The following text is excerpted from CCSP Self-Study: Securing Cisco IOS Networks (SECUR), 1-58705-151-6, published in April 2004 by Cisco Press. All Rights Reserved.
Security Device Manager
SDM is an easy-to-use, browser-based device management tool that is used to configure single Cisco IOS routers. It is embedded within the Cisco IOS 800 through 3700 series routers at no additional cost. The SDM software files reside in the router’s Flash Memory alongside other router operating system files.
SDM simplifies router and security configuration through the use of several intelligent wizards to enable efficient configuration of key router VPN and Cisco IOS Firewall parameters. This capability permits administrators to quickly and easily deploy, configure, and monitor Cisco access routers.
SDM is designed for resellers and network administrators of small- to medium-sized businesses who are proficient in LAN fundamentals and basic network design, but who have little or no experience with the Cisco IOS CLI or who may not be security experts.
SDM is designed to help you secure your Cisco routers and their associated networks without having to memorize multiple CLI commands or having to be an expert in network security. For more advanced users, SDM provides several time-saving tools, such as an ACL Editor, a VPN Crypto Map Editor, and a preview of Cisco IOS CLI commands.
SDM Features
SDM contains a unique Security Audit Wizard that provides a comprehensive router security audit. SDM uses security configurations recommended by the Cisco Technical Assistance Center (TAC) and International Computer Security Association (ICSA) as its basis for comparisons and default settings.
SDM also provides:
· An Autodetect Wizard for finding misconfigurations and for proposing fixes.
· Strong security defaults and configuration entry checks.
· Router- and interface-specific defaults that reduce configuration time.
SDM wizards help to provide faster VPN and firewall deployments. SDM contains a suggested workflow (located in the lower part of the browser pages) to guide untrained users through router configuration.
A typical process flow proceeds as follows:
1. Configure LAN parameters.
2. Configure WAN parameters.
3. Configure firewall parameters.
4. Configure VPN parameters.
5. Perform a security audit.
Although SDM is designed for users with little to no CLI experience, it is just as useful to advanced users. Advanced CLI users use SDM to quickly fine-tune configurations (using the ACL Editor) or to diagnose problems (using the VPN tunnel quality monitor).
In addition to the configuration wizards already mentioned, you can use SDM to discover and configure existing LAN and WAN interfaces.
SDM contains an intuitive embedded online help system.
You should always read SDM warning messages and consider following the recommendations to repair the original condition. Warning messages usually allow you to choose either to let SDM fix the configuration conflict automatically or to fix the conflict manually yourself.
SDM User Profiles
SDM was designed with the following users in mind:
· Small office/home office (SOHO)—These SDM users usually have a working knowledge of networking and security, but no significant Cisco IOS CLI experience. SOHO users typically use the Cisco Router Web Setup (CRWS) tool for general router configuration tasks, and then use SDM for router security configuration.
· Small-to-medium business (SMB) and branch office—These SDM users typically possess basic technical system administrator level knowledge. These users may have a rudimentary knowledge of networks and security, but no significant Cisco IOS CLI experience.
· Enterprise branch office—These SDM users are typically network site administrators with a modest knowledge of the Cisco IOS CLI and basic security.
· Enterprise headquarters—These SDM users are typically very knowledgeable of the Cisco IOS CLI and are capable in both networking and security.
All of these users can benefit from SDM features.
SDM Feature Details
SDM 1.0 comes with the following main features:
Security configuration:
· SDM contains an ACL Editor to configure both standard and extended ACLs. You can add, edit, and delete an ACL and the entries within a list.
· SDM allows you to configure Network Address Translation (NAT) and Port Address Translation (PAT).
· SDM allows you to configure Context-Based Access Control (CBAC) for both simple and advanced firewalls (including firewalls with demilitarized zones [DMZs]).
· SDM contains a VPN Wizard and advanced configuration for:
- Site-to-site VPNs
- Easy VPN Phase II (remote client only)
- Generic routing encapsulation (GRE) tunneling
· SDM contains interface configuration for Ethernet, T1/E1 (serial only), and DSL (Point-to-Point Protocol over Ethernet [PPPoE]) router interfaces.
· SDM contains system configuration tools for Dynamic Host Configuration Protocol (DHCP), Telnet setup, and passwords.
· SDM allows you to enable static or dynamic routing for Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Enhanced Interior Gateway Routing Protocol (EIGRP).
· SDM contains several help options, including online help, “how to?” help, and tooltips.
· SDM includes a security audit tool for defining “at risk” problems and for suggesting how to lock down the router.
· SDM contains a “one-click” router lockdown feature.
· SDM contains both graphical monitoring and logging configuration.
Understanding SDM Software
This topic provides an overview of SDM software functions. This section discusses the supported Cisco IOS releases and devices. For supported systems that are not preloaded with SDM, this section explains where to obtain SDM, how to install the application, and how to verify installation on the router. This section also discusses the software requirements for interacting with SDM from a management workstation and talks about the communication protocols used.
Supported Cisco IOS Releases and Devices
SDM 1.0 supports Cisco routers and their associated Cisco IOS software versions, as shown in this table:
SDM Supported Platforms / Supported Cisco IOS Versions
831, 836, and 837:
· 12.2(13)ZH or later
1710, 1721, 1751, and 1760:
· 12.2(13)ZH or later
· 12.2(13)T3 or later
· 12.3(1)M or later
1711 and 1712:
· 12.2(15)ZL or later
2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM, and 2691:
· 12.2(11)T6 or later
· 12.3(1)M or later
· 12.2(15)ZJ
3620, 3640, 3640A, 3661, and 3662:
· 12.2(11)T6 or later
· 12.3(1)M or later
3725 and 3745:
· 12.2(11)T6 or later
· 12.3(1)M or later
Note: For the 1710, 1721, 1751, and 1760 series of routers, release 12.2(11)T6 is not supported because of a missing Cisco IOS CLI command that is required for SDM to operate correctly.
Always consult the latest documentation on Cisco.com for information on SDM device and Cisco IOS software version support.
Obtaining SDM
SDM comes preinstalled on all Cisco 1700, 2600XM, 3600, and 3700 routers that were manufactured in June 2003 or later and were purchased with the VPN bundle.
SDM is also available as a separate option on all supported routers with Cisco IOS software security features manufactured in June 2003 or later.
If you have a router that does not have SDM installed and you would like to use SDM on that router, you must download SDM from Cisco.com and install it on your router.
Installing SDM on Existing Routers
If you choose to install SDM on an existing (SDM-supported) Cisco router, you must obtain the sdm-vXX.zip file from Cisco.com and copy its unzipped contents to your router’s Flash Memory file system.
When you install SDM on an existing router, use the “Downloading and Installing Cisco Security Device Manager (SDM)” document.
Follow the procedure for your specific router to download the SDM files. SDM contains two procedures for accomplishing this, depending on the type of Cisco router you have:
· Cisco 1700, 2600, 3600, or 3700 series router procedure.
· Cisco 831, 836, or 837 router-specific procedures. This procedure is slightly different because these routers use the CRWS tool as the default device manager. Reference the “Switching Between Cisco Security Device Manager (SDM) and Cisco Router Web Setup Tool (CRWS) on Cisco 83x Series Routers” document for more detailed information.
Once you download the SDM files, there are two processes to replace the router configuration in Flash Memory:
You can retain your existing configuration file and configure the router as an HTTP/HTTP Secure (HTTPS) server using local authentication. Configure a local user with a privilege level of 15. Configure vty connections to use local login with a privilege level of 15. An optional but recommended step is to turn on local logging.
If you use your existing configuration file, SDM will not display the Startup Wizard the first time you run SDM. It is assumed that you have already done basic network configuration.
If the router does not contain a preexisting configuration and you want to start from a fresh (SDM-provided) default configuration file, you can copy one of the default configuration files included in the zipped bundle that you downloaded from Cisco.com. The packaged files contain a default configuration file for each type of supported router.
If you use the SDM default configuration file, SDM will display the Startup Wizard, letting you enter basic network configuration information, the first time you run SDM.
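The local-authentication preparation that the first process above describes, written out as an added Cisco IOS configuration example. It is not taken from the book or from the SDM package; the user name ADMIN-USER, the password ADMIN-PASS, and the logging buffer size are placeholders, and the ip http secure-server command assumes a Cisco IOS release that includes the HTTPS server (the releases the book lists as using HTTPS with SDM).

```cisco
! Added example: prepare an existing router so that SDM can reach it
! over HTTP/HTTPS with local authentication. ADMIN-USER and
! ADMIN-PASS are hypothetical placeholders; choose your own values.
!
! Enable the HTTP server and, on releases that ship the HTTPS server,
! the secure transport SDM prefers
ip http server
ip http secure-server
! Authenticate HTTP/HTTPS sessions against the local user database
ip http authentication local
!
! Local user at privilege level 15 for SDM to log in with
username ADMIN-USER privilege 15 secret ADMIN-PASS
!
! vty lines authenticate locally and place the user at privilege 15
line vty 0 4
 login local
 privilege level 15
 transport input telnet ssh
!
! Optional but recommended: keep a local log buffer (size in bytes)
logging on
logging buffered 51200
```

Because SDM authenticates through the router's HTTP/HTTPS server and through the vty lines, both must accept the same privilege-15 local account; a user that exists only on the vty lines, or a router with ip http authentication left at its default, will not let SDM log in even though CLI access works.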
Note: SDM requires approximately 2.3 MB of free router Flash Memory.
Displaying Router Flash Memory
If you are not sure if SDM is loaded into Flash Memory or need to know how much Flash Memory is available, use the show flash CLI command.
SDM contains several show commands. The show flash command is executed and displays the same information as the CLI command but in a GUI window.
SDM Software Requirements
SDM uses an industry-standard Java client application to minimize the impact of the SDM application on router performance.
You access SDM by executing an HTML file in the router, which then loads the SDM Java file. Always use a supported browser to launch SDM from a PC. SDM currently supports the following browsers:
· Netscape Navigator version 4.79 or later.
· Microsoft Internet Explorer version 5.5 or later.
Note: Java and JavaScript must be enabled on the selected browser. The supported browsers contain Java plug-ins with Java Virtual Machine (JVM). SDM also supports Java Runtime Engine (JRE) versions 1.3.1 or later.
The SDM client is compatible with the Microsoft Windows operating system, including Windows 98, NT 4.0 (SP4), 2000, XP, and Me.
SDM Router Communications
SDM communicates with the router when accessing the SDM application for download to the PC, when reading and writing the router configuration, and when checking router status.
SDM uses different communications methods based on the Cisco IOS software version of the target routers:
· For Cisco IOS Software Releases 12.3M or later and 12.2(13)ZH or later, SDM uses a secure HTTP transport method (HTTPS). For earlier Cisco IOS versions, SDM uses HTTP as the transport method. In both cases, SDM relies on Telnet access for communication to the routers.
Note: Because SDM can deny certain types of traffic and lock down router access, it is very important for you to know how SDM communicates with your router. If you lock the router down too tightly, you may not be able to use SDM to administer the router.
· For Cisco IOS Software Releases 12.2(11)T, 12.2(13)T, and 12.2(15)T, SDM uses Secure Shell (SSH) and Telnet:
- When configuration changes are made in SDM, Cisco IOS commands are transferred to the router’s Flash Memory as a temporary file using RCP.
- The temporary file is copied to the router’s running configuration and then is deleted.
- SDM uses a “squeeze” process to reclaim router Flash Memory. You use the squeeze function in two instances:
  - Whenever you are removing an older SDM version and adding a newer one
  - Whenever SDM prompts you to perform a “squeeze”
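A lockdown that keeps the management paths SDM itself depends on (HTTP/HTTPS for the application and configuration, Telnet/SSH for the CLI-side transfers listed above), written as an added Cisco IOS example; it is not from the book. It assumes that management hosts live on 10.10.10.0/24 (a constructed choice, matching the address the book uses for first-time access) and that the HTTP/HTTPS server and vty lines are already configured for local authentication.

```cisco
! Added example: restrict management-plane access to the
! administrative subnet without cutting off the paths SDM uses.
! 10.10.10.0/24 is an assumed management subnet.
!
! Standard ACL naming the hosts allowed to manage the router
access-list 10 remark SDM-MANAGEMENT-HOSTS
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 deny any log
!
! Apply the ACL to the HTTP/HTTPS server that serves SDM ...
ip http access-class 10
!
! ... and to the vty lines, so Telnet and SSH get the same restriction
line vty 0 4
 access-class 10 in
 transport input telnet ssh
```

The two access-class statements are the point of the note above: a lockdown that removes the HTTP server outright (no ip http server), or that restricts the vty lines to a subnet the SDM workstation is not on, leaves the router reachable only from the console. Applying one ACL to both services keeps the restriction consistent, and the deny entry logs any blocked management attempt for the local log buffer.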
Using the SDM Startup Wizard
SDM is a tool for configuring, managing, and monitoring a single Cisco access router.
Each Cisco access router is accessible by its own copy of SDM, which is located in the router’s Flash Memory.
A common scenario that SDM supports is to have one user monitoring the router while another user is simultaneously using SDM to modify the configuration of the router. It is not recommended that multiple users use SDM to modify the configuration at the same time. Although SDM will permit this scenario, it does not assure consistent or predictable results.
Users now have the flexibility to configure the router with both SDM and the CLI. Because the SDM user interface does not support all the Cisco IOS software functionality (for example, QoS), you can augment the SDM-generated configuration with some CLI commands.
For unsupported interfaces, such as ISDN interfaces, SDM automatically detects whether the interfaces support security features, such as firewalls, crypto maps, and NAT. If the security features are supported, users can use SDM to configure the security features to the unsupported interfaces. However, the user still needs to configure the unsupported interface parameters directly through the CLI.
First-Time SDM Access
Use the following process when you access SDM for the first time. This procedure assumes that either an out-of-box router with SDM was installed or a default SDM configuration was loaded into Flash Memory.
1. Connect a PC to the router’s lowest-numbered LAN Ethernet port using a crossover cable.
2. Assign a static IP address to the PC. Cisco recommends using 10.10.10.2 with a 255.255.255.0 subnet mask.
3. Launch a supported browser.
4. Enter the URL https://10.10.10.1/flash/sdm.shtml. You will be prompted to log in.
5. Log in using the default user account:
Username: sdm
Password: sdm
The SDM Startup Wizard opens, requiring you to enter a basic network configuration.
Note: The Startup Wizard information needs to be entered only once and will appear only when a default configuration is detected.
6. Click Next. The Basic Configuration window opens.
Basic Configuration and Changing Default Username and Password
On the Basic Configuration window, you should enter the router Host Name and Domain Name. These fields are optional, but it is recommended that you change the defaults.
(Optional) Enter the router host name in the Host Name field.
(Optional) Enter the router domain name in the Domain Name field.
1. The user must enter a new enable secret password with a minimum length of six characters. SDM will not allow you to proceed until a valid password is entered and reentered.