ASK THE EXPERT - CISCO SECURITY MANAGEMENT JUMPSTART

Oct 23rd, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get more information on CSM, MARS, ASDM, IME, CCP, and IronPort SMA with Cisco experts Raghu Kasavaraju and Ziad Sarieddine. Raghu, Product Manager for Cisco Security Manager, has 15 years of extensive experience in IT and he has spent the last 10 years in Information Security Operations, Consulting & Engineering roles. Currently, Raghu is the PM Lead for Cisco Security Manager 4.0 release. Ziad (CCIE Security # 23379) is a security management technologist with expertise in security solutions covering Firewall, IPS, and VPN. Prior to joining Cisco in 2006, Ziad spent 10+ years as a Lead Analyst / Senior Network Engineer designing and installing large networks at different companies.

Remember to use the rating system to let Ziad know if you have received an adequate response.

Ziad might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

jan.nielsen Fri, 10/23/2009 - 13:27

Hi Raghu & Ziad,

First off, I really like CSM. I have been a Cisco consultant for many years and have seen a few different management systems from Cisco, and this one is by far the best one.

I have been installing and using CSM for some time now, and one thing that always comes up when doing more than just the basic VPN solution or firewall solution is lack of feature support, mostly on IOS routers. Can you explain what the timeline is for putting in support for new features as well as old features that are not there yet, and if that is even the plan to do so?

One example is the "tag" option on a static route, which is not supported yet, and I wonder if it ever will be (I can't find it at least)?

rkasavar Sat, 10/24/2009 - 21:36

Hi Jan,

Nice to hear that you like our product. Specific to your question on IOS router support, are there any specific sets of features/router platforms that you are looking at? IOS routers are definitely one of the critical platforms we support and we would like to know a little more detail on it.

jan.nielsen Sun, 10/25/2009 - 05:33

No specific feature set or platform, although most of the stuff I do on IOS is with the Advanced IP Services feature set and on the 2800/3800/7200 series.

Stuff like IP SLA, routing protocol features like distribute lists, prefix lists, hierarchical QoS, NetFlow, WCCP. It seems like the main focus is on security features, which is good, but a solution that is managed by CSM should in my mind support the whole feature set, or a lot of value is gone, since we then have to manage all that via FlexConfigs, which gives us little to no flexibility.

rkasavar Sun, 10/25/2009 - 08:09

Yes, you are right. CSM's main focus is on managing security features rather than platform features. I will take your feedback on supporting the whole feature set and see how we can incorporate it in future releases.

I am assuming here that you have used the CSM + Cisco Configuration Engine (CE) solution for security + non-security config management needs and you are looking for a single console to handle both aspects.

saursing Mon, 10/26/2009 - 21:13

Hi Raghu and Ziad,

I have some basic questions for you on CSM:

1. What is the current version of CSM available in the market?

2. What are some of the key features coming in the next release of CSM?

3. How do I get a demo or eval version of CSM for lab testing purposes?

Thanks

Saurabh

rkasavar Tue, 10/27/2009 - 00:04

Good questions Saurabh. Find responses below.

1. The current version of CSM available in the market is 3.3.

2. On next releases of CSM, there are a couple of releases committed for the next 8-9 months.

3. CSM 3.3.1, a minor release, is primarily targeted to provide security management support for ISR G2 platforms. In addition to ISR G2 platform support, this release will enable easier IPS user credentials management until IPS devices support AAA. CSM 3.3.1 is expected to be released in Nov '09.

4. CSM 4.0, a major release, is a committed program targeted to deliver an 'integrated experience' for Policy Management & Event Management. In addition to Event Management, this release will provide:

- Seamless co-existence of CSM with other 3rd party management tools in 'hetero-operational' IT environments

- Tighter coupling between ASA<-->CSM via Simplified NAT Management, Interface independent policies, managing rule explosion

- Support for Botnet Traffic Filter & IPS Global Correlation enhancements

- Windows 2008 and 64 bit OS support

5. A demo/eval version of CSM 3.3 for lab testing purposes is available at www.cisco.com/go/csmanager, and this CSM image comes with an in-built 90-day eval license.

Hope this addresses your queries.

Kevin Xiong Thu, 10/29/2009 - 21:01

1. Will CSM 4.0 have the same GUI (look and feel) as the ASDM/IME?

2. Will CSM 4.0 provide the same function as CheckPoint SmartCenter in future (like HA design/mgmt in geographically distributed mode rather than central managed mode with only one single active CSM in a single location)?

rkasavar Fri, 10/30/2009 - 01:27

Hi Kevin,

Please find responses below.

1. CSM 4.0 will have minor changes in UI from a look and feel standpoint, but it won't be the same as ASDM/IME.

2. A distributed deployment scenario is something we are considering for our future releases.

Can you please help me understand if you are looking at this distributed deployment architecture due to any scalability challenges?

Kevin Xiong Sun, 11/01/2009 - 13:01

No. Not scalability challenges. It's more about performance and redundancy. The current CSM is in Active/Passive HA mode, meaning all Cisco network security components have to talk to this central mgmt server. This architecture is not optimized for the mgmt traffic flow. For example, for a global security deployment in different geographical locations, security admins/engineers in different regions have to connect to the central CSM (assuming it's located in the US) to push the policy across WAN/continents. In my opinion, all Cisco MGMT software (CSM/NAC/CSA/MARS) should go with the distributed HA mode/direction: each region has its own regional/local MGMT in HA or non-HA mode, but all regional MGMT servers sync up with a central DB, so if any single regional CSM fails, the security policy can still be managed from the other regional CSM.

rkasavar Sun, 11/01/2009 - 21:27

Hi Kevin,

Got it. Today in CSM, we support manual export/import of policy objects, by which you can share objects among multiple instances of CSM, so your devices can be segregated and managed based on geography.

We are working towards a more elegant solution to address the redundancy aspects you mention above.

Help me understand: do you see this requirement coming from large enterprises?

zsariedd Wed, 10/28/2009 - 15:38

Please look into the extraxi 3rd-party application. They provide a tool to handle historical reports, which should also cover SSL VPN reports for the ASA.

Here is the link for extraxi.

http://www.extraxi.com

Also I will take your feedback on the need to natively support this feature in the future.

Thanks

Ziad

peggyjackson Wed, 10/28/2009 - 16:14

I am trying to find out if CSM version 3.3 will support IPS Sensors running 7.0 and up?

zsariedd Wed, 10/28/2009 - 18:20

Hi Peggy,

Yes. CSM version 3.3 does support IPS sensors running ver 7.0.

Ziad

j.miller_32 Thu, 10/29/2009 - 09:18

I have the "CSMPR50-3.2-K9" license for Cisco Security Manager. This is for one installation on one server. Do we require another license for a backup or HA server?

zsariedd Thu, 10/29/2009 - 14:59

Since the backup server, or the server that will be used in an HA scenario, will be considered a standby server, there is no requirement for another license. So you only need a license for the primary active server.

Regards,

Ziad

Eduardo Aliaga Thu, 10/29/2009 - 21:58

Hi. I've been using MARS for almost a year now and I find it's a very interesting tool with so many features that I'm still discovering them.

But, on the other side, it takes forever to configure MARS using the web portal, even for simple tasks. Now I'm parsing non-native devices, and it really takes a long time to create the first position of a pattern, wait for the page to refresh, then create the second position, wait to refresh, and so on... and this only for parsing one log!!! Also I wish to copy the patterns in order to reuse them in other logs (because now we have to parse every log from scratch).

In future versions, do you plan to change the MARS web management portal into an ASDM-like tool? ASDM is by far the best management tool that Cisco has.

Another drawback is the "pink" screen of death. I've seen the "pink screen" saying to contact Cisco TAC about four times, and I wasn't configuring anything, only looking at the configuration!!! Most of the time the problem seems to go away, but I still have doubts about the stability of the solution.

anikapur Fri, 10/30/2009 - 14:59

Hi Eduardo,

We are always striving to improve our user interface. Please feel free to contact me with specific changes to the UI.

Regarding the pink screen, please report the problem to TAC. They should be able to resolve the matter.

Warmest regards,

Anil

Kevin Xiong Sun, 11/01/2009 - 13:36

Hi, Anil

I sold some CS-MARS in the past 1-2 years and deployed 5 of them in production (GC+LC). Every single one of my customers hopes the Cisco MARS/CSM BU can make the GUI of MARS and CSM the SAME LOOK AND FEEL as the ASDM/IME. This will absolutely increase sales on both of the security mgmt products, and customers love to use the SAME GUI (local/central) to manage/monitor the security components in a consistent manner.

Thanks.

Eduardo Aliaga Tue, 11/03/2009 - 12:10

Hello. About specific changes:

1) The interface should be like ASDM/IDM

2) In "Query Reports/Query" menu, it could be very useful if we could construct the query using SQL language.

3) In "Query Reports/Query" menu, in order to build a query we have to open many different web pages (to select time, events, etc.) and it takes a lot of time and effort. It would be easier if all options could be editable from within the same web page instead of opening a lot of pages.

4) In "Query Reports/Reports" menu, there should be a way to select multiple reports to delete them. Right now we can only delete reports one at a time.

5) In "Management menu" there should be a "Patterns management" submenu, so we could create "template" patterns and reuse them in different network devices.

6) To create a new "event type group" we have to previously create an "event type" for that "event type group". But to create/edit an "event type" we have to previously create an "event type group". So the result is that we have to create new "event type groups" and assign them bogus events. Only then can we create/edit actual "event types" and assign them the recently created "event type groups".

7) The ability to "mass" create "event type groups".

And I have many more. I'd be happy if you're interested in hearing more ideas for Cisco MARS.

gspadden Sat, 10/31/2009 - 09:46

Does CSM 3.3 support the ACL optimization feature found in FWSM 4.0, so that only the delta change is pushed to the FWSM? I ask because when CSM currently checks against the running config, it would be different from what CSM pushed to the FWSM. This could be supported in CSM if CSM ran the same algorithm as the FWSM before the push and check with the FWSM.

zsariedd Mon, 11/02/2009 - 13:06

When you turn on optimization on the FWSM, the FWSM will then be able to display the ACL in two ways.

1- show access-list (original ACL)

2- show access-list [] optimization (optimized ACL)

CSM uses the original ACL on the FWSM and not the optimized one when computing the diff to be deployed. So turning on ACL optimization on the FWSM should not be an issue for CSM, and hence it is supported today. In other words, there is no need to run a similar optimization algorithm on the CSM side.

Running the optimization algorithm in CSM and displaying the optimized table in CSM is not supported today. Is this what you had in mind? Please let me know.

thaar.altaiey Sat, 10/31/2009 - 12:57

Dear all

Does ASA 5520 support bandwidth management and proxy server (not only for voice, I mean a complete proxy server) like Cyberoam and Blue Coat? I want to manage the use of the internet connection per user, limit their bandwidth and their download like the services in Blue Coat and Cyberoam. If these services are not found in ASA, which Cisco software (like LSM) can do these services? If these services can be applied by QoS, can you explain?

best regards

thaar al_taiey

rkasavar Sun, 11/01/2009 - 21:09

Hi Thaar,

Help me understand your question better: are you asking if ASA can act as a proxy server? If yes, what kind of statistics can it provide for per-user bandwidth management?

thaar.altaiey Mon, 11/02/2009 - 09:19

Dear rkasavar,

thanks for your response.

Regarding proxy server, yes, I want ASA to operate as a proxy server. Can you give me a link to any document that describes this?

Regarding per-user management, I want to manage my local users (2000 users), their bandwidth (ex. I want to give some of them 10 KB BW) and their download (ex. limit the download for each user to 100 MB). Also I want to monitor my users' internet usage (ex. I want to know their chatting details).

In summary, I want the functions of Websense, Cyberoam and Blue Coat to be implemented from ASA 5520. Please give me a link to any document that describes these in ASA or any other Cisco products.

Also I have another Q. Can I implement ASA 5520 functions in addition to the above services in the core switch (6509 and 4510R-E)?

best regards

thaar

thaar.altaiey Sun, 11/01/2009 - 05:06

Thanks for your help.

Can I configure this on ASA 5520? Can I configure the bandwidth (ex: 20 KB) and the download (example 100 MB) for a specific local user in my network?

However, is this service only for CLI and not for the web interface?

best regards

thaar al_taiey

zsariedd Mon, 11/02/2009 - 15:37

Thaar,

This is not supported on the ASA today. QoS can be applied based on source/destination traffic match but not on user. I will take your request as feedback to the product management team.

Regards,

Ziad

zsariedd Mon, 11/02/2009 - 16:53

Can you please provide more information on your request.

Regards,

Ziad

thaar.altaiey Tue, 11/03/2009 - 09:50

Dear zsariedd

Regarding proxy, I know that ASA can work as a voice proxy, and in a previous comment rkasavar stated that ASA can work as a proxy server. I want a link to this.

Regarding web content security, we know that ASA 5520 can have a CSC module. What are the differences between this in ASA and the IronPort Web Content Security appliance (don't take number of users into consideration)?

Regarding QoS, I know that it is possible to manage the users' bandwidth using QoS in ASA using IP address. Is this OK?

Regarding Websense, Cyberoam and Blue Coat, I need to know if ASA can do their function even with limited capabilities.

As I said before, I want to manage my local users (2000 users), their bandwidth (ex. I want to give some of them 10 KB BW) and their download (ex. limit the download for each user to 100 MB). Also I want to monitor my users' internet usage (ex. I want to know their chatting details).

In summary, I want the functions of Websense, Cyberoam and Blue Coat to be implemented from ASA 5520. Please give me a link to any document that describes these in ASA or any other Cisco products. Please give me links.

best regards

thaar al_taiey

zsariedd Tue, 11/03/2009 - 16:02

@thaar.altaiey

Thank you for your interest in Cisco Security; you have many great questions. Please refer to the NetPro Firewall conversations for questions on ASA:

http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=74EADD4072F7E8AED6DE317B22CAEABD.SJ4B?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_messages%26mode%3Dnew%26location%3D.ee6e1fa

or feel free to contact your local Support or reseller contact. If you have any additional questions on Cisco Security Management, I am available to answer them.

Regards,

Ziad

thaar.altaiey Wed, 11/04/2009 - 05:16

Dear Ziad

If I had found the answers to my Q's in NetPro ASA or from others, I would not be asking The Expert. I posted a message in NetPro about one week ago and nobody replied.

So please, if you could answer my Q's with links on Cisco.com.

best regards

thaar al_taiey

zsariedd Tue, 11/03/2009 - 16:06

@dzingirai

Can you please provide more information on your request.

Regards,

Ziad

pengfang Sun, 11/01/2009 - 20:31

Hi Raghu and Ziad,

I couldn't find any details on how to use RADIUS Vendor-Specific Attribute (VSA) 26, cisco-av-pair, only some samples like:

cisco-avpair= "shell:priv-lvl=15"

Is there a FULL list of these attributes with correct syntax explained for IOS 12.4 and ASA 8.x anywhere? Your response is much appreciated.

Peng
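The post above asks how cisco-avpair is carried in RADIUS attribute 26. The following is an added example, not Cisco code and not part of the original thread: it encodes cisco-avpair strings into the Vendor-Specific Attribute layout defined in RFC 2865 section 5.26 (Type 26, Length, 4-byte Vendor-Id, then vendor sub-attributes of Vendor-Type, Vendor-Length, String), using Cisco's IANA enterprise number 9 and Vendor-Type 1 for cisco-avpair, and parses the result back with length checks so a malformed attribute list cannot run the parser off the buffer. The av-pair strings used as sample input ("shell:priv-lvl=15" from the post, plus an "ip:inacl#1=..." entry) are constructed illustrations; the '=' (mandatory) versus '*' (optional) separator rule follows Cisco's AV-pair convention, and the parser here simply treats whichever separator appears first as the one that applies.

```python
"""Encode and parse RADIUS Vendor-Specific Attributes (type 26) carrying
Cisco cisco-avpair strings.  Added example, not Cisco's own code.

Wire format per RFC 2865 section 5.26:
  Type=26 | Length | Vendor-Id (4 bytes, network order) | vendor payload
Cisco's vendor payload is a sequence of sub-attributes:
  Vendor-Type | Vendor-Length | String
Cisco's IANA enterprise number is 9; Vendor-Type 1 is cisco-avpair.
"""
import struct

RADIUS_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
MAX_ATTR_LEN = 255  # the RADIUS attribute Length field is a single octet


def encode_cisco_avpair(avpair: str) -> bytes:
    """Return one complete RADIUS attribute 26 holding a single cisco-avpair."""
    data = avpair.encode("ascii")
    vendor_len = 2 + len(data)      # Vendor-Type + Vendor-Length + String
    total_len = 6 + vendor_len      # Type + Length + Vendor-Id(4) + payload
    if total_len > MAX_ATTR_LEN:
        raise ValueError("cisco-avpair too long for one attribute")
    header = struct.pack("!BBIBB", RADIUS_VENDOR_SPECIFIC, total_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_len)
    return header + data


def split_attributes(blob: bytes) -> list:
    """Walk a RADIUS attribute list and return (type, value) pairs.
    Every Length field is validated so a hostile packet cannot make the
    parser read past the buffer or loop forever on a zero length."""
    attrs, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def extract_cisco_avpairs(blob: bytes) -> list:
    """Return every cisco-avpair string in a RADIUS attribute list, skipping
    VSAs from other vendors and Cisco sub-attributes of other types."""
    pairs = []
    for atype, value in split_attributes(blob):
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("VSA shorter than Vendor-Id plus one sub-attribute")
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        sub, spos = value[4:], 0
        while spos < len(sub):          # one VSA may carry several sub-attributes
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad vendor sub-attribute length %d" % vlen)
            if vtype == CISCO_AVPAIR:
                pairs.append(sub[spos + 2:spos + vlen].decode("ascii"))
            spos += vlen
    return pairs


def parse_avpair(avpair: str) -> tuple:
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into
    (attribute, value, mandatory).  Whichever separator appears first wins."""
    eq, star = avpair.find("="), avpair.find("*")
    if eq == -1 and star == -1:
        raise ValueError("no '=' or '*' separator in %r" % avpair)
    if star == -1 or (eq != -1 and eq < star):
        return avpair[:eq], avpair[eq + 1:], True
    return avpair[:star], avpair[star + 1:], False


if __name__ == "__main__":
    # Constructed sample: the attribute list a RADIUS server might return in an
    # Access-Accept to grant privilege 15 and push a per-user ACL entry.
    accept_attrs = (encode_cisco_avpair("shell:priv-lvl=15")
                    + encode_cisco_avpair("ip:inacl#1=permit ip any any"))
    for pair in extract_cisco_avpairs(accept_attrs):
        print(parse_avpair(pair))
```

Running the module prints the two decoded pairs as (attribute, value, mandatory) tuples. The same walker handles a capture of a real Access-Accept's attribute section, since it ignores non-26 attributes and non-Cisco vendor IDs rather than failing on them.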

Greetings!

I am interested in receiving feedback on the following information sourced from Gartner and whether there is any truth to the direction Cisco is taking on MARS:

FINDINGS

Cisco has begun to quietly inform its customers of a decision to freeze support for most non-Cisco event sources within its Security Monitoring, Analysis, and Response System (MARS). New versions of non-Cisco vulnerability assessment and firewall technologies will not be supported by MARS, but maintenance (e.g., updates for new signatures) for currently supported versions will continue. Cisco also plans to release MARS support for Windows Server 2007 and Windows Server 2008. Although Cisco has not formally announced its intention to exit the SIEM market, the Cisco sales force is encouraging its MARS customers to find an alternative for log collection and event analysis of non-Cisco event sources.

ANALYSIS

Cisco had widely sold MARS as a SIEM solution that was primarily oriented to network security, and had built the largest SIEM customer base. The technology provides network security monitoring and host activity monitoring, but Cisco had not provided integration for third-party network devices. MARS has supported the major operating system platforms, and it has provided limited third-party security device and application support. Many customers have been using MARS for a combination of network and host activity monitoring to satisfy both network security and compliance use cases.

Cisco's recent decision to freeze support for most non-Cisco event sources means that MARS will become ineffective as a general SIEM solution as new versions of non-Cisco event sources are implemented. Gartner believes Cisco will focus its efforts on improving Cisco's native security management capabilities, long a weak spot across Cisco's product line. MARS customers that require a fully functional SIEM solution will need to transition to an alternative product, while those that were only integrating MARS to Cisco devices should actually see improved focus by Cisco on security management across the Cisco security product line.

WHAT YOU NEED TO KNOW

• Organizations Evaluating SIEM Solutions: Organizations that require host activity monitoring (i.e., monitoring of system, database, and application logs) or monitoring of non-Cisco network or security devices should not consider Cisco MARS.

• Current MARS Customers That Require General SIEM Capabilities: Organizations that are currently using MARS to monitor host activity and non-Cisco security devices and applications should begin planning for a transition to a fully functional SIEM solution.

• Current MARS Customers That Are Focused on Cisco Event Sources: Organizations that are currently using MARS primarily for Cisco event sources can continue to apply MARS to this use case.

RECOMMENDED READING

"Magic Quadrant for Security Information and Event Management"

"Critical Capabilities for Security Information and Event Management Technology"

anikapur Mon, 11/02/2009 - 13:13

The BU's official response is below.

Regards,

Anil

October 30, 2009

Cisco response to Gartner Research Memo entitled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution”

Summary

• Gartner has alerted its customers that as Cisco continues to focus its security management efforts on Cisco devices, MARS appliances may become less viable for the broad set of “general” SIEM use cases.

• Gartner concludes that Cisco's focus on native management capabilities for our devices is a positive direction.

• For customers with primarily Cisco event sources on their network, Gartner recommends that MARS still provides a strong platform for security threat management (STM) and network behavior analysis (NBA) capabilities.

Details

On October 29th, 2009, Gartner released a research note titled “Cisco MARS Is Becoming Less Viable as a General SIEM Solution.” This note is in response to Cisco's stated direction to focus CS-MARS development on supporting Cisco-built network security devices and critical host operating systems. Non-Cisco network device data and signature updates continue to be supported in CS-MARS for the current versions of these 3rd-party systems.

In the memo, Gartner concludes that “Cisco will focus its efforts on improving Cisco's native security management capabilities,” which they note as a positive direction for Cisco's overall Security portfolio.

In the past, we have encouraged Gartner to break up this crowded space as it encompasses a vast array of use cases spanning compliance reporting, log aggregation, threat identification, and mitigation. While MARS has been placed in the SIEM market, it has never fully covered all aspects of the Gartner-defined space. Over the last year, as we have focused on the core Security Threat Management use cases for Cisco products, Cisco has de-emphasized compliance reporting and non-Cisco devices.

In particular for Cisco customers, it is important to note Gartner's recommendation that MARS continues to provide strong STM and NBA capabilities for Cisco event sources.

stevej4373 Tue, 11/03/2009 - 03:26

I have a very simple issue. My VPN Client 4.1 software connects to my ADSL router and I can see/access the drives at the remote location. However, it won't connect to the Exchange server. Can you help?

tech_trac Tue, 11/03/2009 - 09:22

Hello Raghu/Ziad,

I would like to know why, unlike for Cisco, it is so difficult to find User/Configuration/Administration guides for Cisco IronPort devices. I spent hours searching for IronPort configuration guides on the Net but didn't find one. Does IronPort have any proprietary rules which restrict it from publishing such information?

Thanks.

zsariedd Tue, 11/03/2009 - 19:07

@tech_trac

We're in the process of adding IronPort documentation to Cisco.com. In the meantime, customers and partners can access the files at the IronPort customer support portal:

http://www.ironport.com/support/

If you are unable to find the info you need please contact your Cisco local Support or reseller contact.

Regards,

Ziad

tomhua Tue, 11/03/2009 - 10:17

Hi,

I'm not an expert on Exchange, but I believe you need to use a WINS server or LMHOSTS file to specify the IP address for the Exchange server's NetBIOS name. Since your remote PC is not on the local LAN, it will need a way to resolve the name to an IP address.

Hope that helps,

wyan Tue, 11/03/2009 - 11:38

Hi, Raghu and Ziad,

According to the CSM User Guide, we should be able to configure the boot image for FWSM. However, this option is not there in v3.2.2. Is it a bug?

Thanks.

Weidong Yan

zsariedd Tue, 11/03/2009 - 15:38

@wyan

I believe you are referring to the following link on the CSM 3.2.2 user guide.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.2/user/guide/pxchap.html#wpmkr343038

This appears to be a documentation bug; the configuration option is not available in CSM for the FWSM device type.

Thanks for bringing it to our attention. We will follow up with the documentation team to address it.

Regards,

Ziad

wyan Thu, 11/05/2009 - 13:17

Thank you Ziad.

After deploying a new version of the image to an ASA and reloading it, the ASA is running the new code, but the running OS shown in the device properties is still the old one. The only way to update the running OS version shown in the device properties is to do a "discover policies on device" again. Am I right on this? The problem with "discover policies on device" is that all the rule table sections will be replaced with rules only, without sections. Is there a fix for this?

Thanks.

Weidong

zsariedd Thu, 11/05/2009 - 15:09

@wyan

This has been a pain for some of our users and we are looking to address it in the future. As a workaround, however, you could do the following:

1- Rename the device for backup.

2- Clone the device and give it the same IP address and name as the upgraded ASA (ex: ASA123), so at this point you will have 2 devices in CSM (ex: ASA123_BK and ASA123).

3- Rediscover policies on the new cloned device (ASA123); also make sure to uncheck "Firewall Services" on re-discovery.

4- The upgraded OS and any Platform Settings changes due to the device upgrade should be updated after the import in CSM.

5- Delete the old device (I suggest doing this at a later time, after verifying that everything is working properly).

Also, I suggest testing the procedure in a lab to get familiar with it and to make sure you do not run into any unforeseen caveats.

Regards,

Ziad

hariprasad_n Tue, 11/03/2009 - 13:39

Hello Raghu & Ziad,

We primarily use CSM for managing IPS devices and would like to use it to manage other devices as well. Can you please respond to the following questions I have related to CSM version 4?

- Can non-admin users in the CSM 4.0 local database change login passwords on their own?

- Does CSM 4.0 have the ability to indicate device health (CPU, memory etc.) and license status?

- Is it possible to use CSM 4.0 in HA (active/standby) with the standby in DR?

- Is there the ability to use custom naming conventions for access lists, VPN crypto maps etc. instead of the default name CSM_XXXX?

rkasavar Wed, 11/04/2009 - 01:28

Hi Hari,

Let me address your queries in the order you asked above.

1. CSM non-admin users can change their login passwords.

2. Device health and license status are features we are planning for future releases.

3. CSM 4.0 will continue to support HA mode as in previous releases, i.e. using Veritas. When you say DR, I am assuming it will be in a different location.

4. We don't have this ability as yet.

Specific to point 4, help me understand the driving factor for supporting a custom naming convention. Is it from an ease-of-use standpoint?

hariprasad_n Wed, 11/04/2009 - 06:23

Thanks for responding. Related to the query for point 4: we manage a number of firewalls (PIX/ASA) for multiple clients, and each firewall config is unique. Although the config can be imported into CSM, there is no way to make changes while maintaining the current ACL names, crypto map names etc. that were already defined by the client per their standard naming conventions. If this limitation did not exist, CSM would really be a nice tool for MSSPs for firewall management.
