 Feedback
|
Table Of Contents
Deployment Planning Guide for Cisco Security Manager 3.3
Cisco Security Manager 3.3 Applications
Understanding Security Manager Licensing
Licensing for RME and Performance Monitor
Factors which Affect Application Performance
Effect of Number of Processors/Cores on Performance
Effect of Memory Size on Performance
High-Availability/Disaster Recovery
Small Enterprise Reference Network
Medium Enterprise Reference Network
Large Enterprise Reference Network
Server and Client Hardware Recommendations
Deployment Planning Guide for Cisco Security Manager 3.3
Revised: September 30, 2009, OL-20258-01Introduction
This document provides guidance on planning a deployment of Cisco Security Manager 3.3.x. It includes these topics: recommended server and client sizing based on reference networks, deployment options for the set of applications included with Security Manager, licensing, advanced Security Manager tuning options, and case studies.
This document complements other Security Manager user documentation such as the User Guide for Cisco Security Manager 3.3 and the Installation Guide for Cisco Security Manager 3.3.
Cisco Security Manager 3.3 Applications
Cisco Security Manager 3.3 includes the following applications:
•
Common Services 3.2
Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to applications that include:
–
–
–
–
–
–
Common Services is required for all the applications included with Security Manager listed below.
For more information about Common Services, refer to the documentation located at http://www.cisco.com/en/US/products/sw/cscowork/ps3996/tsd_products_support_series_home.html.
•
Cisco Security Manager is an enterprise-class management application designed to configure firewall, VPN, and intrusion prevention system (IPS) security services on Cisco network and security devices. Security Manager uses a rich-client graphical user interface and requires Common Services 3.2.
For more information about Security Manager, refer to the documentation located at http://www.cisco.com/go/csmanager.
•
AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition:
–
–
AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls. AUS uses a browser-based, graphical user interface and requires Common Services 3.2.
For more information about AUS, refer to the documentation located at http://www.cisco.com/go/csmanager.
•
To support life cycle management, RME provides the ability to manage device inventory and audit changes, configuration files, software images—as well as syslog analysis. RME uses a browser-based graphical user interface. RME is also included with the CiscoWorks LAN Management Solution (LMS). There is useful deployment information about RME included in the CiscoWorks LAN Management Solution — Deployment Guide 3.0, although be aware that some information does not apply in the case of RME bundled with Security Manager.
For more information about RME, refer to the documentation located at http://www.cisco.com/en/US/products/sw/cscowork/ps2073/tsd_products_support_series_home.html.
•
Performance Monitor is a health and performance monitoring application with a special emphasis on security devices and services. Performance Monitor supports the ability to proactively detect network performance issues before they become critical; helps identify portions of the network which are overloaded and potentially require extra resources; and provides rich historical health and performance information for after-the-fact investigations and analyses. Performance Monitor supports monitoring remote-access VPNs, site-to-site VPNs, firewall, web server load-balancing, and SSL termination. Performance Monitor uses a browser-based, graphical user interface and requires Common Services 3.2.
For more information about Performance Monitor, refer to the documentation located at http://www.cisco.com/go/csmanager.
Related Applications
Other applications are available from Cisco that integrate with Security Manager to provide additional features and benefits:
•
•
•
Installers
Security Manager includes four different installers:
•
–
–
–
–
–
•
•
•
Detailed use of the Security Manager installer and RME installer is included in the Installation Guide for Cisco Security Manager 3.3, while use of the Performance Monitor installer is covered in the Installation and Release Notes for Cisco Performance Monitor 3.3.
Understanding Security Manager Licensing
It is important to understand Security Manager licensing when planning a deployment of Security Manager to ensure that you have the correct base license and number of device licenses for the number and type of devices you intend to manage. This section provides an overview of Security Manager licensing and some specific license examples.
Licensing Overview
There are three base versions of Cisco Security Manager Enterprise Edition:
•
•
•
The versions provide management for 5, 25, and 50 devices, respectively.
The Professional version supports incremental device license packages available in increments of 50, 100, 500, and 1000 devices. The Professional version also includes support for the management of Cisco Catalyst® 6500 Series switches and associated services modules; the Standard versions do not include this support.
Security Manager consumes a device license for the following:
•
•
•
•
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIM) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) do consume a license.
In the case of a Firewall Services Module (FWSM), the module itself consumes a license and then consumes an additional license for each additional security context. For example, an FSWM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it, too, will consume a license.
Unmanaged Devices
In Security Manager you can add unmanaged devices to the device inventory. An unmanaged device is a device for which you have deselected Manage in Cisco Security Manager under Device Properties. An unmanaged device does not consume a license.
Another class of unmanaged device is an object that is added to a topology map. You can use the Map > Add Map Object to add different types of objects on the map such as Clouds, Firewalls, Host, Network, and Router. These objects do not appear in the device inventory and do not consume a device license.
Active and Standby Servers
The license allows the use of the software on a single server. A standby Cisco Security Manager server, such as used in a high-availability or disaster recovery configuration, does not require a separate license if only one server is active at any one time.
