
Maintaining Cisco Security Manager

Introduction

This chapter describes how to configure your primary Cisco Security Manager server to encrypt the network traffic passing between the reporting agent and a web browser that requests access to the reports generated by Cisco Security Manager. In addition, this chapter describes how to back up your system and how to restore your system from a backup copy.

Secure Communications between the Reporting Agent and Web Browsers

Cisco Security Manager supports secure communications between independent web browsers and the reporting agent. Before access to the reports is granted, all communication requests made from a web browser require the user to use a Cisco Security Manager administrative account with appropriate privileges to authenticate to the reporting agent. This required authentication is also enforced for requests originating from Cisco Policy Manager. However, the encryption mechanisms used between Cisco Policy Manager and the reporting agent are different from those used between a web browser and the reporting agent.

All Cisco Policy Manager sessions, whether with the reporting agent or with another Cisco Security Manager component, are encrypted using a symmetric algorithm for bulk encryption. Cisco Policy Manager relies on the Microsoft Crypto API to perform encryption.

However, a session between a web browser and the reporting agent is encrypted using the Secure Sockets Layer (SSL) protocol. The SSL protocol uses 40-bit bulk encryption based on the RSA BSAFE SSL-C library.

The following section describes how you can configure and use your web browser to use secure communications when communicating with the reporting agent.

Configure Web Browser for Secure Communications

In addition to viewing scheduled and on-demand reports from within Cisco Policy Manager, you can view Cisco Security Manager reports from any standard web browser. To view the reports over an encrypted SSL connection, you must install a certificate and you must use https:// rather than the standard http:// to request the reports.

The first time that you attempt to connect to the primary server, you will be prompted to download the certificate provided with Cisco Security Manager. Once you accept the certificate, your communications for that session will be encrypted.

Replacing the Cisco Certificate with a Custom Certificate

You can replace the digital certificate/RSA private key pair provided by Cisco Systems with one that you get from a third-party certificate provider, such as Entrust Technologies, Security Dynamics, Inc., and VeriSign, Inc. This certificate/key pair is used to encrypt the communications between the reporting agent and a web browser client that requests report data from the Cisco Security Manager server. The private key is used for the session handshake and encrypting the negotiated session key, which is randomly generated for each session and used to encrypt that session only.

Such encrypted communications are optional. This feature is provided to enhance the overall security of the system and its data by preventing eavesdropping on the data contained within the reports that you generate. Encrypting this traffic is good security practice, but you are not required to do so.

You will want to replace this certificate (Examiner.crt) if your company supports another certificate authority (CA) or has its own certificate server (public key infrastructure). A weakness of the RSA private key that Cisco Systems ships with Examiner.crt is that it is the same private key provided to all Cisco customers who purchase Cisco Security Manager. In addition, the provided Examiner.crt is a self-signed certificate, which means that it is vulnerable to man-in-the-middle attacks.

In other words, attackers can create an identical-looking certificate, intercept your requests to the reporting agent, and communicate with the browser as if they were the reporting agent. Because the certificate is not issued by a trusted CA, your web browser cannot determine whether it is communicating with the actual reporting agent. Because of this inability, the web browser prompts you to accept the certificate.

However, if you replace the Examiner.crt with a real certificate signed by a reliable CA, and you ensure that the CA is identified in the web browser's certificate accept list, you will not be prompted to accept the certificate, even on the first use. In addition, such a configuration prevents a man-in-the-middle attack as long as the CA is not compromised.

To replace the existing certificate/key pair, perform the following tasks:

Step 1 Obtain a new certificate and RSA private key. These files must be formatted as PEM files (Privacy Enhanced Mail, RFC 1421-1424). In addition, the private key must not be pass-phrase encrypted and cannot exceed 2048 bits in length.

Step 2 Rename the new certificate and key files to Examiner.crt and Examiner.key, respectively.

Step 3 Replace the Examiner.crt and Examiner.key files that reside in the Cisco Security Manager bin folder on your primary server (or standalone server) with the newly renamed files.

Step 4 Update the file signatures on the primary server. If you fail to update the file signatures, the Cisco Controlled Host Component service will not start.
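Before renaming the files in Step 2, it is worth confirming that the key obtained in Step 1 meets the stated constraints (PEM armor, no pass-phrase, modulus of at most 2048 bits). The following pre-flight check is an added example, not part of this guide or of Cisco Security Manager; it assumes the key is in the traditional PKCS#1 "RSA PRIVATE KEY" PEM form, treats an RFC 1421 "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "ENCRYPTED PRIVATE KEY" block as pass-phrase protected, uses only the Python standard library, and builds its own constructed test data.

```python
import base64
import re

MAX_BITS = 2048  # limit stated in Step 1 of the replacement procedure

def _der_read(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of n in a PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, ... }."""
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _der_read(body, 0)            # skip INTEGER version
    tag, n, _ = _der_read(body, pos)          # INTEGER n (the modulus)
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(n, "big").bit_length()

def check_examiner_key(pem):
    """Return a list of problems; an empty list means the key meets the stated rules."""
    if "BEGIN ENCRYPTED PRIVATE KEY" in pem or re.search(r"^Proc-Type: 4,ENCRYPTED", pem, re.M):
        return ["key is pass-phrase encrypted; Cisco Security Manager needs a plain key"]
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:
        return ["not a PEM-armored PKCS#1 RSA private key"]
    body = re.sub(r"^[A-Za-z-]+:.*$", "", m.group(1), flags=re.M)  # drop RFC 1421 headers
    bits = rsa_modulus_bits(base64.b64decode("".join(body.split())))
    return [] if bits <= MAX_BITS else [f"modulus is {bits} bits; the limit is {MAX_BITS}"]

# Constructed test data below: a syntactically valid PKCS#1 shell, NOT a usable key.
def _der_len(n):
    return bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))

def _der_int(value):
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(raw)) + raw

def fake_pkcs1_pem(bits):
    """PEM with version=0, an n of the requested size, e=65537 and no private components."""
    body = _der_int(0) + _der_int((1 << (bits - 1)) | 1) + _der_int(65537)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"
```

Run `check_examiner_key(open("Examiner.key").read())` against the real file; an empty list means it is safe to proceed to Step 2, and the check does not verify that the key matches the certificate.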

The following procedure explains how to update the file signatures on the primary server.

Step 1 To access the Update File Signatures dialog box, point to Product Updates, and click File Signatures on the Help menu.

Result: The Update File Signatures dialog box appears.

Step 2 To specify the target hosts for which you want to update the file signatures, click the primary server host in the Target Machine(s) box.

Step 3 To submit this information, click OK.

Result: A Cisco Security Manager message box displays, prompting you to allow five minutes for the file signature update to complete on the selected host.

Backing Up Cisco Security Manager

The Backup command writes a backup copy of your Primary Policy Database to a safe location on the Primary Policy Database server. In the event that your Primary Policy Database experiences data corruption problems or you want to revert to a previously known state, you can use this backup copy in conjunction with the fmrestore command at a command prompt to restore the Policy Database to its "last known good" state.

Caution
You can only back up the Primary Policy Database from the computer on which it resides. You cannot back up the Policy Database from a secondary server or a remote Cisco Policy Manager interface. Attempting to back up from a remote interface can corrupt the Primary Policy Database.

The backup copy contains a copy of your entire network configuration, defined policies, and administrative accounts that you have added. More importantly, the backup copy includes the history of your system and audit events up to the time the backup operation was started. This history includes details regarding traffic that has occurred across your network and any reports that have been generated regarding the status and use of your network.

Whenever you make a major change to the Cisco Security Manager configuration, you should back up the Policy Database to ensure that you have a safe copy of a known-working system. In addition, you should back up Cisco Security Manager after you initially install and configure it.

The following procedure explains how to back up the Policy Database on the primary server.

Step 1 To back up the Policy Database, point to Policy Database, and click Backup on the File menu.

Result: The Select Backup Directory dialog box appears.

Step 2 To specify the drive on which you want to store the backup copy, select that drive letter in the Folder box.

You can specify to store the backup copy in a pre-existing folder or you can create a new folder. To select a pre-existing folder, continue with Step 3; to create a new folder, skip to Step 4.

Step 3 To specify a pre-existing folder, select that folder in the Select Backup Directory dialog box, and then skip to Step 6.

Step 4 To create a new folder, click the Create New Folder icon.

Result: A new folder appears with the name New Folder selected.

Step 5 To specify the name of your new folder, type the name in the selected text box, and then press Enter.

Step 6 To accept your selection, click Open.

Step 7 To perform the Backup operation, click OK.

Result: When the backup operation is complete, a message box displays "Backup successful."

Step 8 To close the message box, click OK.

Restoring Cisco Security Manager from a Backup

The fmrestore command uses a backup copy of the Policy Database to restore the current Policy Database to a previous state. To create a backup of the Policy Database, you must use the Policy Database Backup command on the File menu. You can back up and restore only the Primary Policy Database. Once you restore a Primary Policy Database, any secondary servers will synchronize their configuration data with that of the Primary Policy Database. While the audit events for the secondary servers are stored on those servers, the configuration information, such as the network topology definition, security policies, etc., is taken from the Primary Policy Database. Therefore, the configuration information retained by the secondary servers will be replaced by the restored version on the primary server.

Caution
You must close all instances of Cisco Policy Manager and stop all the Cisco Security Manager services running on the Primary Policy Database before you can restore the Policy Database. Therefore, all communications between the primary server and any secondary servers will fail until you restart the Cisco Security Manager services on the primary server, which you cannot do until the fmrestore operation has completed.

The fmrestore command enables you to restore the Primary Policy Database configuration data from the backup directory that you specified during the backup process. You should use the fmrestore command whenever the Policy Database becomes corrupted or whenever you wish to revert the Policy Database to a prior state.

The following procedure explains how to use a previously backed up folder to restore the Policy Database on the primary server.

Step 1 To access the Services applet, double-click Services in Control Panel on the computer that is running the Primary Policy Database (the primary server).

Result: The Services dialog box appears.

Step 2 To safely shut down the Policy Database and all Cisco Security Manager services on the primary server, select Cisco Controlled Host Component in the Service list, and click Stop.

Result: All Cisco Security Manager services are stopped.

Step 3 To access the fmrestore command, change to the Cisco Security Manager\bin folder in a command prompt window.

The Cisco Security Manager folder is the folder where you chose to install the product on this computer.

Step 4 To revert the current Policy Database to the backup copy, type fmrestore <source folder> at the command prompt, and press Enter.

The source folder should include the folder name and the relative path to that folder from \bin. This folder is the one that you specified when you used Cisco Policy Manager to create the backup. Remember that a folder named "CiscoBackup" is automatically created under the backup folder specified during the backup process; however, you do not need to specify that folder in the path as it is automatically appended to the source folder that you specify. No other parameters are required.

Result: When the fmrestore operation is complete, a message displays "Successfully restored Cisco Policy Database files."

When the command prompt returns, reboot the primary server for all changes to take effect and to restart the Cisco Security Manager services.

Configuring an Active Standby Cisco Security Manager Server

If you have a standalone Cisco Security Manager server, you can configure an active standby server that enables you to swap the Cisco Security Manager responsibilities between the two in the event of hardware failures or other technical problems on the main server. This section explains what you must do to create an active standby server.

Caution
You can only create an active standby server for a standalone installation. You cannot create an active standby for a distributed installation because the Cisco Policy Database keys are all unique, and therefore, the communications between primary and secondary servers will fail to authenticate unless they share the same key. In addition, the IP addresses of the primary and secondary servers are required to conduct communications, which rules out the possibility of active standbys due to IP address conflicts on the same network.

The following list outlines the tasks, and the order in which you must perform these tasks, required to configure an active standby server for a standalone Cisco Security Manager installation:

    1. Install the Cisco Security Manager software on the standalone Cisco Security Manager server and the target active standby server. You should perform full installations on each.

    2. Configure the standalone Cisco Security Manager server to enforce the desired security policies.

    3. Export the *.cpm file from the standalone Cisco Security Manager server.

    4. Copy the *.cpm file into the root directory for Cisco Security Manager on the target active standby server.

    5. Start Cisco Policy Manager on the active standby server in file mode. To start Cisco Policy Manager in file mode, you must create a new shortcut to Cisco Policy Manager that includes the "-file filename" option at the end of the target command. The following is an example value for the Target box: "D:\Program Files\Cisco Systems\Cisco Security Manager\bin\cfmi.exe" -file hotswap.cpm.

    6. Change the name and the IP address of the Cisco Security Manager host in the Network Topology tree and save your changes to the file. This changes all references to the previous host name except for the name of the automatically generated policy, which is orthogonal to the operation of the active standby server.

    7. Start Cisco Policy Manager on the active standby server in database mode (do not use the file mode shortcut; instead, use the normal shortcut on the Start menu).

    8. Import the edited *.cpm file from the root directory into Cisco Policy Manager on the active standby server and save your changes using the Save command on the File menu.

Caution
Do not perform a Save and Update operation. This operation will switch between the two servers and prevent your standalone Cisco Security Manager server from configuring the Policy Enforcement Points. Instead, you should only perform a Save and Update operation when you actually want to switch between the two servers.

Posted: Wed Aug 18 19:17:41 PDT 1999
Copyright 1989-1999 © Cisco Systems Inc.