Cisco Security Device Manager Overview

Cisco IOS routers support many features (including security features) that require complex configurations. To aid in a number of these configuration tasks, Cisco introduced the Cisco Security Device Manager (SDM) interface. This section introduces SDM, discusses how to configure and launch SDM, and how to navigate the SDM wizards.

Introducing SDM

Cisco SDM provides a graphical user interface (GUI) for configuring a wide variety of features on an IOS router, as shown in Figure 3-3. In addition to multiple "smart wizards," SDM provides configuration tutorials. Even though SDM stands for Security Device Manager, several nonsecurity features, such as routing and quality-of-service (QoS) features, can also be configured via SDM.

Example 3-18 Creating a Message-of-the-Day Banner

R1# conf term
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# banner motd $
Enter TEXT message. End with the character '$'.
WARNING: This router is the private property of Cisco Press. Disconnect now if you are not an authorized user. Violators will be prosecuted.
$
R1(config)# end

Figure 3-3 SDM Home Screen

Some newer Cisco routers come with SDM preinstalled, but SDM needs to be installed on other supported platforms. Go to http://www.cisco.com/pcgi-bin/tablebuild.pl/sdm to download the current version of SDM and its release notes. Cisco SDM offers the following benefits:

SDM's smart wizards use Cisco TAC best-practice recommendations for a variety of configuration scenarios.

SDM intelligently determines an appropriate security configuration based on what it learns about a router's configuration (for example, a router's interfaces, NAT configuration, and existing security configuration).

SDM supports multiple security features such as wizard-based VPN configuration, router security auditing, and One-Step Lockdown configuration.

SDM, which is supported in Cisco IOS 12.2(11)T6 and later, does not impact a router's DRAM or CPU.

Preparing to Launch Cisco SDM

If you plan to run SDM on a router that does not already have SDM installed, you need to install SDM either from the CD accompanying the router or from a download from the Cisco IOS Software Center. The installation is wizard-based. You are prompted to install SDM on an administrator's PC, in the router's flash, or both.

SDM can connect to the managed router using secure HTTP (that is, HTTPS). The commands shown in Table 3-10 can be used to configure the router for HTTP support. Example 3-20 illustrates the use of these commands.

Table 3-10 HTTPS Configuration Commands

Command | Function
Router(config)# ip http server | Enables an HTTP server on a router
Router(config)# ip http secure-server | Enables a secure HTTP (HTTPS) server on a router
Router(config)# ip http authentication local | Configures a local authentication method for accessing the HTTPS server
Router(config)# username name privilege 15 secret 0 password | Configures a username and password to be used for authentication local to the router

Example 3-20 HTTPS Server Configuration for R1

R1(config)# ip http server

R1(config)# ip http secure-server

R1(config)# ip http authentication local

R1(config)# username kevin privilege 15 secret 0 cisco
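A defender's check for the Table 3-10 prerequisites, added here as an example and not part of the book: it parses running-config lines like those in Example 3-20 and flags what a practitioner would revisit before exposing the router to SDM (the plaintext ip http server left enabled beside HTTPS, a missing local authentication method, no privilege-15 user, or a reversible password where a secret belongs). The sample config text is constructed from Example 3-20.

```python
import re

# Constructed sample input: the four commands from Example 3-20, in the
# form they appear in a running-config (prompts stripped).
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http authentication local
username kevin privilege 15 secret 0 cisco
"""

USER_RE = re.compile(r"^username (\S+) privilege (\d+) (secret|password)\b")


def audit_http_config(config_text):
    """Report whether the SDM HTTPS prerequisites from Table 3-10 are met
    and list settings a defender would revisit. Returns a dict."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    has_http = "ip http server" in lines
    has_https = "ip http secure-server" in lines
    has_local_auth = "ip http authentication local" in lines
    users = [m.groups() for m in map(USER_RE.match, lines) if m]
    priv15 = [name for name, priv, _ in users if int(priv) == 15]

    findings = []
    if not has_https:
        findings.append("ip http secure-server missing: SDM would have to use plaintext HTTP")
    if has_http:
        # Enabling HTTPS does not disable the plaintext server; both listen until it is removed.
        findings.append("ip http server still enabled: logins can be sent unencrypted")
    if not has_local_auth:
        findings.append("ip http authentication local missing: web logins fall back to the enable password")
    if not priv15:
        findings.append("no privilege-15 user: SDM cannot log in with full access")
    for name, _, kind in users:
        if kind == "password":
            # 'password' stores a reversible (type 7) string; 'secret' stores a hash.
            findings.append(f"user {name} configured with 'password' rather than 'secret'")
    return {"https": has_https, "http": has_http, "local_auth": has_local_auth,
            "priv15_users": priv15, "findings": findings}


if __name__ == "__main__":
    for finding in audit_http_config(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```

Run against Example 3-20 the only finding is the plaintext ip http server, which is the line to remove once the HTTPS server is confirmed working.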

To verify that the required SDM files are installed on a router, you can issue the show flash command. The output of this command should show, at a minimum, the following SDM files:

■ sdmconfig-router_platform.cfg

If you run SDM from a router's flash, as opposed to running SDM from a PC, the first time you connect to the router via a browser, you are taken to the Cisco SDM Express interface. Specifically, on a new router that has SDM installed, you point your browser to http://10.10.10.1. Alternatively, on an existing router, you point your browser to an active IP address on the router. Cisco SDM Express guides you through the initial SDM configuration on a router. Subsequent connections to your router via a browser take you directly to SDM, as opposed to Cisco SDM Express. If you run SDM from a PC instead, you launch Cisco SDM by choosing Start > Programs > Cisco Systems > Cisco SDM.

Exploring the Cisco SDM Interface

Notice the toolbar across the top of the SDM page, as highlighted in Figure 3-4. You can use this toolbar to navigate between the Home, Configure, and Monitor views.

Figure 3-4 SDM Toolbar

The Home view provides summary information about the router platform. For example, this summary information shows you the router model, memory capacity, flash capacity, IOS version, and an interface summary.

After clicking the Configure button, you see a screen similar to the one shown in Figure 3-5. Notice the wizards available in the Tasks bar. Available configuration wizards are described in Table 3-11.

Figure 3-5 Configuration Tasks Bar

Table 3-11 Cisco SDM Wizards

Cisco SDM Wizard | Description
Interfaces and Connections | Helps you configure LAN and WAN interfaces
Firewall and ACL | Supports the configuration of basic and advanced IOS-based firewalls
VPN | Helps you configure a secure site-to-site VPN, Cisco Easy VPN Server, Cisco Easy VPN Remote, and DMVPN
Security Audit | Identifies potential security vulnerabilities in a router's current configuration and tweaks the router's configuration to eliminate those weaknesses
Routing | Allows an administrator to modify and view routing configurations for the RIP, OSPF, or EIGRP routing protocols
NAT | Helps you configure Network Address Translation (NAT)
Intrusion Prevention | Walks an administrator through the process of configuring an IOS-based IPS
Quality of Service | Provides wizards for configuring Network Admission Control (NAC) features such as Extensible Authentication Protocols (EAP)
NAC | Helps you configure NAC

In addition to the configuration wizards, notice the Additional Tasks button, as shown in Figure 3-6.

Figure 3-6 Additional Tasks Button

Advanced administrators can use graphical interfaces to configure these additional tasks. Examples of these tasks are DHCP configuration, DNS configuration, and AAA configuration.

After clicking the Monitor button, you see a screen similar to the one shown in Figure 3-7. Clicking the various buttons in the Tasks bar allows you to monitor the status of various router features. Examples are firewall status, VPN status, and IPS status.

Figure 3-7 Monitoring Tasks

This chapter has introduced SDM. Subsequent chapters will detail how you can leverage SDM to configure a variety of security options. For exam purposes, you should be comfortable with navigating the various SDM screens and performing basic configuration tasks.