Understanding Device Communication Requirements
Security Manager provides many different ways for you to manage devices. The easiest methods involve Security Manager directly contacting the devices. Security Manager might access a device during inventory or policy discovery, during configuration deployment, or in response to actions you take in Security Manager that request device contact (such as testing connectivity).
Because you can use off-line methods to add devices to the Security Manager inventory or to deploy configuration changes to the devices, configuring device communication settings for Security Manager’s use is optional. However, you typically need to configure basic device communication settings on the devices to implement your off-line or customized configuration deployment tools.
In Security Manager, you can configure which transport protocol to use as the default for a type of device, and change it for specific devices that are configured to respond to a different protocol. Security Manager is configured with default protocols that are the most commonly-used protocols for that type of device. To change the default device communication setting for a type of device, select Tools > Security Manager Administration and select Device Communication from the table of contents (for more information, see Device Communication Page). To change the transport setting for a specific device, modify its device properties as described in Viewing or Changing Device Properties.
Security Manager can use these transport protocols:
- SSL (HTTPS)—Secure Sockets Layer, which in Security Manager means an HTTPS (TLS) connection, is the only transport protocol used with PIX Firewalls, Adaptive Security Appliances (ASA), and Firewall Services Modules (FWSM). It is also the default protocol for IPS devices and for routers running Cisco IOS Software release 12.3 or later.
If you use SSL as the transport protocol on Cisco IOS routers, you must also configure SSH on the routers. Security Manager uses SSH connections to handle interactive command deployments during SSL deployments.
Earlier releases of Cisco Security Manager used OpenSSL for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Beginning with version 4.13, Cisco Security Manager replaced OpenSSL version 1.0.2 with Cisco SSL version 6.x. Cisco SSL provides FIPS compliance without a separate full FIPS validation of each build, which makes compliant connectivity faster and less costly to deliver, and its Common Criteria mode simplifies that certification as well. Cisco SSL also tracks newer protocol features than the OpenSSL release it replaced. The Product Security Baseline (PSB) requirements that Cisco SSL must meet cover credential and key management, cryptography standards, anti-spoofing, integrity and tamper protection, and session, data, and stream management and administration.
For information on configuring SSL, see Setting Up SSL (HTTPS).
- SSH—Secure Shell is the default transport protocol for Catalyst switches and Catalyst 6500/7600 devices. You can also use it with Cisco IOS routers. Where the device supports it, enable SSH version 2 only; SSH version 1 has known protocol weaknesses.
For information on configuring SSH, see Setting Up SSH.
- Telnet—Telnet is the default protocol for routers running Cisco IOS software releases 12.1 and 12.2. You can also use it with Catalyst switches, Catalyst 6500/7600 devices, and routers running Cisco IOS Software release 12.3 and later. Telnet carries credentials and the deployed configuration in cleartext, so use it only on devices that cannot support SSH or SSL, and restrict it to a dedicated management network. See the Cisco IOS software documentation for configuring Telnet.
- HTTP—You can use HTTP instead of HTTPS (SSL) with IPS devices. HTTP is not the default protocol for any device type. Like Telnet, HTTP is unencrypted, so prefer HTTPS unless the device cannot support it.
- SQL Anywhere—This entry is not a device transport protocol; SQL Anywhere is the embedded database that Security Manager itself uses. Up to version 4.20, Security Manager used SQL Anywhere version 12.x as the database. Beginning with version 4.21, Security Manager uses Sybase SQL Anywhere version 17.0.10.5855.
- TMS—Token Management Server is treated like a transport protocol in Security Manager, but it is not a real transport protocol. Instead, by configuring TMS as the transport protocol of a router, you are telling Security Manager to deploy configurations to a TMS. From the TMS, you can download the configuration to an eToken, plug the eToken into the router's USB bus, and update the configuration. TMS is available only for certain routers running Cisco IOS Software 12.3 or later.
For information on deploying configurations to a TMS and downloading them to a router, see Deploying Configurations to a Token Management Server.
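The SSL (HTTPS) and Telnet entries above describe what a Cisco IOS router must offer before Security Manager can manage it over SSL: an HTTPS server for the deployment itself, SSH for the interactive command sessions that accompany SSL deployments, and preferably no cleartext Telnet or HTTP at all. The following IOS configuration is an added example, not text from this page or a Cisco-supplied template. The hostname, domain name, local username and password, and the 192.0.2.0/24 management subnet are assumed placeholders.

```ios
! Assumed hostname and domain name; both must be set before an RSA key pair can be generated
hostname csm-edge-1
ip domain-name example.net
!
! Assumed local account that Security Manager authenticates with (replace the password)
username csm-admin privilege 15 secret ChangeMe-Example
!
! RSA key pair used by SSH and by the HTTPS server's self-signed certificate
crypto key generate rsa modulus 2048
!
! SSH: version 2 only, with a short authentication timeout and retry limit
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! HTTPS server for SSL (HTTPS) deployments; the cleartext HTTP server stays disabled
no ip http server
ip http secure-server
ip http authentication local
!
! Assumed management subnet: only these hosts may reach the HTTPS server or the VTY lines
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny   any log
ip http access-class 10
!
! VTY lines: local login, SSH only (no Telnet), restricted to the management subnet
line vty 0 4
 login local
 transport input ssh
 access-class 10 in
```

After applying it, `show ip ssh` should report that SSH is enabled with version 2.0, and `show ip http server status` should show the HTTP server disabled and the HTTP secure server enabled; only then will Security Manager's connectivity test over SSL, and the SSH sessions it opens during SSL deployments, succeed.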
Security Manager can also use indirect methods to deploy configurations to devices, staging the configuration on a server that manages the deployment to the devices. These indirect methods also allow you to use dynamic IP addresses on your devices. The methods are not treated as transport protocols, but as adjuncts to the transport protocol for the device. You can use these indirect methods:
- AUS (Auto Update Server)—When you add a device to Security Manager, you can select the AUS server that is managing it. You can use AUS with PIX Firewalls and ASA devices.
For information on configuring a device to use an AUS server, see Setting Up AUS or Configuration Engine.
- Configuration Engine—When you add a router to Security Manager, you can select the Configuration Engine that is managing it.
For more information on configuring a router to use a Configuration Engine server, see Setting Up AUS or Configuration Engine.
For information on adding devices that use AUS or Configuration Engine servers to Security Manager, and how to add the servers, see these topics: