Cisco Software

SDM

Cisco Router and Security Device Manager (“SDM”): the older Java GUI for configuring IOS routers. Cisco Configuration Professional (below) is its successor.
IPS Device Manager (“IDM”) and IPS Manager Express (“IME”)

The IPS Device Manager (“IDM”) and IPS Manager Express (“IME”; the “M” is for Manager, so the abbreviation is not a shortened “IDM”) are used for configuring IDS/IPS services, both on dedicated IDS/IPS appliances and on other devices, like routers, that can provide IPS services.

[#ccsocpsw]: Cisco Configuration Professional (“Cisco CP”/“CCP”)

Used to configure IOS routers.

Requirements

This program uses Java, so a computer that runs CCP will need a Java runtime installed.

The device will need to support HTTP authentication. In addition to details like setting the desired IP address, the following commands may be used to enable HTTPS with authentication against a local username:

config terminal
! Lines starting with ! are treated as comments
! Create a local IOS user at privilege 15 (CCP needs level 15 to deliver configuration)
username deviceop privilege 15 secret 0 myPlainTextPassword
! Tell the HTTP(S) server to authenticate against the local username database
ip http authentication local
! Enable the IOS HTTPS server (note the hyphen: “ip http secure server” is not a valid command)
ip http secure-server

If the plaintext server was enabled earlier (“ip http server”), it can be turned off with “no ip http server” so that the login credentials only ever travel over HTTPS.

Note that some of that might be unnecessary. For instance, Cisco's documentation notes that some devices ship with a default local username of “cisco” whose password is also “cisco”. If that account is present, the “username” line above can be skipped, but the account should then be renamed or given a new password (see “First actions” below).

Main buttons

On the main screen, there are some buttons near the top-left corner. They control what most of the rest of the screen looks like.

“Home” button

This displays the “Community View” page. For more information about CCP communities, see the upcoming section on the “Manage community” icon.

“Configure” button

This is probably where most people will spend most of their time when they are first learning how to use the software to configure devices. It allows a person to see a device's configuration, and also to make changes to that configuration.

“Monitor” button

This allows a user to see details about how the device is currently operating, including seeing details about traffic that is going through the device (like how much traffic is being handled).

“Manage community” icon

This icon brings the user to the same screen as using the “Application” menu and selecting “Manage Community”.

“Refresh” icon

This instructs CCP to obtain details from a device. If a device is changed using a method other than CCP, clicking “Refresh” causes CCP to obtain updated information about how the device is configured.

Other icons

There are some other icons, like the “Provide feedback to Cisco” icon, which is intended for people to be able to leave feedback about CCP.

First actions

Managing Community

A “community” is basically just a group of devices. When CCP is in the “Configuration” screen (accessed by the “Configure” button) or the “Monitor” section (accessed by the “Monitor” button), there will be a drop-down box that can show the IP addresses of multiple devices within a community. That drop-down box provides an easy way for a person to quickly switch which device is being looked at. By placing devices in a community, a person can affect which devices will show up in that drop down list.

This icon allows a person to see what devices are in a “community”, and to make adjustments.

A community in CCP can handle up to ten devices. (For larger networks, a person can use multiple communities. Cisco's intent is probably that people handling much larger networks will use Cisco Security Manager (“CSM”) instead, since Cisco sells that software.)

CCP requires that the user adds a device to a community before CCP will let a user interact with the device. When doing so, there may be an option to connect securely (which will use HTTPS and/or SSH) or insecurely (which will use HTTP and/or Telnet).

When entering details (like an IP address and login information), there is a “down arrow” that allows a person to select secure communications. The screen also allows a person to specify custom TCP port numbers.

On the screen that allows a person to add devices (by filling in IP address and login information), there is a checkbox for discovering devices automatically. The term “discover” refers to being able to obtain the device's configuration. Therefore, a device needs to be discovered in order for CCP to be able to work with the device.

Make sure that CLI Preview is enabled.

Make sure that CCP is using encryption, by checking that the lock icon in the lower-right (on the status bar) is locked, unless unencrypted traffic is intentional. Encrypted management traffic is preferred because the session carries the device's login credentials and its entire configuration; with HTTP or Telnet, anyone on the path between the PC and the device can read (or alter) them, and the cost of using HTTPS/SSH instead is low.

If desired, implement role-based access control (RBAC) within CCP, which limits a user to certain options within CCP. Doing that is beyond the scope of material covering Cisco's “CCNA Security” certification, and possibly beyond what a typical introduction to CCP covers. In practice, though, if this option is wanted then doing it early makes more sense than trying to remember to do it later.

One of the first things to do is to check that the device has been discovered.

If the default user account (which is named “cisco”) still exists, make sure it is not using the default password (which is “cisco”, matching the username).
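As an added example (not from this page, and not Cisco's code), here is a small Python audit that reads an IOS running-config as text and flags the weak settings covered by the “Requirements” section above (the HTTP(S) server and authentication commands) and by these first actions (encrypted management only, default “cisco” account). The two configurations inside it are constructed for the example; the ACL number 10 and the 10.0.0.0/24 management subnet are assumptions.

```python
"""Added example (not from the page or from Cisco): audit an IOS
running-config for the CCP management settings discussed above.

It checks the HTTP(S) server and authentication commands from the
"Requirements" section and the encryption / default-account advice from
"First actions". Both sample configs below are constructed for the example."""
import re
from typing import List

# Constructed sample: the page's minimal setup, but with the plaintext HTTP
# server still on, Telnet still allowed on the vty lines, and the factory
# default "cisco" account still present with its default password.
WEAK_CONFIG = """\
hostname R1
username cisco privilege 15 secret 0 cisco
username deviceop privilege 15 secret 0 myPlainTextPassword
ip http server
ip http authentication local
ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same router after hardening. Only HTTPS and SSH
# are accepted, and only from the management subnet (ACL 10 is an assumption).
HARDENED_CONFIG = """\
hostname R1
access-list 10 permit 10.0.0.0 0.0.0.255
username deviceop privilege 15 secret 0 myPlainTextPassword
no ip http server
ip http authentication local
ip http secure-server
ip http access-class 10
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Matches a username line whose credential is given in clear text (type 0).
# A saved running-config stores "secret" as a hash, which cannot be compared
# as a string; for those lines only the username check below applies.
USER_RE = re.compile(r"^username (\S+)(?: privilege \d+)? (?:password|secret) 0 (\S+)$")


def audit_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    # --- HTTP(S) server: the commands from the "Requirements" section ---
    if "ip http server" in lines:
        findings.append("plaintext HTTP management enabled (ip http server)")
    if "ip http secure-server" not in lines:
        findings.append("HTTPS management not enabled (ip http secure-server)")
    auth = [ln for ln in lines if ln.startswith("ip http authentication ")]
    if not auth:
        findings.append("ip http authentication not set (falls back to the enable password)")
    elif auth[-1] != "ip http authentication local":
        findings.append("HTTP authentication is not local: " + auth[-1])
    if not any(ln.startswith("ip http access-class ") for ln in lines):
        findings.append("no ip http access-class: management UI reachable from any source")

    # --- Accounts: the "cisco"/"cisco" default from "First actions" ---
    for ln in lines:
        if ln.startswith("username cisco "):
            findings.append("default user 'cisco' still exists; verify its password is not 'cisco'")
        m = USER_RE.match(ln)
        if m and m.group(1) == m.group(2):
            findings.append(f"user '{m.group(1)}' has a password equal to its username")

    # --- vty lines: Telnet means CCP's "insecure" option would be clear text ---
    in_vty = False
    for ln in lines:
        if ln.startswith("line vty"):
            in_vty = True
        elif not ln.startswith(" "):
            in_vty = False  # left the line-configuration block
        elif in_vty and ln.strip().startswith("transport input") and "telnet" in ln:
            findings.append("Telnet accepted on vty lines: " + ln.strip())
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_config(cfg) or ['no findings']}")
```

Run it directly to see both sample configs scored, or pass the text of “show running-config” from a real device to audit_config(). Because a saved config stores secrets hashed, the password-equals-username check only catches clear-text (type 0) lines; on a real device the default account is flagged by name, and whether its password is still “cisco” has to be verified by logging in.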

Available elements

In addition to the main buttons near the upper-left corner, there are some other items to be aware of.

Menu

One of the best things to do, early on, is to enable the CLI preview. Then, after changes are selected, CCP will show the CLI commands that are used to configure the device. This can be very useful for letting someone see what CCP intends to do, and may be useful for letting a person notice a potential problem before CCP completes an update. Also, this preview can help people to gain familiarity with the CLI commands. So, enabling that early is recommended.

To do that, go to the Application menu and choose Options, then enable the option for previewing CLI commands before they are delivered to the device (the exact label of the checkbox depends on the CCP version).

Security level icon

In the lower-right corner, an icon will show a locked lock or an unlocked lock. If it is locked, that indicates that CCP should only be using encrypted communications with the device, using SSH and/or HTTPS. If it is unlocked, that indicates that CCP will be using unencrypted communication protocols, Telnet and/or HTTP, and the login credentials and configuration are exposed to anyone on the network path.

Left navigation pane

The left navigation pane shows, at the top, the name of the currently selected section of the CCP software (for example, a heading such as “Device Setup”).

Below that name will be sub-sections of the CCP software. Those are displayed in a tree structure. Choosing these sub-sections can affect what is shown in the main “Content Pane” (which takes up most of the screen).

The left navigation pane will also show names of other sections of the software. Those other sections might be listed below the currently selected section (including a section of the screen that shows options related the currently selected section). Selecting (by clicking on) the name of another section of the software may cause that section to rise to the top of the screen, and then the available options will be related to that section of the software.

Footprints

To the right of the drop-down box (and to the right of the left navigation pane, above the content pane) are “Footprints” that specify what section of the CCP software is being shown in the main “content pane”. CCP understands that decision based on choices made with the left navigation pane.

Content Pane

The contents of this pane will depend on what part of the CCP software a person has decided to work with. CCP understands that decision based on choices made with the left navigation pane. The section of CCP software can be identified by looking at the “Footprints” section above this pane.

CCP Express

Some devices may ship with CCP Express pre-installed on flash, and may be pre-configured to answer at http://10.0.0.1 on a /24 subnet. So, the computer connected to the router should use a different address in the 10.0.0.0/24 range: anything from 10.0.0.2 through 10.0.0.254. The router may also be running a DHCP server on that interface, in which case the computer can simply obtain an address automatically.

ASA Adaptive Security Device Manager (“ASDM”)

Meant for Cisco ASA devices.

Cisco Security Manager (“CSM”)

A software product that Cisco sells. This software is targeted for “enterprise level” organizations that may have dozens or hundreds of routers. This software is designed with the intent of helping to update configurations of many devices in a consistent way.

Note: The “Cisco Certified Network Associate” (“CCNA”) Routing and Switching certification expects people to learn IOS commands. To qualify for the “CCNA Security” certification, which currently requires a prerequisite certification (such as CCNA Routing and Switching), additional software, perhaps especially Cisco Configuration Professional (CCP), is something that people will be expected to learn. So, being familiar with a command line interface and also a graphical user interface (“GUI”), or even multiple GUIs, will be expected by the time people get the “CCNA Security” certification.