
Cisco IOS Software Release 12.4: Security Features and Hardware

Table Of Contents

Cisco IOS Software Release 12.4: Security Features and Hardware support

1) Introduction: Cisco IOS Software Release 12.4

1.1) Migration Guide

1.2) Cisco IOS Packaging: Secure Management Access

1.3) Release 12.4 Additional Information

2) Release 12.4 Feature Technology Highlights

2.1) Security and VPN


Product Bulletin No. 2853

Cisco IOS Software Release 12.4: Security Features and Hardware support


1) Introduction: Cisco IOS Software Release 12.4

Cisco IOS® Software is the world's leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, ranging from the small home office router to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

One of the most significant delivery milestones for Cisco IOS Software is the introduction of a new major release, which ships once every two years, delivers hundreds of advanced capabilities, and aggregates multiple prior releases into a synergistic whole.

Developed for wide deployment in the world's most demanding Enterprise, Access, and Service Provider Aggregation networks, Major Release 12.4 is a comprehensive portfolio of Cisco technologies, including the leading-edge functionality and hardware support introduced in Release 12.3T, anchored by an intensive stability and testing program.

Major Release 12.4 introduces more than 700 industry-leading features across the widest range of hardware in the industry. These key innovations span multiple technology areas, including Security, Voice, High Availability, IP Routing, Quality of Service (QoS), IP Multicast, IP Addressing, IP Mobility, Multiprotocol Label Switching (MPLS), and VPNs.

Figure 1  Major and Technology Release Relationship

1.1) Migration Guide

Cisco recommends that customers who need to deploy Release 12.3T features upgrade to Cisco IOS Software Major Release 12.4. Release 12.3T is scheduled for End of Sales in Q4CY'05.

While customers can no longer order software releases that reach End of Sales, they can download such releases from Software Center if they have a maintenance contract.

The following Cisco IOS Software releases identify the current recommended migration into Release 12.4.

Figure 2  Release 12.4 Migration Recommendation

Major Release 12.4 undergoes testing and review cycles to continuously improve and increase reliability and quality. As per Cisco's policies, no new technologies or features are added. Cisco updates Release 12.4 via regular maintenance releases to include minor improvements based upon customer experiences.

Maintenance for Release 12.3T ceases upon this introduction of Release 12.4. Users of Release 12.3T should migrate to Major Release 12.4 in order to receive maintenance.

For additional information about Cisco IOS Software Product Lifecycle Dates & Milestones, please visit:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

1.2) Cisco IOS Packaging: Secure Management Access

Cisco IOS Software Release 12.4 will introduce support for management access using Secure Shell (SSH), HTTPS, and Simple Network Management Protocol version 3 (SNMPv3) on the Cisco 1800, 2800, and 3800 Series Access Routers. These three features work with other device management features (i.e., image verification, role-based CLI views, user authentication, and VTY access control lists) to provide flexible and secure management access to any remote router, regardless of which Release 12.4 feature set is configured on the router.

SSHv2 client and server functionality provides a secure, encrypted alternative to traditional telnet for router configuration and administration.

SSL Server functionality provides an HTTPS-based secure, encrypted complement for accessing graphical user interfaces (e.g., Router and Security Device Manager).

SNMPv3 Server functionality includes authPriv mode, which provides authentication and encryption of SNMP messages.


Note: Export controls on strong encryption vary according to type, strength, territory, end-use, and end-user. Visit the Cisco Encryption Sales Support Tool to determine eligibility for Cisco strong encryption solutions. Send an email to Export Compliance (export@cisco.com) for clarification. Encryption-free versions of IP Base, IP Voice, Enterprise Base, and Enterprise Services feature sets will continue to be available.


1.3) Release 12.4 Additional Information

Release 12.4

http://www.cisco.com/go/release124/

Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

Cisco IOS Software Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows users to quickly match Cisco IOS Software releases to features to hardware.

http://www.cisco.com/go/fn/

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

Cisco IOS Software Questions and Feedback

http://www.cisco.com/warp/public/732/feedback/release/

2) Release 12.4 Feature Technology Highlights

2.1) Security and VPN

Table 1  Security & VPN Feature Highlights

2.1.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

Login password retry lockout conforms to the EAL4 requirement of providing these enhancements to Cisco IOS Software-enabled devices:

The administrator can optionally specify the number of login attempts allowed before lockout. The default value is 3 and is configurable.

When a user makes the specified (as configured in the preceding item) number of unsuccessful attempts to log in, that user will be locked out of the system until the administrator unlocks that user.

Only the administrator or users with administrator-equivalent privileges are able to unlock users.

Local AAA will maintain a list of locked-out users.

This configuration is not user specific but is device (per-box) specific.

Exception: The system does not allow the administrator to be placed on the locked-out list.

The locked-out list will not be maintained by an external server such as a RADIUS server.

The command-line interface (CLI) can be used to display a list of locked-out users by use of a show command.
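The following configuration puts the behaviour listed above into practice; it is an added example for this page, not configuration from the bulletin, and the user names and secrets are constructed placeholders. Command syntax follows the 12.4 command references as recalled by the editor and should be confirmed against the reference for the image in use.

```cisco
! Added example (not from the bulletin): local login lockout, section 2.1.1.
! Assumes AAA with local authentication; user names and secrets are constructed.
aaa new-model
aaa authentication login default local
!
! Lock a local user out after 3 consecutive failed logins (3 is the feature
! default; stating it explicitly makes the policy visible in the configuration).
aaa local authentication attempts max-fail 3
!
! Privilege-15 (administrator) accounts cannot be placed on the locked-out list,
! so at least one such account always remains able to unlock the others.
username netadmin privilege 15 secret <ADMIN-SECRET-PLACEHOLDER>
username helpdesk privilege 1 secret <USER-SECRET-PLACEHOLDER>
!
! Exec-mode commands for the operational side of the feature:
!   show aaa local user lockout                      - audit trail of locked-out users
!   clear aaa local user lockout username helpdesk   - administrator unlock of one user
!   clear aaa local user lockout all                 - unlock every listed user
```

The lockout list is held only in local AAA, so the show command above is the only place to audit it; an external RADIUS server never sees it.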

Benefits

Improves the security of the networking device.

Helps the network administrator to prevent potential unwanted access to the networking device.

Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.

Provides audit trail of locked-out users for security risk assessment.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.2) Cisco IOS Firewall: HTTP Inspection Engine

Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Often companies decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators will have more granular control of applications passing through the firewall.

Benefits

Defines and enforces security policies for port 80.

Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.

Performs protocol anomaly detection services.

Detects misuse of HTTP and Web connectivity.

Prevents protocol masquerading.

Provides strict RFC compliance enforcement.

Allows RFC command control (for example, get or put).

Enforces URL-length and header-length policy.

Supports real-time alarms and audit trail messages.

Provides MIME-type filtering and content validation.
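An HTTP application inspection policy that implements the controls listed above, as an added example written for this page (not configuration from the bulletin). Policy, rule and interface names and the length limits are constructed values; syntax follows the 12.4 command references as recalled by the editor.

```cisco
! Added example (not from the bulletin): HTTP Inspection Engine policy, section 2.1.2.
! WEB-POLICY, FW-INSPECT, FastEthernet0/0 and the byte limits are constructed.
appfw policy-name WEB-POLICY
 application http
  ! Protocol conformance: anything on port 80 that is not well-formed HTTP is reset
  strict-http action reset alarm
  ! RFC command control: permit only the methods a browser needs
  request-method rfc get action allow
  request-method rfc head action allow
  request-method rfc post action allow
  request-method rfc default action reset alarm
  request-method extension default action reset alarm
  ! URL-length and header-length policy
  max-uri-length 2048 action reset alarm
  max-header-length request 4096 response 4096 action reset alarm
  ! MIME-type filtering: Content-Type must be known and match request and response
  content-type-verification match-req-rsp action reset alarm
  ! Protocol masquerading: IM, peer-to-peer and generic tunnelling over port 80
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action reset alarm
  port-misuse default action reset alarm
  ! Audit trail message per inspected session
  audit-trail on
!
! Bind the application policy to a stateful inspection rule; appfw inspection
! is combined with http inspection in the same rule
ip inspect name FW-INSPECT appfw WEB-POLICY
ip inspect name FW-INSPECT http
!
interface FastEthernet0/0
 description inside LAN (constructed)
 ip inspect FW-INSPECT in
```

Start with `action allow alarm` on each rule to measure what legitimate browsing trips before switching to `reset`; the alarms are the audit trail the benefits list refers to.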

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.3) Cisco IOS Firewall: Granular Protocol Inspection

With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700.

IP packets that contain most well-known ports defined in RFC 1700 plus user-defined ports and ranges that map to specific applications can be inspected. Additionally, the current Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.

Benefits

Greater flexibility by allowing more granularity in the selection of protocols to be inspected.

Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword.

Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.

Improved performance and reduced CPU load resulting from focused inspection selections.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

A single port can only be mapped to one application.

Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.
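The following PAM entries show how the two considerations above play out; this is an added example for this page, not configuration from the bulletin. Application names (which must carry the user- prefix), ports and the rule name are constructed; syntax follows the 12.4 command references as recalled by the editor.

```cisco
! Added example (not from the bulletin): granular inspection via PAM, section 2.1.3.
! Application names, port numbers and FW-INSPECT are constructed.
!
! PAM now distinguishes TCP from UDP, so 5000/tcp and 5000/udp are separate
! entries and may belong to different user-defined applications.
ip port-map user-app-ctrl port tcp 5000
ip port-map user-app-telemetry port udp 5000
!
! A port range is defined in the PAM table, because ip inspect name does not
! accept ranges. A single port maps to only one application, so 5000/tcp above
! cannot also be included in this range.
ip port-map user-app-data port tcp from 5001 to 5010
!
! Inspect the user-defined applications instead of generic tcp/udp; the
! narrower selection is where the reduced CPU load comes from.
ip inspect name FW-INSPECT user-app-ctrl
ip inspect name FW-INSPECT user-app-telemetry
ip inspect name FW-INSPECT user-app-data
```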

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.4) Cisco IOS Firewall: Email Inspection Engine

Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines to provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).

Benefits

Inspects SMTP, ESMTP, POP3, and IMAP.

Detects misuse of email connectivity.

Prevents protocol masquerading.

Enforces strict RFC compliance.

Performs protocol anomaly detection services.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Users will need to have sufficient free memory.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic

The Inspection of Router-Generated Traffic feature enables inspection of local router traffic, that is, single-channel TCP and UDP connections originated by or terminated at the router. Local H.323 connections are also supported.

Benefits

Cisco IOS Firewall policy can now be applied to router local traffic.

The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration of the Cisco CallManager Express interface through which H.323 connections are made.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Inspection of Router-Generated Traffic is supported only on the following protocols: H.323, TCP, and UDP.

Cisco IOS Firewall supports only Version 2 of the H.323 protocol.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall

Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).

Benefits

Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.

Allows service providers to deploy the firewall on the provider edge (PE) router.

Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.

Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.

Performs per-VRF URL filtering.

Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.

Supports the ability to limit the number of firewall sessions per VRF.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.

If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.

When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)

2.1.7) Intrusion Prevention Systems Signature Enhancements

This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows for Cisco IOS Software routers to defend networks against common worms and viruses such as the following:

String TCP Worm and Virus Support

Agobot

ANTS

Apache/mod_ssl Worm

Bagle

Blaster

GaoBot

Klez

Minmai

MyDoom

Netsky

Norvag

Phatbot

Sober

Worm Slapper (Buffer Overflow)

ZAFI.D

String UDP Worm and Virus Support

Agobot

Blaster

GaoBot

Phatbot

Slammer

String ICMP Worm and Virus Support

Nachi

Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic.

Benefits

Support for more than 400 more signatures for a total of more than 1275 from which to choose.

Increased efficiency for traffic blocking with shun action.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Tom Guerrette (ask-stg-ios-pm@cisco.com)

2.1.8) Secure Device Provisioning Phase 4: Administrative Introducer

Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need of an end user. Administrative login and device specification have been introduced into the SDP framework.

SDP, formerly known as EZ Secure Device Deployment, simplifies introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is used as the database locator to determine the Cisco IOS Software configuration template, template variables (pulled from the AAA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.

In some deployment scenarios, the introducer is an administrator (or an administrative service such as a CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator so the SDP GUI has been enhanced to provide the username as a separate parameter.

Figure 3  SDP Administrative Introducer

Benefits

Allows an IT administrator or security management solution to provision multiple devices.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the sub-Certificate Authority (sub-CA) can be used during normal operation.

Figure 4  SDP Hierarchical Certificate Server

Benefits

Allows for hierarchical certificate servers, ensuring better scalability and availability.

Simplifies PKI deployment in geographically distributed VPN installations where each location could have its own certificate server handling the network beneath it.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.

Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.

Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys because they have no security.

Figure 5  USB Token: PKI

Benefits

Simplifies secure initial deployment. Router can be drop-shipped by distributor, while the token containing configuration and private keys is distributed by other means.

Simplifies replacement of failed routers. The user just needs to remove the spare from the closet or have it drop-shipped and plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.

Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN when the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.

Hardware

Routers

Cisco 1841 Router and Cisco 2800 and 3800 Series Routers


Cisco IOS Packaging

OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.11) Persistent Self-Signed Certificates

Cisco IOS Software has an HTTPS server that allows access to Web-based management pages using an SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake prior to establishing a secure connection between the server and the client.

If the Cisco IOS Software does not have a certificate that the HTTPS server can use, it generates a self-signed certificate by calling the PKI API. This certificate is then presented to the client, which prompts the user to accept it. If the user accepts, the certificate is stored in the browser for future use.

Future SSL handshakes require the same certificate. However, the certificate is lost on reload, and a new one has to be generated and go through the same acceptance sequence. The Persistent Self-Signed Certificate feature overcomes these limitations by saving the certificate in the router's startup configuration, so that it persists across reloads and HTTPS connections with clients continue to see the same certificate.
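A configuration that creates the persistent self-signed certificate described here and binds it to the HTTPS server, together with the SSHv2-only CLI access from section 1.2; this is an added example for this page, not configuration from the bulletin. Hostname, domain, trustpoint and key labels, and the management ACL are constructed; syntax follows the 12.4 command references as recalled by the editor.

```cisco
! Added example (not from the bulletin): persistent self-signed certificate for the
! HTTPS server (section 2.1.11) plus SSH-only CLI access (section 1.2).
! rtr-branch1, example.net, WEB-SELF, WEB-KEYS and access-list 10 are constructed.
hostname rtr-branch1
ip domain name example.net
!
! Key pair and self-signed trustpoint. Once enrolled, the certificate is written
! to the configuration, so it survives reloads instead of being regenerated.
crypto key generate rsa label WEB-KEYS modulus 2048
crypto pki trustpoint WEB-SELF
 enrollment selfsigned
 subject-name CN=rtr-branch1.example.net
 rsakeypair WEB-KEYS
crypto pki enroll WEB-SELF
!
! HTTPS management only; plain HTTP stays off
no ip http server
ip http secure-server
ip http secure-trustpoint WEB-SELF
ip http authentication local
!
! SSHv2 only on the VTYs, restricted to the management subnet
ip ssh version 2
access-list 10 permit 10.0.100.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
!
! Verify with "show crypto pki certificates", then save so the certificate
! persists: copy running-config startup-config
```

Record the certificate fingerprint shown by `show crypto pki certificates` out of band; with a self-signed certificate that fingerprint is the only thing an administrator can compare against when the browser prompts.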

Figure 6  Persistent Self-Signed Certificates

Benefits

Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates the need for manual user intervention to accept a certificate every time the router reloads.

Improved performance: as user intervention is no longer necessary to accept the certificate, the secure connection process is faster.

Better security: having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Persistent Self-Signed Certificates is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)

2.1.12) Easy VPN Remote Phase 4.1: Enhancements

Easy VPN Phase 4.1 supports two enhancements for Easy VPN Remote: Support for Reliable Static Routing using Object Tracking and Tunnel Activation on Interesting Traffic on Easy VPN Remote.

Support for Reliable Static Routing using Object Tracking is a current feature that enables Cisco IOS Software to identify when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and initiate a dial-on-demand routing (DDR) connection to a preconfigured destination from any alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). This feature delivers a solution for deployments in which a remote router only has a static route to the corporate network. The IP static route-tracking feature allows an object to be tracked (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If this feature determines that Internet connectivity is lost, then the default route for the primary interface is removed, and the floating static route for the backup interface is enabled.

This new enhancement delivers the capability to establish a secondary Easy VPN connection, if the primary Easy VPN connection fails, using support of Reliable Static Routing using Object Tracking. However, it is based on the dial backup interface only.

Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a connection to the backup Easy VPN remote configuration and a connection to the tracking system.

backup <ezvpn-cfg-name> specifies the Easy VPN configuration that will be activated when backup is triggered. track <tracked-object-number> specifies the link to the tracking system so that the Easy VPN state machine can receive the notification that triggers backup.

   crypto ipsec client ezvpn <ezvpn-cfg-name>
     backup <ezvpn-cfg-name> track <tracked-object-number>

Easy VPN Remote registers with the tracking system to receive notifications when the state of the object changes. The above command informs the tracking process that Easy VPN Remote is interested in the object identified by the object number; the tracking process in turn notifies Easy VPN Remote when that object's state changes. This notification prompts Easy VPN Remote to bring up the backup connection when the tracked object state is DOWN. When the tracked object is UP again, the backup connection is torn down, and Easy VPN Remote switches back to the primary connection. The primary connection is not torn down when the tracked object goes DOWN; however, it may time out or reset eventually on its own. Pings continue to be sent over the primary tunnel; if the tunnel is not up, they are dropped. The primary tunnel keeps attempting to reestablish, and once it does, the pings succeed and the tracked object state goes UP again.

Benefits

Allows flexibility to track an object and initiate dial backup.

Tunnel Activation on Interesting Traffic on Easy VPN Remote is a feature that introduces a new method of activating Easy VPN tunnels based on user traffic. Prior to this feature there were two ways to bring up the tunnel: manual entry of the XAuth user/password, and automatic activation of the tunnel with the user/password stored in the configuration file. The new feature will only bring up the tunnel when user traffic needs to use it. It can be used with an idle timer on the tunnel to bring the tunnel up and down only when it is needed for user traffic. This arrangement can reduce the load on the Easy VPN concentrator, because tunnels are only brought up when needed.

Figure 7  Activation Triggered by Easy VPN Remote Traffic

Benefits

Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.13) IPsec Preferred Peer

IPsec Preferred Peer allows a user to tag a peer as the default peer in a multiple-set peer configuration. The provisions include setting a peer with default option and setting an IPsec idle timer with default option.

Setting a peer with default option: a new keyword—default—has been added to mark the first peer in a multiple-set peer configuration as the default peer. This peer will then be retried in certain failure cases before a connection to the next peer on the list is attempted. If a failure is detected by dead peer detection (DPD), the default peer will be tried once more before the next peer is tried. If the default peer is unresponsive, failure using retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.

This feature is useful in a dial backup scenario in which traffic on a physical link stops because of a remote peer failure. DPD indicates that the remote peer is unavailable, although it remains the current peer, and the dial backup link comes up. Once connectivity through the physical link is restored, the default peer is tried again. This procedure lets the user always give preference to certain peers in the event of failover and is useful when the original failure was a connectivity problem through the network rather than a failure of the remote peer itself. If the remote peer has indeed failed, retransmits to that peer (a process that takes approximately 45 seconds) force the default peer to be skipped and the next peer on the list to be tried.

Benefits

Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more bandwidth).

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information

The set-peer-with-default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode: DPD detects the failure of the other device quickly and resets the peer list so that the default peer is tried again on the next attempt.

Only one peer may be designated the default on a crypto map.

The default peer must be the first peer in the list.

Use with the crypto map set peer default feature.

Idle timers with the default keyword are only available on a per-crypto-map basis. This command will not work with the global idle timer command.

If a global idle timer is set, the crypto map idle timer value must be different from the global value; otherwise it will not be added to the crypto map.
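A crypto map that applies the rules listed above (default peer first, periodic DPD, per-map idle timer with the default keyword); this is an added example for this page, not configuration from the bulletin. Peer addresses come from the RFC 5737 documentation ranges, and the map, transform-set and ACL names are constructed; syntax follows the 12.4 command references as recalled by the editor.

```cisco
! Added example (not from the bulletin): IPsec Preferred Peer, section 2.1.13.
! Peer addresses, VPN-MAP, TS and access-list 101 are constructed.
!
! Periodic DPD so loss of the default peer is noticed quickly and the peer
! list is reset to retry the default peer on the next attempt
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 ! The default peer must be the first peer in the list; only one may be default
 set peer 192.0.2.10 default
 set peer 198.51.100.20
 set transform-set TS
 match address 101
 ! Per-crypto-map idle timer with the default keyword; its value must differ
 ! from any global "crypto ipsec security-association idle-time" setting
 set security-association idle-time 600 default
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
```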

Cisco IOS Packaging

The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)

Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)

2.1.14) IPsec Antireplay Window Expansion and Disable Options

The IPsec antireplay window is a 32-bit counter and a bitmap (or equivalent) used to decide whether an inbound Authentication Header (AH) or Encapsulating Security Payload (ESP) packet is a replay. The Expansion and Disable options supported in this feature give IPsec users two additional options with which to control the antireplay mechanism in IPsec. Users can now choose to expand the antireplay window size or, alternatively, disable antireplay checking completely. The default antireplay window size and default enabling of antireplay checking for IPsec in Cisco IOS Software are the same as in prior Cisco IOS Software releases.

Figure 8

IPsec Antireplay

Benefits

Allows an IT administrator flexibility to control antireplay window size or disable it.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information

If the antireplay window is disabled, replay attack is possible.
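The following configuration is an added example and is not part of the original bulletin. It shows the two options side by side: widening the window (globally or for one crypto map entry) and disabling the check for one entry, which is the setting that leaves the tunnel open to replayed packets. Peer addresses, map and ACL names are placeholders.

```cisco
! Added example (not from the bulletin); names and addresses are placeholders.
!
! Option 1: widen the window for every SA on the router. Reordering caused
! by QoS (for example, priority queuing of voice ahead of bulk data inside
! the same SA) shows up as %CRYPTO-4-PKT_REPLAY_ERR drops; a larger window
! absorbs the reordering while still rejecting true replays.
crypto ipsec security-association replay window-size 1024
!
! Option 2: override the window for one crypto map entry only.
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
 set security-association replay window-size 512
!
! Option 3: disable the check for one entry. Replayed ESP/AH packets are
! then accepted, so confine this to the peer that needs it rather than
! using the global "crypto ipsec security-association replay disable".
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address LEGACY-TRAFFIC
 set security-association replay disable
!
! Verify per SA with "show crypto ipsec sa" (replay detection support: Y/N)
```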

Cisco IOS Packaging

IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.15) IPsec Virtual Tunnel Interface

VPNs are increasingly being recognized as a mainstream solution for secure WAN connectivity. They replace or augment existing private networks using leased lines, Frame Relay, or ATM to connect remote and branch offices and central sites more cost effectively and with increased flexibility. This new status requires that VPN devices deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool that customers can use to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint, and IPsec provides confidentiality by encrypting the traffic carried in the tunnel.

With IPsec VTIs delivered by Cisco, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.

Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) architecture for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity, while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.

Figure 9

IPsec Static Virtual Tunnel Interfaces Between Two Sites

Benefits

Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, thus simplifying VPN configuration complexity, which translates into reduced costs as the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.

Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to transfer multicast traffic, control traffic, or data traffic (for example, many voice and video applications) from one site to another securely.

Routable interface—Cisco IOS Software IPsec VTIs can support all types of IP routing protocols. Customers can use these capabilities of VTI to connect larger office environments, such as branch offices, complete with a PBX extension.

Improved scaling—IPsec virtual interfaces need fewer security associations to be established to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

Flexibility of defining features—An IPsec virtual interface is an encapsulation within its own interface. This arrangement offers flexibility of defining features to run on either the physical or the IPsec interface.
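The following configuration is an added example and is not part of the original bulletin. It builds the static VTI of Figure 9 between two sites: an IPsec profile replaces the crypto map and crypto ACL, everything routed into Tunnel0 is encrypted (unicast and multicast alike, over one SA pair), and a routing protocol runs across the tunnel like any other interface. Addresses, names and the pre-shared key are placeholders.

```cisco
! Added example (not from the bulletin). Site A public 198.51.100.1,
! Site B public 203.0.113.1; names and key are placeholders.
!
! --- Site A ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key S3cretPSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
! The profile is bound to the tunnel instead of a crypto map on the
! physical interface, so no crypto ACL is needed: routing decides what
! is encrypted.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
 ! Features such as QoS or ACLs can be applied here, on the cleartext
 ! side, or on the physical interface on the ciphertext side.
 ip mtu 1400
!
! Dynamic routing over the tunnel carries the LAN prefixes of both sites.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
!
! --- Site B (same isakmp policy, transform set and profile as Site A) ---
crypto isakmp key S3cretPSK address 198.51.100.1
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.2.0.0 0.0.255.255 area 0
```

Interface-based monitoring (show interfaces Tunnel0, SNMP ifTable) applies to the VTI exactly as to a physical link, which is the management simplification the bulletin refers to.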

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.16) Reverse Route Injection

Reverse Route Injection (RRI) is used to create static routes based on remote proxy IDs (subnet/mask) for remote IPsec devices. It is platform independent (except for the Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and is dynamic in that it saves the user from statically defining routes. It is agnostic to the remote peer and works on both dynamic and static crypto maps. Typically, RRI injects the routes into the routing process.

RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static site-to-site (L2L) IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it retains RRI routes for dynamic customer premises equipment (CPE) and removes RRI routes when the same crypto map is applied to two different interfaces.

Figure 10

Reverse Route Injection

Benefits

Saves the user from statically defining routes.

Considerations

Cisco IOS Software will not allow RRI in the same crypto map on multiple interfaces.
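The following configuration is an added example and is not part of the original bulletin. It shows reverse-route on a static crypto map (site-to-site, where the route is derived from the crypto ACL) and on a dynamic crypto map (remote CPE with unknown addresses, where the route is created when the peer's SA comes up), and redistributes the injected routes into the IGP. Names and addresses are placeholders.

```cisco
! Added example (not from the bulletin); names and addresses are placeholders.
!
! Static site-to-site: a route to the remote proxy 10.2.0.0/16 is installed
! from the crypto ACL. The static keyword keeps the route in place even
! while the SA is down, so the prefix is always attracted to this router.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-TRAFFIC
 reverse-route static
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic map: remote CPE whose addresses are not known in advance. The
! route to each CPE's proxy subnet appears when its SA is established.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
crypto map VPN 65535 ipsec-isakmp dynamic DYN
!
! Apply the map to exactly one interface: a crypto map that uses RRI may
! not be applied to multiple interfaces (see Considerations).
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
! Make the injected static routes visible to the rest of the network.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 redistribute static
!
! Verify: "show ip route static" lists the injected prefixes
```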

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.17) Easy VPN Remote Web-Based Activation

Easy VPN contains two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry) with optional authentication of devices behind the client router. Teleworker is also possibly useful for offices in which one person is authorized to activate the office connection. The second application is Branch Office, where a client router connects automatically without user intervention (XAuth credentials saved in configuration file). Optionally, it is possible to authenticate devices behind the client router.

Easy VPN Remote Web-Based Activation simplifies authentication of the remote router by providing a Web-based interface in which the user enters the XAuth username and password.

Figure 11

Easy VPN Remote Web-Based Activation

Benefits

Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN Remote.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.18) WebVPN

WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to securely access network resources. This feature can augment the existing IPsec remote access (Easy VPN) functionality or, in environments with relatively simple remote access requirements, WebVPN may offer sufficient functionality to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.

The first release of WebVPN in Cisco IOS Software supports two functional modes:

The first mode (clientless) provides secure access to private Web resources and will provide access to Web content. This mode is useful for accessing most content that you would expect to use within a Web browser, such as Web browsing, databases, or online tools that employ a Web interface.

The second functional mode (thin client) extends the capability of the cryptographic functions of the Web browser to enable remote access for email applications using POP3, SMTP, and IMAP.

Benefits

Uses a standard Web browser to access the corporate network and does not require a client to be installed on the client machine.

SSL encryption native to browser provides transport security.

Has granular access control.

Additional client and server applications are accessed using a Java applet.

Allows access from noncorporate machines such as airport kiosks.

Allows easy firewall and network traversal from any location.

Allows transparent wireless roaming.

Integrated Cisco IOS Firewall provides enhanced security.

Hardware

Routers

Cisco 1800, 2800, 3700, 3800, and 7200 Series; Cisco 7301 Router


Considerations

If WebVPN needs to be enabled on the router that is running HTTP Secure Server, the administrator must configure an IP address for WebVPN using the gateway-addr keyword option of the webvpn enable command.

The browsing of URLs that are referred by Macromedia Flash is not modified for secure retrieval by the WebVPN gateway.

This feature in Cisco IOS Software Release 12.3(14)T supports SSL Version 3. Transport Layer Security (TLS) is not supported.

Thin client used for TCP port-forwarding applications requires administrative privileges on the computer of the end user.

Cisco IOS Packaging

WebVPN is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Gary Sockrider ( ask-stg-ios-pm@cisco.com)

2.1.19) Cisco Router and Security Device Manager 2.1

Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Benefits

New hardware support

Cisco Small Business 100 Series

Cisco VPN Acceleration Module 2+ (VAM2+)

High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A

Provides ability to recognize, configure, and monitor the new hardware

Localized in six languages

Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German, Spanish, and Italian (available in May 2005)

Microsoft Windows OS support for these languages (available now)

Simplifies router management for native language users

Cisco SDM Express

Wizard-based deployment of router

Offers quick and easy router deployment for basic WAN access configurations

Ideal router deployment tool for nonexpert users

PC-based SDM

Cisco SDM installed on Windows-based PC instead of router flash memory

No extra flash memory space required on router for SDM

Great tool to manage the installed base of Cisco routers

PPP over ATM (PPPoA)

Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations

Three new Intrusion Prevention Systems (IPS) engines

STRING.TCP, STRING.UDP, STRING.ICMP

Allows deployment of 500+ additional IPS signatures through SDM

Dial-backup improvements

Support for dial-back for dynamically addressed primary WAN interface

Offers several fixes to make the configuration process more user friendly

Hardware

Routers

Cisco 830, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200VXR, and 7301 Series Routers


Cisco IOS Packaging

Router and Security Device Manager 2.1 is positioned in the Advanced Security packages across Cisco routers.

Product Management Contacts: ask-stg-ios-pm@cisco.com, sdm-feedback@cisco.com

2.1.20) Role-Based CLI Access—Granular Interface Control

Cisco initially introduced Role-Based CLI Access—Granular Interface Control in Release 12.3(7)T. It enables the network device administrator to set up views that define the set of CLI commands that can be accessed by each user. With this enhancement, administrators can control user access and configure specific ports, logical interfaces, and slots on a router.

Figure 12

Role-Based CLI Access—Granular Interface Control

Benefits

With Role-Based CLI Access—Granular Interface Control, administrators can match user access to CLI commands based on their operational roles in the organization.

Security: Enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

Availability: Prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime.

Operational efficiency: Users see only the CLI commands applicable to the ports and CLI modes to which they have access; therefore, the router appears less complex and commands are easier to identify when using on-device help.
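The following configuration is an added example and is not part of the original bulletin. It defines a view for a WAN operator who may look at the router and change a few parameters on one serial interface, but cannot enter any other interface or the rest of configuration mode. View name, interface and passwords are placeholders.

```cisco
! Added example (not from the bulletin); view name, interface and
! passwords are placeholders.
aaa new-model
enable secret EnablePW
!
! Views are created from the root view; enter it once with
!   Router# enable view
! (prompts for the enable secret).
!
parser view WAN-OPS
 secret WanOpsPW
 ! exec commands the role may run
 commands exec include show version
 commands exec include show interfaces
 commands exec include show ip interface brief
 commands exec include configure terminal
 ! Granular interface control: only this interface can be entered in
 ! configuration mode; "interface FastEthernet0/0" is rejected as
 ! an unrecognized command in this view.
 commands configure include interface Serial0/0
 ! What may be changed once inside that interface
 commands interface include description
 commands interface include bandwidth
 commands interface include shutdown
!
! The operator switches into the view with
!   Router> enable view WAN-OPS
! and "show parser view" reports which view is active. With RADIUS or
! TACACS+ the view can instead be assigned at login through the
! cli-view-name attribute.
```

Anything not explicitly included (other interfaces, routing, crypto, AAA) is invisible to the view, which is what makes the role both safer and simpler than a privilege-level scheme.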

Hardware

Routers

Cisco 7200 Series

Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.21) 802.1x Supplicant

There are deployment scenarios in which a network device (a router acting as an 802.1X authenticator) is placed in an unsecured location and cannot be trusted as an authenticator. This scenario mandates that a network device have the ability to authenticate itself against another network device.

The 802.1x supplicant support functionality provides the following solutions:

Extensible Authentication Protocol (EAP) framework: the supplicant understands and responds to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently supported.

Two network devices that are connected through an Ethernet link can act simultaneously as supplicant and authenticator, thus providing mutual authentication capability.

A network device that is acting as a supplicant can authenticate itself with more than one authenticator (that is, a single port on a supplicant can connect to multiple authenticators).

Figure 13

802.1x Supplicant

Benefits

Consistent, standards-based technology for insertion into any mixed multimedia, multi-vendor network.

Enforcing corporate policy for network access at Layer 2.

Single supplicant can connect to multiple authenticators, so different connectivity and security policies can be implemented for different users.
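The following configuration is an added example and is not part of the original bulletin. A branch router in an unsecured location presents 802.1x credentials on its uplink (supplicant role); the upstream router authenticates it against RADIUS and, with pae both, also presents its own credentials so that each side authenticates the other. Credential names, usernames, passwords and addresses are placeholders.

```cisco
! Added example (not from the bulletin); names, passwords and addresses
! are placeholders.
!
! --- Branch router (unsecured location): supplicant only ---
dot1x credentials BRANCH01
 username branch01
 password 0 Br4nchS3cret
!
interface FastEthernet0/0
 description uplink to campus
 dot1x pae supplicant
 dot1x credentials BRANCH01
!
! --- Upstream router: authenticator, and supplicant for mutual auth ---
aaa new-model
aaa authentication dot1x default group radius
radius-server host 10.1.1.5 key 0 RadiusS3cret
dot1x system-auth-control
!
dot1x credentials CAMPUS-EDGE
 username campusedge01
 password 0 EdgeS3cret
!
interface FastEthernet0/1
 description link to branch01
 ! both: challenge the peer AND answer the peer's challenge
 dot1x pae both
 dot1x port-control auto
 dot1x credentials CAMPUS-EDGE
!
! Verify: "show dot1x interface FastEthernet0/1" shows PAE and state
```

EAP-MD5 on its own proves the supplicant's identity to the authenticator only; the mutual authentication the bulletin describes comes from running both roles on each end of the link, as above.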

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.22) Cisco IOS Intrusion Prevention System

Cisco IOS Intrusion Prevention System (IPS) utilizes inline deep packet inspection to enhance network attack mitigation capabilities in Cisco IOS Software. By enabling IPS, customers can quickly protect their network from known network attacks without disrupting router functions or other embedded security capabilities, such as protocol anomaly detection.

The new Cisco IOS IPS capability enables the user to load and enable any of the 700+ IDS signatures that are supported by the Cisco IDS Sensor to deter network attacks. In addition, Cisco IOS IPS allows the user to modify any existing signature or create a new signature to deter newly discovered intrusions. Cisco IOS IPS enables the following actions:

Send an alarm

Drop the packet

Reset the connection

Figure 14

Cisco IOS Intrusion Prevention System

Benefits

Ubiquitous protection of network assets

Cisco IOS IPS is supported on a broad range of Cisco routers, enabling the user to protect network users and assets deep into the network architecture. The router is a security enforcer.

Inline deep packet inspection

Cisco IOS IPS enables users to stop known network attacks: when traffic matches a signature, Cisco IOS IPS intercepts the intrusion attempt as it traverses the router. Cisco IOS IPS uses deep packet inspection to examine the payload of a packet and uncover known malicious activity.

IDS signature support

Cisco IOS IPS can now be enabled with any of the 700+ IDS signatures supported by the Cisco IDS Sensors to mitigate today's known network attacks. As attacks are identified in the Internet, these signatures are updated and posted to Cisco.com so that they can be downloaded to the Cisco router by way of the VMS IDS MC 2.3 or SDM 2.0. IDS MC also provisions the Cisco IDS Sensor appliance products.

Customized signature support

Cisco IOS IPS can now customize existing signatures, while also creating new ones. This Day 1 capability mitigates attacks that try to capitalize on slight deviations of known or newly discovered attacks.

Hardware

Routers

Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.23) Cisco IOS Security Device Event Exchange

Cisco IOS Software now supports the Security Device Event Exchange (SDEE) protocol. SDEE is a new standard that specifies the format of messages and the protocol used to communicate events generated by security devices. SDEE is vendor-neutral, so mixed IDS vendor environments can use one network management alert interface. TruSecure (ICSA Labs) is proposing SDEE as the unified industry format for all vendors to communicate with network management applications. SDEE uses a pull mechanism: requests come from the network management application and the IDS/IPS router responds. SDEE uses HTTP and XML to provide a standardized interface. The Cisco IOS IPS router will still send IDS alerts via syslog.

Figure 15

Cisco IOS Security Device Event Exchange

Benefits

Vendor Interoperability

SDEE will become the standard format for all vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms.

Secured transport

The use of HTTP over SSL or HTTPS ensures that data is secured as it traverses the network.
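The following configuration is an added example and is not part of the original bulletin; it covers both 2.1.22 and 2.1.23. Inline IPS is applied to the Internet-facing interface, one noisy signature is tuned, and events are delivered both by SDEE (pulled by the management station over HTTPS) and by syslog. File name, signature choice, addresses and credentials are placeholders.

```cisco
! Added example (not from the bulletin); file name, addresses and
! credentials are placeholders.
!
! Signature definition file in flash (downloaded via SDM or IDS MC)
ip ips sdf location flash:attack-drop.sdf
ip ips name WAN-IPS
!
! Tune rather than switch off: disable one signature (2004 is the
! ICMP echo request signature) instead of dropping the whole set.
ip ips signature 2004 0 disable
!
! Notification: SDEE over the HTTPS server plus syslog to the collector
ip ips notify sdee
ip ips notify log
logging host 10.1.1.20
!
ip http secure-server
ip http authentication local
username sdee-reader secret 0 SdeeS3cret
! Events are buffered on the router until a subscriber pulls them;
! size the buffer for the longest expected polling gap.
ip sdee events 500
ip sdee subscriptions 2
!
interface Serial0/0
 description Internet uplink
 ip ips WAN-IPS in
!
! Verify: "show ip ips configuration" (loaded signatures, actions) and
! "show ip sdee events" (queued events, subscriptions)
```

Because SDEE is pull-based over HTTPS, the router needs no outbound path to the management station, but the HTTPS server it exposes should be reachable only from that station (an access class on the HTTP server or an interface ACL).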

Hardware

Routers

Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.24) Cisco IOS Firewall IPv6 FTP Support

Cisco IOS Software now performs stateful packet inspection of the IPv6 File Transfer Protocol (FTP). Cisco IOS Firewall creates dynamic openings for the FTP data channel so that return traffic can traverse the firewall back to the FTP client, monitors FTP sessions for RFC compliance, and alerts the network about any protocol anomaly produced by an end user attempting a malicious act. Cisco IOS Firewall tracks the initial FTP handshake and session termination, ensuring that all users have been authenticated before any data traverses the firewall. This enables Cisco IOS Firewall to prevent network intrusion by unauthorized users who attempt to initiate a connection across the network or take over the session of an authorized user. When the user logs off or initiates another form of session termination (abort), the firewall immediately closes all open data and control channels associated with that user.

Additionally, Cisco IOS Firewall now supports Port to Address Mapping (PAM) for IPv6. PAM correlates TCP or UDP port numbers to specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations not defined by well-known ports.

Benefits

Investment Protection

A wide range of Cisco routers, from the Cisco 1700 Series through the Cisco 7200 Series, support Cisco IOS Firewall. This further enhances the total return of investment in Cisco routers by providing a broad range of network enforcement points, while coexisting in IPv4 and IPv6 environments.

Protocol Anomaly Detection for FTP

Cisco IOS Firewall maintains the integrity of the network by monitoring it for network attacks that leverage protocol RFC non-compliance.

Authorized FTP users allowed

Only users who have been authorized by the destination FTP server are allowed to initiate session creation. Cisco IOS Software ensures that unauthorized users do not take advantage of data and control channels left open by a previous user. This decreases network vulnerability to unauthorized users.
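The following configuration is an added example and is not part of the original bulletin. An IPv6 LAN sits behind the inside interface; outbound sessions are inspected so that their return traffic (including the dynamically negotiated FTP data channel) is let back through an otherwise deny-all inbound filter, and PAM tells the firewall that an internal server on port 2121 speaks FTP. Prefixes, names and ports are placeholders.

```cisco
! Added example (not from the bulletin); prefixes, names and the
! non-standard port are placeholders.
ipv6 unicast-routing
!
! PAM: FTP inspection also applies to a server listening on 2121
ipv6 port-map ftp port 2121
!
! Inspection rule set: FTP (control + dynamic data channel, with an
! audit trail of each session), plus generic TCP and UDP
ipv6 inspect name V6-FW ftp audit-trail on
ipv6 inspect name V6-FW tcp
ipv6 inspect name V6-FW udp
!
! Outside-in filter: nothing unsolicited except ICMPv6; inspection
! opens the return path for sessions started from the inside
ipv6 access-list OUTSIDE-IN
 permit icmp any any
 deny ipv6 any any log
!
interface FastEthernet0/0
 description inside
 ipv6 address 2001:db8:1::1/64
 ipv6 inspect V6-FW in
!
interface Serial0/0
 description outside
 ipv6 address 2001:db8:ffff::2/64
 ipv6 traffic-filter OUTSIDE-IN in
!
! Verify: "show ipv6 inspect sessions" lists control and data channels;
! protocol anomalies appear in the log when alert is on (the default)
```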

Hardware

Routers

Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.25) Cisco Easy VPN 4.0

Release 12.3(11)T introduces several enhancements to the Easy VPN Remote:

Easy VPN Remote with IEEE 802.1x Authentication

Cisco Easy VPN 4.0 adds support for configuration of 802.1x port-based authentication on the private interfaces of the Easy VPN Remote router. This was not available in previous instances of Easy VPN Remote.

Cisco Easy VPN 4.0 also supports Public Key Infrastructure (PKI) certificates. Previously, only pre-shared keys could be used as key material for the Internet Key Exchange (IKE) (IPsec Phase 1) negotiation. Configuration is the same as for standard site-to-site IPsec. When configuring PKI on the remote router, it is critical that the subject-name command match the subject name in the certificate, or PKI authentication will fail.

Easy VPN Remote Backup Server List Auto-Configuration

Easy VPN Remote allows the configuration of multiple servers (concentrators) to which the remote router will attempt to connect. With this enhancement, the Easy VPN Server can "push" this server list to Easy VPN Remote clients, eliminating the requirement to manually configure the list of servers on the Easy VPN Remote. Instead, only one server needs to be preconfigured on the remote, and the rest of the server list will be pushed from the server at connect time.

Easy VPN Remote Management Enhancements

This feature simplifies the remote management of a Cisco IOS router acting as an Easy VPN Remote by making the IP address pushed from the server at connect time fully manageable. The pushed address is automatically assigned to a loopback interface that is dynamically created. This enables ping, Telnet, SNMP, and even dynamic routing to use the pushed address as the address to reach the router, so central site management solutions can be designed around it. This feature can be enabled in both client and network extension modes; in network extension mode an address can also be pushed, although users can instead manage the router through the static IP address assigned to the private interface.

Easy VPN Remote Load Balancing

When configured for load balancing, the Cisco VPN 3000 Series Concentrator with Easy VPN accepts an incoming request from the Easy VPN Remote router on its virtual IP address and, if required (for instance, if the server is heavily loaded), sends a "notify" message to the remote that contains the IP address of the new peer to which the client should connect. The Easy VPN Remote router receives this "redirect" message and attempts to connect to the server at the address contained in the notify message. Syslog messages indicate when a transition from one peer to another occurs.

Easy VPN Remote VLAN Support

It is now possible to define a VLAN as an Easy VPN Remote inside (private) interface. This may be an internal VLAN on the remote router (for instance, the switch ports in a Cisco 1711 Router). Upon definition, IPsec security associations (SAs) are established for the VLAN inside interface just as they are for physical inside interfaces.

Easy VPN Remote Multiple Subnet Support

This enhancement allows multiple subnets on a single inside interface on the Easy VPN Remote router to be defined to Easy VPN. Previously, only a single subnet could be defined for Easy VPN on each inside interface. The subnets can be multiple hops away (cascaded) off the inside interface LAN (for example, the Easy VPN router private interface is connected to a router that has a subnet behind it). The subnets must be configured manually; they cannot be learned by dynamic routing.

Easy VPN Remote and Server on Same Interface

Easy VPN Remote and server functions now can be configured on the same interface. A typical application would be a remote router that acts as a client to the headquarters Easy VPN server, while it acts as a server for local software clients. Such a router typically would have a single public interface to the Internet, and both the server and client functions would be configured on this interface.

Easy VPN Remote and Site-to-Site on Same Interface

Easy VPN Remote and site-to-site (standard IPsec) functions now can be configured on the same interface. A typical application would be a remote router that acts as a client to the headquarters Easy VPN server while it also has a site-to-site tunnel that is used strictly for management.

Easy VPN Perfect Forward Secrecy (PFS) Using Policy Push

The PFS setting for the Easy VPN connection now can be dynamically set at connect time using MODCFG policy push from the server. Previously, PFS had to be configured manually on the Easy VPN Remote.
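The following configuration is an added example and is not part of the original bulletin; it covers 2.1.17 and 2.1.25 together. A branch router runs as Easy VPN Remote in network extension mode with a certificate for IKE, Web-based XAuth activation (http-intercept), a VLAN as the inside interface, a second subnet one hop behind the LAN, and a separate site-to-site crypto map for management on the same outside interface. PFS and the backup server list need no configuration here because the server pushes them. CA URL, subject name, addresses and names are placeholders.

```cisco
! Added example (not from the bulletin); CA, names and addresses are
! placeholders.
!
! PKI: the subject-name must match the issued certificate exactly,
! otherwise IKE authentication fails.
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 subject-name CN=branch01.example.com,OU=BRANCH,O=Example
 revocation-check crl
crypto isakmp policy 10
 encryption aes
 authentication rsa-sig
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Site-to-site tunnel used strictly for management, on the same interface
crypto map MGMT 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address MGMT-TRAFFIC
ip access-list extended MGMT-TRAFFIC
 permit ip host 10.10.10.1 10.200.0.0 0.0.0.255
!
crypto ipsec client ezvpn HQ
 connect auto
 mode network-extension
 ! only one server needs preconfiguring; the backup list is pushed
 peer 198.51.100.1
 ! Web-based activation: the first HTTP request from the LAN is
 ! intercepted and a login page collects the XAuth username/password
 xauth userid mode http-intercept
 ! Multiple subnet support: 10.10.20.0/24 lives behind a LAN router
 acl EZVPN-SUBNETS
!
ip access-list extended EZVPN-SUBNETS
 permit ip 10.10.20.0 0.0.0.255 any
ip route 10.10.20.0 255.255.255.0 10.10.10.254
!
! VLAN as the inside interface (switch ports on the branch router)
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn HQ inside
!
interface FastEthernet0
 description Internet
 ip address 203.0.113.10 255.255.255.248
 crypto map MGMT
 crypto ipsec client ezvpn HQ
!
! Verify: "show crypto ipsec client ezvpn" (state, pushed attributes)
```

With http-intercept the tunnel is not brought up by the router itself; whoever first browses from the LAN supplies the XAuth credentials, which is the Teleworker model described in 2.1.17 rather than the unattended Branch Office model.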

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

Cisco 3640 and 3660 Routers


Additional Information: http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00801541d5.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.26) Cisco Security and Router Device Manager 2.0

Cisco Security and Router Device Manager (SDM) 2.0 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize the routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Key new features in Cisco SDM 2.0 include support for:

Inline IPS with dynamic signature update and signature customization (see Cisco IOS IPS)

Role-Based Router Access

Easy VPN Server and AAA

Digital Certificates for IPsec VPNs

VPN and WAN connection troubleshooting

QoS policy configuration and NBAR-based application traffic monitoring

Hardware

Routers

Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, and 7500 Series Routers

Cisco 3640, and 3660 Routers


Additional Information: http://www.cisco.com/go/sdm

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.27) Dynamic Multipoint VPN Spoke to Spoke Functionality

Dynamic Multipoint VPN (DMVPN) Spoke to Spoke Functionality allows dynamic on-demand direct spoke to spoke tunnels to be created between two DMVPN spoke CPEs without traversing the hub. This feature enables production-ready spoke-to-spoke functionality in a single hub and multi-hub environment in a DMVPN network. It also incorporates increased spoke to spoke resiliency and redundancy in multi-hub configurations.

Figure 16

Dynamic Multipoint VPN Spoke to Spoke Functionality

Benefits

Direct Spoke-to-Spoke Tunnels

This functionality allows direct spoke-to-spoke tunnel creation between two branch offices without the traffic having to go through the hub. Spokes can take advantage of an Internet connection directly available between them. This leads to reduced latency and jitter for spoke-to-spoke traffic and improved bandwidth utilization. DMVPN networks deliver a lower cost per megabyte of bandwidth than native IPsec networks because spoke-to-spoke traffic is not limited by hub bandwidth and adds no overhead to hub bandwidth utilization.

Avoids Dual Encrypts and Decrypts

Native IPsec and IPsec + GRE networks are organized as hub-and-spoke networks. This results in all spoke-to-spoke traffic going through the hub and requiring a dual encrypt and decrypt for all traffic, placing an additional burden on the hub CPU. DMVPN alleviates the problem by creating direct on-demand spoke-to-spoke tunnels.

Smaller Spoke CPEs can Participate in a Virtual On-Demand Full Mesh

DMVPN allows smaller spoke CPE to participate in a virtual on demand full mesh. Creating and managing a full mesh is often not possible for smaller spoke CPE which cannot handle more than a dozen IPsec tunnels. DMVPN allows the spokes to create tunnels to other spokes on demand and tear down the tunnels after use.
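The following configuration is an added example and is not part of the original bulletin. It is the single-hub case of Figure 16: spokes with dynamic addresses register with the hub via NHRP, and because the hub preserves the original next hop in the routing updates it relays, a spoke resolves another spoke's address through NHRP and builds the direct IPsec-protected mGRE tunnel on demand. Addresses, names and the pre-shared key are placeholders.

```cisco
! Added example (not from the bulletin). Hub public 198.51.100.1; spokes
! have dynamic public addresses. Names and key are placeholders.
!
! --- Common to hub and spokes ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key DmvpnPSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS
!
! --- Hub ---
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhrpKey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ! Do not rewrite the next hop and do relay spoke routes to other spokes:
 ! a spoke then sees the other spoke as next hop, resolves it with NHRP,
 ! and the direct spoke-to-spoke tunnel is built.
 no ip next-hop-self eigrp 100
 no ip split-horizon eigrp 100
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.100.0.0 0.0.255.255
!
! --- Spoke 1 (spoke 2 identical apart from tunnel address 10.255.0.3) ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication NhrpKey
 ip nhrp map 10.255.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ! cached spoke-to-spoke mappings expire and the tunnel is torn down
 ip nhrp holdtime 300
 tunnel source FastEthernet0/0
 ! multipoint GRE on the spoke is what allows a tunnel to another spoke
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
!
! Verify on a spoke: "show ip nhrp" (dynamic entries for other spokes)
! and "show crypto ipsec sa" (a second SA pair per direct tunnel)
```

For the multi-hub resiliency the bulletin mentions, each spoke adds a second ip nhrp nhs and ip nhrp map pair for the second hub; spoke-to-spoke tunnels are unaffected by which hub answered the resolution request.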

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7400 Series Routers

Switches

Cisco Catalyst 6000 Series Switch with MWAM Card and VPNSM Module


Additional Information:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Product Management Contact: IOS-Security-PM@cisco.com

2.1.28) Cisco IOS Network Admission Control

Cisco IOS Network Admission Control (NAC) adds vital access router support for the Cisco NAC solution, which empowers organizations to contain security threats before they cause damage. Cisco IOS NAC, the software-based portion of this solution, enables Cisco access routers to detect a user's compliance with anti-virus policies, and thus enforce network access privileges appropriately. Non-compliant devices can be denied access, placed in a quarantined area, or given restricted access to computing resources. The access decision can be based on information such as the endpoint's anti-virus state and operating system patch level.

Cisco NAC now enables Cisco IOS Software devices to identify and isolate unprotected or infected hosts as they connect to the network, thereby preventing them from potentially spreading viruses in the network. Network administrators can define and enforce posture validation of endpoint devices connecting to the network.

The initial release of Cisco NAC consists of four components:

Cisco Trust Agent: software that resides on the endpoint system. Cisco Trust Agent collects security state information from multiple security software clients, such as anti-virus clients, and then communicates this information back to the Cisco IOS network access device, which enforces admission control.

Network Access Devices: network devices (Cisco IOS Software routers) enforce admission control policy. These devices demand host security "credentials" and relay the information to policy servers where network admission control decisions are made. Decisions could include permit, deny, quarantine, or restrict.

Policy Server (Cisco Secure Access Control Server [ACS]): evaluates the endpoint security information relayed from the Cisco IOS Software device and determines the appropriate policy to implement. Cisco ACS is the foundation of the policy server system.

Management System: CiscoWorks VPN/Security Management Solution (VMS) provisions Cisco NAC elements, while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools.

This release of Cisco NAC addresses the two most pressing compliance tests required: anti-virus software state and operating system information. These tests include anti-virus vendor software version, engine level, and signature file levels as well as the operating system type and patch levels. Anti-virus vendors, such as Network Associates, Symantec and Trend Micro, are integrating their applications with Cisco NAC.

Figure 17

Cisco IOS Software Router Support for Cisco IOS NAC

Improved Security

Cisco NAC helps ensure that all hosts comply with the latest corporate anti-virus and operating system patch policies prior to obtaining normal network access. Vulnerable and noncompliant hosts may be isolated and assigned reduced access until they are patched and secured, preventing them from being the targets of or the sources for worm and virus infections.

Investment Protection

Cisco NAC is supported on a broad range of Cisco IOS Software routers, ranging from the Cisco 800 Series to the Cisco 7200 Series Routers. This solution integrates and increases the value of investments in the Cisco network infrastructure, Cisco endpoint security, and anti-virus technology.

Deployment Scalability

Cisco NAC provides comprehensive access control across all access methods that hosts use to connect to the network. It also supports heterogeneous vendor scenarios. This solution also allows differentiated access policies to be set for responsive hosts (those running the Cisco Trust Agent) and non-responsive hosts.

Increased Resilience and Availability

By taking information about endpoint security status and combining it with network admission enforcement, Cisco NAC enables customers to dramatically improve the security of their computing infrastructures.

Multiple Vendor Compatibility

In addition to the initial list of partners, Cisco will continue to work with more anti-virus and host-based application vendors to allow customers greater flexibility in the choice of anti-virus vendors.
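The following configuration is an added example of the network access device side of the architecture described above; it is not taken from the bulletin or from Cisco documentation. Interface, rule and server names, addresses and the RADIUS key are placeholders. The policy server (Cisco Secure ACS) is reached via RADIUS, hosts are challenged over EAPoUDP, and the interface ACL is the access given to a host before its posture has been validated.

```cisco
! Added example: Cisco IOS NAC posture enforcement on an access router.
! All names, addresses and keys below are placeholders.
aaa new-model
! Posture validation (EAP over UDP) requests go to the policy server
aaa authentication eou default group radius
! Lets the policy server push the per-host access policy after validation
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key CHANGE-ME
! Admission rule: challenge connecting hosts over EAPoUDP
ip admission name NAC-L3 eapoudp
! Default access for hosts not yet validated: only EAPoUDP (UDP 21862) and DHCP.
! The policy server overrides this per host (permit / quarantine / restrict).
ip access-list extended NAC-DEFAULT
 permit udp any any eq 21862
 permit udp any any eq bootps
 deny   ip any any
interface FastEthernet0/0
 description Host-facing LAN segment
 ip address 10.10.10.1 255.255.255.0
 ip access-group NAC-DEFAULT in
 ip admission NAC-L3
! Log posture events to syslog for monitoring
eou logging
! Verification:
! show eou all
! show ip admission cache
```

The interface ACL is the quarantine baseline: a host that never answers the EAPoUDP challenge (no Cisco Trust Agent installed) is left with that ACL, which is the non-responsive host policy mentioned above.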

Hardware

Routers

Cisco 831, 836 and 837 Routers

Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Routers

Cisco 2600XM and 2691 Routers

Cisco 3640, 3640 A, and 3660-ENT Series Routers

Cisco 3825 and 3745 Routers

Cisco 7200, 7301, and 7401 Routers

Access Servers

Cisco AS5350, AS5400, AS5850 Access Servers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.29) Quality of Service per VPN Group

Quality of Service (QoS) per VPN Group allows Cisco IOS QoS mechanisms to be applied to a group of IPsec flows. With QoS per VPN session group, all flows that belong to an ISAKMP profile can be classed together and policed on the interface that has both the crypto map and the service policy applied to it.

The QoS per VPN session group feature is well suited to situations where a head-end device has large groups of IPsec peers. For example, in Figure 16 the IPsec peers of the head-end router are executives, engineers and sales. Each of these groups is identified by an IPsec Security Association (SA). The QoS policies applied to IPsec flows are based on a QoS group ID. The IDs are mapped to a QoS group, which is used in the definition of class maps for QoS. From there, the QoS policies are applied at group level.

Figure 18

QoS with Cisco IOS VPN

Benefits

The QoS per VPN session group feature can provide several benefits to the user. It can be used to:

Enable allocation of QoS policies on per group basis.

Ensure equal access to available bandwidth across multiple links in a service provider environment.

Guarantee certain customers a minimal amount of bandwidth.
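As an added example (not from the bulletin or from Cisco documentation), the head-end configuration below ties the pieces described above together: each ISAKMP profile stamps its flows with a QoS group ID, class maps match on that ID, and a policy map polices each group on the interface that carries the crypto map. Profile names, group names, rates and the interface are assumptions.

```cisco
! Added example: policing IPsec flows per VPN group on a head-end router.
! Profile names, identity groups, rates and interfaces are placeholders.
crypto isakmp profile EXECUTIVES
 match identity group executives
 qos-group 1
crypto isakmp profile SALES
 match identity group sales
 qos-group 2
! Each class map keys on the QoS group ID assigned by the ISAKMP profile
class-map match-all VPN-EXEC
 match qos-group 1
class-map match-all VPN-SALES
 match qos-group 2
! Policy applied at group level: executives get 2 Mbps, sales 1 Mbps
policy-map VPN-GROUPS
 class VPN-EXEC
  police 2000000 conform-action transmit exceed-action drop
 class VPN-SALES
  police 1000000 conform-action transmit exceed-action drop
! The crypto map (referencing the profiles) and the service policy
! must sit on the same interface for the per-group policing to apply
interface Serial0/0
 crypto map HEADEND
 service-policy output VPN-GROUPS
! Verification:
! show policy-map interface Serial0/0
```

The crypto map HEADEND is assumed to reference the two ISAKMP profiles through its (dynamic) crypto map entries; that part of the configuration is unchanged by this feature and is omitted here.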

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.30) Cisco AutoSecure Rollback & Logging

Cisco AutoSecure, originally introduced in Cisco IOS Software Major Release 12.3 (May 2003), enables rapid implementation of security policies and procedures to ensure secure networking services by offering a single CLI command to lock down the device.

Cisco AutoSecure Rollback enhances the feature by providing a method to restore the system configuration to its state prior to execution of the autosecure command. The feature takes a snapshot of the current running configuration and stores it on the ATA disk before the autosecure command runs. When rollback is initiated, the system is restored to the snapshot configuration.

Rollback can occur in either automated or manual mode. Automated rollback is initiated if Cisco AutoSecure experiences a failure during its operation. In manual mode, the user simply issues the standard CLI rollback command and the rollback process is initiated.

Cisco AutoSecure Logging generates a syslog message when the autosecure set of commands is executed.

Benefits

Simplifies Device Lockdown

With Cisco AutoSecure Rollback & Logging, users can apply Cisco AutoSecure with more confidence. If the command was issued accidentally, the configuration can easily be restored to its original state.

Tracking of Cisco AutoSecure Execution

With the Cisco AutoSecure logging feature, a system administrator can track when autosecure has been executed.

Hardware

Routers

Cisco 2691 Router

Cisco 1700 and 3700 Series Routers

Cisco 7200 Series with ATA Disk


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.31) Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

Easy Secure Device Deployment (SDD) Authentication, Authorization, and Accounting (AAA) Integration allows an end device to connect to another end device using Trusted Transitive Introduction (TTI) to deploy Public Key Infrastructure (PKI) without having to be "introduced" by a third device, such as a system administrator. If the first end device has an account on an AAA server, it can obtain authentication and authorization directly from the server database, which eliminates the need to obtain an access password from the third device.

Figure 19

Easy SDD AAA Integration

Benefits

The user does not need to enable passwords for devices, because AAA verifies the credentials.

Simplified PKI enrollment and deployment, because the two end devices can now connect directly without the intervention from a system administrator.

User authentication and configuration update occurs through AAA.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.32) Cisco IOS Resilient Configuration

Cisco IOS Resilient Configuration provides a safeguard for restoring the configuration after unwanted erasure of the Cisco IOS Software configuration.

After an accidental or intentionally hostile erasure of the configuration, the device cannot operate normally, resulting in network downtime. By using the Cisco IOS Resilient Configuration feature as a precautionary measure, administrators can quickly restore the system to a running state.

The Cisco IOS Resilient Configuration CLI command operates by taking a snapshot of the running router configuration and securely archiving it in persistent storage. The archived file is hidden and cannot be viewed or removed; it can only be overwritten. The restore option simply reproduces a copy of the secure configuration archive, and the system is restored.

This feature requires devices that support a PCMCIA ATA disk.
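The commands below are an added example of enabling and exercising the feature just described; they are not from the bulletin. The archive file name and the disk name are assumptions, and the recovery sequence assumes the router has already been booted to a prompt after the erasure.

```cisco
! Added example: Cisco IOS Resilient Configuration on a router with an ATA disk.
! Entered in global configuration mode. Names are placeholders.
configure terminal
 ! Secure the running image against erasure (archives the boot image)
 secure boot-image
 ! Snapshot the running configuration into the hidden, non-removable archive
 secure boot-config
 end
! Verification: the secured image and configuration archive are listed here
! even though they do not appear in "dir" and cannot be deleted
show secure bootset
!
! Recovery after the running configuration has been erased:
configure terminal
 ! Write a copy of the hidden archive to a normal file on the disk
 secure boot-config restore disk0:archived-config
 end
! Then load it into the running configuration
copy disk0:archived-config running-config
```

Note that the secured archive can only be turned off from a console session, so an attacker with remote CLI access who wipes the configuration cannot also remove the recovery copy; re-run "secure boot-config" after legitimate configuration changes so the archive stays current.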

Benefits

Enhances Protection of the Cisco IOS Software Configuration

Because the archived configuration file is hidden and cannot be removed, a backup copy remains on the device even if the running configuration is erased, whether accidentally or intentionally.

Rapid Recovery of the System Configuration

Since a copy of the configuration is stored on the device itself and the Resilient Configuration feature provides a quick restore command, system administrators can quickly restore a system to a running state.

Hardware

Routers

Cisco 2691 Router

Cisco 1700 and 3700 Series Routers

Cisco 7200 Series with ATA Disk


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008022a7ce.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.33) Call Admission Control for Internet Key Exchange

This feature improves VPN tunnel stability and router resource usage by rate-limiting the number of concurrent incoming and outgoing Internet Key Exchange (IKE) requests that are processed, depending on the resources available on the router. The feature also allows a hard limit to be applied to the number of IKE requests handled by a device.

Benefits

Prevention of poor performance or resource overload.

Protection of the router from Denial of Service (DoS) attacks that send a large number of IKE requests.
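An added example of both limits described above (not from the bulletin; the numeric values are placeholders chosen for illustration):

```cisco
! Added example: Call Admission Control for IKE.
! Values are placeholders; size them for the platform and expected peer count.
configure terminal
 ! Hard limit: reject new IKE negotiations once this many IKE SAs exist
 crypto call admission limit ike sa 50
 ! Resource-based limit: reject new IKE requests while system resource
 ! usage (as measured by call admission control) exceeds 90 percent
 call admission limit 90
 end
! Verification: counts of IKE requests accepted and rejected by each limit
show crypto call admission statistics
```

The two limits complement each other: the SA count caps the steady state, while the resource limit sheds load during a burst of requests (for example a large number of IKE initiations arriving at once) before the router becomes unresponsive.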

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.34) Certificate to Internet Security Association and Key Management Protocol Profile Mapping

Certificate to Internet Security Association and Key Management Protocol (ISAKMP) Profile Mapping is used in the context of PKI deployment. This feature aids in uniquely identifying a group of users by mapping the DN field, or part of the DN fields, in a certificate to groups of users. When certificates are used for authentication, the identity payload contains the subject name from the certificate. However, some PKI deployments do not allow users to control the SubjectName field in the certificate; this feature can therefore be used to fall back on other fields in the certificate to distinguish a user.

Mapping the DN field can be used as an alternative to the identity field. With this feature, Cisco IOS ISAKMP profiles have the ability to match on various fields (for example, FQDN, IP address, group name).

Benefits

An alternative means of identifying users authenticating with certificates.
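As an added example of the mapping described above (not from the bulletin), the configuration below selects an ISAKMP profile by certificate fields rather than by the identity payload. The map name, the DN values and the trustpoint name are assumptions.

```cisco
! Added example: mapping certificate DN fields to an ISAKMP profile.
! Map name, DN values and trustpoint are placeholders.
! Certificate map: match certificates whose subject contains "ou = sales"
! and that were issued by the corporate CA ("co" = contains)
crypto pki certificate map SALES-CERTS 10
 subject-name co ou = sales
 issuer-name co cn = corp ca
! Peers presenting a matching certificate land in this profile,
! regardless of what their identity payload carries
crypto isakmp profile SALES
 ca trust-point CORP-CA
 match certificate SALES-CERTS
! Verification:
! show crypto pki certificates
! show crypto isakmp profile
```

Because the match is on fields the CA controls (issuer and subject organisational unit) rather than on a field the user chooses, a user cannot move into the SALES group simply by enrolling with a different SubjectName.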

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.35) Crypto Access Check On Clear Text Packet

Crypto Access Check on Clear-Text Packet removes the double interface Access Control List (ACL) check against the outside interface for inbound clear-text packets that arrive inside an IPsec-encrypted packet.

Previously, ACL checking was performed at two points for inbound IPsec packets: once on the encrypted packet and again on the decrypted clear-text packet. With this feature the second check is optional: customers who require ACL checking of the decrypted clear-text packet configure the command "crypto access checks ACL in" under the crypto map.

Benefits

Enables the easier configuration of ACLs.

Eliminates the configuration problems associated with a double ACL check.

Gives customers the option of enabling/disabling the second ACL checking for more security in their networks.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.36) RADIUS Attribute Screening support for Access-Request

Description

The RADIUS Attribute Screening feature allows users to configure a list of "accept" or "reject" RADIUS attributes on the network access server (NAS) for purposes such as authorization or accounting.

This enhancement to attribute screening adds support for filtering on Access-Request packets, in addition to the Access-Accept and Accounting-Request filtering already supported in Cisco IOS Software.

Benefits

Improved Control and Manageability—Better control over which attributes, in particular the Called-Station-Id, are sent to the ISP in Access-Request packets, according to the pre-arranged agreement.

Hardware

Routers

Cisco 7200, Cisco 7400 Series

Cisco 7301


Product Management Contact: IOS-Security-PM@cisco.com

2.1.37) Role-Based CLI Access

Description

This feature enables the network device administrator to set up views that define the set of CLI commands users may access. It is a new user access control feature, in addition to the current privilege-level feature, that offers a higher degree of customization.

On a single device, up to 16 views can be defined by the network device administrator.

The network administrator can define whether users are placed in privilege mode or view mode when they log into the device.

Each user can be assigned one or more views. Each view is associated with a password, which is required when a user switches between views (if a person is assigned multiple views).

Views are defined by the network administrator via the CLI, with keywords such as include (CLI commands accessible by the view) or include-exclusive (CLI commands accessible exclusively by the view).

Either a local (on the device) or an external (such as TACACS+/RADIUS) AAA server is used for authentication and authorization; a new vendor-specific attribute (VSA) is therefore needed to support this feature.
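The following is an added example of defining a view with the include and include-exclusive keywords described above and assigning it to a locally authenticated user; it is not from the bulletin. The view name, user name and passwords are placeholders.

```cisco
! Added example: Role-Based CLI Access with a restricted help-desk view.
! View name, user name and secrets are placeholders.
aaa new-model
enable secret Enab1e-Secret
! Views are created from the root view. From privileged EXEC, enter:
!   Router# enable view
! (the enable secret is requested), then:
configure terminal
 parser view HELPDESK
  ! Password asked for when a user switches into this view
  secret V1ew-Secret
  ! Commands the view may run (include = also available in other views)
  commands exec include show version
  commands exec include show interfaces
  commands exec include show ip route
  commands exec include ping
  ! Exclusive: only this view (and root) may clear interface counters
  commands exec include-exclusive clear counters
 ! Local user that lands directly in the HELPDESK view at login
 username helpdesk view HELPDESK secret He1p-Secret
 end
! Verification (from the root view):
! show parser view all
```

A user in HELPDESK sees and can complete only the commands listed; "configure terminal", "reload" or "copy" are not merely denied but absent from the parser, which is the availability benefit the bulletin describes. When users are authenticated by an external TACACS+/RADIUS server instead, the view name is returned in the new VSA mentioned above rather than set on the local username.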

Benefits

With role-based CLI access control, access to CLI commands can be matched to users' operational job roles.

Security—Greatly enhances the security of the device by defining the set of CLI commands accessible to a particular user.

Availability—Prevents unintentional execution of CLI commands by unauthorized personnel, and the undesirable results that follow. This feature can greatly improve the availability of the device.

Operational Efficiency—Since users only see the CLI commands that are accessible to them, the operational usability of the device is greatly improved.

Hardware

Routers

Cisco 7200 Series

Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.38) Control Plane Policing Enhancements

Description

Control Plane Policing is a popular feature with many customers for protecting the control plane of the device from being overwhelmed with traffic (often from DoS attacks).

New enhancements in this release of Cisco IOS Software include SNMP access (by extending the cbQoS MIB) to the policy applied to the control plane, as well as an enhancement to the policy descriptor that allows the rate in the policy map to be specified in packets per second, as an alternative to the current bits-per-second specification.

Benefits

Ease of Management—Users can now view control plane policies via SNMP.

Operational Simplicity—With the addition of the packets-per-second specification in the control plane policy map, it may be easier for network administrators to describe the desired policy.

Hardware

Routers

Cisco 7200 Series


Product Management Contact: IOS-Security-PM@cisco.com

2.1.39) IP Source Tracker

Description

The IP Source Tracker feature allows you to gather information about the traffic flowing to a host that is suspected of being under attack. This feature also allows you to easily trace an attack back to its entry point into the network.

To trace attacks, NetFlow and access control lists (ACLs) are used together to determine the source. To block attacks, committed access rate (CAR) and ACLs are used.

Normally, when you identify the host that is subject to a DoS attack, you must determine the network ingress point to effectively block the attack. This process starts at the router closest to the host.

The IP Source Tracker feature provides an easy, more scalable alternative to output ACLs for tracking DoS attacks.

The IP Source Tracker works as follows:


Step 1. After you identify the destination being attacked, enable tracking for the destination address on the whole router by entering the ip source-track command.

Step 2. A special Cisco Express Forwarding (CEF) entry is created for the destination address being tracked. For line cards or port adapters that use specialized ASICs to do packet switching, the CEF entry is used to punt packets to the line card's or port adapter's CPU.

Step 3. Each line card CPU collects information about the traffic flow to the tracked destination (using NetFlow).

Step 4. The data generated is periodically exported to the router. To display a summary of the flow information, enter the show ip source-track summary command. To display more detailed information for each input interface, enter the show ip source-track command.

Step 5. Statistics provide a breakdown of the traffic to each tracked IP address. This allows you to determine which upstream router to analyze next. You can shut down the IP source tracker on the current router by entering the no ip source-track command, and re-open it on the upstream router.

Step 6. Repeat Step 1 through Step 5 until you identify the source of the attack.

Step 7. Apply CAR or ACLs to limit or stop the attack.
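The session below is an added example that walks the seven steps above on one router; it is not from the bulletin. The victim address 203.0.113.5, the interface and the CAR rates are placeholders.

```cisco
! Added example: tracing and then rate-limiting traffic aimed at a host
! under attack. 203.0.113.5, Serial0/0 and the rates are placeholders.
!
! Step 1: on the router closest to the victim, start tracking the destination
configure terminal
 ip source-track 203.0.113.5
 ! Optional: cap how many destinations may be tracked at once
 ip source-track address-limit 10
 end
!
! Steps 2-3 happen on the router: a CEF entry punts packets for the tracked
! address so each line card / port adapter CPU can account for them via NetFlow
!
! Step 4: review the exported statistics, first per tracked address...
show ip source-track summary
! ...then per input interface, which reveals where the traffic enters this router
show ip source-track
!
! Step 5: stop tracking here, then repeat Steps 1-4 on the upstream router
! that feeds the busiest input interface
configure terminal
 no ip source-track 203.0.113.5
 end
!
! Step 7: at the network entry point, rate-limit the traffic with CAR
! (64 kbps, 8000-byte normal and excess burst) instead of dropping it outright
configure terminal
 access-list 150 permit ip any host 203.0.113.5
 interface Serial0/0
  rate-limit input access-group 150 64000 8000 8000 conform-action transmit exceed-action drop
 end
```

Because tracking is keyed on the destination address, the same commands apply unchanged on each upstream router; only the interface in Step 7 changes once the ingress point is found.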

Figure 20

IP Source Tracker

Benefits

Complete Network Coverage: Because the IP Source Tracker feature is now supported on all platforms it allows you to track DoS attacks across your entire network.

Complete Tracking Information Provided: The IP source tracker generates all the necessary information in an easy-to-use format to track the network entry point of a DoS attack.

Tracking an Unlimited Number of IPs Simultaneously: Using the IP source tracker, you can track multiple IPs at the same time. By default there is no limit. To limit the number of IPs that are simultaneously tracked, use the ip source-track address-limit command.

Hardware

Routers

Cisco 800, 1700, 2600, 7200, and 7500 Series

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.40) Per VRF TACACS+ Support

Description

The Per VRF AAA functionality enables AAA services to be based on VPN routing and forwarding (VRF) instances. The Provider Edge (PE) or Virtual Home Gateway (VHG) can now communicate directly with the customer's TACACS+ server. In this version of Cisco IOS Software, the TACACS+ protocol is VRF aware, in addition to the RADIUS protocol, which has been VRF aware since Cisco IOS Release 12.2(15)T.

Benefits

Per VRF support for TACACS+.

Scalable Solution—Customers who use TACACS+ can now support user assignment on a per-VRF level, making it much more scalable and manageable.
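An added example of a PE reaching a customer's TACACS+ server inside that customer's VRF (not from the bulletin). The VRF name, route distinguisher, addresses, loopback and key are placeholders.

```cisco
! Added example: Per VRF TACACS+ on a PE / VHG.
! VRF name, RD, addresses and the shared key are placeholders.
ip vrf CUST-A
 rd 65000:10
! Source interface living inside the customer VRF
interface Loopback10
 ip vrf forwarding CUST-A
 ip address 10.10.0.1 255.255.255.255
aaa new-model
! Private server group bound to the VRF: the TACACS+ server at 10.10.5.5
! is reached through CUST-A's routing table, not the global one
aaa group server tacacs+ CUST-A-TAC
 server-private 10.10.5.5 key CUST-A-TAC-KEY
 ip vrf forwarding CUST-A
 ip tacacs source-interface Loopback10
! Method list used for this customer's sessions; fall back to local if unreachable
aaa authentication login CUST-A-LOGIN group CUST-A-TAC local
aaa authorization exec CUST-A-EXEC group CUST-A-TAC local
! Verification:
! show tacacs
```

Overlapping customer address space is the point: two customers can both run their TACACS+ server on 10.10.5.5, each in its own VRF-bound server group, and the PE keeps them apart.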

Hardware

Routers

Cisco 7200 and 7500 Series


Product Management Contact: IOS-Security-PM@cisco.com

2.1.41) Cisco IOS Firewall for IPv6

Cisco IOS Firewall provides advanced traffic filtering and stateful packet inspection functionality as an integral part of a network. In addition to providing filtering of Layer 4 through Layer 7 traffic for IPv4 networks, Cisco IOS Firewall now extends the same support for IPv6 topologies. Key features supported in this release include:

Layer 4 inspection (ICMP, UDP, TCP), including IP fragment inspection of IPv6 packets. Simple TCP/IP applications, such as Web browsers and telnet clients, are also covered by the Layer 4 inspection.

Tracking of TCP sequence numbers, dropping packets that fall outside the expected range. ICMP echo request/reply packets are inspected using ICMPv6.

Support for IPv6 fragmented packets. The fragment header is used to trigger fragment processing. Cisco IOS Firewall virtual fragment reassembly (VFR) performs the following functions on fragments:

Examine out-of-sequence fragments and switch the packets in order.

Examine the number of fragments from a single IP address for a given identifier (to detect fragment-based DoS attacks).

Perform virtual reassembly to hand off to upper-layer protocols.

IPv6 DoS attack mitigation mechanisms are supported in the same fashion as in the current IPv4 implementation.

IPv6 packets tunneled in IPv4 to an IPv4 destination are terminated on the Cisco IOS Firewall router and inspected.
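The configuration below is an added example (not from the bulletin) of the Layer 4 inspection and fragment handling listed above on a two-interface router. Interface names, prefixes and the rule name are assumptions.

```cisco
! Added example: Cisco IOS Firewall for IPv6 on a two-interface edge router.
! Interface names, prefixes and the inspection rule name are placeholders.
ipv6 unicast-routing
! Stateful Layer 4 inspection of TCP, UDP and ICMPv6 sessions
ipv6 inspect name V6FW tcp
ipv6 inspect name V6FW udp
ipv6 inspect name V6FW icmp
! Outside ACL: nothing unsolicited enters; inspection opens return holes
! for sessions that inside hosts started. Neighbor discovery must stay open.
ipv6 access-list OUTSIDE-IN
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
interface FastEthernet0/0
 description Inside
 ipv6 address 2001:db8:1::1/64
 ! Inspect sessions leaving the inside network
 ipv6 inspect V6FW in
interface FastEthernet0/1
 description Outside
 ipv6 address 2001:db8:2::1/64
 ipv6 traffic-filter OUTSIDE-IN in
 ! Virtual fragment reassembly: reorder fragments, count fragments per
 ! identifier (fragment-flood DoS) and reassemble before inspection
 ipv6 virtual-reassembly
! Verification:
! show ipv6 inspect sessions
! show ipv6 virtual-reassembly FastEthernet0/1
```

Applying VFR on the outside interface is deliberate: fragments are reassembled where they arrive, so the Layer 4 inspection on the return path always sees whole packets rather than a first fragment whose transport header is missing.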

For additional information, refer to Cisco IOS Firewall documentation at: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d65f4.html

Figure 21

Cisco IOS Firewall for IPv6

Benefits

Cisco IOS Firewall now enables users to deploy firewalls in both IPv4 and IPv6 networks on the same platform. Benefits include:

Stateful packet inspection of TCP, UDP, ICMP sessions.

Coexistence in IPv4 and IPv6 environments.

Inspect traffic and mitigate network attacks trying to exploit IPv4 and IPv6 fragments.

Stateful inspection of packets originating from the IPv4 network terminating in an IPv6 environment by providing v4 to v6 translation services.

Ability to interpret or recognize most IPv6 Extension Header information such as routing header, hop-by-hop Options header, fragment header and Destination Option header.

Hardware

Routers

Cisco 1700—7200 Series


Product Management Contact: IOS-Security-PM@cisco.com

2.1.42) Transparent Cisco IOS Firewall

Description

This feature is sometimes referred to as a Layer 2 firewall. Conventional Layer 3 firewalls require the existing network architecture to be split into three subnets comprising the inside, outside and DMZ segments. A network not designed to accommodate this subnetted architecture would have to be re-architected and/or renumbered to securely deploy a Layer 3 firewall. This is time consuming, resource intensive, and not technically feasible in some deployment scenarios.

Most commercial firewalls operate in either transparent mode or conventional Layer 3 mode. The Cisco IOS Firewall is designed to operate in both modes simultaneously and allows for better total ROI by reducing the firewall requirements of an organization.

The following diagram depicts a retail store network with the Transparent Cisco IOS Firewall deployed. Cisco now has a firewall that can protect the network by applying the appropriate Layer 2 MAC access control lists and Layer 3 IP access control lists.

Figure 22

Transparent Cisco IOS Firewall Deployment

The transparent firewall is configured just like the current Layer 3 firewall, using the "ip inspect" command. The "ip inspect ... in/out" command can be configured on any of the bridged interfaces for Layer 2 protection, while also being configured on any LAN or serial interfaces to provide traditional Layer 3 protection. The transparent firewall operates on bridged packets, and the Layer 3 firewall continues to operate on routed packets.
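As an added example (not from the bulletin), the configuration below places the firewall between two bridged interfaces on one subnet, so no host is readdressed; the untrusted side could be a wireless access point as described in the benefits. Interface roles, the bridge number, the ACL number and the BVI address are assumptions.

```cisco
! Added example: Transparent (Layer 2) Cisco IOS Firewall between two
! bridged interfaces on the same subnet. Numbers and addresses are placeholders.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
! Same inspection rule syntax as the Layer 3 firewall
ip inspect name L2FW tcp
ip inspect name L2FW udp
ip inspect name L2FW icmp
! Nothing may be initiated from the untrusted segment; inspection opens
! dynamic entries for return traffic of sessions the trusted side started
access-list 110 deny ip any any log
interface FastEthernet0/0
 description Trusted segment (wired hosts)
 no ip address
 bridge-group 1
 ip inspect L2FW in
interface FastEthernet0/1
 description Untrusted segment (e.g. wireless access point)
 no ip address
 bridge-group 1
 ip access-group 110 in
! Management address for the router itself, still on the hosts' subnet
interface BVI1
 ip address 192.168.1.254 255.255.255.0
! Verification:
! show ip inspect sessions
! show bridge 1
```

To permit selected devices on the untrusted side through (the per-device benefit mentioned above), add permit lines for those hosts ahead of the deny in ACL 110; everything else on that same subnet stays blocked.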

Benefits

The Transparent Cisco IOS Firewall offers several distinctive advantages over conventional Layer 3 Firewalls.

Ability to insert a Stateful Layer 2 firewall within an existing network.

No need to readdress statically addressed devices when a firewall is introduced into the network. It can be deployed into existing networks without creating any Layer 3 subnet separations and offers complete Cisco IOS Firewall functionality (TCP, UDP, ICMP and application support).

Untrusted wireless access points that are part of an existing network can be seamlessly deployed behind the Transparent Cisco IOS Firewall to provide added security to wireless users.

It can be deployed on VLAN trunks running between switches and routers for added security.

Users can allow selected devices from a subnet to traverse the firewall while denying access to other devices on the same subnet.

Ability to provide both Layer 2 and Layer 3 firewalling capabilities on the same router.

Hardware

Routers

Cisco 800—2600 Series


Product Management Contact: IOS-Security-PM@cisco.com

2.1.43) Extended Simple Mail Transport Protocol

Description

Cisco IOS Firewall has always detected and blocked SMTP attacks (illegal SMTP commands) and issued alerts when it detects an SMTP attack. The firewall detects a limited number of SMTP attack signatures. A signature in a syslog message indicates a possible attack against the protected network, such as the detection of illegal SMTP commands in a packet. Whenever a signature is detected, the connection is reset.

The Cisco IOS Firewall now supports the inspection of ESMTP (Extended Simple Mail Transport Protocol) by inspecting SMTP commands for legality. Commands that will be inspected include AUTH, DATA, EHLO, ETRN, HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML and VRFY. All others are considered illegal. RFC 1869 describes the SMTP Service Extensions.

Included in the current SMTP implementation is an IDS signature capability built into the Cisco IOS Firewall. The SMTP firewall currently scans for a set of hard-coded attack signatures. The detection of a signature causes the Cisco IOS Firewall to raise an alert message and close the SMTP session. There are 11 "IDS Sensor" attack signatures, and five have always been integrated into the Cisco IOS Firewall SMTP implementation.

Signature          Description
Mail: bad rcpt     Triggers on any mail message with a "pipe" ( | ) symbol in the recipient field.
Mail: bad from     Triggers on any mail message with a "pipe" ( | ) symbol in the "From:" field.
Mail: old attack   Triggers when "wiz" or "debug" commands are sent to the SMTP port.
Mail: decode       Triggers on any mail message with a ":decode@" in the header.
Majordomo          A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.
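An added example (not from the bulletin) of enabling the ESMTP inspection described above in front of an internal mail server, with the alert and audit messages sent to a syslog host so signature hits are recorded. The server address, syslog host, ACL number and interface are placeholders.

```cisco
! Added example: ESMTP inspection protecting an internal mail server.
! Addresses, ACL number and interface are placeholders.
! Inspection rule: only the ESMTP command set listed in the bulletin is
! accepted; other commands, and the built-in SMTP signatures, reset the session
ip inspect name MAILFW esmtp
! Send signature alerts and session audit records to syslog
logging host 192.0.2.50
logging trap informational
ip inspect audit-trail
! Outside ACL: only SMTP to the mail server may be initiated from outside
access-list 120 permit tcp any host 192.0.2.25 eq smtp
access-list 120 deny ip any any
interface FastEthernet0/1
 description Outside, facing the Internet
 ip access-group 120 in
 ! Inspect mail sessions as they enter from the outside
 ip inspect MAILFW in
! Verification:
! show ip inspect config
! show ip inspect sessions
```

With the audit trail on, a reset triggered by one of the signatures in the table above (for example a pipe symbol in the recipient) appears as a firewall alert in the syslog stream, which is the record an incident responder will want when a mail server is probed.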


Benefits

The Cisco IOS Firewall now dynamically supports the traversal of ESMTP messages.

Able to identify ESMTP/SMTP attacks with built in IDS signature capability.

Hardware

Routers

Cisco 800-2600 Series


Product Management Contact: IOS-Security-PM@cisco.com

2.1.44) Key Rollover for Certificate Renewal

Description

Automatic certificate enrollment was introduced to allow the router to automatically request a certificate from the certification authority (CA) server. By default, the automatic enrollment feature requests a new certificate when the old certificate expires. Connectivity can be lost while the request is being serviced, because the existing certificate and key pair are deleted immediately after the new key is generated. The new key does not have a matching certificate until the process is complete, and incoming Internet Key Exchange (IKE) connections cannot be established until the new certificate is issued. The Key Rollover for Certificate Renewal feature allows the certificate renewal request to be made before the certificate expires and retains the old key and certificate until the new certificate is available.

Figure 23

Key Rollover for Certificate Renewal

Benefits

Certificate autoenrollment with key rollover allows you to configure your router to automatically request a certificate from the certification authority (CA) using the parameters in the configuration. Thus, operator intervention is no longer required at the time the enrollment request is sent to the CA server. When the certificate expires, a new certificate is requested. This provides unattended recovery from certificate expiration.
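An added example of a trustpoint configured for the behaviour described above (not from the bulletin). The trustpoint name, enrollment URL, subject name and key-pair label are placeholders; the renewal percentage is an illustrative choice.

```cisco
! Added example: autoenrollment with key rollover.
! Trustpoint name, URL, subject and key label are placeholders.
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 subject-name CN=branch1.example.com,OU=Branch
 rsakeypair BRANCH1-KEY
 ! Request renewal when 70 percent of the certificate lifetime has elapsed
 ! and generate a fresh key pair for it. The current key and certificate
 ! stay in service until the CA has issued the new certificate, so IKE
 ! peers keep authenticating throughout the rollover.
 auto-enroll 70 regenerate
 revocation-check crl
! Verification: shows both the active and the pending (rollover) certificate
! show crypto pki certificates
! show crypto pki timers
```

Without the "regenerate" keyword the renewal reuses the existing key pair; the rollover still avoids the outage, but a key that is suspected of compromise would be carried into the new certificate, so regenerating at each renewal is the safer default.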

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, and 7400


Product Management Contact: IOS-Security-PM@cisco.com

2.1.45) PKI: Query Multiple Servers during Certificate Revocation Check

Description

When validating an X.509 certificate presented by a peer, the Certificate Revocation List (CRL) is checked to make sure the certificate has not been revoked by the issuing Certificate Authority (CA). The certificate usually contains a Certificate Distribution Point (CDP) in the form of a URL. Cisco IOS Software uses the CDP to locate and retrieve the CRL.

Previous versions of Cisco IOS Software make only one attempt to retrieve the CRL, even when the certificate contains more than one CDP. If the CDP server does not respond, the Cisco IOS Software reports an error which may result in the peer's certificate being rejected.

Cisco IOS Software Release 12.3(103)T introduces the ability for Cisco IOS Software to use all of the available CDPs in a certificate. Cisco IOS Software attempts to retrieve a CRL until all of the CDPs in the certificate have been tried. In addition, this feature introduces the ability to override the CDPs in a certificate with a manually configured CDP.

Figure 24

Checking the Certificate Revocation List

Benefits

This feature introduces the ability for Cisco IOS Software to make multiple attempts to retrieve the CRL, allowing operations to continue when a particular server is not available. In addition, the ability to override the CDPs in a certificate with a manually configured CDP has been introduced. Manually overriding the CDPs in a certificate can be advantageous when a particular server may be unavailable for an extended period of time. The certificate's CDPs can be replaced with a URL or directory specification without re-issuing all of the certificates containing the original CDP.
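The following is an added example of the manual CDP override described above (not from the bulletin). The trustpoint, certificate map, issuer name and mirror URL are placeholders.

```cisco
! Added example: overriding the CRL distribution point for certificates
! issued by one CA. Trustpoint, map name, issuer and URL are placeholders.
! Certificate map selecting the certificates whose CDP should be replaced
crypto pki certificate map CORP-CA-CERTS 10
 issuer-name co cn = corp ca
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 ! Revocation checking stays mandatory: a peer whose CRL cannot be
 ! fetched from any CDP is rejected
 revocation-check crl
 ! For matching certificates, fetch the CRL from an internal mirror
 ! instead of the CDP(s) embedded in the certificate
 match certificate CORP-CA-CERTS override cdp url http://crl-mirror.example.com/corp.crl
! Verification: inspect the cached CRL and where it came from
! show crypto pki crls
```

Without the override line, the router tries every CDP in the certificate in turn, which is the new default in this release; the override is for the case where all of the embedded CDPs point at a server that will be down for a long time and re-issuing certificates is not practical.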

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, and 7400


Product Management Contact: IOS-Security-PM@cisco.com

2.1.46) Virtual Private Network Routing and Forwarding Instance Integrated Dynamic Multipoint VPN

Virtual Private Network (VPN) Routing and Forwarding (VRF) Instance Integrated Dynamic Multipoint VPN (DMVPN) enables users to map site-to-site DMVPN IPsec sessions into Multiprotocol Label Switching (MPLS) VPNs. This allows service providers to extend their existing MPLS VPN service by mapping off-net sites (typically a branch office) to their respective VPNs. IPsec sessions are terminated on the DMVPN PE device and traffic is placed in VRFs for MPLS VPN connectivity. Specifically, work was done to extend the Next Hop Routing Protocol (NHRP) to look into the VRF Tables while building the database of spoke addresses in the hub.

Figure 25

Dynamic Multipoint VPN

Benefits

DMVPNs can be used to extend the MPLS networks deployed by service providers, taking advantage of the ease of configuration of hubs and spokes, support for dynamically addressed CPEs, and zero-touch provisioning for adding new spokes to a DMVPN.

DMVPN architecture can coalesce many spokes into a single multipoint GRE interface, removing the need for a distinct physical/logical interface for each spoke in a native IPsec installation.

Hardware

Routers

Cisco 1700, 2600, 3600, 7200, and 7400 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.47) Network Address Translation (NAT)—Transparency Aware DMVPN

When a DMVPN spoke needs to send a packet to a destination (private) subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke. The DMVPN hub maintains an NHRP database of the tunnel endpoints and the physical addresses of the spokes. In the diagram, it is very likely that spokes in a DMVPN cloud are given the same physical address by the NAT boxes sitting in front of them. As the spokes often have no control over the addresses provided to them by the ISP, DMVPN was enhanced to work for spokes behind a NAT box.
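The hub configuration below is an added example serving both the VRF-integrated DMVPN feature (2.1.46) and the NAT-transparency enhancement above (2.1.47); it is not from the bulletin. The VRF name, route targets, addresses, NHRP network ID and pre-shared key are placeholders. Spoke-side configuration is omitted.

```cisco
! Added example: DMVPN hub that places spoke traffic into an MPLS VPN VRF and
! accepts spokes behind NAT. VRF, addresses, IDs and keys are placeholders.
ip vrf CUST-A
 rd 65000:10
 route-target both 65000:10
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Wildcard pre-shared key: spoke outside addresses are dynamic / NATed
crypto isakmp key SPOKE-KEY address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 ! Transport mode is required for the NAT-T UDP encapsulation of GRE/IPsec
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
! NAT traversal (UDP encapsulation when a NAT box is detected) is on by
! default; stated explicitly here for clarity
crypto ipsec nat-transparency udp-encapsulation
interface Tunnel0
 description DMVPN hub for customer A
 ! Inner (decrypted) traffic lands in the customer VRF; NHRP builds its
 ! spoke database inside this VRF
 ip vrf forwarding CUST-A
 ip address 10.100.0.1 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ! Outer tunnel endpoint stays in the global (provider) table
 tunnel source Serial0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
! Verification:
! show ip nhrp vrf CUST-A
! show crypto ipsec sa
```

Two spokes whose NAT boxes present the same public address are told apart by the NHRP database on the hub, which records each spoke's tunnel address together with the NATed outside address and port it was reached on.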

Figure 26

Hardware

Routers

Cisco 1700, 2600, 3600, 7200, and 7400 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.48) SEAL Encryption

The Software Encryption Algorithm (SEAL) Encryption feature adds support for SEAL in IP Security (IPsec) implementations. SEAL encryption is an alternative to software-based Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES). SEAL has a lower impact on the CPU than other software-based algorithms. It uses a 160-bit key for encryption and provides adequate encryption for many applications. SEAL encryption is recommended for use on IPsec peers without hardware crypto accelerators. Configuring SEAL also requires the use of an authentication transform, and the SEAL transform cannot be used with a manually keyed crypto map.
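An added example of a SEAL transform set that respects the two constraints just stated (not from the bulletin). Peer address, transform-set and map names and the ACL are placeholders.

```cisco
! Added example: SEAL transform set for a software-only IPsec peer.
! Names, peer address and ACL are placeholders.
! SEAL must be paired with an authentication transform (here ESP with SHA-HMAC)
crypto ipsec transform-set SEAL-TS esp-seal esp-sha-hmac
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! IKE-negotiated (ipsec-isakmp) entry: a manually keyed map (ipsec-manual)
! is not allowed with SEAL
crypto map SOFTCRYPTO 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set SEAL-TS
 match address 101
! Verification:
! show crypto ipsec transform-set
```

Omitting the authentication transform would leave the SEAL ESP payload unauthenticated, so the CLI rejects such a transform set; the pairing above is the minimal valid form.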

For additional information, please visit:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801e9e7e.html

Product Management Contact: IOS-Security-PM@cisco.com

2.1.49) Control Plane Policing

Packets sent to an address of the networking device itself are processed by the control plane (Route Processor [RP]). There is potential for a denial of service (DoS) on the router if the control plane is overwhelmed with packets.

Cisco Control Plane Policing protects the control plane by using QoS policies to limit the incoming traffic destined to it. Users define the policy most suitable for their environment with QoS policy maps that control the volume of each type of traffic the control plane will process, thereby reducing the traffic the control plane must handle and lowering the chance of a successful DoS attack.
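As an added example (not from the bulletin), a minimal Control Plane Policing configuration in Cisco IOS CLI: the ACL numbers, class and policy names, the 192.0.2.0/24 management network, and all rates are constructed placeholders to be adapted per environment.

```cisco
! Added example, not from the bulletin. Addresses, names and rates are placeholders.
! 1. Classify traffic destined to the router itself.
!    192.0.2.0/24 stands in for the management network.
access-list 120 remark CoPP: management sessions from the NOC
access-list 120 permit tcp 192.0.2.0 0.0.0.255 any eq 22
access-list 120 permit udp 192.0.2.0 0.0.0.255 any eq snmp
access-list 121 remark CoPP: ICMP from anywhere, rate-limited rather than blocked
access-list 121 permit icmp any any
!
class-map match-all COPP-MGMT
 match access-group 120
class-map match-all COPP-ICMP
 match access-group 121
!
! 2. Police each class. Rates are in bps, bursts in bytes.
!    Management traffic is metered but never dropped; ICMP and anything not
!    otherwise classified is capped so the RP cannot be flooded.
!    Routing protocols and other traffic the router must receive should get
!    their own class before relying on class-default, or they will be policed too.
policy-map COPP-POLICY
 class COPP-MGMT
  police 512000 8000 conform-action transmit exceed-action transmit
 class COPP-ICMP
  police 32000 1500 conform-action transmit exceed-action drop
 class class-default
  police 64000 1500 conform-action transmit exceed-action drop
!
! 3. Apply the policy inbound to the control plane (the route processor).
control-plane
 service-policy input COPP-POLICY
```

`show policy-map control-plane` reports conformed and exceeded counters per class; a steadily rising exceeded count in a class is the indicator that the policer, rather than the RP, is absorbing a flood.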

Benefits

Control plane policing reduces the likelihood of a successful DoS attack by policing the rate of incoming traffic destined to the control plane.

Easily defined through QoS policy maps.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200 Series

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.50) Secure Shell Version 2

Secure Shell Version 2 (SSHv2) provides strong authentication and encryption capabilities. It supports logging into the router remotely for secure management and administration, executing commands remotely, and moving files from one host to another.

Figure 27

SSHv2

Benefits

Protects against host spoofing, password sniffing, and eavesdropping by providing a secure session.

Provides capabilities to a network administrator for secure remote configuration and management.

Improved security compared to SSHv1.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, 7400, and 7500 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.51) Secure Access Mode—Silent Mode

When packets are destined to the processor, the control plane makes a decision that may include discarding the packet. When a packet is discarded, the control plane may return additional information about why it was dropped (for example, an ICMP unreachable message). Hackers use this drop information for reconnaissance when preparing an attack.

Silent Access Mode is a new feature that provides the means to define a policy (via a QoS policy map) governing what information is returned for discarded packets; in effect, it is outbound filtering on the control plane.

Benefits

Improves the security posture of the Cisco IOS Software devices by returning no error messages for discarded packets:

Makes hacker reconnaissance more challenging.

Policy definition offers flexibility to define relevant information to be communicated about discarded packets.

Reduces the risk of an attack against the router.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series

Cisco 3640 and 3660 Routers


Additional Information: http://www.cisco.com/warp/public/732/Tech/security/

Product Management Contact: IOS-Security-PM@cisco.com

2.1.52) Image Verification

To allow the integrity of Cisco IOS Software images to be verified, Cisco publishes an MD5 hash of each image. Because the MD5 hash is published on Cisco.com, users have to perform the verification themselves:

Generate the MD5 hash of the image, either with the Cisco IOS Software "verify" CLI command or with MD5 software running on a separate server.

Manually compare the computed MD5 hash with the value published on Cisco.com, or include the Cisco.com value as part of the verify command.

As of Cisco IOS Software Release 12.3(4)T, Cisco IOS Software images embed the MD5 hash within the image to simplify this process:

Instead of only generating an MD5 hash, the "verify" command now returns three MD5 values and performs the verification:

1. Computed MD5: the MD5 hash computed over the image

2. Embedded MD5: the MD5 value embedded in the IOS image

3. CCO MD5: the MD5 value published on Cisco.com

4. If the computed and embedded values are the same, image verification is considered successful

Additionally, several common Cisco IOS Software image CLI commands have been extended:

1. The copy command now has a "verify|noverify" option that automatically performs MD5 hash validation.

2. The reload command also has a "verify|noverify" option that automatically performs MD5 hash validation.

3. Users can also enter the new configuration command "file verify auto", after which the copy and reload commands automatically include the "verify" option.
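As an added example (not from the bulletin), the image verification commands described above as they would be typed on a Cisco IOS router; the image file name, TFTP server and hash value are placeholders.

```cisco
! Added example, not from the bulletin. <image-file>, <tftp-server> and
! <md5-from-cisco.com> are placeholders for the real values.
!
! Manual check: hash the image already in flash and compare it, in one step,
! against the value copied from the download page on Cisco.com. A match with
! the embedded hash only shows the file is intact; the comparison with the
! published value is what ties it back to Cisco.
verify /md5 flash:<image-file>.bin <md5-from-cisco.com>
!
! Verify while copying: the transfer is rejected if the hashes do not match.
copy /verify tftp://<tftp-server>/<image-file>.bin flash:
!
! Verify again immediately before the image is booted.
reload /verify
!
! Or make verification the default so that plain "copy" and "reload" behave
! as if /verify had been given.
configure terminal
 file verify auto
 end
```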

Benefits

Image Verification automates the validation process of the Cisco IOS Software image running on the router by providing automated checks during the download process:

Simplifies the Cisco IOS Software image verification process.

Improves the security of the router by preventing corrupted Cisco IOS Software images from being loaded onto the router.

Removes the need to trust that network administrators perform this check manually when upgrading a router.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.53) Login Enhancements—Password Retry Delay

Cisco IOS Login Enhancements increase the security of the networking device by adding a time-based dimension to user login. Network administrators can specify a delay between login retries to slow dictionary attacks. User account lockout can now include a time period within which a user must succeed in logging on to the device.
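As an added example (not from the bulletin), a login-enhancement configuration in Cisco IOS CLI combining the retry delay with a time-based lockout; the timers, attempt counts and the 192.0.2.0/24 management network in ACL 10 are constructed values.

```cisco
! Added example, not from the bulletin. Timers, counts and ACL 10 are constructed values.
configure terminal
 ! Enter quiet mode (reject all login attempts) for 120 s once 3 failures
 ! occur within any 60 s window.
 login block-for 120 attempts 3 within 60
 ! During quiet mode still accept connections from the hosts permitted by
 ! ACL 10, so administrators are not locked out along with the attacker.
 access-list 10 permit 192.0.2.0 0.0.0.255
 login quiet-mode access-class 10
 ! Enforce a 2 s pause between successive login attempts on a session
 ! (the password retry delay; requires login block-for to be configured).
 login delay 2
 ! Log every failed and successful login so lockouts can be correlated in syslog.
 login on-failure log
 login on-success log
 end
```

`show login` displays the active parameters and whether the router is currently in quiet mode, and `show login failures` lists the recent failed attempts that led there.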

Benefits

Cisco IOS Login Enhancements add a new dimension to the current Cisco IOS Software login/password method by providing new tools to prevent unwanted access to the networking device:

Delays potential dictionary attacks.

Adds new flexibility to lock out unwanted attempts to access the device.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.54) Router IP Traffic Export

The Router IP Traffic Export feature is a lightweight mechanism to export IP packets as they arrive at or leave the router. A designated Ethernet interface is used for exporting captured IP packets out of the router. The objective is to export raw IP packets in their unaltered form to a designated server, analyzer, or security device connected directly to the router's export interface for further analysis.

Filter capability (using an ACL) helps focus on exporting only traffic of interest.

A sampling option is available to minimize the volume of traffic exported.

An Ethernet port can be used with either a MAC/802.1q/ISL address associated with the destination host or an IP address.

Syslog information is provided when the feature is activated or deactivated.

Benefits

A lightweight mechanism embedded in Cisco IOS Software to export IP traffic.

Alleviates the need to attach an in-line device to capture traffic destined to or from the network device.

Ability to monitor multiple interfaces simultaneously by connecting to a single interface.

Filtering capability to focus on only traffic of interest.

Add or remove traffic analyzers for in-line analysis without disrupting the network connection.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.55) Cisco IOS Easy VPN Remote Phase 3.2

Cisco IOS Easy VPN Remote allows Cisco IOS Software routers to act like a PC IPsec software client (Unity Client). Cisco IOS Easy VPN simplifies router configuration and deployment dramatically by allowing IPsec VPN parameters to be pushed down from the concentrator (Easy VPN Server), which can also be a Cisco IOS Software router.

Phase 3.2 introduces two new features:

Xauth password and username saving option.

Backup Peers (multiple peer support, stateless failover with Dead Peer Detection).

Figure 28

Cisco IOS Easy VPN Remote Phase 3.2

Benefits

Xauth Password and Username Saving Option

Currently, when Xauth authentication is enabled, a user must Telnet to the CLI to type in the Xauth username and password. The saving option allows the Cisco IOS Easy VPN Remote router to save the Xauth username and password, so that the user does not have to retype them when the tunnel is established again.

Backup Peers (multiple peer support, stateless failover with Dead Peer Detection)

The other new addition is the locally configured backup peer list: a list of multiple Easy VPN Servers that are tried in turn when building an IPsec tunnel if the previous server on the list is unavailable. Failover to the next server on the list also occurs if the Hello timers of the dead peer detection routines expire. This feature increases VPN availability by allowing backup servers to be used when the primary server is unavailable.

Hardware

Routers

Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

Cisco 3640 and 3660 Routers


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftezvpnr.htm

Product Management Contact: IOS-Security-PM@cisco.com

2.1.56) Cisco IOS Certificate Server

Cisco IOS Certificate Server embeds a certificate server into the Cisco IOS Software. The router can now act as a Certificate Authority on the network.

Figure 29

Cisco IOS Certificate Server

Benefits

Offers a simpler solution to deploy IPsec VPN with certificates.

Provides relief from the expense and workload of configuring a full-function third-party Certificate Authority.

Simpler, easier, and less expensive Public Key Infrastructure (PKI) deployment.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, and 7200

Cisco 3640 and 3660 Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.57) VPN Access Control using 802.1x Authentication

VPN Access Control using 802.1x Authentication allows Enterprise employees to access their enterprise networks from home while allowing other household members to access only the Internet. The feature uses the Institute of Electrical and Electronics Engineers (IEEE) 802.1x protocol framework to achieve the VPN access control. The authenticated employee has access to the VPN tunnel and others (unauthenticated users on the same LAN) have access only to the Internet. This feature is targeted to the SOHO/Telecommuter market segment.

Figure 30

VPN Access Control using 802.1x Authentication

Benefits

Enforces corporate policy for network access by home, telecommuter, and day-time extender users.

Authenticates at Layer 2 so that only authenticated traffic can use the VPN tunnels to reach corporate resources.

Hardware

Routers

Cisco 806, 831, 836, 837, 1701, 1710, 1721, 1751-V, and 1760 Routers


Additional Information:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm

Product Management Contact: IOS-Security-PM@cisco.com

2.1.58) Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for Open Shortest Path First Version 3

IPv6 specifications mandate the implementation of IPsec to enable end-to-end security. The first IPv6 IPsec implementation in Cisco IOS Software secures the exchanges between routers that run Open Shortest Path First version 3 (OSPFv3). In OSPFv3 (RFC 2740), the authentication field has been removed from the OSPF header; instead, OSPFv3 relies on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security Payload (ESP) to ensure the integrity, authentication, and confidentiality of routing exchanges. Data traffic encryption is not supported in this first phase.

Reference: draft-ietf-ospf-ospfv3-auth

Figure 31

Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for OSPFv3

Benefits

Encrypting routing protocol exchanges increases the security of the Internet infrastructure. OSPFv3 IPsec support is another step in the Cisco IPv6 support strategy.

Hardware

Routers

Cisco 800—7500 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.59) Cisco IOS Firewall Access Control Lists Bypass

Cisco IOS Firewall Access Control Lists (ACL) Bypass enhances the performance of Cisco IOS Firewall by removing multiple lookups on the return traffic passing through the router. The previous implementation performed several checks on each packet of the return traffic of an existing firewall flow: the input ACL search, the output ACL search, and the inspection session search. Now the check is done only once: packets are marked before the input ACL search if they belong to an existing firewall session, and this marking is used to skip the input and output dynamic ACL searches.

Figure 32

Cisco IOS Firewall ACL Bypass

Benefits

The primary benefit is a throughput improvement of approximately 10% for Cisco IOS Firewall. The feature is transparent to the user, because there are no configuration changes to enable or disable it.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, and 7000 Series Routers


Product Management Contact: IOS-Security-PM@cisco.com

2.1.60) User Management Enhancements for Easy VPN Server

This feature includes the following enhancements:

RADIUS Support for User Profiles:

RADIUS attributes can now be applied on a per-user basis. If you apply attributes on a per-user basis, you can override a group attribute value with the individual user attribute. The attributes are retrieved at the time user authentication via Xauth occurs; they are then combined with the group attributes and applied during Mode Configuration.

Session Monitoring for VPN Group Access:

It is now possible to limit the maximum number of connections to a specific server group as well as the number of simultaneous logins for users in that group. After user-defined thresholds are set for each VPN group, new connections are denied until existing connections drop below these thresholds. The limit can be specified in the CLI or on a RADIUS server, such as CiscoSecure ACS. When the feature is enabled on the router itself, only connections to groups on that specific device are monitored.

Benefits

Enables customized per-user policy control when using RADIUS.

Alleviates the need for local configuration on the router and enables user mobility through the use of RADIUS.

Ability to limit the number of users according to the available network resources.

For more information contact: IOS-Security-PM@cisco.com

2.1.61) IPsec VPN Monitoring

The IPsec Virtual Private Network (VPN) Monitoring feature provides VPN session monitoring enhancements that assist in troubleshooting the VPN and in monitoring the end-user interface. Session monitoring enhancements include the following:

Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file.

Summary listing of crypto session status.

Syslog notification for crypto session up or down status.

Ability to clear both IKE and IPsec security associations (SAs) using one command-line interface (CLI).

Benefits

Simplified listing for current active IPsec tunnels.

Granular control and monitoring on a per-session basis.

Real-time reporting of session change activity via syslog.

For more information contact: IOS-Security-PM@cisco.com

2.1.62) Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) allows users to enable OCSP instead of certificate revocation lists (CRLs) to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.
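As an added example (not from the bulletin), a trustpoint configuration in Cisco IOS CLI that checks certificate status with OCSP and falls back to the CRL only when the responder is unreachable; the trustpoint name and both URLs are placeholders.

```cisco
! Added example, not from the bulletin. CORP-CA, <ca-host> and <ocsp-responder>
! are placeholders for the real CA and responder.
configure terminal
 crypto pki trustpoint CORP-CA
  enrollment url http://<ca-host>/
  ! Revocation methods are tried in the order listed: query the OCSP responder
  ! first for timely status, and consult the (periodic) CRL only if the
  ! responder cannot be reached. Omitting both, or using "none", would accept
  ! revoked certificates.
  revocation-check ocsp crl
  ocsp url http://<ocsp-responder>/
 end
```

`show crypto pki trustpoints` confirms the configured revocation methods, and the OCSP responder URL specified on the trustpoint takes precedence over any Authority Information Access URL carried in the peer's certificate.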

Figure 33

OCSP

Benefits

OCSP provides revocation status information more frequently than CRLs, which provide only periodic updates.

OCSP allows a network administrator to configure a central OCSP server to collect and update CRLs from different certification authority (CA) servers; thus, the devices within the network can rely on the OCSP server to check the certificate status without retrieving and caching each CRL for every device.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 3700, 7200, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755b.html

Product Management Contact: IOS-Security-PM@cisco.com