Cisco recently announced an update to its CiscoWorks VPN/Security Management Solution (VMS) that makes it easier to manage and configure network security devices across the network. VMS 2.1 adds five new features to its arsenal and improves on the functionality of the previous release.
The new release's integrated interface promises to be a useful security management package, especially for companies with large, complex, and widely distributed networks.
VMS's strength is that it combines many administrative tasks—including configuration, monitoring, and maintenance of Cisco PIX firewalls, VPNs, and IDSs—that would typically be handled separately. VMS 2.1 offers the following key features:
- Centralized management
- Security monitoring
- Change management
New with version 2.1 are Management Centers for PIX firewalls, VPN routers and IDS sensors, a security monitoring center, and the Auto Update Server.
“The enhancements we’ve made fall under the umbrella of multifaceted scalability," Cisco Product Manager Bob Yee said. "When customers usually think about scalability, they usually think just about the number of devices you can support. Given what’s going on in the industry, scalability has gone well beyond that definition.”
Yee gave two examples of how the traditional definition of scalability no longer fits.
Insurance companies and retail stores, he said, now find themselves needing to deploy firewalls at many remote sites to secure their data. That can mean thousands of locations with additional hardware devices, each with their own IP addresses. If the devices obtain IPs via DHCP, as Cisco recommends for some firewalls, a net admin would have a nightmare keeping track of all those changing addresses.
Another example Yee offered was the increasing trend among small and medium businesses (SMBs) to use wireless networking and VPN solutions. “You’re introducing additional [access] points to the Internet that you didn’t have to worry about before. Now you also have to worry about how you’re going to harden those areas,” Yee said.
One of the ways VMS 2.1 meets the challenge of multifaceted scalability, he said, is that it has a consistent look and feel across all its components. Yee compared the common interface design to that of the Microsoft Office suite. Regardless of which tool you’re using—firewall, VPN or IDS—the look and feel of the product remains the same. This means that once you become familiar with navigating one tool, you essentially understand how to navigate and use all other components. Overall, this makes the products much easier to use.
Another major update to the product is the Auto Update Server, which can update all security devices on a network automatically either at specified times or upon wake-up. Admins no longer have to manually push new security configurations to the devices; VMS 2.1 lets the devices update themselves.
Policy inheritance is another important scalability feature of the product. It allows organizations to cascade standard policies to all sites. “Policy inheritance,” Yee said, “gives companies the ability to [make] cookie cutter policies [for] all sites around the world.”
The final aspect of VMS 2.1's multifaceted scalability is what Yee referred to as comprehensive identity management. VMS adds AAA (authentication, authorization, accounting) security services for VPNs and wireless connections. These areas were not a primary concern until recently, Yee added.
Yee added that VMS addresses the migration of network security from simply placing safeguards at the WAN edge to being more pervasive throughout the network.
“You also need to worry about implementing security at the cat 6 cage if you’ve got switches, your SAN, wireless remote access, VPNs—all of these issues must be considered," he said. "You have to provide security at these additional points.”
VMS 2.1 provides an integrated set of management tools to make it easier for admins to configure and update many security devices across the entire network. Yee said VMS 2.1 improves management of Cisco security devices through a three-pronged approach:
- Securing the command-line interface into devices
- Automation of embedded device management programs via a Web interface
- Integration of management features
VMS supports embedded device management programs such as PIX Device Manager (PDM), VPN Device Manager (VDM), and IDS Device Manager (IDM), which are device-specific, but also provides an integrated interface for managing multiple devices. VMS also supports multiple administrators, who can be assigned different roles in the product.
VMS 2.1 introduces Management Centers for configuring security policies on PIX firewalls, IDS sensors, and VPNs. Through these Management Centers, admins can create standard sets of security policies to deploy to all such devices on the network. Management Centers work with the Auto Update Server to push updates to devices.
Version 2.1 also adds security-monitoring capabilities. Through an integrated console, admins can view information about network and host-based events. Admins can also use the console to view syslogs from PIX firewalls and routers and to monitor VPNs.
Yee said the security-monitoring module provides correlation across devices to better detect possible attacks.
The most important feature of VMS 2.1 is that it provides a central console for managing all Cisco security devices and policies and for performing security monitoring. The management console also allows admins to configure policies for individual devices or groups and to deploy them easily throughout the network.
Security just got easier
Cisco’s VMS 2.1 introduces some new features that promise to give admins a powerful set of tools for configuring and maintaining Cisco security devices. With its central management and automation features, VMS 2.1 streamlines and simplifies security monitoring, configuration, and administration.