Cisco VMS Version 2.0

Cisco upgrades security management suite, but tool integration lags.

VPN/Security Management Solution Version 2.0 (VMS 2.0) is Cisco's latest foray into security and VPN management. It's four Cisco management tools in one box, with coordinated installation and release notes.

Cisco's last attempt at bundling these tools had limited success. In this release, each stand-alone product performs well. We were impressed with the progress Cisco made in firewall and VPN tools that we previously reviewed.

However, the individual products are far from integrated.

VMS Version 2.0 has four components:

1. Cisco Secure Policy Manager (CSPM) Version 3.0 is a new version of the company's firewall and VPN configuration tool that generates and downloads configurations into Cisco IOS and PIX devices.

2. Intrusion detection is managed through CSPM Version 2.3, which has been enhanced to support both network- and host-based intrusion detection systems.

3. VPN monitoring, alerting and reporting are covered in a separate tool, CiscoWorks2000 VPN Monitor.

4. All other management functions are part of CiscoWorks2000, which includes device inventory, logging, availability, software management and configuration control.

CSPM 3.0 is easy to use, both with new and existing devices. First, you define your network topology by drawing a map and putting in Cisco (and non-Cisco) devices. Then, you use a simple tool to define rules: what traffic is allowed and what is not.

CSPM 3.0 uses the rules you create to generate commands for all the affected devices, automatically computing which ones need to be changed and how. CSPM 3.0 downloads the changed configurations to each device (either automatically or after you approve the changes) and you're done.

CSPM 3.0 understands your network topology, so it knows which devices need to be updated and how. Once you've taught CSPM 3.0 your network topology, you don't have to worry about which devices are in the path between different kinds of traffic.

CSPM 3.0 supports fully meshed and hub-and-spoke VPNs. The VPN topology is a virtual one, layered on top of the physical network topology. You define VPNs by adding nodes to VPN tunnel groups and checking a box on any firewall rule to send that traffic through the VPN.
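The workflow the review describes (draw the topology, write the rules once, let the tool work out which devices on the path need which commands, and flag a rule to send its traffic through the VPN overlay) is easier to see in code. The following is an added illustration written for this page; it is not Cisco's algorithm and not CSPM code. The topology, device names, networks and rules are constructed, the ACL lines only imitate IOS extended-ACL syntax, and the tunnel line is a placeholder comment rather than a real IOS or PIX command.

```python
from collections import deque
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One line of the traffic policy, written once for the whole network."""
    src: str                # source network, CIDR
    dst: str                # destination network, CIDR
    proto: str              # "tcp", "udp" or "ip"
    port: Optional[int]     # destination port, None for any
    action: str             # "permit" or "deny"
    via_vpn: bool = False   # the "send this traffic through the VPN" checkbox


class Topology:
    """Physical map: devices, links, and the device each network hangs off."""

    def __init__(self) -> None:
        self.links: Dict[str, Set[str]] = {}
        self.enforcers: Set[str] = set()        # devices that can apply policy
        self.net_to_device: Dict[str, str] = {}

    def add_device(self, name: str, enforces_policy: bool) -> None:
        self.links.setdefault(name, set())
        if enforces_policy:
            self.enforcers.add(name)

    def add_link(self, a: str, b: str) -> None:
        self.links[a].add(b)
        self.links[b].add(a)

    def attach_network(self, cidr: str, device: str) -> None:
        self.net_to_device[cidr] = device

    def path(self, a: str, b: str) -> List[str]:
        """Shortest device path a -> b by breadth-first search; [] if unreachable."""
        prev: Dict[str, Optional[str]] = {a: None}
        queue = deque([a])
        while queue:
            cur = queue.popleft()
            if cur == b:
                break
            for nxt in sorted(self.links[cur]):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        if b not in prev:
            return []
        hops: List[str] = []
        node: Optional[str] = b
        while node is not None:
            hops.append(node)
            node = prev[node]
        return hops[::-1]


def acl_line(rule: Rule) -> str:
    """Render a rule as an IOS-style extended ACL entry (illustrative syntax only)."""
    s, d = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
    line = (f"access-list 101 {rule.action} {rule.proto} "
            f"{s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")
    return line + (f" eq {rule.port}" if rule.port is not None else "")


def compile_policy(topo: Topology, rules: List[Rule]) -> Dict[str, List[str]]:
    """Map every rule onto the enforcing devices that lie on its traffic path."""
    desired: Dict[str, List[str]] = {dev: [] for dev in sorted(topo.enforcers)}
    for rule in rules:
        route = topo.path(topo.net_to_device[rule.src], topo.net_to_device[rule.dst])
        hops = [dev for dev in route if dev in topo.enforcers]
        if not hops:
            raise ValueError(f"no enforcing device between {rule.src} and {rule.dst}")
        for dev in hops:
            desired[dev].append(acl_line(rule))
        if rule.via_vpn and hops[0] != hops[-1]:
            # The VPN is a virtual overlay: only the first and last enforcer on the
            # path terminate the tunnel. Placeholder line, not a real device command.
            for near, far in ((hops[0], hops[-1]), (hops[-1], hops[0])):
                desired[near].append(f"! tunnel to {far}: protect {rule.src} -> {rule.dst}")
    return desired


def devices_to_update(current: Dict[str, List[str]],
                      desired: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Only devices whose running commands differ from the desired set get a download."""
    return {dev: cmds for dev, cmds in desired.items() if current.get(dev, []) != cmds}


def example_policy() -> Dict[str, List[str]]:
    """Constructed branch router -> core switch -> HQ firewall topology, two rules."""
    topo = Topology()
    topo.add_device("r-branch", enforces_policy=True)   # branch router
    topo.add_device("sw-core", enforces_policy=False)   # plain switch, no policy
    topo.add_device("fw-hq", enforces_policy=True)      # HQ firewall
    topo.add_link("r-branch", "sw-core")
    topo.add_link("sw-core", "fw-hq")
    topo.attach_network("10.1.0.0/16", "r-branch")      # branch LAN
    topo.attach_network("192.168.1.0/24", "fw-hq")      # HQ server network
    rules = [
        Rule("10.1.0.0/16", "192.168.1.0/24", "tcp", 443, "permit", via_vpn=True),
        Rule("10.1.0.0/16", "192.168.1.0/24", "ip", None, "deny"),
    ]
    return compile_policy(topo, rules)


if __name__ == "__main__":
    for dev, cmds in example_policy().items():
        print(dev, cmds)
```

The switch in the middle gets no commands because it is not an enforcing device; both enforcers on the path get the ACL entries, and only the two tunnel endpoints get the overlay line. `devices_to_update` is the "which ones need to be changed" step: a device whose current command set already matches is left alone.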

This style of VPN brings Cisco up to speed with other VPN management vendors, such as Avaya, NetScreen Technologies and Nokia, but there's a catch. It's quite difficult to simply say 'tunnel everything between every VPN node.' CSPM 3.0 is much more focused on firewalling traffic, with VPN an option, than on building VPNs and firewalls in parallel.

Some pieces of VPN management are still missing. Although CSPM 3.0 lets you select from the three Internet Key Exchange authentication schemes, there is no help for the difficult task of defining and managing certification authorities, certificate authority trust relationships, or requesting and managing digital certificates.

Cisco has greatly simplified the job of building complex access lists and network address translation configurations in its IOS and PIX systems, something network managers have hoped for.

Not so much integration

In this release of VMS, network- and host-based intrusion detection system devices are managed using a different version of CSPM, Version 2.3, which must run on a different server from CSPM 3.0. While the functions of managing firewall/VPN and intrusion detection are generally separate, this separation can be a problem for network managers who implement Cisco's 'shunning' feature.

With shunning, intrusion detection system alerts actually cause configuration changes in firewalls and routers that block traffic from the offending networks. Because shunning is handled through a different configuration tool, network managers trying to debug and analyze configurations using CSPM 3.0 aren't looking at the whole picture.
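Because a shun is a firewall change made outside the firewall policy tool, the only record of it is whatever the shunning component keeps. The following added example (written for this page; not Cisco's shunning implementation, and the `shun`/`no shun` command strings are illustrative rather than verified PIX syntax) shows the guard rails an operator would want around automatic blocking: protected address ranges that are never shunned, a time-to-live so blocks do not accumulate forever, and an audit trail that gives the whole picture CSPM 3.0 cannot see. The alert fields and the sample alerts are constructed.

```python
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IdsAlert:
    """Constructed shape of a sensor alert; the field names are assumptions."""
    sensor: str
    src_ip: str
    signature: str


class ShunController:
    """Turns IDS alerts into temporary firewall shuns, with guard rails and an audit log."""

    def __init__(self, protected: List[str], ttl_seconds: int) -> None:
        self.protected = [ipaddress.ip_network(n) for n in protected]
        self.ttl = ttl_seconds
        self.active: Dict[str, float] = {}   # shunned address -> expiry time
        self.audit: List[str] = []           # every decision, including refusals

    def on_alert(self, alert: IdsAlert, now: float) -> List[str]:
        """Return the firewall commands (if any) this alert should produce."""
        ip = ipaddress.ip_address(alert.src_ip)
        who = f"{alert.signature} from {alert.sensor}"
        if any(ip in net for net in self.protected):
            # Never let a sensor block internal or otherwise protected ranges.
            self.audit.append(f"{now:.0f} REFUSE shun {ip}: {who} (protected range)")
            return []
        if str(ip) in self.active:
            # Already blocked: extend the block, push no duplicate command.
            self.active[str(ip)] = now + self.ttl
            self.audit.append(f"{now:.0f} EXTEND shun {ip}: {who}")
            return []
        self.active[str(ip)] = now + self.ttl
        self.audit.append(f"{now:.0f} ADD shun {ip}: {who}")
        return [f"shun {ip}"]

    def expire(self, now: float) -> List[str]:
        """Return the commands that lift shuns whose time-to-live has passed."""
        expired = sorted(ip for ip, until in self.active.items() if until <= now)
        for ip in expired:
            del self.active[ip]
            self.audit.append(f"{now:.0f} REMOVE shun {ip}: ttl expired")
        return [f"no shun {ip}" for ip in expired]


def example_shuns() -> Tuple[List[str], List[str]]:
    """Constructed alert sequence: one external source, one internal host, one repeat."""
    ctl = ShunController(protected=["10.0.0.0/8", "192.168.1.0/24"], ttl_seconds=600)
    cmds: List[str] = []
    cmds += ctl.on_alert(IdsAlert("sensor-dmz", "203.0.113.9", "port-sweep"), now=1000)
    cmds += ctl.on_alert(IdsAlert("sensor-dmz", "10.1.2.3", "port-sweep"), now=1001)
    cmds += ctl.on_alert(IdsAlert("sensor-dmz", "203.0.113.9", "port-sweep"), now=1200)
    cmds += ctl.expire(now=1500)   # block was extended to 1800, nothing lifted yet
    cmds += ctl.expire(now=1900)   # now it is lifted
    return cmds, ctl.audit


if __name__ == "__main__":
    commands, log = example_shuns()
    print(commands)
    print("\n".join(log))
```

The commands list is what the firewall sees; the audit list is what the operator debugging a CSPM 3.0 configuration would need alongside it to explain why traffic from an address was blocked.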

A second functionality gap occurs between the VPN Monitor and VPN configuration tools in CSPM 3.0. VPN Monitor is a Web-based tool built into CiscoWorks2000. With VPN Monitor, you can track, report and alert on VPN tunnels. More than a dozen statistics, including throughput, resource consumption and failure rates, can be logged and graphed. VPN Monitor also generates alerts when network manager-defined thresholds are crossed.

CSPM 2.3, CSPM 3.0 and CiscoWorks2000 maintain separate device inventories. This means that if you define a VPN in CSPM 3.0, you must redefine the topology in VPN Monitor by hand. If you want devices on CSPM 3.0 to participate in the intrusion detection system configuration, you also have to redefine the topology in CSPM 2.3. In this case, the integration that VMS 2.0 provides simply means that all the pieces shipped in the same box.

With VMS 2.0, Cisco has released an outstanding suite of applications. CSPM 3.0 is what network managers have been waiting for, CSPM 2.3 adds host-based intrusion detection system functionality to the existing network-based intrusion detection system, and CiscoWorks2000 comes with tools no Cisco manager should be without. It would be nice if they all worked together a little better.

VPN/Security Management Solution Version 2.0
Company: Cisco Systems
Cost: A license for 10 managed devices is $8,000.
Pros: Offers simplified management of security policy across multiple networks; defines both mesh and hub-and-spoke VPNs within one GUI; PIX configurations with new security policies.
Cons: Lack of coordination and central directory between product components; CSPM Version 3.0 still too complex; can't build VPNs without thinking in firewall terms and traffic flows.

Scorecard
Category                            Weight   Score
Enterprise-quality configuration    30%      4.0
Ease of use/documentation           25%      3.0
Scalability                         20%      3.5
Management                          15%      4.0
Performance                         10%      4.0

Individual category scores are based on a scale of 1 to 5. Percentages are the weight given each category in determining the total score.
Scoring key:
5: Exceptional showing in this category. Defines the standard of excellence.
4: Very good showing. Although there may be room for improvement, this product was much better than the average.
3: Average showing in this category. Product was neither especially good nor exceptionally bad.
2: Below average. Lacked some features or lower performance than other products or than expected.
1: Consistently subpar, or lacking features being reviewed.

Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz. He can be reached at
