Sunday, February 10, 2008

Cisco SDM (Security Device Manager)

What is SDM?
SDM is an acronym for Security Device Manager. Cisco originally created it as a short, wizard-driven way to lock down a Cisco device without requiring full security knowledge. Features such as monitoring and traffic views were added later, but the product is still called SDM.

It is a web-based, Java-based application that works on all mainline Cisco routers.
"Mainline" means the mainstream routers usually deployed by organizations, such as the 2800, 2600, 3600, 1800 and 800 series. The non-mainline ones are the high-end series used by service providers; at that level administrators usually do not need a GUI and prefer the console, as is also the case on old routers. SDM is designed to allow IOS configuration without extensive knowledge of the command line.

How to get SDM?

SDM typically ships on the flash of every Cisco router bought from Cisco or a Cisco reseller, so pointing your browser at the router automatically opens SDM. If it does not come up, you can download SDM separately, free of charge.

SDM can be installed on your PC, on the router's flash, or on both.
If SDM is installed ONLY on the router's flash, you can still open it from a PC that does not have SDM: the PC downloads SDM from the router and runs it from there. The disadvantage is that anything served from the router's flash is slow and takes longer to load, so it is not as smooth as a local install.
If SDM is installed ONLY on the PC and not on the router's flash, you run the program locally on the PC. You can then point it at the IP address of any router you want to manage without installing SDM on that router, which is a very convenient option.

How to configure a Cisco router to support SDM?
  1. Configure a domain name
  2. Generate encryption keys (used by SSH and HTTPS)
  3. Turn on the HTTP/HTTPS servers and telnet/SSH on the router
  4. Create a privilege level 15 user account
  5. Enable telnet/SSH
  6. Configure the vty lines and HTTP access for privilege level 15 and the local user database
  7. Install Java on your PC and access the router with a web browser (if SDM is installed on the router) or open the Cisco SDM software (if SDM is installed on the PC)
In order to generate the cryptographic (encryption) keys, a domain name must be configured first:
R1(config)#ip domain-name [domain name]
Generate the RSA key pair. RSA keys are used to secure SSH and HTTPS; in this example a 1024-bit key is generated:
R1(config)#crypto key generate rsa general-keys
... How many bits in the modulus [512]: 1024
% Generating 1024 ...
Turn on the HTTP (80)/HTTPS (443) servers and telnet/SSH for the router. Use SDM over HTTPS: plain HTTP sends the level 15 credentials and the configuration in cleartext.
R1(config)#ip http server
R1(config)#ip http secure-server
Create a privilege level 15 user account, the highest level (also called enable mode). Prefer secret over password: secret stores a hash, while password stores a reversible value.
R1(config)#username [name] privilege 15 [password | secret] [string]
Enable telnet/SSH and configure the vty lines for privilege level 15 and the local user database:
R1(config)#line vty 0 4
R1(config-line)#privilege level 15
R1(config-line)#login local
R1(config-line)#transport input [all | none | telnet | ssh]
Choosing ssh here is the secure option; telnet carries the login in cleartext.
(Optional) Enable local logging to support the log monitoring function:

R1(config)#logging buffered 51200 warning
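As an added check (example code, not from this post or from Cisco), the following Python script parses a constructed running-config excerpt and verifies the SDM prerequisites listed above, also flagging the two settings a reviewer would want changed: password instead of secret on the level 15 account, and transport input all on the vty lines. It assumes ip http authentication local as the command behind step 6; the config text and account name are constructed.

```python
import re

# Constructed running-config excerpt (not from a real device): it follows the
# post's steps but keeps telnet open and uses 'password', so there is something to flag.
SAMPLE_CONFIG = """\
ip domain-name lab.example
username admin privilege 15 password 0 cisco123
ip http server
ip http secure-server
ip http authentication local
line vty 0 4
 privilege level 15
 login local
 transport input all
"""

def parse_config(config):
    """Split a config into global commands and the commands under 'line vty'."""
    global_cmds, vty_cmds = [], []
    in_vty = False
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):      # top-level command
            in_vty = line.startswith("line vty")
            global_cmds.append(line)
        elif in_vty:                      # indented command under 'line vty'
            vty_cmds.append(line.strip())
    return global_cmds, vty_cmds

def check_sdm_prereqs(config):
    """Return {check: (passed, note)} for the SDM prerequisites in the post."""
    g, vty = parse_config(config)

    def has(cmds, pattern):
        return any(re.fullmatch(pattern, c) for c in cmds)

    priv15_users = [c for c in g if re.match(r"username \S+ privilege 15 ", c)]
    return {
        "domain_name": (has(g, r"ip domain-name \S+"), "required before crypto key generate rsa"),
        "https_server": (has(g, r"ip http secure-server"), "run SDM over HTTPS, not plain HTTP"),
        "http_auth_local": (has(g, r"ip http authentication local"), "web login uses the local user database"),
        "priv15_user": (bool(priv15_users), "SDM needs a privilege 15 account"),
        "user_uses_secret": (bool(priv15_users) and all(" secret " in u for u in priv15_users), "'password' is reversible; use 'secret'"),
        "vty_priv15": (has(vty, r"privilege level 15"), "vty sessions land at level 15"),
        "vty_login_local": (has(vty, r"login local"), "vty authenticates against the local user database"),
        "vty_ssh_only": (has(vty, r"transport input ssh"), "'transport input all' leaves cleartext telnet open"),
    }
```

Running check_sdm_prereqs(SAMPLE_CONFIG) passes every prerequisite except user_uses_secret and vty_ssh_only, which is exactly what the sample was written to expose.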

Open up the SDM

Access the router with a web browser (if SDM is installed on the router), or open the Cisco SDM software (if SDM is installed on the PC) by navigating to:
Start Menu>All Programs>Cisco Systems>Cisco SDM> Cisco SDM

The SDM launcher appears.

A window asking for the level 15 user credentials appears.

While loading, a second authentication window appears; this one comes from the Java application.

The SDM main window looks like the image below.

One useful feature is the command preview, enabled from Edit Menu>Preferences.

After enabling the command preview, a preview window pops up whenever a configuration change is made, showing the IOS commands SDM is about to send to the router, as below.

1 comment:

Anonymous said...

Great story you got here. It would be great to read more concerning this matter. The only thing I would like to see on that blog is a few pictures of any devices.
Kate Flouee