This data sheet provides an overview of the hardware and software security features available on Cisco® 800, 1800, 2800, and 3800 Series Integrated Services Routers.
Product Overview
Cisco Integrated Services Routers ship with the industry's most comprehensive security services, intelligently embedding data, security, voice, and wireless in the platform portfolio for fast, scalable delivery of mission-critical business applications. The Cisco 800, 1800, 2800, and 3800 Series routers are ideal for small businesses and enterprise branch offices, delivering a rich, integrated solution for connecting remote offices, mobile users, and partner extranets or service provider-managed customer premises equipment (CPE).
By combining proven Cisco IOS® Software functions and industry-leading LAN and WAN connectivity with world-class network security features, integrated router security solutions offer customers the following benefits:
• Use existing infrastructure: The solutions take full advantage of existing network infrastructure, helping enable new security features on the router through Cisco IOS Software without deploying additional hardware.
• Offer perimeter-wide security: The solutions provide the flexibility to apply security functions, such as firewall, intrusion prevention system (IPS), and VPN, anywhere in the network to maximize security benefits.
• Protect gateways: The solutions allow deployment of best-in-class security functions at all entry points into the network.
• Protect the infrastructure: The solutions protect the router, defending against attacks that are targeted directly at the network infrastructure such as distributed denial-of-service (DDoS) attacks.
• Cost-effective with both capital and operating expenses: The solutions reduce the number of devices, lowering training, manageability, power, and service contract cost.
Cisco Self-Defending Network
Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers and the Cisco 7200 Series and Cisco 7301 headend routers are integral components of the Cisco Self-Defending Network (SDN), an architectural solution designed for the evolving security landscape. Security is integrated everywhere and with the help of a lifecycle services approach, enterprises can design, implement, operate, and optimize network platforms that defend critical business processes against attack and disruption, protect privacy, and support policy and regulatory compliance controls. Using the network as the platform keeps people and IT assets safe, makes the organization more resilient and reliable, and allows maximum business effect from IT investment.
With Cisco IOS IP Security (IPSec) and Secure Sockets Layer (SSL) VPN, firewall, and IPS, as well as options for additional hardware acceleration for many of those security features, Cisco Integrated Services Routers provide a robust and adaptable security solution for the branch office.
Cisco SDN Integrated Security revolutionized network security by making every network element a point of defense, including routers, switches, appliances, and endpoints. For more information about the Cisco Self-Defending Network, visit http://www.cisco.com/go/sdn.
Security Features and Benefits of Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers
Engineered for delivering secure services, the integrated services routers offer a unique blending of both hardware-accelerated and software security features. To enable network security features on the Cisco 800, 1800, 2800, and 3800 Series routers, the following Cisco IOS Software feature sets are available:
Table 1 lists select hardware security features of the Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers.
Table 1. Hardware Accelerated Security Features of Cisco 800, 1800, 2800, and 3800 Series Routers
Feature
Cisco 3800
Cisco 2800
Cisco 1800
Cisco 800
Built-in VPN Encryption Acceleration
• Comes standard with every model
• Also requires Cisco IOS Software Advanced Security or higher feature set to enable
• Comes standard with every model
• Also requires Cisco IOS Software Advanced Security or higher feature set to enable
• Comes standard with every model
• Also requires Cisco IOS Software Advanced Security or higher feature set to enable
• Comes standard with every model
• Also requires Cisco IOS Software Advanced Security or higher feature set to enable
IPSec Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) 128, 192, and 256
Advanced VPN Encryption Acceleration
Optional enhancement for additional performance and tunnel scalability (Part number AIM-VPN/SSL-3)
Optional enhancement for additional performance and tunnel scalability (Part number AIM-VPN/SSL-2)
Optional enhancement for additional performance and tunnel scalability on modular Cisco 1800 Routers (Part number AIM-VPN/SSL-1)
-
SSL VPN Acceleration
Advanced IPS Acceleration
Optional enhancement for additional IPS performance (Part number AIM-IPS-K9)
Optional enhancement for additional IPS performance (Part number AIM-IPS-K9)
Optional enhancement for additional IPS performance (Part number AIM-IPS-K9)
-
NAC
Optional enhancement for NAC at the branch (Part number NME-NAC-K9)
Optional enhancement for NAC at the branch (Part number NME-NAC-K9)
-
-
Table 2 provides a high-level listing of the integrated security features and benefits of the Cisco 800, 1800, 2800, and 3800 Series. Many of these features are also available on the complementary Cisco 7200 and 7301 headend routers. For additional details about these security features, please reference Cisco Network Security Features for the Enterprise Headquarters.
