Cisco upgrades security management suite, but tool integration lags.
VPN/Security Management Solution Version 2.0 (VMS 2.0) is Cisco's latest foray into security and VPN management. It's four Cisco management tools in one box, with coordinated installation and release notes.
Cisco's last attempt at bundling these tools had limited success. In this release, each stand-alone product performs well. We were impressed with the progress Cisco made in firewall and VPN tools that we previously reviewed.
However, the individual products are far from integrated.
VMS Version 2.0 has four components:
1. Cisco Secure Policy Manager (CSPM) Version 3.0 is a new version of the company's firewall and VPN configuration tool that generates and downloads configurations into Cisco IOS and PIX devices.
2. Intrusion detection is managed through CSPM Version 2.3, which has been enhanced to support both network- and host-based intrusion detection systems.
3. VPN monitoring, alerting and reporting are covered in a separate tool, CiscoWorks2000 VPN Monitor.
4. All other management functions are part of CiscoWorks2000, which includes device inventory, logging, availability, software management and configuration control.
CSPM 3.0 is easy to use, both with new and existing devices. (The products we used to test VMS 2.0 are described in the testing methods at the end of this article.) First, you define your network topology by drawing a map and putting in Cisco (and non-Cisco) devices. Then, you use a simple tool to define rules: what traffic is allowed and what is not.
CSPM 3.0 uses the rules you create to generate commands for all the affected devices, automatically computing which ones need to be changed and how. CSPM 3.0 downloads the changed configurations to each device (either automatically or after you approve the changes) and you're done.
CSPM 3.0 understands your network topology, so it knows which devices need to be updated and how. Once you've taught CSPM 3.0 your network topology, you don't have to worry about which devices are in the path between different kinds of traffic.
CSPM 3.0 supports fully meshed and hub-and-spoke VPNs. The VPN topology is a virtual one, layered on top of the physical network topology. You define VPNs by adding nodes to VPN tunnel groups and checking a box on any firewall rule to send that traffic through the VPN.
This style of VPN brings Cisco up to speed with other VPN management vendors, such as Avaya, NetScreen Technologies and Nokia, but there's a catch. It's quite difficult to simply say 'tunnel everything between every VPN node.' CSPM 3.0 is much more focused on firewalling traffic, with VPN an option, than on building VPNs and firewalls in parallel.
Some pieces of VPN management are still missing. Although CSPM 3.0 lets you select from the three Internet Key Exchange authentication schemes, there is no help for the difficult task of defining and managing certification authorities, certificate authority trust relationships, or requesting and managing digital certificates.
Cisco has greatly simplified the job of building complex access lists and network address translation configurations in its IOS and PIX systems, something network managers have hoped for.
In this release of VMS, network- and host-based intrusion detection system devices are managed using a different version of CSPM, Version 2.3, which must run on a different server from CSPM 3.0. While the functions of managing firewall/VPN and intrusion detection are generally separate, this separation can be a problem for network managers who implement Cisco's 'shunning' feature.
With shunning, intrusion detection system alerts actually cause configuration changes in firewalls and routers, blocking traffic from the source networks that triggered the alert. Because shunning is handled through a different configuration tool, network managers trying to debug and analyze configurations using CSPM 3.0 aren't looking at the whole picture.
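The two ideas in the paragraphs above, topology-aware rule compilation (the tool works out which devices sit on the path between two networks and what each must enforce) and the blind spot created when shun entries are pushed to a device by a separate tool, can be shown in a small model. The following is an added illustration written for this review, not Cisco's CSPM code; the device names, address blocks, rules, the IOS-style access-list text and the `compile_policy`, `apply_shun` and `drift` functions are all constructed for the example.

```python
"""Toy model of a topology-aware policy compiler plus an out-of-band shun.

Added illustration, not CSPM code.  All names, networks and ACL syntax
below are constructed sample data in the style of IOS access lists.
"""
from collections import deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src: str          # CIDR of the traffic source
    dst: str          # CIDR of the traffic destination
    action: str       # "permit" or "deny"
    proto: str = "ip"


# Constructed topology: two sites and a DMZ joined by a PIX and two routers.
TOPOLOGY = {
    "net-hq":     ["pix-hq"],
    "pix-hq":     ["net-hq", "rtr-core"],
    "rtr-core":   ["pix-hq", "rtr-branch", "net-dmz"],
    "rtr-branch": ["rtr-core", "net-branch"],
    "net-branch": ["rtr-branch"],
    "net-dmz":    ["rtr-core"],
}
NETWORKS = {"net-hq": "10.1.0.0/16",
            "net-branch": "10.2.0.0/16",
            "net-dmz": "192.0.2.0/24"}
DEVICES = {"pix-hq", "rtr-core", "rtr-branch"}   # nodes that enforce ACLs


def locate(cidr):
    """Return the topology node whose address block contains cidr."""
    want = ipaddress.ip_network(cidr)
    for node, block in NETWORKS.items():
        if want.subnet_of(ipaddress.ip_network(block)):
            return node
    raise ValueError(f"{cidr} is not inside any known network")


def path(a, b):
    """Shortest path between two topology nodes (breadth-first search)."""
    prev = {a: None}
    queue = deque([a])
    while queue:
        node = queue.popleft()
        if node == b:
            break
        for nb in TOPOLOGY[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    if b not in prev:
        raise ValueError(f"no path from {a} to {b}")
    hops = []
    while b is not None:
        hops.append(b)
        b = prev[b]
    return hops[::-1]


def compile_policy(rules):
    """Map each enforcement device to the ACL lines it must carry.

    A rule is only pushed to devices that lie on the path between the
    rule's source and destination networks; every device then gets an
    explicit default deny so the generated policy is complete on its own.
    """
    acl = {d: [] for d in DEVICES}
    for r in rules:
        for hop in path(locate(r.src), locate(r.dst)):
            if hop in DEVICES:
                acl[hop].append(
                    f"access-list policy {r.action} {r.proto} {r.src} {r.dst}")
    for lines in acl.values():
        lines.append("access-list policy deny ip any any")
    return acl


def apply_shun(running, device, attacker_ip):
    """Model an IDS-driven shun: a block inserted on one device by a tool
    other than the policy compiler, ahead of the compiled rules."""
    running[device].insert(0, f"access-list policy deny ip host {attacker_ip} any")


def drift(compiled, running):
    """Lines present in a device's running config that the policy tool
    never generated; this is what a manager using only the compiler's
    view would miss."""
    return {d: [ln for ln in running[d] if ln not in compiled[d]]
            for d in compiled}


def demo():
    rules = [Rule("10.1.0.0/16", "10.2.0.0/16", "permit", "tcp"),
             Rule("10.2.0.0/16", "192.0.2.0/24", "permit")]
    compiled = compile_policy(rules)
    running = {d: list(lines) for d, lines in compiled.items()}
    apply_shun(running, "pix-hq", "203.0.113.9")     # constructed sensor alert
    return compiled, running, drift(compiled, running)


if __name__ == "__main__":
    compiled, running, gap = demo()
    for dev in sorted(compiled):
        print(dev, "compiled:", len(compiled[dev]), "running:", len(running[dev]),
              "unmanaged:", gap[dev])
```

Running `demo()` shows the first rule landing on all three devices (they are all on the HQ-to-branch path) while the second rule reaches only the two routers, and `drift()` reports the shun entry on `pix-hq` as a line the policy tool knows nothing about. Reconciling running configurations against the compiled policy in this way is the check a manager needs when shunning is configured through a separate tool.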
A second functionality gap occurs between the VPN Monitor and VPN configuration tools in CSPM 3.0. VPN Monitor is a Web-based tool built into CiscoWorks2000. With VPN Monitor, you can track, report and alert on VPN tunnels. More than a dozen statistics, including throughput, resource consumption and failure rates, can be logged and graphed. VPN Monitor also generates alerts when network manager-defined thresholds are crossed.
CSPM 2.3, CSPM 3.0 and CiscoWorks2000 maintain separate device inventories. This means that if you define a VPN in CSPM 3.0, you must redefine the topology in VPN Monitor by hand. If you want devices on CSPM 3.0 to participate in the intrusion detection system configuration, you also have to redefine the topology in CSPM 2.3. In this case, the integration that VMS 2.0 provides simply means that all the pieces shipped in the same box.
With VMS 2.0, Cisco has released an outstanding suite of applications. CSPM 3.0 is what network managers have been waiting for, CSPM 2.3 adds host-based intrusion detection system functionality to the existing network-based intrusion detection system, and CiscoWorks2000 comes with tools no Cisco manager should be without. It would be nice if they all worked together a little better.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz.
Our testing methods explained.
We installed all of VPN/Security Management Solution Version 2.0 except for Cisco Secure Policy Manager Version 2.3 on a generic, dual-850 MHz CPU server with 512M bytes of RAM running Windows NT SP6a. We installed CSPM 2.3 on an identical system. We built a network of Cisco and non-Cisco devices, including five IOS routers, two PIX firewalls and a Cisco network intrusion-detection system sensor, as well as NetScreen Technologies and Nokia VPN devices. Although CSPM supports most recent versions of IOS and PIX, it doesn't support all versions, so we had to make some minor adjustments to bring every device in the testbed to a software version that VMS 2.0 could support.
We defined our topology in the various tools and let them autodetect information from the devices wherever possible. Then, we defined firewall rules for traffic between parts of the network and downloaded the configuration to each device. Using both inspections of the defined configuration and simple testing tools from WildPackets NetTools, we verified that the traffic permitted was what we had defined in our rules.
We then defined a VPN mesh and sent all the firewalled traffic through the VPN. Using WildPackets EtherPeek we again verified that traffic was encrypted; we also retested the firewall part of the configuration to check that no illegal traffic was getting through the VPN.
Finally, we used VPN Monitor to check on the status of the VPN. We generated traffic with Spirent Communications' SmartBits testing tools and verified that VPN Monitor was generating alerts and graphs to show traffic load and resource consumption.