
Cisco Secure Policy Manager 2.3

Solutions Guide


The Cisco Secure Policy Manager (CSPM) lets you configure, manage, and monitor your end-to-end Cisco Systems security network. CSPM is a policy-based product that abstracts the complexities of security networking: you create high-level security policies that are independent of the underlying device platforms and software releases, and CSPM generates the device configurations. CSPM is Cisco's strategic security management platform for Cisco Secure PIX Firewalls, Cisco Secure IOS Firewalls, Cisco IOS® virtual private networking (VPN) routers, and Cisco Secure Intrusion Detection System (IDS) sensors.

CSPM provides the following benefits:

  • Enables small IT organizations to save time by using a configuration GUI, not complicated command-line interfaces (CLIs) that differ for multiple platforms
  • Enables large IT organizations to scale large security networks by using policy inheritance
  • Saves money by enabling the configuration and monitoring of remote security devices from a central location
  • Provides an easy mechanism to monitor security devices, send notifications by e-mail or pager, and generate basic reports
  • Facilitates a single security networking management console for firewalls, VPNs, and IDS sensors

CSPM 2.3 incorporates many of the network operations features that are used in LAN and WAN environments.

New CSPM 2.3 features include:

  • Firewall and VPN (2.3F)
    • CLI policy mapping
    • Policy query
    • Topology graph
    • CiscoWorks2000 topology import
    • Windows 2000 GUI/demo
    • PIX 535/version 5.3x
    • PIX access lists
    • PIX failover
    • AAA IOS/PIX
    • Cisco IOS Software Release 12.1(4), 12.1(4)E, 12.1(4)T, 12.1(5), and 12.1(5)T
    • Version Management Utility
    • Command diff
    • Improved distribution performance
    • Cisco IOS dynamic routing
    • Interface Port Address Translation (PAT)
    • IPSec/generic routing encapsulation (GRE)
    • IPSec syslog
    • No NAT IPSec tunnel
  • Intrusion Detection System (2.3i)
    • IDS reporting
    • IDS notification
    • IPSec IDS alarms
    • Hierarchical domains

Getting Started with CSPM

CSPM can be installed on any system running Windows NT 4.0 with Service Pack 6a. Advanced installation modes with distributed servers on multiple NT 4.0 systems, and separate client/server installations, are also available. The GUI in client/server installations can be installed on Windows 95, 98, 2000, and NT 4.0 systems. Reports are viewed through a Netscape or Microsoft Web browser over Secure Sockets Layer (SSL). In addition, a demo mode of CSPM is available on Windows 98, 2000, and NT 4.0 platforms.

To run CSPM for PIX/IOS, the following steps are required:


Step 1.   Define network topology

Step 2.   Define CSPM host

Step 3.   Define application hosts

Step 4.   Create security policies

Step 5.   Generate configuration files

Step 6.   Distribute configuration files

For additional click-by-click instructions, refer to the product literature at http://www.cisco.com/go/policymanager.

Step 1. Define network topology

The Topology Wizard enables you to define network topology and discover firewalls that are active on the network. CSPM 2.3 also lets you import the network topology from CiscoWorks 2000.


Figure 1   Using the Topology Wizard

Step 2. Define CSPM host

After you define the network topology, you define the hosts, starting with the CSPM host itself. Make sure the network topology contains a network that holds the CSPM host. Select that network on the left side of the network topology, right-click it, and choose New and then Host. A pop-up asks whether the new host is the CSPM host.


Figure 2   Selecting the CSPM Host

Step 3. Define application hosts

Application hosts are often the destination objects in security policies. Examples of application hosts include e-mail servers, Web servers, and so forth. You create application hosts by selecting the network in the network topology, right-clicking it, and choosing New and then Host, as described above.

Step 4. Create security policies

You can drag networks that are protected by firewalls from the network topology to the Trusted Networks folder. These networks can either be the source or destination of security policies.


Figure 3   Dragging Networks from Network Topology to Trusted Networks

Right-click Policy and New on the highlighted network under Trusted Network to create a security policy for that network.


Figure 4   Select Policy - New to Create a Policy

The sample policy uses this trusted remote network as the source network. The destination network is the 161.44.x.x network behind the PIX Firewall. Right-click the "if source =" icon and select continue and then "If Destination is".


Figure 5   Configuring the Destination Network

A drop-down list of options for the destination network appears.


Figure 6   Source/Destination Lists

Right-click on the destination object to select the "continue" and "If service is" options.


Figure 7   Service Option

A drop-down list with predefined service categories appears. In this example, the standard network services bundle is selected.


Figure 8   Standard Network Services

The final step is to right-click and select "continue", "then", and "permit". You do not need to write explicit deny rules: CSPM's default is deny all, so the generated configuration blocks every service that no policy explicitly permits.


Figure 9   Permit

Step 5. Generate configuration files

Click the "OK" check button at the top of the screen to generate the configuration files for all managed security devices; any configuration inconsistencies are reported at this point. Click any device icon to open its properties panel.


Figure 10   Device Properties Panel

Select Command and then Command Viewer to view the generated configuration file for that managed device. Click the Approve button on the command panel to distribute the configuration file to the device manually (Step 6). Alternatively, the "automatic" option on the command panel distributes generated configuration files to the device as soon as they are generated; with that option set, a policy change reaches the device without anyone reviewing the generated commands first, so review the command diff before enabling it on production firewalls.


Figure 11   Command Viewing
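The Step 4 policy and the Step 5 generate-and-distribute workflow, reduced to a small model. The following Python is an added illustration written for this page; it is not CSPM or Cisco code. It compiles the sample policy (trusted remote network to 161.44.x.x, standard network services, permit) into PIX-style access-list lines, records which policy produced each line (the CLI policy mapping feature listed under New Features), answers a policy query for a given flow with default deny when nothing matches, and computes a command diff between the generated lines and a constructed "active" configuration that still permits telnet. The following are assumptions, because the page does not give them: the trusted network 10.1.0.0/16, the ACL name acl_outside, the ports that make up the standard services bundle, and the exact PIX access-list syntax. A real PIX applies the final deny implicitly; the trailing deny line is emitted only to make the default visible.

```python
"""Toy model of the CSPM workflow: compile a high-level policy into
PIX-style access-list lines, map each line back to its policy (CLI policy
mapping), answer "which policy applies to this flow?" (policy query), and
diff generated against active config (command diff).  Added illustration,
not CSPM code; network, ACL name, ports and syntax are assumed."""
import difflib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    source: str        # CIDR of the trusted (source) network
    destination: str   # CIDR of the destination network
    services: tuple    # (protocol, port) pairs the policy covers
    action: str        # "permit" or "deny"


# Constructed stand-in for CSPM's "standard network services" bundle.
STANDARD_NETWORK_SERVICES = (("tcp", 80), ("tcp", 25), ("tcp", 53), ("udp", 53))

# The policy built in Step 4: trusted remote network (assumed 10.1.0.0/16)
# to the 161.44.x.x network behind the PIX, standard services, permit.
POLICIES = [
    Policy("trusted-to-161.44", "10.1.0.0/16", "161.44.0.0/16",
           STANDARD_NETWORK_SERVICES, "permit"),
]


def _pix_net(cidr: str) -> str:
    """PIX access-list syntax takes 'network mask', not CIDR notation."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def compile_policies(policies, acl="acl_outside"):
    """Return (lines, mapping): generated access-list lines, and for each
    line the name of the policy that produced it (CLI policy mapping)."""
    lines, mapping = [], {}
    for p in policies:
        for proto, port in p.services:
            line = (f"access-list {acl} {p.action} {proto} "
                    f"{_pix_net(p.source)} {_pix_net(p.destination)} eq {port}")
            lines.append(line)
            mapping[line] = p.name
    # PIX already denies what no entry permits; the explicit trailing deny
    # only makes CSPM's deny-all default visible in the generated output.
    deny = f"access-list {acl} deny ip any any"
    lines.append(deny)
    mapping[deny] = "<default deny>"
    return lines, mapping


def policy_query(policies, src_ip, dst_ip, proto, port):
    """First policy matching the flow, or None when only the default deny
    applies (no policy ever has to state the deny explicitly)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if (src in ipaddress.ip_network(p.source)
                and dst in ipaddress.ip_network(p.destination)
                and (proto, port) in p.services):
            return p
    return None


def command_diff(active, generated):
    """Lines removed ('-') or added ('+') if the generated config is
    distributed over the active one; context and headers are dropped."""
    diff = difflib.unified_diff(active, generated, fromfile="active",
                                tofile="generated", n=0, lineterm="")
    return [l for l in diff
            if l.startswith(("-", "+")) and not l.startswith(("---", "+++"))]


# Constructed: the config currently active on the PIX.  It still permits
# telnet (tcp/23), which the policy no longer covers, and lacks udp/53.
ACTIVE_CONFIG = [
    "access-list acl_outside permit tcp 10.1.0.0 255.255.0.0 161.44.0.0 255.255.0.0 eq 80",
    "access-list acl_outside permit tcp 10.1.0.0 255.255.0.0 161.44.0.0 255.255.0.0 eq 23",
    "access-list acl_outside permit tcp 10.1.0.0 255.255.0.0 161.44.0.0 255.255.0.0 eq 25",
    "access-list acl_outside permit tcp 10.1.0.0 255.255.0.0 161.44.0.0 255.255.0.0 eq 53",
    "access-list acl_outside deny ip any any",
]

if __name__ == "__main__":
    generated, origin = compile_policies(POLICIES)
    for line in generated:
        print(f"{line:<90} ! {origin[line]}")
    print(policy_query(POLICIES, "10.1.2.3", "161.44.7.8", "tcp", 80))
    print(policy_query(POLICIES, "10.1.2.3", "161.44.7.8", "tcp", 23))  # None
    print("\n".join(command_diff(ACTIVE_CONFIG, generated)))
```

Running it prints each generated line tagged with its originating policy, the two query results (the HTTP flow matches the policy, the telnet flow falls through to the default deny), and a two-line diff: the stale telnet entry would be removed and the missing UDP/53 entry added. That diff, not the full generated file, is what changes on the device when you click Approve, which is why it is the thing to read before distribution.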

New Features in Cisco Secure Policy Manager 2.3

CSPM 2.3 has the following new features:

Firewall and VPN

  • CLI policy mapping—Map any generated CLI line back to the policy that produced it, then select the command viewer/mode option to switch to policy mode.
  • Policy query—Interactive query that displays the policies active between any two devices or any two networks at any time.

  • Topology graph—Displays the network topology as a graph for display and printing.

  • CiscoWorks2000 topology import—Import existing network topology from CiscoWorks2000/RME. Allows users to support existing networks without redefinition with the Topology Wizard.
  • Windows 2000 GUI/demo—Run the CSPM demo on Windows 2000, and use the Windows 2000 client GUI in client/server mode
  • PIX 535/v5.3x
  • PIX access lists—Generate PIX access-lists instead of static/conduits
  • PIX Failover—Native support for PIX failover in CSPM, with reduced configuration distribution time for failover pairs
  • AAA IOS/PIX—Generate AAA commands on PIX and IOS devices for authentication, and let CSPM authenticate to devices with credentials held in an external AAA server
  • Cisco IOS Software Release 12.1(4) and 12.1(5)
  • Version Management Utility—Allow CSPM to support new PIX/IOS versions by mapping any version to a previous version
  • Command Diff—Show differences between active and generated configuration files

  • Improved configuration distribution performance—Distribute configuration deltas rather than full configurations; PIX access lists are more efficient than conduits; failover configurations distribute faster
  • IOS Dynamic Routing—Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP)
  • Interface PAT—PAT with the interface IP address
  • IPSec/GRE—GRE inside an IPSec tunnel, with IPSec failover
  • IPSec syslog—Syslog between IOS/PIX devices and CSPM secured with IPSec

Intrusion Detection System

  • IDS reporting
  • IDS notification—e-mail and scripting
  • IPSec IDS alarms—IDS alarms carried over IPSec
  • Hierarchical alarm forwarding—Direct IDS alarms to multiple CSPM servers

Ordering Information

Cisco Part Number     Description
SEC-POL-MGR-2.3-UR    Unrestricted License
SEC-POL-MGR-2.3-R     Restricted (LITE) License, three devices

For more information on CSPM, go to: http://www.cisco.com/go/policymanager
