|Managing Security with SDM|
|Monday, 08 March 2004 11:26|
IntroductionLast month we took at look at PIX Device Manager, the graphical interface for configuring the PIX. The article can be found at Managing a Cisco PIX with PDM. The PDM documentation is at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/index.htm.
There are also full sets of screen captures posted in Adobe PDF form, in the hopes they may shed light on the user interface for you. View these along with the PDM user guide and you'll be mostly set. The PDM screen captures can be found at PDM 3.0 Screen Captures.The counterpart to PDM for routers is SDM. The Cisco pages for SDM can be found at http://www.cisco.com/en/US/products/sw/secursw/ps5318/index.html. The full set of my SDM screen captures is at SDM 1.1 Screen Captures.
As I noted last month, I hope these are useful to those who are curious about these tools, but don't have time or equipment to take a quick look. I'd like to have annotated the screen captures, but that's really the role of somebody who is documenting them in detail.
What Is SDM?From the SDM Getting Started Guide:
Cisco Security Device Manager (SDM) is an easy-to-use Internet browser-based software tool designed for configuring LAN, WAN, and security features on a router. SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design.
A caution about the last. Auto-security is a bit stringent in what it considers a secure router. SDM appears to share some of the same predilections. Following recommendations like turning off SNMP only make sense if you're not using SNMP. If you are, "fixing" the issue will render the router harder to manage (until you unfix the fix, so to speak).As far as routers supported, the Guide says [SDM] "configures Cisco 830, 1700, 2600, 3600, 3700, 7200 and 7300 series routers". See http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_release_note09186a00801e7fef.html#wp16941 for details. The short version appears to be roughly 12.2(13) ZH or T3 or later, or 12.3(2) or (3) XA or T or M or later.
Show Me the CapturesWithout further ado, let's take a look at some captures from SDM. After you have successfully installed SDM, when you first browse to your router, you'll see something like the following:
Click on Security Device Manager. After the Java downloads to your PC and browser, you should see something like the following screen.
Note the modes. Wizard mode provides helpful dialogs to walk you through tasks. The wizards available show below "Wizard Mode" to the left of the screen in the following capture.
I hate to admit it, but I sometimes actually do what I'm told. The following screen shows what the LAN Wizard looks like:
Note at the bottom there are contextually based tips on how to use the tool. The documentation online (see above URL) also appears to be very complete, and does include images.
Some people like the idea of the Security Audit wizard. Here's the starting screen for it:
After you complete the few steps, it shows the tests applied and whether the router passed or not. As you can see from the following screen capture, I have a grossly insecure lab router (not surprising). Bear in mind the above caveat: this audit is pretty strict. As far as I'm concerned, I want CDP and SNMP enabled, except at the edge of my network. They're both far too useful for network management. (Yes you can manage the network with no tools, but your boss might have to hire extra staff to help you do so with low productivity.)
By the way, if you use CiscoWorks Campus Path Trace tool, it does require that source routing be enabled on the interior of your network. If you worry about hacking from within, then you might want to turn source routing off and forego the use of the Path Trace (L2 and L3 trace) tool.
You can then use the Fix It boxes to fix selected security "issues'. Please be very careful about clicking that "Fix All" button.
Let's take a look at Advanced Mode, shown in the following capture. Note the things you can do (main screens you can visit and use) are listed below where it says "Advanced Mode" on the left of the screen.
The next capture shows what Interfaces and Connections looks like. Note the nice summary for each interface, and the list of interface properties at the bottom (for the selected interface).
When you select an interface and click on Edit, you get a dialog box like the one shown in the following capture. This lets you configure the items applied to the interface (shown at the bottom of the previous screen capture).
Rules leads to Access Lists (ACL's) of various kinds, as shown in the next capture.
Dialog boxes let you build up the ACL, just as in PDM.
I clicked on System Properties, just to see what's under there. Note that you can configure a number of global and line properties on the router from this screen! (Click on a "Property", click on Edit, and you can change it.)
I didn't have an IPSec capable image installed on the router I took screen captures on, so I do not have captures of that. As you can see however, the screens are rather similar to PDM.
The other major mode is Monitor Mode, shown in the following capture. This mode is for status screens, showing what the firewall router and VPN endpoint is doing.
That concludes our quick screen capture survey of SDM. If it whets your appetite for more, please see the online screen capture images file. Apologies about no VPN (IPSec) captures, but I ended up a bit squeezed on time when doing the captures. I also had no IDS module available in the test router. Oh well!
SummaryThe version of SDM shown above is early, version 1.1. However, the application appeared rather functional. I did encounter some odd behavior with WAN interfaces, giving me the impression they needed to be given addresses outside the Advanced Mode, perhaps using the intial setup Wizard. I hope you're as impressed with SDM as I was. It provides a tool for smaller shops, VAR's, and folks who have diverse responsibilities to get routers installed without a whole lot of classroom time, learning the Cisco Command Line Interface (CLI).
I'd like to thank Michelle Cormier and the Cisco office in Columbia, Maryland for allowing me to use their equipment for these screen captures.
By the way, do you have more than 5-10 Cisco routers and switches, are you contemplating building a network with new ones, or does your network just keep growing? If so, you might want to talk to us or someone in your area about some design consulting. A quick design for the smaller scale networks like that can be done in somewhere between a couple of hours to a couple of days. If you want detailed equipment list, configuration templates, or help implementing the details, yeah, that takes longer.
Sure, that's a plug for our services (or somebody's consulting design services). But it's also based on what we're seeing when we get called in to fix the things people built that didn't turn out so well. Books don't tell you everything. Experience teaches you what the good ideas are, and what things you can do but would be better off not doing. For example, I like to say that Spanning Tree Protocol is good, but like beer, too much will give you a headache. Routing redistribution ditto. Good migration technique, bad to be redistributing at more than a couple of places in your network. The other saying that's floating around is that Cisco provides you rope. You can do many useful things with rope. But you can also hang yourself if you do the wrong thing with it. The experienced consultant has seen many more networks than their customer probably has, especially some of the ways good networks can go bad. That experience might just save you from having to learn at the school of hard knocks!If you have questions, comments, or suggestions for future articles, please do email me (address below).