Cisco Releases substantial update to its Enterprise Security Management Platform

Tons of new platform support plus performance boosts

Last week Cisco posted version 3.3 of its enterprise-class Cisco Security Manager (CSM) product. It introduces a long list of new features, most notably performance improvements throughout, ASA 8.2 support, IPS 7.0 support, ASR router support, and full support for the IOS zone-based firewall. Another notable feature is the bulk import/export functionality, which lets you work with objects, devices, and device overrides in bulk instead of using the previous per-device method. Here is a list of all the new features added (according to the release notes):

  • Support for Cisco Firewall Services Module (FWSM) Version 3.1.(13), 3.1(14), 3.2(9), 3.2(10), 4.0(3), and 4.0(4)
  • Support for Cisco ASA Software Releases 7.2.5, 8.0.5, and 8.1.2
  • Support for new Cisco ASA Software Release 8.2-related features, such as Botnet Traffic Filter, SSL VPN AnyConnect Essentials, and SSL VPN RAS shared license
  • Support for Cisco 861, 861W, 887, 888SRST, 891, and 892 Integrated Services Router platforms
  • Support for Cisco 1002, 1004, and 1006 Aggregation Services Router platforms
  • Support for Zone-Based Firewall (ZBF) on Cisco integrated services routers and aggregated services routers
  • Support for Group Encrypted Transport VPN (GET VPN) on Cisco integrated services routers and aggregated services routers
  • Support for Cisco IPS Sensor Software Version 6.2 (IPv4 only) and Version 7.0 on Cisco IPS 4200 Series Sensors
  • Support for Cisco IPS Sensor Software Version 7.0 global correlation features, including network participation and reputation subscription
  • Support for the Cisco Advanced Inspection and Prevention Security Services Card 5 (AIP-SSC-05) on the ASA 5500 Series platform
  • Support for Cisco IPS Network Module (NME IPS) on the integrated services router platforms
  • Support for Cisco IOS® Software Release 12.4(15)T, 12.4(20)T, and 12.4(22)T on the integrated services router platforms
  • Support for Cisco IOS Software Release 12.2(33)XNA, 12.2(33)XNB, and 12.2(33)XNC on the aggregated services router platforms
  • Support for Cisco IOS Software Release 12.2(33)SXI on Cisco Catalyst® switches
  • Support for content filtering for Cisco IOS Software-based platforms
  • Support for Cisco NT LAN Manager (NTLMv2)-based authentication
  • Bulk import/export of policy objects
  • Bulk add for offline devices
  • Bulk import for device-level overrides
  • Performance enhancements for policy navigation and policy object manager

For a minor release, this is a notable list of new functionality added to CSM 3.3. Here are some tips for using the bulk Policy Object import/export Perl script:

  • The file type is common CSV format. A CSV file can only contain a single object type. The object type can be one of the following: Network, Service or Portlist
  • Security Manager creates only new objects; it does not update existing objects when you do a bulk policy object import

Watch out for an awkward CSM caveat that exists when upgrading to 3.3 from a previous release. As stated in the Cisco release notes, "If you have a device that uses commands that were unsupported in previous versions of Security Manager, these commands are not automatically populated into Security Manager as part of the upgrade to Security Manager 3.3. If you deploy back to the device, these commands are removed from the device because the commands are not part of the target policies configured in Security Manager."

So, in a nutshell, if you have configured commands on your gear that were not natively supported and those commands become supported in CSM 3.3, CSM will delete them on deployment unless you first add them to your CSM policy. You can either manually add them to your CSM 3.3 device policy or re-import your device into CSM. Some newly supported features you should plan for might be:

  • Zone-based FW configs on existing CSM managed IOS devices
  • Get-VPN configs on existing CSM managed IOS devices
  • Any ASA 8.2 features you might have configured
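
One way to find the devices affected by this caveat before the first post-upgrade deployment is to scan saved running-configs for commands belonging to the newly supported features. This is an added example, not code from Cisco or from the original post; the mapping of features to command prefixes is an assumption of the example, and the device names and configs are constructed.

```python
import re

# Command prefixes for features CSM 3.3 newly manages, per the list above.
# The feature-to-command mapping is an assumption of this example.
NEWLY_MANAGED = {
    "zone-based firewall": re.compile(
        r"^\s*(zone security|zone-pair security|zone-member security|"
        r"class-map type inspect|policy-map type inspect)\b"),
    "GET VPN": re.compile(r"^\s*(crypto gdoi\b|crypto map \S+ \d+ gdoi\b)"),
    "ASA 8.2 Botnet Traffic Filter": re.compile(r"^\s*dynamic-filter\b"),
    "ASA 8.2 AnyConnect Essentials": re.compile(r"^\s*anyconnect-essentials\b"),
}

def audit_config(config_text):
    """Return {feature: [matching config lines]} for one device config."""
    hits = {}
    for line in config_text.splitlines():
        for feature, pattern in NEWLY_MANAGED.items():
            if pattern.search(line):
                hits.setdefault(feature, []).append(line.strip())
    return hits

def devices_needing_rediscovery(configs):
    """Map device name -> sorted features to add to policy before deploying."""
    report = {}
    for device, text in configs.items():
        hits = audit_config(text)
        if hits:
            report[device] = sorted(hits)
    return report

# Constructed sample configs (not taken from real devices).
SAMPLE_CONFIGS = {
    "branch-rtr-01": """\
hostname branch-rtr-01
zone security INSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
interface GigabitEthernet0/0
 zone-member security INSIDE
crypto gdoi group GETVPN-GROUP
""",
    "edge-asa-01": "hostname edge-asa-01\ndynamic-filter enable interface outside\n",
    "core-rtr-02": "hostname core-rtr-02\ninterface Loopback0\n",
}

if __name__ == "__main__":
    for device, features in devices_needing_rediscovery(SAMPLE_CONFIGS).items():
        print(f"{device}: add to CSM policy or re-import before deploy: {features}")
```

Any device the report lists should have those features added to its CSM policy, or be re-imported, before a deployment is pushed to it.
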
The performance improvements to day-to-day activities in CSM 3.3 are pretty significant as well. In some cases, improvements of 100% or better were achieved. Specifically, loading the device deployment for a job with 6000 devices improved 1000%! If you are running CSM 3.3 in a VM, be sure to set the number of vCPUs to 2. It will greatly improve your CSM backup times.

All in all, CSM 3.3 is a solid improvement over 3.2 and worthy of your upgrade consideration. Let me know your thoughts on the upgrade and CSM in general.

Release Notes 3.3 here: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/release/notes/csmrn33.html

Download 3.3 here: http://www.cisco.com/cgi-bin/tablebuild.pl/csm-app

CSM 3.3 documentation here: http://www.cisco.com/en/US/products/ps6498/products_user_guide_list.html

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary:

  • Credit Card Skimming: How thieves can steal your card info without you knowing it
  • Cisco enters the crowded AV and DLP client market
  • Cisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhere
  • Cisco targets Symantec, McAfee with its new antivirus client
  • Google's Chrome raises security concerns and tastes like chicken feet

Go to Jamey’s Blog for more articles on security.


Copyright © 2009 IDG Communications, Inc.
