Cisco® Security Manager is an enterprise-class security management solution that helps organizations easily configure and troubleshoot any Cisco security deployment. Cisco Security Manager can be used to manage network services such as firewall, intrusion prevention system (IPS), and site-to-site virtual private network (VPN), as well as remote-access VPN services.
Cisco Security Manager supports security features on a wide range of Cisco devices, including firewalls, IPS sensors, integrated services routers (ISRs), and aggregation services routers (ASRs), as well as Cisco Catalyst® switches and service blades such as the Firewall Services Module (FWSM) and the Intrusion Detection System Services Module (IDSM).
Cisco Security Manager 4.0 is a major release that delivers integrated event management and enhanced troubleshooting tools. For more information, please visit http://www.cisco.com/go/csmanager.
New Features in Cisco Security Manager 4.0
• Enterprise-class integrated policy and event management for better control and visibility into security devices. Supports syslog messages for Cisco ASA appliances and Security Device Event Exchange (SDEE) events for Cisco IPS sensors.
• Easy troubleshooting of operational issues using intuitive, event-to-policy linkages, and tools such as Cisco Packet Tracer.
• Selective management of Cisco ASA appliance policies and detection of out-of-band (OOB) changes to enable Cisco Security Manager to operate in heterogeneous IT environments.
• Simplified policy definition paradigms for Cisco ASA appliances for Network Address Translation (NAT); global access rules for improved management efficiency.
• Enhanced support for Cisco's latest IPS and firewall features, including a Botnet Traffic Filter and a Global Threat Correlation engine, providing comprehensive threat response.
• Support for 32-bit and 64-bit versions of Microsoft Windows 2008.
Cisco Security Manager 4.0 Hardware and Operating System Requirements
Cisco Security Manager 4.0 requires modern server hardware and software in order to deliver an optimized user experience. While some customers may be able to upgrade their existing Cisco Security Manager 3.x server to run Version 4.0, the majority of customers will benefit greatly by deploying Cisco Security Manager 4.0 on a modern server. Table 1 lists the requirements for Cisco Security Manager 4.0.
Table 1. Server Hardware and Software Requirements for Cisco Security Manager 4.0
Recommended Server Hardware for Cisco Security Manager 4.0
Recommended server | Cisco UCS C200
CPU | Intel Quadcore Xeon 5500 Series
Memory | 8 GB
HDD | 2 x 1 TB minimum
HDD partitioning | Windows + Cisco Security Manager: 500 GB; Log storage: 1.5 TB
HDD RAID | RAID 10
Network adapter | 1 Gbps
Recommended Server Software
Operating system | Windows 2008 Server R1, 64-bit
Disk optimization | Diskeeper 2010 Server
Antivirus | Real-time protection disabled
Physical and eDelivery Licenses
Cisco Security Manager 4.0 and associated licenses are available for both physical and electronic delivery to customers. Customers can continue to order traditional physical delivery part numbers and will be shipped the appropriate DVD or paper license keys. In addition, a new eDelivery option is now available that enables customers to download Cisco Security Manager directly from Cisco.com and receive license keys via email. The eDelivery option can greatly reduce the time between the customer ordering and deploying Cisco Security Manager.
Cisco Security Manager Server Licenses
Cisco Security Manager 4.0 is available in two feature levels: Standard and Professional. Enterprise customers will greatly benefit from the scalability and broader device support offered by Cisco Security Manager 4.0 Professional. Meanwhile, small commercial customers will find Cisco Security Manager 4.0 Standard to be an exceptional value. Device managers such as Adaptive Security Device Manager (ASDM) for the Cisco ASA 5500 Series best serve small business customers who do not need to manage security policies across multiple devices. Table 2 lists basic part numbers for Cisco Security Manager 4.0 Standard and Professional.
Table 2. Part Numbers for Cisco Security Manager 4.0 Standard and Professional
Physical Part Number | eDelivery Part Number | Description
CSMST5-4.0-K9 | L-CSMST5-4.0-K9 | Cisco Security Manager 4.0 Standard - 5-Device License
CSMST10-4.0-K9 | L-CSMST10-4.0-K9 | Cisco Security Manager 4.0 Standard - 10-Device License
CSMST25-4.0-K9 | L-CSMST25-4.0-K9 | Cisco Security Manager 4.0 Standard - 25-Device License
CSMPR50-4.0-K9 | L-CSMPR50-4.0-K9 | Cisco Security Manager 4.0 Professional - 50-Device License
Note: Device Count for Licensing
The management software consumes a device license for:
• Each added physical device
• Each added Cisco Catalyst 6500 Series services module
• Each security context
• Each virtual sensor
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIMs) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) are counted.
In the case of an FWSM, the module itself consumes a license, and each added security context consumes an additional license. For example, an FWSM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it too will consume a license.
Device-counting logic in Cisco Security Manager 4.0 is the same as for Cisco Security Manager 3.x releases.