Table 2. Primary Integrated Security Features and Benefits of Cisco 800, 1800, 2800, and 3800 Series Routers
GET VPN offers IPSec encryption over private WAN connections without the use of tunnels. This security model introduces the concept of "trusted" group member routers that use a common security methodology that is independent of any point-to-point relationship.
DMVPN provides a scalable and flexible way to establish virtual full-meshed IPSec tunnels from branch to branch. No configuration is necessary at the hub when adding new spokes.
This feature eases administration and management of point-to-point VPNs by actively pushing new security policies from a single headend to remote sites.
MPLS VPN Support
This feature offers branch office optimized customer edge functions plus a mechanism to extend customers' MPLS VPN networks out to the customer edge with Multi-Virtual Route Forwarding (VRF)-aware firewall, and IPSec.
Multi-VRF and Multiprotocol Label Switching (MPLS) Secure Contexts
The multi-VRF feature supports multiple independent contexts (addressing, routing, and interfaces) at the branch location for separation of departments, subsidiaries, or customers. All contexts can share a single uplink connection to the core (for example, IPSec VPN or Frame Relay/ATM), while still maintaining secure separation between them.
This single-device security and routing solution protects the WAN entry point into the network. This feature offers IPv6 support and zone-based policy mapping for easier administration.
Advanced Application Inspection and Control (Application Firewall)
This feature uses inspection engines to enforce protocol conformance and prevent malicious or unauthorized behavior such as port 80 tunneling or misuse of email connectivity.
Transparent Firewall
This feature segments existing network deployments into security trust zones without making address changes. It supports subinterfaces and VLAN trunks as well as simultaneous transparent and Layer 3 firewall.
VRF-Aware Firewall
A firewall is included in the list of services available at the individual context level for VRF deployments.
This inline, deep packet inspection-based solution works to effectively mitigate network attacks. IPS can drop traffic, send an alarm, locally shun, or reset the connection, allowing the router to respond immediately to security threats to protect the network.
Transparent IPS
This feature provides Layer 3 IPS for Layer 2 connectivity.
This feature complements Cisco IOS IPS by supporting custom filters that can be defined and deployed more rapidly, before IPS signatures or antivirus patterns are updated.
AutoSecure simplifies router security configuration and allows for rapid implementation of security policies with a "one-touch" device lockdown process.
Control Plane Policing
This feature protects against a DoS attack by policing the incoming rate of traffic to the control plane, helping to maintain network availability even when under attack.
CPU or Memory Thresholding
By reserving CPU and memory, this feature allows the router to stay operational under high loads, such as those created by attacks.
Network-Based Application Recognition (NBAR)
This classification engine in Cisco IOS Software can recognize a wide variety of applications. When the application is recognized, the network can invoke specific services for that particular application, providing the proper level of control it needs.
NetFlow technology efficiently provides the metering base for a critical set of applications, including network traffic accounting, usage-based network billing, network planning, and DoS monitoring and network monitoring capabilities. Cisco NetFlow applications collect NetFlow export data, perform data volume reduction, perform postprocessing, and give end-user applications easy access to NetFlow data.
Role-Based CLI Access
This feature provides role-based access to command-line interface (CLI) commands, allowing highly secure, logical separation of the router between network operations groups, security operations groups, and end users.
Secure Shell (SSH) Protocol Version 2
SSHv2 provides powerful new authentication and encryption capabilities with options for tunneling additional types of traffic over the encrypted connection, including file-copy and e-mail protocols.
Simple Network Management Protocol Version 3 (SNMPv3)
This interoperable standards-based protocol for network management provides secure access to devices by authenticating and encrypting packets over the network.
NAC stops the spread of viruses and worms in the network by providing access to only trusted devices that match established access and security policies.
Additional Security Features
Authentication, Authorization, and Accounting (AAA)
AAA allows administrators to dynamically configure the type of authentication and authorization they want on a per-line (per-user) or per-service (for example, IP, Internetwork Packet Exchange [IPX], or virtual private dialup network [VPDN]) basis.
Cisco IOS Certificate Server and Client
This feature allows the router to act as a certificate authority on the network.
Standard 802.1x Support on Integrated Switching
Standard 802.1x applications require valid access credentials that make unauthorized access to protected information resources and deployment of unsecured wireless access points more difficult.
This feature helps enable the Cisco IOS Firewall to interact with the Websense or N2H2 URL filtering software, thereby preventing users from accessing specified Websites on the basis of company security policies.
This intuitive, easy-to-use, Web-based device management tool is embedded within the Cisco IOS Software of Cisco routers and can be accessed remotely using HTTPS and SSH.
