Cisco® Security Manager is an enterprise-class security management solution that helps organizations easily configure, monitor, and troubleshoot any Cisco security deployment. Cisco Security Manager can be used to manage network services such as firewall, intrusion prevention system (IPS), site-to-site virtual private network (VPN), and remote-access VPN services.
Cisco Security Manager also supports security features across a wide range of Cisco devices, including firewalls, IPS sensors, integrated services routers (ISRs), and aggregation services routers (ASRs), as well as Cisco Catalyst® switches and service blades such as the Firewall Services Module (FWSM) and the Intrusion Detection System Services Module (IDSM).
In addition to the policy provisioning and security event management features available in CSM 4.0, Cisco Security Manager 4.1 delivers integrated operational reports. For more information, please visit http://www.cisco.com/go/csmanager.
New Features in Cisco Security Manager 4.1
• Enterprise-class integrated Firewall, IPS, and VPN reporting functionality for improved visibility into security devices. Custom reports can be created using advanced filters, and reports can be viewed on-demand and scheduled for email delivery.
• Provisioning and troubleshooting support for IPv6 based Network/Host Objects and Firewall Access Rules for ASA
• Advanced troubleshooting of operational issues using Packet Capture, ping, traceroute, and other tools, in addition to Event-to-Policy linkages and Cisco Packet Tracer tools
• Significantly streamlined and guided IPSec VPN configuration for partner/extranet VPN scenarios
• New Policy Export and Policy Import features to address larger enterprise needs of transferring policies across multiple instances of CSM, to ensure multi-instance scalability and deployment
• Support for the latest ASA 8.4 feature set, including Bridge Groups, KCD, and IKEv2.
• Support for 64-bit versions of Microsoft Windows 2008 Release 2.
Cisco Security Manager 4.1 Hardware and Operating System Requirements
Cisco Security Manager 4.1 requires modern server hardware and software to deliver an optimized user experience. While some customers may have the ability to use their existing hardware and system software to run Version 4.1, review of the Cisco Security Manager 4.1 hardware and software requirements is highly recommended. Table 1 lists the requirements for Cisco Security Manager 4.1.
Table 1. Server Hardware and Software Requirements for Cisco Security Manager 4.1
Recommended Server Hardware for Cisco Security Manager 4.1
Recommended server
Cisco UCS C210 M2 or above
CPU
Intel Quadcore Xeon 5500 Series or above
Memory
16 GB or above
HDD
4 x 500 GB
HDD partitioning
Windows + Cisco Security Manager: minimum 500 GB
Log storage for events
Minimum 1 TB
HDD RAID
RAID 10
Network adapter
1 Gbps
Recommended Server Software
Operating system
Windows 2008 Enterprise Server R2, 64-bit
Disk optimization
Diskeeper 2010 Server
Antivirus
Real-time protection disabled
Physical and eDelivery Licenses
Cisco Security Manager 4.1 and associated licenses are available for both physical and electronic delivery. Customers can continue to order traditional physical delivery part numbers, and will be shipped the appropriate DVD or paper license keys. In addition, a new eDelivery option is now available. This option enables customers to download Cisco Security Manager directly from Cisco.com and receive license keys via email. The eDelivery option can greatly reduce the time between the ordering and deployment of Cisco Security Manager.
Cisco Security Manager Server Licenses
Cisco Security Manager 4.1 is available in two feature levels: Standard and Professional. Enterprise customers will greatly benefit from the scalability and broader device support offered by Cisco Security Manager 4.1 Professional. Meanwhile, small commercial customers will find Cisco Security Manager 4.1 Standard to be an exceptional value. Device managers such as Adaptive Security Device Manager (ASDM) for the Cisco ASA 5500 Series best serve small business customers who do not need to manage security policies across multiple devices. Table 2 lists basic part numbers for Cisco Security Manager 4.1 Standard and Professional.
Table 2. Part Numbers for Cisco Security Manager 4.1 Standard and Professional
The management software consumes a device license for:
• Each added physical device
• Each added Cisco Catalyst 6500 Series services module
• Each security context
• Each virtual sensor
Advanced Inspection and Prevention Security Services Modules (AIP-SSMs), IDS Network Modules, and IPS Advanced Integration Modules (IPS AIMs) installed in the host device do not consume a license; however, additional virtual sensors (added after the first sensor) are counted.
In the case of an FWSM, the module itself consumes a license, and then an additional license is required for each added security context. For example, an FSWM with two security contexts would consume three licenses: one for the module, one for the admin context, and one for the second security context. If the Cisco Catalyst chassis itself is added to Cisco Security Manager, it too will consume a license.
Device counts are computed in the same manner as with Cisco Security Manager 3.x releases. There has been no change to this logic in CSM 4.1.
Cisco Security Manager Professional Incremental Device Licenses
Customers with large security estates can increase the number of devices supported by Cisco Security Manager Professional, using incremental device licenses. (These licenses cannot be used with Cisco Security Manager Standard). Incremental device licenses are stackable, and several licenses may be activated on a single Cisco Security Manager Professional server. For instance, a CSMPR50-4.1-K9 customer who also purchases CSMPR-LIC-100 will have the ability to manage a total of 150 devices. Incremental device licenses that were purchased for Cisco Security Manager 3.x will continue to work with Cisco Security Manager 4.1. Table 3 lists the incremental part numbers.
