
Planning Your Cisco Security Manager Installation


Introduction

As software users with limited time on our hands, we all want to jump right into the installation process by popping in the CD-ROM and loading the setup program. Before you do this with Cisco Security Manager, however, you need to have a working knowledge of the different installation options available to you. You then need to take your network configuration into account to determine which installation is right for you. Understanding the hardware and software requirements for each installation is also essential.

This chapter explains what you need to know about the different installation options before you actually install Cisco Security Manager. In particular, it discusses the following:

Understanding Cisco Security Manager

Cisco Security Manager provides centralized policy management for the PIX Firewall. Through Policy Manager, which is the native Windows NT graphical user interface, you can create and enforce security policies on any managed PIX Firewall. Policy Manager also runs on Windows 98.

Besides providing the tool for graphical policy development and tree-based network viewing, Cisco Security Manager monitors the system and notifies you about certain system events according to conditions that you define. You can configure the system so that these notifications are carried out via pop-up window, e-mail messaging, or pager service. Cisco Security Manager also generates on-demand and user-scheduled activity reports that you can view using the integrated Microsoft Internet Explorer web browser.

Cisco Security Manager can be installed to fit the particular needs of your network(s). You can install it as a standalone system operating on one computer, or you can distribute the system so that the different feature sets operate on separate computers. The following two sections describe the standalone and distributed Cisco Security Manager systems.

Standalone Cisco Security Manager

The standalone Cisco Security Manager incorporates all the feature sets into a standalone system operating on a single computer. The computer on which the standalone system is installed, called a primary server, carries out all database, monitoring, reporting, and policy distribution functionality. Also, Policy Manager is installed on this system, which enables you to administer the standalone system locally. However, you can also install Policy Manager on another computer, such as your desktop computer, if you intend to administer the standalone system remotely.

The standalone Cisco Security Manager is ideal for organizations with smaller networks that probably will not generate an overload of data traversing the Cisco Security Manager system. Also, this installation is ideal if you do not have the resources available to dedicate multiple computers to a distributed Cisco Security Manager system.

Distributed Cisco Security Manager

The distributed Cisco Security Manager enables you to install the different feature sets on separate computers. These feature sets include the following:

In a distributed system, the computer on which you install the Primary Policy Database feature set is called a primary server (as is the computer in a standalone system). The computers on which you install all other feature sets are called secondary servers.

When you are distributing the system, you must first install the Primary Policy Database feature set because the database key is needed for all other installations. Other than that, you are restricted only by the parameters of your network topology. As long as the primary and secondary servers on which you are installing the distributed feature sets are properly configured and can reliably pass traffic between them, you should be able to manage the PIX Firewalls on your network.

This is not to say, however, that all traffic passing between distributed feature sets is secure, or that a particular configuration of distributed components is either efficient or recommended. You should access the "Getting Started" section of the online HTML Help for more information about setting up and working with the system.

Caution Only data passed between different parts of the Cisco Security Manager system are secured by encryption. Other types of data may not be secure. For example, Syslog data originating from a firewall to a Policy Monitor Point is not encrypted; therefore, you should ensure that unencrypted data does not travel across an unknown or untrusted network, such as the Internet.

Hardware and Software Requirements

You should ensure that the computer on which you plan to install Cisco Security Manager meets the minimum hardware requirements. Also, the target computer must have the requisite software installed and properly configured, including an NTFS file partition, Service Pack 4 for Windows NT, Microsoft Internet Explorer version 4.01 SP1, and HTML Help 1.2a support. The Autostart utility makes fulfilling the software requirements easier by checking the target computer for all requisites and then enabling you to install any missing requisites before continuing with the setup program. You cannot proceed with the setup program unless you install all requisite software.


Note For information on converting a FAT file partition to an NTFS file partition, see the "Converting Your File Partition from FAT to NTFS" section.

Hardware Requirements

Cisco Security Manager was extensively tested to determine minimum and recommended hardware requirements. A distinction must be drawn here between minimum hardware requirements and recommended hardware requirements. The computer or computers on which you install Cisco Security Manager must meet the minimum hardware requirements; otherwise, we cannot guarantee the integrity and functionality of the system that you install. To ensure optimal performance, though, you should install Cisco Security Manager on computers that meet or exceed the recommended hardware requirements.

Minimum Hardware Requirements

Recommended Hardware Requirements

Software Requirements

You can install Cisco Security Manager on any computer that meets the minimum hardware requirements and that also runs Windows NT 4.0 using an NTFS file partition. You can also install Policy Manager on a computer that runs Windows 98.

Cisco Security Manager also requires several pieces of requisite software to operate as intended, including Service Pack 4 for Windows NT (to update files in the operating system), Microsoft Internet Explorer version 4.01 SP1 (for displaying generated system reports), and HTML Help 1.2a support (for viewing online HTML-based Help topics). You must also have the TCP/IP protocol stack installed and operating correctly on each computer before you begin installation.

The following sections discuss the software requirements for Cisco Security Manager.

Requisite Software

You cannot access the setup program unless the target computer on which you are installing Cisco Security Manager has Service Pack 4, Microsoft Internet Explorer version 4.01 SP1, and HTML Help 1.2a update properly installed. The Autostart utility automatically searches the target computer for these requisites and lists the ones that you must install before proceeding with the setup program. You can install all three requisite pieces of software from the Autostart panel.

Installing the TCP/IP Protocol Stack

You must have the TCP/IP network protocol installed, properly configured, and operational before you begin the setup program. This section defines the procedures that you must perform to install TCP/IP, if you have not already installed TCP/IP on the target computer.

To install TCP/IP on the target computer:

Step 1 To access the Network dialog box, right-click Network Neighborhood on the desktop, and then click Properties on the shortcut menu.

You can also access this dialog box by double-clicking the Network icon in Control Panel.

Result: The Network dialog box appears.

Step 2 Click the Protocols tab in the Network dialog box.

Result: The Protocols tab appears at the forefront.

Step 3 To add the TCP/IP protocol stack to the list of installed protocols in the Network Protocols box, click Add, and then select TCP/IP Protocol by clicking it in the Network Protocol list of the Select Network Protocol dialog box. Then, click OK.

Result: You are prompted for the location of the Windows NT CD-ROM.

Step 4 Click Continue on the Windows NT Setup dialog box after you specify the directory path to the Windows NT CD-ROM.

Result: After the appropriate files are copied, you must reboot the computer.

To verify that TCP/IP is functioning properly:

Step 1 To access the command prompt, click Start, point to Programs, and then click Command Prompt on the shortcut menu.

Result: The Command Prompt window appears.

Step 2 To verify that the computer on which you installed TCP/IP can communicate using that protocol suite, type ping at the command prompt followed by a space and then a valid IP address of another computer on the network.

Result: If TCP/IP is not functioning properly, a request timeout message appears. Otherwise, the computer receives a response from the IP address that you pinged.

Step 3 To verify that other computers can communicate with the computer on which you installed TCP/IP, repeat the previous step on another computer by trying to ping the IP address of the computer on which you installed TCP/IP.

Result: If TCP/IP is not functioning properly, a request timeout message appears. Otherwise, the computer receives a response from the IP address that you pinged.

Installing TAPI and MAPI

To receive e-mail and pager notifications, you must configure TAPI (Telephony Application Programming Interface) and MAPI (Messaging Application Programming Interface) on any computer on which you have installed a standalone Cisco Security Manager system, the Policy Distribution / Monitor Point, or the Policy Monitor Point.

TAPI is a collection of software features built into Windows NT that gives users and developers access to telephony services. TAPI is automatically configured when you install a modem on a Windows NT-based computer. If you have properly installed and configured your modem, you do not need to do anything else for TAPI functionality.

MAPI is a collection of software features built into Windows NT that enables different e-mail clients to distribute mail. MAPI is installed with Windows Messaging. You need to install Windows Messaging and create a user profile if you want Cisco Security Manager to notify you via e-mail. The following procedures walk you through the process of checking for Windows Messaging on the computer, installing Windows Messaging, and then creating a user profile.

To set up Windows Messaging:

Step 1 To check for Windows Messaging, double-click the Inbox icon on the Windows NT desktop.

Result: If Windows Messaging is not installed, a dialog box displays a message asking if you want to install it.

Step 2 If you receive this dialog box, click Yes. Otherwise, skip to Step 5.

Result: A dialog box prompts you to insert the Windows NT CD-ROM disc into the local CD-ROM drive.

Step 3 To install the requisite files, insert the Windows NT CD-ROM disc, and then ensure that the correct path appears in the Copy File From box. If not, type the correct path to the Windows NT disc. Then, click Next.

Result: The required files are copied from the Windows NT disc to the target computer.

Step 4 To initiate the Windows Messaging Setup Wizard, double-click the Inbox icon again.

Result: The Windows Messaging Setup Wizard starts and prompts you to choose the type of mail service for your user profile.

Step 5 Select Internet Mail. Then, click Next.

Result: A dialog box prompts you to choose the type of connection for your user profile.

Step 6 Select Network. Then, click Next.

Result: A dialog box prompts you to specify either the name or the IP address of the mail server.

Step 7 Type the name or IP address of the mail server. Then, click Next.

Result: A dialog box prompts you to choose whether to have mail automatically downloaded to the inbox.

Step 8 To have mail automatically downloaded to the inbox, click Automatic. Then, click Next.

Result: A dialog box prompts you to specify the e-mail address from which messages on the system originate.

Step 9 Type the e-mail address from which messages on the system should originate in the E-mail Address box. Also, type the name that should appear on all messages originating from the system in the Full Name box. Then, click Next.

Result: A dialog box prompts you to specify the mailbox name on the mail server.

Step 10 Type the name of the e-mail account on the mail server in the Mailbox Name box. Also, type the password associated with this account in the Password box. Then, click Next.

Result: A dialog box prompts you to choose whether to accept the default personal address book.

Step 11 Accept the default personal address book and default personal folders. Then, click Next.

Result: A message signals that you are done configuring Windows Messaging.

Step 12 Click Finish to complete the process.

Result: The computer is now configured to use MAPI for e-mail notifications.

Converting Your File Partition from FAT to NTFS

To ensure the integrity and security of the computer on which you install Cisco Security Manager, you must install the product on an NTFS file partition. If the computer on which you want to install the product currently runs a FAT file partition, you can convert it to NTFS by performing the following procedure.

To convert FAT to NTFS:

Step 1 To access a command prompt, click Start, point to Programs, and click Command Prompt on the shortcut menu.

Result: The Command Prompt window appears.

Step 2 To convert the drive, type convert driveletter /FS:NTFS, and then press Enter.

Result: The volume is converted to NTFS.

Licensing Cisco Security Manager

Cisco Security Manager is licensed according to the number of firewalls that you can manage with the system instead of functionality or features. A single-PIX Firewall license is free of charge and is distributed with every PIX Firewall, while multi-PIX Firewall licenses (for managing up to 10 or up to 100 firewalls) must be purchased separately. If you purchase a new license, you can upgrade it by accessing the Product Updates command on the Help menu.

During installation, the setup program prompts you to insert the floppy disk on which the product license is stored so that it can access the license key. This license key should not be confused with the database key that is used to install all feature sets (except for the Primary Policy Database, which generates the database key).


Note If you plan to install a Cisco Security Manager that manages only one PIX Firewall, the license.dsk file is located in the root directory of the Cisco Security Manager CD-ROM. You will only receive a license diskette for versions that manage up to 10 and up to 100 firewalls. If you downloaded the zip file, the license.dsk file is located in the directory where you extracted the zip file.

To preserve the original Cisco Security Manager license key, we recommend that you back up your license disk and use this working copy during every installation. You should then store your original license disk in a secure place. Follow the directions below to make a backup copy of the license disk.

To make a backup copy of the original license disk:

Step 1 Use the information that is provided on the original Cisco Security Manager disk label to prepare a label for the disk that you intend to copy.

Step 2 To access the command prompt, click Start, point to Programs, and then click Command Prompt on the shortcut menu.

Result: The Command Prompt window appears.

Step 3 To initiate the disk copying procedure, type the following command at the prompt:

diskcopy a: a:

where a: is the drive letter of your 3.5" floppy disk drive.

Result: The following message appears:

C:\diskcopy a: a:

Insert SOURCE disk in drive A:

and press ENTER when ready...

Step 4 To have the files read from the source disk, insert the original Cisco Security Manager license disk into your 3.5" floppy disk drive. Then, press Enter.

Result: The following message appears after the source disk has been accessed:

Insert TARGET disk in drive A:

and press Enter when ready...

Step 5 To have the files written to the target disk, remove the source disk and insert the blank formatted target disk into your 3.5" floppy disk drive. Then, press Enter.

Result: The following message appears after the files have been written to the target disk:

Copy another disk? [Y/N]

Step 6 To make another copy, repeat the same procedure, or type N to quit.

Result: You are either prompted to insert another disk or you are returned to the command prompt.

Step 7 Remove the target disk from the drive and place the label on it. Store the original license disk in a secure, dry, cool location. Use the backup disk for all installations.

Configuring a Console Terminal

If the computer you are connecting to runs either Windows 95 or Windows NT, the Windows HyperTerminal accessory provides easy-to-use software for communicating with the firewall. If you are using UNIX, refer to your system documentation for a terminal program.

HyperTerminal also lets you cut and paste configuration information from your computer to the firewall console.

To configure HyperTerminal for use as the PIX Firewall console:

Step 1 Connect the serial port of your PC to the console port of the PIX Firewall with the serial cable supplied in the PIX Firewall accessory kit.

Step 2 To start HyperTerminal, click Start, point to Programs, then Accessories, then HyperTerminal, and click HyperTerminal.

Result: The HyperTerminal window opens, and the Connection Description dialog box appears.

Step 3 To specify that this connection description is for the PIX Firewall console, type a unique name in the Name box and click OK.

Result: The Connect To panel appears.

Step 4 To designate the COM port to which the PIX Firewall serial cable is attached, click that port number in the Connect using box, and then click OK.

Step 5 To specify the required connection settings in the COM Properties dialog box, select the following values, and then click OK:

Result: The HyperTerminal window is now ready to receive information from the PIX Firewall console. If the serial cable is connected to the firewall, turn on the firewall and you should be able to view the console startup display.

Step 6 To save your terminal configuration settings, click Save on the File menu.

Step 7 To exit HyperTerminal, click Exit on the File menu.

Result: HyperTerminal prompts you to be sure you want to disconnect.

Step 8 To disconnect and close the HyperTerminal window, click Yes.

Result: HyperTerminal saves a log of your console session that you can access the next time you use it.

Tips To restart HyperTerminal, click the connection description name that you specified in the HyperTerminal folder on the Accessories submenu. When HyperTerminal starts, drag the scroll bar up to view the previous session.

Bootstrapping the PIX Firewall

Before you can manage any PIX Firewall, you must ensure that it has a basic configuration that enables it to receive commands from Cisco Security Manager. These basic configuration settings are called bootstrap settings. To connect to and configure the initial settings for the PIX Firewall, you must use a Telnet console, such as the one described in "Configuring a Console Terminal". These bootstrap settings can be discovered automatically by the Topology Wizard provided with Cisco Security Manager, but they are also required before Cisco Security Manager can discover the PIX Firewall on your network.

Table 1-1 contains a worksheet that you can fill out and use to configure your PIX Firewall (if you have not already done so). The following procedures detail the commands entered at the console terminal. The commands use brackets surrounding a capital letter, such as [A], to refer to values that you have written on the worksheet. When you are carrying out a procedure that has a reference to the worksheet, type the value from the field on the worksheet, not the reference letter that we use to point you to the field on the worksheet.

For cases where we cannot use the worksheet to collect the required data, we use the standard command syntax. Do not include the angle brackets (< and >) or square brackets ([ and ]) in any commands that you type.

Caution Cisco Security Manager only detects and imports a small number of configuration commands installed on a PIX Firewall (for more information on supported commands, refer to the Release Notes for Cisco Security Manager document). If you have a large number of configuration rules active on the target PIX Firewall(s), you should copy that configuration to a safe location before continuing with this task. If you have rules defining unsupported commands, you can copy those rules into Cisco Security Manager after the initial configuration is completed.

If you have already configured your PIX Firewall, you should ensure that its basic configuration matches the following description, specifically the interface names and the settings required for Cisco Security Manager to distribute its generated command sets.

Step 1 Using a console terminal, connect to the PIX Firewall console port.

Step 2 To specify that you want to configure the PIX Firewall using privileged mode, type enable and press Enter.

Step 3 Type the enable password for the PIX Firewall, and then press Enter.

Step 4 To enter terminal configuration mode, type configure terminal and press Enter.

Result: You are in the PIX Firewall terminal configuration mode.

Step 5 To name each interface and specify an interface security level between 0 and 100, type nameif <hardware_id> <if_name> <security_lvl>, and then press Enter.

Use the following parameter guidelines to complete the nameif command:

If you have both Token Ring and Ethernet interfaces, specify three nameif command statements. For each statement, replace hardware_id, starting with ethernet0 or token0 and numbering the Ethernet or Token Ring interfaces consecutively thereafter. For example, if you have an Ethernet interface on the outside, a Token Ring on the inside, and an Ethernet interface as the third interface, the slots would be named ethernet0, token0, and ethernet1.

You can abbreviate the hardware_id name with any significant letters, such as e0 for ethernet0 or t0 for token0.

For a PIX Firewall that has more than four interfaces installed, you must name all the DMZ-slot:# interfaces, where the "#" is replaced by the slot number in which that interface is installed. Also, you will only modify the slot number itself. If you change the interface to a name that is not listed above, Cisco Security Manager issues consistency errors.

Step 6 For each interface installed in the PIX Firewall, repeat Step 5.

Step 7 To designate the network IP address and network mask for the outside interface, type ip address outside [B] [C], and then press Enter.

Step 8 To designate the network IP address and network mask for the inside interface, type ip address inside [D] [E], and then press Enter.

Step 9 To specify the default gateway for your PIX Firewall, type route outside 0 0 [F] [metric], and then press Enter.

Step 10 If you do not want to perform address hiding, proceed to Step 12. To define a global pool of IP addresses to use for address hiding (NAT), type global (outside) <nat_id> [G]-[H] netmask <global_mask>, and then press Enter.

Step 11 To apply the global pool of IP addresses that you just specified to the inside interface, type nat (inside) <nat_id> <local_ip> [<mask> [<max_conns> [<emb_limit>]]] [norandomseq], and then press Enter.

The nat_id value is the same value that you specified in Step 10. The remaining parameters must adhere to the following guidelines:

Step 12 To allow the Policy Distribution Point to distribute commands to the PIX Firewall, type telnet [I], and then press Enter.

Step 13 To specify the route to reach the Policy Distribution Point if it is not located on the network attached to the inside interface, type route inside <network_address> <network_mask> [J] [metric], and then press Enter.

Currently, the PIX Firewall requires you to connect to the inside interface when distributing commands.

Step 14 To save your configuration changes to the flash memory of the PIX Firewall, type write memory, and then press Enter.

Step 15 To exit the enable privileged mode, type exit, and then press Enter.

Result: The terminal console connection closes, and your PIX Firewall is now fully configured to accept commands from Cisco Security Manager.
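
The following is an added example, not part of the original Cisco document: a Python sketch that checks a filled-in worksheet and renders the command sequence for Steps 2 through 15, including the two branches (skipping Steps 10 and 11 when no NAT pool is given, and adding Step 13 only when [I] is off the inside network). It goes beyond the procedure by validating the values first. The worksheet values, the interface list, the use of the outside netmask as <global_mask>, the inside network as <local_ip>, and the host route in Step 13 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample worksheet (documentation address ranges, not from the page).
SAMPLE = {
    "B": "192.0.2.1", "C": "255.255.255.0",    # outside IP / netmask
    "D": "10.1.1.1", "E": "255.255.255.0",     # inside IP / netmask
    "F": "192.0.2.254",                        # default route
    "G": "192.0.2.10", "H": "192.0.2.20",      # NAT pool low / high
    "I": "10.2.2.5",                           # Policy Distribution Point host
    "J": "10.1.1.254",                         # inside gateway toward [I]
}
# (hardware_id, if_name, security level) for Steps 5 and 6; constructed values.
IFACES = [("ethernet0", "outside", 0), ("ethernet1", "inside", 100)]


def parse_interface(ip, mask, label):
    """Parse an address/netmask pair; a non-contiguous mask is rejected."""
    try:
        return ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:
        raise ValueError(f"{label}: {exc}") from None


def bootstrap_commands(ws, interfaces, nat_id=1, metric=1):
    """Return the console commands for Steps 2-15 as a list of strings."""
    outside = parse_interface(ws["B"], ws["C"], "[B]/[C]")
    inside = parse_interface(ws["D"], ws["E"], "[D]/[E]")
    if outside.network.overlaps(inside.network):
        raise ValueError("outside and inside networks overlap")

    gateway = ipaddress.ip_address(ws["F"])
    if gateway not in outside.network or gateway == outside.ip:
        raise ValueError("[F] must be another host on the outside network")

    # Steps 2-4. The enable password (Step 3) is typed at the prompt.
    cmds = ["enable", "configure terminal"]

    # Steps 5-6: one nameif per interface, level between 0 and 100.
    for hardware_id, if_name, level in interfaces:
        if not 0 <= level <= 100:
            raise ValueError(f"security level {level} is outside 0-100")
        # PIX writes the level as the keyword securityN.
        cmds.append(f"nameif {hardware_id} {if_name} security{level}")

    # Steps 7-9.
    cmds.append(f"ip address outside {outside.ip} {outside.netmask}")
    cmds.append(f"ip address inside {inside.ip} {inside.netmask}")
    cmds.append(f"route outside 0 0 {gateway} {metric}")

    # Steps 10-11 are skipped entirely when no pool is on the worksheet.
    low, high = ws.get("G"), ws.get("H")
    if low or high:
        if not (low and high):
            raise ValueError("[G] and [H] must both be filled in")
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo > hi:
            raise ValueError("[G] must not be higher than [H]")
        if lo <= outside.ip <= hi:
            raise ValueError("NAT pool contains the outside address [B]")
        # Assumption: the outside netmask serves as <global_mask>.
        cmds.append(f"global (outside) {nat_id} {lo}-{hi} "
                    f"netmask {outside.netmask}")
        # Assumption: the whole inside network is translated.
        cmds.append(f"nat (inside) {nat_id} "
                    f"{inside.network.network_address} {inside.netmask}")

    # Step 12.
    pdp = ipaddress.ip_address(ws["I"])
    cmds.append(f"telnet {pdp}")

    # Step 13 applies only when [I] is not on the inside network.
    if pdp not in inside.network:
        if not ws.get("J"):
            raise ValueError("[J] is required when [I] is off the inside network")
        hop = ipaddress.ip_address(ws["J"])
        if hop not in inside.network or hop == inside.ip:
            raise ValueError("[J] must be another host on the inside network")
        # Assumption: a host route to [I] stands in for
        # <network_address> <network_mask>.
        cmds.append(f"route inside {pdp} 255.255.255.255 {hop} {metric}")

    # Steps 14-15.
    cmds += ["write memory", "exit"]
    return cmds


if __name__ == "__main__":
    for line in bootstrap_commands(SAMPLE, IFACES):
        print(line)
```
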

Tips and Recommendations

You should carefully consider the tips and recommendations in the following sections. While overlooking them will not necessarily result in loss of data, you may avoid performance problems, maintenance headaches, or security breaches by following them. You may want to check Cisco's web site from time to time for other informative tips.

Creating a Windows NT Account for Installation

We recommend that you use the same Windows NT account (with administrative privileges) whenever you install or uninstall Cisco Security Manager or any of its feature sets. This account can be either a domain account or a local account. Follow the directions in this section to create a new Windows NT account with administrative privileges.

To create a new Windows NT account with administrative privileges:

Step 1 To open the User Manager, click Start, point to Programs and then Administrative Tools, and click User Manager (or User Manager for Domains) on the shortcut menu.

Result: The User Manager appears.

Step 2 To create a new user, click New User on the User menu.

Result: The New User dialog box appears.

Step 3 To specify account parameters, type the username in the Username box and a corresponding password in the Password box. You must confirm the password by retyping it in the Confirm Password box.

Result: The username and password that you typed become associated with the new account.

You can also provide more information by filling in the Full Name and Description boxes.

Step 4 To assign administrative privileges to the account, click Groups, select Administrators in the Not member of box, and then click Add.

Result: Administrators appears in the Member of box.

Step 5 Click OK in the Group Memberships and New User dialog boxes to close them.

Result: The Windows NT user account becomes active. You can now use this account to log on to the computer.

Changing the Time-out Setting

We strongly recommend that you set the Windows NT startup time-out to zero seconds and that you load Windows NT by default. Setting the time-out to zero seconds prevents someone from gaining access to the computer before the operating system takes control. Follow the directions in this section to change the time-out setting.

To change the Windows NT time-out setting:

Step 1 To access the System Properties dialog box, right-click the icon on the desktop that represents the computer, and then click Properties on the shortcut menu.

You can also access this dialog box by double-clicking the System icon in Control Panel.

Result: The System Properties dialog box appears with the General panel at the forefront.

Step 2 Click the Startup/Shutdown tab.

Result: The Startup/Shutdown tab appears at the forefront.

Step 3 In the System Startup box, change the value that appears in the Show list for box to zero. Click Apply, and then click OK.

Result: The dialog box closes, and upon the next reboot the operating system takes control of the computer without any time-out.

Disabling DHCP

The Dynamic Host Configuration Protocol (DHCP) enables computers to receive dynamically assigned IP addresses. Because these IP addresses are not permanently assigned to the computers, distributing Cisco Security Manager among a number of computers with dynamically assigned IP addresses may result in loss of communication between the computers if one or more IP addresses change. Therefore, we recommend, but do not require, that you disable DHCP or assign a permanent, static lease for all Cisco Security Manager computers.

You should make sure that each target computer has a permanently assigned IP address before you install Cisco Security Manager. If you choose to disable DHCP, perform the following task to disable DHCP on every computer on which you intend to install Cisco Security Manager.


Note If you choose to use DHCP, you must define a permanent, static lease for all computers on which Cisco Security Manager runs. As long as the lease is permanent, communications between Cisco Security Manager hosts are performed correctly.

To disable DHCP and assign a permanent IP address:

Step 1 To access the Network dialog box, right-click Network Neighborhood on the desktop, and then click Properties on the shortcut menu.

You can also access this dialog box by double-clicking the Network icon in Control Panel.

Result: The Network dialog box appears.

Step 2 Click the Protocols tab on the Network dialog box.

Result: The Protocols tab appears at the forefront.

Step 3 To access TCP/IP properties, select TCP/IP Protocol in the Network Protocols list, and then click Properties.

Result: The Microsoft TCP/IP Properties dialog box appears with the IP Address tab at the forefront.

Step 4 To disable DHCP, select Specify an IP address by clicking it.

Result: The IP Address, Subnet Mask, and Default Gateway boxes become available.

Step 5 To assign a permanent IP address to the computer, type an available IP address in the IP Address box, its corresponding subnet mask in the Subnet Mask box, and the default gateway IP address to which all packets should be sent for routing in the Default Gateway box. Click Apply.

Result: The IP address that you specified becomes permanently associated with the computer, unless you change it in the future.

Step 6 To apply your changes to your network settings, click the Bindings tab.

Result: Windows NT recalculates the TCP/IP stack bindings.

Step 7 To exit and reboot your computer, click OK.

Result: You are prompted to reboot your computer. You should reboot before you continue verifying the network connectivity.

Confirming Network Integrity

Make sure that all computers on which you plan to install Cisco Security Manager are properly configured for your network and that each computer can "talk" on the network. On every computer, you should attempt to ping another computer on the network, and you should attempt to ping every computer from another one on the network. You can find the procedures for pinging in the previous "Software Requirements" section where TCP/IP is discussed.

Running Beta Software

We do not recommend that you install beta software on any computer that is running Cisco Security Manager or any of its feature sets. Beta software can have an unpredictable effect on a computer, and we cannot guarantee the continued functionality of Cisco Security Manager operating on a computer with installed beta software.

Controlling Physical Access to the System

We recommend that you place all computers that are running Cisco Security Manager or any of its feature sets in secure locations that can be monitored at all times. Doing so can help you avoid an internal breach of security. A great majority of the security breaches that occur in corporate environments are committed internally by people who gain physical access to these types of systems.

Also, avoid storing the license key or database key in a location that is accessible by many people. For example, we do not recommend that you store it on a shared network drive. We strongly urge you to export the key to a floppy disk and then store the floppy disks in a secure location, such as a locked drawer or cabinet.

PIX Firewall Worksheet

The worksheet in Table 1-1 asks you questions about your PIX Firewall and your network. You should write the answer to each question in the corresponding box. Then, as you are performing the procedures for the PIX Firewall Setup Wizard, you should replace any reference letter within a procedure with the answer corresponding to that reference letter.

Table 1-1: PIX Firewall Worksheet

Reference (procedures display this) | Question (used to obtain real value) | Answer (this is your real value)
[A] | If you want to change the enable password for your PIX Firewall, what is the new password? |
[B] | What is the outside IP address of your PIX Firewall? |
[C] | What netmask is associated with the network connected to the outside of your PIX Firewall? |
[D] | What is the inside IP address of your PIX Firewall? |
[E] | What netmask is associated with the network connected to the inside of your PIX Firewall? |
[F] | What is the default route for your PIX Firewall? |
[G] | If you want to set up address hiding, what is the low IP address used for the NAT pool? |
[H] | If you want to set up address hiding, what is the high IP address used for the NAT pool? |
[I] | What is the IP address of the host on which the Policy Distribution Point that controls the PIX Firewall is installed? |
[J] | If the Policy Distribution Point resides on a network other than the inside network, what is the default gateway for the inside network to use when trying to reach that other network? |


Posted: Fri Feb 25 12:50:14 PST 2000
Copyright © 1989-2000 Cisco Systems Inc.