Managing Security with SDM

Peter J. Welcher

Introduction

Last month we took a look at PIX Device Manager, the graphical interface for configuring the PIX. The article can be found at http://www.netcraftsmen.net/welcher/papers/pdm.html. The PDM documentation is at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/index.htm.

There is also a full set of screen captures posted in Adobe PDF form, in the hope that they shed some light on the user interface for you. View these along with the PDM user guide and you'll be mostly set. The PDM screen captures can be found at http://www.netcraftsmen.net/welcher/papers/pdm-3.0-cap.pdf

The counterpart to PDM for routers is SDM. The Cisco pages for SDM can be found at http://www.cisco.com/en/US/products/sw/secursw/ps5318/index.html. The full set of my SDM screen captures is at http://www.netcraftsmen.net/welcher/papers/sdm-1.1-cap.pdf.

As I noted last month, I hope these are useful to those who are curious about these tools, but don't have time or equipment to take a quick look. I'd like to have annotated the screen captures, but that's really the role of somebody who is documenting them in detail.

What Is SDM?

From the SDM Getting Started Guide:

Cisco Security Device Manager (SDM) is an easy-to-use Internet browser-based software tool designed for configuring LAN, WAN, and security features on a router. SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design.

The Getting Started Guide goes on to list what SDM can do. My abbreviated version of what SDM lets you do:
  • SDM allows you to provide a basic connectivity configuration to the router
  • It provides Wizards to configure LAN, WAN, firewall, and IPSec VPN
  • SDM allows you to configure the routing protocol on the router (RIP, OSPF, EIGRP, static)
  • It will let you graphically configure Network Address Translation (NAT) and DHCP server functionality
  • SDM lets you view and print the router configuration
  • SDM conducts a security assessment of the router (configuration), and lets you automatically "fix" selected security issues

A caution about the last item. Auto-security (IOS AutoSecure) is rather stringent in what it considers a secure router, and SDM appears to share some of the same predilections. Following a recommendation like "turn off SNMP" only makes sense if you're not using SNMP. If you are, "fixing" the issue will make the router harder to manage (until you unfix the fix, so to speak).

As for supported routers, the Guide says SDM "configures Cisco 830, 1700, 2600, 3600, 3700, 7200 and 7300 series routers". See http://www.cisco.com/en/US/products/sw/secursw/ps5318/prod_release_note09186a00801e7fef.html#wp16941 for details. The short version appears to be roughly 12.2(13) ZH or T3 or later, or 12.3(2) or (3) XA or T or M or later.

Show Me the Captures

Without further ado, let's take a look at some captures from SDM. After you have successfully installed SDM, when you first browse to your router, you'll see something like the following:

sdm fig 01

Click on Security Device Manager. After the Java code downloads to your PC and browser, you should see something like the following screen.

Note the modes. Wizard mode provides helpful dialogs to walk you through tasks. The available wizards are listed below "Wizard Mode" on the left of the screen in the following capture.


sdm fig 02

I hate to admit it, but I sometimes actually do what I'm told. The following screen shows what the LAN Wizard looks like:

sdm fig 03

Note the context-sensitive tips at the bottom on how to use the tool. The online documentation (see the URL above) also appears to be very complete, and does include images.

Some people like the idea of the Security Audit wizard. Here's the starting screen for it:



sdm fig 04

After you complete the few steps, it shows the tests applied and whether the router passed each one. As you can see from the following screen capture, I have a grossly insecure lab router (not surprising). Bear in mind the caveat above: this audit is strict. As far as I'm concerned, I want CDP and SNMP enabled everywhere except at the edge of my network. They're both far too useful for network management. (Yes, you can manage the network with no tools, but your boss might have to hire extra staff to help you do so at low productivity.)

By the way, if you use the CiscoWorks Campus Path Trace tool, it does require that IP source routing be enabled in the interior of your network. If attacks from inside the network are part of your threat model, then you may want to turn source routing off and forego the Path Trace (L2 and L3 trace) tool.


sdm fig 05

You can then use the Fix It boxes to fix selected security "issues". Please be very careful about clicking that "Fix All" button: it applies every recommended change, including ones (such as disabling SNMP or CDP) that may break the management tools you depend on.
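To make the caveat concrete, here is an added example (my own illustration, not code from SDM or from Cisco) of an offline config audit in the spirit of the Security Audit wizard. It checks only the three items discussed above (CDP, SNMP and IP source routing) against a constructed running-config, and lets the operator declare which of those services are actually in use, so that a "Fix All" only emits commands for the findings nobody has accepted. The sample config and the three checks are assumptions for illustration; SDM's real check list is longer and documented at the URLs above. One detail worth noting: on classic IOS, `cdp run` and `ip source-route` are on by default and appear in the configuration only when disabled, so the checks test for the absence of `no cdp run` / `no ip source-route` rather than for the presence of the enabling command.

```python
"""Offline config audit modelled on the SDM Security Audit wizard (added example).

Not SDM code. Covers only the three items the article discusses: CDP, SNMP and
IP source routing. The operator passes a set of services that are genuinely in
use; those are reported as 'accepted' instead of 'fail', so fix_all() will not
push a command that breaks network management.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample running-config for the example (not from a real router).
# Neither "cdp run" nor "ip source-route" appears: on classic IOS both are on
# by default and only show up in the config when *disabled* ("no cdp run",
# "no ip source-route"), so an audit that greps for the enabling keyword
# would wrongly report them as off.
SAMPLE_CONFIG = """\
!
hostname lab-router
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
!
snmp-server community public RO
snmp-server community netmgmt RW
!
end
"""


@dataclass
class Finding:
    item: str
    status: str   # "pass", "fail", or "accepted" (enabled, but the operator needs it)
    detail: str
    fix: str      # IOS global-config command a "Fix It" would apply; "" when nothing to do


def _global_line_present(config: str, line: str) -> bool:
    """True if an unindented (global configuration mode) line matches exactly."""
    return re.search(rf"^{re.escape(line)}\s*$", config, re.M) is not None


def _snmp_communities(config: str) -> list[str]:
    """Community strings configured on the router (SNMP is enabled if any exist)."""
    return re.findall(r"^snmp-server community (\S+)", config, re.M)


def audit(config: str, needed: frozenset[str] = frozenset()) -> list[Finding]:
    """Run the three checks and classify each as pass / fail / accepted."""
    communities = _snmp_communities(config)
    checks = [
        # (item, enabled?, detail when enabled, fix command)
        ("cdp",
         not _global_line_present(config, "no cdp run"),
         "CDP is running (IOS default)",
         "no cdp run"),
        ("snmp",
         bool(communities),
         "SNMP is enabled via community strings: " + ", ".join(communities),
         "no snmp-server"),
        ("source-route",
         not _global_line_present(config, "no ip source-route"),
         "IP source routing is enabled (IOS default)",
         "no ip source-route"),
    ]
    findings: list[Finding] = []
    for item, enabled, detail, fix in checks:
        if not enabled:
            findings.append(Finding(item, "pass", f"{item} is disabled", ""))
        elif item in needed:
            findings.append(Finding(item, "accepted", detail + " [in use, left alone]", ""))
        else:
            findings.append(Finding(item, "fail", detail, fix))
    return findings


def fix_all(findings: list[Finding]) -> list[str]:
    """Commands a 'Fix All' would push: only findings the operator did not accept."""
    return [f.fix for f in findings if f.status == "fail"]


if __name__ == "__main__":
    # An interior router where CDP and SNMP are used for management.
    for f in audit(SAMPLE_CONFIG, needed=frozenset({"cdp", "snmp"})):
        print(f"{f.item:13} {f.status:9} {f.detail}")
    print("Fix All would apply:", fix_all(audit(SAMPLE_CONFIG, needed=frozenset({"cdp", "snmp"}))))
```

Run against the sample config with no services declared as needed, all three checks fail and "Fix All" would push `no cdp run`, `no snmp-server` and `no ip source-route`; declare CDP and SNMP as in use and only `no ip source-route` remains, which is the trade-off discussed under Path Trace above.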


sdm fig 06

Let's take a look at Advanced Mode, shown in the following capture. Note that the things you can do (the main screens you can visit and use) are listed below "Advanced Mode" on the left of the screen.


sdm fig 07

The next capture shows what Interfaces and Connections looks like. Note the nice summary for each interface, and the list of interface properties at the bottom (for the selected interface).

sdm fig 7b

When you select an interface and click on Edit, you get a dialog box like the one shown in the following capture. This lets you configure the items applied to the interface (shown at the bottom of the previous screen capture).

sdm fig 7c


Rules leads to Access Lists (ACLs) of various kinds, as shown in the next capture.

sdm fig 7d

Dialog boxes let you build up the ACL, just as in PDM.

I clicked on System Properties, just to see what's under there. Note that you can configure a number of global and line properties on the router from this screen! (Click on a "Property", click on Edit, and you can change it.)

sdm fig 08

I didn't have an IPSec-capable image installed on the router I took screen captures on, so I have no captures of the VPN screens. As you can see, however, the screens are rather similar to PDM.

The other major mode is Monitor Mode, shown in the following capture. This mode is for status screens, showing what the router is doing in its roles as firewall and VPN endpoint.

sdm fig 09

That concludes our quick screen capture survey of SDM. If it whets your appetite for more, please see the online screen capture images file. Apologies about no VPN (IPSec) captures, but I ended up a bit squeezed on time when doing the captures. I also had no IDS module available in the test router. Oh well!

Summary

The version of SDM shown above is an early one, version 1.1. However, the application appeared rather functional. I did encounter some odd behavior with WAN interfaces, giving me the impression they needed to be given addresses outside Advanced Mode, perhaps using the initial setup Wizard. I hope you're as impressed with SDM as I was. It gives smaller shops, VARs, and folks with diverse responsibilities a way to get routers installed without a lot of classroom time learning the Cisco Command Line Interface (CLI).

I'd like to thank Michelle Cormier and the Cisco office in Columbia, Maryland for allowing me to use their equipment for these screen captures.

By the way, do you have more than 5-10 Cisco routers and switches, are you contemplating building a network with new ones, or does your network just keep growing? If so, you might want to talk to us or someone in your area about some design consulting. A quick design for a smaller-scale network like that can be done in somewhere between a couple of hours and a couple of days. If you want a detailed equipment list, configuration templates, or help implementing the details, yes, that takes longer.

Sure, that's a plug for our services (or somebody's consulting design services). But it's also based on what we see when we get called in to fix the things people built that didn't turn out so well. Books don't tell you everything. Experience teaches you what the good ideas are, and which things you can do but would be better off not doing. For example, I like to say that Spanning Tree Protocol is good, but like beer, too much will give you a headache. Routing redistribution, ditto: a good migration technique, but bad when you're redistributing at more than a couple of places in your network. The other saying that's floating around is that Cisco provides you rope. You can do many useful things with rope, but you can also hang yourself if you do the wrong thing with it. The experienced consultant has seen many more networks than their customer probably has, especially some of the ways good networks can go bad. That experience might just save you from having to learn at the school of hard knocks!

If you have questions, comments, or suggestions for future articles, please do email me (address below).


Dr. Peter J. Welcher (CCIE #1773, CCSI #94014, CCIP) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has eight CCIEs, with expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, IPSec VPN, wireless LAN and bridging, network management, security, IP multicast, and other areas. See http://www.netcraftsmen.net for more information about NetCraftsmen. Pete's links start at http://www.netcraftsmen.net/welcher . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to pjw <at> netcraftsmen <dot> net.

3/8/2004

Copyright (C)  2004  Peter J. Welcher