Enterprise Security Management
• Cisco Security Manager is a powerful but easy-to-use solution to centrally provision all aspects of device configuration and security policies for Cisco firewalls, VPNs, and IPSs.
• Cisco IP Solution Center (ISC) 3.0 is a service provider MPLS IPSec management tool.
Hardware Security Features of Cisco 800, 1800, 2800, and 3800 Series Routers
USB Port and Removable Credentials
The Cisco 800, 1800, 2800, and 3800 Series Integrated Services Routers were designed with onboard USB 1.1 ports, enabling important security and storage capabilities. These capabilities help to secure user authentication, store removable credentials for establishing secure VPN connections, securely distribute configuration files, and provide bulk flash memory storage for files and configuration.
Taking advantage of these USB ports, USB E-Tokens can provide secure configuration distribution and allow users to store VPN credentials for deployment. USB flash memory allows users to store images and configurations.
Secure Wireless LAN Services
The modular Cisco 1800, 2800, and 3800 Series, as well as the fixed-configuration Cisco 850, 870, and 1800 Series Integrated Services Routers, offer a comprehensive suite of secure, enterprise-class wireless services to enable productivity enhancements at wireless enterprise branch offices, small and medium-sized businesses, Wi-Fi hotspots, and teleworker locations.
Benefits include the following:
• Integrated wireless LAN access point option (802.11b/g or 802.11a/b/g) available across the entire portfolio of integrated services routers
• Extensive wireless security, including support for Wi-Fi Protected Access (WPA) and a variety of authentication types, and survivable local authentication for wireless clients at remote sites
• Access zone routing and customizable subscriber services for secure public access at Wi-Fi hotspots
• Mobile IP services for mobility across wireless LAN and cellular networks
Cisco Security Modules: Additional Security Options for Cisco 1841, 2800, and 3800 Series Routers
For customers seeking additional hardware-based acceleration, several security-based modules are available for the Cisco 1841, 2800, and 3800 Series routers.
Cisco IPSec VPN Advanced Integration Module
The VPN Advanced Integration Module (AIM) for the Cisco 1841, Cisco 2800 and 3800 Series Integrated Services Routers optimizes VPN performance for both IPSec and SSL VPN deployments. It provides up to 40 percent better performance for IPSec VPN over the built-in IPSec encryption, and up to twice the performance for SSL Web VPN encryption.
Cisco Intrusion Prevention System Advanced Integration Module
The Cisco Intrusion Prevention System Advanced Integration Module (IPS AIM) for the Cisco 1841 and Cisco 2800 and 3800 Series Integrated Services Routers brings hardware-based intrusion prevention to branch offices and small businesses. With the ever-increasing complexity and sophistication of security threats, every point of the network can be at risk. Cisco IPS can accurately identify, classify, and stop malicious traffic, including worms, spyware, adware, network viruses, and application abuse. Vigilant protection helps ensure business continuity and minimizes the effect of costly intrusions. Running Cisco IPS Sensor Software, the Cisco IPS AIM can monitor up to 45 Mbps of traffic and is suitable for T1/E1 and T3 environments. Cisco IPS AIM interoperates with a variety of Cisco IOS security features such as VPN, firewall, Network Address Translation (NAT), and Web Cache Control Protocol (WCCP).
Cisco NAC Network Module
The Cisco NAC Network Module brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers. The Cisco NAC Appliance (formerly Cisco Clean Access Server) is a rapidly deployable NAC product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network.
The integration of Cisco NAC Appliance Server capabilities into a network module for Integrated Services Routers allows network administrators to manage a single device in a branch office for data, voice, and security requirements, reducing network complexity, IT staff training, equipment sparing requirements, and maintenance costs.
Embedded Services Management: Cisco Router and Security Device Manager
Every Cisco 800, 1800, 2800, and 3800 Series router comes with factory-installed Cisco Router and Security Device Manager (SDM), which is also available on the Cisco 7200 and Cisco 7301 security bundles. Cisco SDM is an intuitive, Web-based device manager for deployment and management of Cisco routers (refer to Figure 1). Cisco SDM allows easy router configuration and monitoring through the use of a startup wizard for quick deployment and router lock-down, smart wizards to help enable security and routing features, Cisco Technical Assistance Center (TAC)-approved router configurations, and subject-related educational content.
Cisco SDM combines routing and security services management with ease of use, smart wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can synchronize routing and security policies throughout the network, have a more comprehensive view of their router services status, and reduce their operating expenses.
