Which of the following statements are true regarding policies in Cisco Security Manager? (Select 2 choices.)
- Rule-based policies can contain hundreds of rules containing values for the same set of parameters.
- Settings-based policies can define only one set of parameters for each settings-based policy defined on a device.
- Local policies are well-suited to smaller networks and to devices requiring standard configurations.
- Any changes that you make to a shared policy are not automatically applied to all the devices to which it is assigned.
- The Default section of a shared policy contains rules that cannot be overridden by local rules.
In Cisco Security Manager (CSM), rule-based policies can contain hundreds of rules containing values for the same set of parameters and settings-based policies can define only one set of parameters for each settings-based policy defined on a device.
CSM is a graphics-based management application that can be used to configure a wide variety of Cisco devices, such as routers, switches, firewall appliances, Intrusion Prevention System (IPS) appliances, and Catalyst service modules. One of the advantages of CSM is its ability to centralize the administration of security policies across a large number of Cisco devices.
CSM categorizes policies into two general types: rule-based policies and settings-based policies. Rule-based policies, such as access control lists (ACLs) and inspection rules, are stored in a tabular fashion and can contain many different values for the same set of parameters. These policies are processed in order and the first matching table entry will be applied, even if there are other matching table entries farther down the table. Because of the nature in which rule-based policies are processed, they can contain hundreds of rules with values for the same set of parameters. By contrast, settings-based policies can define only a single set of parameters for each settings-based policy defined on a device. Settings-based policies, such as Quality of Service (QoS) policies and IP Security (IPSec) policies, contain a set of parameters that, as a whole, define a particular hardware or security configuration feature.
CSM policies can be either local or shared. A local policy is specific to a particular device, and any changes affect only its associated device. By contrast, a shared policy is applicable to a group of devices and any changes are automatically applied to all of its associated devices. Because local policies are specific to individual devices, it can become cumbersome to manage the policies in a network with a large number of devices; therefore, local policies are better suited to smaller networks and shared policies are better suited to larger networks.
Shared policies use an inheritance hierarchy to determine which policy rules are implemented on a particular device. There are two kinds of shared policy rules: mandatory and default. Mandatory rules cannot be overridden by either child policy rules or local rules. By contrast, default rules can be overridden by both child policy rules and local rules. Inheritance enables you to nest multiple shared rules and ensure that certain policies cannot be overridden while still maintaining the flexibility to override some default settings.
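
The first-match processing of rule-based policies and the mandatory/default inheritance described above can be modeled in a few lines. This is an added example, not CSM code: the rule names, addresses, and the `Rule`, `effective_rules` and `first_match` helpers are constructed for illustration, and the table ordering (mandatory sections, then local rules, then default sections) is the assumption this model uses to express "cannot be overridden" versus "can be overridden".

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    name: str
    src: str              # source network in CIDR form
    port: Optional[int]   # None matches any destination port
    action: str           # "permit" or "deny"


def effective_rules(shared_chain, local_rules):
    """Flatten an inheritance chain (ordered parent -> child) plus local rules.

    Model assumption: mandatory sections come first (parent before child),
    local rules sit in the middle, default sections come last (child before
    parent). With first-match evaluation, that ordering is what makes
    mandatory rules win and default rules overridable.
    """
    table = []
    for policy in shared_chain:
        table += policy["mandatory"]
    table += local_rules
    for policy in reversed(shared_chain):
        table += policy["default"]
    return table


def first_match(table, src_ip, port):
    """Return the first rule matching the packet; later matches are ignored."""
    for rule in table:
        if ip_address(src_ip) in ip_network(rule.src) and rule.port in (None, port):
            return rule
    return None


# Constructed sample policies (hypothetical names and addresses).
PARENT = {"mandatory": [Rule("corp-block-telnet", "0.0.0.0/0", 23, "deny")],
          "default": [Rule("corp-deny-all", "0.0.0.0/0", None, "deny")]}
CHILD = {"mandatory": [],
         "default": [Rule("branch-permit-https", "10.0.0.0/8", 443, "permit")]}
LOCAL = [Rule("local-permit-telnet", "10.1.1.0/24", 23, "permit"),
         Rule("local-permit-ssh", "10.1.1.0/24", 22, "permit")]
TABLE = effective_rules([PARENT, CHILD], LOCAL)

if __name__ == "__main__":
    for src, port in [("10.1.1.5", 23), ("10.1.1.5", 22), ("192.0.2.1", 80)]:
        hit = first_match(TABLE, src, port)
        print(f"{src}:{port} -> {hit.name} ({hit.action})")
```

The local `local-permit-telnet` rule never takes effect because the parent's mandatory deny matches first, while `local-permit-ssh` does override the parent's default deny-all.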