Cisco IOS Security

Table Of Contents

Cisco IOS Software Release 12.3T:
New Security Features and Hardware

CISCO IOS SOFTWARE RELEASE 12.3T INTRODUCTION

RELEASE 12.3(14)T SECURITY FEATURES

Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

Cisco IOS Firewall: HTTP Inspection Engine

Cisco IOS Firewall: Granular Protocol Inspection

Cisco IOS Firewall: Email Inspection Engine

Cisco IOS Firewall: Inspection of Router-Generated Traffic

Virtual Routing and Forwarding Aware Cisco IOS Firewall

Intrusion Prevention Systems Signature Enhancements

Secure Device Provisioning Phase 4: Administrative Introducer

Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

Persistent Self-Signed Certificates

Easy VPN Remote Phase 4.1: Enhancements

IPsec Preferred Peer

IPsec Antireplay Window Expansion and Disable Options

IPsec Virtual Tunnel Interface

Reverse Route Injection

Easy VPN Remote Web-Based Activation

WebVPN

Cisco Router and Security Device Manager 2.1

RELEASE 12.3(11)T SECURITY FEATURES

Role-Based CLI Access—Granular Interface Control

802.1x Supplicant

Cisco IOS Intrusion Prevention System

Cisco IOS Security Device Event Exchange

Cisco IOS Firewall IPv6 FTP Support

Cisco Easy VPN 4.0

Cisco Security and Router Device Manager 2.0

RELEASE 12.3(8)T SECURITY FEATURES

Dynamic Multipoint VPN Spoke to Spoke Functionality

Cisco IOS Network Admission Control

Quality of Service per VPN Group

Cisco AutoSecure Rollback & Logging

Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

Cisco IOS Resilient Configuration

Call Admission Control for Internet Key Exchange

Certificate to Internet Security Association and Key Management Protocol Profile Mapping

Crypto Access Check On Clear Text Packet

RELEASE 12.3(7)T SECURITY FEATURES

RADIUS Attribute Screening Support for Access-Request

Role-Based CLI Access

Control Plane Policing Enhancements

IP Source Tracker

Per VRF TACACS+ Support

Cisco IOS Firewall for IPv6

Transparent Cisco IOS Firewall

Extended Simple Mail Transport Protocol

Key Rollover for Certificate Renewal

PKI: Query Multiple Servers during Certificate Revocation Check

Virtual Private Network Routing and Forwarding Instance Integrated Dynamic Multipoint VPN

Network Address Translation (NAT)—Transparency Aware DMVPN

SEAL Encryption

RELEASE 12.3(4)T SECURITY FEATURES

Control Plane Policing

Secure Shell Version 2

Secure Access Mode—Silent Mode

Image Verification

Login Enhancements—Password Retry Delay

Router IP Traffic Export

Cisco IOS Easy VPN Remote Phase 3.2

Cisco IOS Certificate Server

VPN Access Control using 802.1x Authentication

Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for Open Shortest Path First Version 3

Cisco IOS Firewall Access Control Lists Bypass

Cisco IDS Network Module

ADDITIONAL INFORMATION

PRODUCT BULLETIN, NO. 2358

Cisco IOS Software Release 12.3T:
New Security Features and Hardware

---

CISCO IOS SOFTWARE RELEASE 12.3T INTRODUCTION

Cisco IOS^® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

The Release 12.3T family will be issued as a series of individual releases, each of which will create significant new revenue opportunities and will include hundreds of business-critical features, the latest hardware support, and ongoing quality improvements. Cisco will ultimately consolidate all of these individual 12.3T releases to form a single major release.

With more than sixty new features, Cisco IOS Software Release 12.3(14)T extends the functionality and benefits of Cisco IOS Software.

Release 12.3(T) powers the new Cisco Integrated Services Routers, the first hardware/software system to deliver secure, wire-speed data, voice, video, and security services to small and medium-sized businesses, Enterprise branch offices, and Service Providers who offer managed services. By speeding application deployment and reducing operating complexity, customers realize a lower total cost of ownership.

