5-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Understanding Policies
For example, the firewall policy domain contains policies for access rules, inspection rules, and
transparent rules, among others. The site-to-site VPN policy domain contains policies for IKE proposals,
IPsec proposals, and preshared keys, among others. Service policies can be applied to any kind of device,
regardless of platform, although there may be some variation in policy definition depending on the
device type.
Platform-specific policy domains contain policies that configure features that are specific to the selected
platform. Not all platform-specific policies are directly related to security. For example, the Router
policy domain contains routing policies, identity policies (Network Admission Control and 802.1x),
policies related to device administration (DHCP, SNMP, device access), and other policies such as QoS
and NAT.
For routers and firewalls (ASA, PIX, FWSM), you can choose which platform-specific policies to
manage. For more information, see Customizing Policy Management for Routers and Firewall Devices,
page 5-10.
Local Policies vs. Shared Policies
The policies that you configure on devices can either be local or shared. Local policies refer to policies
that are defined for a single device. Any changes that you make to a local policy affect only that device.
Local policies are well-suited to smaller networks and to devices requiring nonstandard configurations.
For example, you might configure a local policy on a router that requires a different OSPF routing policy
than the one used by the other routers in your network. For more information about the actions you can
perform on local policies, see Performing Basic Policy Management, page 5-29.
As your network grows, maintaining local policies on each device greatly increases the effort required
to manage these policies in a comprehensive and efficient manner. To meet this challenge, Security
Manager features policy sharing. With policy sharing, you can create a single policy and assign it to
multiple devices. For more information, see Sharing a Local Policy, page 5-38.
Figure 5-1 Local vs. Shared Policies
For example, if you want all the Cisco IOS routers in your network to implement the same Network
Admission Control (NAC) policy, you need only define a single NAC policy and share it. You can then
assign the shared policy to all the routers in your network with a single action. For more information,
see Modifying Shared Policy Assignments in Device View or the Site-to-Site VPN Manager, page 5-46.
[Figure 5-1 (image not reproduced): two panels labeled "Local Policy" and "Shared Policy". The Local Policy panel shows separate policies (Policy 1, Policy 2, Policy 3), one per device; the Shared Policy panel shows a single "Shared policy 1" assigned to multiple devices.]