Additional features in Cisco SDM include:
• Inline IPS with updatable and customizable signatures
• Role-based router access
• Integrated Cisco IOS SSLVPN management
• Easy VPN server and AAA support
• Digital certificates for IPSec VPNs
• VPN and WAN connection troubleshooting
• QoS policy configuration and NBAR-based application traffic monitoring
Figure 1. Cisco Router and Security Device Manager
For management of firewall and VPN features, the Cisco Security Management Suite is an integrated security-event manager that includes the new Cisco Security Manager and Cisco CS-MARS. For more information about the Cisco Security Manager and Cisco CS-MARS, visit: http://www.cisco.com/go/mars.
Certifications
Cisco is committed to maintaining an active product security certification and evaluation program for customers worldwide. Cisco recognizes that these validations are a critical component of its integrated security strategy and is dedicated to the ongoing pursuit of FIPS, ICSA, and Common Criteria certifications. For more information, please visit: http://www.cisco.com/go/securitycert.
FIPS
The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Commerce Department's Technology Administration that develops and promotes measurement, standards, and technology. The Cisco 800, 1800, 2800, and 3800 Series routers are designed to meet NIST's FIPS certification.
ICSA
ICSA Labs, formerly known as the International Computer Security Association, manages and sponsors security consortia that provide a forum for intelligence sharing among the leading vendors of security products. ICSA is a commercial security certification body that offers ICSA IPSec and ICSA Firewall certification for various types of security products. Cisco participates in ICSA's IPSec program as well as its firewall program.
Common Criteria
Common Criteria is an international standard for evaluating IT security developed by a consortium of countries to replace numerous existing country-specific security assessment processes. It was intended to establish a single standard for international use. Currently, 14 countries officially recognize the Common Criteria. Several versions of Cisco IOS Software IPSec and Cisco routers have been evaluated under the Australasian Information Security Evaluation Program (AISEP) against the ITSEC or the Common Criteria.
To place an order, visit the Cisco Ordering Home Page. Table 4 gives ordering information for the Cisco 800, 1800, 2800, and 3800 Series router security bundles. The breadth of Cisco security bundles can be found at the following link: http://www.cisco.com/go/securitybundles.
Table 4. Ordering Information for Cisco 800, 1800, 2800, and 3800 Series Routers
Product Name
Part Number
Cisco 851 Secure Ethernet Router
CISCO851-K9
Cisco 876 Security Bundle with Plus ISDN Feature Set
CISCO876-SEC-I-K9
Cisco 876 Security Bundle with Plus Feature Set
CISCO876-SEC-K9
Cisco 877 Security Bundle with Plus Feature Set
CISCO877-SEC-K9
Cisco 878 Security Bundle with Plus Feature Set
CISCO878-SEC-K9
Cisco 871 Secure Ethernet Router
CISCO871-K9
Dual Ethernet Security Router with V.92 Modem Backup
CISCO1811/K9
Dual Ethernet Security Router with ISDN S/T Backup
CISCO1812/K9
Cisco 1841 Security Bundle with Advanced Security Cisco IOS Software
CISCO1841-SEC/K9
Cisco 2801 Security Bundle with Advanced Security Cisco IOS Software
CISCO2801-SEC/K9
Cisco 2811 Security Bundle with Advanced Security Cisco IOS Software
CISCO2811-SEC/K9
Cisco 2821 Security Bundle with Advanced Security Cisco IOS Software
CISCO2821-SEC/K9
Cisco 2851 Security Bundle with Advanced Security Cisco IOS Software
CISCO2851-SEC/K9
Cisco 3825 Security Bundle with Advanced Security Cisco IOS Software
CISCO3825-SEC/K9
Cisco 3845 Security Bundle with Advanced Security Cisco IOS Software
CISCO3845-SEC/K9
Cisco 1841 Enhanced Security Bundle with AIM-VPN/SSL-1, Advanced IP Cisco IOS Software
CISCO1841-HSEC/K9
Cisco 2801 Enhanced Security Bundle with AIM-VPN/SSL-2, Advanced IP Cisco IOS Software
CISCO2801-HSEC/K9
