Cisco VMS Version 2.0
Cisco upgrades security management suite, but tool integration lags.
VPN/Security Management Solution Version 2.0 (VMS 2.0) is Cisco's latest foray into security and VPN management. It's four Cisco management tools in one box, with coordinated installation and release notes.
Cisco's last attempt at bundling these tools had limited success. In this release, each stand-alone product performs well. We were impressed with the progress Cisco made in firewall and VPN tools that we previously reviewed.
However, the individual products are far from integrated.
VMS Version 2.0 has four components:
1. Cisco Secure Policy Manager (CSPM) Version 3.0 is a new version of the company's firewall and VPN configuration tool that generates and downloads configurations into Cisco IOS and PIX devices.
2. Intrusion detection is managed through CSPM Version 2.3, which has been enhanced to support both network- and host-based intrusion detection systems.
3. VPN monitoring, alerting and reporting are covered in a separate tool, CiscoWorks2000 VPN Monitor.
4. All other management functions are part of CiscoWorks2000, which includes device inventory, logging, availability, software management and configuration control.
CSPM 3.0 is easy to use with both new and existing devices. First, you define your network topology by drawing a map and placing Cisco (and non-Cisco) devices on it. Then, you use a simple tool to define rules: what traffic is allowed and what is not.
CSPM 3.0 uses the rules you create to generate commands for all the affected devices, automatically computing which ones need to be changed and how. CSPM 3.0 downloads the changed configurations to each device (either automatically or after you approve the changes) and you're done.
CSPM 3.0 understands your network topology, so it knows which devices need to be updated and how. Once you've taught CSPM 3.0 your network topology, you don't have to worry about which devices are in the path between different kinds of traffic.
CSPM 3.0 supports fully meshed and hub-and-spoke VPNs. The VPN topology is a virtual one, layered on top of the physical network topology. You define VPNs by adding nodes to VPN tunnel groups and checking a box on any firewall rule to send that traffic through the VPN.
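The topology-aware behaviour described above (rules are written once, the tool works out which enforcement points sit on the path and emits per-device changes, and a rule can be flagged to ride a VPN between tunnel-group members) can be modelled in a few dozen lines. The following is an added illustration written for this page, not CSPM code or any Cisco API; the node names, the `permit ... -> ... port` line format and the tunnel-group handling are all constructed for the example, and the output is deliberately vendor-neutral rather than IOS or PIX syntax.

```python
"""Toy topology-aware policy compiler (added example, not Cisco's CSPM code)."""
from collections import deque

# Constructed sample topology: undirected links between named nodes.
LINKS = [
    ("hq-lan", "hq-fw"), ("hq-fw", "internet"),
    ("internet", "branch-rtr"), ("branch-rtr", "branch-lan"),
    ("internet", "dmz-fw"), ("dmz-fw", "dmz"),
]
# Devices that can enforce policy (firewalls/routers); other nodes are networks.
ENFORCERS = {"hq-fw", "branch-rtr", "dmz-fw"}
# Hypothetical VPN tunnel group: enforcers that may terminate a tunnel.
VPN_GROUP = {"hq-fw", "branch-rtr"}


def build_graph(links):
    """Adjacency sets for an undirected topology."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def shortest_path(graph, src, dst):
    """Breadth-first search; returns the node list from src to dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(graph.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no path from {src} to {dst}")
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def compile_rule(rule, graph=None, enforcers=ENFORCERS, vpn_group=VPN_GROUP):
    """Map one abstract rule onto every enforcement point on its path.

    Returns {device: [config lines]}. Only devices actually in the path
    between src and dst receive the rule.
    """
    graph = graph or build_graph(LINKS)
    path = shortest_path(graph, rule["src"], rule["dst"])
    on_path = [n for n in path if n in enforcers]
    line = (f"{rule['action']} {rule['proto']} {rule['src']} -> "
            f"{rule['dst']} port {rule['port']}")
    result = {dev: [line] for dev in on_path}
    if rule.get("vpn"):
        # The first and last tunnel-capable enforcers on the path terminate
        # the tunnel; the rule's traffic is sent through it.
        ends = [n for n in on_path if n in vpn_group]
        if len(ends) < 2:
            raise ValueError("VPN flagged but fewer than two tunnel-group members on path")
        a, b = ends[0], ends[-1]
        result[a].append(f"tunnel {rule['src']} -> {rule['dst']} via {b}")
        result[b].append(f"tunnel {rule['src']} -> {rule['dst']} via {a}")
    return result


def compile_policy(rules, graph=None):
    """Merge per-rule output into one desired configuration per device."""
    desired = {}
    for rule in rules:
        for dev, lines in compile_rule(rule, graph).items():
            desired.setdefault(dev, []).extend(lines)
    return desired


def plan_changes(desired, current):
    """Return only the devices whose running config differs from the desired one."""
    return {dev: lines for dev, lines in desired.items()
            if current.get(dev, []) != lines}


# Constructed sample policy: one rule rides the VPN, one is plain firewalling.
RULES = [
    {"action": "permit", "proto": "tcp", "src": "hq-lan",
     "dst": "branch-lan", "port": 445, "vpn": True},
    {"action": "permit", "proto": "tcp", "src": "internet",
     "dst": "dmz", "port": 443},
]

if __name__ == "__main__":
    desired = compile_policy(RULES)
    # Constructed "running" config: dmz-fw is already correct, the rest is empty.
    current = {"dmz-fw": ["permit tcp internet -> dmz port 443"]}
    for dev, lines in plan_changes(desired, current).items():
        print(dev, lines)
```

Running it lists only `hq-fw` and `branch-rtr` as needing changes: the DMZ firewall is not on the HQ-to-branch path and already carries its one rule, which is the "which devices need to be changed and how" step from the review in miniature. The `ValueError` for a VPN-flagged rule whose path crosses fewer than two tunnel-group members is the kind of check a policy compiler needs so that a rule does not silently fall back to clear-text transport.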
This style of VPN brings Cisco up to speed with other VPN management vendors, such as Avaya, NetScreen Technologies and Nokia, but there's a catch. It's quite difficult to simply say 'tunnel everything between every VPN node.' CSPM 3.0 is much more focused on firewalling traffic, with VPN an option, than on building VPNs and firewalls in parallel.
Some pieces of VPN management are still missing. Although CSPM 3.0 lets you select from the three Internet Key Exchange authentication schemes, there is no help for the difficult task of defining and managing certification authorities, certificate authority trust relationships, or requesting and managing digital certificates.
Cisco has greatly simplified the job of building complex access lists and network address translation configurations in its IOS and PIX systems, something network managers have hoped for.
Not so much integration
In this release of VMS, network- and host-based intrusion detection system devices are managed using a different version of CSPM, Version 2.3, which must run on a different server from CSPM 3.0. While the functions of managing firewall/VPN and intrusion detection are generally separate, this separation can be a problem for network managers who implement Cisco's 'shunning' feature.
With shunning, intrusion detection system alerts actually cause configuration changes in firewalls and routers, blocking traffic from the source networks that triggered the alert. Because shunning is handled through a different configuration tool, network managers trying to debug and analyze configurations using CSPM 3.0 aren't looking at the whole picture.
A second functionality gap occurs between the VPN Monitor and VPN configuration tools in CSPM 3.0. VPN Monitor is a Web-based tool built into CiscoWorks2000. With VPN Monitor, you can track, report and alert on VPN tunnels. More than a dozen statistics, including throughput, resource consumption and failure rates, can be logged and graphed. VPN Monitor also generates alerts when network manager-defined thresholds are crossed.
CSPM 2.3, CSPM 3.0 and CiscoWorks2000 maintain separate device inventories. This means that if you define a VPN in CSPM 3.0, you must redefine the topology in VPN Monitor by hand. If you want devices on CSPM 3.0 to participate in the intrusion detection system configuration, you also have to redefine the topology in CSPM 2.3. In this case, the integration that VMS 2.0 provides simply means that all the pieces shipped in the same box.
With VMS 2.0, Cisco has released an outstanding suite of applications. CSPM 3.0 is what network managers have been waiting for, CSPM 2.3 adds host-based intrusion detection system functionality to the existing network-based intrusion detection system, and CiscoWorks2000 comes with tools no Cisco manager should be without. It would be nice if they all worked together a little better.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.