topic Re: Managa All FW centrally in Network Security

Managa All FW centrally

ray_stone — Mon, 11 Mar 2019 12:36:57 GMT

Hi, we want to manage all ASA FW centrally. Please suggest abt any softwrae or tool. Thansk

Re: Managa All FW centrally

Brian Conklin — Fri, 25 Apr 2008 19:00:51 GMT

Hi Ray,

Cisco recommends the Cisco Security Manager for all security device management including firewalls. It supports IPS appliances, and security features on routers too, such as VPN, access-lists, and AAA.

Here is a link to the product page:

http://www.cisco.com/en/US/products/ps6498/index.html

Cisco splits Management and Monitoring. The above software is used for Management.

For Monitoring, Cisco recommends the CS-MARS appliance. Especially for networks where there are multiple security devices. CS-MARS can actually correlate security information (like syslogs and IDS events) into a "big picture". It presents the information as what is going on in the network as a whole, in addition to any particular device.

Here is the product page for CS-MARS:

http://www.cisco.com/en/US/products/ps6241/index.html

Hope that helps!

-Brian

Re: Managa All FW centrally

ray_stone — Fri, 25 Apr 2008 19:13:07 GMT

Hi, Is it required any license to use or its free of cost.

Re: Managa All FW centrally

cisco24x7 — Fri, 25 Apr 2008 21:19:26 GMT

Here is mine 2c about Cisco CSM.

I used to work for a Managed Security Service

Provider, MSSP, and we managed a lot of

Checkpoint firewalls running on Nokia

appliances

and SecurePlatform, over 1000 firewalls.

We approached Cisco about two years for a

centralized management tools that will be able

to manage hundreds of Cisco Pix/ASA and FWSM

firewalls. The requirement is that it is

easy to use, fast and flexible. In other

words, we want the tool to be as good, if not

better than Checkpoint Provider-1.

Cisco recommended CSM 3.0 beta so I went

ahead and tested the product. It was

absolutely and very slugglish. It did not

come close to Checkpoint Provider-1

centralized management. Cisco then introduced

me to Solsoft, which is a cisco partner.

Solsoft, on the other hand, is a much better

product than Cisco. It can run on both

Linux or Windows whereas Cisco CSM can only

run on Windows platform. Solsoft also has

a lot of limitations as well but if you have

to pick between Solsoft and Cisco CSM, I

definitely pick solsoft over CSM any days.

Even Cisco SEs will admit that to you, off-the

record ofcourse.

Re: Managa All FW centrally

Brian Conklin — Fri, 25 Apr 2008 21:48:54 GMT

CSM requires a license.

CSM 3.2 (the latest version that came out this month) is far improved from the CSM 3.0 beta. CSM 3.0 was the first version of CSM and it was built off the remnants of VMS 2.3.

The latest CSM 3.2 is better and faster than the 3.0 and worth another try. I haven't experimented with Solsoft yet.

Re: Managa All FW centrally

cisco24x7 — Fri, 25 Apr 2008 23:51:12 GMT

When you say faster and better, does it mean

that the CSM can have 100+ users logging into

the CSM at the same time, and making constant

changes at the same time? I wondered what

the response time will be.

How good is the CSM Java applet works across

the VPN?

Those are the questions that I asked Cisco SEs

about 2 years ago and could not get a

straight answer from them.

Re: Managa All FW centrally

Brian Conklin — Sat, 26 Apr 2008 00:29:31 GMT

I can't say for sure on the 100+ users. We're typically at about 10 users here. But considering the robust workflow mode it has, I wouldn't be surprised if it could handle that. It would probably depend on the servers hardware specifications. I have seen deployments of CSM that contain more than 1500 devices. But yeah, can't say for sure on the number of concurrent users.

The CSM Java Applet should have no problem across a VPN tunnel. To be more accurate, it is a java based application that installs on the client side. That CSM client application uses https (or http) protocol to communicate with the CSM server, so it is encrypted and lightweight.

The CSM runs for 90 days without a license, you can grab the software here if you have a CCO account:

http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/csm-app/fcs-csm-320-w2k-k9.exe&app=Tablebuild&status=showC2A

The minimum system requirements are 2 GB of ram. You can run it on less also, but for 100+ users concurrently you'd probably need more then 2GB ram.

If you do end up trial running it with 100+ users, let me know what your results are.

-Brian

Re: Managa All FW centrally

cisco24x7 — Sat, 26 Apr 2008 02:42:14 GMT

I tested CSM on a 4x "quad-core" Processors with 32GB RAM Dell Server.

This is a very fast box.

I tested version 3.1 last year and it was still slow, especially over

VPN. Others also experienced the same thing.

The problem I see with CSM is scalability. I don't know how familiar

you are with Checkpoint Provider-1 or Juniper NetScreen Security Manager,

NSM, is that these things are very scalable. You can install multiple

Managers & Containers across multiple physical servers and link them

together which allow large environment the ability scale. Therefore,

as you add more devices to manage and more users, you just add more

hardware to scale the infrastructure. For both Checkpoint P-1 and

Netscreen NSM, you need a dedicate server just to handle 100+ users,

in case all of them decide to log into the system at the same time,

and that the server has at least 8GB of RAM for this.

Can CSM do this? Is it possible with CSM? From what I can tell,

CSM is more suited for enterprise environment. CSM does not scale

well in service provider environment.