Network World
Thursday, July 24, 2008

Jamey Heary: Cisco Security Expert

Cisco Subnet

Cisco Security refresh: Cisco Security Manager 3.2

This month Cisco added some blockbuster features to its GUI security management software, Cisco Security Manager (CSM). In fact, a recent Network World test rated a previous version of Cisco Security Manager higher than Check Point for UTM management (a 4.0 vs. a 3.75 score). That's right, Cisco security management beat out Check Point's security management in an independent review. Now that's a first! If you haven't heard of CSM yet, or have only played with an early release of it, now might be a good time to take a look at it.

The two new features I think you'll want the most are the ability to manage ACLs on both desktop and chassis Cisco switches and the ability to integrate/link MARS logging data with CSM IPS and firewall configuration data. The greatly enhanced MARS/CSM integration is a definite step in the right direction, so let's take a look at that first.

One of the big issues with creating new ASA firewall rules is figuring out whether they are working correctly. This is especially true of new permit rules, whose hits are not logged by default. The CSM/MARS solution is pretty straightforward: you right-click on a firewall rule in CSM and go to Show Events. You then have two choices, real-time or historical events; for historical events you can set the time frame you want to use. You can then choose to see either all matching flows or all matching rules from MARS. A matching flow means any time the ASA firewall sets up or tears down a connection that matches the rule. A matching rule means any time the ASA sends a syslog to MARS indicating it has denied or permitted traffic because of an ACL rule. In my opinion the flow-based match is more verbose and more accurate, because the ASA fast-paths ACL-permitted flows and thus does not report an ACL hit every time, whereas a setup/teardown message is generated for every connection regardless of the fast path. See the figure below for a screenshot of the CSM-to-MARS linkages.
Figure 1: Cisco Security Manager 3.2 screenshot of Show Events

Figure 2: Cisco MARS 4.3 screenshot of the query results

In the Reporting Device column in MARS you can see a blue icon. This icon links the MARS event to the Cisco Security Manager firewall/IPS rule it corresponds to. See Figure 3 for a screenshot.
Figure 3: Cisco MARS 4.3 event linkage to CSM rule configuration

You can also click on any of the CSM groups to see what they include (as shown in the figure for FTP). To edit any of the rules shown, you simply click on the rule number. At that point MARS will cross-launch CSM, bringing you right to the rule in question so you can edit it.
The same process we just went through for ASA firewall rules and events also works for Cisco IPS rules and events.
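To make the flow-versus-rule distinction concrete, here is an added example (not code from the article, Cisco, CSM or MARS) that does offline what the MARS query does: it takes one firewall rule and counts, over a constructed batch of ASA syslog lines, how many connection-setup messages fall inside the rule versus how many explicit ACL permit/deny messages name it. The `AclRule` class, the rule names and addresses, and the sample log are all hypothetical; the three regexes approximate the documented shapes of ASA messages 302013, 106100 and 106023 and should be checked against your own device's output.

```python
import ipaddress
import re
from dataclasses import dataclass


# Hypothetical model of one ASA access-list entry (the fields a CSM firewall rule carries).
@dataclass(frozen=True)
class AclRule:
    name: str                     # access-list name as it appears in ASA syslog
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp" or "udp"
    src: ipaddress.IPv4Network    # 0.0.0.0/0 stands for "any"
    dst: ipaddress.IPv4Network
    dport: int

    def matches(self, proto, src_ip, dst_ip, dport):
        """True when a 5-tuple taken from a syslog message falls inside this rule."""
        return (proto.lower() == self.proto and dport == self.dport
                and ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)


# Patterns approximating three ASA syslog message shapes (assumed here, verify against real logs):
#   302013  connection built      -> "matching flow" evidence, emitted for every connection
#   106100  access-list hit       -> "matching rule" evidence for permits; because permitted flows
#                                    are fast-pathed it is only logged on the first hit and then
#                                    at the logging interval, not once per connection
#   106023  deny by access-group  -> "matching rule" evidence for denies
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d./]+\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
HIT_RE = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"\w+/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> \w+/(?P<dst>[\d.]+)\((?P<dport>\d+)\)")
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')


def correlate(rule, log_lines):
    """Count, for one rule, the two kinds of match the article describes:
    flow_matches = connection setups whose 5-tuple the rule would permit,
    rule_matches = explicit ACL permit/deny messages naming this rule."""
    flows = hits = 0
    for line in log_lines:
        m = BUILT_RE.search(line)
        if m:
            # A built connection carries no ACL name, so it is attributed to any permit
            # rule it falls inside; denied traffic never reaches connection setup.
            if rule.action == "permit" and rule.matches(m["proto"], m["src"], m["dst"], int(m["dport"])):
                flows += 1
            continue
        m = HIT_RE.search(line)
        if m:
            action = "permit" if m["action"] == "permitted" else "deny"
        else:
            m = DENY_RE.search(line)
            action = "deny" if m else None
        if (m and m["acl"] == rule.name and action == rule.action
                and rule.matches(m["proto"], m["src"], m["dst"], int(m["dport"]))):
            hits += 1
    return {"flow_matches": flows, "rule_matches": hits}


ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.0.0.0/24")
PERMIT_WEB = AclRule("OUTSIDE-IN", "permit", "tcp", ANY, INSIDE, 80)
DENY_TELNET = AclRule("OUTSIDE-IN", "deny", "tcp", ANY, INSIDE, 23)

# Constructed sample log: three web connections, only the first of which produced a 106100
# message before the flow was fast-pathed, one HTTPS connection, and one telnet deny.
SAMPLE_LOG = [
    "Jul 24 2008 10:15:02 fw01 : %ASA-6-106100: access-list OUTSIDE-IN permitted tcp outside/198.51.100.7(51000) -> inside/10.0.0.5(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jul 24 2008 10:15:02 fw01 : %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51000 (198.51.100.7/51000) to inside:10.0.0.5/80 (10.0.0.5/80)",
    "Jul 24 2008 10:15:04 fw01 : %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51000 to inside:10.0.0.5/80 duration 0:00:02 bytes 1532 TCP FINs",
    "Jul 24 2008 10:15:09 fw01 : %ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/51001 (198.51.100.7/51001) to inside:10.0.0.5/80 (10.0.0.5/80)",
    "Jul 24 2008 10:15:11 fw01 : %ASA-6-302013: Built inbound TCP connection 1003 for outside:198.51.100.9/44000 (198.51.100.9/44000) to inside:10.0.0.6/80 (10.0.0.6/80)",
    "Jul 24 2008 10:15:12 fw01 : %ASA-6-302013: Built inbound TCP connection 1004 for outside:198.51.100.9/44001 (198.51.100.9/44001) to inside:10.0.0.6/443 (10.0.0.6/443)",
    'Jul 24 2008 10:15:20 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.4/3322 dst inside:10.0.0.5/23 by access-group "OUTSIDE-IN" [0x0, 0x0]',
]

if __name__ == "__main__":
    for rule in (PERMIT_WEB, DENY_TELNET):
        print(rule.action, rule.proto, rule.dport, correlate(rule, SAMPLE_LOG))
```

Running it shows the permit rule with three flow matches but a single rule match, which is the gap the article attributes to fast-pathing; the deny rule shows the opposite shape, since denied traffic never builds a connection and is only visible through the 106023 message. When validating a new permit rule from logs, count setups rather than ACL-hit messages, or you will underestimate how often the rule is used.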

Let's move on to some of the other new features of CSM. Another useful addition is the ability to manage the ACLs (among other things) on almost all of Cisco's switches. Here is the list of supported switches:

  • Catalyst 3550
  • Catalyst 3560
  • Catalyst 3560E
  • Catalyst 3750
  • Catalyst 3750E
  • Catalyst 4500
  • Catalyst 4900
  • Catalyst 6500

CSM 3.2 is not intended to be a comprehensive switch management system. Instead it is designed to manage the ACLs and other related items on Cisco switches.

Other device and software updates are included in the 3.2 release as well. New devices include the ASA 5580 series, 3251 & 3270 MAR, 2600XM series, 1861, 7201, IPS AIM for ISR routers, and the IPS 4270 sensor. Added software support includes ASA 7.2.3 and 8.x, Catalyst 6500 12.2(33)SXH, and FWSM 3.2(3) and earlier. For a complete list see the CSM 3.2 release notes.

Here are some of the other new features that CSM 3.2 released:

  • Firewall rule expiry – This allows you to set a date when a rule will be removed automatically from your firewall. It can also send reminder emails alerting you before the rule expires and an email once the rule has expired. This feature should help in the fight against firewall policy bloat, which results in a less secure posture.

  • Scheduled deployments – This allows you to set a time and date when you want a deployment job to run in CSM. You can also set recurring jobs like the one shown below.

  • Copy policies enhancements – This enhancement allows you to copy security policies between like device types, for example between an ASA and an ISR router. Before this enhancement you could always create a shared policy between different device types, but now you can copy policies between devices when you don't want to share a policy between them.

  • Device inventory import/export changes – CSM 3.2 removes the old database that was based on the CiscoWorks DCR and Common Services. It is replaced with a new inventory database that allows you to import a CSV text file.

  • Switch VTP support updated – CSM 3.2 now allows you to manage switches that have VTP in client or server mode. Previously you could only manage switches in VTP transparent mode.

  • New client support – The CSM 3.2 client can now run on Vista, and browser support now includes IE 7.0 and Firefox 2.0.


The linkages between CSM and MARS are pretty cool, and I think they are the most important update in this release. I'd like to hear from those of you who are using Cisco Security Manager. What features do you want in a future release? Is Cisco on the right track with CSM? For more CSM info see http://www.cisco.com/go/csmanager. If you'd like me to write more on CSM and what it can do, just ask.



The opinions and information presented here are my personal views and not those of my employer.


About Jamey Heary

Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.