Release 12.3(11)T, extends the benefits of Cisco IOS High Availability to the small and medium sized business and branch office by minimizing router downtime during planned or unplanned outages.

In order to maximize the value of the network, Cisco customers are continually integrating new technologies, hardware, and services into the existing infrastructure. In recognition of the challenges this can pose, Release 12.3(8)T delivers network intelligence with integrated features that secure branch office communications, automate the deployment of new applications, and optimize the flow of outbound traffic.

Release 12.3(7)T, the third release of this family, extends the robust suite of Cisco IOS Security capabilities with features that further reduce network vulnerability. The powerful new hardware support, enhanced security management capabilities, and enriched Cisco IOS Firewall functionality in Release 12.3(7)T protect sensitive data and corporate resources from malicious attacks.

Release 12.3(4)T Security Features, the second of the 12.3T releases, allows customers to leverage embedded Cisco IOS Software functionality to more easily deploy Security, Voice and Wireless applications. By enabling integrated small-scale deployment scenarios, Release 12.3(4)T provides the infrastructure for future expansion of small and medium business and Enterprise branch customers.

RELEASE 12.3(14)T SECURITY FEATURES

Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

Login password retry lockout conforms to the EAL4 requirement of providing these enhancements to Cisco IOS Software-enabled devices:

•The administrator will specify an optional number of attempted logins before lockout. The default value will be 3 (and configurable).

•When a user makes the specified (as configured in the preceding item) number of unsuccessful attempts to log in, that user will be locked out of the system until the administrator unlocks that user.

•Only the administrator or users with administrator-equivalent privileges are able to unlock users.

•Local AAA will maintain a list of locked-out users.

•This configuration is not user specific but is device (per-box) specific.

•Exception: The system does not allow the administrator to be placed on the locked-out list.

•The locked-out list will not be maintained by an external server such as a RADIUS server.

•The command-line interface (CLI) can be used to display a list of locked-out users by use of a show command.

Benefits

•Improves the security of the networking device.

•Helps the network administrator to prevent potential unwanted access to the networking device.

•Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.

•Provides audit trail of locked-out users for security risk assessment.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

Cisco IOS Firewall: HTTP Inspection Engine

Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Often companies decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators will have more granular control of applications passing through the firewall.

Benefits

•Defines and enforces security policies for port 80.

•Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.

•Performs protocol anomaly detection services.

•Detects misuse of HTTP and Web connectivity.

•Prevents protocol masquerading.

•Provides strict RFC compliance enforcement.

•Allows RFC command control (for example, get or put).

•Enforces URL-length and header-length policy.

•Supports real-time alarms and audit trail messages.

•Provides MIME-type filtering and content validation.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

Cisco IOS Firewall: Granular Protocol Inspection

With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700.

IP packets that contain most well-known ports defined in RFC 1700 plus user-defined ports and ranges that map to specific applications can be inspected. Additionally, the current Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.

Benefits

•Greater flexibility by allowing more granularity in the selection of protocols to be inspected.

•Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword.

•Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.

•Improved performance and reduced CPU load resulting from focused inspection selections.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

•A single port can only be mapped to one application.

•Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

Cisco IOS Firewall: Email Inspection Engine

Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines to provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).

Benefits

•Inspects SMTP, ESMTP, POP3, and IMAP.

•Detects misuse of email connectivity.

•Prevents protocol masquerading.

•Enforces strict RFC compliance.

•Performs protocol anomaly detection services.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

Users will need to have sufficient free memory.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

Cisco IOS Firewall: Inspection of Router-Generated Traffic

The Inspection of Router-Generated Traffic feature enables the inspection of local router traffic to single-channel TCP and UDP connections originated by or terminated at a router. Local H.323 connections are also supported.

Benefits

•Cisco IOS Firewall policy can now be applied to router local traffic.

•The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration of the Cisco CallManager Express interface through which H.323 connections are made.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

•Inspection of Router-Generated Traffic is supported only on the following protocols: H.323, TCP, and UDP.