Table 3. Incremental Part Numbers for Cisco Security Manager 4.1 Professional
Upgrading from Cisco Security Manager 4.0 to CSM 4.1
CSM 4.0 customers with a valid Smartnet SAS contract can upgrade to CSM 4.1 for free. To view upgrade options, enter the contract number in the product upgrade tool. CSM 4.0 customers who do not have SAS support for the product are required to purchase the Server upgrade licenses listed in Table 4.
Table 4. Part Numbers for Upgrading from Cisco Security Manager 4.0 to 4.1
Physical Part Number
eDelivery Part Number
Description
CSMST5-4.1-M-K9
L-CSMST5-4.1-M-K9
Cisco Security Manager 4.1 STD-5 Minor Upgrade License
CSMST10-4.1-M-K9
L-CSMST10-4.1-M-K9
Cisco Security Manager 4.1 STD-10 Minor Upgrade License
CSMST25-4.1-M-K9
L-CSMST25-4.1-M-K9
Cisco Security Manager 4.1 STD-25 Minor Upgrade License
CSMPR50-4.1-M-K9
L-CSMPR50-4.1-M-K9
Cisco Security Manager 4.1 PRO-50 Minor Upgrade License
CSMP100-4.1-M-K9
L-CSMP100-4.1-M-K9
Cisco Security Manager 4.1 PRO-100 Minor Upgrade License
CSMP250-4.1-M-K9
L-CSMP250-4.1-M-K9
Cisco Security Manager 4.1 PRO-250 Minor Upgrade License
Please note that these licenses are not for upgrading from earlier versions of CSM to version 4.1.
Upgrading from Cisco Security Manager 3.x to CSM 4.1
There is no direct upgrade path for customers using Cisco Security Manager 3.x. It is recommended that customers using 3.x migrate to Cisco Security Manager 4.0 and purchase a SAS contract, which will include a free upgrade to Cisco Security Manager 4.1. For more details on upgrading to CSM 4.0, please see the CSM 4.0 Product Bulletin.
Upgrading from Cisco Security Manager 4.1 Standard to 4.1 Professional
Occasionally, customers will find that they have outgrown the capabilities of Cisco Security Manager Standard, and will need to upgrade to Cisco Security Manager Professional. This is typical for customers who originally purchased Cisco Security Manager Standard, but over time need to manage Catalyst security blades, or whose deployment grows beyond the 25-device limit of Cisco Security Manager Standard. The professional license obtained using this upgrade mechanism will be equivalent in functionality to a CSMPR50-4.1-K9 license. Table 5 lists part numbers for upgrading from Cisco Security Manager Standard to Professional.
Table 5. Part Numbers for Upgrading from Cisco Security Manager Standard to Cisco Security Manager Professional
Physical Part Number
eDelivery Part Number
Description
CSMSTPR-U-4.1-K9
L-CSMSTPR-U-4.1-K9
Upgrade from Cisco Security Manager Standard 25-Device Limit to Cisco Security Manager Professional
Please note that this license is not for upgrading from earlier versions of CSM to version 4.1.
Cisco Security Manager Support Service Licenses
Customers are highly encouraged to purchase the appropriate Cisco Software Application Support (SAS) Service, which entitles them to receive technical support and minor software updates for Cisco Security Manager 4.1.
Physical Part Number
eDelivery Part Number
Support Part Number
CSMST5-4.1-K9
L-CSMST5-4.1-K9
CON-SAS-CSMS541
CSMST10-4.1-K9
L-CSMST10-4.1-K9
CON-SAS-CSMS1041
CSMST25-4.1-K9
L-CSMST25-4.1-K9
CON-SAS-CSMS2541
CSMPR50-4.1-K9
L-CSMPR50-4.1-K9
CON-SAS-CSMPC41
CSMPR100-4.1-K9
L-CSMPR100-4.1-K9
CON-SAS-CSMPL41
CSMPR250-4.1-K9
L-CSMPR250-4.1-K9
CON-SAS-CSMP2541
CSMPR-LIC-50
L-CSMPR-LIC-50
CON-SAS-CSMPRI50
CSMPR-LIC-100
L-CSMPR-LIC-100
CON-SAS-CSMPRI1C
CSMPR-LIC-250
L-CSMPR-LIC-250
CON-SAS-CSMPR250
CSMSTPR-U-4.1-K9
L-CSMSTPR-U-4.1-K9
CON-SAS-CSMSTPRU
Choosing the Right Cisco Security Manager License: New Customer Scenario
1. Selection of Cisco Security Manager Base Product Version
a. If you need to manage Catalyst 6500 or FWSM/IDSM blades, choose CSMPR-50-4.1-K9 or its eDelivery version.
b. Based on the number of devices you need to manage using Cisco Security Manager (after accounting for future growth prospects), obtain:
i. CSMST5-4.1-K9 or its eDelivery version for networks of five or fewer devices.
ii. CSMST10-4.1-K9 or its eDelivery version for networks of 10 or fewer devices.
iii. CSMST25-4.1-K9 or its eDelivery version for networks of 25 or fewer devices.
iv. CSMPR50-4.1-K9 / CSMPR100-4.1-K9 / CSMPR250-4.1-K9 or their eDelivery versions for larger networks. In addition, consider incremental licenses.
c. If you obtained a standard license for 25 devices, but need to manage more than 25 devices, obtain CSMSTPR-U-4.1-K9 or its eDelivery version to upgrade to the Professional version of the product with the ability to manage 50 devices.
