
Cisco IOS Software Releases 12.4 T

Release 12.4T New Security Features and Hardware Support

Table Of Contents

Cisco IOS Software Release 12.4T Security Features

1) Introduction: Cisco IOS Software Release 12.4T

1.1) Migration Guide

1.2) Release 12.4T Additional Information

1.3) Cisco IOS Packaging

2) Release 12.4(15)T Highlights

2.1) Cisco IOS Security

3) Release 12.4(11)T Highlights

3.1) Cisco IOS Security

4) Release 12.4(9)T Highlights

4.1) Cisco IOS Security

5) Release 12.4(4)T Highlights

5.1) Cisco IOS Security

6) Release 12.4(2)T Feature Technology Highlights

6.1) Cisco IOS Security


Product Bulletin No. 3002

Cisco IOS Software Release 12.4T Security Features


Last Updated: July 2007

1) Introduction: Cisco IOS Software Release 12.4T

Cisco IOS® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

Cisco IOS® Software Release 12.4T integrates a comprehensive portfolio of new capabilities, including security, voice, and IP services, with powerful hardware support to deliver advanced services for Enterprise and access customers.

Release 12.4(15)T, the sixth release of the 12.4T family, streamlines the Cisco IOS Software upgrade process, provides sub-second link failure detection and faster convergence, delivers next-generation Layer 2-7 flexible packet classification, enhances intrusion protection and SSL VPN capabilities, and provides support for the new Cisco 7201 Router.

Release 12.4(11)T, the fifth release of the 12.4T family, delivers new Layer 2 VPN transport over MPLS capabilities, enhanced MPLS management, Mobile IPv6 authorization and identity support, and support for the high performance Network Processing Engine G2 (NPE-G2) and VPN Service Adapter (VSA) for the Cisco 7200 Series Router.

Release 12.4(9)T, the fourth release of the 12.4T family, delivers improved manageability, integrated IP communications capability, enhanced HTTP and P2P security, and faster routing protocol convergence.

Release 12.4(6)T, the third release of the 12.4T family, delivers highly available firewalls, comprehensive endpoint and network security for SSL VPN environments, and optimized bandwidth management for improved VoIP call quality.

Release 12.4(4)T, the second 12.4T release, enhances threat protection against malicious worm and virus attacks, improves performance monitoring of VoIP networks, and extends support for secure concurrent services on the Cisco 1800 Series Router.

Figure 1

New Technology and Maintenance Release Relationship

1.1) Migration Guide

Cisco recommends that customers running Release 12.3T or 12.3 (or prior) releases upgrade to the latest version of Release 12.4T or 12.4. Cisco IOS Software Release 12.4T continues to undergo rigorous ongoing testing and review cycles to continuously improve and increase reliability and quality.


Note: Release 12.3T reached End of Software Maintenance on June 7, 2007. Release 12.3 reached End of Sale on March 15, 2007, and will reach end of Software Maintenance on March 15, 2008. For additional information about milestones, please visit Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html


Figure 2 illustrates the current migration path from Cisco IOS Software Release 12.3T or 12.3 (or prior) into Release 12.4T or 12.4.

Figure 2

Release 12.4T Migration Plan

Customers interested in upgrading to Release 12.4 or 12.4T (or successor releases when they become available) should determine their functionality needs and choose the appropriate release.

1.2) Release 12.4T Additional Information

Cisco IOS Software Release 12.4T

Cisco IOS Software Releases 12.4 T—Products & Services—Cisco Systems

Cisco IOS Software Product Lifecycle Dates & Milestones, Product Bulletin No. 2214

http://www.cisco.com/en/US/products/ps6441/prod_bulletin0900aecd801eda8a.html

Changes to Cisco IOS Software Product Support in Release 12.4T, Product Bulletin No. 3000

http://www.cisco.com/go/124thardware/

Cisco IOS Software Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows you to quickly match Cisco IOS Software releases to features to hardware.

http://www.cisco.com/go/fn/

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://tools.cisco.com/Support/Fusion/FusionHome.do

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

1.3) Cisco IOS Packaging

Figure 3

Cisco IOS Packaging for Cisco Routers

2) Release 12.4(15)T Highlights

Table 1  Release 12.4(15)T Feature Highlights


2.1) Cisco IOS Security

2.1.1) Cisco IOS Intrusion Prevention System (IPS) Support for Microsoft Vulnerabilities

Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that enables Cisco IOS Software to effectively mitigate a wide range of network attacks. As a core facet of the self-defending network, Cisco IOS IPS enables the network to defend itself with the intelligence to accurately identify, classify, and stop or block malicious or damaging traffic in real time.

While it is common practice to defend against attacks by inspecting traffic at the data centers and corporate headquarters, distributing the defense to stop malicious traffic close to its entry point at the branch offices is also critical. Deploying inline Cisco IOS IPS at the branch enables gateways to drop offending traffic, send an alarm, block an attacker or reset a potentially malicious client-server connection as needed to stop attacking traffic at its point of origin.

Key benefits of Cisco IOS IPS features include:

Provides network-wide, distributed protection from many worms, viruses, and attacks exploiting vulnerabilities in operating systems and applications

Eliminates the need for a standalone IPS device at branch and telecommuter offices as well as in small and medium-sized business networks

Offers field-customizable worm and attack signature set and event actions

Offers inline inspection of traffic passing through any combination of router LAN and WAN interfaces in both directions

Works with Cisco IOS® Firewall, control-plane policing, and other Cisco IOS Software security features to protect the router and networks behind the router

Supports same signature database available for Cisco Intrusion Prevention System (IPS) appliances

In Cisco IOS Software Release 12.4(15)T, Cisco IOS Intrusion Prevention System (IPS) provides support for the Cisco IPS Software Version 5.x/6.0 signature format, which is also used by the latest Cisco appliance-based IPS products. The Cisco IPS version 5.x signature format is improved to support encrypted signature parameters and other features such as signature Risk Rating. In this release, Cisco IOS IPS feature will also support signatures for many vulnerabilities found in Microsoft Server Message Block (SMB) and Microsoft Remote Procedure Call (MSRPC) protocols. Both of those protocols are widely and frequently used by most of Microsoft's computer applications and software packages.

New Cisco IOS IPS features in Cisco IOS Release 12.4(15)T include:

Signatures for vulnerabilities in Microsoft SMB and MSRPC protocols

Support for encrypted signatures provided by vendors under NDA (such as Microsoft)

Risk Rating value in IPS alarms for efficient event filtering, monitoring and correlation

Supports Signature Event Action Processor (SEAP) for automated adjustment of signature event actions based on Risk Rating

Support for the same signature format as the latest Cisco IPS appliance/module software version

Individual and category based signature provisioning capabilities via Cisco IOS CLI

XML-based IDCONF signature provisioning mechanism

Automated signature updates (at periodic intervals) from a local TFTP or HTTP/HTTPS server

Figure 4

IPS Now Supports Microsoft SMB and MSRPC Signatures Natively

Benefits of IPS Features in Cisco IOS Software Release 12.4(15)T

Enhanced Microsoft Signature Support (MSRPC and SMB):

Cisco IOS IPS adds support for ~95 signatures for vulnerabilities in Microsoft Remote Procedure Call (MSRPC) and Microsoft Server Message Block (SMB) protocols.

Support for Encrypted Signatures Released Under NDA:

Cisco IOS IPS can now scan for encrypted signatures for certain vulnerabilities as provided by vendors under NDA (such as Microsoft) sometimes even before their public release.

More Accurate and Efficient Event Monitoring with Reduced False Positives:

The Event Risk Rating value provided in IPS alarms is calculated based on signature severity, signature fidelity (high-fidelity signatures have a lower rate of false positives), and a "target value rating" defined by users. Event monitoring/correlation applications or devices such as CS-MARS may use the Risk Rating (RR) value in IPS alarms to filter out events below a certain RR threshold and/or trigger event correlation/action rules based on the relative importance of IPS events indicated by their Risk Rating value.

Quick and Automated Adjustment of Signature Event Actions Based on Calculated Risk:

The Signature Event Action Processor (SEAP) feature allows overriding of default signature actions based on calculated Risk Rating value. For instance, signatures generating events with a Risk Rating value of 90 or higher (on a scale of 1 to 100) may be configured to drop offending packets and/or deny traffic from the attacker's address in addition to the default action of simply sending an alarm.
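The following is an added example (written for this bulletin, not Cisco's IPS code) of how a Risk Rating feeds SEAP-style overrides and monitoring thresholds. The page only says RR is derived from severity, fidelity and a user-defined target value; the multiplicative form severity × fidelity × target value / 10000, the 0-200 target value scale, and all signature IDs and addresses are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Set

# Assumed Target Value Rating scale (asset class -> 0..200). The bulletin only says
# the TVR is "defined by users"; these numeric values are a constructed assumption.
TARGET_VALUE = {"zero": 0, "low": 75, "medium": 100, "high": 150, "mission-critical": 200}


@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: int                 # Attack Severity Rating, 0..100
    fidelity: int                 # Signature Fidelity Rating, 0..100 (high = fewer false positives)
    default_actions: FrozenSet[str] = frozenset({"produce-alert"})


@dataclass(frozen=True)
class Override:
    """SEAP-style event action override: add actions once the RR reaches min_rr."""
    min_rr: int
    add_actions: FrozenSet[str]


@dataclass
class Alarm:
    signature: Signature
    attacker: str
    victim: str
    risk_rating: int
    actions: Set[str]


def risk_rating(sig: Signature, target_value: int) -> int:
    """Assumed formula: RR = severity * fidelity * target value / 10000, clamped to 0..100."""
    for v in (sig.severity, sig.fidelity):
        if not 0 <= v <= 100:
            raise ValueError("severity and fidelity must be 0..100")
    return max(0, min(100, sig.severity * sig.fidelity * target_value // 10000))


def evaluate_event(sig: Signature, attacker: str, victim: str,
                   asset_class: str, overrides: List[Override]) -> Alarm:
    """Compute the RR for one event and apply every override whose threshold it meets."""
    rr = risk_rating(sig, TARGET_VALUE[asset_class])
    actions = set(sig.default_actions)
    for ov in overrides:
        if rr >= ov.min_rr:
            actions |= ov.add_actions
    return Alarm(sig, attacker, victim, rr, actions)


def filter_by_rr(alarms: List[Alarm], threshold: int) -> List[Alarm]:
    """What a monitoring application does with the RR: keep only alarms at or above a threshold."""
    return [a for a in alarms if a.risk_rating >= threshold]


# The override the bulletin describes: RR >= 90 drops the packet and denies the attacker,
# on top of the default alarm.
DEFAULT_OVERRIDES = [Override(90, frozenset({"deny-packet-inline", "deny-attacker-inline"}))]

# Constructed sample signatures (not real signature IDs).
SIG_HIGH = Signature(90001, "constructed-high-fidelity", severity=100, fidelity=90)
SIG_NOISY = Signature(90002, "constructed-noisy", severity=50, fidelity=80)

if __name__ == "__main__":
    alarms = [
        evaluate_event(SIG_HIGH, "198.51.100.7", "10.0.0.5", "medium", DEFAULT_OVERRIDES),
        evaluate_event(SIG_NOISY, "198.51.100.8", "10.0.0.6", "low", DEFAULT_OVERRIDES),
    ]
    for a in alarms:
        print(a.signature.name, a.risk_rating, sorted(a.actions))
    print(len(filter_by_rr(alarms, 60)), "alarm(s) at RR >= 60")
```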

Common Operational Model for Cisco IPS Appliances, Modules and Cisco IOS IPS:

In this release, Cisco IOS IPS starts using the same signature format and deployment/update/provisioning mechanism as all other Cisco IPS devices allowing Cisco Security Manager 3.1 to apply the same policy changes (signature tunings) to all Cisco IOS routers, IPS appliances and modules in a customer network.

Secure and Scalable Management of Signature Policies for Any Kind of Deployment:

Security Device Manager 2.4 and Cisco Security Manager 3.1 provide complete IPS provisioning capabilities for a single router and for multiple routers and IPS devices, respectively. Both management applications use the IDCONF protocol running securely over HTTPS. Granular customization and tuning of signatures is also possible via CLI and custom CLI scripts. For large-scale deployments, it is possible to distribute signature selection and action tunings applied to a single router to a large number of routers using Cisco Configuration Engine.

Timely Protection from the Latest Threats with Minimal User Intervention:

Automated and periodic signature updates from a local TFTP or HTTP(S) server.

Hardware

Routers

Cisco 87x, 1800, 2800, 3700, 3800, 7200 Series Routers


Additional Information: http://www.cisco.com/go/iosips

Product Management Contact: Kemal Akozer (kemal@cisco.com)

2.1.2) Flexible Packet Matching (FPM) Full Packet Filtering

Flexible Packet Matching (FPM) is the next-generation Access Control List (ACL) technology that provides a flexible and rapid first line of defense against malicious traffic at the entry point into the network. It features powerful custom pattern matching deep within the packet header or payload, minimizing inadvertent blocking of legitimate business traffic.

FPM is a packet classification feature that allows users to define one or more classes of network traffic by pairing a rich set of standard matching operators with user-defined protocol header fields. FPM further extends the network traffic class definition capability to include new CLI syntax to offset into a user-defined protocol header and, furthermore, into the data portion of the packet.

FPM provides network security administrators with powerful tools to identify miscreant traffic as it enters the network, and to immediately drop and/or keep a log for audit purposes. Administrators can specify custom match patterns at multiple offsets within the packet. FPM includes ready-made definitions for standard protocols via Protocol Header Definition Files (PHDF), which simplify deployment. Customers can also customize and add extensions to PHDFs at device run time.

FPM was first introduced in Cisco IOS Release 12.4(4)T. In the initial release, FPM was limited to searching for patterns 32 bytes long within the first 256 bytes of a packet. Release 12.4(15)T extends the FPM matching capability by allowing network security administrators the ability to search for strings up to 256 bytes long anywhere within the entire packet. This provides greater flexibility for defining filters for miscreant traffic targeting your network.
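As an added example (written here, not Cisco's FPM implementation), the stateless classifier below models the two capabilities contrasted above: a 12.4(4)T-style limit of 32-byte patterns within the first 256 bytes versus the 12.4(15)T-style limit of 256-byte patterns anywhere in the packet, with policy actions drop, log and permit. The packets, rule names, ports, marker string and addresses are all constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MatchLimits:
    max_pattern: int              # longest pattern a rule may carry
    search_window: Optional[int]  # bytes from packet start that may be examined; None = whole packet


LIMITS_12_4_4T = MatchLimits(max_pattern=32, search_window=256)
LIMITS_12_4_15T = MatchLimits(max_pattern=256, search_window=None)


@dataclass(frozen=True)
class MatchRule:
    name: str
    pattern: bytes
    offset: Optional[int] = None  # None: match anywhere in the window; else at this exact byte offset


def rule_is_valid(rule: MatchRule, limits: MatchLimits) -> bool:
    """Would this rule be accepted under the given release's limits?"""
    if not rule.pattern or len(rule.pattern) > limits.max_pattern:
        return False
    if limits.search_window is not None and rule.offset is not None:
        return rule.offset + len(rule.pattern) <= limits.search_window
    return True


def rule_matches(rule: MatchRule, packet: bytes, limits: MatchLimits) -> bool:
    """Stateless byte match, restricted to the release's search window."""
    window = packet if limits.search_window is None else packet[:limits.search_window]
    if rule.offset is None:
        return rule.pattern in window
    end = rule.offset + len(rule.pattern)
    return end <= len(window) and window[rule.offset:end] == rule.pattern


Policy = List[Tuple[MatchRule, str]]   # ordered (rule, action); action is "drop", "log" or "icmp-unreachable"


def classify(packet: bytes, policy: Policy, limits: MatchLimits) -> str:
    """First matching (and valid) rule decides; no match means the packet is permitted."""
    for rule, action in policy:
        if rule_is_valid(rule, limits) and rule_matches(rule, packet, limits):
            return action
    return "permit"


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header + UDP header + payload (checksums left zero)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip_hdr + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


# Constructed rules: the UDP destination port sits at byte 22 (20-byte IPv4 header + 2).
RULE_UDP_PORT = MatchRule("udp-dport-9999", struct.pack("!H", 9999), offset=22)
RULE_DEEP_MARKER = MatchRule("payload-marker", b"CONSTRUCTED-MARKER")   # anywhere in the packet
POLICY: Policy = [(RULE_UDP_PORT, "log"), (RULE_DEEP_MARKER, "drop")]

# The marker starts at byte 328, past the 256-byte window of the first FPM release.
SAMPLE_DEEP = build_ipv4_udp("192.0.2.10", "198.51.100.20", 40000, 53, b"A" * 300 + b"CONSTRUCTED-MARKER")
SAMPLE_PORT = build_ipv4_udp("192.0.2.10", "198.51.100.20", 40000, 9999, b"hello")

if __name__ == "__main__":
    for label, limits in (("12.4(4)T", LIMITS_12_4_4T), ("12.4(15)T", LIMITS_12_4_15T)):
        print(label, classify(SAMPLE_DEEP, POLICY, limits), classify(SAMPLE_PORT, POLICY, limits))
```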

Figure 5

Flexible Packet Matching Process

Benefits

FPM enables users to create their own stateless packet classification criteria and to define policies with multiple actions (i.e., drop, log, or send ICMP unreachable) to immediately block new viruses, worms, and attacks

FPM provides a flexible, granular Layer 2-7 matching capability providing the ability to inspect packets for characteristics regardless of the header fields involved

FPM goes beyond static attributes allowing you to specify arbitrary bits/bytes at any offset within the entire packet (header or payload), minimizing inadvertent blocking of legitimate business traffic

Allows network security administrators to rapidly set up custom filters using CLI or XML-based policy language

Useful for Security Incident Response Teams for reacting to threats targeting their networks

Hardware

Routers

Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200 and 7301 Series Routers


Considerations

The Flexible Packet Matching feature is only available in Cisco IOS Software Release 12.4(15)T (and higher) Advanced Security, Advanced IP Services, and Advanced Enterprise Software packages.

Additional Information: http://www.cisco.com/go/fpm

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.3) Cisco IOS SSL VPN Enhancements

Unlike IPsec VPN, SSL VPN in clientless mode is an application-aware technology. Using SSL VPN on the routers, companies can securely and transparently extend their networks to any Internet-enabled location. SSL VPN is compelling because the security is transparent to the end user and easy for IT to administer. Using only a Web browser, companies can extend their secure Enterprise networks to any Internet-enabled location, including home computers, Internet kiosks, and wireless hotspots, thereby enabling higher employee productivity and protecting corporate data. Cisco IOS SSL VPN supports clientless access to applications such as HTML-based intranet content, email, network file shares, and Citrix. While this allows for a great end-user experience, it must be balanced with proper access control so end users have access to only those resources dictated by corporate policy. Figure 6 provides a use-case scenario for customers to implement Cisco IOS SSL VPN effectively at the branch.

Figure 6

IOS SSL VPN Use Case Scenario

Cisco IOS® SSL VPN is a licensed feature supported on Cisco® 871, 1800, 2800, 3700, 3800, 7200, and 7301 routers running the Advanced Security image since Cisco IOS Software Release 12.4(6)T (and higher). You can purchase the feature license in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com ordering tool or through your Cisco partner/account team. Figure 7 provides more portfolio and license pricing details.

Figure 7

Cisco IOS SSL VPN Portfolio and Pricing

New SSL VPN features in Cisco IOS Software Release 12.4(15)T include the following:

1. SSL VPN Clientless Performance Enhancements

2. SSL VPN GUI Enhancements

3. SSL VPN User-level Bookmarking

4. Front Door-VRF Support

2.1.3.1) SSL VPN Clientless Performance Enhancements

Prior to this feature, traffic from clientless SSL VPN users was process switched. Clientless performance enhancements bring CEF support to clientless SSL VPN traffic through the Cisco IOS SSL VPN gateway. Cisco Express Forwarding (CEF) technology for IP is a scalable, distributed, Layer 3 switching solution designed to meet the future performance requirements of the Internet and Enterprise networks. Hardware acceleration is also now supported, offloading the processor from extensive cryptographic computations.

Reduction of the overall load of the processor allows for greater scalability and throughput providing for an improved user experience and user density per router. Reducing the CPU load also allows for configuration of other concurrent features on the router. CEF and hardware support are enabled by default.

Benefits

Increased Scalability and Performance—Increased number of concurrent users and throughput.

2.1.3.2) SSL VPN GUI Enhancements

Ergonomic improvements to the GUI of the Cisco IOS SSL VPN gateway have been added. Improved customization of the user interface provides greater flexibility and the ability to tailor the portal pages for an individualized look and feel. Features are more clearly delineated, making for a more intuitive and less cluttered interface. The portal page now spawns new pages for mangled links or URLs, eliminating any need to navigate back to the portal page. The separate toolbar window has been replaced with an integrated floating toolbar that floats in either the upper left or right (dynamically configurable) of pages spawned from the portal page. Previous interface configurations are still available.

Figure 8

SSL VPN GUI Enhancements

User Configurable Enhancements:

Login Banner message

Login Picture

GUI Improvements:

GUI layout

Toolbar integrated directly into spawned pages:

Previous Configurable Elements:

Login message

Color accents

Logo

Secondary browser color

Secondary text color

Benefits

Ease of use/Customization—The improved GUI takes into account the latest Cisco IOS SSL VPN features and presents them in a layout that is more intuitive and aesthetic. Integration of the toolbar reduces clutter of the desktop by removing an extra window.

2.1.3.3) SSL VPN User-Level Bookmarking

User-level bookmarking allows individual users to customize the portal page with their own bookmarks. Bookmarks are stored on the router and are linked to the individual user IDs, so the user's bookmarks are location/machine independent. The user profile can be stored on any of the file systems on the router as well as externally, such as on a Trivial File Transfer Protocol (TFTP) server. In addition to administrator-defined bookmarks, Cisco IOS SSL VPN users can create, edit, and delete their own individual bookmark list and have access to it on any computer at any location.

Figure 9

SSLVPN User-Level Bookmarking

Benefits

Increased Usability—The user level bookmarking feature gives flexibility to users to customize the portal page to suit their individual needs. In addition to predefined links configured by the administrator, users can create a list of bookmarks that are most useful for them.

2.1.3.4) Front door-VRF (fVRF) Support

Front door-VRF (fVRF) support, coupled with the already supported internal VRF (iVRF) capability in Cisco IOS Software Release 12.4T, allows the Cisco IOS SSL VPN gateway to be fully integrated into an MPLS network. The virtual gateway can be placed into a VRF, separate from the Internet to avoid internal MPLS/IP network exposure. This reduces the vulnerability of the router by separating the Internet routes and/or the global routing table. Clients can now reach the gateway via the fVRF which can be separate from the global VRF. The backend or iVRF functionality remains the same.

Figure 10

Front door-VRF Support

Benefits

Increased Security—Cisco IOS SSL VPN virtual gateway can be placed and accessed on a separate VRF to reduce network exposure and provide support for overlapping IP addresses.

Hardware

Routers

Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers


Additional Information: http://www.cisco.com/go/iossslvpn

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.4) Cisco IOS Software Support for AnyConnect VPN Client

The Cisco AnyConnect VPN Client is the Cisco next generation VPN client providing secure remote access through an SSL VPN tunnel. It provides similar functionality and features as traditional IPsec clients. As with clientless access, no provisioning on the client machine is required. The AnyConnect client is pushed from the Cisco IOS SSL VPN gateway to the client where it is installed and a secure tunnel is established. Initial installation requires admin rights, but upgrading an existing install does not.

AnyConnect supports 32-bit Microsoft Windows 2000, Windows XP, Windows Vista (64-bit platforms to follow as well as Windows Mobile 5), Mac, and Linux platforms.

Figure 11

Cisco IOS Software Support for AnyConnect VPN Client

Benefits

Increased Functionality and Flexibility—The Cisco AnyConnect VPN Client provides a secure remote access alternative for non-Web-based traffic. It complements clientless operation, allowing for traditional IPsec-like connectivity between clients and the secure Cisco IOS Software gateway.

Hardware

Routers

Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers


Additional Information: http://www.cisco.com/go/iossslvpn

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.5) Reverse Route Injection Distance Metric Enhancements

Reverse Route Injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint. The RRI Distance Metric Enhancement defines a distance metric for each static route created by RRI.

RRI is supported on both ipsec-profile and crypto map configuration (CLI) profiles:

Configuration example on crypto map:

  crypto map mymap 1 ipsec-isakmp 
   set reverse-route distance 20

Configuration example on ipsec-profiles:

  crypto ipsec profile myprof
   set reverse-route distance 20

Benefits

Increased Flexibility—Improves RRI flexibility when used in dynamic routing scenarios. Static routes can be tailored so dynamic routes can have priority in the routing table.

Hardware

Routers

Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers


Additional Information: http://www.cisco.com/go/iossecurity

Product Management Contact: ask-stg-ios-pm@cisco.com

3) Release 12.4(11)T Highlights

Table 2  Release 12.4(11)T Feature Highlights


3.1) Cisco IOS Security

3.1.1) Cisco IOS SSL VPN Enhancements

SSL VPN in clientless mode is an application-aware technology. Using SSL VPN on the routers, companies can securely and transparently extend their networks to any Internet-enabled location. SSL VPN is compelling because the security is transparent to the end user and is easy for an IT staff to administer and maintain. Using only a Web browser, companies can extend their secure Enterprise networks to any Internet-enabled location, including home computers, Internet kiosks, and wireless hotspots, enabling higher employee productivity and protecting corporate data. Cisco IOS SSL VPN supports full tunnel client access and clientless access to applications such as HTML-based intranet content, email, network file shares, and Citrix. While this allows for a great end-user experience, it has to be balanced with proper access control so that the end user only gets access to the corporate resources allowed by corporate policy. Figure 12 illustrates a use case scenario for customers implementing Cisco IOS SSL VPN effectively at the branch router.

Figure 12

Cisco IOS SSL VPN Use Case Scenario

Cisco IOS SSL VPN is a licensed feature supported on Cisco 871, 1800, 2800, 3700, 3800, 7200, and 7301 routers running the Advanced Security image on Cisco IOS Software Release 12.4(6)T or higher. The feature license can be purchased in packs of 10, 25, or 100 simultaneous users directly from the Cisco.com ordering tool or through your Cisco partner/account team. Figure 13 provides more portfolio and license pricing details.

Figure 13

Cisco Routers with SSL VPN

SSL VPN Portfolio and Pricing

SSL VPN functionality added in Release 12.4(11)T includes the following features:

SSL VPN Netegrity Single Sign-on (SSO) Support

SSL VPN Application ACL Support

SSL VPN Port-forwarding Enhancement

SSL VPN Debug Infrastructure

SSL VPN URL Obfuscation Support

3.1.2) SSL VPN Netegrity Single Sign-on (SSO) Support

When users attempt to access web (HTTP/HTTPS) resources of a corporation or a partner, they may be prompted to authenticate in order to validate access to the particular information. Generally these credentials are specific to a particular application and access control information must be located on each individual web server. Basic centralized authentication options offered do not allow for granular access control. This may mean that a user needs to remember multiple passwords or to enter the same username/password multiple times.

Netegrity SiteMinder allows corporations to provide seamless access to many web resources, using almost any possible authentication option, and eliminates the need to authenticate to each individual server. This solution simplifies the authentication process for network resources by eliminating the need to constantly re-authenticate and removes the requirement for multiple distinct access control databases.

Netegrity SiteMinder functions by supplying an encrypted cookie back to the user's Web browser after authenticating to the first SiteMinder Agent-enabled web server. Other enabled servers use this cookie to identify this particular user and validate access to any available resources. Each web server must have a SiteMinder Agent installed, which performs verification of the cookie and access rights by communicating with a centrally controlled policy database (SiteMinder Policy Server). Figure 14 illustrates what the implementation would look like in a customer network.

Figure 14

SSL VPN Netegrity SiteMinder Single Sign-on implementation

Benefits

Seamless end-user access—SSL VPN Netegrity SiteMinder Single Sign-on feature enables users to avoid redundant and tedious logins to different web servers/applications.

Flexible Intranet access—This feature support provides the convenience of single unified login to all applications for the users logging in through the SSL VPN gateway.

3.1.3) SSL VPN Application ACL Support

The SSL VPN Application ACL feature provides administrators the ability to control end-user access to corporate applications, by filtering the connection requests based on URL and user/group policy. While developing this functionality, a balanced approach was adopted by keeping configuration as simple as possible while providing administrators the detail/flexibility they need to secure their corporate applications through applying corporate security application usage policy to each user.

The SSL VPN Application ACL functionality includes both Network-level and Application-level ACL support. In the application layer, the gateway may have a better idea regarding how to filter the traffic than it does in network layer; hence this feature provides great flexibility for customers to filter the traffic going through their SSL VPN tunnel. SSL VPN Application ACL enhances the already rich Cisco IOS SSL VPN feature-set, providing the necessary control on the traffic that traverses the SSL VPN tunnel to the inside network.

Network-level ACL: the SSL VPN gateway (router) allows access control based on network protocol, source IP address, and destination IP address.

Application-level ACL: the SSL VPN gateway (router) allows matches based on the application filter URL string. The URL may include a wildcard for the server names, may be a partial URL, or may include a port number or server IP address/netmask.

Benefits

Flexibility in access methods—Using SSL VPN, companies can securely and transparently extend their company network to any Internet-enabled location, while using Application ACL to control what these end users can access.

Broad Range of Filtering Options—The administrator is allowed to match based on the application filter URL string. The URL may include a wildcard for the server names, may be a partial URL, or may include a port number or server IP address/net mask.

3.1.4) SSL VPN Port-forwarding Enhancement

The Port forwarding applet is started when the user clicks the "Start Application Access" link on the SSL VPN portal page. A new browser window will be launched with the applet. This Java-based Port forwarding applet is also known as the SSL VPN Thin-client mode. The Java-based application helper provides support for additional TCP-based applications that are not Web-enabled and supplements clientless access by providing connectivity to applications such as e-mail, instant messaging, Telnet, SSH etc.

The Port-forwarding enhancements were added to improve the existing thin-client support (application helper). As part of this enhancement, HTTP proxy functionality was added, like the one that might be found on the network (i.e., an Internet proxy). The HTTP proxy code modifies the browser's proxy configuration on demand to redirect all browser HTTP/S requests to the new proxy configuration. This allows the Java applet to take over as the proxy for the browser. For additional security, the applet needs to be digitally signed, since it requires file modification and port opening rights. It supports both HTTP and HTTPS connections.

Another possible use case for this functionality is to provide access to Web pages for which the mangling code isn't supported. This occasionally occurs with sites that use Java, ActiveX and Flash. By auto-installing an HTTP proxy on the user's workstation, the mangling code can be bypassed, while allowing connection to pass through the secure gateway.

Table 3 provides a quick comparison between the original port-forwarding applet and the enhancement.

Table 3  SSL VPN Port Forwarding Comparison by Cisco IOS Release

Feature                                                                   | hosts file update | Ports <= 1024 | Registry Modification
Original Port forwarding applet in Cisco IOS Release 12.4(6)T             | Optional          | Optional      | Not needed
Enhanced Port forwarding using HTTP Proxy in Cisco IOS Release 12.4(11)T  | Not needed        | Not needed    | Required



Note: It is recommended that Cisco Secure Desktop be used with the HTTP Proxy feature when used on a public terminal or a non-corporate owned workstation.


Benefits

Improved Performance—The enhanced port-forwarding applet uses HTTP proxy which provides much better performance due to client side caching as compared to the older implementation.

Support for Virtually all client-side Web technologies—No mangling is required at the SSL VPN Gateway which provides seamless support for all web content that cannot be mangled using the SSL VPN clientless functionality including embedded ActiveX and Flash content.

3.1.5) SSL VPN Debug Infrastructure

The SSL VPN Debug Infrastructure introduced in Release 12.4(11)T aims to provide an easy to use methodology to debug SSL VPN problems more efficiently. This release adds an extensive debug infrastructure to help customers and Cisco Technical Assistance Center engineers better identify and filter the activity on the network.

Benefits

Increased Visibility and Troubleshooting Capabilities—Using the SSL VPN Debug Infrastructure, customers and Cisco Technical Assistance Center engineers can easily identify and resolve problems by filtering data based on client information such as username, source IP address, and context name.

Timely resolution—The Debug Infrastructure provides a better way to filter all the messages and resolve the problem in a timely manner.

3.1.6) SSL VPN URL Obfuscation Support

Employees or partners accessing internal resources via SSL VPN have visibility into internal IP addressing and DNS names. This unnecessarily exposes internal host information to remote users accessing Web resources. This feature ensures that the directory path being accessed on the internal network is hidden from the remote user. The functionality provides the ability to hide (i.e., obfuscate) the internal hostnames and IP addresses in the URL links presented at the client browser.

The benefit is that internal hosts are hidden (masqueraded) from over-the-shoulder viewers at an Internet kiosk and similar locations. If enabled, accessed sites are converted into masqueraded URLs containing randomly generated strings (cookies) instead of actual host names or IP addresses. This includes all bookmarks and sites accessed by entering the URL in the appropriate location on the Web page.

Example:

Accessing http://somesite.cisco.com/index.html, which the clientless SSL VPN gateway presently rewrites to something like:

https://testvpn.cisco.com/http/0/somesite.cisco.com/index.html

Would become a randomly generated URL:

https://testvpn.cisco.com/http/0/342FDSFDSCS0AFA5A1DSA/index.html
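The rewriting above, modelled as an added example (not Cisco's code): the gateway keeps a per-session map from random tokens to internal hosts, rewrites links into its own namespace, and resolves masked URLs back only for tokens it issued. The gateway name, the 16-character token length and the fixed "0" path segment are assumptions taken from the example URLs.

```python
import secrets
from urllib.parse import urlsplit


class UrlMasquerader:
    """Per-session map between random tokens and internal host names.

    Constructed model (not Cisco code): the gateway rewrites every internal
    link into its own namespace, https://<gateway>/<scheme>/0/<label>/<path>,
    and with obfuscation on, <label> is a random token instead of the host.
    """

    def __init__(self, gateway: str, obfuscate: bool = True, token_len: int = 16):
        self.gateway = gateway
        self.obfuscate = obfuscate
        self.token_len = token_len
        self._host_to_token: dict[str, str] = {}
        self._token_to_host: dict[str, str] = {}

    def _token_for(self, host: str) -> str:
        # One token per host for the life of the session, so repeated links
        # to the same server stay consistent for the browser's cache.
        token = self._host_to_token.get(host)
        if token is None:
            while True:
                # secrets gives an unguessable token; token_hex(n) yields 2n chars
                token = secrets.token_hex(self.token_len // 2).upper()
                if token not in self._token_to_host:
                    break
            self._host_to_token[host] = token
            self._token_to_host[token] = host
        return token

    def rewrite(self, url: str) -> str:
        """Client-facing side of the rewrite: internal URL -> gateway URL."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("only absolute http/https links are rewritten")
        label = self._token_for(parts.netloc) if self.obfuscate else parts.netloc
        path = parts.path or "/"
        query = f"?{parts.query}" if parts.query else ""
        # "0" is the fixed segment seen in the bulletin's example URLs; its
        # meaning is not given on the page, so it is kept literally.
        return f"https://{self.gateway}/{parts.scheme}/0/{label}{path}{query}"

    def resolve(self, masked_url: str) -> str:
        """Gateway side: map a masked URL back to the internal origin."""
        parts = urlsplit(masked_url)
        if parts.netloc != self.gateway:
            raise ValueError("not a URL for this gateway")
        seg = parts.path.split("/", 4)   # ['', scheme, '0', label, rest?]
        if len(seg) < 4 or seg[2] != "0" or seg[1] not in ("http", "https"):
            raise ValueError("malformed gateway path")
        label = seg[3]
        if self.obfuscate:
            # An unknown token is rejected outright; never treat it as a host,
            # or the gateway becomes an open proxy to arbitrary addresses.
            host = self._token_to_host.get(label)
            if host is None:
                raise ValueError("unknown session token")
        else:
            host = label
        rest = "/" + seg[4] if len(seg) == 5 else "/"
        query = f"?{parts.query}" if parts.query else ""
        return f"{seg[1]}://{host}{rest}{query}"
```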

Benefits

Increased Security—URL obfuscation provides the ability to hide the internal hostnames, IP addresses, directory path in the URL links presented at the client browser.

Considerations

The SSL VPN URL obfuscation feature is disabled by default.

Hardware

Routers

Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers


Additional Information: http://www.cisco.com/go/iossslvpn

Product Management Contact: Aamir Waheed (awaheed@cisco.com) or ask-stg-ios-pm@cisco.com

3.1.7) Group Encrypted Transport (GET) VPN

Today's networked applications such as voice and video drive the need for instantaneous, branch interconnected, and QoS-enabled WANs. The distributed nature of these applications results in increased demands for scale. At the same time, Enterprise WAN technologies force businesses to make a trade-off between QoS-enabled branch interconnectivity and transport security. As network security risks increase and regulatory compliance becomes paramount, Group Encrypted Transport (GET) VPN, a next-generation WAN encryption technology, eliminates the need to compromise between network intelligence and keeping data private.

GET introduces a new IPsec-based security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPsec tunnel relationship. By utilizing trusted groups instead of point-to-point tunnels, meshed networks are able to scale higher while maintaining network intelligence features critical to voice and video quality—such as QoS, routing and multicast.

Group Encrypted Transport networks can be used in a variety of WAN environments, including IP/MPLS. GET-enabled MPLS VPNs are highly scalable, manageable and cost-effective, and meet government-mandated encryption requirements. The flexible nature of GET allows security-conscious Enterprises to manage their own network security over a service provider WAN service or to offload encryption services to their providers. GET simplifies securing large Layer 2 or MPLS networks requiring partial or full mesh connectivity.

Figure 15  Group Encrypted Transport

Features

GET is built on standards based technologies and integrates routing and security seamlessly together in the network fabric. Secure group members are managed through an IETF standard, Group Domain of Interpretation (GDOI).

Table 4  Summary of key GET features

Group Domain of Interpretation: GDOI (RFC 3547) is the key management protocol that establishes security associations among authorized group member routers.

IP Header Preservation: The original IP header in IPsec packets is preserved.

Centralized Key and Policy Management: A centrally available key server, typically a head-end router, is responsible for pushing keys and re-key messages as well as security policies to authorized group member routers. Both local and global policies (applicable to all members in a group) are supported, such as "permit any any", a policy to encrypt all traffic.

Key Server High Availability: The key server, responsible for pushing keys and policies, supports high availability by synchronizing keys and the policy database with a secondary key server.

Support for Anti-replay: Anti-replay support protects against Man-in-the-Middle attacks.

Encryption Support: DES, 3DES and AES


Benefits

In extending GDOI by encrypting and authenticating both multicast and unicast traffic, GET provides benefits to a variety of applications:

Provides data security and transport authentication, helping to meet security compliance and internal regulation by encrypting all WAN traffic

Enables high-scale network meshes and eliminates complex peer-to-peer key management with group encryption keys

For MPLS networks, maintains the network intelligence such as full-mesh connectivity, natural routing path, and Quality of Service (QoS)

Grants easy membership control with a centralized key server

Ensures low latency and jitter by enabling full-time direct communications between sites—no inefficient central hub site traversal required

Reduces traffic loads on CPE/PE encryption devices by leveraging core for replication for multicast traffic—no packet replication for each individual peer site

Hardware

Routers

Cisco 870, 1800, 2800, 3800, 7200, 7301 Series Routers

Key Servers

Cisco AIM-VPN/SSL module for Cisco Integrated Services Routers

Cisco VAM2+ for Cisco 7200 Series and 7301 Routers

Group members

Cisco Integrated Services Router (ISR) Series, Cisco 870, 1800, 2800, 3800


Product Management Contact: Siva Natarajan (sinatara@cisco.com) or ask-stg-ios-pm@cisco.com

3.1.8) MPLS VPN (RFC 2547) over Dynamic Multipoint VPN (DMVPN)

Enterprise customers increasingly require segmentation for a number of different reasons. Those reasons include:

Closed User Groups (CUG)

Virtualization

Enterprises acting as internal service providers

Protection for critical applications

Enterprises require VPNs to be created and segmented based on practical considerations that conform to the business needs of the organization. For example, a company-wide multicast stream would need to be accessible by all the employees irrespective of their group association.

Segmentation to the end-user desktop is driving virtualization in the application server space. This means that even existing employees can be segmented into different Closed User Groups where they are provided access to internal services based on their group membership. For certain Enterprises, in addition to users, the applications themselves are driving the needs for virtualization. For example, an organization that feels that its critical applications need to be separated from everyday network users can create VPNs for each application or group of applications.

Initially, solutions for virtualization requirements focused on the Enterprise core network. Lately, the concept of virtualization has been extended across the WAN edge to the remote branches. MPLS VPN (RFC 2547) over DMVPN is a deployment model for Enterprises that have requirements for virtualizing their branches.

DMVPN provides two key advantages—bulk encryption and a scalable overlay model—for extending MPLS VPNs to the branches. The large number of existing DMVPN deployments makes this an attractive deployment option. Since the branches are connected to the hub through a Layer 3 SP service, a tunneled model using GRE is needed to extend MPLS to the branches. DMVPN allows the hub to have a single multipoint GRE tunnel interface to support large numbers of spokes. The spokes can use point-to-point or multipoint GRE tunnels depending on whether direct spoke-to-spoke communication is required.

The DMVPN model does not have some of the scale limitations of the Multi-VRF based solutions because the GRE tunnels are created outside the VRFs and a single tunnel can be shared for transporting many VRFs. The hub is configured with a single mGRE tunnel while spokes have a single GRE tunnel. It is important to note that the model is to be used for hub and spoke communication only.

Figure 16  MPLS VPN (RFC 2547) over DMVPN (Hub & Spoke Only)

As shown in Figure 16, in the control plane the following protocols exist:

Routing protocol with the provider to learn the branch and head end router physical interface addresses (tunnel source address). Static routes could be used as well if they could be easily summarized.

Static GRE tunnel between the branch PE and the head end P.

IGP running in the Enterprise global space over the GRE tunnel to learn the remote PEs' and RRs' loopback addresses (only if the head end is a P).

LDP session over the GRE tunnel with label allocation/advertisement for the GRE tunnel address by the branch router (only if the head end is a P).

MP-iBGP session with Route Reflector, where the branch router's BGP source address is the tunnel interface address—this forces the BGP next-hop lookup for the VPN route to be associated with the tunnel interface.

Additionally, IPsec can be used to encrypt the GRE tunnels; encryption happens after the GRE encapsulation.

Benefits

Key benefits and applications of MPLS VPN (RFC 2547) over DMVPN include:

Bulk Encryption—Customers can use the MPLS VPN (RFC 2547) over DMVPN to do bulk encryption, satisfying security requirements.

Scalable overlay model—Customers can use the MPLS VPN (RFC 2547) over DMVPN to build a scalable overlay model.

Hardware

Routers

Cisco 1800, 2800, 3800, 7200, 7301 Series Routers

Hub Devices

Cisco 7200VXR with NPE-G1 or higher

Spoke Devices

Cisco Integrated Services Router (ISR) Series 1800, 2800, 3700, 3800, 7200, 7301


Product Management Contact: Siva Natarajan (sinatara@cisco.com) or ask-stg-ios-pm@cisco.com

3.1.9) EasyVPN Phase 8.0 Enhancements

EasyVPN Manageability Enhancements

These enhancements include new filters for the existing show, clear, and debug commands. They also include new commands for viewing and debugging group and individual sessions.

The specific enhancements include:

New filters for the "show crypto session" command. The filters include username, isakmp-profile, group, local-address, and interface.

Extending the "show crypto session" and "show crypto session detail" displays to include username, isakmp-profile, group, assigned-address, fvrf, and ivrf.

Providing one line session information using "brief" extension to "show crypto session" commands or any of the other "show crypto session" command variants such as "show crypto session isakmp group <group> brief."

New filters for the "clear crypto session" command. The new filters include username and isakmp-group. The username filter is only valid when Extended Authentication (XAuth) is used.

New filters for the "debug crypto session" command. The new filters include username, profile-name, and local-address.

EasyVPN Remote Identical Addressing Support

This feature supports having identically addressed LANs on EasyVPN Remotes. Network resources such as printers and Web servers on the LAN side of the EasyVPN Remote that have overlapping addressing with other EasyVPN remotes can now be reachable. The EasyVPN Remote feature was enhanced to work with NAT to provide this functionality. The EasyVPN Server requires no changes to support this functionality. This feature is supported in network extension modes only (network-extension and network-plus).

Figure 17  Easy VPN Remote Identical Addressing Support

Notes

This is an EasyVPN Remote functionality enhancement and involves no change on the existing EasyVPN Server configuration.

This feature is restricted to Enhanced EasyVPN in network-extension mode only.

Hardware

Routers

Cisco 800, 1800, 2800, 3700, 3800, 7200 Series and 7301 Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.10) Cisco IOS Firewall H.323 Registration, Admission, and Status (RAS) Message Inspection Support

The Registration, Admission and Status (RAS) signaling protocol is part of the H.323 protocol suite and is generally used between voice gateways and gatekeepers. The H.323 RAS message inspection support feature provides customers with a secure way to allow RAS messages between zones without having to enable generic UDP inspection for the H.323 RAS port (1719 by default). H.323 RAS messages between peers are tracked to establish their request-response relationship and, accordingly, only RAS messages from known peers are accepted for inter-zone traffic. This feature is only supported in the new zone-based firewall policy configuration model. This feature is also supported for messages originating from the router or terminating on the router.

Please note that the ports registered by an endpoint are NOT opened automatically for H.225 connection acceptance through the Cisco IOS Firewall. The user has to include H.323 inspection separately to allow connections to an endpoint.
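The request/response tracking described above, as an added, simplified model (not Cisco's implementation): messages arrive already decoded rather than as ASN.1 PER payloads, inside endpoints may open an exchange, replies pass only when they match a pending request, and gatekeeper-initiated requests pass only from a peer an inside host has already contacted. The 30-second pending lifetime and the sample addresses are assumptions.

```python
from dataclasses import dataclass

RAS_PORT = 1719  # default RAS port named in the bulletin

# Request type -> the confirm/reject replies that may answer it.
RESPONSES = {
    "GRQ": {"GCF", "GRJ"}, "RRQ": {"RCF", "RRJ"}, "ARQ": {"ACF", "ARJ"},
    "LRQ": {"LCF", "LRJ"}, "BRQ": {"BCF", "BRJ"}, "DRQ": {"DCF", "DRJ"},
    "URQ": {"UCF", "URJ"}, "IRQ": {"IRR"},
}
RESPONSE_TO_REQUEST = {r: q for q, rs in RESPONSES.items() for r in rs}


@dataclass(frozen=True)
class RasMessage:
    """An already-decoded RAS message (no ASN.1 PER parsing here)."""
    src: str        # "ip:port"
    dst: str        # "ip:port"
    msg_type: str   # e.g. "ARQ"
    seq: int        # requestSeqNum
    ts: float       # arrival time in seconds


class RasInspector:
    """Pass RAS traffic only when it fits a tracked request/response pair."""

    def __init__(self, inside_hosts: set[str], timeout: float = 30.0):
        self.inside = inside_hosts            # endpoints in the trusted zone
        self.timeout = timeout                # assumed pending-request lifetime
        self.known_peers: set[str] = set()    # gatekeepers an inside host contacted
        # (requester ip, responder ip, seq) -> (request type, arrival time)
        self.pending: dict[tuple[str, str, int], tuple[str, float]] = {}

    def _expire(self, now: float) -> None:
        for key, (_, t0) in list(self.pending.items()):
            if now - t0 > self.timeout:
                del self.pending[key]

    def inspect(self, m: RasMessage) -> tuple[bool, str]:
        """Return (permit, reason) for one message."""
        self._expire(m.ts)
        src_ip, src_port = m.src.rsplit(":", 1)
        dst_ip, dst_port = m.dst.rsplit(":", 1)
        if RAS_PORT not in (int(src_port), int(dst_port)):
            return False, "not RAS"
        if m.msg_type in RESPONSES:
            if src_ip in self.inside:
                # An inside endpoint opens the exchange; remember its peer so
                # gatekeeper-initiated requests (IRQ, DRQ, ...) from it pass.
                self.known_peers.add(dst_ip)
            elif src_ip not in self.known_peers:
                return False, "request from unknown peer"
            self.pending[(src_ip, dst_ip, m.seq)] = (m.msg_type, m.ts)
            return True, "request tracked"
        expected = RESPONSE_TO_REQUEST.get(m.msg_type)
        if expected is None:
            return False, "unknown RAS message type"
        key = (dst_ip, src_ip, m.seq)
        entry = self.pending.get(key)
        if entry is None or entry[0] != expected:
            return False, "response without matching request"
        del self.pending[key]
        # Only the RAS reply is admitted; the H.225 call-signalling ports an
        # endpoint registers are not opened, as the bulletin points out.
        return True, "response matched"


def run_sample() -> list[tuple[str, bool, str]]:
    """Constructed message trace (not captured traffic) through the inspector."""
    insp = RasInspector(inside_hosts={"10.1.1.10"})
    gk, ep, rogue = "192.0.2.5:1719", "10.1.1.10:1719", "198.51.100.9:1719"
    trace = [
        RasMessage(ep, gk, "RRQ", 1, 0.0),     # endpoint registers with gatekeeper
        RasMessage(gk, ep, "RCF", 1, 0.2),     # matching confirm
        RasMessage(gk, ep, "ACF", 7, 0.5),     # reply nobody asked for
        RasMessage(rogue, ep, "IRQ", 3, 0.6),  # request from an unknown gatekeeper
        RasMessage(gk, ep, "IRQ", 4, 0.7),     # known gatekeeper polls the endpoint
        RasMessage(ep, gk, "IRR", 4, 0.8),     # endpoint's answer
        RasMessage(ep, gk, "ARQ", 2, 1.0),     # admission request
        RasMessage(gk, ep, "ACF", 2, 40.0),    # reply after the pending entry expired
    ]
    return [(m.msg_type, *insp.inspect(m)) for m in trace]
```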

Benefits

Customers who previously had to enable "inspect UDP" for RAS messages on port 1719 can now enable only "inspect h.323-ras" and achieve better performance and security, because not all UDP messages on port 1719 are allowed through or inspected.

Hardware

Routers

Cisco 871, 1800, 2800, 3700, 3800, 7200, 7301 Series Routers


Additional Information: http://www.cisco.com/go/iosfirewall

Product Management Contact: Darshant Bhagat (dabhagat@cisco.com) or ask-stg-ios-pm@cisco.com

3.1.11) Cisco IOS Intrusion Prevention System (IPS) Version 5.0 Signature Format Support

The Intrusion Prevention System (IPS) feature now supports using the same signature format as Cisco IPS appliances/modules (also known as Cisco Intrusion Prevention System version 5.x signature format). This enhancement allows the Cisco IOS IPS feature to support more signatures. It also provides a "Risk Rating" value (calculated based on signature severity and fidelity) within the IPS alarms sent to event monitoring applications for easier and more effective event correlation.

Due to this change in IPS signature format in Release 12.4(11)T, existing users of the Cisco IOS IPS feature will have to follow the update procedure to migrate to the new format while upgrading their routers to this new release. More information can be found at http://www.cisco.com/go/iosips.

To configure and manage Cisco IOS IPS features in Release 12.4(11)T, Cisco highly recommends using one of two management applications. The next release of Cisco Security Manager software and Cisco Router and Security Device Manager (SDM) will support Cisco IOS IPS 5.x. SDM will also include an IPS migration wizard to assist existing Cisco IOS IPS users in migrating their configuration and signature files from previous Cisco IOS Software releases to Release 12.4(11)T.

Hardware

Routers

Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, 7300 Series Routers


Product Management Contact: Kemal Akozer (kemal@cisco.com) or ask-stg-ios-pm@cisco.com

4) Release 12.4(9)T Highlights

Table 5  Release 12.4(9)T Feature Highlights

4.1.1) Cisco IOS Firewall Enhancements

4.1.2) Cisco EasyVPN 7.1

4.1.3) DMVPN Manageability Enhancements

4.1.4) Virtual Private Network (VPN) Advanced Integration Module (AIM) for Cisco 1841/2800/3800 Integrated Services Routers (ISRs)

4.1.5) Scalability Enhancements for Dynamic Multipoint VPN with Next Hop Resolution Protocol-Cisco Express Forwarding

4.1.6) Complete Certificate Chain Validation in Cisco IOS Public Key Infrastructure

4.1.7) Enhanced Online Certificate Status Protocol in Cisco IOS Public Key Infrastructure

4.1.8) EasyVPN Password Aging via Authentication, Authorization and Accounting

4.1.9) EasyVPN Dynamic Firewall/Access Control List Policy Push to Cisco VPN Software Client

4.1.10) Secure Multicast

4.1.11) Control Plane Logging

4.1.12) Management Plane Protection

4.1.13) Network Address Translation ARP Ping


4.1) Cisco IOS Security

4.1.1) Cisco IOS Firewall Enhancements

Cisco IOS Firewall integrates stateful firewall and application inspection functionality as part of a complete set of threat defense features offered on Cisco routers. Routers with integrated firewalls enable cost-effective and easy-to-deploy security solutions at every access point in the network. A firewall combined with other integrated router security capabilities allows new classes of solutions to connect mobile workers, branch offices, telecommuters, partners and customers into the network.

Release 12.4(9)T introduces the following functionality to Cisco IOS Firewall:

HTTP Application Inspection and Control Enhancements

Session Policing and Ingress Rate Policing based on Cisco IOS Firewall Policies

P2P Application Filtering

HTTP Application Inspection and Control Enhancements

HTTP is the most commonly used application-layer protocol on the Internet. HTTP offers a flexible, extensible mechanism to support numerous networked applications. Businesses, educational institutions, and government offices that rely on the Internet must allow HTTP traffic through their firewalls to accommodate most Web-based applications. Unfortunately, the pervasive nature of HTTP support has contributed to TCP port 80 being a transmission vector for malicious software such as worms and viruses, as well as offering an effective conduit for concealing other traffic generated by undesirable software such as Instant Messaging (IM) applications and Peer-to-Peer (P2P) file-sharing tools.

Cisco IOS Software HTTP Application Inspection (AI) offers flexible application-layer inspection to examine network traffic to detect and take action against malicious or unwanted HTTP traffic. This release offers the following enhancements in this area:

1. User Definable and Extensible Policies—Policies may be defined based upon various HTTP protocol objects such as HTTP methods, URLs, header names and values, maximum URL length, maximum header length, maximum number of headers, maximum header-line length, non-ASCII headers, or duplicate header fields. This makes it possible to limit buffer overflows, HTTP header vulnerabilities, binary or non-ASCII character injection, and exploits such as SQL injection, cross-site scripting and worm attacks.

2. Flexible CPL Based Configuration—Configuration and application are done using the Class-based Policy Language (CPL) to allow user-defined patterns for policy definitions. This enables a very flexible, powerful and granular approach to protecting against HTTP attacks and vulnerabilities. This support comes in addition to the existing HTTP application inspection, which allows for extensive RFC (2616 and 2068) conformance checking to prevent malicious HTTP traffic.
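An added example (not Cisco's code) of the kind of checks such a policy expresses: a small inspector applies method, URL-length, header-count, header-line-length, non-ASCII and duplicate-header limits to a raw HTTP request head and reports each violation, so the effect of each policy object can be seen on a concrete request. The thresholds and the sample requests are constructed assumptions, not Cisco defaults.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpPolicy:
    """Limits an HTTP inspection policy can impose (assumed values)."""
    allowed_methods: frozenset = frozenset({"GET", "HEAD", "POST"})
    max_url_length: int = 1024
    max_header_count: int = 32
    max_header_line_length: int = 2048
    max_total_header_length: int = 8192
    allow_non_ascii_headers: bool = False
    allow_duplicate_headers: bool = False


def inspect_request(raw: bytes, policy: HttpPolicy) -> list[str]:
    """Return every policy violation found in one HTTP request head."""
    violations: list[str] = []
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        # Nothing else is meaningful if the request line is not RFC-shaped.
        return ["protocol-violation: malformed request line"]
    method, target = parts[0].decode("ascii", "replace"), parts[1]
    if method not in policy.allowed_methods:
        violations.append(f"method {method} not permitted")
    if len(target) > policy.max_url_length:
        violations.append(f"url length {len(target)} > {policy.max_url_length}")
    header_lines = lines[1:]
    if len(header_lines) > policy.max_header_count:
        violations.append(f"header count {len(header_lines)} > {policy.max_header_count}")
    counts: dict[bytes, int] = {}
    total = 0
    for line in header_lines:
        total += len(line)
        if len(line) > policy.max_header_line_length:
            violations.append(f"header line length {len(line)} > {policy.max_header_line_length}")
        # Printable ASCII plus horizontal tab is all a header line may carry.
        if not policy.allow_non_ascii_headers and any(
                b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            violations.append("non-ascii bytes in header line")
        name, sep, _ = line.partition(b":")
        if not sep:
            violations.append("protocol-violation: header line without ':'")
            continue
        key = name.strip().lower()
        counts[key] = counts.get(key, 0) + 1
    if total > policy.max_total_header_length:
        violations.append(f"total header length {total} > {policy.max_total_header_length}")
    duplicates = sorted(k.decode("ascii", "replace") for k, c in counts.items() if c > 1)
    if duplicates and not policy.allow_duplicate_headers:
        # A repeated Host field is a classic request-smuggling trick, while
        # some fields (Cookie, Accept) legitimately repeat, hence the switch.
        violations.append("duplicate header fields: " + ", ".join(duplicates))
    return violations


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: sample\r\n\r\n")
BAD_REQUEST = (b"POST /" + b"A" * 1100 + b" HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Host: other.example.com\r\n"
               b"X-Binary: \xff\xfe\x00\r\n\r\n")


def check_samples() -> dict[str, list[str]]:
    """Run both samples against the default policy."""
    policy = HttpPolicy()
    return {"good": inspect_request(GOOD_REQUEST, policy),
            "bad": inspect_request(BAD_REQUEST, policy)}
```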

Session Policing and Ingress Rate Policing based on Firewall Policies

Denial of Service (DoS) attacks designed to cripple network routers and corporate computing resources by flooding networks with packets are an important security threat that must be defended against to maintain network integrity and availability for designated users. Additionally, controlling the allocation of network resources based on protocol is critical to engineering high-performance networks. Preventing DoS attacks and controlling network resource utilization both require the ability to designate which users and/or applications can use the network and how much bandwidth they can consume.

To address this topic, Cisco introduces two new innovations for Cisco IOS Firewall policies:

1. Session Policing—Session Policing is the ability to control the number of sessions for a particular protocol or user group allowed through a Cisco IOS Firewall. This session control limits the amount of resources a DoS attack can use on the router and offers a method to prevent and minimize DoS attacks.

2. Ingress Rate Policing—Ingress Rate Policing is the ability to control the bandwidth that is used by an application or a set of traffic through the firewall. This serves as a limiting factor to DoS attacks by preventing excessive bandwidth from being consumed by the packets from the DoS attack.

Although the above descriptions focus on the issue of preventing malicious users from gaining control of the network in DoS attacks, it is straightforward to see how these mechanisms can also be used to control the usage pattern of users and/or applications. This control allows network administrators to have a means of controlling network resource utilization.

P2P Application Filtering

Peer-to-Peer (P2P) Applications, like eDonkey, Kazaa, and Gnutella, are becoming an increasingly common form of network traffic that consumes valuable network bandwidth and can potentially become a security threat by carrying malicious traffic and applications. In order to address this issue, Cisco is introducing P2P Application Filtering as part of its firewall policies to help customers defend and protect their networks from P2P threats. A key differentiator of Cisco's offering is the ability for customers to load a protocol definition file, called a Packet Description Language Module (PDLM), for new P2P protocols; the Cisco IOS Firewall can then start dynamically recognizing the protocol and apply firewall policies on the protocol without requiring an update of the software image.

Figure 18  HTTP Application Inspection on Firewall Router for a Web Server

Benefits

Increased Security against HTTP Attacks and Vulnerabilities—User-definable and extensible HTTP inspection policies allow many methods to increase the security of HTTP traffic and prevent attacks and vulnerabilities based upon HTTP.

Increased Security against P2P Attacks and Vulnerabilities—PDLMs allow Firewall policy functionality to be used in the context of P2P Application Filtering to prevent security breaches and control network bandwidth usage from this traffic type.

Simplified Configuration—HTTP Application Inspection policies are defined and applied through CPL, which simplifies the configuration process.

Prevents DoS Attacks—Session Limiting and Ingress Rate Policing on Cisco IOS Firewall policies prevents DoS attacks from consuming bandwidth on firewall interfaces to minimize the effects of these attacks. This functionality also offers greater control for network resource utilization.

Hardware

Routers

Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco 7301 Router


Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_data_sheet09186a0080117962.html

Product Management Contact: Darshant Bhagat (dabhagat@cisco.com)

4.1.2) Cisco EasyVPN 7.1

Cisco EasyVPN, a software enhancement for existing Cisco routers and security appliances, greatly simplifies VPN deployment for site-to-site, remote office and teleworker scenarios. Cisco EasyVPN centralizes VPN management across all Cisco VPN devices, thus reducing the complexity of VPN deployments. Cisco EasyVPN enables integration of VPN remote devices, Cisco routers, Cisco Adaptive Security Appliances (ASA), PIX Firewalls, and Cisco VPN concentrators or software clients; it allows a consistent policy and key management method within a single deployment to enable simplified remote site administration.

Release 12.4(9)T introduces the following key functionality to Cisco EasyVPN:

Cisco Tunnelling Control Protocol (CTCP) in Cisco IOS Software

Split DNS

DHCP Client Proxy support for EasyVPN

Cisco Tunnelling Control Protocol

In many situations, customers require a VPN client to operate in an environment where standard Encapsulating Security Payload (ESP, IP protocol number 50) or UDP port 500 (Internet Key Exchange, IKE) either cannot function, or cannot function transparently (without modification to existing firewall rules). TCP tunnelling of IPsec packets is often requested by road warriors, operating out of hotel rooms, airports etc., to pass through third-party firewall devices in their environments.

Situations where standard ESP or UDP 500 is often not acceptable/permitted include:

Small/home office router performing Port Address Translation (PAT). This router usually supports both TCP & UDP translation by default.

Network Address Translation (NAT) provided IP address behind a large corporate router. A hotel providing private address space to guests could fall under this category, or the previous PAT scenario.

Non-NAT Firewall (packet filtering or stateful). This scenario is common at companies that wish to use routable address space on their internal networks. Particular TCP applications will function, but UDP outbound is not permitted as it is often considered a security hole.

Proxy server. If a proxy server is smart enough to actually look at each packet to confirm that the activity occurring is the defined activity, native IPsec flows will not be able to work in this situation.

To solve this problem in the above situations, without modifying the rules configured in the firewall, Cisco has developed a protocol called Cisco Tunneling Control Protocol (CTCP). When CTCP is enabled on client and head-end devices, IKE and ESP traffic is encapsulated in a TCP header, so that the firewalls between the client and the head-end device simply permit this traffic (treating it as TCP traffic).

Split DNS in EasyVPN

The Split-DNS functionality enables the EasyVPN client to act as a "DNS proxy", directing Internet queries to the DNS server of the ISP and corporate DNS requests to the corporate DNS servers. Without Split DNS, enterprises typically must point their CPEs to the corporate DNS servers for all DNS queries, because only their internal servers can resolve all their internal domains. This means that the internal servers also have to carry the load of resolving or proxying all the queries for Internet URLs, which puts an unnecessary extra load on this key corporate resource. If the Internet queries can be sent to the ISP, the load on the corporate DNS server will be reduced. This feature accomplishes that.

Figure 19  Topology for Split DNS

In the diagram above, DNS requests coming from hosts behind the router (EzVPN Remote) need to be sent to the correct DNS server (ISP's DNS or corporate DNS) based on the domain name being queried. For example, a request for an Internet name is sent to the ISP's DNS server.

DHCP Client Proxy Support in EasyVPN

This functionality allows the EasyVPN server to assign a DHCP address to a client from the corporate DHCP Server rather than the local pool.

The Cisco IOS EzVPN server currently assigns an IP address to a client using either a local pool configured on the router or the framed-IP-address attribute defined in RADIUS. With this functionality, the EzVPN server supports DHCP for assigning IP addresses. The EzVPN server acts as a proxy DHCP client and acquires an IP address from the corporate DHCP server. The IP address is then pushed to the client.

The client supplies its hostname in a mode configuration request. This is forwarded to the DHCP server, so that DHCP servers that support Dynamic DNS (DDNS) registration can register the hostname with the assigned IP address at the DDNS server. This allows anyone in the corporate network to reach the client by its DNS hostname rather than an IP address.

Benefits

Increased Flexibility in Tunnelling IPsec Flows through Firewalls—With cTCP, road warriors operating out of hotel rooms, airports etc. can pass IPsec through third-party firewall devices in their environments.

Reduced Load on Corporate DNS Servers—With Split DNS, Internet queries can be sent to the ISP and the load on the corporate DNS server is drastically reduced. In some situations, such as home broadband connections used for home and telecommuting applications, this reduction may be substantial.

EasyVPN Client Reachability—With DHCP Proxy functionality, it is now possible for branches to host servers behind the EasyVPN clients. These servers are assigned addresses from the corporate pool and are reachable from any other host in the network. Further, if Dynamic DNS is enabled on the DHCP server, these hosts are reachable by their hostname. It is also useful for debugging purposes by system administrators trying to monitor VPN connections.

Hardware

Routers

Cisco 800, 1700, 1800, 2600, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco 7301 Router


Additional Information: http://www.cisco.com/go/easyvpn

Product Management Contact: Jai Balasubramaniyan (jsundar@cisco.com)

4.1.3) DMVPN Manageability Enhancements

DMVPN provides an easy and scalable way to create large and small IPsec VPNs by combining GRE tunnels, IPsec encryption, and Next Hop Resolution Protocol (NHRP). Dynamic Multipoint VPN (DMVPN) enables zero-touch deployment of IPsec networks. DMVPN Spoke-to-Spoke Functionality is an enhancement that enables the secure exchange of data between two branch offices without traversing the head office. This improves network performance by reducing latency and jitter, while optimizing head office bandwidth utilization.

DMVPN functionality has been enhanced to allow easier manageability by including the following key features:

Show commands dealing with DMVPN as a single entity

Debug commands for debugging DMVPN session and NHRP

Syslog commands to support DMVPN session, Crypto Socket and NHRP

Traps to support DMVPN session, Crypto sockets, and NHRP

Benefits

Rapid Troubleshooting—The combination of show/debug commands and Syslog and Traps information help to troubleshoot networking devices in DMVPN environments.
