Product Overview
Note |
From version 4.21 onwards, Cisco Security Manager ends all support, including bug fixes and enhancements, for Aggregation Services Routers, Integrated Services Routers, Embedded Services Routers, and any other device running Cisco IOS software, including the following devices:
|
Caution |
From version 4.18, Cisco Security Manager does not support the SFR module from ASA 9.10(1) onwards on the ASA 5512, ASA 5506, ASA 5506H, and ASA 5506W models. Therefore, if you upgrade one of these devices to 9.10(1) through Image Manager, its existing SFR configuration is lost. |
Cisco Security Manager (Security Manager) enables you to manage security policies on Cisco security devices. Security Manager supports integrated provisioning of firewall and VPN (site-to-site, remote access, and SSL) services across ASA security appliances.
For a complete list of devices and OS versions supported by Security Manager, please refer to Supported Devices and Software Versions for Cisco Security Manager on Cisco.com.
Security Manager also supports provisioning of many platform-specific settings, for example, interfaces, routing, identity, QoS, logging, and so on.
Security Manager efficiently manages a wide range of networks, from small networks consisting of a few devices to large networks with thousands of devices. Scalability is achieved through a rich feature set of shareable objects and policies and device grouping capabilities.
Security Manager supports multiple configuration views optimized around different task flows and use cases.
The following topics provide an overview of Security Manager:
Primary Benefits of Cisco Security Manager
These are the primary benefits of working with Security Manager:
-
Scalable network management—Centrally administer security policies and device settings for either small networks or large-scale networks consisting of thousands of devices. Define policies and settings once and then optionally assign them to individual devices, groups of devices, or all the devices in the enterprise.
-
Provisioning of multiple security technologies across different platforms—Manage VPN, firewall, and IPS technologies on routers, security appliances, Catalyst devices and service modules, and IPS devices.
-
Provisioning of platform-specific settings and policies—Manage platform-specific settings on specific device types. For example: routing, 802.1x, EzSDD, and Network Admission Control on routers, and device access security, DHCP, AAA, and multicast on firewall devices.
-
VPN wizards—Quickly and easily configure point-to-point, hub-and-spoke, full-mesh, and Extranet site-to-site VPNs across different VPN device types. Quickly and easily configure remote access IPsec and SSL VPNs on ASA, IOS, and PIX devices.
-
Multiple management views—Device, policy, and map views enable you to manage your security in the environment that best suits your needs.
-
Reusable policy objects—Create reusable objects to represent network addresses, device settings, VPN parameters, and so on, then use them instead of manually entering values.
-
Device grouping capabilities—Create device groups to represent your organizational structure. Manage all devices in the groups concurrently.
-
Policy inheritance—Centrally specify which policies are mandatory and enforced lower in the organization.
-
Role-based administration—Enable appropriate access controls for different operators.
-
Workflow—Optionally allow division of responsibility and workload between network operators and security operators and provide a change management approval and tracking mechanism.
-
Ticket Management—Associate a ticket ID with policy changes, easily add and update comments pertaining to those changes, and quickly navigate to an external change management system from Security Manager.
-
Single, consistent user interface for managing common firewall features—Single rule table for all platforms (router, PIX, ASA, and FWSM).
-
Image management—Complete image management for ASA devices. Image Manager supports every stage of a device image upgrade: downloading images and maintaining an image repository, evaluating images, analyzing the impact of an upgrade, preparing and planning reliable and stable device upgrades, and ensuring adequate fallback and recovery mechanisms.
-
Intelligent analysis of firewall policies—The conflict detection feature analyzes the rule table and reports rules that overlap or conflict with other rules. The ACL hit count feature checks in real time whether specific rules are being hit by traffic.
-
Sophisticated rule table editing—In-line editing, and the ability to cut, copy, and paste rules and to change their order in the rule table.
-
Discover firewall policies from device—Policies that exist on the device can be imported into Security Manager for future management.
-
Flexible deployment options—Support for deployment of configurations directly to a device or to a configuration file. You can also use Auto-Update Server (AUS), Configuration Engine, or Token Management Server (TMS) for deployment.
-
Rollback—Ability to roll back to a previous configuration if necessary.
-
FlexConfig (template manager)—Intelligent CLI configlet editor to manage features available on a device but not natively supported by Security Manager.
-
Integrated device monitoring and reporting—Features for monitoring events on IPS, ASA, and FWSM devices and correlating them to the related configuration policies, and for creating security and usage reports. These features include the following stand-alone Security Manager applications:
-
Event Viewer—Event Viewer monitors your network for system log (syslog) events from ASA and FWSM devices, as well as security contexts and SDEE events from IPS devices and virtual sensors. Event Viewer collects these events and provides an interface by which you can view them, group them, and examine their details in near real time.
-
Report Manager—Report Manager lets you collect, display and export a wide variety of network usage and security information for ASA and IPS devices, and for ASA-hosted remote-access IPsec and SSL VPNs. These reports aggregate security data such as top sources, destinations, attackers, victims, as well as security information such as top bandwidth, duration, and throughput users. Data is available for hourly, daily, and monthly periods. (Report Manager aggregates information collected from devices monitored by the Event Manager service. Thus, to view reports about a device, you must be monitoring that device in Event Viewer.)
-
Note |
Report Manager does not report FWSM events even though Event Viewer works with FWSM. |
-
Health and Performance Monitor—Health and Performance Monitor (HPM) periodically polls monitored ASA devices, IPS devices, and ASA-hosted VPN services for key health and performance data, including critical and non-critical issues, such as memory usage, interface status, dropped packets, tunnel status, and so on. This information is used for alert generation and email notification, and to display trends based on aggregated data, which is available for hourly, daily, and weekly periods.
Note |
Health and Performance Monitor does not monitor FWSM devices. |
-
Dashboard—The Dashboard is a configurable launch point for Security Manager that makes IPS and FW tasks more convenient for you. In addition to the original dashboard, you can create new, additional dashboards, and you can customize all dashboards. By using the dashboard, you can accomplish in one place many tasks that are found in several other areas of Security Manager, such as the IPS Health Monitor page, Report Manager, Health and Performance Monitor, and IP Intelligence Settings. For detailed information on the dashboard, see Dashboard Overview.
Additional features let you monitor devices from Security Manager using other closely related applications, including Cisco Security Monitoring, Analysis and Response System (CS-MARS), Cisco Performance Monitor, and device managers such as ASDM (read-only versions of which are included with Security Manager).
Security Manager Policy Feature Sets
Security Manager provides the following primary feature sets for configuration policies:
Firewall Services
Configuration and management of firewall policies across multiple platforms, including IOS routers, ASA/PIX devices, and Catalyst Firewall Services Modules (FWSMs). Features include:
-
Access control rules—Permit or deny traffic on interfaces through the use of access control lists for both IPv4 and IPv6 traffic.
-
Botnet Traffic Filter rules—(ASA only.) Filter traffic based on known malware sites and optionally drop traffic based on threat level.
-
Inspection rules—Filter TCP and UDP packets based on application-layer protocol session information.
-
AAA/Authentication Proxy rules—Filter traffic based on authentication and authorization for users who log into the network or access the Internet through HTTP, HTTPS, FTP, or Telnet sessions.
-
Web filtering rules—Use URL filtering software, such as Websense, to deny access to specific web sites.
-
ScanSafe Web Security—(Routers only.) Redirect HTTP/HTTPS traffic to the ScanSafe web security center for content scanning and malware protection services.
-
Transparent firewall rules—Filter Layer 2 traffic on transparent or bridged interfaces.
-
Zone-based firewall rules—Configure access, inspection, and web filtering rules based on zones rather than on individual interfaces.
For more information, see Introduction to Firewall Services.
Site-to-Site VPN
Setup and configuration of IPsec site-to-site VPNs. Multiple device types can participate in a single VPN, including IOS routers, PIX/ASA devices, and Catalyst VPN Services Modules. Supported VPN topologies are:
-
Point to point
-
Hub and spoke
-
Full mesh
-
Extranet (a point-to-point connection to an unmanaged device)
Supported IPsec technologies are:
-
Regular IPsec
-
GRE
-
GRE Dynamic IP
-
DMVPN
-
Easy VPN
-
GET VPN
For more information, see Managing Site-to-Site VPNs: The Basics.
Remote Access VPN
Setup and configuration of IPsec and SSL VPNs between a VPN headend and remote workstations running the Cisco VPN Client or AnyConnect client software. For more information, see Managing Remote Access VPNs: The Basics.
Intrusion Prevention System (IPS) Management
Management and configuration of Cisco IPS sensors (appliances and service modules) and IOS IPS devices (Cisco IOS routers with IPS-enabled images and Cisco Integrated Services Routers).
For more information, see Overview of IPS Configuration and Overview of Cisco IOS IPS Configuration.
Features Specific to Firewall Devices (PIX/ASA/FWSM)
Configuration of advanced platform-specific features and settings on PIX/ASA devices and Catalyst FWSMs. These features provide added value when managing security profiles and include:
-
Interface configuration
-
Identity-aware firewall settings
-
Device administration settings
-
Security
-
Routing
-
Multicast
-
Logging
-
NAT
-
Bridging
-
Failover
-
Security contexts
For more information, see Managing Firewall Devices.
Features Specific to IOS Routers
Configuration of advanced platform-specific features and settings on IOS routers. These features provide added value when managing security profiles and include:
-
Interface configuration
-
Routing
-
NAT
-
802.1x
-
NAC
-
QoS
-
Dialer interfaces
-
Secure device provisioning
For more information, see Managing Routers.
Features Specific to Catalyst 6500/7600 Devices and Catalyst Switches
Configuration of VLAN, network connectivity, and service module features and settings on Catalyst 6500/7600 devices and on other Catalyst switches.
For more information, see Managing Cisco Catalyst Switches and Cisco 7600 Series Routers.
FlexConfigs
FlexConfig policies and policy objects enable you to provision features that are available on the device but not natively supported by Security Manager. They let you manually specify a set of CLI commands and deploy them to devices using Security Manager's provisioning mechanisms. These commands can be either prepended or appended to the commands that Security Manager generates to provision security policies.
For more information, see Managing Flexconfigs.
Security Manager Applications Overview
The Security Manager client has six main applications and one application designed for mobile devices:
-
Configuration Manager—This is the primary application. You use Configuration Manager to manage the device inventory, create and edit local and shared policies, manage VPN configurations, and deploy policies to devices. Configuration Manager is the largest of the applications and most of the documentation addresses this application. If a procedure does not specifically mention an application, the procedure is using Configuration Manager. For an introduction to Configuration Manager, see Using Configuration Manager - Overview.
-
Event Viewer—This is an event monitoring application, where you can view and analyze events generated from IPS, ASA, and FWSM devices that you have configured to send events to Security Manager. For information about using Event Viewer, see Viewing Events.
-
Report Manager—This is a reporting application, where you can view and create reports of aggregated information on device and VPN statistics. Much of the information is derived from events available through Event Viewer, but some of the VPN statistics are obtained by communicating directly with the device. For information about using Report Manager, see Managing Reports.
-
Health & Performance Monitor—The HPM application lets you monitor key health and performance data for ASA (including ASA-SM) devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information. This ability to monitor key network and device metrics lets you quickly detect and resolve device malfunctions and bottlenecks in the network. See Health and Performance Monitoring for more information about this application.
-
Image Manager—The Image Manager application provides complete image management of ASA devices. It facilitates downloading, evaluating, analyzing, preparing, and planning image updates. It assesses image availability, compatibility, and impact on devices and provides scheduling, grouping, and change management of device updates. In addition, Image Manager includes capabilities for maintaining an image repository as well as for ensuring stable fallback and recovery mechanisms for image updates on ASA devices. For information about using Image Manager, see Using Image Manager.
-
Dashboard—The Dashboard is a configurable launch point for Security Manager that makes IPS and FW tasks more convenient for you. In addition to the original dashboard, you can create new, additional dashboards, and you can customize all dashboards. By using the dashboard, you can accomplish in one place many tasks that are found in several other areas of Security Manager, such as the IPS Health Monitor page, Report Manager, Health and Performance Monitor, and IP Intelligence Settings. For detailed information on the dashboard, see Dashboard Overview.
You can open any of these applications directly from the Windows Start menu or a desktop icon, or you can open them from within any of these applications through the application’s Launch menu. For information on opening applications, see Logging In to and Exiting Security Manager.
The Security Manager client has an additional application, CSM Mobile, which is designed specifically for mobile devices:
-
CSM Mobile—CSM Mobile allows you to access device health summary information from mobile devices. The information available to you in this way is the same as that available in the Device Health Summary widget in the Dashboard: current high or medium severity active alerts generated by HPM. Alerts can be grouped by Alert-Description, Predefined-Category, Device, or Alert Technology. For more information on CSM Mobile, see CSM Mobile. For more details on device health summary information, see Dashboard Overview. For information on enabling or disabling CSM Mobile, see CSM Mobile Page.
Device Monitoring Overview
Security Manager includes several facilities for monitoring devices:
-
Event Viewer—This integrated tool allows you to view events on ASA, FWSM, and IPS devices and correlate them to the related configuration policies. This helps you identify problems, troubleshoot configurations, and then fix the configurations and redeploy them. For more information, see Viewing Events.
-
Report Manager—This is a reporting application, where you can view and create reports of aggregated information on device and VPN statistics. Much of the information is derived from events available through Event Viewer, but some of the VPN statistics are obtained by communicating directly with the device. For information about using Report Manager, see Managing Reports.
For information on all of the types of reports available in Security Manager, see Understanding the Types of Reports Available in Security Manager.
-
Health & Performance Monitor—The HPM application lets you monitor key health and performance data for ASA (including ASA-SM) devices, IPS devices, and VPN services by providing network-level visibility into device status and traffic information. See Health and Performance Monitoring for more information about this application.
-
Dashboard—The Dashboard is a configurable launch point for Security Manager that makes IPS and FW tasks more convenient for you. In addition to the original dashboard, you can create new, additional dashboards, and you can customize all dashboards. By using the dashboard, you can accomplish in one place many tasks that are found in several other areas of Security Manager, such as the IPS Health Monitor page, Report Manager, Health and Performance Monitor, and IP Intelligence Settings. For detailed information on the dashboard, see Dashboard Overview.
-
Packet Tracer—You can use this tool to test whether certain types of packets will be allowed to go through an ASA device. For more information, see Analyzing an ASA or PIX Configuration Using Packet Tracer.
-
Ping, Trace route, and NS Lookup—You can use ping and traceroute on a managed device to check whether there is a route between the device and a specific destination. You can use NS lookup to resolve addresses to DNS names. For more information, see Analyzing Connectivity Issues Using the Ping, Trace Route, or NS Lookup Tools.
-
Cisco Prime Security Manager (PRSM) Integration—You can “cross launch” PRSM from the Configuration Manager application. The PRSM application is used to configure and manage ASA CX devices. For more information, see Launching Cisco Prime Security Manager or FireSIGHT Management Center.
-
Device Manager Integration—Security Manager includes read-only copies of the various device managers, such as Adaptive Security Device Manager (ASDM). You can use these tools to view device status, but not to change the device configuration. For more information, see Starting Device Managers.
-
Cisco Security Monitoring, Analysis and Response System (CS-MARS) Integration—If you use the CS-MARS application, you can integrate it with Security Manager and view events in CS-MARS from Security Manager, and conversely, Security Manager policies related to events from CS-MARS. For more information, see Integrating CS-MARS and Security Manager.
IPv6 Support in Security Manager
Security Manager's support for IPv6 configuration, monitoring, and reporting has expanded over successive releases.
Beginning with version 4.12, Security Manager supports communication from the Security Manager server to managed devices over either an IPv6 or an IPv4 address. This feature is available only for firewall devices, that is, devices whose OS type is ASA or FWSM. To enable communication over IPv6, you must first configure an IPv6 address on the Security Manager server. See Configuring IPv6 on Security Manager Server for more information.
Note |
Communication between the Security Manager server and the Security Manager client uses IPv4 only; IPv6 is not supported for server-to-client communication. Likewise, if an ACS server is used for authentication, the ACS server must have an IPv4 address, because IPv6 communication to ACS is not supported. Auto Update Server (AUS) does not support IPv6 addresses. |
For versions prior to 4.12, to manage a device that supports IPv6 addressing, you must configure the device's management address in Security Manager as an IPv4 address. All communication between the device and Security Manager, such as policy discovery and deployment, uses IPv4 transport. If IPv6 policies do not appear for a supported device, rediscover the device's policies; if necessary, delete the device from the inventory and add it again.
Configuring IPv6 on Security Manager Server
Follow these steps to configure IPv6 on the Security Manager server so that it can communicate with devices over IPv6.
Procedure
Step 1 |
On the Security Manager server, go to . |
Step 2 |
Click the available Network Connection to open the Ethernet Status window, and then click Properties. The Ethernet Properties window appears. |
Step 3 |
On the Networking tab, check the Internet Protocol Version 6 (TCP/IPv6) check box, and then click Properties. The Internet Protocol Version 6 (TCP/IPv6) Properties window appears. |
Step 4 |
Configure the IPv6 static address and DNS servers, and click OK. |
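The same change as a script, as an added example that is not part of the Cisco Security Manager documentation: it uses the Windows NetAdapter, NetTCPIP, and DnsClient cmdlets to apply the static IPv6 address and DNS servers from Step 4, waits for the address to pass duplicate address detection, and then checks that a managed ASA answers over IPv6. The interface alias, every address, and the management port (assumed here to be TCP 443, the HTTPS port Security Manager uses to reach an ASA) are assumptions for illustration. It keeps the adapter's existing IPv4 DNS servers, because the Security Manager client, ACS authentication, and AUS still require IPv4. Run it in an elevated PowerShell session on the server.

```powershell
# Added example, not from the Cisco Security Manager documentation.
# Configures a static IPv6 address and DNS servers on the Security Manager server
# (the equivalent of Steps 1-4 above) and verifies that a managed ASA is reachable
# over IPv6. Every address, the interface alias, and the port are assumptions.
# Run in an elevated PowerShell session on the server.

$InterfaceAlias = 'Ethernet'             # assumption: adapter used to reach managed devices
$ServerIPv6     = '2001:db8:10::50'      # assumption: static address for the Security Manager server
$PrefixLength   = 64
$GatewayIPv6    = '2001:db8:10::1'       # assumption: IPv6 default gateway
$DnsIPv6        = @('2001:db8:10::53')   # assumption: IPv6 DNS server(s)
$AsaMgmtIPv6    = '2001:db8:20::1'       # assumption: management address of a managed ASA
$AsaPort        = 443                    # assumption: HTTPS port Security Manager uses to reach the ASA

# Equivalent of the TCP/IPv6 check box in Step 3: make sure IPv6 is bound to the adapter.
Enable-NetAdapterBinding -Name $InterfaceAlias -ComponentID 'ms_tcpip6'

# Step 4, static address: add it only if it is not already present, so the script can be re-run.
$present = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress -eq $ServerIPv6 }
if (-not $present) {
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 `
        -IPAddress $ServerIPv6 -PrefixLength $PrefixLength -DefaultGateway $GatewayIPv6 | Out-Null
}

# Step 4, DNS servers: keep the existing IPv4 servers, because the Security Manager client,
# ACS authentication, and AUS still need IPv4 (see the Note above), and add the IPv6 servers.
$ipv4Dns = @((Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses)
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses ($ipv4Dns + $DnsIPv6)

# Check 1: wait for duplicate address detection; a Tentative or Duplicate address is not usable.
$deadline = (Get-Date).AddSeconds(15)
do {
    $addr = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -eq $ServerIPv6 }
    if ($addr -and $addr.AddressState -eq 'Preferred') { break }
    Start-Sleep -Seconds 1
} while ((Get-Date) -lt $deadline)
if (-not $addr -or $addr.AddressState -ne 'Preferred') {
    throw "IPv6 address $ServerIPv6 is not usable (state: $($addr.AddressState)); check for a duplicate on the segment."
}

# Check 2: the managed ASA answers on the management port over IPv6.
$probe = Test-NetConnection -ComputerName $AsaMgmtIPv6 -Port $AsaPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "No TCP/$AsaPort reachability to $AsaMgmtIPv6 over IPv6; check IPv6 routing and the ASA's management access rules."
}
Write-Host "Security Manager server $ServerIPv6 can reach $AsaMgmtIPv6 on TCP/$AsaPort over IPv6."
```

The duplicate address detection wait matters: Windows leaves a freshly added address in the Tentative state for about a second, and a Duplicate address is silently unusable, so a device added to Security Manager immediately afterwards would fail discovery with a misleading connectivity error.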
Configuring IPv6 Policies
In general, you can configure IPv6 policies on the following types of device. In addition, you can monitor IPv6 alerts generated by IPS, ASA, and FWSM devices. For other types of devices, use FlexConfig policies to configure IPv6 settings. For more specific information on IPv6 device support, see the Supported Devices and Software Versions for Cisco Security Manager document on Cisco.com.
-
ASA—Release 7.0+ when running in routed mode; release 8.2+ when running in transparent mode. Both single-context and multiple-context devices are supported.
-
FWSM—Release 3.1+ when running in routed mode. Not supported in transparent mode. Both single-context and multiple-context devices are supported.
-
IPS—Release 6.1+.
Following is a summary of the Security Manager features that support IPv6 addressing:
-
Policy Objects—The following policy objects support IPv6 addresses:
-
Networks/Hosts. See Understanding Networks/Hosts Objects.
-
Services. This object includes predefined services for ICMP6 and DHCPv6, which you can use only with IPv6 policies. The other services apply to both IPv4 and IPv6. For more information on service objects, see Understanding and Specifying Services and Service and Port List Objects.
-
Firewall Services Policies—The following Firewall Services policies and tools support IPv6 configurations:
-
AAA Rules. See Managing Firewall AAA Rules.
-
Access Rules. See Configuring Access Rules.
-
Inspection Rules. See Managing Firewall Inspection Rules.
-
Control. See
-
Tools:
-
Hit Count. See Viewing Hit Count Details.
-
Find and Replace. See Finding and Replacing Items in Rules Tables.
-
ASA and FWSM Policies—The following ASA and FWSM policies support IPv6 configurations:
-
(ASA 7.0+ routed mode; ASA 8.2+ transparent mode; FWSM 3.1+ routed mode.) Interfaces: IPv6 tab of the Add Interface and Edit Interface dialog boxes. See Configuring IPv6 Interfaces (ASA/FWSM).
-
(ASA only.) See Managing the IPv6 Neighbor Cache.
-
(ASA 5505 8.2/8.3 only.) See Management IPv6 Page (ASA 5505).
-
(ASA 8.4.2+ only.) See DNS Page.
-
FlexConfig Policies—There are two Firewall system variables that you can use to identify IPv6 ACLs on a device. For more information, see FlexConfig System Variables.
There is also a predefined FlexConfig policy object that uses these variables, ASA_add_IPv6_ACEs.
-
Event Viewer—Events that include IPv6 addresses are supported, and the addresses are displayed in the same columns as IPv4 addresses: Source, Destination, and IPLog Address (for IPS alerts). However, you must configure the device to use IPv4 for sending events to the Security Manager server. All event communications use IPv4 transport. For more information on Event Viewer, see Viewing Events.
-
Dashboard—On the Dashboard, all the widgets that use IP addressing support IPv6 addresses. However, as is true elsewhere in Security Manager, you must configure the device to use IPv4 for sending events to the Security Manager server. All event communications use IPv4 transport. For more information on the Dashboard, see Dashboard Overview.
-
Report Manager—Reports include statistics for IPv6 events collected by Event Management. For more information on Report Manager, see Managing Reports.
Policy Object Changes in Security Manager 4.4
Certain changes were made to a few policies and policy objects in Security Manager 4.4, in order to unify previously separate IPv4 and IPv6 elements. The most important of these changes are to the Networks/Hosts object (which itself represents a unification of the Networks/Hosts and the Networks/Hosts-IPv6 objects):
-
The new Networks/Hosts object “All-IPv4-Addresses” replaces the IPv4 “any” network policy object. If you upgrade to Security Manager 4.4 from a previous version, all references to the IPv4 “any” network policy object will be changed to “All-IPv4-Addresses.”
-
The new Networks/Hosts object “All-IPv6-Addresses” replaces the IPv6 “any” network policy object. If you upgrade to Security Manager 4.4 from a previous version, all references to the IPv6 “any” network policy object will be changed to “All-IPv6-Addresses.”
-
The new Networks/Hosts object “All-Addresses” does not have a corresponding policy object in earlier versions of Security Manager. It is a new global “any” policy object, and it encompasses all IPv4 and IPv6 address ranges.
Other related changes include unification of IPv4 and IPv6 versions of device-specific policies such as Access Rules, Inspection Rules, and so on.
Further, when editing policies and objects, IPv4, IPv6, or mixed-mode (both IPv4 and IPv6) entries are automatically filtered in elements, such as dialog boxes, in which one or more of those entries is not appropriate to that element.