Licensing for RME and Performance Monitor
Cisco Security Manager also includes a separate license file for RME and Performance Monitor. You are entitled to use these applications for the same number of devices you have purchased for Cisco Security Manager. When you order a Security Manager base product you receive a second Product Authorization Key (PAK) for the RME and Performance Monitor license.
Licensing Examples
This section provides some representative licensing examples to help better understand Security Manager licensing.
Example 1
Description of Managed Network: 15 Cisco Integrated Services Routers.
Required Licensing: Fifteen device licenses are required. Since there are no Catalyst 6500 services modules involved and there are fewer than 50 devices, order Standard-25 (CSMST25-3.3-K9).
Example 2
Description of Managed Network: 5 IDSM-2 modules, where each module has two virtual sensors.
Required Licensing: Ten licenses are required (10 virtual sensors split between five modules). Although Standard-25 might appear to be sufficient, because a Catalyst 6500 services module is involved, Pro-50 (CSMPR50-3.3-K9) as a minimum is required.
Example 3
Description of Managed Network: 350 ASAs operating in single-mode.
Required Licensing: 350 device licenses are required. You can order exactly 350 licenses by ordering Pro-50 (CSMPR50-3.3-K9) and 3 Inc-100s (CSMPR-LIC-100). However, it is less expensive to order Pro-50 and 1 Inc-500 (CSMPR-LIC-500), because the larger the incremental the lower the average cost per device license. Therefore, in some cases it is less expensive to order more licenses than actually required.
Example 4
Description of Managed Network: You have Security Manager Standard Edition - 5 device, but now you need to manage 20 ASAs operating in single-mode.
Required Licensing: Order CSMST25-3.3-K9 and optionally CON-SAS-CSM33SM for SAS coverage. There is no upgrade part number from Standard Edition - 5 device; however, you do not lose your original investment in the Standard Edition - 5 device, because you can combine the Standard 5 license with the Standard 25 license for a net result of Standard Edition - 30 device.
Example 5
Description of Managed Network: 20 ASAs deployed in a combination of active/standby and active/active pairs each with 5 security contexts.
Required Licensing: When deploying a pair of devices for redundancy, you only need to add the active device or context into Security Manager. As such the number of required device licenses is 10 devices x (5 contexts plus 1 chassis each) for a total of 60 licenses. Order Pro-50 and one Inc-50.
Note
Factors which Affect Application Performance
There are many factors that affect application performance. These include, but are not limited to the following:
•
•
•
•
•
•
•
•
•
Large geographic distances between a Security Manager client and server results in poor client responsiveness due to the latency introduced. For example, it is not recommended to use a client in India with a server located in California because of the large latency involved. In such cases, we recommend that you employ a remote desktop or terminal server arrangement, where the running clients are co-located in the same datacenter as the server or nearby at least.
Effect of Number of Processors/Cores on Performance
Performance improvements with Security Manager have been observed when going from a single processor/core to a dual/quad processor/core server.
Effect of Memory Size on Performance
Performance improvements with Security Manager have been observed with servers having 4 GB or more RAM installed on the system. Please see Table 1for additional hardware sizing recommendations.
Deployment Scenarios
There are various deployment scenarios possible for Security Manager applications. When deciding on a deployment scenario you should consider the following items:
•
•
If one of the applications you are using is approaching its scale limits (Table 5), it is a good idea to dedicate a server to that application. For obvious reasons of resource allocation and task distribution, it is best not to have other applications using valuable CPU and memory resources if you are trying to manage a large number of devices.
•
Active user sessions also place a load on the server and should be factored in when deciding on the deployment configuration. For example, an application may not have reached its limit due to the number of devices, but could be nearing maximum load due to simultaneous user sessions, which may warrant dedicating a server to the application.
•
If you reach the scale limits of a specific application installed on a dedicated server, you need to consider deploying multiple instances of the application on different servers. Each running instance of the application needs to be separately purchased and licensed.
Single Server
A single server is the simplest deployment scenario, where you install all Security Manager applications of interest on the same server. For small-scale security environments with one or two network security administrator, a single-server deployment is usually adequate.
Multiple Servers
For performance reasons you may choose to deploy the Security Manager applications of interest across multiple servers. One possible distribution of the applications is as follows:
•
–
–
–
•
–
–
•
–
–
Server A is dedicated for the Configuration and Inventory Management applications, namely Security Manager and RME. Server B is dedicated for monitoring. Monitoring tends to place a continuous and potentially heavy load on a server, so there are advantages to using a dedicated set of resources for monitoring. Server C is dedicated for AUS. Since AUS is intended to manage remote firewalls, it can be resource intensive when many remote devices are contacting AUS for configuration, OS, or DM updates. Also, AUS should normally be placed in the DMZ of the network, so this recommendation alone can lead to dedicating a server for AUS.
For situations where you are reaching the scale limits of either Security Manager or RME, you may also need to split these applications onto dedicated servers. For example, RME also includes a syslog analyzer that can be performance intensive depending on the rate of syslog messages directed at the server. If you intend to use the RME syslog analyzer function you may want to dedicate a server to RME.