•Cisco IOS Firewall supports only Version 2 of the H.323 protocol.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

Virtual Routing and Forwarding Aware Cisco IOS Firewall

Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).

Benefits

•Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.

•Allows service providers to deploy the firewall on the provider edge (PE) router.

•Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.

•Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.

•Performs per-VRF URL filtering.

•Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.

•Supports the ability to limit the number of firewall sessions per VRF.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

•VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.

•If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.

•When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

Intrusion Prevention Systems Signature Enhancements

This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows for Cisco IOS Software routers to defend networks against common worms and viruses such as the following:

String TCP Worm and Virus Support
Agobot	ANTS	Apache/mod_ssl Worm	Bagle	Blaster
GaoBot	Klez	Minmai	MyDoom	Netsky
Norvag	Phatbot	Sober	Worm Slapper (Buffer Overflow)	ZAFI.D
String UDP Worm and Virus Support
Agobot	Blaster	GaoBot	Phatbot	Slammer
String ICMP Worm and Virus Support
Nachi

Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic.

Benefits

•Support for more than 400 more signatures for a total of more than 1275 from which to choose.

•Increased efficiency for traffic blocking with shun action.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Tom Guerrette ( ask-stg-ios-pm@cisco.com)

Secure Device Provisioning Phase 4: Administrative Introducer

Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need of an end user. Administrative login and device specification have been introduced into the SDP framework.

SDP, formerly known as EZ Secure Device Deployment, simplifies introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is used as the database locator to determine the Cisco IOS Software configuration template, template variables (pulled from the AA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.

In some deployment scenarios, the introducer is an administrator (or an administrative service such as a CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator so the SDP GUI has been enhanced to provide the username as a separate parameter.

Figure 1

SDP Administrative Introducer

Benefits

Allows an IT administrator or security management solution to provision multiple devices.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the sub-Certificate Authority (sub-CA) can be used during normal operation.

Figure 2

SDP Hierarchical Certificate Server

Benefits

•Allows for hierarchical certificate servers, ensuring better scalability and availability.

•Simplifies PKI deployment in geographically distributed VPN installations where each location could have its own certificate server handling the network beneath it.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.

Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.

Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys because they have no security.

Figure 3

USB Token: PKI

Benefits

•Simplifies secure initial deployment. Router can be drop-shipped by distributor, while the token containing configuration and private keys is distributed by other means.

•Simplifies replacement of failed routers. The user just needs to remove the spare from the closet or have it drop-shipped and plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.

•Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN when the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.

Hardware

Routers

•Cisco 871, 1811, 1812, and 1841 Routers, and Cisco 2800 and 3800 Series

Cisco IOS Packaging

OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

Persistent Self-Signed Certificates

Cisco IOS Software has an HTTPS server that allows access to Web-based management pages using a SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake prior to establishing a secure connection between the server and the client.

If the Cisco IOS Software does not have a certificate that the HTTPS server can use, it generates a self-signed certificate by calling the PKI API. This API is then presented to the client, which prompts the user to accept the certificate. If the user accepts, the certificate is stored in the browser for future use.

Future SSL handshakes require the same certificate. However, on reloads, this certificate is lost, and a new one has to be generated and go through the same authentication sequence. The Persistent Self-Signed Certificate feature overcomes these limitations by saving a certificate in the router's startup configuration and having persistence using HTTPS connections with clients.

Figure 4

Persistent Self-Signed Certificates

Benefits

•Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates need for manual user intervention to accept a certificate every time the router reloads.

•Improved performance: as user intervention is no longer necessary to accept the certificate, the secure connection process is faster.

•Better security: having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Persistent Self Signed Certificates is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

Easy VPN Remote Phase 4.1: Enhancements

Easy VPN Phase 4.1 supports two enhancements for Easy VPN Remote: Support for Reliable Static Routing using Object Tracking and Tunnel Activation on Interesting Traffic on Easy VPN Remote.

