•
The number of managed devices, including the type of the devices and the complexity of the device and the size of configurations (such as a large number of ACLs).
•
The event management engine and the event volume reported by managed devices at their configured logging level.
•
The number and complexity of policy objects.
•
The number of simultaneous users and the specific activities the users are performing.
•
The frequency of configuration deployment or IPS signature updates for large numbers of devices.
•
The network bandwidth and latency, such as between Security Manager clients and the server and between the server and the managed devices.
•
The use of virtualization technology such as VMware.
•
The use of ACS server for AAA services.
•
The number of devices present in a deployment job.
Large geographic distances between a Security Manager client and server result in poor client responsiveness because of the latency introduced. For example, using a client in India with a server located in California is not recommended because of the large latency involved. In such cases, we recommend a remote desktop or terminal server arrangement in which the clients run in the same datacenter as the server, or at least nearby.
Single Server Installation
A single server is the simplest deployment scenario, where you install all Security Manager applications of interest on the same server. For small-scale security environments with one or two network security administrators, a single-server deployment is usually adequate.
Multiple Servers Installation
In some large environments with hundreds or thousands of devices, a single server cannot manage all devices efficiently. For performance reasons you may choose to deploy the Security Manager applications of interest across multiple servers. One possible distribution of the applications is as follows:
•
Server A: Firewall Policy and Device Management
–
Common Services
–
Security Manager
–
Event/Log Monitoring
–
Auto Update Server (optional)
•
Server B: IPS Policy and Device Management
–
Common Services
–
Security Manager
–
Event/Log Monitoring
•
Server C: VPN Policy and Device Management
–
Common Services
–
Security Manager
–
Event/Log Monitoring
Server A is dedicated to configuration and event management for all ASA/PIX/FWSM firewall devices. Server B is dedicated to configuration and event management for all IPS devices, while Server C is dedicated to VPN policy management for ASA/IOS/ISR VPN devices. When deploying multiple servers, note that policy data is not shared between Security Manager servers. For example, firewall policies and policy objects on server A cannot be shared with other servers. With this division, the need to share policy data between servers is minimized because each server mostly uses its own policy data. However, this deployment is not suitable for networks where Security Manager servers would sit a great distance away from the managed devices, which can affect monitoring, configuration discovery and deployment.
Another method is to divide the devices by region so that each Security Manager server manages a smaller number of devices for its region (US-West, US-Central, US-East, Europe or Asia, for example). This provides optimal performance for the management console, event monitoring and configuration deployment, because managed devices are served by their local Security Manager server. However, policy data is not shared between servers: each server manages its own set of global policies and policy objects for its group of devices, which might require manual replication of policy data between servers.
In some environments where Event Management in Security Manager is not required (using CS-MARS or third-party logs management), the Event Management engine can be turned off to provide better performance for policy management. For Security Manager running on a VMWare virtual machine, it is recommended to have Event Management turned off.
Installation in VMware's Virtual Machine Environment
Security Manager supports running in VMware ESX Server 3.5 Update 4. Other VMware environments such as VMware Server and VMware Workstation are not supported. We recommend that the Event Management feature be turned off for Security Manager deployed in VMWare environments. If you need to use Event Management features, consider using a recommended physical server with the proper hardware and software specifications.
You can use any server operating system supported by Security Manager as a guest operating system for VMware. The VMware qualification effort involved running the same set of performance and durability tests that are performed on Security Manager running on a regular non-virtualized server. Test results have shown that running Security Manager in VMware ESX Server 3.5 with the Event Management feature turned off introduces a modest amount of application performance degradation, which varies with the size of the reference network involved and the specific test case. Deployment of Security Manager in a VMware environment is suitable only for a smaller network.
One area where the performance degradation was usually large was deployment to a large number of PIX or ASA devices, or to a device with a large number of rules (on the order of 5 to 50 thousand rules); in this case the deployment took much longer than is acceptable. You should allocate at least 8 GB of physical memory to the virtual machine you use with Security Manager for all reference network sizes. In general you should follow the best practices documented in the VMware document Performance Tuning Best Practices for ESX Server 3. However, you should avoid tuning any of the advanced VMware parameters, as the default values or settings are generally optimal.
It is also recommended to use one of the later generation servers with a processor that includes technology specifically designed to improve the efficiency of virtualization. For example, good results were obtained when testing Security Manager running in VMware ESX Server 3.5 on an Intel® Xeon® X5500 series Quad-core processor, which includes Intel® Virtualization Technology (IVT). AMD offers 64-bit x86 architecture processors with virtualization extensions, which they refer to as AMD Virtualization (AMD-V).
High-Availability/Disaster Recovery
You can deploy Security Manager in a high-availability or disaster recovery configuration to significantly improve application availability and survivability in the event of a server, storage, network, or site failure. These deployment options are covered in detail in the High Availability Installation Guide for Cisco Security Manager 4.0.
Installation Guidelines
For detailed instructions on Security Manager installation, refer to the Installation Guide for Cisco Security Manager 4.0.
Installable Modules
Security Manager server installation includes different components and some of them are optional. The Security Manager installer is responsible for installing the following components:
•
Common Services 3.3 (required)
•
Security Manager 4.0 Server (required)
•
AUS 4.0 (optional)
•
Security Manager 4.0 Client (optional if the client will be installed on a dedicated client machine)
•
Cisco Security Agent 5.2.0.282 (installable only on Windows 2003 32 bit Operating System)
Separate components can be installed using separate installers. Following are the standalone installers:
•
The Security Manager client installer, which is available as a standalone installer. The most common way to access it is to log in to the server using a web browser (https://server_hostname_or_ip) and click the client installer link.
•
The RME installer, which is responsible for installing RME. This installer requires that you have already installed Common Services 3.3 using the Security Manager installer.
•
The Performance Monitor installer is a separate installation module, which is responsible for installing Performance Monitor on Common Services. This installer requires that you have already installed Common Services 3.3 using the Security Manager installer.
Detailed use of the Security Manager installer and the RME and Performance Monitor installers is included in the Installation Guide for Cisco Security Manager 4.0.
IP address, Hostname and DNS name
Cisco Security Manager requires a static IP address; do not use a DHCP-assigned address. The IP address of the Security Manager server can be changed, but the change requires a system reboot. If a DNS server is configured in the Security Manager server's TCP/IP settings, make sure that the hostname and the DNS name of the server are identical and resolvable by the configured DNS servers. Choose a permanent DNS name and computer hostname for the server before installing Security Manager, because neither should be modified after installation; changing the hostname of the Security Manager server after installation might require reinstalling the product.
Client Deployment
The normal and recommended practice is to install and run the Security Manager client on a separate client machine. Security Manager only supports installing a single version of the client on a given machine, so you cannot, for example, have the client for both Security Manager 3.3 and 4.0 on the same machine. You can install and use the client on the server; however, this practice is suitable only for a small sized network and is not recommended for the larger enterprise networks.
As mentioned in Factors That Affect Application Performance, it may be necessary to deploy the client on a terminal server located near to the server to maintain acceptable performance in the event that end users are located a large distance from the server, which introduces significant latency (for example, intercontinental distances).
Security Manager Server Tuning
Security Manager includes several advanced parameters that you can modify to tune application performance. For large deployments with 50 or more devices on a 64-bit Windows Server 2008 machine with 16 GB of memory or more, you can modify the parameters described in the following sections for optimal performance:
•
Windows Operating System's Swap File Size
•
Sybase Database Registry Parameters
•
Sybase Temporary File Location
Windows Operating System's Swap File Size
Use the default 4 GB setting. Increase it if Security Manager manages more devices or larger policies, or if system memory usage is high. For general Microsoft Windows Server tuning, refer to the Microsoft web site for more information.
Sybase Database Registry Parameters
For medium or large deployments, use the following procedure to tune database parameters to provide optimal performance and scalability.
Step 1
On the Security Manager server, use a text editor to edit the <NMSROOT>\databases\vms\orig\odbc.tmpl file and modify the following parameters:
•
Modify the parameter "___Cache=32" to "___Cache=512"
•
In the parameter "___Switches", add the keyword -gb high
The following illustration shows the changes.
Step 2
Shut down Security Manager by entering net stop crmdmgtd at a Windows command line and wait until Security Manager is fully shut down before the next step.
Step 3
Re-register the database parameters in the Windows registry using a perl utility available in <NMSROOT>\objects\db\conf. Following is an example of the command and its syntax:
perl configureDb.pl action=reg dsn=vms dmprefix=vms
The following illustration shows an example.
Step 4
Verify that the parameters are registered properly by checking the Windows Registry setting under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsDbEngine\Parameters. There should be a "-gb high -c 512M" entry, as shown in the following illustration:
Step 5
Restart Security Manager by entering net start crmdmgtd at a Windows command line and wait until Security Manager is fully restarted before using it.
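The template edit in Step 1 is easy to get wrong by hand (a second edit that appends "-gb high" twice, or a Cache value that never reaches the registry), so the following script, an added example for this guide and not Cisco's own tooling, performs the edit as an idempotent function and implements the Step 4 verification against HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsDbEngine\Parameters. The pure functions can be checked on any host; the registry read works only on the Windows server. Assumptions: NMSROOT defaults to C:\Program Files\CSCOpx, and the "___" key prefix and the "-ti 0" switch in the constructed sample stand in for whatever the real template contains. Steps 2, 3 and 5 (net stop, configureDb.pl, net start) are still run as documented.

```python
"""Apply and verify the Sybase odbc.tmpl tuning described in Steps 1 to 4.

Added example for this guide; not Cisco's tooling. NMSROOT default, the
"___" key prefix and the "-ti 0" switch in SAMPLE_TEMPLATE are assumptions.
"""
import re
import shutil
import sys
from pathlib import Path

DEFAULT_NMSROOT = Path(r"C:\Program Files\CSCOpx")        # assumption
TEMPLATE_REL = Path("databases") / "vms" / "orig" / "odbc.tmpl"
REG_PATH = r"SYSTEM\CurrentControlSet\Services\vmsDbEngine\Parameters"

TUNED_CACHE = "512"
TUNED_SWITCH = "-gb high"
EXPECTED_REGISTRY_FRAGMENTS = ("-gb high", "-c 512M")   # what Step 4 expects

CACHE_RE = re.compile(r"^(?P<key>\S*Cache)=(?P<val>\d+)\s*$")
SWITCHES_RE = re.compile(r"^(?P<key>\S*Switches)=(?P<val>.*?)\s*$")

# Constructed sample of the two lines Step 1 touches plus one it must not.
SAMPLE_TEMPLATE = "___Cache=32\n___Switches=-ti 0\n___Other=1\n"


def tune_odbc_template(text):
    """Set Cache=512 and append '-gb high' to Switches; safe to run twice."""
    out = []
    for line in text.splitlines():
        m = CACHE_RE.match(line)
        if m:
            out.append(f"{m.group('key')}={TUNED_CACHE}")
            continue
        m = SWITCHES_RE.match(line)
        if m:
            val = m.group("val")
            if TUNED_SWITCH not in val:          # idempotency guard
                val = f"{val} {TUNED_SWITCH}".strip()
            out.append(f"{m.group('key')}={val}")
            continue
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def registry_switches_ok(values):
    """True if some parameter value carries both '-gb high' and '-c 512M'."""
    return any(
        isinstance(v, str) and all(frag in v for frag in EXPECTED_REGISTRY_FRAGMENTS)
        for v in values
    )


def read_vmsdbengine_parameters():
    """Windows only: every value under the vmsDbEngine Parameters key (Step 4)."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_PATH) as key:
        index = 0
        while True:
            try:
                _name, data, _kind = winreg.EnumValue(key, index)
            except OSError:                      # raised when no values remain
                break
            values.append(data)
            index += 1
    return values


def apply_step1(nmsroot=DEFAULT_NMSROOT):
    """Back up odbc.tmpl and rewrite it in place; returns the backup path."""
    tmpl = nmsroot / TEMPLATE_REL
    backup = tmpl.with_name(tmpl.name + ".bak")
    shutil.copy2(tmpl, backup)
    tmpl.write_text(tune_odbc_template(tmpl.read_text()))
    return backup


if __name__ == "__main__":
    # Usage: python tune_sybase.py apply    (then net stop, configureDb.pl, verify)
    #        python tune_sybase.py verify   (exit status 1 if the tuning is absent)
    if sys.argv[1:] == ["apply"]:
        print("backup written to", apply_step1())
    elif sys.argv[1:] == ["verify"]:
        ok = registry_switches_ok(read_vmsdbengine_parameters())
        print("registry tuning present" if ok else "registry tuning MISSING")
        sys.exit(0 if ok else 1)
    else:
        print(tune_odbc_template(SAMPLE_TEMPLATE), end="")
```

Because the verify step returns a non-zero exit status when the "-gb high -c 512M" entry is absent, it can be wired into a post-change check so that a failed configureDb.pl re-registration is caught before Security Manager is restarted.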
Sybase Temporary File Location
Sybase creates temporary files to store large query result sets. To improve the overall performance of Sybase, the Sybase temp directory can be located on a physical drive other than the one holding the database. This improves performance because the Sybase DB server can access the temp files and the database in parallel. By default, Sybase uses the Windows temp directory for its temp files. To move the Sybase temp directory to a different physical drive, set the system environment variable SA_TMP to the required path.
Understanding Security Manager Licensing
It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage. This section provides an overview of Security Manager licensing and some specific license examples.
Licensing Overview
There are several base versions of Cisco Security Manager 4.0 Enterprise Edition:
•
Standard 5 Device Limit
•
Standard 10 Device Limit
•
Standard 25 Device Limit
•
Professional 50 Device Limit
The versions provide management for 5, 10, 25, and 50 devices, respectively. The Professional version supports incremental device license packages available in increments of 50, 100, and 250 devices. The Professional version also includes support for the management of Cisco Catalyst® 6500 Series switches and associated services modules; the Standard versions do not include support for these platforms.
For additional devices, you can also order Standard-to-Professional or incremental device upgrade licenses. Following is the list of upgrade and incremental device license in this version:
•
Enterprise Standard 25 to Professional 50 Upgrade
•
Enterprise Professional Incremental 50 Device
•
Enterprise Professional Incremental 100 Device
•
Enterprise Professional Incremental 250 Device
Security Manager consumes a device license for the following:
•
Each added physical device
•
Each added Cisco Catalyst 6500 Series services module
•
Each Cisco Catalyst switch
•
Each security context
•
Each virtual sensor
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIM) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) do consume a license.
In the case of a Firewall Services Module (FWSM), the module itself consumes a license and then consumes an additional license for each security context. For example, an FWSM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it also consumes an additional device license.
The failover pair of an ASA/PIX/FWSM device is counted as one single device in Security Manager because Security Manager only manages the active device in a failover pair; therefore it only consumes a single device license count.
Unmanaged Devices
In Security Manager, you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager under Device Properties. An unmanaged device does not consume a license.
Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object to add different types of objects on the map such as Clouds, Firewalls, Host, Network, and Router. These objects do not appear in the device inventory and do not consume a device license.
Active and Standby Servers
The license allows the use of the software on a single server. A standby Cisco Security Manager server, such as used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time.
Licensing for RME and Performance Monitor
Cisco Security Manager also includes a separate license file for RME and Performance Monitor. You are entitled to use these applications for the same number of devices you have purchased for Cisco Security Manager. When you order a Security Manager base product you receive a second Product Authorization Key (PAK) for the RME and Performance Monitor license.
Licensing Examples
This section provides some representative licensing examples to help better understand Security Manager licensing.
Example 1
•
Description of Managed Network: 15 Cisco Integrated Services Routers.
•
Required Licensing: Enterprise Standard - 25 Device license. Because no Catalyst 6500 Series switches or services modules are involved and 15 devices fit within the Standard 25-device limit, order the Standard-25 license.
Example 2
•
Description of Managed Network: 5 IDSM-2 modules, where each module has two virtual sensors.
•
Required Licensing: by device count alone, an Enterprise Standard - 10 Device license covers the 10 virtual sensors spread across the five modules. Although a Standard license might therefore appear to be sufficient, the Standard editions do not support Catalyst 6500 Series switches and their services modules, so an Enterprise Professional - 50 Device license at a minimum is required if you need to use Security Manager to manage the Catalyst 6500 switch.
Example 3
•
Description of Managed Network: 250 pairs of ASAs (500 devices) operating in single and failover mode.
•
Required Licensing: Enterprise Professional - 50 Device + two Enterprise Professional Incremental - 100 Device licenses. Because each failover pair counts as one device, the 250 pairs consume 250 device licenses. When you need to manage additional devices, you can order incremental device licenses in packages of 50, 100, or 250 devices.
Example 4
•
Description of Managed Network: You have a Security Manager Standard Edition - 5 Device license, but now you need to manage an additional 20 ASA devices operating in single mode.
•
Required Licensing: Enterprise Standard 25 to Professional 50 Upgrade license is required.
Example 5
•
Description of Managed Network: 10 pairs of failover ASA devices (20 devices) deployed in a combination of active/standby or active/active pairs, each having 5 security contexts.
•
Required Licensing: Enterprise Professional - 50 + Enterprise Professional Incremental 50 Device.
When deploying a pair of failover devices for redundancy, you add only the active devices and their contexts to Security Manager. The required device license count is therefore 10 active devices x 5 contexts + 10 chassis, for a total of 60 device licenses.
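The counting rules in this section and the examples above can be checked mechanically before an order is placed. The Python calculator below is an added example, not part of the original guide and not Cisco software: the inventory record (Entry), the kind strings, the function names, and the package-selection tie-break (smallest total that covers the count, then fewest packages) are assumptions made for this example. It encodes the statements on this page that IPS modules installed in a host device are free while every virtual sensor after the first costs a license, that each security context (admin included) costs a license on top of its chassis or module, that only the active unit of a failover pair is added, and that Catalyst 6500 Series switches and services modules require the Professional edition. The Standard-to-Professional upgrade path of Example 4 is not modelled.

```python
# Added example: a device-license calculator for the rules described in this
# section. Not Cisco code; the Entry record, kind strings, function names and
# the package tie-break are assumptions made for this example.
from dataclasses import dataclass
from math import ceil

STANDARD_TIERS = (5, 10, 25)       # Enterprise Standard N Device limits
PRO_BASE = 50                      # Enterprise Professional 50 Device
PRO_INCREMENTS = (250, 100, 50)    # Enterprise Professional Incremental packages

# Catalyst 6500 switches and their services modules are supported only by the
# Professional edition (kind strings are an assumption of this example).
CAT6500_KINDS = {"catalyst6500", "fwsm", "idsm2"}
# IPS modules installed in a host device do not consume a license themselves.
HOST_IPS_MODULES = {"aip-ssm", "ids-nm", "ips-aim"}


@dataclass
class Entry:
    """One row of a constructed device inventory (format assumed here)."""
    kind: str                 # e.g. "router", "asa", "fwsm", "idsm2", "aip-ssm"
    contexts: int = 0         # security contexts incl. admin; 0 = single mode
    virtual_sensors: int = 0  # virtual sensors on an IPS module or sensor
    standby: bool = False     # standby unit of a failover pair: never added
    managed: bool = True      # "Manage in Cisco Security Manager" checked


def licenses_for(e: Entry) -> int:
    """Device licenses a single inventory entry consumes."""
    if not e.managed or e.standby:      # unmanaged devices and standby units cost nothing
        return 0
    extra_sensors = max(0, e.virtual_sensors - 1)   # only sensors after the first count
    if e.kind in HOST_IPS_MODULES:      # the module itself is free
        return extra_sensors
    # Physical device, Catalyst switch or 6500 services module: one license,
    # plus one per security context (admin included), plus extra sensors.
    return 1 + e.contexts + extra_sensors


def count_licenses(inventory):
    """Return (total device licenses, whether Professional edition is required)."""
    total = sum(licenses_for(e) for e in inventory)
    needs_pro = any(e.managed and not e.standby and e.kind in CAT6500_KINDS
                    for e in inventory)
    return total, needs_pro


def recommend(total: int, needs_pro: bool):
    """Smallest package set that covers `total`; fewest packages on a tie."""
    if not needs_pro and total <= STANDARD_TIERS[-1]:
        tier = min(t for t in STANDARD_TIERS if t >= total)
        return [f"Enterprise Standard - {tier} Device"]
    packages = [f"Enterprise Professional - {PRO_BASE} Device"]
    units = max(0, ceil((total - PRO_BASE) / 50))   # remaining need in 50-device units
    for pack in PRO_INCREMENTS:   # greedy over 5/2/1 units gives the fewest packages
        n, units = divmod(units, pack // 50)
        packages += [f"Enterprise Professional Incremental {pack} Device"] * n
    return packages


def example_inventories():
    """The guide's Examples 1, 2, 3 and 5 in the constructed inventory format."""
    return {
        1: [Entry("router")] * 15,
        2: [Entry("idsm2", virtual_sensors=2)] * 5,
        3: [Entry("asa")] * 250 + [Entry("asa", standby=True)] * 250,
        5: [Entry("asa", contexts=5)] * 10
           + [Entry("asa", contexts=5, standby=True)] * 10,
    }


if __name__ == "__main__":
    for number, inventory in example_inventories().items():
        total, needs_pro = count_licenses(inventory)
        print(f"Example {number}: {total} device licenses ->", recommend(total, needs_pro))
```

Running the script reproduces the figures quoted in the examples: 15 devices for Example 1 (Standard-25), 10 for Example 2 (Professional-50 because IDSM-2 modules are involved), 250 for Example 3 (Professional-50 plus two Incremental-100) and 60 for Example 5 (Professional-50 plus Incremental-50). The FWSM rule is also covered: an entry with kind "fwsm" and two contexts yields three licenses.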
For additional information on Security Manager licensing, visit the product home page and data sheets at http://www.cisco.com/go/csmanager.
Note
In all the above examples you should consider ordering the corresponding Cisco Service Application Support (SAS) to obtain access to the Cisco Technical Assistance Center (TAC) and application minor release updates at no charge.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.