Cisco 2811 Enhanced Security Bundle with AIM-VPN/SSL-2, Advanced IP Cisco IOS Software
CISCO2811-HSEC/K9
Cisco 2821 Enhanced Security Bundle with AIM-VPN/SSL-2, Advanced IP Cisco IOS Software
CISCO2821-HSEC/K9
Cisco 2851 Enhanced Security Bundle with AIM-VPN/SSL-2, Advanced IP Cisco IOS Software
CISCO2851-HSEC/K9
Cisco 3825 Enhanced Security Bundle with AIM-VPN/SSL-3, Advanced IP Cisco IOS Software
CISCO3825-HSEC/K9
Cisco 3845 Enhanced Security Bundle with AIM-VPN/SSL-3, Advanced IP Cisco IOS Software
CISCO3845-HSEC/K9
Cisco 2801 Voice Security Bundle, PVDM2-8, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2801-VSEC/K9
Cisco 2801 Voice Security Bundle with PVDM2-8, Call Manager Express FL-CCME-24, Advanced IP Services Cisco IOS Software , 64 MB Flash, 256 DRAM
C2801-VSEC-CCME/K9
Cisco 2801 Voice Security Bundle with PVDM2-8, SRST FL-SRST-24, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2801-VSEC-SRST/K9
Cisco 2811 Voice Security Bundle,PVDM2-16, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2811-VSEC/K9
Cisco 2811 Voice Security Bundle with PVDM2-16, Call Manager Express FL-CCME-36, Advanced IP Services Cisco IOS Software , 64 MB Flash, 256 DRAM
C2811-VSEC-CCME/K9
Cisco 2811 Voice Security Bundle with PVDM2-16, SRST FL-SRST-36, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2811-VSEC-SRST/K9
Cisco 2821 Voice Security Bundle, PVDM2-32, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2821-VSEC/K9
Cisco 2821 Voice Security Bundle, PVDM2-32, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2821-VSEC-CCME/K9
Cisco 2821 Voice Security Bundle with PVDM2-32, SRST FL-SRST-48, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2821-VSEC-SRST/K9
Cisco 2851 Voice Security Bundle, PVDM2-48, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2851-VSEC/K9
Cisco 2851 Voice Security Bundle with PVDM2-48, Call Manager Express FL-CCME-96, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2851-VSEC-CCME/K9
Cisco 2851 Voice Security Bundle with PVDM2-48, SRST FL-SRST-96, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C2851-VSEC-SRST/K9
Cisco 3825 Voice Security Bundle, PVDM2-64, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C3825-VSEC/K9
Cisco 3825 Voice Security Bundle with PVDM2-64, Call Manager Express FL-CCME-168, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C3825-VSEC-CCME/K9
Cisco 3825 Voice Security Bundle with PVDM2-64, SRST FL-SRST-168, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C3825-VSEC-SRST/K9
Cisco 3845 Voice Security Bundle, PVDM2-64, Adv IP Serv, 64 MB Flash, 256 DRAM
C3845-VSEC/K9
Cisco 3845 Voice Security Bundle with PVDM2-64, Call Manager Express FL-CCME-240, Advanced IP Services Cisco IOS Software4, 64 MB Flash, 256 DRAM
C3845-VSEC-CCME/K9
Cisco 3845 Voice Security Bundle with PVDM2-64, SRST FL-SRST-240, Advanced IP Services Cisco IOS Software, 64 MB Flash, 256 DRAM
C3845-VSEC-SRST/K9
Cisco 2801 V3PN Bundle with AIM-VPN EPII-PLUS, PVDM2-8, Advanced IP Cisco IOS Software, 64 MB Flash, 256 DRAM
CISCO2801-V3PN/K9
Cisco 2811 V3PN Bundle with AIM-VPN EPII-PLUS, PVDM2-16, Advanced IP Cisco IOS Software, FL-SRST-36, 64 MB Flash, 256 DRAM
CISCO2811-V3PN/K9
Cisco 2821 V3PN Bundle with AIM-VPN EPII-PLUS, PVDM2-32, Advanced IP Cisco IOS Software, FL-SRST-48, 64 MB Flash, 256 DRAM
CISCO2821-V3PN/K9
Cisco 2851 V3PN Bundle with AIM-VPN EPII-PLUS, PVDM2-48, Advanced IP Cisco IOS Software, FL-SRST-72, 64 MB Flash, 256 DRAM
CISCO2851-V3PN/K9
Cisco 3825 V3PN Bundle with AIM-VPN HPII-PLUS, PVDM2-64, FL-SRST-168, Advanced IP Cisco IOS Software, 64 MB Flash, 256 DRAM
CISCO3825-V3PN/K9
Cisco 3845 V3PN Bundle with AIM-VPN HPII-PLUS, PVDM2-64, FL-SRST-240, Advanced IP Cisco IOS Software, 64 MB Flash, 256 DRAM
CISCO3845-V3PN/K9
Enhanced Performance DES, 3DES, AES and SSL VPN Encryption and Compression for Cisco 1800
AIM-VPN/SSL-1
Enhanced Performance DES, 3DES, AES and SSL VPN Encryption and Compression for Cisco 2800
AIM-VPN/SSL-2
Enhanced Performance DES, 3DES, AES and SSL VPN Encryption and Compression for Cisco 3800