Cisco Security Manager Professional Incremental Device Licenses
Customers with large security estates can increase the number of devices supported by Cisco Security Manager Professional using incremental device licenses. (These licenses cannot be used with Cisco Security Manager Standard.) Incremental device licenses are stackable and several licenses may be activated on a single Cisco Security Manager Professional server. For instance, a Cisco Security Manager 4.0 Professional customer who also purchases CSMPR-LIC-100 will be able to manage a total of 150 devices. Incremental device licenses that were purchased for Cisco Security Manager 3.x will continue to work with Cisco Security Manager 4.0. Table 3 lists incremental part numbers.
Table 3. Incremental Part Numbers for Cisco Security Manager 4.0 Professional
Physical Part Number | eDelivery Part Number | Description
CSMPR-LIC-50 | L-CSMPR-LIC-50 | Cisco Security Manager 4.0 Professional - Incremental 50-Device License
CSMPR-LIC-100 | L-CSMPR-LIC-100 | Cisco Security Manager 4.0 Professional - Incremental 100-Device License
CSMPR-LIC-250 | L-CSMPR-LIC-250 | Cisco Security Manager 4.0 Professional - Incremental 250-Device License
Please note that the CSMPR-LIC-500 and CSMPR-LIC-1000 licenses will be reaching end-of-sale status.
Upgrade Licenses
Existing Cisco Security Manager 3.x customers can upgrade to Cisco Security Manager 4.0 using the part numbers listed below. Please note that the upgrade from Version 3.x to Version 4.0 is not covered under the Cisco Software Application Support (SAS) Service. We highly encourage customers to stay current with Cisco Security Manager, as new feature and device support is only available in the latest release. Incremental device licenses purchased for Cisco Security Manager 3.x will continue to work with Cisco Security Manager 4.0. Table 4 lists part numbers for upgrading from Cisco Security Manager 3.x to Version 4.0.
Table 4. Part Numbers for Upgrading from Cisco Security Manager 3.x to Version 4.0
Physical Part Number | eDelivery Part Number | Description
CSMST5-U-4.0-K9 | L-CSMST5-U-4.0-K9 | Upgrade from Cisco Security Manager 3.x Standard to 4.0 Standard - 5-Device Limit
CSMST25-U-4.0-K9 | L-CSMST25-U-4.0-K9 | Upgrade from Cisco Security Manager 3.x Standard to 4.0 Standard - 25-Device Limit
CSMPR50-U-4.0-K9 | L-CSMST50-U-4.0-K9 | Upgrade from Cisco Security Manager 3.x Professional to 4.0 Professional
Upgrading from Cisco Security Manager Standard to Professional
Occasionally, customers will find they have outgrown the capabilities of Cisco Security Manager Standard and will need to upgrade to Cisco Security Manager Professional. This is typical for customers who originally purchased Cisco Security Manager Standard but over time need to manage Catalyst security blades, or whose deployment grows beyond the 25-device limit of Cisco Security Manager Standard. Table 5 lists part numbers for upgrading from Cisco Security Manager Standard to Professional.
Table 5. Part Numbers for Upgrading from Cisco Security Manager Standard to Cisco Security Manager Professional
Physical Part Number | eDelivery Part Number | Description
CSMSTPR-U-4.0-K9 | L-CSMSTPR-U-4.0-K9 | Upgrade from Cisco Security Manager Standard 25-Device Limit to Cisco Security Manager Professional
Please note that this license is not for upgrading from Cisco Security Manager 3.x to Version 4.0.
Cisco Security Manager Support Service Licenses
Customers are highly encouraged to purchase the appropriate Cisco Software Application Support (SAS) Service entitling them to receive technical support and minor software updates for Cisco Security Manager 4.0. See Table 6 for part numbers.
Table 6. Part Numbers for Cisco Security Manager Support Service Licenses
Physical Part Number | eDelivery Part Number | Support Part Number
CSMST5-4.0-K9 | L-CSMST5-4.0-K9 | CON-SAS-CSMST54
CSMST10-4.0-K9 | L-CSMST10-4.0-K9 | CON-SAS-CSMST104
CSMST25-4.0-K9 | L-CSMST25-4.0-K9 | CON-SAS-CSMST254
CSMPR50-4.0-K9 | L-CSMPR50-4.0-K9 | CON-SAS-CSMPR504
CSMPR-LIC-50 | L-CSMPR-LIC-50 | CON-SAS-CSMPRI50
CSMPR-LIC-100 | L-CSMPR-LIC-100 | CON-SAS-CSMPRI1C
CSMPR-LIC-250 | L-CSMPR-LIC-250 | CON-SAS-CSMPR250
CSMST5-U-4.0-K9 | L-CSMST5-U-4.0-K9 | CON-SAS-CSMST5U
CSMST25-U-4.0-K9 | L-CSMST25-U-4.0-K9 | CON-SAS-CSMST25U
CSMPR50-U-4.0-K9 | L-CSMPR50-U-4.0-K9 | CON-SAS-CSMPR40U
CSMSTPR-U-4.0-K9 | L-CSMSTPR-U-4.0-K9 | CON-SAS-CSMSTPRU
Choosing the Right Cisco Security Manager License: New Customer Scenario
1. Selection of Cisco Security Manager Base Product Version
• If you need to manage Catalyst 6500 or FWSM/IDSM blades, choose CSMPR-50-4.0-K9 or its eDelivery version.
