ASK THE EXPERT - CISCO SECURITY MANAGEMENT JUMPSTART

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get more information on CSM, MARS, ASDM, IME, CCP, and IronPort SMA with Cisco experts Raghu Kasavaraju and Ziad Sarieddine. Raghu, Product Manager for Cisco Security Manager, has 15 years of extensive experience in IT and he has spent the last 10 years in Information Security Operations, Consulting & Engineering roles. Currently, Raghu is the PM Lead for Cisco Security Manager 4.0 release. Ziad (CCIE Security # 23379) is a security management technologist with expertise in security solutions covering Firewall, IPS, and VPN. Prior to joining Cisco in 2006, Ziad spent 10+ years as a Lead Analyst / Senior Network Engineer designing and installing large networks at different companies.

Remember to use the rating system to let Ziad know if you have received an adequate response.

Ziad might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

61 Replies

zsariedd
Cisco Employee

@wyan

I believe you are referring to the following link on the CSM 3.2.2 user guide.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.2/user/guide/pxchap.html#wpmkr343038

This appears to be a documentation bug and the configuration option is not available in CSM for FWSM device type.

Thanks for bringing it to our attention; we will follow up with the documentation team to address it.

Regards,

Ziad

Thank you Ziad.

After deploying a new version of the image onto an ASA and reloading it, the ASA is running the new code, but the running OS shown in the device properties is still the old one. The only way to update the running OS version shown in the device properties is to do a "discover policies on device" again. Am I right on this? The problem with "discover policies on device" is that all the rule table sections will be replaced with rules only, without sections. Is there a fix for this?

Thanks.

Weidong

zsariedd
Cisco Employee

@wayan

This has been a pain for some of our users and we are looking to address it in the future. As a workaround, however, you could do the following:

1-Rename the device for backup.

2-Clone the device and give it the same IP address and name as the upgraded ASA (e.g. ASA123), so at this point you will have 2 devices in CSM (e.g. ASA123_BK and ASA123).

3-Rediscover policies on the new cloned device (ASA123); also make sure to uncheck "Firewall Services" on re-discovery.

4-The upgraded OS and any Platform Settings changes due to the device upgrade should be updated after the import in CSM.

5-Delete the old device (I suggest doing this at a later time, after verifying that everything is working properly).

Also I suggest testing the procedure in a lab to get familiar with it and to make sure you do not run into any unforeseen caveats.

Regards,

Ziad

hariprasad_n
Level 1

Hello Raghu & Ziad,

We primarily use CSM for managing IPS devices and would like to use it to manage other devices as well. Can you please respond to the following questions I have related to CSM version 4?

- Can non-admin users in CSM 4.0 local database change login passwords on their own?

- Does CSM 4.0 have the ability to indicate device health (CPU, memory etc) and license status?

- Is it possible to use CSM 4.0 in HA (active/standby) with the standby in DR?

- Is there the ability to use custom naming conventions for access lists, VPN crypto maps, etc. instead of the default name CSM_XXXX?

Hi Hari,

Let me address your queries in the order you asked above.

1. CSM non-admin users can change their login passwords.

2. Device health and license status are the features we are planning for future releases.

3. CSM 4.0 will continue to support HA mode as it was in previous releases i.e. using Veritas mode. When you say DR, I am assuming it will be in a different location.

4. We don't have this ability as yet.

Specific to point 4, help me understand the driving factor for supporting a custom naming convention. Is it from an ease-of-use standpoint?

Thanks for responding. Related to the query for point 4: we manage a number of firewalls (PIX/ASA) for multiple clients, and each firewall config is unique. Although the config can be imported to CSM, there is no way to make changes while maintaining the current ACL names, crypto map names, etc. that were already defined by the client per their standard naming conventions. If this limitation did not exist, CSM would really be a nice tool for MSSPs for firewall management.

Got it, Hari... as I explore internally the plan to implement this feature, what do you think are the other features that would help you, as an MSSP, for firewall management?

m.reay
Level 1

Hi Raghu and Ziad.

Cisco documentation states:

Beginning with version 8.0(2), the ASA supports both clientless SSL VPN (WebVPN) sessions and ASDM administrative sessions simultaneously on Port 443 of the outside interface.

Is this correct, and how do I go about doing this?

Thanks

Mick.

@m.reay

We fixed this behavior after 8.0(2). I am attaching 3 screenshots of how to do this using 8.2(1).

Please reference the following attachments:

1- Asdm_443.png - Shows how to enable ASDM on port 443.

2- Webvpn.png - Shows how to enable clientless SSL on port 443.

3- Asdm_vpn_client.png - Shows how to enable ASDM access for administrators connecting from outside using the VPN client.

Thanks,

Ziad

clausonna
Level 3

May I please suggest the following features for consideration in a future CSM release:

- ACL hit-count monitoring: since ACL hit counts are not persisted over reboots, it would be nice for CSM to periodically (once a day?) query the devices for their current hits and store that locally. I will often tune out a particular rule if I see that there have been no hits on it over the past 6-12 months, but of course if there has been a reboot I won't have accurate data. Also the ability to aggregate that across all devices that share that rule, and then drill down to see which particular sites are generating the hits.

- Ability to import object groups: I use various blacklists from sites like EmergingThreats.net. I parse them with a Perl script on a Linux box into a CSM-friendly format, but then must manually cut-and-paste them into the object groups in CSM, which is very time consuming. It would be nice to just click a 'reload/import' button to bring them in quickly.

In MARS:

The ability to 'right-click' on a (for example) IP address involved in a particular incident and send that to any external link that I may have predefined. Right now I click on an offending external IP address to see more details about it, but more often than not MARS can't even determine its rDNS name. I want to define my own external links (e.g. http://www.projecthoneypot.org/ip_$IP_ADDRESS_FROM_MARS, or any of the WHOIS, GeoIP, or malware sites, heck even just a plain old Google query) and then have MARS pop up a browser window and make the HTTP request. This would tremendously improve the ability to research and resolve incidents in MARS. For example, quite often the 'attacker' IP may just be in a Yahoo, Microsoft, or Google-related IP block, and other times you'd know just by the GeoIP (e.g. anything in the Ukraine(!)). I don't expect that data to be parsed by and/or stored in MARS, but instead used as a live, ad-hoc investigation tool. This would also allow me to tie into other internal monitoring systems, such as a QIP or InfoBlox IPAM database ('oh look, someone just stood up a new server with the name mailsvr009.mycompany.com, but didn't ask for a FW rule to permit it to send mail. let me call him'), or query my antivirus platform to see what a/v engine the host is on (and then kick off an On Demand Scan), or query a s/w and h/w inventory platform to see what apps are installed on a particular system ('yup, they've somehow installed LimeWire, that's why I'm seeing FW denies on port 6881'), or send it to a NetFlow monitoring platform to see what other network traffic a host is generating, etc. Right now this is all done manually via cut-and-paste. In short, please allow MARS to dynamically interact with other platforms (of my choosing) using the data it collects, with nothing more than a simple http://servername/query=$MARS_VARIABLE external link. Preferred variables would be IP Address, HostName, FQDN, and Port/Protocol.

Thanks for listening!

@clausonna

On the policy object import function, if you are not aware, there are already a couple of features that can be used to import objects into CSM.

1-You could use Import Rules, which can be accessed from the Tools menu located at the bottom of any device rule table. This feature will allow you to import objects as well as ACLs that were created using the CLI.

2-CSM 3.3 shipped with an import/export utility which allows you to bulk import/export objects. Here is the link on that.

http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/obman.html#wp523782

Thank you for the great ideas with respect to CSM and MARS features; I will forward your input to the product management team.

Regards,

Ziad

Thanks Clausonna for detailed inputs on CSM & MARS.

Specific to your second point on the ability to import object groups, can you please help me understand what you mean by CSM-friendly format?...

What I meant was a comma-delimited format, all on one line, etc. However, thanks to Ziad's post referring me to the Perl CLI import/export script, I'm now able to do _exactly_ what I was asking for (import large lists of blacklisted IP addresses into pre-existing CSM network objects).

This is a perfect solution; many thanks for providing this functionality - it will be a huge time saver.
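The two posts above describe the pre-processing step in words only: take a blocklist feed with comments and stray entries, and turn it into a de-duplicated, comma-delimited line that can be pasted or imported into a CSM network object. The script below is an added example written for this page, not the poster's Perl script and not part of CSM or its import/export utility. It is in Python rather than Perl, the feed contents are constructed, and it assumes (as the poster stated) that the target accepts one comma-delimited line of hosts and CIDR ranges; it also assumes that RFC 1918, loopback and link-local entries should never reach a perimeter block object, which is a defensive choice of this example rather than anything the thread specifies.

```python
import ipaddress

# Constructed sample feed in the usual one-entry-per-line style with '#'
# comments. These are documentation addresses, not a real blocklist.
SAMPLE_FEED = """\
# Sample blocklist (constructed for this example)
# Format: one IP or CIDR per line, '#' starts a comment
198.51.100.7
203.0.113.0/24      # whole range
198.51.100.7        # duplicate, should be dropped
10.0.0.5            # RFC 1918, should be dropped
not-an-address      # garbage, should be dropped
192.0.2.44
"""

# Ranges that must never be blocked from a perimeter object by accident
# (assumption of this example: internal, loopback and link-local space).
INTERNAL_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_blocklist(text):
    """Return sorted, de-duplicated IPv4 hosts/networks from a feed.

    Trailing comments are stripped, blank lines and unparsable tokens are
    skipped, and anything overlapping INTERNAL_RANGES is discarded so a
    malformed feed cannot turn into a self-inflicted outage.
    """
    seen = set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            # strict=False accepts host bits set in a CIDR (e.g. 1.2.3.4/24)
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # not an address or prefix; skip rather than abort
        if net.version != 4:
            continue  # ASA IPv4 network objects only, for this example
        if any(net.overlaps(internal) for internal in INTERNAL_RANGES):
            continue
        seen.add(net)
    # Deterministic order makes diffs between feed pulls readable.
    return sorted(seen, key=lambda n: (int(n.network_address), n.prefixlen))


def to_csm_line(nets):
    """Render networks as one comma-delimited line: plain address for a
    single host, CIDR notation for a range."""
    parts = []
    for net in nets:
        if net.prefixlen == 32:
            parts.append(str(net.network_address))
        else:
            parts.append(str(net))
    return ",".join(parts)


def convert_feed(text):
    """Full pipeline: feed text in, import-ready line out."""
    return to_csm_line(parse_blocklist(text))


if __name__ == "__main__":
    print(convert_feed(SAMPLE_FEED))
```

Running the script on the constructed feed keeps the three valid public entries, folds the duplicate, and drops the RFC 1918 host and the garbage token. Pointing it at a downloaded feed file instead of `SAMPLE_FEED` is the only change needed for real use; the sort order keeps successive outputs diff-friendly so a change in the object can be reviewed before it is pushed.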

Hi Raghu and Ziad, I'm new to NAC implementation and my questions are:

1. Is it possible to have wired and wireless LAN clients on the same CAS in an OOB NAC design and implementation? If so, what considerations should I take, and is there any documentation?

2. In an implementation for clients on a wired network, where the SSO implementation is RADIUS, which configurations do I need to do on the switches?

3. I have a CAS in in-band mode for VPN users between the ASA and my router, and I only want VPN traffic to pass through the CAS; my normal Internet traffic goes directly to the ASA and will not be reviewed by the CAS. Is it necessary to implement a second ASA interface that connects directly to my router, or do I need to configure something on the router or the ASA? Is there some way for this traffic to pass through without being checked by the CAS?

I hope you can help me with these questions, since there is no documentation on these cases on the Cisco website.

Is there any mechanism to disconnect users whose connection time has expired? The system leaves them connected, reflecting inaccurate information in the security incident reports. My device is an ASA 5510. I expect a prompt response, thanks.
