One of the major challenges of network management is to create a solution that is flexible enough to adapt to the changing needs of your network. While it makes sense to have applications that provide basic network management functionality regardless of the function, the network environment must also be considered. To do this successfully, it is better to have a focused set of tools for management. For example, a tool that focuses on managing quality of service (QoS) levels is probably not going to be very good at managing a server farm topology.
Growth and Enhancements in Network Security
When we look at the network as a strategic asset to the enterprise, network management clearly becomes an important factor in the success of the company. When we consider the evolution of business applications running across the traditional data network including e-commerce, business-to-business transactions, and voice over IP (VoIP), the need to provide secure network connections grows. As a result, we have witnessed a proliferation in virtual private networks (VPNs) and an enhanced awareness of network security.
PAPER OBJECTIVE
This paper provides guidance on how to effectively deploy CiscoWorks VPN/Security Management Solution (VMS). Covered topics include: server, installation, and operating system requirements; reference topology; metrics to monitor; and device configuration considerations. It supplements the quick start guide and user manual, and addresses such questions as: Which products are included and what are they used for? How many servers will I need? What devices can I manage with this application? How can I harden the VMS server itself? By answering these questions, we can provide some basic best practices for managing specific Cisco® security technologies.
What It Does NOT Do
This paper is not intended to replace user guides (or other product documentation). It does not go into comprehensive detail about the various features or capabilities of the products.
Intended Audience
This paper is intended for audiences that are already familiar with network security, VPNs, firewalls, and intrusion detection, and have a basic understanding of these concepts and tools. It explains how best to deploy VMS in a production environment.
HIGH-LEVEL OVERVIEW OF VMS 2.3
What Does It Do?
CiscoWorks VMS is a set of integrated tools that provide a comprehensive solution for VPN and security management. VMS features are positioned to configure, monitor, and troubleshoot enterprise VPNs, firewalls, and network- and host-based intrusion detection and prevention systems (IDS/IPS). VMS provides key features to assist customers in the deployment, monitoring, and management of their security-specific hardware. It also provides the operational management support, software distribution, configuration archive, change-audit, and logging management for different elements of a Cisco security infrastructure. VMS provides a scalable solution that addresses the needs of small- to large-scale VPN and security deployments.
VMS 2.3 COMPONENTS
CiscoWorks VMS 2.3 consists of installable software components for flexible deployment options. Table 1 lists the different VMS modules and what they do.
Table 1. VMS 2.3 Modules*

VMS Module & Versions | Platform | Usage
--- | --- | ---
Common Services 2.2 | Windows, Solaris | Provides a set of common software and services for VMS components and CiscoWorks Resource Manager Essentials (RME)
CiscoView 5.5 | (installed with Common Services) | Provides a physical graphical view of the device chassis and basic status monitoring
Management Center for Firewalls 1.3.3 (FWMC) | Windows, Solaris | Configures Cisco PIX® firewalls and Cisco Catalyst® Firewall Service Modules
Auto Update Server 1.3 (AUS) | Windows, Solaris | Permits configurations, PIXOS and PDM files to be pulled from the update server
Management Center for VPN Routers 1.3.1 (RouterMC) | Windows, Solaris | Configures the VPN and firewall feature set on Cisco IOS® routers and Cisco Catalyst VPN Service Modules
Management Center for IDS Sensors 2.0 (IDSMC) | Windows, Solaris | Configures and updates network-based IDS sensors and Cisco Catalyst IDS Service Modules
Monitoring Center for Security 2.0.2 (SECMON) | Windows, Solaris | Monitors network and host-based IDS events, Cisco IOS Software, and Cisco PIX syslog
Monitoring Center for Performance 2.0.2 | Windows, Solaris | Monitors and troubleshoots the health and performance of enterprise network security services (remote-access VPN, site-to-site VPN, firewall, web server load-balancing, and proxied SSL)
Management Center for Cisco Security Agent 4.5 (CSAMC) (see note) | Windows | Configures host-based IPS to protect critical servers
Cisco Security Agent 4.5 (CSA) | Windows, Solaris, Linux | The agents installed on the servers to be protected
Resource Manager Essentials 3.5 (RME) | Windows, Solaris | Provides operational management, such as software distribution, change audit, and syslog analysis

* Users should check the Software Center on CCO to see if any new modules have been added to VMS.

Note: CSA MC 4.5 will be available on CCO shortly after the release of VMS 2.3; the version officially in the VMS 2.3 bundle is 4.0.3. We have decided to cover 4.5 directly in this guide, since it is going to be released shortly after the VMS 2.3 bundle.
These components can be divided into distinct categories: core asset management applications, security monitoring applications, and security configuration applications. This section details some of the basic features associated with each of these product categories.
Foundation Software, Common Components, Required Installation
1. CiscoWorks Common Services
CiscoWorks Common Services includes basic components of the management server such as the web server, common database, polling engine, and so forth. Install this CD first, because it is a prerequisite for the management center tools in the VMS bundle. Common Services can be thought of as like an "operating system" for CiscoWorks applications.
Core Asset Management Applications
1. Resource Manager Essentials (RME)
Resource Manager Essentials provides the basic network management tools for day-to-day network management including inventory, configuration, change audit, and syslog. RME also provides additional VPN management capabilities. Network administrators will now be able to produce device configuration, software image, and syslog reports specific for VPN environments.
2. CiscoView (an optional install located within Common Services)
CiscoView is a web-based device management application that provides dynamic status, monitoring, and configuration information for the broad range of Cisco internetworking products. CiscoView displays a physical view of a device chassis with color-coded modules and ports for at-a-glance status. Monitoring capabilities display performance and other statistics, and configuration allows comprehensive changes to devices.
Security Monitoring Applications
1. Monitoring Center for Security (SECMON) a.k.a. "Security Monitor"
SECMON monitors IDS events as well as syslog messages from various Cisco devices. These include network IDS sensor appliances, Cisco Catalyst 6500 Series IDS modules, Network Modules for routers (NM-IDS), Cisco IOS Software IDS messages (including the new IPS feature for the routers), Cisco PIX Firewall syslog messages, Catalyst 6500 Firewall Service Module syslog messages, Cisco Security Agent events, and events coming from another Security Monitor server.
2. Monitoring Center for Performance (MCP)
MCP is a browser-based tool that monitors and troubleshoots the health and performance of enterprise network security services. Performance Monitor replaces the VPN Monitor 1.2 application. Supported service types are remote-access VPN, site-to-site VPN, firewall, web server load-balancing, and SSL accelerators.
Security Configuration Applications
1. Management Center for VPN Routers (Router MC)
Router MC is a VPN and Cisco IOS Firewall feature set configuration and deployment tool for Cisco IOS VPN routers. Router MC is a web-based application installed on top of Common Services.
2. CiscoWorks Management Center for Firewalls (FWMC)
Firewall MC is a complete firewall and access rule policy configuration tool for Cisco PIX firewalls and firewall service modules in Cisco Catalyst switches. You can configure new firewalls as well as import configurations from existing firewalls or configuration files. Firewall MC also provides a powerful tool for controlling changes made to your network, showing configuration and status changes. Firewall MC is a web-based application installed on top of Common Services.
3. CiscoWorks Auto Update Server Software (AUS)
AUS is a tool used to store and upgrade device configuration files and software images (firewall image and Cisco PIX Device Manager [PDM] image). Firewall devices periodically contact the AUS to request configuration and software updates. In this way, firewall devices are actively kept up to date. AUS is particularly useful for scaled deployments of PIX firewalls when the remote PIX Firewall devices are dynamically addressed or behind a Network Address Translation (NAT) device. AUS is a web-based application installed on top of Common Services.
4. Management Center for IDS Sensors (IDSMC)
IDS MC is an IDS configuration and deployment tool for Cisco network IDS sensor appliances, Cisco IDS service modules in Catalyst switches (IDSM) and routers (NM-IDS), and Cisco IOS IPS. IDS MC is a web-based application installed on top of Common Services.
5. Management Center for Cisco Security Agent (CSAMC)
Working as a complementary technology to IDS MC and Security Monitor, the Cisco Security Agent MC is a configuration and deployment tool for the host-based IDS solution, Cisco Security Agent. Cisco Security Agent MC is a web-based application installed on top of Common Services.
6. Cisco Security Agent (CSA)
A Cisco host IDS/IPS application, Cisco Security Agent protects critical servers and hosts by integrating with the operating system. By intercepting system calls to the kernel, Cisco Security Agent can protect your hosts by identifying attacks and preventing access to resources and unauthorized transactions.
REFERENCE TOPOLOGY
A reference network topology that shows the different aspects of VPN and network security (Figure 1) is provided to describe how best to deploy CiscoWorks VMS. Although it is not identical to most customer environments, it does serve to provide a holistic view of a secured network. By using this reference topology, you can select the components that best represent your topology and understand how best to deploy VMS in your environment.
Figure 1. Reference Security Topology
The Infrastructure Involved
• Enterprise Gateway - This is a Cisco IOS Router with the Cisco IOS Firewall Feature Set. The main purpose of this device is to perform gateway routing and basic frontline firewall functionality.
• PIX Firewall - The Cisco PIX Firewall provides the comprehensive firewall functionality for this enterprise network. Corporate network resources are protected by strategically placing these devices at network access points.
• Cisco 800, 1700, 2600, 3600, 7100 or 7200 Series routers - Cisco routers act as site-to-site VPN termination points. In a hub-and-spoke VPN topology, the high-end VPN routers act as hubs and the small- to medium-sized routers act as spokes.
• VPN 3000 - The VPN 3000 Series Concentrator provides scalable remote access VPN termination. In this topology the concentrator terminates VPN connections with a variety of remote access environments, VPN client software, and tunneling protocols (IPSec, L2TP, PPTP).
• Cisco VPN remote access client software - This software allows remote access users to connect to the corporate network through VPNs.
• Network IDS Sensor - This device sits on a network segment and passively "listens" to the traffic, inspecting it against a database of common attack signatures. It forwards IDS event information to the monitoring station.
• Cisco host-based IDS/IPS security agents - This software sits on critical network servers as well as home office PCs and mobile laptops to protect individual hosts from intrusion and attacks. Events are forwarded to a central monitoring console.
• Network management subnet - This subnet represents a dedicated network segment for the network management servers. The components of VMS reside in this subnet to manage the different pieces of the infrastructure. All VMS servers are secured by Cisco Security Agents.
• DMZ Servers - This subnet represents a dedicated network segment for publicly accessible network servers. Generally, this includes e-mail, Web, and FTP servers, and in our case also includes CiscoWorks Auto Update Server Software. All DMZ servers are secured by Cisco Security Agents.
Within these reference topologies, we now focus on several pieces of the infrastructure that VMS manages. Note that the network management applications within VMS can manage other devices (such as Cisco Catalyst switches), but the following are the components that should be the focal point of VMS. These components include:
• Enterprise HQ
– This section includes the network management servers, internal firewalls, VPN termination points (both hub routers and VPN concentrators), and IDS sensors. The DMZ portion of the network, which hosts the publicly accessible servers, is controlled by the internal firewalls.
• Remote Access Sites
– The remote access sites in our topology contain the remote PIX firewalls, remote Cisco IOS VPN routers, and remote VPN clients. These pieces of the infrastructure are responsible for VPN termination and firewall access policy at the remote site.
OS SUPPORT AND SYSTEM REQUIREMENTS FOR VMS
VMS is composed of a series of tools that reside on a network management server (or servers). This section discusses the prerequisite software you need to install in order to run the components within VMS. Primarily, this refers to OS support. For almost every application in the VMS bundle, the supported OS is Windows 2000 Server or Advanced Server. This is summarized in Tables 2 and 3.
Table 2. Supported OS for VMS 2.3 Modules

VMS Module | Windows Support | Solaris Support
--- | --- | ---
Common Services | X | X
Management Center for Firewalls | X | X
Auto Update Server | X | X
Management Center for VPN Routers | X | X
Management Center for IDS Sensors | X | X
Monitoring Center for Security | X | X
Management Center for CSA | X | -
Resource Manager Essentials | X | X
Monitoring Center for Performance | X | X
Table 3. Minimum Hardware and OS Requirements for VMS Server

Windows
Hardware:
• IBM PC compatible with 1 GHz or faster Pentium CPU
• 1 GB memory
• 9 GB free hard drive space*
• CD-ROM drive
• Color monitor with video card capable of 16-bit color
• 10/100 BaseT or faster network connection
Operating System:
• Windows 2000 Server** or Windows 2000 Advanced Server**
• Service Pack 4
• NTFS file system
• 2 GB virtual memory

Solaris
Hardware:
• Sun UltraSPARC 60MP with 440 MHz or faster CPU, or Sun UltraSPARC III (Sun Blade 2000 Workstation or Sun Fire 280R Server)
• CD-ROM drive
• Color monitor with video card capable of 16-bit color
• 10/100 BaseT or faster network connection
Operating System:
• Sun Solaris 2.8 full installation
• Required patches: 108528-13, 108527-15

* The actual amount of hard drive space required depends on the number of VMS components you are installing and the number of devices you are managing and monitoring.
** Terminal Services in application mode must not be installed on the server when VMS 2.3 is installed. Terminal Services in other modes may be present on the server at installation time, but it has to be disabled during the installation.
Note: If virus scanning is turned on, the installation can take longer because of the virus scan operations. We recommend that virus scanning be turned off for a faster installation.
Server Sizing
Based on these factors, the recommended server sizing for each of these configurations should be examined more closely. Note that these specifications are minimum requirements for individual applications and are frequently exceeded in many deployments. The general rule is: if you must choose one metric that will have the greatest effect on performance, increase the amount of RAM. It is also necessary to pay attention to the scale limits of each application. If you are approaching some of those theoretical limits, consider increasing the horsepower of your VMS server(s). For example, it is not unreasonable to see a P4 2.2 GHz CPU with 4 GB of RAM running VMS applications. See Table 4 for a general guideline.
Table 4. Server Recommendations (Minimum) for VMS Configurations

Configuration | Small | Medium | Large | Extra Large
--- | --- | --- | --- | ---
CPU | P4 1 GHz | P4 2.5 GHz | Xeon 2 GHz | Dual/Quad Xeon
RAM | 1 GB | 2 GB | 2+ GB | 2-8 GB
Virtual Memory | 2 GB | 3 GB | 4 GB | 4 GB
Hard Disk Space | 9 GB | 20 GB | 40 GB with SCSI hard drive | 40 GB with SCSI RAID 5
Server Deployment-General Rules
In terms of application compatibility, there are several rules to follow:
• Common Services must be installed first
• All other applications must be installed on top of Common Services
Given these conditions, VMS can have extremely flexible deployments. All of the components can be installed and run on a single server, or each component can be installed on its own individual server. In general, neither extreme is recommended, and the deployment will depend on a number of factors:
1. Which applications do you actually need?
Although VMS provides a rich, comprehensive management solution, it is possible that not every component will be used. The first question that should be asked is: which applications will I use? Once this has been answered, you can choose to install only the modules that are needed. Figure 2 provides a table that defines the installation order based upon the different management options, when they are installed on a single server.
Figure 2. VMS Module Installation Matrix (components included in ( ) are optional)
Note: This table provides basic guidelines. Obviously, not all combinations and tools within VMS are covered - only those with installation order dependencies.
• Installation option 1: For VPN management, the monitoring component is handled by Monitoring Center for Performance. If monitoring is necessary, MCP needs to be installed.
• Installation option 2: For firewall management, AUS is only necessary if you want to take advantage of the auto-update feature for PIX Firewall configuration and software deployment.
• Installation option 3: For network and host-based IDS management, Security Monitor is necessary to monitor the events from all these components unless you plan to use other security information-management applications. It is always good practice to install Security Monitor on a separate server from the configuration server.
2. How many devices will each application manage?
If one of the applications you are using is approaching its theoretical scale limits (Table 5), it is a good idea to dedicate a server to that application. For obvious reasons of resource allocation and task distribution, it is best not to have other applications using valuable CPU resources if you are trying to manage a large number of devices.
For example, if you have an instance of Firewall MC installed that is managing 800 PIX firewalls, and you are also trying to roll out a hub-and-spoke VPN deployment across 600 router spokes, it is recommended to break these applications apart onto dedicated servers.
3. How many administrators will be using these applications?
In some multi-administrator environments, it makes sense to explore different deployment options for VMS. Since there are several VMS components involved, and each has a very distinct purpose, it is possible that there will be different security administrators using different applications. In this case, consider splitting these applications onto dedicated servers. This way, if one application is busy with a resource-intensive task such as generating configuration files, the second application will not suffer any degradation in performance.
4. What cost restrictions exist in terms of server procurement?
Does the organization using VMS have (or have the ability to get) multiple servers? In some cases, there may only be enough in the budget for one server. If this is the case, then it is always better to acquire a high-end server that exceeds the minimum system requirements. This allows room for growth, as well as improved performance.
More is Better
Ultimately, it is best to use multiple servers and split the applications across them in a way that makes sense, if at all possible. Generally, for better scalability, resource allocation, task distribution, and room for growth, more is better as long as it doesn't become cumbersome and unmanageable. Also keep in mind that, should you decide to combine multiple applications onto a single server, you will need to pay special attention to the hardware requirements of each application and adjust accordingly.
The following section discusses some basic deployment options and provides some general guidelines that cover most user scenarios (Figure 3). Keep in mind that these are simply recommendations and do not necessarily indicate that VMS must be deployed in this manner.
Figure 3. Server Deployment Options
Option 1-Single Server Deployment
For small-scale security environments with a single network security administrator, we recommend a single-server deployment. This has the benefit of low cost to the organization as well as ease of administration.
Option 2-2 Servers: Configuration and Monitoring
This deployment option breaks down the VMS applications by function: one server is dedicated to monitoring and the second server is dedicated to configuration.
1. Server 1: Monitoring
The first server in this deployment option is dedicated for monitoring. MCP is used for IPsec MIB monitoring and performance monitoring for Firewalls, while Security Monitor is used for consolidated event viewing of PostOffice IDS, Remote Data Exchange Protocol (RDEP) IDS, Cisco Security Agent, PIX, and Cisco IOS Syslog messages. The applications for this server are:
• Common Services
• MCP
• Security Monitor
• CSA (to protect the VMS server)
2. Server 2: Configuration and Inventory
This security management server is used to combine all of the VMS applications that assist in configuration. Regardless of whether the infrastructure is a VPN router, PIX Firewall, IDS sensor, or Cisco Security Agent, this server's primary function is configuration. The relevant applications are:
• Common Services
• RME
• Firewall MC
• AUS*
• Router MC
• IDS MC
• CSA MC
Option 3-3 Servers: Recommended for most environments
Since AUS is intended to manage remote firewalls, it can consume significant resources when many remote devices are contacting AUS for configuration, OS, or PDM updates. Also, AUS should be positioned on the DMZ of the network, so AUS can use one server by itself.
1. Server 1: Monitoring
• Common Services
• MCP
• Security Monitor
• CSA for protection
2. Server 2: Configuration/Inventory
• Common Services
• RME
• Firewall MC
• Router MC
• IDSMC
• CSA MC
3. Server 3: Auto Update
• Common Services
• AUS
• CSA for protection
* The primary purpose of AUS is to provide configuration and software updates to remote PIX firewalls. As such, it is frequently recommended to place the AUS within the organization's DMZ. If this is the case, we recommend using a dedicated server for AUS.
Option 4-3 Servers: Security Application Function (Not shown in Figure 3)
The fourth deployment option centers around splitting up the VMS applications according to the security technology (or infrastructure) managed. The first server deals with VPNs, which generally covers Cisco IOS Software-based VPN routers. The second server contains the applications used to manage Cisco PIX firewalls. Finally, the third server is dedicated to the management and monitoring of IDS, both network-based and host-based.
1. Server 1: VPN
• Common Services
• RME
• MCP
• Router MC
• CSA for protection
2. Server 2: Firewall
• Common Services
• Firewall MC
• AUS
• CSA for protection
3. Server 3: IDS
• Common Services
• IDS MC
• Security Monitor
• CSA MC
Option 5-4 Servers: Granular Management Control (Not Shown in Figure 3)
For even more granularity and scalability benefits, we recommend you further divide your deployment. The most important difference with this option is the use of a dedicated server for AUS since it is placed within a different subnet of the network.
1. Server 1: Configuration
• Common Services
• Firewall MC
• Router MC
• IDS MC
• CSA MC
2. Server 2: Inventory
• Common Services
• RME
• CSA for protection
3. Server 3: Monitoring
• Common Services
• MCP
• Security Monitor
• CSA for protection
4. Server 4: Remote Management (placed in DMZ)
• Common Services
• AUS
• CSA for protection
Keep in mind that these are only recommendations. There are numerous combinations and deployment options available, and each case should be considered on an individual basis. There will also be many cases where customers don't want to use all of the possible applications within VMS.
SCALING AND DEPLOYMENT CONSIDERATION
It is necessary to be aware of the hardware requirements for the VMS bundle as well as the software. There is also the inherent challenge of deciding how best to deploy the different applications in the solution. Since we have eleven installable software applications, there are numerous combinations in which to deploy them.
Keeping the minimum requirements in mind, the difference in recommended system specifications based upon different sized networks and configurations must also be examined. We will discuss three different sized configurations: small, medium, and large. The first consideration is scalability, or how many devices equate to a small, medium, or large configuration (see Table 6, 7 and 8).
Scaling
Each application within VMS has a different scalability metric. Table 5 provides the theoretical maximum for each application.
Table 5. Theoretical Scale Limits for VMS Applications

VMS Module | Scalability Metric (tested up to*)
--- | ---
IDS MC | 300 IDS sensors or IOS IPS
Security Monitor | 50 events/sec** (500 events/sec for bursts)
Firewall MC | 1000 PIX firewalls and FWSM (it is suggested not to generate or deploy for more than 300 devices at the same time in the case of a simple configuration, such as a PIX 501; if the configuration is medium to complex, performance will be lower, so deploy to a smaller number of devices at a time)
AUS | 1000 PIX firewalls
Router MC | 1000 routers
CSA MC | 100,000 Cisco Security Agents
RME | 5000 devices in inventory, 1000 devices for availability
MCP | 1000 devices (1000 routers and 4000 tunnels with a 25-minute polling cycle; if the number of routers/tunnels is reduced, the polling cycle is reduced as well. For 1000 PIX firewalls a 25-minute polling cycle is needed, and if the number of devices is lower the polling cycle is reduced as well. The polling cycle is the time taken to poll all the devices in MCP.)

* The theoretical scale limits are the limits the tools have been tested to. The numbers are stated as a guideline to guarantee reasonable performance and user experience. Although possible, it is not recommended to exceed these metrics.
** Security Monitor can absorb event volumes of up to 500 per second only for a limited period of time; for sustained higher event volumes, it is recommended that users consider a monitoring product from a partner vendor.
In general, these are not software-imposed limits, but rather the scale limitations based on software testing. For example, if you are using Router MC and want to add device number 1001, the software will still allow you to do so, but from a support standpoint it is not recommended.
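To make the capacity rules of this section concrete (the tested scale limits in Table 5, the rule from "How many devices will each application manage?" that an application approaching its limit gets a dedicated server, the Firewall MC advice not to deploy to more than 300 devices at a time, and the Security Monitor figures of 50 events/sec sustained and 500 events/sec in bursts), here is a small Python planning helper. It is an added example written for this page, not part of VMS or any Cisco tool. The 80% headroom threshold, the 60-second window used to define a "sustained" event rate, and the event timestamps it generates are assumptions constructed for illustration; the paper gives no such values.

```python
"""Capacity-planning helpers for a CiscoWorks VMS deployment (added example).

Encodes the tested scale limits from Table 5 and the planning rules from
"How many devices will each application manage?" so that a planned
inventory can be checked before servers are procured.
"""
from collections import Counter

# Tested scale limits per application (Table 5 of the paper).
SCALE_LIMITS = {
    "IDS MC": 300,        # IDS sensors or IOS IPS
    "Firewall MC": 1000,  # PIX firewalls and FWSM
    "AUS": 1000,          # PIX firewalls
    "Router MC": 1000,    # routers
    "CSA MC": 100_000,    # Cisco Security Agents
    "RME": 5000,          # devices in inventory
    "MCP": 1000,          # devices
}
# Firewall MC: do not generate/deploy for more than 300 devices at once (Table 5 note).
FWMC_MAX_DEPLOY_BATCH = 300
# Security Monitor: 50 events/sec sustained, 500 events/sec for short bursts (Table 5).
SECMON_SUSTAINED_EPS = 50
SECMON_BURST_EPS = 500

# ASSUMPTION: treat an application as "approaching its limit" at 80% of the
# tested figure. The paper gives no percentage; this threshold is illustrative.
DEFAULT_HEADROOM = 0.8


def scale_utilization(managed, headroom=DEFAULT_HEADROOM):
    """Compare planned device counts against Table 5 and flag applications
    that should get a dedicated server. `managed` maps application name to
    the number of devices (or agents) it will manage."""
    report = {}
    for app, count in managed.items():
        limit = SCALE_LIMITS[app]
        util = count / limit
        report[app] = {
            "utilization": round(util, 3),
            "dedicate_server": util >= headroom,
            "exceeds_tested_limit": count > limit,  # allowed, but unsupported
        }
    return report


def plan_servers(managed, headroom=DEFAULT_HEADROOM):
    """Return server groupings: every flagged application alone on its own
    server, all remaining applications sharing one server."""
    report = scale_utilization(managed, headroom)
    dedicated = sorted(a for a, r in report.items() if r["dedicate_server"])
    shared = sorted(a for a, r in report.items() if not r["dedicate_server"])
    plan = [[app] for app in dedicated]
    if shared:
        plan.append(shared)
    return plan


def fwmc_deploy_batches(devices, batch_size=FWMC_MAX_DEPLOY_BATCH):
    """Split a Firewall MC deployment job into batches no larger than the
    300-device figure from Table 5 (use a smaller batch for complex configs)."""
    return [devices[i:i + batch_size] for i in range(0, len(devices), batch_size)]


def secmon_event_rates(timestamps, window_s=60):
    """From event arrival times (seconds), return the peak events in any one
    second and the highest average rate over any window_s-second window.
    ASSUMPTION: a 60-second window is used to define a 'sustained' rate."""
    per_sec = Counter(int(t) for t in timestamps)
    if not per_sec:
        return 0, 0.0
    peak_1s = max(per_sec.values())
    lo, hi = min(per_sec), max(per_sec)
    best = max(
        sum(per_sec.get(s, 0) for s in range(start, start + window_s))
        for start in range(lo, hi + 1)
    )
    return peak_1s, best / window_s


def secmon_within_capacity(timestamps, window_s=60):
    """Check a captured event stream against Security Monitor's tested rates."""
    peak_1s, sustained = secmon_event_rates(timestamps, window_s)
    return {
        "peak_1s_eps": peak_1s,
        "sustained_eps": sustained,
        "burst_ok": peak_1s <= SECMON_BURST_EPS,
        "sustained_ok": sustained <= SECMON_SUSTAINED_EPS,
    }


def constructed_events(base_eps, seconds, burst_extra=0, burst_at=0):
    """Constructed (synthetic) event timestamps: a steady base_eps rate for
    `seconds` seconds plus an optional extra burst inside one second."""
    events = [s + i / base_eps for s in range(seconds) for i in range(base_eps)]
    events += [burst_at + i / burst_extra for i in range(burst_extra)]
    return events


if __name__ == "__main__":
    # The paper's own scenario: 800 PIX firewalls plus 600 VPN router spokes.
    inventory = {"Firewall MC": 800, "Router MC": 600, "IDS MC": 30}
    print(plan_servers(inventory))  # [['Firewall MC'], ['IDS MC', 'Router MC']]
    print([len(b) for b in fwmc_deploy_batches([f"pix-{i}" for i in range(800)])])
    stream = constructed_events(40, 60, burst_extra=200, burst_at=30)
    print(secmon_within_capacity(stream))
```

With the paper's scenario of 800 PIX firewalls and 600 router spokes, Firewall MC sits at 80% of its tested limit and is placed on its own server while Router MC and IDS MC share one, which is the split the paragraph above recommends. The Security Monitor check is meant to be fed the arrival times of events from a pilot period: a one-second spike of 240 events is within the 500 events/sec burst figure, but a steady 70 events/sec over a minute is above the 50 events/sec sustained figure and is the case in which footnote ** points to a partner product.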
Also note that the specifications for the minimum hardware requirements for VMS are provided based upon testing and performance statistics for just ONE (not all) of the applications in the bundle. For example, if you are using IDS MC to manage 300 sensors (the theoretical maximum), we do