• Based on the number of devices you need to manage using Cisco Security Manager (after accounting for future growth prospects), obtain:
– CSMST5-4.0-K9 or its eDelivery version for networks of five or fewer devices.
– CSMST10-4.0-K9 or its eDelivery version for networks of 10 or fewer devices.
– CSMST25-4.0-K9 or its eDelivery version for networks of 25 or fewer devices.
– CSMPR50-4.0-K9 or its eDelivery version for larger networks. In addition, consider incremental licenses.
• If you obtained CSMST25-4.0-K9 but need to manage Catalyst switches or blades, or need to manage more than 25 devices, obtain CSMSTPR-U-4.0-K9 or its eDelivery version to upgrade to the Professional version of the product.
2. Incremental licenses allow you to manage more devices. Based on the size of the network you need to manage, obtain:
• CSMPR-LIC-50 or its eDelivery version to add management of 50 additional devices.
• CSMPR-LIC-100 or its eDelivery version to add management of 100 additional devices.
• CSMPR-LIC-250 or its eDelivery version to add management of 250 additional devices.
• For larger networks:
– Purchase multiple units of incremental licenses if you want to install these on the same Cisco Security Manager server.
– Purchase base licenses and/or incremental licenses if you want to install multiple Cisco Security Manager servers to obtain better performance.
3. In addition to the base and incremental licenses, you must purchase equivalent support contracts.
Choosing the Right Cisco Security Manager License: Existing Customer Scenario
1. When you are ready to upgrade from Cisco Security Manager 3.x to Cisco Security Manager 4.0, obtain:
• CSMST5-U-4.0-K9 or its eDelivery version if you currently own CSMST5-3.3-K9 or a similar license for earlier 3.x versions.
• CSMST25-U-4.0-K9 or its eDelivery version if you currently own CSMST25-3.3-K9 or a similar license for earlier 3.x versions.
• CSMPR50-U-4.0-K9 or its eDelivery version if you currently own CSMPR50-3.3-K9 or a similar license for earlier 3.x versions.
2. Any incremental licenses you already own for Cisco Security Manager 3.x will be applicable for Cisco Security Manager 4.0. You do not need to obtain new incremental licenses to manage the same number of devices. If you intend to enable event management for larger networks, you may need to deploy multiple Cisco Security Manager servers, which involves obtaining additional base product licenses.
3. Cisco Security Manager 3.x support contracts will not support Cisco Security Manager 4.0. You may need to purchase a Cisco Security Manager 4.0-specific support contract. Once the production system is completely transitioned to Cisco Security Manager 4.0, you may choose to discontinue Cisco Security Manager 3.x support.
Cisco Services
Cisco takes a lifecycle approach to services and, with its partners, provides a broad portfolio of security services so enterprises can design, implement, operate, and optimize network platforms that defend critical business processes against attack and disruption, protect privacy, and support policy and regulatory compliance controls.
Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, visit: http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html
• Cisco Security Intelligence Operations (SIO) service provides a central location for early warning threat and vulnerability intelligence and analysis, Cisco IPS signatures, and mitigation techniques. Visit and bookmark Cisco SIO at http://www.cisco.com/security.
• Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.
• Cisco Software Application Support (SAS) Service keeps Cisco Security Manager up and running with around-the-clock access to technical support and software updates.
• Cisco Security Optimization Service helps organizations maintain peak network health. The network infrastructure is the foundation of an agile and adaptive business. The Cisco Security Optimization Service supports the continuously evolving security system to meet ever-changing security threats through a combination of planning and assessments, design, performance tuning, and ongoing support for system changes.
Cisco Security Manager software is eligible for technical support service coverage under a Cisco SAS service agreement, which features:
• Unlimited access to the Cisco Technical Assistance Center (TAC) for award-winning support. Technical assistance is provided by Cisco software application experts trained in Cisco security software applications. Support is available 24 hours a day, 7 days a week, 365 days a year worldwide.
• Registered access to Cisco.com, a robust repository of application tools and technical documents that can assist you in diagnosing network security problems, understanding new technologies, and staying current with innovative software enhancements. Utilities, white papers, application design data sheets, configuration documents, and case management tools help expand your in-house technical capabilities.
• Access to application software bug fixes and maintenance, as well as minor software releases.
Customers requiring Cisco technical support and minor updates to Cisco Security Manager will need to purchase a Cisco SAS service agreement.
Availability
Customers can purchase Cisco Security Manager 4.0 through regular sales channels after the first customer shipment of the product. The product is also available for evaluation by downloading it from http://www.cisco.com/go/csmanager or by ordering an evaluation kit from the Collateral and Subscriptions Store at Cisco Marketplace at http://www.cisco.com/pcgi-bin/marketplace/welcome.pl.