Support for Reliable Static Routing using Object Tracking is a current feature the enables Cisco IOS Software to identify when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and initiate a dial-on-demand routing (DDR) connection to a preconfigured destination from any alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). This feature delivers a solution for deployments in which a remote router only has a static route to the corporate network. The IP Static route-tracking feature allows an object to be tracked (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If this feature determines that Internet connectivity is lost, then the default route for the primary interface is removed, and the floating static route for the backup interface is enabled.

This new enhancement delivers the capability to establish a secondary Easy VPN connection, if the primary Easy VPN connection fails, using support of Reliable Static Routing using Object Tracking. However, it is based on the dial backup interface only.

Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a connection to the backup Easy VPN remote configuration and a connection to the tracking system.

backup < ezvpn-cfg-name> specifies the Easy VPN configuration that will be activated when backup is triggered. track <tracked-object-number> specifies the link to the tracking system so that the Easy VPN state machine can get the notification to trigger backup.

   crypto ipsec client ezvpn <ezvpn-cfg-name>

     backup <ezvpn-cfg-name> track <tracked-object-number>

Easy VPN Remote registers to the tracking system to get the notifications for change in the state of the object. The above command will inform the tracking process that Easy VPN Remote is interested in tracking an object, identified by the object number. The tracking process will in turn inform Easy VPN Remote when the state of this object changes. This notification prompts Easy VPN Remote to bring up the backup connection when the tracked object state is DOWN. When the tracked object is UP again, the backup connection is torn down, and Easy VPN Remote will switch back to using the primary connection. The primary connection is not torn down when the tracked object goes DOWN; however, it may timeout or reset eventually on its own. The pings will continue to be attempted to be sent using the primary tunnel. If the tunnel is not up, the pings will be dropped. The primary tunnel will continue to attempt to reestablish, and once it does, the pings will be successful, and the tracked object state will go UP again.

Benefits

•Allows flexibility to track an object and initiate dial backup.

Tunnel Activation on Interesting Traffic on Easy VPN Remote is a feature that introduces a new method of activating Easy VPN tunnels based on user traffic. Prior to this feature there were two ways to bring up the tunnel: manual entry of the XAuth user/password, and automatic activation of the tunnel with the user/password stored in the configuration file. The new feature will only bring up the tunnel when user traffic needs to use it. It can be used with an idle timer on the tunnel to bring the tunnel up and down only when it is needed for user traffic. This arrangement can reduce the load on the Easy VPN concentrator, because tunnels are only brought up when needed.

Figure 5

Activation Triggered by Easy VPN Remote Traffic

Benefits

Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

IPsec Preferred Peer

IPsec Preferred Peer allows a user to tag a peer as the default peer in a multiple-set peer configuration. The provisions include setting a peer with default option and setting an IPsec idle timer with default option.

Setting a peer with default option: a new keyword—default—has been added to mark the first peer in a multiple-set peer configuration as the default peer. This peer will then be retried in certain failure cases before a connection to the next peer on the list is attempted. If a failure is detected by dead peer detection (DPD), the default peer will be tried once more before the next peer is tried. If the default peer is unresponsive, failure using retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.

This feature is useful in a dial backup scenario in which transmission stops because of remote peer failure traffic on a physical link. DPD will indicate that the remote peer is unavailable, although it will remain the current peer. The dial backup link will come up. Once connectivity through the physical link is restored, the default peer will be tried again. This procedure allows the user to always give preference to certain peers in the event of failover and is useful if the original failure occurred because of a connectivity problem through the network, as opposed to the remote peer itself failing. If the remote peer has indeed failed, retransmits to that peer (this process takes approximately 45 seconds) will force the default peer to be skipped and the next peer on the list to be tried.

Benefits

Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more bandwidth).

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information

•The set a peer with default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode. DPD will detect the failure of the other device quickly and reset the peer list to try the default peer again on the next attempt.

•Only one peer may be designated the default on a crypto map.

•The default peer must be the first peer in the list.

•Use with the crypto map set peer default feature.

•Idle timers with the default keyword are only available on a per-crypto-map basis. This command will not work with the global idle timer command.

