Proper planning is the key to a successful installation. The discussions in this chapter introduce you to issues that you should consider and provide an orientation to the tasks that you should perform prior to installing Cisco Secure Policy Manager. This chapter includes the following sections:
A Cisco Secure Policy Manager system is composed of hardware and software elements that interact to give you management, monitoring, and reporting capability for devices through the generation and distribution of command sets derived from high-level security policies and VPN tunnel settings that you define. A Cisco Secure Policy Manager system will consist of the following:
The defining element of a Cisco Secure Policy Manager system is the Cisco Secure Policy Manager software. This software is a system of its own, composed of multiple subsystems, each of which provides a set of related functionality within the overall system. A feature set is a collection of these subsystems. Feature sets are offered as installable options via the installation process.
Depending on the installation option you choose, the feature sets that follow may all reside on the same target host or be distributed among various hosts on the network.
Each subsystem within a feature set can be broken down further into the specific Windows NT services and processes that run as a result of Cisco Secure Policy Manager. Table 1-1 lists the Windows NT services and processes and describes the role each service or process plays in the Cisco Secure Policy Manager system.
Table 1-1: Windows NT Services and Processes for Cisco Secure Policy Manager

| Windows NT Service / Process | Description |
|---|---|
| Cisco Controlled Host Component (chc.exe) | The Cisco Controlled Host Component (CHC) operates in the application layer. The CHC performs system integrity checks and starts and authenticates all agents that compose Cisco Secure Policy Manager as they are loaded on an as-needed basis. |
| cfmi.exe | The GUI client executable. This process runs on a host only while the GUI client is running. |
| fms.exe | The Policy Database. It provides a common communication interface for the agents within the Cisco Secure Policy Manager system. This common interface reduces the complexity of the security system and enables new agents to be added to the system without affecting the existing agents. |
| generator.exe, examiner.exe, scheduler.exe | These three agents are used by the Reporting Subsystem. |
| combiner.exe, notifier.exe, reclamator.exe | These three agents are used by the Monitoring Subsystem. |
| conAg.exe | The control agent. It communicates with a particular managed device (such as the PIX Firewall) on behalf of Cisco Secure Policy Manager, and relays the device's responses back to the system. |
| policyserver.exe | The policy server agent. It derives the high-level network policy from the definition of the Network Topology tree and the Network Policy tree. |
| update.exe | The update agent. Active only in distributed installations, it synchronizes the configuration and audit event record data between the Policy Database on the primary host and the Policy Databases on any secondary hosts. |

Note For a more detailed description of each service or process, see the Cisco Secure Policy Manager help file.
Managed gateway devices, though managed by Cisco Secure Policy Manager, are not part of the installed system. Therefore, before you can manage a PIX Firewall or Cisco router, you must ensure that it has a basic configuration that enables it to receive commands from Cisco Secure Policy Manager. These basic configuration settings are called bootstrap settings. The checklists included in "Reference Sections" guide you through the bootstrapping procedures for the supported devices. You should follow the checklists for any supported device you intend to manage with Cisco Secure Policy Manager.
Table 1-2 lists the Cisco Secure PIX Firewall and Cisco IOS software versions (for Cisco router/firewalls and Cisco VPN Gateways) currently supported by Cisco Secure Policy Manager. Certain versions of the PIX Firewall require the Policy Proxy host to connect to the inside interface of the firewall. These dependencies are listed in Table 1-2. You should refer to the Release Notes for Cisco Secure Policy Manager for any updates to this table.
| Managed Gateway Device | Supported Version | Managed Interface Dependency |
|---|---|---|
| Cisco Secure PIX Firewall | 4.2(4) | Inside |
| | 4.2(5) | Inside |
| | 4.4(x) | Inside |
| | 5.1(x) | (none) |
| Cisco router/firewall and Cisco VPN Gateway | Cisco IOS Release 12.0(5)T | (none) |
| | Cisco IOS Release 12.0(5)XE | (none) |
| | Cisco IOS Release 12.0(7)T | (none) |
| | Cisco IOS Release | (none) |
You have the option of installing additional hardware and software components that can extend the functionality of your Cisco Secure Policy Manager system. Table 1-3 lists these components and describes the functionality afforded by each option. Installation procedures for Videoex.exe and the Cisco Secure VPN Client are covered in Appendix A.

| Optional Component | Description |
|---|---|
| Cisco Secure VPN Client | Cisco's virtual private networking software. Enables a Cisco Secure Policy Manager host to act as an IPSec tunnel endpoint for secure command distribution to an IPSec-enabled managed gateway device. |
| TSCC.exe | TechSmith's decompression software. You have the option of installing this component during Cisco Secure Policy Manager installation. TSCC.exe enables you to view the tutorial videos that accompany the Cisco Secure Policy Manager software. |
| Videoex.exe | Installs the tutorial videos for Cisco Secure Policy Manager. If you install Cisco Secure Policy Manager from a CD-ROM disc, you do not have to run the Videoex.exe file; the videos are already installed in the proper folder. However, if you download Cisco Secure Policy Manager, you must also download and run Videoex.exe to install the videos. |
| Third-party syslog servers | You can install a third-party syslog server alongside the Policy Monitor on the same primary or secondary host. Both the Policy Monitor and the third-party server can then examine the same data streams from the managed devices. This is useful if you use a centralized system to track application and network activity. |
You have the option of installing Cisco Secure Policy Manager in one of four ways, depending on the topology of your network, the number of devices you will manage, and your security stance. This section includes the following:
| Installation Option | Description |
|---|---|
| Standalone System | The Policy Server feature set is installed on a single host. This single host carries out all database, generation, proxy, monitoring, and reporting functionality, as well as local administration of the standalone system. |
| Client-Server System | The Policy Server feature set is installed on a single host, just like it is in a standalone system. However, with the client-server system, the Policy Administrator feature set may be installed on one or more hosts in the network. This arrangement enables you to administer the client-server system locally or from any Policy Administrator host on your network. |
| Distributed System | The Policy Server feature set is installed on a single computer that serves as a central point for administration of your network. The Policy Proxy, Policy Proxy-Monitor, and Policy Monitor feature sets can be installed on any number of additional computers that serve as secondary and tertiary hosts spread across a physical network. Each secondary and tertiary host assumes responsibility for monitoring and proxy functionality for a portion of an enterprise network. The Policy Administrator feature set can be installed on one or more hosts for remote administration. |
| Demo Mode | The Demo enables you to explore the GUI client without installing a fully functional system. The Policy Administrator feature set and demo files are installed on a single host. See Appendix A for procedures. |

Note For procedures to upgrade from a previous version of Cisco Secure Policy Manager, see "Upgrading and Licensing Your System."
After you understand the different installation options, you must decide which option is the most practical for your network(s). To make this decision, you should consider the current topology of your network and compare it to the three topology scenarios in this section. Each scenario represents a general network topology and the optimal Cisco Secure Policy Manager installation for that scenario.
Figure 1-1 depicts a small office environment composed of several internal networks with Internet access. Shared resources, such as web servers, are placed in a publicly accessible isolated services network (DMZ network) and are protected by a firewall. Each floor network is also protected by a firewall/gateway. Another firewall protects the internal server farm network containing web, e-mail, FTP, file, and print servers. A standalone Cisco Secure Policy Manager system is used to manage security services throughout the network.

Figure 1-2 depicts a multi-office environment composed of several internal networks that are dispersed across three locations. Office connectivity is provided through a service provider network. Internet access is provided only through the headquarters network, with a firewall in place to support an isolated network and provide general protection. Each office is also protected by a company-owned firewall/gateway. IPSec VPN tunnels are established between the office locations. A client-server Cisco Secure Policy Manager system enables 24x7 management support of security services throughout the corporate network.

Figure 1-3 depicts a multi-office environment composed of several internal networks that are dispersed across many locations. Office connectivity is provided through a company-owned intranet network. Internet access is provided only through corporate headquarters. Publicly accessible server resources are placed in an isolated network (DMZ) and are protected by a firewall. Each office is also protected by a firewall/gateway. IPSec VPN tunnels are established between all office locations. A distributed Cisco Secure Policy Manager system enables 24x7 management of security services throughout the corporate network from multiple locations. The distributed installation also provides better performance of the Cisco Secure Policy Manager system by off-loading critical functions to different servers. In offices that contain several managed devices and larger networks, dedicated Policy Monitor and Policy Proxy hosts are deployed. Policy Monitor hosts provide enhanced firewall/gateway monitoring while Policy Proxy hosts assist in distributing policies to the appropriate managed devices.

You should keep in mind the following guidelines as you decide how to deploy your Cisco Secure Policy Manager system.
After you have decided which installation option best suits your network, you should ensure that each element of the Cisco Secure Policy Manager system is properly prepared before you begin the installation process. This section includes the following:
You should ensure that any supported device you intend to manage with Cisco Secure Policy Manager is installed and properly functioning on your network. In addition, you should be able to Telnet to the device from the Cisco Secure Policy Manager host(s) and log on using the enable password for the device. If you are unable to Telnet to a device, you should follow the procedures in Appendix A to bootstrap the device.
If the managed device supports IPSec and you will be using IPSec tunnels for command distribution, you will be required to perform additional IPSec bootstrapping procedures from within the Cisco Secure Policy Manager GUI client. These procedures are covered in the Cisco Secure Policy Manager Administrator's Guide: Policy Development and Enforcement.
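The following is an added example, not part of the Cisco documentation, for the reachability part of the device check above. Run from each intended Cisco Secure Policy Manager host, it opens a TCP connection to the Telnet port of every device you plan to manage, discards Telnet option negotiation, reads the first bytes the device sends (typically its login prompt or banner) and lists the devices that did not answer, which are the ones you must bootstrap first. It never sends the enable password; that logon you still verify by hand. The device addresses in the block are constructed placeholders.

```python
"""Pre-installation Telnet reachability check for managed gateway devices.

Added example; not Cisco code. Only a TCP connect and a passive read are
performed, so no credentials cross the wire.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List

TELNET_PORT = 23
IAC = 0xFF                                   # Telnet "interpret as command"
IAC_WITH_OPTION = (0xFB, 0xFC, 0xFD, 0xFE)   # WILL, WONT, DO, DONT (+ option byte)


@dataclass
class ProbeResult:
    device: str
    reachable: bool
    banner: str = ""
    error: str = ""


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC sequences so only the human-readable prompt or banner remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd in IAC_WITH_OPTION:
                i += 3           # IAC <cmd> <option>
            elif cmd == IAC:
                out.append(IAC)  # escaped literal 0xFF data byte
                i += 2
            else:
                i += 2           # two-byte command (NOP, GA, ...)
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def socket_probe(device: str, port: int = TELNET_PORT,
                 timeout: float = 3.0) -> ProbeResult:
    """Connect to the device's Telnet port and read whatever it sends first."""
    try:
        with socket.create_connection((device, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                first = sock.recv(512)
            except OSError:      # timeout or reset after connect: still answered
                first = b""
    except OSError as exc:
        return ProbeResult(device, False, error=str(exc))
    banner = strip_telnet_negotiation(first).decode("ascii", "replace").strip()
    return ProbeResult(device, True, banner=banner)


def check_devices(devices: Iterable[str],
                  probe: Callable[[str], ProbeResult] = socket_probe) -> List[ProbeResult]:
    return [probe(d) for d in devices]


def devices_needing_bootstrap(results: Iterable[ProbeResult]) -> List[str]:
    """Devices that did not answer must be bootstrapped before CSPM can manage them."""
    return [r.device for r in results if not r.reachable]


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your managed devices.
    MANAGED_DEVICES = ["192.0.2.1", "192.0.2.2", "192.0.2.254"]
    results = check_devices(MANAGED_DEVICES)
    for r in results:
        state = "reachable" if r.reachable else f"UNREACHABLE ({r.error})"
        print(f"{r.device}: {state} {r.banner!r}")
    for d in devices_needing_bootstrap(results):
        print("bootstrap required:", d)
```

The manual logon with the enable password that the text calls for travels over Telnet in cleartext, so perform it from a trusted segment, and where the device supports IPSec use the IPSec bootstrapping described above so that command distribution itself is protected.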
You should ensure that any host on which you intend to install some component of Cisco Secure Policy Manager meets the following hardware and software requirements and settings.
The target host(s) for your Cisco Secure Policy Manager system must meet the minimum hardware requirements; otherwise, we cannot guarantee the integrity and functionality of the system that you install. However, you should always consider your network topology, the number of devices you intend to manage, and your performance requirements for command distribution and monitoring when reviewing the minimum hardware requirements. For example, the Policy Server is a multi-threaded application that would benefit from multiple CPUs and available memory on a single host, whereas enhancing the Policy Administrator host would not necessarily optimize GUI client performance. The minimum hardware requirements may be sufficient for a standalone or client-server system, but they are not optimal for a distributed system. To ensure optimal performance, you should install Cisco Secure Policy Manager on hosts that exceed the minimum hardware requirements.
You cannot access the setup program unless the target host on which you are installing Cisco Secure Policy Manager has the following requisite software properly installed:
Refer to Appendix A for procedures on implementing any of the following settings.
The following settings are required:
The following settings are recommended:
The following list outlines the installation task flow you should follow to ensure each element is properly prepared prior to installing a Cisco Secure Policy Manager system on your network. You should read the discussions presented in this chapter and refer to the sections in Appendix A to ensure all requirements are met before attempting to install Cisco Secure Policy Manager.
| Step | Installation Task Flow |
|---|---|
| 1 | Decide what type of Cisco Secure Policy Manager system you want to install. |
| 2 | Prepare the supported devices you intend to manage. |
| 3 | Prepare the target host(s) on which you will install the Cisco Secure Policy Manager system. |
| 4 | Follow the installation procedures corresponding to the type of Cisco Secure Policy Manager system you wish to install. |
Posted: Tue Jun 20 14:01:01 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.