Cisco VMS Version 2.0

Cisco upgrades security management suite, but tool integration lags.


VPN/Security Management Solution Version 2.0 (VMS 2.0) is Cisco's latest foray into security and VPN management. It's four Cisco management tools in one box, with coordinated installation and release notes.

Cisco's last attempt at bundling these tools had limited success. In this release, each stand-alone product performs well. We were impressed with the progress Cisco made in firewall and VPN tools that we previously reviewed.

However, the individual products are far from integrated.

VMS Version 2.0 has four components:

1. Cisco Secure Policy Manager (CSPM) Version 3.0 is a new version of the company's firewall and VPN configuration tool that generates and downloads configurations into Cisco IOS and PIX devices.

2. Intrusion detection is managed through CSPM Version 2.3, which has been enhanced to support both network- and host-based intrusion detection systems.

3. VPN monitoring, alerting and reporting are covered in a separate tool, CiscoWorks2000 VPN Monitor.

4. All other management functions are part of CiscoWorks2000, which includes device inventory, logging, availability, software management and configuration control.


CSPM 3.0 is easy to use, both with new and existing devices. First, you define your network topology by drawing a map and placing Cisco (and non-Cisco) devices on it. Then, you use a simple tool to define rules: what traffic is allowed and what is not.

CSPM 3.0 uses the rules you create to generate commands for all the affected devices, automatically computing which ones need to be changed and how. CSPM 3.0 downloads the changed configurations to each device (either automatically or after you approve the changes) and you're done.

CSPM 3.0 understands your network topology, so it knows which devices need to be updated and how. Once you've taught CSPM 3.0 your network topology, you don't have to worry about which devices are in the path between different kinds of traffic.
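The topology-aware rule compilation described above, as an added illustration in Python (not Cisco's code; CSPM's internal algorithm is not published on this page): a constructed topology graph, a breadth-first path search that finds the enforcement devices between two networks, and a change planner that reports only the devices whose current configuration lacks the generated access-list line. Device and network names, the rule fields and the IOS-style access-list line are assumptions made for the example.

```python
from collections import deque

# Constructed topology: networks and enforcement devices as an undirected graph.
TOPOLOGY = {
    "inside": ["fw1"],
    "fw1": ["inside", "dmz", "rtr1"],
    "dmz": ["fw1"],
    "rtr1": ["fw1", "internet"],
    "internet": ["rtr1"],
}
ENFORCERS = {"fw1", "rtr1"}  # devices that can carry an access-list entry

def find_path(topology, src, dst):
    """Breadth-first search; returns the node list from src to dst, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            route = []
            while node is not None:
                route.append(node)
                node = prev[node]
            return route[::-1]
        for nxt in topology[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def compile_rule(topology, enforcers, rule):
    """Map one policy rule to {device: acl_line} for each enforcer on its path."""
    route = find_path(topology, rule["src_net"], rule["dst_net"])
    if route is None:
        raise ValueError(f"no path from {rule['src_net']} to {rule['dst_net']}")
    line = (f"access-list {rule['acl']} {rule['action']} {rule['proto']} "
            f"{rule['src']} {rule['dst']} eq {rule['port']}")
    return {dev: line for dev in route if dev in enforcers}

def plan_changes(current, desired):
    """Return only the devices whose running config lacks the desired line."""
    return {dev: line for dev, line in desired.items()
            if line not in current.get(dev, [])}

if __name__ == "__main__":
    rule = {"acl": 101, "action": "permit", "proto": "tcp", "port": 443,
            "src_net": "inside", "dst_net": "internet",
            "src": "10.1.0.0 0.0.255.255", "dst": "any"}  # constructed rule
    desired = compile_rule(TOPOLOGY, ENFORCERS, rule)
    current = {"fw1": [desired["fw1"]]}  # fw1 already has the line; rtr1 does not
    print(plan_changes(current, desired))  # only rtr1 needs a download
```

A rule between "inside" and "dmz" touches only fw1, because rtr1 is not on that path; the same rule toward "internet" touches both devices.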

CSPM 3.0 supports fully meshed and hub-and-spoke VPNs. The VPN topology is a virtual one, layered on top of the physical network topology. You define VPNs by adding nodes to VPN tunnel groups and checking a box on any firewall rule to send that traffic through the VPN.

This style of VPN brings Cisco up to speed with other VPN management vendors, such as Avaya, NetScreen Technologies and Nokia, but there's a catch. It's quite difficult to simply say 'tunnel everything between every VPN node.' CSPM 3.0 is much more focused on firewalling traffic, with VPN an option, than on building VPNs and firewalls in parallel.

Some pieces of VPN management are still missing. Although CSPM 3.0 lets you select from the three Internet Key Exchange authentication schemes, there is no help for the difficult task of defining and managing certification authorities, certificate authority trust relationships, or requesting and managing digital certificates.

Cisco has greatly simplified the job of building complex access lists and network address translation configurations in its IOS and PIX systems, something network managers have hoped for.

Not so much integration

In this release of VMS, network- and host-based intrusion detection system devices are managed using a different version of CSPM, Version 2.3, which must run on a different server from CSPM 3.0. While the functions of managing firewall/VPN and intrusion detection are generally separate, this separation can be a problem for network managers who implement Cisco's 'shunning' feature.

With shunning, intrusion detection system alerts actually cause configuration changes in firewalls and routers, blocking traffic from the offending networks. Because shunning is handled through a different configuration tool, network managers trying to debug and analyze configurations using CSPM 3.0 aren't looking at the whole picture.

A second functionality gap occurs between the VPN Monitor and VPN configuration tools in CSPM 3.0. VPN Monitor is a Web-based tool built into CiscoWorks2000. With VPN Monitor, you can track, report and alert on VPN tunnels. More than a dozen statistics, including throughput, resource consumption and failure rates, can be logged and graphed. VPN Monitor also generates alerts when network manager-defined thresholds are crossed.

CSPM 2.3, CSPM 3.0 and CiscoWorks2000 maintain separate device inventories. This means that if you define a VPN in CSPM 3.0, you must redefine the topology in VPN Monitor by hand. If you want devices on CSPM 3.0 to participate in the intrusion detection system configuration, you also have to redefine the topology in CSPM 2.3. In this case, the integration that VMS 2.0 provides simply means that all the pieces shipped in the same box.

With VMS 2.0, Cisco has released an outstanding suite of applications. CSPM 3.0 is what network managers have been waiting for, CSPM 2.3 adds host-based intrusion detection system functionality to the existing network-based intrusion detection system, and CiscoWorks2000 comes with tools no Cisco manager should be without. It would be nice if they all worked together a little better.

VPN/Security Management Solution Version 2.0
Company: Cisco Systems. Cost: A license for 10 managed devices is $8,000.
Pros: Offers simplified management of security policy across multiple networks; defines both mesh and hub-and-spoke VPNs within one GUI; PIX configurations with new security policies.
Cons: Lack of coordination and central directory between product components; CSPM Version 3.0 still too complex; can't build VPNs without thinking in firewall terms and traffic flows.

Scorecard: VPN/Security Management Solution Version 2.0
Category                           Weight   Score
Enterprise-quality configuration   30%      4.0
Ease of use/documentation          25%      3.0
Scalability                        20%      3.5
Management                         15%      4.0
Performance                        10%      4.0

Individual category scores are based on a scale of 1 to 5. Percentages are the weight given each category in determining the total score.
Scoring key:
5: Exceptional showing in this category. Defines the standard of excellence.
4: Very good showing. Although there may be room for improvement, this product was much better than the average.
3: Average showing in this category. Product was neither especially good nor exceptionally bad.
2: Below average. Lacked some features or lower performance than other products or than expected.
1: Consistently subpar, or lacking features being reviewed.



Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at