2. Incremental licenses allow you to manage more devices. Based on the size of the network you need to manage, obtain:
a.CSMPR-LIC-50 or its eDelivery version to add management of 50 additional devices.
b.CSMPR-LIC-100 or its eDelivery version to add management of 100 additional devices.
c.CSMPR-LIC-250 or its eDelivery version to add management of 250 additional devices.
d. For larger networks:
i. Purchase multiple units of incremental licenses if you want to install these on the same Cisco Security Manager server.
ii. Purchase base licenses and/or incremental licenses if you want to install multiple Cisco Security Manager servers to obtain better performance.
3. In addition to the base and incremental licenses, you must purchase equivalent support contracts.
Choosing the Right Cisco Security Manager License: Existing Customer Scenario
There is no direct upgrade path for customers on Cisco Security Manager 3.x. It is recommended that customers with CSM 3.x migrate to Cisco Security Manager 4.0, then purchase a SAS contract. This will enable a free upgrade to Cisco Security Manager 4.1. For more details on upgrading to CSM 4.0, please see the CSM 4.0 Product Bulletin.
1. If you are a CSM 3.x customer, upgrade to the equivalent CSM 4.0 version first, and then upgrade to 4.1. Please refer to the CSM 4.0 Product Bulletin for more details about upgrading from version 3.x to version 4.0.
2. If you have CSM 4.0 and have a valid SAS support for that version, you are entitled to upgrade to CSM 4.1 at no additional cost.
3. If you are upgrading from Cisco Security Manager 4.0/4.0.1 to Cisco Security Manager 4.1 and you have not purchased a SAS contract, then obtain:
a.CSMST5-4.1-M-K9 or its eDelivery version if you currently own CSMST5-4.0-K9.
b.CSMST10-4.1-M-K9 or its eDelivery version if you currently own CSMST10-4.0-K9.
b.CSMST25-4.1-M-K9 or its eDelivery version if you currently own CSMST25-4.0-K9.
c.CSMPR50-4.1-M-K9 / CSMP100-4.1-M-K9 / CSMP250-4.1-M-K9 or its eDelivery version if you currently own CSMPR50-4.1-K9 / CSMPR100-4.1-K9 / CSMPR250-4.1-K9.
4. Any incremental device licenses you already own for Cisco Security Manager 3.x or 4.0 will be applicable for Cisco Security Manager 4.1. You do not need to obtain new incremental licenses to manage the same number of devices. If you intend to enable event management for larger networks, you may need to deploy multiple Cisco Security Manager servers, which involves obtaining additional base product licenses.
Cisco Services
Cisco takes a lifecycle approach to services and, with its partners, provides a broad portfolio of security services so enterprises can design, implement, operate, and optimize network platforms that defend critical business processes against attack and disruption, protect privacy, and support policy and regulatory compliance controls.
Cisco services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Cisco services, visit: http://www.cisco.com/en/US/products/svcs/ps2961/ps2952/serv_group_home.html
• Cisco Security Intelligence Operations (SIO) provides a central location for early warning threat and vulnerability intelligence and analysis, Cisco IPS signatures, and mitigation techniques. Visit and bookmark Cisco SIO at http://www.cisco.com/security.
• Cisco Security IntelliShield Alert Manager Service provides a customizable, web-based threat and vulnerability alert service that allows organizations to easily access timely, accurate, and credible information about potential vulnerabilities in their environment.
• Cisco Software Application Support (SAS) Service keeps Cisco Security Manager up and running with around-the-clock access to technical support and software updates.
• Cisco Security Optimization Service helps organizations maintain peak network health. The network infrastructure is the foundation of an agile and adaptive business. The Cisco Security Optimization Service supports the continuously evolving security system to meet ever-changing security threats through a combination of planning and assessments, design, performance tuning, and ongoing support for system changes.
Cisco Security Manager software is eligible for technical support service coverage under a Cisco SAS service agreement, which features:
• Unlimited access to the Cisco Technical Assistance Center (TAC) for award-winning support. Technical assistance is provided by Cisco software application experts trained in Cisco security software applications. Support is available 24 hours a day, 7 days a week, 365 days a year worldwide.
• Registered access to Cisco.com, a robust repository of application tools and technical documents that can assist you in diagnosing network security problems, understanding new technologies, and staying current with innovative software enhancements. Utilities, white papers, application design data sheets, configuration documents, and case management tools help expand your in-house technical capabilities.
• Access to application software bug fixes and maintenance, as well as minor software releases.
Customers requiring Cisco technical support and minor updates to Cisco Security Manager will need to purchase a Cisco SAS service agreement.