•If a global idle timer is set, the crypto map idle timer value must be different from the global value; otherwise it will not be added to the crypto map.

Cisco IOS Packaging

The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

IPsec Antireplay Window Expansion and Disable Options

IPsec antireplay window is a 32-bit counter and a bitmap (or equivalent) used to describe whether an inbound authentication header or ESP packet is a replay. The Expansion and Disable options supported in this feature give IPsec users two additional options with which to control the antireplay mechanism in IPsec. Users can now choose to expand the antireplay window size or, alternatively, disable antireplay checking completely. The default antireplay window size and default enabling of antireplay checking for IPsec in Cisco IOS Software will be the same as in prior Cisco IOS Software releases.

Figure 6

IPsec Antireplay

Benefits

Allows an IT administrator flexibility to control antireplay window size or disable it.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information

If the antireplay window is disabled, replay attack is possible.

Cisco IOS Packaging

IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

IPsec Virtual Tunnel Interface

VPNs are increasingly being recognized as a mainstream solution for secure WAN connectivity. They replace or augment existing private networks using leased lines, Frame Relay, or ATM to connect remote and branch offices and central sites more cost effectively and with increased flexibility. This new status requires that VPN devices deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool that can be used by customers to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPsec provides true confidentiality (as does encryption) and can carry encrypted traffic.

With IPsec VTIs delivered by Cisco, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.

Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) architecture for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity, while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.

Figure 7

IPsec Static Virtual Tunnel Interfaces Between Two Sites

Benefits

•Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, thus simplifying VPN configuration complexity, which translates into reduced costs as the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.

•Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to transfer the multicast traffic, control traffic, or data traffic-for example, many voice and video applications,-from one site to another securely.

•Routable interface—Cisco IOS Software IPsec VTIs can support all types of IP routing protocols. Customers can use these capabilities of VTI to connect larger office environments, such as branch offices, complete with a PBX extension.

•Improved scaling—IPsec virtual interfaces need fewer security associations to be established to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

•Flexibility of defining features—An IPsec virtual interface is an encapsulation within its own interface. This arrangement offers flexibility of defining features to run on either the physical or the IPsec interface.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

Reverse Route Injection

Reverse Route Injection (RRI) is used to create static routes based on remote proxy IDs (subnet/mask) for remote IPsec devices. It is platform independent (except for Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and is dynamic in that it saves the user from statically defining routes. It is remote agnostic as well and works on both dynamic and static crypto maps. Typically in an RRI, routes are injected into the routing process.

RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static L2L. IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it is enhanced to retain RRI routes for dynamic customer premises equipment CPE as well as remove RRI routes when same crypto map is applied to two different interfaces.

Figure 8

Reverse Route Injection

Benefits

Saves the user from statically defining routes.

Considerations

Cisco IOS Software will not allow RRI in the same crypto map on multiple interfaces.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information

If the antireplay window is disabled, replay attack is possible.

Cisco IOS Packaging

Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

Easy VPN Remote Web-Based Activation

Easy VPN contains two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry) with optional authentication of devices behind the client router. Teleworker is also possibly useful for offices in which one person is authorized to activate the office connection. The second application is Branch Office, where a client router connects automatically without user intervention (XAuth credentials saved in configuration file). Optionally, it is possible to authenticate devices behind the client router.

Easy VPN Remote Web-Based Activation allows the authentication of the remote router more easily by having a Web-based interface in which to enter xAuth username/password.

Figure 9

Easy VPN Remote Web-Based Activation

Benefits

Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN Remote.

Hardware

Routers

•Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information

If the antireplay window is disabled, replay attack is possible.

Cisco IOS Packaging

Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

WebVPN

WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to securely access network resources. This feature can augment the existing IPsec remote access (Easy VPN) functionality or, in environments with relatively simple remote access requirements, WebVPN may offer sufficient functionality to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.

The first release of WebVPN in Cisco IOS Software supports two functional modes:

•The first mode (clientless) provides secure access to private Web resources and will provide access to Web content. This mode is useful for accessing most content that you would expect to use within a Web browser, such as Web browsing, databases, or online tools that employ a Web interface.

