IINS 210-260

Security Functions in Cisco Configuration Professional

In my opinion, the best thing about Cisco Configuration Professional is that there is no more SDM that we have to use to manage individual devices; plus, SDM had lots of issues that we don't have time for here. Several features are available in CCP from Home, which displays the Community View page summarizing information about our community, that is, the devices we're going to manage. We can add, edit, and discover devices and view the discovery and router status of each device.

Cisco Configuration Professional Navigation

We can click on Configure to display the configuration features of a particular device. The features are then displayed in the left navigation pane. If a feature (for example a router, security, or voice feature) isn't supported on a device, it is not displayed in the navigation pane.

Use Monitor to display the router and security features that you can monitor for a particular device and managed community. Click that icon to open the Manage Community dialog box, where you can add a new community or edit an existing community.

There is a Refresh button that will rediscover, and a row of menus across the top that shows Application services, Manage community, Set up new device, Create user profile, and Import user profile. There are also Options, Template, Work Offline, and Exit. The main parts of the interface are the menu bar, the toolbar, the left navigation pane, the content pane, and the status bar.

Interface and SRE module management

In this menu we can configure Interface and SRE Module Management. LAN, WAN, and Wireless LAN interfaces are supported, as well as Cellular WAN 3G. There is Power Management with EnergyWise, analog trunks, and digital trunks. As far as module configuration goes, we have support for SRE management, application install or uninstall, and application image upgrade.

Routing

Here we can see we're in the Router area, and in the Router area, we can configure hostname, username, and password.

Cisco Configuration Professional Router Menu

We can set up DHCP, DNS, and NAT. We can also configure static routing or dynamic routing with RIP, OSPF, and EIGRP. We also have advanced functionality with quality of service and Cisco Performance Routing (PfR).

Security

Here we are in the Security area, which is obviously one of the main reasons why we're looking at the Cisco Configuration Professional. Of course, we've got device hardening, a One-Step Lockdown feature along with Security Audit Wizards. You've got VPN options for IPsec and SSL site-to-site as well as remote access. We have Zone-Based Firewall Wizards, you can also do the classic Cisco IOS firewall if you want backward compatibility. There is Cisco IOS Intrusion Prevention System or IPS Wizards, and overall security management options, AAA services – authentication, authorization, and accounting, management access, logging and more.

CCP Security Menu

The Security Audit feature will examine your router configuration and then make updates to keep your router and network more secure. The Audit feature is based on the IOS AutoSecure feature. It performs checks and provides assistance in the configuration of almost all the AutoSecure functions. Security Audit operates in two modes. The first is the Security Audit Wizard, which allows you to choose which potential security configuration changes you want to make. The second mode is One-Step Lockdown, which makes all the recommended best-practice security-related configuration changes in one fell swoop.

CCP Security Audit and One-step lockdown
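The two modes described above can be sketched as an added example that is not part of the original page and is not CCP's own code. The check list is an assumed, illustrative subset of AutoSecure-style hardening items, and the sample configuration is constructed; defaults differ between IOS releases, so only explicit global lines are evaluated.

```python
# Added example: AutoSecure-style audit of explicit global config lines.
# Assumption: REQUIRED/FORBIDDEN are a small illustrative subset of
# hardening items, not the list CCP actually evaluates.
REQUIRED = [
    "service password-encryption",
    "service tcp-keepalives-in",
    "no ip source-route",
    "no ip bootp server",
    "no service pad",
]
FORBIDDEN = [
    "ip http server",
    "ip finger",
    "service tcp-small-servers",
    "service udp-small-servers",
]

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
no service pad
ip http server
service tcp-small-servers
no ip source-route
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

def audit(config):
    """Return a list of (issue, fix_command) for global config lines."""
    # Global commands start in column 0; indented lines belong to sub-modes.
    lines = {l.rstrip() for l in config.splitlines() if l and not l.startswith(" ")}
    findings = [(f"missing: {r}", r) for r in REQUIRED if r not in lines]
    findings += [(f"present: {f}", f"no {f}") for f in FORBIDDEN if f in lines]
    return findings

def remediation(findings, selected=None):
    """selected=None returns every fix (One-Step Lockdown style);
    a set of issue strings returns only those fixes (wizard style)."""
    return [fix for issue, fix in findings if selected is None or issue in selected]

if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    for issue, fix in found:
        print(f"{issue:38} -> {fix}")
    print(remediation(found, selected={"present: ip http server"}))
```

Reviewing the wizard-style selection before applying it is the point of the first mode: a blanket lockdown can remove a service that a management tool still depends on.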

The Firewall option has two smart wizards. It has the Basic Firewall, which uses default rules, and the Advanced Firewall, which leads you through the steps of configuring a DMZ, for example, and specifying an inspection rule.

Cisco Configuration Professional provides preconfigured application and security policies that you can use to protect your environment. By using the slider bar, you can choose the security level that you want – kind of like in Internet Explorer, for example. You can also view the description of the security it provides. A wizard summary screen will show the policy name and configuration statements in the policy. There are also editing tools that are available to help you maintain your firewall ruleset with some quick edit options and a graphical view of the ruleset. You can also view the details of the policy by clicking the Application Security tab and selecting the name of the policy. Application and inspection rules are available for Deep Packet Inspection, otherwise known as Application Inspection and Control.

The Intrusion Prevention System option is basically IOS IPS, and Configuration Professional lets you use a wizard-based approach to configure it. It simplifies the initialization, update, and management of IPS signatures. It also includes intuitive options for tuning your signatures to improve the accuracy and sensitivity of your IPS, which will help to improve the chances of managing false positives and false negatives. The IPS also has a Security Dashboard, which shows threat information in the form of top threats in a table and also allows you to visualize the events and incidents generated by the IOS IPS.

You can also use the CCP to do comprehensive configuration of your virtual private networking. You have a wizard-like VPN Design Guide that helps you figure out which kind of VPN you should use: site-to-site, remote access, either SSL or IPsec using Easy VPN, and VTI (Virtual Tunnel Interfaces), as well as dynamic multipoint VPN (DMVPN) and GET VPN (Group Encrypted Transport). There are lots of options. The VPN Guide will recommend a VPN type and then let you launch the wizard to configure that type of VPN. To make configuration easier, the CCP offers a VPN option to generate a text file that captures the VPN configuration of your local router. You can then use that text file to configure remote routers by changing just a few variables and establish a VPN connection very easily and effectively.
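The idea of reusing the local router's VPN configuration for the remote peer, as an added example that is not from the original page and does not reproduce CCP's file format. The sample configuration, addresses, map name and placeholder key are constructed, and the ACL handling assumes network/wildcard pairs only (no `host` or `any` keywords).

```python
import re

# Constructed sample of a local router's site-to-site settings
# (documentation addresses, placeholder key); not output captured from CCP.
LOCAL_CONFIG = """\
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 110
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""

ACL_RE = re.compile(r"(access-list \d+ permit ip) (\S+ \S+) (\S+ \S+)$")

def mirror(config, local_ip, remote_ip):
    """Return the config for the remote peer: its peer address points back
    at the local router and crypto ACL source/destination are reversed."""
    out = []
    for line in config.splitlines():
        # The remote side must name the local router as its peer.
        line = re.sub(r"\b%s\b" % re.escape(remote_ip), local_ip, line)
        # Interesting-traffic ACLs must be exact reverses of each other.
        m = ACL_RE.match(line)
        if m:
            line = f"{m.group(1)} {m.group(3)} {m.group(2)}"
        out.append(line)
    return "\n".join(out) + "\n"

def acl_mismatches(local_cfg, remote_cfg):
    """Return local crypto ACL entries with no reversed twin on the remote."""
    def entries(cfg):
        return {(m.group(2), m.group(3))
                for l in cfg.splitlines() if (m := ACL_RE.match(l))}
    remote = entries(remote_cfg)
    return sorted(f"{s} -> {d}" for s, d in entries(local_cfg)
                  if (d, s) not in remote)

if __name__ == "__main__":
    remote_cfg = mirror(LOCAL_CONFIG, "203.0.113.1", "203.0.113.2")
    print(remote_cfg)
    print("mismatches:", acl_mismatches(LOCAL_CONFIG, remote_cfg))
```

Running `acl_mismatches` against the configuration actually deployed on the far end is a quick check when a tunnel fails to come up, since crypto ACLs that are not mirror images of each other prevent the peers from agreeing on protected traffic.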

Configuration Professional also has an excellent selection of monitoring and troubleshooting options in the Monitor area. You have convenient troubleshooting tools, including connectivity tools and the ability to generate real traffic, and it provides visual clues as to potential problems or connectivity issues.