Cisco Router And Security Device Manager

Transcription

Cisco Router and Security Device Manager
C97-449123-00 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Agenda
- Cisco Security Technology and Management
- SDM v2.5 Features and Benefits
- SDM Availability and Ordering

Cisco Security Technologies (Cisco Integrated Services Routers)
Diagram labels: Secure Network ance; Mobility
- Integrated Threat Defense: Advanced Firewall, URL Filtering, Intrusion Prevention, Flexible Packet Matching, Network Admission Control, 802.1x, Network Foundation Protection
- Secure Connectivity: GET VPN, DMVPN, Easy VPN, SSL VPN
- Management and Instrumentation: SDM, Role-Based Access, NetFlow, IP SLA

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco Easy VPN configures password expiry via AAA (Cisco IOS 12.4(6)T and onwards feature)
Benefits: Cisco routers running the Cisco IOS VPN server today support password aging: the user is prompted to change his password if it has expired, rather than receiving an authentication failure with no clear reason code, as before.

Feature: Cisco Easy VPN configures split DNS (12.4(9)T and onwards feature)
Benefits: Split DNS enables the Cisco Easy VPN client to act as a "DNS proxy," directing Internet queries to the DNS server of the ISP and corporate DNS requests to the corporate DNS servers.

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco Easy VPN configures Cisco Tunneling Control Protocol (cTCP) (12.4(9)T and onwards feature)
Benefits: When Cisco Tunneling Control Protocol is enabled on the client and head-end devices, IKE and Encapsulating Security Payload (ESP) traffic is encapsulated in a TCP header, so that firewalls between the client and the head-end device simply permit this traffic, perceiving it as TCP traffic.

Feature: Cisco Easy VPN configures per-user AAA policy download with PKI (12.4(4)T and onwards feature)
Benefits: The Easy VPN server can download user-specific attributes for a remote client from the AAA server and push them to the client during mode configuration. The username used to fetch the attributes from the AAA server is obtained from the client's digital certificate. The attributes can be ACLs, QoS policies, etc., and are configured on the RADIUS servers.

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco Easy VPN configures identical addressing (12.4(11)T and onwards feature)
Benefits: The "Easy VPN Remote Identical Addressing" feature combines NAT with Easy VPN in order to allow remotes with overlapping internal IP addressing to connect to the server.
- The identical IP feature works only with Easy VPN Remote configured in "Network-Extension" mode.
- This feature is an Easy VPN Remote-side functionality enhancement. Its implementation involves no change to the existing Easy VPN Server configuration.
- Easy VPN Remote is configured with a Virtual Tunnel Interface.
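To make the identical-addressing behaviour concrete, here is an added Python model (written for this transcription; not Cisco code and not anything SDM generates) of the remote-side NAT: two Easy VPN Remotes that both use 192.168.1.0/24 internally are each given a distinct translated pool, so the server only ever sees non-overlapping source addresses and needs no configuration change. The pool assignments, branch names and host addresses are constructed for the example, and the class and function names are this example's own.

```python
import ipaddress

# Constructed scenario: branch-a and branch-b both use 192.168.1.0/24
# internally. Each Easy VPN Remote applies a static 1:1 NAT to a pool that
# is unique to it before traffic enters the tunnel, so the Easy VPN Server
# needs no change and sees only the translated addresses.


class IdenticalAddressingNat:
    """Remote-side static 1:1 NAT between an inside network and a translated
    pool of the same size (an example model, not IOS behaviour in every detail)."""

    def __init__(self, inside_net: str, translated_net: str):
        self.inside = ipaddress.ip_network(inside_net)
        self.translated = ipaddress.ip_network(translated_net)
        if self.inside.num_addresses != self.translated.num_addresses:
            raise ValueError("static 1:1 NAT needs equally sized networks")

    def outbound(self, inside_ip: str) -> str:
        """Translate an inside source address before it enters the tunnel."""
        ip = ipaddress.ip_address(inside_ip)
        if ip not in self.inside:
            raise ValueError(f"{ip} is not inside {self.inside}")
        offset = int(ip) - int(self.inside.network_address)
        return str(self.translated.network_address + offset)

    def inbound(self, translated_ip: str) -> str:
        """Reverse the translation for a destination arriving from the tunnel."""
        ip = ipaddress.ip_address(translated_ip)
        if ip not in self.translated:
            raise ValueError(f"{ip} is not in translated pool {self.translated}")
        offset = int(ip) - int(self.translated.network_address)
        return str(self.inside.network_address + offset)


def collides_without_nat(flows) -> bool:
    """True if two different remotes would present the same untranslated
    source address to the server (the problem the feature solves)."""
    owners = {}
    for remote, inside_src in flows:
        if owners.setdefault(inside_src, remote) != remote:
            return True
    return False


def server_view(remotes: dict, flows) -> dict:
    """What the Easy VPN Server sees: translated source -> remote name.
    Raises if two remotes were (mis)configured with overlapping pools."""
    seen = {}
    for remote, inside_src in flows:
        translated = remotes[remote].outbound(inside_src)
        if seen.setdefault(translated, remote) != remote:
            raise ValueError(f"translated pools overlap at {translated}")
    return seen


if __name__ == "__main__":
    nats = {
        "branch-a": IdenticalAddressingNat("192.168.1.0/24", "10.10.1.0/24"),
        "branch-b": IdenticalAddressingNat("192.168.1.0/24", "10.10.2.0/24"),
    }
    flows = [("branch-a", "192.168.1.25"), ("branch-b", "192.168.1.25")]
    print("collision without NAT:", collides_without_nat(flows))
    print("server view with NAT:", server_view(nats, flows))
```

The check in server_view is the one worth keeping in mind when rolling this out across many remotes: the translated pools, not the inside networks, are what must be unique, so a pool reused on two remotes reintroduces exactly the overlap the feature exists to remove.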

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco SSL VPN configures port forwarding (thin client): auto applet download functionality and port-forward enhancements
Benefits:
- To use the port forwarder, the end user simply points the application he wants to run at his own system rather than at the real application server.
- Port forwarding requires a very small application that runs on the end user's system, often in the form of Java or ActiveX.
- The client application is a port forwarder that listens for connections on a port defined for each application. When packets come in on that port, they are tunneled inside an SSL connection to the SSL VPN device, which unpacks them and forwards them to the real application server.
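As an added illustration of the three hops just described (example code written for this transcription, not Cisco's port-forwarding applet or gateway code), the following Python models the local listener that maps a per-application port on the user's own system to a real server, the frame carried inside the SSL session, and the gateway that unpacks the frame and forwards only to servers it permits. The frame layout, the per-application allow-list on the gateway, and the server names are this example's own assumptions; the TLS transport itself is not modelled.

```python
import struct

# Constructed model of the thin-client path:
#   application -> port forwarder on the user's own system (127.0.0.1:<port>)
#               -> frame inside the SSL session -> SSL VPN device
#               -> real application server
# The TLS transport is not modelled; the frames are the bytes that would
# travel inside it. Frame layout and policy shape are this example's
# assumptions, not Cisco's wire format.


def encode_frame(dest_host: str, dest_port: int, payload: bytes) -> bytes:
    """host-length(1) | host | port(2) | payload-length(4) | payload."""
    host = dest_host.encode("idna")
    if len(host) > 255:
        raise ValueError("host name too long for this frame format")
    return (struct.pack("!B", len(host)) + host
            + struct.pack("!HI", dest_port, len(payload)) + payload)


def decode_frame(frame: bytes):
    """Inverse of encode_frame; rejects truncated frames instead of guessing."""
    if not frame:
        raise ValueError("empty frame")
    host_len = frame[0]
    if len(frame) < 1 + host_len + 6:
        raise ValueError("truncated frame header")
    host = frame[1:1 + host_len].decode("idna")
    port, payload_len = struct.unpack_from("!HI", frame, 1 + host_len)
    start = 1 + host_len + 6
    payload = frame[start:start + payload_len]
    if len(payload) != payload_len:
        raise ValueError("truncated payload")
    return host, port, payload


class LocalPortForwarder:
    """Runs on the end user's system. The user points the application at
    127.0.0.1:<local port>; each local port is bound to one real server."""

    def __init__(self, mappings: dict):
        self.mappings = dict(mappings)  # local port -> (server host, server port)

    def listen_address(self, local_port: int):
        return ("127.0.0.1", local_port)

    def tunnel(self, local_port: int, payload: bytes) -> bytes:
        if local_port not in self.mappings:
            raise KeyError(f"no application defined for local port {local_port}")
        host, port = self.mappings[local_port]
        return encode_frame(host, port, payload)


class SslVpnGateway:
    """Unpacks frames and forwards them to the real server, but only to
    servers on its per-application allow-list (assumed policy shape)."""

    def __init__(self, allowed):
        self.allowed = {(host.lower(), port) for host, port in allowed}

    def unpack_and_forward(self, frame: bytes) -> dict:
        host, port, payload = decode_frame(frame)
        if (host.lower(), port) not in self.allowed:
            return {"action": "deny", "server": (host, port), "bytes": 0}
        return {"action": "forward", "server": (host, port),
                "bytes": len(payload), "payload": payload}


def demo():
    """Two applications on one user system; only RDP is permitted at the gateway."""
    forwarder = LocalPortForwarder({
        3389: ("rdp.corp.example", 3389),      # constructed server names
        2023: ("mainframe.corp.example", 23),
    })
    gateway = SslVpnGateway([("rdp.corp.example", 3389)])
    results = []
    for local_port, data in [(3389, b"constructed-rdp-payload"), (2023, b"login\r\n")]:
        frame = forwarder.tunnel(local_port, data)
        results.append(gateway.unpack_and_forward(frame))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result["action"], result["server"], result["bytes"], "bytes")
```

The point of the model is where the trust boundary sits: the destination inside each frame is chosen by software on the user's machine, so the decision about which application servers are reachable has to be made on the gateway side, not inferred from the local port the application happened to connect to.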

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco SSL VPN configures RADIUS accounting
Benefits:
- RADIUS accounting allows a session to be accounted for by indicating when the session starts and when it stops.
- Additionally, session-identifying information and session usage information are passed to the RADIUS server via RADIUS attributes and VSAs (Vendor Specific Attributes).
- Integrates RADIUS accounting for SSL VPN sessions.

Feature: Cisco SSL VPN configures application ACL support
Benefits: Provides greater granularity of control than traditional network-layer ACLs.
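To show what "session start, session stop, usage and VSAs" look like on the wire, here is an added Python example (written for this transcription, not Cisco code) that builds RFC 2866 Accounting-Request Start and Stop records carrying the standard session attributes plus one Cisco vendor-specific attribute, and a collector-side routine that verifies each Request Authenticator against the shared secret before folding the records into per-session usage. The user name, session ID, client address, counters, shared secret and avpair text are constructed values; the function names are this example's own.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS accounting (RFC 2866) as an SSL VPN gateway would emit it: an
# Accounting-Request with Acct-Status-Type=Start when the session begins and
# one with Acct-Status-Type=Stop, carrying usage counters, when it ends.
# Session values, shared secret and avpair text below are constructed.

ACCT_REQUEST = 4
USER_NAME, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 1, 8, 26
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
STATUS_START, STATUS_STOP = 1, 2
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR = 1         # VSA sub-type "cisco-avpair"
INT_ATTRS = {ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_TIME}


def avp(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value; Length counts the 2-byte header as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) carrying Vendor-Id 9 and one cisco-avpair sub-attribute."""
    return avp(VENDOR_SPECIFIC,
               struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))


def build_accounting_request(secret: bytes, ident: int, attrs: bytes) -> bytes:
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 section 3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(secret: bytes, packet: bytes) -> bool:
    """Collector-side check that the record came from a NAS holding the secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def parse_attributes(attrs: bytes) -> dict:
    out, i = {"vsa": []}, 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("malformed Vendor-Specific attribute")
            vendor = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            out["vsa"].append((vendor, sub_type, value[6:4 + sub_len].decode()))
        elif attr_type in INT_ATTRS:
            out[attr_type] = struct.unpack("!I", value)[0]
        elif attr_type == FRAMED_IP_ADDRESS:
            out[attr_type] = str(ipaddress.IPv4Address(value))
        else:
            out[attr_type] = value.decode(errors="replace")
        i += length
    return out


def session_start(secret, ident, user, session_id, client_ip, avpair):
    attrs = (avp(ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START))
             + avp(USER_NAME, user.encode())
             + avp(ACCT_SESSION_ID, session_id.encode())
             + avp(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(client_ip).packed)
             + cisco_avpair(avpair))
    return build_accounting_request(secret, ident, attrs)


def session_stop(secret, ident, user, session_id, seconds, in_octets, out_octets):
    attrs = (avp(ACCT_STATUS_TYPE, struct.pack("!I", STATUS_STOP))
             + avp(USER_NAME, user.encode())
             + avp(ACCT_SESSION_ID, session_id.encode())
             + avp(ACCT_SESSION_TIME, struct.pack("!I", seconds))
             + avp(ACCT_INPUT_OCTETS, struct.pack("!I", in_octets))
             + avp(ACCT_OUTPUT_OCTETS, struct.pack("!I", out_octets)))
    return build_accounting_request(secret, ident, attrs)


def summarize_sessions(secret: bytes, packets) -> dict:
    """Fold verified Start/Stop records into one entry per Acct-Session-Id;
    packets failing the authenticator check are counted, not trusted."""
    sessions, rejected = {}, 0
    for packet in packets:
        if not verify_accounting_request(secret, packet):
            rejected += 1
            continue
        a = parse_attributes(packet[20:])
        record = sessions.setdefault(a[ACCT_SESSION_ID], {"user": a.get(USER_NAME)})
        if a[ACCT_STATUS_TYPE] == STATUS_START:
            record.update(client_ip=a.get(FRAMED_IP_ADDRESS), vsa=a["vsa"])
        elif a[ACCT_STATUS_TYPE] == STATUS_STOP:
            record.update(session_time=a[ACCT_SESSION_TIME],
                          input_octets=a[ACCT_INPUT_OCTETS],
                          output_octets=a[ACCT_OUTPUT_OCTETS])
    return {"sessions": sessions, "rejected": rejected}
```

The verification step is the part a collector should not skip: an accounting record whose Request Authenticator does not match the shared secret is counted as rejected rather than folded into usage data, and a Stop record that arrives without a matching Start still produces a session entry so the gap is visible.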


SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco SSL VPN URL obfuscation (clientless mode)
Benefits: A user can connect with few requirements beyond a basic web browser, and has the ability to reach web servers or webified resources such as file shares.

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cisco SSL VPN Transcend client support, phase 1
Benefits:
- Support for additional client-side platforms such as Apple Mac, Linux and PDAs.
- The VPN client can also use an additional transport mechanism such as DTLS, which is more suitable for real-time traffic as well as for cases where the underlying network is jittery (due to TCP-over-TCP issues).
- The Transcend client can also be installed in a standalone mode instead of being gateway (GW) downloadable. In this mode, the Transcend client works like a browser for authentication with the GW, saving the download time and bandwidth.

SDM v2.5 Features and Benefits (available December 2007)

Feature: WAAS hardware supported: NME-WAE-502-K9, NME-WAE-522-K9, NME-WAE-302-K9
Benefits:
- A single user interface to configure the router and also provide for initial configuration and monitoring of the WAAS network module.
- Configures WCCP and an IP address on the WAE module. Registers the WAE module with the WAAS Central Manager.

SDM v2.5 Features and Benefits (available December 2007)

Feature: Cable hardware supported: Cisco c815 router, HWIC-CABLE-D-2, HWIC-CABLE-E/J-2
Benefits:
- Allows easy configuration of the cable interface, including setting the IP address on the cable interface.
- Allows monitoring of key statistics such as bandwidth on upstream and downstream traffic.

Feature: Wireless hardware support: Airlink Phase II
Benefits: Allows configuration of a rich set of features in a single UI: Advanced Encryption Standard (AES), IEEE 802.1x, local authentication service for EAP-FAST, SSID globalization, multiple Basic Service Set ID (BSSID), wireless root, non-root bridge and universal client mode, multiple encrypted VLANs, VLAN assignment by name, Wi-Fi Multimedia required elements.

SDM v2.5 Features and Benefits (available December 2007)

Feature: Additional hardware supported: 18xx SKUs
Supported SKUs: CISCO1801-M/K9, CISCO1801W-AG-E/K9, CISCO1801W-AG-C/K9, CISCO1801WM-AG-E/K9, CISCO1801W-AG-A/K9, CISCO1801W-AG-N/K9, CISCO1802W-AG-E/K9, CISCO1803W-AG-A/K9, CISCO1803W-AG-E/K9, CISCO1811W-AG-A/K9, CISCO1811W-AG-C/K9, CISCO1811W-AG-N/K9, CISCO1812/K9, CISCO1812-J/K9, CISCO1812W-AG-P/K9, CISCO1812W-AG-C/K9, CISCO1812W-AG-E/K9, CISCO1812W-AG-J/K9, CISCO1801, CISCO1801/K9, CISCO1801W-AG-B/K9, CISCO1802, CISCO1802/K9, CISCO1802, CISCO1903/K9, CISCO1803G-B/K9, CISCO1811/K9, CISCO1811W-AG-B/K9

SDM Supported VPN Technologies: Industry-Leading VPN Solutions

Solution: Standard IPSec
Key technologies: Full standards compliance for interoperability with other vendors

Solution: Hub-and-Spoke VPN
Key technologies: Enhanced Easy VPN: Dynamic Virtual Tunnel Interfaces, Reverse Route Injection, dynamic policy push and high scalability

Solution: Advanced Site-to-Site VPN
Key technologies:
- Routed IPSec: GRE or DMVPN with dynamic routing
- Spoke-to-Spoke VPN: Dynamic Multipoint VPN (DMVPN), on-demand VPNs (partial mesh)

Solution: Advanced Remote Access VPN
Key technologies:
- Easy VPN (IPSec): Cisco dynamic policy push and free VPN clients for Windows, Linux, Solaris and Mac platforms
- SSL VPN: No client pre-installation required; provides end-point security through Cisco Secure Desktop

Cisco Routers and Cisco IOS Release Support (SDM-Supported Platforms)

Cisco routers                                          Minimum supported Cisco IOS versions
SB 101, SB 106, SB 107                                 12.3(8)YG
831, 836, 837                                          12.2(13)ZH, 12.3.2XA, 12.3(2)T
851, 857, 871, 876, 877, 878                           12.3(8)YI
1701, 1711, 1712                                       12.2(15)ZL, 12.3.2XA
1710, 1721, 1751, 1751-v, 1760, 1760-v                 12.2(13)ZH, 12.2(13)T3
1801, 1802, 1803, 1811, 1812                           12.3(8)YI
1841                                                   12.3(8)T4
2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM, 2691   12.2(11)T6, 12.3(1)M, 12.3(2)T
2801, 2811, 2821, 2851                                 12.3(8)T4
3620, 3640, 3640A, 3661, 3662                          12.2(11)T6, 12.3(1)M, 12.3(2)T
3725, 3745                                             12.2(11)T6, 12.3(1)M, 12.3(2)T
3825, 3845                                             12.3(11)T
7204VXR, 7206VXR, 7301                                 12.3(2)T, 12.3(3)M

Cisco SDM Availability and Ordering

SDM Express on Flash, SDM CD bundled:
- 830-SDM; Cisco SB 100, 850, and 870 Series
- 1700 and 2600XM Security Bundles
- Cisco 1800 Series Routers (except the Cisco 1841 Router model with more than 64 MB flash memory)

SDM factory-installed (no SDM CD):
- Cisco 1841 Router model (flash memory greater than 64 MB)
- Cisco 2800 and 3800 Series Routers (all SKUs, including bundles)
- 2691, 3700, 7204VXR, 7206VXR, 7301 Security Bundles

SDM Can Be Downloaded from CCO for Existing /sdm

SDM Localization (coming soon)
- Six languages to be supported: German, French, Spanish, Italian, Japanese and Simplified Chinese
- Applicable to all user interface screens, wizards, online help, tutorials and marketing material translated
- Image upgrade will automatically pick the installed language version


Backup Slides

Cisco Security Management Suite

Cisco Security Device Manager
- Quickest way to set up a device
- Wizards to configure firewall, IPS, VPN, QoS, and wireless
- Ships with device

Cisco Security Manager
- New solution for configuring routers, appliances, switches
- Configures all device parameters
- New user-centered design
- New levels of scalability

Cisco Security MARS
- Solution for monitoring and mitigation
- Uses control capabilities within infrastructure to eliminate attacks
- Visualizes attack paths

Ease of Use and Application Intelligence
Cisco Security Device Manager (SDM) is an intuitive, web-based tool.
- Ease of use: smart wizards, built-in tutorials
- Application intelligence: knowledge base of TAC-approved Cisco IOS configurations
- Integrated services management: routing, switching, security, wireless, QoS

Ease of Initial Configuration
- Less than 30 minutes to deploy: WAN and LAN ports, DHCP server, WLAN, firewall, auto-security
- SDM Express designed for novice users

Customer and Partner Benefits

Ease of Use
- Feature: Graphical user interface
  Benefit: Reduce TCO/enhanced productivity
- Feature: Built-in knowledge of interactions between different Cisco IOS features, industry best practices, and TAC-recommended configurations
  Benefit: Improve network uptime through reduced instances of configuration errors

Monitoring and Role-Based Access
- Feature: Easy-to-comprehend charts of router and network resource usage; read-only user profile
  Benefit: Make effective use of IT staff and remote branch administrators with limited technical expertise; service providers can reduce OpEx by offering a graphical read-only view of the CPE services to end customers

WAN and VPN Troubleshooting
- Feature: Troubleshooting integrated with Cisco TAC knowledge base of recovery actions
  Benefit: Reduce mean time to repair (MTTR) by leveraging integration of routing, LAN, WAN, and security features on the router for detailed troubleshooting

SDM Usage Scenarios

Cisco router initial deployment
- SDM Express wizard for quick LAN, WLAN, WAN, and security setup
- Integration with IE2100/CNS for mass deployments
- Reduced skill set, faster deployment time

Cisco IOS security management
- Integrated routing and security configuration, monitoring, and troubleshooting
- Graphical firewall and ACL policy view (traffic flows)
- IPSec VPNs (configuration and monitoring) with QoS
- NAT wizards

SDM Usage Scenarios: Value-Added Services

Security solutions deployment
- IPSec VPN (site-to-site, RA) configuration and monitoring
- NAT, firewall, IPS, access control policies,