•The second functional mode (thin client) extends the capability of the cryptographic functions of the Web browser to enable remote access for email applications using POP3, SMTP, and IMAP.

Benefits

•Uses a standard Web browser to access the corporate network and does not require a client to be installed on the client machine.

•SSL encryption native to browser provides transport security.

•Has granular access control.

•Additional client and server applications are accessed using a Java applet.

•Allows access from noncorporate machines such as airport kiosks.

•Allows easy firewall and network traversal from any location.

•Allows transparent wireless roaming.

•Integrated Cisco IOS Firewall provides enhanced security.

Hardware

Routers

•Cisco 1800, 2800, 3700, 3800, and 7200 Series; Cisco 7301 Router

Considerations

•If WebVPN needs to be enabled on the router that is running HTTP Secure Server, the administrator must configure an IP address for WebVPN using the gateway-addr keyword option of the webvpn enable command.

•The browsing of URLs that are referred by Macromedia Flash is not modified for secure retrieval by the WebVPN gateway.

•This feature in Cisco IOS Software Release 12.3(14)T supports SSL Version 3. Transport Layer Security (TLS) is not supported.

•Thin client used for TCP port-forwarding applications requires administrative privileges on the computer of the end user.

Cisco IOS Packaging

WebVPN is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Gary Sockrider ( ask-stg-ios-pm@cisco.com)

Cisco Router and Security Device Manager 2.1

Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Benefits

•New hardware support

–Cisco Small Business 100 Series

–Cisco VPN Acceleration Module 2+ (VAM2+)

–High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A

–Provides ability to recognize, configure, and monitor the new hardware

•Localized in six languages

–Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German, Spanish, and Italian (available in May 2005)

–Microsoft Windows OS support for these languages (available now)

–Simplifies router management for native language users

•Cisco SDM Express

–Wizard-based deployment of router

–Offers quick and easy router deployment for basic WAN access configurations

–Ideal router deployment tool for nonexpert users

•PC-based SDM

–Cisco SDM installed on Windows-based PC instead of router flash memory

–No extra flash memory space required on router for SDM

–Great tool to manage the installed base of Cisco routers

•PPP over ATM (PPPoA)

–Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations

•Three new Intrusion Prevention Systems (IPS) engines

–STRING.TCP, STRING.UDP, STRING.ICMP

–Allows deployment of 500+ additional IPS signatures through SDM

•Dial-backup improvements

–Support for dial-back for dynamically addressed primary WAN interface

–Offers several fixes to make the configuration process more user friendly

Hardware

Routers

•Cisco 830, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200VXR, and 7301 Series Routers

Cisco IOS Packaging

Router and Security Device Manager 2.1 is positioned in the Advanced Security packages across Cisco routers.

Product Management Contacts: ask-stg-ios-pm@cisco.com, sdm-feedback@cisco.com

RELEASE 12.3(11)T SECURITY FEATURES

Role-Based CLI Access—Granular Interface Control

Cisco initially introduced Role-Based CLI Access—Granular Interface Control in Release 12.3(7)T. It enables the network device administrator to set up views that define the set of CLI commands that can be accessed by each user. With this enhancement, administrators can control user access and configure specific ports, logical interfaces, and slots on a router.

Figure 10

Role-Based CLI Access—Granular Interface Control

Benefits

With Role-Based CLI Access—Granular Interface Control, administrators can match user access to CLI commands based on their operational roles in the organization.

•Security: Enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

•Availability: Prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime.

•Operational efficiency: Users will only see the CLI commands applicable to the ports and CLI to which they have access; therefore, the router appears to be less complex and commands are easier to identify when using on device help.

Hardware

Routers

•Cisco 7200 Series •Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

802.1x Supplicant

There are deployment scenarios in which a network device (a router acting as an 802.1X authenticator) is placed in an unsecured location and cannot be trusted as an authenticator. This scenario mandates that a network device have the ability to authenticate itself against another network device.

