SolutionBase: Use the free Cisco Security Device Manager to work with routers

Learn how to install and use Cisco's Java-based Security Device Manager (SDM) to manage and monitor Cisco routers.

If you think the Cisco IOS command line is difficult to use, and you would just like to be able to point and click to monitor and configure your Cisco routers, then Cisco's new Security Device Manager (SDM) may be just what you're looking for. Plus, if you already have a router and a licensed IOS, you can use the SDM for free.

What is the Security Device Manager?
Cisco's Security Device Manager is a Java application that allows you to do a vast number of tasks on a Cisco router—well beyond just security configuration. The latest version of SDM (at the time this article was written) is version 1.1. As you would expect with any 1.x version of an application, SDM has just scratched the surface on what it will eventually be able to do, and it still has a few bugs. However, SDM is powerful enough at version 1.1 that I definitely look forward to seeing what it will be able to do when it reaches later revisions.

SDM is the router counterpart of Cisco PIX Device Manager (PDM). Both are Java applets that are stored on the device itself, PIX or router, and provide graphical configuration, a security audit, and graphical statistics. I'm going to show you how to install it, what it can do, and point out the good and bad of SDM.

Features and requirements
Here are some things you should know about SDM (this list includes some of the caveats):
  • Cisco's SDM product page on Cisco.com carries all Security Device Manager information, including the release notes and the download.
  • SDM works only on the following routers: Cisco 831, 836, 837, 1701, 1710, 1711, 1712, 1721, 1751, 1751-v, 1760, 1760-v, 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM, 2691, 3620, 3640, 3640A, 3661, 3662, 3725, 3745, 7204VXR, 7206VXR, and 7301. Don't pull out the old 2501 and try to load SDM on it because it won't work. One negative point is that SDM won't work on one of the most popular Cisco routers available—the standard 2610. (I can see my Cisco rep saying with a smile, "All the more reason to buy a new router!")
  • On routers with lots of interfaces and/or routers that are doing lots of processing, SDM can be intermittently slow. Sometimes, you'll click on something, and the screen will freeze for a period of time. Don't close the application because you think it has hung—it hasn't. This is annoying but "normal" for SDM. I hope that Cisco can somehow make the slow tasks respond faster in later releases. Or, at minimum, they could put a little progress indicator to tell you that the SDM application is "working" and in the process of doing something. It might even be nice to know how long it will take or how far along it is (like a software installation progress indicator).
  • To run SDM, you must have a fairly current version of the IOS somewhere in the 12.2 or 12.3 range, depending on your router's model. Consult the SDM release notes for the specific version of IOS required for your router.
  • There is no separate SDM client to install on your PC: the applet is stored in the router's flash and loads into a Java-enabled browser.
  • That browser must be on a Windows client (the complete list of supported operating systems is in the release notes), running IE 5.5 or later with the Sun Java Runtime Environment (JRE) 1.3.1 or later.
  • Three to four megabytes of available flash is required to install SDM.
  • SDM is included with Cisco 830, 1700, 2600XM, 3600, 3700, and select 7200 and 7300 series routers. This means you may already have it and not know it.
  • SDM itself is free. No license beyond the router's existing IOS license is required.

Installation
Let me show you how the basic installation goes:
  1. Download the SDM installation package. There are five files that make up SDM: home.html, home.shtml, home.tar, sdm.shtml, and sdm.tar.
  2. Copy these files to the router's flash with TFTP (copy tftp flash), after confirming with show flash that the three to four megabytes they need are free.
  3. Configure the router to use an authentication mechanism, either AAA or local. You must have a privilege level 15 user account that is authenticated through one of these methods. Assuming you are using local authentication, configure a local user like this (the IOS keywords are username and privilege; secret stores an MD5 hash, whereas password stores the reversible type 7 string):
    username root privilege 15 secret Se!cret921
  4. I recommend disabling plaintext HTTP and using HTTPS, so that the login and every command SDM delivers stay off the wire in the clear. HTTPS needs a crypto (k9) IOS image; on a non-crypto image the ip http secure-server command is not available.
    no ip http server
    ip http secure-server
  5. Configure HTTP/HTTPS to use the local authentication method, like this:
    ip http authentication local
  6. Open the Web browser on your client and enter the following URL (assuming the name of your router is "central" and that name resolves; otherwise use the router's IP address):
    https://central/flash/sdm.shtml
  7. In the process of bringing up SDM, you'll probably get a message that there is a problem with the site's security certificate. This is expected: the router presents a self-signed certificate it generated when HTTPS was enabled. Check its fingerprint against what the router reports on the console, or add it to the browser's trusted store, rather than clicking through it every time; a browser trained to accept any certificate will also accept a man-in-the-middle's. Click Yes to continue.
  8. You'll get a pop-up login prompt. Log in with the level 15 username and password. You'll see a message saying Cisco SDM is loading and asking you to wait. The message also tells you not to close this window until you log out of Cisco SDM.
  9. Most likely, a Java login box will come up. With this, you'll need to log in again with the level 15 account.
  10. Your original browser will have some information about SDM on it with a message that says the window can be closed.
  11. You may get some Java security messages about whether you want the applet to run. I would select Always to eliminate that message the next time.
  12. A Java application window will appear. This is the Cisco SDM application. It will go through a few phases where it discovers information about your router, and this process can take a full minute or two.

Wizard mode
Once you have the SDM window up, it will be in Wizard mode (Figure A).

Figure A


You'll notice that along the top are the three boxes where you can select the different modes of SDM:
  • Wizard
  • Advanced
  • Monitor

To the right of those are the Refresh button and the important Deliver button. Note that no changes made with SDM are actually configured on the router until you click the Deliver button. At that time, the configuration changes are applied ("delivered") to the router's running configuration, so, as with any change made at the command line, they must still be saved to the startup configuration to survive a reload. Down the left of the screen are the different things you can do in Wizard mode:
  • Overview
  • LAN
  • WAN
  • Firewall
  • VPN
  • Security Audit
  • Reset to Factory Defaults

To me, the name Security Device Manager is misleading as to what the application can really do. Yes, it does a great deal of security configuration. But it can also do just about any other configuration you'd want to do on the router, so the name undersells the tool.

Feature summary
According to the Cisco Datasheet on SDM, its features are:
  • Ease of configuring new routers for LAN and WAN
  • One-step router security
  • Preview IOS software commands to help build expertise
  • No separate management station required
  • Secure using SSL
  • Quick status updates: summaries, interfaces up/down, firewall denials
  • Security audit
  • Wizard configuration
  • Graphical view of ACL results for each interface
  • Monitoring of stats and viewing of logs
  • Online help and tutorials


Security audit
Besides being able to use a wizard to configure VPN, one of the coolest features of this application is the Security Audit. With this, SDM will audit your router to make sure that it is secured properly. When you click on Security Audit, you'll see the screen in Figure B.

Figure B


As you can see, you can select either One-Step Lockdown or Perform A Security Audit. One-Step Lockdown applies Cisco's recommended configuration wholesale. This may be good for a new router; on a router already in service, preview the commands before delivering them, because some of the changes (disabling services, restricting management access) may not suit your network. The security audit option instead audits your current settings and reports on whether they meet the recommended configuration (Figure C).

Figure C


Once you see what the results are, you can go one step further and have SDM automatically fix the router to be more secure by selecting the Fix It check box for selected recommendations (Figure D).

Figure D
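The checks SDM runs are its own, but the idea is easy to reproduce for the items this article touches on: the HTTPS and authentication prerequisites from the installation steps, the privilege 15 account, and the per-interface "no ip directed-broadcast" and "no ip proxy-arp" settings. The script below is an added example, not SDM code or a Cisco tool, and its check list is my own selection rather than SDM's. It parses an IOS running-config as text and reports findings; the two configs embedded in it are constructed for illustration (placeholder hashes and documentation addresses), one showing the weak settings and one the hardened result. The ip http access-class check is an extra recommendation of mine, not something the article covers.

```python
import re
from typing import Dict, List

# Constructed running-config BEFORE lockdown (placeholder values, not a real router).
WEAK_CONFIG = """\
version 12.3
hostname central
!
username root privilege 15 password 7 0822455D0A16
username ops privilege 1 password 0 plaintext
!
ip http server
no ip http secure-server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip directed-broadcast
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ip proxy-arp
!
"""

# The same router after the article's HTTPS steps plus the extra hardening (constructed).
HARDENED_CONFIG = """\
version 12.3
service password-encryption
hostname central
!
username root privilege 15 secret 5 $1$abcd$placeholderhash
!
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
"""

# username <name> [privilege <n>] password|secret [<type>] <string>
USERNAME_RE = re.compile(r"username (\S+)(?: privilege (\d+))? (password|secret)(?: (\d))? (\S+)$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # any non-indented line ends the stanza
    return interfaces


def audit_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []
    top = [ln.strip() for ln in config.splitlines() if ln and not ln.startswith(" ")]

    # Transport and authentication prerequisites (installation steps 3 to 5).
    if "ip http server" in top:
        findings.append("plaintext HTTP is enabled; SDM logins cross the wire in clear text, use 'no ip http server'")
    if "ip http secure-server" not in top:
        findings.append("HTTPS is not enabled; add 'ip http secure-server' (needs a crypto IOS image)")
    if not any(ln.split()[-1] in ("local", "aaa") for ln in top if ln.startswith("ip http authentication ")):
        findings.append("HTTP authentication is not 'local' or 'aaa'; SDM needs a level 15 user from one of those")
    if not any(ln.startswith("ip http access-class ") for ln in top):
        findings.append("no 'ip http access-class'; the web interface answers any source address")
    if "service password-encryption" not in top:
        findings.append("'service password-encryption' is off; passwords show in clear text in the config")

    # Local accounts: at least one privilege 15 user, and 'secret' rather than 'password'.
    has_priv15 = False
    for ln in top:
        m = USERNAME_RE.match(ln)
        if not m:
            continue
        name, priv, kind, ptype, _ = m.groups()
        has_priv15 = has_priv15 or priv == "15"
        if kind == "password":
            how = "type 7 (reversible)" if ptype == "7" else "clear-text"
            findings.append(f"username {name} uses a {how} password; re-enter it with 'secret'")
    if not has_priv15:
        findings.append("no privilege 15 username; SDM cannot log in")

    # Per-interface items from Advanced mode. IOS 12.x defaults: directed broadcasts are
    # OFF ('ip directed-broadcast' only appears when enabled) and proxy ARP is ON
    # ('no ip proxy-arp' only appears when disabled), so one check is for presence
    # of a line and the other for its absence.
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("ip address ") for c in cmds):
            continue  # unaddressed interface forwards nothing
        if "ip directed-broadcast" in cmds:
            findings.append(f"{name}: directed broadcasts are enabled (smurf amplifier); add 'no ip directed-broadcast'")
        if "no ip proxy-arp" not in cmds:
            findings.append(f"{name}: proxy ARP is at its default of on; add 'no ip proxy-arp'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the weak config it reports nine findings (the HTTP settings, the two password styles, and both interface items on FastEthernet0/0), and against the hardened one it reports none. Feed it the output of show running-config from a real router to see how your own baseline compares; it is a text check only and knows nothing SDM's audit does not also cover.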


Advanced mode
By clicking the Advanced Mode button in SDM, you're brought to the screen in Figure E. This mode doesn't have wizards, but allows somewhat more experienced administrators to make configuration changes directly.

Figure E


One of the cool new additions to Advanced mode in version 1.1 of SDM is the graphical configuration of access control lists. You can see the router, its interface, your access control list, the application that will be permitted or denied, and in what direction on the interface these will be applied (Figure F).

Figure F


This is great for an intermediate admin who is trying to grasp access control list configuration or for an advanced admin who just likes to monitor what has been configured.

Here are two more examples of what you can configure in Advanced mode.
  • Routing protocols (RIP, OSPF, and EIGRP): most options can be edited via the graphical interface (Figure G).

Figure G

  • Advanced interface properties: you get an explanation of each of the features you can enable on each interface (Figure H). This saves time if you've forgotten what exactly "no ip directed-broadcast" or "no ip proxy-arp" does.

Figure H


Monitor mode
The final mode is Monitor mode (Figure I), which is all about seeing the status of the router. For instance, you can see how many interfaces are up and down, the number of firewall denials, CPU and RAM utilization, VPN status, and router logs.

Figure I


Final analysis
For anyone who is new to the IOS, or who would just like to get more familiar with the commands, SDM is an excellent learning tool. Besides being able to point and click to configure a router, you can view the IOS commands before they are applied. This way, you see what commands you would need if you were at the IOS command line, and you may be able to issue them from the command line yourself next time. It is also the place to catch a wizard about to deliver something you didn't intend. To turn this feature on, go to Edit | Preferences and click Preview Commands Before Sending To Router In Wizard Mode.

SDM doesn't support everything that you can do on a router. There are a number of unsupported interfaces that must still be configured via the command line. SDM can also be slow to respond at times and, from my use, it seems to have a few bugs left in it. It does, however, have a very comprehensive help interface with detailed information on just about everything you can do with it.

In summary, SDM is a handy tool that finally gives Cisco routers the graphical interface they've lacked. The 1.x version does have some bugs, and there are some features it lacks, such as the ability to configure certain types of interfaces. However, since SDM is free (with an IOS license), you can't complain that you aren't getting what you paid for. If you're looking at deploying new Cisco routers or already have some of the supported routers, I think it's worth giving SDM a try.