This chapter contains the following sections:
•Introduction to Component Applications
•Introduction to Related Applications
•Understanding Security Manager Licensing
Introduction to Component Applications
The Security Manager installer enables you to install certain applications and, when you do, requires that you install certain other applications. This section describes those applications and their interdependencies:
•CiscoWorks Common Services
•Cisco Security Manager
•Auto Update Server
•Cisco Security Agent
•Performance Monitor
•Resource Manager Essentials
CiscoWorks Common Services
CiscoWorks Common Services 3.3 (Common Services) is required for Security Manager 4.0, Resource Manager Essentials 4.3, Auto Update Server 4.0, and Performance Monitor 4.0 to work. You can install Security Manager only if Common Services is already installed on your system or if you select Common Services for installation along with Security Manager.
Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to Security Manager that include the following:
•An embedded SQL database
•The Apache webserver
•The Tomcat servlet engine
•The CiscoWorks home page
•Backup and restore functions
For more information, see the Common Services documentation at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html.
Cisco Security Manager
Cisco Security Manager is an enterprise-class management application designed to configure firewall, VPN, and intrusion prevention system (IPS) security services on Cisco network and security devices. Cisco Security Manager can be used in networks of all sizes—from small networks to large networks consisting of thousands of devices—by using policy-based management techniques. Cisco Security Manager works in conjunction with the Cisco Security Monitoring, Analysis, and Response System (MARS). Used together, these two products provide a comprehensive security management solution that addresses configuration management, security monitoring, analysis, and mitigation.
Note For more information about Security Manager, visit http://www.cisco.com/go/csmanager. For more information about Cisco Security MARS, visit http://www.cisco.com/go/mars.
To use Security Manager, you must install server and client software.
Security Manager offers the following features and capabilities:
•Service-level and device-level provisioning of VPN, firewall, and intrusion prevention systems from one desktop
•Device configuration rollback
•Network visualization in the form of topology maps
•Predefined and user-defined FlexConfig service templates
•Integrated inventory, credentials, grouping, and shared policy objects
•Convenient cross-launch access to related applications:
–When you install the server software, you also install read-only versions of the following device managers: Adaptive Security Device Manager (ASDM), PIX Device Manager (PDM), Security Device Manager (SDM), and IPS Device Manager (IDM).
–You can configure a cross launch to RME.
–You can collect data from Performance Monitor and display it in an inventory status window.
–You can add ASA and PIX devices from Security Manager to Auto Update Server (AUS).
•Integrated monitoring of events generated by ASA and IPS devices: you can selectively monitor, view, and examine events from ASA and IPS devices by using the Event Viewer feature, introduced in Security Manager 4.0.
Auto Update Server
If you choose to install AUS, you can install it on the same server where you install Security Manager or on a different server, such as a server in your DMZ. AUS and Security Manager can share device inventory information and other data. AUS uses a browser-based user interface and requires Common Services.
AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition, supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.
AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls.
For more information about AUS you can refer to the AUS documentation located at the Security Manager site: http://www.cisco.com/go/csmanager.
Cisco Security Agent
Cisco Security Agent provides host-based intrusion prevention. Regarding Security Manager, there are two versions of Cisco Security Agent—external and bundled:
•External Cisco Security Agent—Cisco Security Agent that is not installed as part of the Cisco Security Manager installation.
•Bundled Cisco Security Agent—Cisco Security Agent that is installed as part of the Cisco Security Manager installation. Bundled Cisco Security Agent is sometimes referred to as a "customized, standalone agent" because it is customized for Security Manager and because Management Center for Cisco Security Agents is not installed; thus, it is standalone.
If the server on which you install Security Manager does not already have the external version of Cisco Security Agent installed, the Security Manager installation program takes the following actions:
•On Windows 2003 R2 Enterprise Server (Service Pack 2)—32 bit, the installation program asks you whether or not you want to install Cisco Security Agent; if you do, the Security Manager installer installs the bundled version on your server; this version has pre-defined policies that you cannot change. To learn more about this bundled version, see "Bundled Cisco Security Agent: Overview."
•On Windows 2008 Enterprise Server (Service Pack 2)—32 bit and Windows 2008 Enterprise Server (Service Pack 2)—64 bit, the installation program does not install Cisco Security Agent.
If the server on which you install Security Manager does already have the external version of Cisco Security Agent installed, the installation program does not ask you whether or not you want to install Cisco Security Agent.
Performance Monitor
Cisco Security Manager includes the companion application Performance Monitor 4.0. Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor supports the ability to proactively detect network performance issues before they become critical; helps identify portions of the network which are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPNs, site-to-site VPNs, firewall, web server load-balancing, and SSL termination. Performance Monitor uses a browser-based user interface.
You can install Performance Monitor only after you install Common Services. Performance Monitor is installed by using a separate installation program, which is available after you install and then start Common Services.
The Security Manager media kit contains a combined Software License Claim Certificate for Performance Monitor and RME. To obtain Performance Monitor, go to http://www.cisco.com/go/csmanager, then locate and click Download Software. The downloadable binary package for Performance Monitor includes detailed documentation to help you install and use the software.
For more information about Performance Monitor, you can refer to the Performance Monitor documentation located at the Security Manager site: http://www.cisco.com/go/csmanager.
Resource Manager Essentials
Cisco Security Manager includes the companion application CiscoWorks Resource Manager Essentials (RME). RME provides lifecycle management of Cisco network devices. To support life cycle management, RME provides the ability to manage device inventory and audit changes, configuration files, and software images as well as syslog analysis. RME uses a browser-based user interface.
The Security Manager media kit contains a combined Software License Claim Certificate for Performance Monitor and RME. To obtain RME, go to http://www.cisco.com/go/csmanager, then locate and click Download Software. The downloadable binary package for RME includes detailed documentation to help you install and use the software.
RME is also included with the CiscoWorks LAN Management Solution (LMS). There is useful deployment information about RME included in the CiscoWorks LAN Management Solution Deployment Guide 3.0, although be aware that some information does not apply in the case of RME bundled with Security Manager. For more information, you can refer to http://www.cisco.com/en/US/products/sw/cscowork/ps2073/tsd_products_support_eol_series_home.html.
Introduction to Related Applications
Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:
•Cisco Security Monitoring, Analysis, and Response System (MARS)—Security Manager supports cross-linkages between policies and events with MARS for firewall and IPS. Using the Security Manager client, you can highlight specific firewall rules or IPS signatures and request to see the events related to those rules or signatures. Using MARS, you can select firewall or IPS events and request to see the matching rule or signature in Security Manager. These policy-event cross-linkages are especially useful for network connectivity troubleshooting, identifying unused rules, and signature tuning activities. The policy-event cross-linkage feature is explained in detail in the User Guide for Cisco Security Manager. For more information about MARS, visit http://www.cisco.com/go/mars.
•Cisco Secure Access Control System (ACS)—You can optionally configure Security Manager to use ACS for authentication and authorization of Security Manager users. ACS supports defining custom user profiles for fine-grained, role-based authorization control and the ability to restrict users to specific sets of devices. For details on configuring Security Manager and ACS integration, see Integrating Security Manager with Cisco Secure ACS. For more information about ACS, visit http://www.cisco.com/go/acs.
•Cisco Configuration Engine—Security Manager supports the use of the Cisco Configuration Engine as a mechanism for deploying device configurations. Security Manager deploys the delta configuration file to the Cisco Configuration Engine, where it is stored for later retrieval by the device. Devices such as Cisco IOS routers, PIX Firewalls, and ASA devices that obtain their addresses from a Dynamic Host Configuration Protocol (DHCP) server contact the Cisco Configuration Engine for configuration (and image) updates. You can also use Security Manager with Configuration Engine to manage devices that have static IP addresses. When using static IP addresses, you can discover the device from the network and then deploy configurations through Configuration Engine. For information about the Configuration Engine releases you can use with Security Manager, see the release notes for this version of the product at http://www.cisco.com/en/US/products/ps6498/prod_release_notes_list.html. For more information about the Configuration Engine, visit http://www.cisco.com/en/US/products/sw/netmgtsw/ps4617/index.html.
Understanding Security Manager Licensing
It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage. The following topics explain Security Manager licensing and provide some specific license examples:
•Effects of Licensing on Installation and Obtaining a License
There are four base versions of Cisco Security Manager Enterprise Edition; they provide management for 5, 10, 25, and 50 devices, respectively.
The Professional version supports incremental device license packages available in increments of 50, 100, and 250 devices. The Professional version also includes support for the management of Cisco Catalyst 6500 Series switches and associated services modules; the Standard versions do not include this support.
Security Manager consumes a device license when you add any of the following to the device inventory:
•Each physical device
•Each security context
•Each virtual sensor
Modules installed in a host device, such as Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, IPS Advanced Integration Modules (IPS AIM), and any other supported module for devices other than the AIP-SSC 5 and the Catalyst 6500, do not consume a license of their own; however, each additional virtual sensor (added after the first sensor) does consume a license.
In the case of a Firewall Services Module (FWSM), the module itself consumes a license and then consumes an additional license for each additional security context. For example, an FWSM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context.
The following are some additional special cases you should understand with respect to device licensing:
•Unmanaged Devices—In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager in the device properties. An unmanaged device does not consume a license.
Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object command to add different types of objects on the map such as network clouds, firewalls, hosts, networks, and routers. These objects do not appear in the device inventory and do not consume a device license.
•Active and Standby Servers—The license allows the use of the software on a single server. A standby Cisco Security Manager server, such as used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time.
•Licensing for RME and Performance Monitor—Cisco Security Manager also includes a separate license file for RME and Performance Monitor. You are entitled to use these applications for the same number of devices that you have purchased for Cisco Security Manager. When you order a Security Manager base product you receive a second Product Authorization Key (PAK) for the RME and Performance Monitor license.
Effects of Licensing on Installation and Obtaining a License
All customers need to procure a new license (or licenses) for Security Manager 4.0 irrespective of whether they have a valid license for any of the (older) Security Manager 3.x releases. With the exception of incremental licenses, existing Security Manager 3.x licenses are not valid for Security Manager 4.0.
Note For complete information on the types of licenses available and the various supported upgrade paths, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see the product bulletin for this version of Security Manager at http://www.cisco.com/en/US/products/ps6498/prod_bulletins_list.html.
Two license types, Standard and Professional, are available, in addition to a free 90-day evaluation period that is restricted to 50 devices.
•Security Manager has one base license file and as many other additional licenses as you might purchase. To obtain the base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package.
–If you are a registered Cisco.com user, start here:
–If you are not a registered Cisco.com user, start here:
After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.
•Common Services does not require a license file.
•Auto Update Server does not require a license file.
•The Security Manager media kit contains a combined Software License Claim Certificate for Performance Monitor and RME. When you register Security Manager, you should also obtain the combined license file for Performance Monitor and RME. You can install the applications from the product DVD, or you can obtain the software by going to http://www.cisco.com/go/csmanager, clicking Download Software, and downloading the applications.
License limits are imposed when you exceed the allotted time (in the case of the evaluation license), or the number of devices that your license allows you to manage. The evaluation license provides the same privileges as the Professional Edition license. You must register Security Manager as soon as you can within the first 90 days and for the number of devices that you need to ensure uninterrupted use of the product. Each time you start the application, you are reminded of how many days remain on your evaluation license and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you cannot log in until you upgrade your license.
To learn how to install a license file, see Updating Security Manager, Performance Monitor, and RME Licenses.
Note When installing a license, you must stage the license file on a disk that is local to your Security Manager server. Security Manager does not see mapped drives if you use it to browse directories on your server. Windows imposes this limitation, which serves to improve Security Manager performance and security.
Getting Help with Licensing
For licensing problems with Security Manager, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):
•Phone: +1 (800) 553-2447
Effect of Enabling Event Management
If you enable Event Management on your Security Manager server, you cannot use that server for any of the following services:
•Syslog on CiscoWorks Common Services
•Syslog on CiscoWorks Resource Manager Essentials (RME)
•Syslog on Performance Monitor
During the installation or upgrade of Security Manager, the Common Services syslog service port is changed from 514 to 49514. Later, if Security Manager is uninstalled, the port is not reverted to 514. Additional information regarding ports is available in Table 2-1 and in Table A-1.
If the amount of RAM available to the operating system is insufficient, Event Viewer is disabled (see details in Table 2-3); however, the Common Services syslog service port is still changed.
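Because the syslog port move to 49514 is not reverted on uninstall, and because Event Viewer can be disabled while the port change still takes effect, it is worth confirming on the server which process actually owns UDP 514 and UDP 49514. The following check is an added example and is not part of the Cisco installation guide; it assumes a PowerShell 2.0 or later session with administrator rights on the Security Manager server (elevation is needed for netstat to report owning PIDs) and only the port numbers stated above. The process names it reports are whatever netstat and Get-Process return; no particular service name is assumed.

```powershell
# Added example (not Cisco's code): report which process owns UDP 514 and UDP 49514
# on a Security Manager server. Use it after install or upgrade to confirm that the
# Common Services syslog service moved to 49514, and after an uninstall to see who
# still holds 514 (the guide notes the port is not changed back).
# Assumptions: elevated PowerShell 2.0+ session on the server; ports as stated in the guide.

function Get-UdpListener {
    param([int[]]$Port = @(514, 49514))

    # netstat -a lists listening sockets, -n keeps addresses numeric,
    # -o appends the owning PID, -p UDP restricts output to UDP rows.
    $rows = netstat -a -n -o -p UDP

    foreach ($p in $Port) {
        $found = $false
        foreach ($row in $rows) {
            # Constructed sample of a netstat row this pattern matches:
            #   "  UDP    0.0.0.0:514            *:*                                    1234"
            # Group 1 = local address, group 2 = local port, group 3 = owning PID.
            if ($row -match '^\s*UDP\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$' -and [int]$matches[2] -eq $p) {
                $found = $true
                $ownerPid = [int]$matches[3]
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                $name = '<exited>'
                $path = $null
                if ($proc) {
                    $name = $proc.ProcessName
                    $path = $proc.Path   # may be empty for protected system processes
                }
                New-Object PSObject -Property @{
                    Port         = $p
                    LocalAddress = $matches[1]
                    OwnerPid     = $ownerPid
                    ProcessName  = $name
                    ProcessPath  = $path
                }
            }
        }
        if (-not $found) {
            # Nothing bound: after an uninstall this is the expected state for 514
            # unless another syslog receiver has been installed.
            New-Object PSObject -Property @{
                Port         = $p
                LocalAddress = $null
                OwnerPid     = $null
                ProcessName  = '<not listening>'
                ProcessPath  = $null
            }
        }
    }
}

Get-UdpListener | Format-Table Port, LocalAddress, OwnerPid, ProcessName, ProcessPath -AutoSize
```

Read the result against the intended design: after a Security Manager install with Event Management enabled, 49514 should be held by the Common Services syslog process and 514 by the Security Manager event collector; after an uninstall, 514 reported as <not listening> while 49514 is still bound tells you the port change survived, as the guide warns, and that any syslog sources still pointed at 514 on this host are now being dropped.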