Overview
This chapter contains the following major sections:
• Introduction to Component Applications
• Effects of Licensing on Installation
• Locations of Installed Files on Servers
• Locations of Installed Files on Client Systems
Introduction to Component Applications
The Security Manager installer enables you to install certain applications and, when you do, requires that you install certain other applications. This section describes those applications and their interdependencies:
• Common Services
• Security Manager
• IPS Manager
• Auto Update Server
• Resource Manager Essentials
• Cisco Security Agent
• Performance Monitor
Common Services
CiscoWorks Common Services 3.0.5 (Common Services) is required for Security Manager to work. You install Common Services automatically when you install Security Manager.
Common Services provides the framework for data storage, login, user role definitions, access privileges, security protocols, and navigation. It also provides the framework for installation, data management, event and message handling, and job and process management. Common Services supplies essential server-side components to Security Manager that include:
• SSL libraries.
• An embedded SQL database.
• The Apache webserver.
• The Tomcat servlet engine.
• The CiscoWorks home page.
• Backup and restore functions.
For more information, see the Common Services online help.
Security Manager
Cisco Security Manager (Security Manager) enables you to configure, deploy, and manage services and policies on Cisco security devices. With Security Manager, you can provision VPN and firewall services across multiple, different device types, including IOS routers, firewall devices (PIX and ASA), Catalyst 6500/7600 devices, and Catalyst security services modules (VPN, FWSM, and so on). On some device types, you can also provision platform-specific settings such as QoS, SNMP, and routing, even though these settings are not necessarily security settings.
To use Security Manager, you must install server and client software.
Security Manager offers the following features and capabilities:
• High ease of use.
• Service-level and device-level provisioning of VPN, firewall, and intrusion-prevention systems from one desktop.
• Device configuration rollback.
• Network visualization in the form of topology maps.
• Workflow mode.
• Predefined and user-defined FlexConfig service templates.
• Integrated inventory, credentials, grouping, and shared data building blocks.
• Convenient cross-launch access to related applications.
In addition, the Catalyst 6500/7600 Device Manager (DM 6500/7600) GUI in Security Manager offers many of the same features that CiscoView Device Manager offers. DM 6500/7600 enables you to configure and manage Catalyst 6500 series switches and Catalyst 7600 series routers, as well as the security services modules that you install in supported Catalyst devices.
Caution  You cannot upgrade from Security Manager 3.0.2 to 3.1. You will have to wait for the next 3.1.x release of Security Manager to be able to upgrade from 3.0.2 to 3.1.x.
IPS Manager
IPS Manager enables you to configure, deploy, and manage services for individual IPS sensors or groups of sensors. IPS Manager is installed automatically when you install Security Manager.
IPS Manager requires Common Services 3.0.5 and Security Manager.
To import your archived data from a prior IPS MC installation, you must complete the procedures in Chapter 4, "Installing, Upgrading, Downgrading, Uninstalling, and Reinstalling Server Applications."
For more information about IPS Manager, see the IPS Manager online help.
Auto Update Server
If you choose to install Auto Update Server (AUS), you can install it on the same server where you install Security Manager or on a different server, such as a server in your DMZ. AUS and Security Manager can share device inventory information and other data. AUS requires Common Services 3.0.5.
AUS enables you to upgrade device configuration files and software images on PIX Security Appliance (PIX) and Adaptive Security Appliance (ASA) devices that use the auto update feature. AUS supports a pull model of configuration that you can use for device configuration, configuration updates, device OS updates, and periodic configuration verification. In addition:
• Supported devices that use dynamic IP addresses in combination with the Auto Update feature can use AUS to upgrade their configuration files and pass device and status information.
• Cisco IOS routers that use dynamic IP addresses can use AUS in combination with the CNS Gateway protocol to retrieve device IP addresses.
AUS increases the scalability of your remote security networks, reduces the costs involved in maintaining a remote security network, and enables you to manage dynamically addressed remote firewalls.
For more information, see the AUS online help.
Resource Manager Essentials
When you purchase Security Manager, your license grants you the right to install and use Resource Manager Essentials 4.0.5 (RME), with which Security Manager can share device inventory and credentials data. RME 4.0.5 requires Common Services 3.0.5.
Tip  The installation utilities for RME are not included in the Security Manager evaluation version that you can download from Cisco.com. To learn how you can obtain the evaluation version of Security Manager on a DVD that includes RME installation utilities, log in to your Cisco.com account at http://www.cisco.com/go/csmanager.
Your RME license file is on the Security Manager installation DVD, in license_files\RME.lic. You are licensed to use the same number of devices in RME that you license for Security Manager.
RME provides network monitoring and fault information that you can use to track devices critical to network uptime and application availability. RME also provides tools that you can use to rapidly and reliably deploy Cisco software images and view configurations of Cisco routers and switches. RME automates software maintenance to help you maintain and control your network.
RME 4.0.5 is available only as an upgrade to RME 4.0.3. Therefore, to install RME, you must:
1. Have or obtain the Security Manager installation DVD.
2. Insert the DVD into the drive, then:
a. Install Common Services 3.0.5.
b. From the rme4_0_3 folder, run setup.exe to install RME 4.0.3.
c. From the rme4_0_5 folder, run setup.exe to upgrade to RME 4.0.5.
For detailed information about installing RME, see: http://www.cisco.com/en/US/products/sw/cscowork/ps2073/prod_installation_guides_list.html.
Cisco Security Agent
Cisco Security Agent 5.0.0.187 provides host-based intrusion prevention.
If the server on which you install Security Manager is not protected by the fully configurable, commercial version of Cisco Security Agent when you start to install Security Manager, the Security Manager installer automatically installs a customized, standalone agent on your server, with predefined policies that you cannot change. To learn about this standalone agent, see Appendix C, "Cisco Security Agent: Standalone Agent Overview."
If the server has a preexisting installation of the full Cisco Security Agent, the standalone agent is not installed. In this case, we recommend that you import into your full agent version all of the policies that you find on the Security Manager installation DVD (in \csm3_0_2_win_server\CSA\CSMCSA3.0.2_policies.export). If you import these policies, you must reconcile them with any conflicting policies that your organization configures. To learn more, see the Cisco Security Agent documentation on Cisco.com.
Performance Monitor
When you purchase Security Manager, your license grants you the right to download, install, and use Performance Monitor 3.0, which replaces CiscoWorks Monitoring Center for Performance.
Performance Monitor monitors and troubleshoots the health and performance of services that contribute to network security. It enables you to isolate, analyze, and troubleshoot events in your network as they occur, so that you can increase service availability.
You can install Performance Monitor only after you install Common Services from the Security Manager DVD, or you can choose not to install Performance Monitor.
To obtain Performance Monitor, look for instructions at http://www.cisco.com/go/csmanager. The downloadable binary package for Performance Monitor includes detailed documentation to help you install and use the software.
Your Performance Monitor license file is on the Security Manager installation DVD, in \license_files\mcpULperm.lic. Until you apply it to your copy of Performance Monitor, you are limited to a free 90-day evaluation period.
Effects of Licensing on Installation
The terms of your Security Manager software license determine many things, including the features that are available to you and the number of devices that you can manage. For licensing purposes, the device count includes any physical device, security context, or Catalyst security services module that is in your Security Manager inventory and uses an IP address. Failover pairs count as one device.
When you upgrade from an earlier release, Security Manager does not prompt you for a license; instead, it retains your license and continues to enforce its terms. If you upgrade during a free evaluation, the remaining time in your evaluation period does not change.
Note
For a complete list of Cisco part numbers for the Security Manager kits and licenses that you can purchase, as well as information about the Cisco Software Application Support service agreement contracts that you can purchase, see http://www.cisco.com/en/US/products/ps6498/prod_bulletin0900aecd803ffd79.html.
Two license types, Standard and Professional, are available, in addition to a free 90-day evaluation period, restricted to 50 devices.
• Security Manager and IPS Manager share one base license file and share as many other, additional licenses as you might purchase. To obtain the base license, you must have (or obtain) a Cisco.com user ID, and you must register your copy of the software on Cisco.com. When registering, you must provide the Product Authorization Key (PAK) that is attached to the Software License Claim Certificate inside the shipped software package.
– If you are a registered Cisco.com user, start here: http://www.cisco.com/go/license
– If you are not a registered Cisco.com user, start here: http://tools.cisco.com/RPF/register/register.do
After registration, the base software license is sent to the email address that you provided during registration. Keep the license in a secure location.
• Common Services does not require a license file.
• Auto Update Server does not require a license file.
• Your license files for Resource Manager Essentials (RME.lic) and Performance Monitor (mcpULperm.lic) are in the \license_files folder on your Security Manager installation DVD.
Standard Edition
If you purchase the Standard Edition, your license supports:
• One installation of Security Manager on one Windows-based server.
• The configuration or management of 5 devices (in the Standard-5 option) or 25 devices (in the Standard-25 option), excluding Catalyst 6500 and 7600 Series devices and their associated service modules.
If you purchase either the Standard-5 or Standard-25 license, you cannot purchase an incremental device license. Your license is fixed at either 5 or 25 devices.
Professional Edition
If you purchase the Professional Edition, your license supports:
• One installation of Security Manager on one Windows-based server.
• The configuration and management of 50 devices of all kinds (including Catalyst 6500 and 7600 Series devices and their associated service modules), with an option to purchase additional device license increments: 50-, 100-, 500-, or 1,000-device licenses.
License limits are imposed when you exceed the allotted time (in the case of the evaluation license), or the number of devices that your license allows you to manage. The evaluation license provides the same privileges as the Professional Edition license. It is important that you register Security Manager as soon as you can within the first 90 days, and for the number of devices that you need, to ensure uninterrupted use of the product. Each time you start the application you are reminded of how many days remain on your evaluation license, and you are prompted to upgrade during the evaluation period. At the end of the evaluation period, you are prevented from logging in until you upgrade your license.
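The device-count rules and edition limits described in this section can be checked against an inventory export before you choose a license. The following is an added example, not Cisco code or part of the original guide; the record fields (`name`, `kind`, `ip`, `failover_pair`), the edition keys, and the sample inventory are assumptions constructed for illustration.

```python
# Added example. Field names, edition keys and the inventory are constructed.
LIMITS = {"standard-5": 5, "standard-25": 25, "professional": 50, "evaluation": 50}
INCREMENTS = {50, 100, 500, 1000}   # add-on sizes listed for the Professional Edition
CATALYST_KINDS = {"catalyst-6500", "catalyst-7600", "service-module"}

def licensed_count(inventory):
    """Count entries that use an IP address; a failover pair counts once."""
    pairs, count = set(), 0
    for dev in inventory:
        if not dev.get("ip"):
            continue                 # no IP address: not part of the device count
        pair = dev.get("failover_pair")
        if pair in pairs:
            continue                 # second unit of a pair already counted
        if pair:
            pairs.add(pair)
        count += 1
    return count

def check_license(inventory, edition, increments=()):
    """Return (count, limit, problems) for one edition and its add-on licenses."""
    limit, problems = LIMITS[edition], []
    if increments and edition != "professional":
        problems.append(f"{edition}: incremental licenses are a Professional option")
    elif increments:
        bad = sorted(set(increments) - INCREMENTS)
        if bad:
            problems.append(f"unknown increment sizes: {bad}")
        limit += sum(i for i in increments if i in INCREMENTS)
    if edition.startswith("standard"):
        problems += [f"{d['name']}: {d['kind']} is excluded from Standard licenses"
                     for d in inventory if d["kind"] in CATALYST_KINDS]
    count = licensed_count(inventory)
    if count > limit:
        problems.append(f"{count} devices exceed the {limit}-device limit")
    return count, limit, problems

SAMPLE = [  # constructed inventory; addresses are from the documentation range
    {"name": "asa-hq-a", "kind": "asa", "ip": "192.0.2.10", "failover_pair": "hq"},
    {"name": "asa-hq-b", "kind": "asa", "ip": "192.0.2.11", "failover_pair": "hq"},
    {"name": "pix-branch", "kind": "pix", "ip": "192.0.2.20"},
    {"name": "ctx-dmz", "kind": "security-context", "ip": "192.0.2.30"},
    {"name": "ctx-lab", "kind": "security-context", "ip": None},
    {"name": "cat6k-core", "kind": "catalyst-6500", "ip": "192.0.2.40"},
    {"name": "fwsm-1", "kind": "service-module", "ip": "192.0.2.41"},
    {"name": "ios-edge", "kind": "ios-router", "ip": "192.0.2.50"},
]

if __name__ == "__main__":
    for edition in LIMITS:
        print(edition, check_license(SAMPLE, edition))
```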
To learn how to install a license file in the Security Manager GUI, see the "Installing License Files" topic in the online help, or go to Cisco.com: http://www.cisco.com/en/US/products/ps6498/products_user_guide_chapter09186a00805ac144.html.
Note
You must store your license files on a disk that is local to your Security Manager server. Security Manager does not see mapped drives if you use it to browse directories on your server. Windows imposes this limitation, which serves to improve Security Manager performance and security. For more information, log in to your Cisco.com account, then use Bug Toolkit to learn about CSCsb43414.
Getting Help with Licensing
If an error corrupts your base license file, or if you have trouble using the registration website, contact the Licensing Department in the Cisco Technical Assistance Center (TAC):
• Phone: +1 (800) 553-2447
• E-Mail: licensing@cisco.com
• http://www.cisco.com/tac
Locations of Installed Files on Servers
NMSROOT is the path to the Security Manager installation directory. The default is C:\Program Files\CSCOpx.
The Security Manager installer application creates and stores files on your target server. Some of those files are specific to Security Manager, while others deal with other applications.
Locations of Installed Files on Client Systems
The Cisco Security Manager Client installer application creates and stores files on client systems. The default location for those files is C:\Program Files\Cisco Systems\Cisco Security Manager Client.