High-Availability/Disaster Recovery
You can deploy Security Manager in a high-availability or disaster recovery configuration to significantly improve application availability and survivability in the event of a server, storage, network, or site failure. These deployment options are covered in detail the High Availability Installation Guide for Cisco Security Manager 3.3.
VMware Deployments
Security Manager supports running in VMware ESX Server 3.5 beginning with Security Manager 3.2.1. Other VMware environments such as VMware Server and VMware Workstation are not supported. You can use any server operating system supported by Security Manager as guest operating system for VMware.
The VMware qualification effort involved running the same set of performance and durability tests that are performed on Security Manager running on a regular non-virtualized server. Test results have shown that running Security Manager in VMware ESX Server 3.5 introduces a modest amount of application performance degradation which varies based on the size of the reference network involved and the specific test case. In a few test cases the performance actually improved, but this was more the exception than the rule. One area where the performance degradation was unusually large was the case of performing a deployment to a PIX or ASA device with a large number of rules (on the order of 5 to 50 thousands rules). In this case the deployment took roughly twice as long.
You should allocate 4 GB of memory to the virtual machine you use with Security Manager for all reference network sizes. In general you should follow the best practices documented in the VMware document: Performance Tuning Best Practices for ESX Server 3. However, you should avoid tuning any of the advanced VMware parameters, as the default values or settings are generally optimum.
It is also recommended to use one of the later generation servers with a processor that includes technology specifically designed to improve the efficiency of virtualization. For example, good results were obtained when testing Security Manager running in VMware ESX Server 3.5 on an Intel® Xeon® X5500 series Quad-core processor, which includes Intel® Virtualization Technology (IVT). AMD offers 64-bit x86 architecture processors with virtualization extensions, which they refer to as AMD Virtualization (AMD-V).
Client Deployment
The normal and recommended practice is to install and run the Security Manager client on a separate client machine. Security Manager only supports installing a single version of the client on a given machine, so you cannot, for example, have the client for both Security Manager 3.2 and 3.3 on the same machine. You can install and use the client on the server; however, this practice is suitable only for an SE size network and is not recommended for the larger ME or LE size networks.
As mentioned in Factors which Affect Application Performance, it may be necessary to deploy the client on a terminal server located near to the server to maintain acceptable performance, in the event that end users are located a large distance from the server which introduces significant latency (for example, intercontinental distances).
Reference Networks
Application performance and server and client sizing recommendations are affected by the size and composition of the network under management. Application performance was characterized for three different reference network configurations: Small Enterprise (SE), Medium Enterprise (ME), and Large Enterprise (LE) and a corresponding server and client specification. The characteristics of the three reference networks are defined below.
These reference networks consist of a mixture of dedicated firewall devices (for example, PIX, FWSM), dedicated IPS devices (for example, IPS 4200 Series), and multi-service (firewall, VPN, and IPS) routers. You should understand the following when you compare these reference networks to the makeup of your own network.
•
•
•
Small Enterprise Reference Network
The Small Enterprise Reference Network has the following makeup:
•
–
•
–
–
•
–
•
–
–
•
•
•
The Small Enterprise (SE) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 55 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.
Disclaimer: The above numbers are for inventory sizing only.
Medium Enterprise Reference Network
The Medium Enterprise Reference Network has the following makeup:
•
–
•
–
•
–
–
•
–
•
–
–
•
•
•
The Medium Enterprise (ME) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 65 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.
Disclaimer: The above numbers are for inventory sizing only.
Large Enterprise Reference Network
The Large Enterprise Reference Network has the following makeup:
•
–
•
–
•
–
–
•
–
•
–
–
–
–
–
–
•
•
•
•
The Large Enterprise (LE) Reference Network database file sizes were recorded as approximately 2.5 MB for the Common Services database (Cmf.db) file and 800 MB for the Cisco Security Manager database (Vms.db) file. These files are located under the $NMSROOT\databases directory on the server.
Disclaimer: The above numbers are for inventory sizing only.
Note
Number of Simultaneous Users
Security Manager supports multiple concurrent user sessions and has been specifically tested for 15 simultaneous users where:
•
•
•
Server and Client Hardware Recommendations
This section provides recommendations for the server and client hardware sizing based on the three reference network configurations.
Server Sizing
Table 1 provides basic recommendations on server sizing for Security Manager 3.3 based on the reference networks.
Note
Security Manager has only been performance characterized on servers with up to dual processors/quad cores. While adequate performance can be obtained using the server specifications noted in Table 1 for the Small Enterprise and Medium Enterprise reference networks, test results show you can obtain improved performance by using the Large Enterprise server specification also for the Small Enterprise and Medium Enterprise reference networks.
Client Sizing
Table 2 provides basic recommendations on client sizing for Security Manager based on the reference networks and assuming a single client running on the machine.
Security Manager Tuning
Security Manager includes several advanced parameters that you can modify to tune the application performance. For more information, please contact Cisco TAC.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2008-2009 Cisco Systems, Inc. All rights reserved.
