Meet escalating security and performance requirements with the new algorithms and protocols for encryption, authentication, digital signatures, and key exchange in Cisco Next-Generation Encryption (NGE).
Many of the algorithms that are currently in extensive use cannot effectively scale to meet today's changing security and performance needs. For example:
- RSA signatures and Diffie-Hellman (DH) key exchange become increasingly inefficient as security levels rise.
- Cipher Block Chaining (CBC) encryption performs poorly at high data rates.
- IPsec VPNs combine numerous component algorithms, so the overall security is limited to that of the weakest component.
What you need is the complete algorithm suite in Cisco NGE. In this suite, each component provides a consistently high level of security, and can effectively scale to high throughput and large numbers of connections.
Advances in Cryptography
Cisco NGE technology offers a complete algorithm suite by using:
- Elliptic curve cryptography (ECC) to replace RSA and DH
- Galois/Counter Mode (GCM) of the Advanced Encryption Standard (AES) block cipher for high-speed authenticated encryption
- SHA-2 for hashing operations to replace MD5 and SHA-1
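The following program is an added example (not Cisco's code or part of the original page) that assembles the three NGE building blocks listed above into one session: ECC (ECDH on P-256 for key agreement, ECDSA for signing the exchanged key), SHA-256 from the SHA-2 family, and AES-256-GCM for authenticated encryption. It uses only the Go standard library. Two assumptions are labelled in the code: the shared ECDH secret is turned into an AES key by hashing it directly with SHA-256 (a simplification; IKEv2 and TLS 1.2 run a full key-derivation function), and the message, header and names are constructed sample values. The final step flips one ciphertext byte to show the property that distinguishes GCM from plain CBC: the tamper is detected and the decryption is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is the symmetric state one party holds after the ECDH exchange.
type Session struct {
	aead cipher.AEAD
}

// NewSession derives an AES-256-GCM session from our ECDH private key and the
// peer's ECDH public key. Assumption: the shared secret is hashed with SHA-256
// directly; real protocols (IKEv2, TLS 1.2) use a richer key-derivation step.
func NewSession(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (*Session, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared) // 32 bytes -> AES-256
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts and authenticates plaintext (and the unencrypted header aad)
// under a fresh random nonce; the nonce is prepended to the output.
func (s *Session) Seal(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the GCM tag before returning plaintext; any change to nonce,
// ciphertext, tag or header makes it fail instead of returning garbage.
func (s *Session) Open(msg, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(msg) < n+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:n], msg[n:], aad)
}

// SignPublicKey signs an ECDH public key with ECDSA P-256 over SHA-256, so the
// peer can authenticate the key exchange rather than trust a bare DH value.
func SignPublicKey(signer *ecdsa.PrivateKey, pub *ecdh.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(pub.Bytes())
	return ecdsa.SignASN1(rand.Reader, signer, digest[:])
}

// VerifyPublicKey is the receiving side of SignPublicKey.
func VerifyPublicKey(signer *ecdsa.PublicKey, pub *ecdh.PublicKey, sig []byte) bool {
	digest := sha256.Sum256(pub.Bytes())
	return ecdsa.VerifyASN1(signer, digest[:], sig)
}

// RoundTrip runs the full exchange between two constructed parties and returns
// the plaintext the receiver recovers plus whether a one-byte tamper was caught.
func RoundTrip(plaintext []byte) (recovered []byte, tamperDetected bool, err error) {
	curve := ecdh.P256()
	aliceKey, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	bobKey, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	// Alice's long-term ECDSA key; Bob is assumed to already trust its public half.
	aliceSigner, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	sig, err := SignPublicKey(aliceSigner, aliceKey.PublicKey())
	if err != nil {
		return nil, false, err
	}
	if !VerifyPublicKey(&aliceSigner.PublicKey, aliceKey.PublicKey(), sig) {
		return nil, false, errors.New("ECDH public key signature did not verify")
	}
	alice, err := NewSession(aliceKey, bobKey.PublicKey())
	if err != nil {
		return nil, false, err
	}
	bob, err := NewSession(bobKey, aliceKey.PublicKey())
	if err != nil {
		return nil, false, err
	}
	aad := []byte("constructed-header-v1") // authenticated but not encrypted
	msg, err := alice.Seal(plaintext, aad)
	if err != nil {
		return nil, false, err
	}
	recovered, err = bob.Open(msg, aad)
	if err != nil {
		return nil, false, err
	}
	// Flip one bit of the first ciphertext byte; GCM must reject it.
	tampered := append([]byte(nil), msg...)
	tampered[bob.aead.NonceSize()] ^= 0x01
	_, tErr := bob.Open(tampered, aad)
	return recovered, tErr != nil, nil
}

func main() {
	out, detected, err := RoundTrip([]byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered=%q tamperDetected=%v\n", out, detected)
}
```

Note the design choice in `Seal`: the nonce is random and never reused with the same key, and the header is passed as associated data so it is covered by the GCM tag without being encrypted. With CBC alone there is no tag, so the receiver would have to bolt on a separate MAC (an extra algorithm, and one more place for the weakest-component problem above) to get the same guarantee.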
The algorithms that make up NGE are the result of more than 30 years of global advances and evolution in cryptography. Each component of NGE has its own history, reflecting the diverse origins of the NGE algorithms and their longstanding academic and community review. NGE comprises globally created, globally reviewed, and publicly available algorithms.
"Suite B" Algorithms
The U.S. National Security Agency (NSA) has also identified a set of cryptographic standards for public networks. Together, these algorithms are the preferred method to help ensure the security and integrity of information passed over public networks such as the Internet. The NSA calls this set of algorithms "Suite B," and several of these algorithms are also used in NGE.
In addition, NGE algorithms are integrated into IETF, IEEE, and other international standards. As a result, NGE algorithms have been applied to the most recent and highly secure protocols for protecting user data, such as Internet Key Exchange Version 2 (IKEv2) and Transport Layer Security (TLS) Version 1.2.
Cisco Next-Generation Encryption (NGE) evolves traditional encryption technology to meet today's increasing security needs while improving scalability and efficiency. The following figure shows a list of technologies that are included in NGE.
Increase Security While Improving Scalability
Cisco is leading the market with a breadth of products, including entire architectures, that incorporate Next-Generation Encryption (NGE). Cisco NGE offers the following features and benefits:
- Uses upgraded algorithms, key sizes, protocols, and entropy to meet security requirements
- Offers a complete algorithm suite in which each component provides a consistently high level of security
- Can effectively scale to meet high throughput and large numbers of connections
- Can scale down to meet the security needs of low-power devices while being efficient in battery use
NGE is also compatible with existing security architectures including:
- Remote Access VPN
- Site-to-Site VPN
- Secure Unified Collaboration
It is also compatible with a number of government standards, including:
- U.S. Suite B
- U.S. Federal Information Processing Standards 140 Series (FIPS-140)
- Health Insurance Portability and Accountability Act (HIPAA)
The VPN Internal Service Module brings Next-Generation Encryption (NGE) technologies to IP Security (IPsec) VPNs. This module provides a security level of 128 bits or more. In addition, the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco AnyConnect Secure Mobility Solution provide NGE capabilities for remote-access security using IPsec.
- ASA products
- ASA 5585
- Nexus 7000
- Catalyst 4500
- Catalyst 3750
- Catalyst 3560
- Catalyst 6500
- ISRG2 2900
- ISRG2 800
- ISRG2 1900
- ISRG2 3900
*ISRG2, ASA, AnyConnect, and ASR support NGE in IPsec VPN
**Nexus 7k, Cat6k, 45xx and 35xxx support MACsec, which uses NGE for wire-rate authenticated encryption
These technologies are comprehensive, and the use of NGE helps a system:
- Meet security requirements
- Operate with products that use NGE to meet scalability requirements
In addition, NGE is integrated into IETF standards and meets many global government requirements for cryptography.