The 802.1x supplicant support functionality provides the following solutions:

•Extensible Authentication Protocol (EAP) framework: supplicant can "understand" and "respond" to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently supported.

•Two network devices that are connected through an Ethernet link can act as simultaneously as supplicant and authenticator, thus providing mutual authentication capability.

•A network device that is acting as a supplicant can authenticate itself with more than one authenticator (i.e.: a single port on a supplicant can connect to multiple authenticators).

Figure 11

802.1x Supplicant

Benefits

•Consistent, standards-based technology for insertion into any mixed multimedia, multi-vendor network

•Enforcing corporate policy for network access at Layer 2

•Single supplicant can connect to multiple authenticators, so different connectivity and security policies can be implemented for different users

Hardware

Routers

•Cisco 800, 1600, 1700, 2600, 3600, 7100, 7200, 7300, 7400, and 7500 Series Routers

Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

Cisco IOS Intrusion Prevention System

Cisco IOS Intrusion Prevention System (IPS) utilizes inline deep packet inspection to enhance network attack mitigation capabilities in Cisco IOS Software. By enabling IPS, customers can quickly protect their network from known network attacks without disrupting router functions or other embedded security capabilities, such as protocol anomaly detection.

The new Cisco IOS IPS capability enables the user to load and enable any of the 700+ IDS signatures that are supported by the Cisco IDS Sensor to deter network attacks. In addition, Cisco IOS IPS allows the user to modify any existing signature or create a new signature to deter newly discovered intrusions. Cisco IOS IPS enables the following actions:

•Send an alarm

•Drop the packet

•Reset the connection

Figure 12

Cisco IOS Intrusion Prevention System

Benefits

•Ubiquitous protection of network assets

Cisco IOS IPS is supported on a broad range of Cisco routers, enabling the user to protect network users and assets deep into the network architecture. The router is a security enforcer.

•Inline deep packet inspection

Cisco IOS IPS enables users to stop known network attacks. By alerting the router to an event, Cisco IOS IPS will intercept intrusion attempts to traverse the router. Cisco IOS IPS utilizes deep packet inspection to get into the payload of a packet and uncover the known malicious activity.

•IDS signature support

Cisco IOS IPS can now be enabled with any of the 700+ IDS signatures supported by the Cisco IDS Sensors to mitigate today's known network attacks. As attacks are identified in the Internet, these signatures are updated and posted to Cisco.com so that they can be downloaded to the Cisco router by way of the VMS IDS MC 2.3 or SDM 2.0. IDS MC also provisions the Cisco IDS Sensor appliance products.

•Customized signature support

Cisco IOS IPS can now customize existing signatures, while also creating new ones. This Day 1 capability mitigates attacks that try to capitalize on slight deviations of known or newly discovered attacks.

Hardware

Routers

•Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, 7200 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

Cisco IOS Security Device Event Exchange

Cisco IOS Software now supports the Security Device Event Exchange (SDEE) protocol. SDEE is a new standard that specifies the format of messages and protocol used to communicate events generated by security devices. SDEE is flexible, so that all vendors can support address compatibility. This allows mixed IDS vendor environments to have one network management alert interface. TrueSecure (ICSA) is currently proposing as the unified industry protocol format for all vendors to communicate with network management applications. SDEE uses a pull mechanism: requests come from the network management application and the IDS/IPS router responds. SDEE utilizes HTTP and XML to provide a standardized interface. The Cisco IOS IPS router will still send IDS alerts via syslog.

Figure 13

Cisco IOS Security Device Event Exchange

Benefits

•Vendor Interoperability

SDEE will become the standard format for all vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms.

•Secured transport

The use of HTTP over SSL or HTTPS ensures that data is secured as it traverses the network.

Hardware

Routers

•Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, 7200 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

Cisco IOS Firewall IPv6 FTP Support

Cisco IOS Software now performs stateful packet inspection of the IPv6 File Transfer Protocol (FTP). Cisco IOS Firewall creates dynamic data channel monitors for FTP session RFC compliance and alerts the network about any protocol anomalies performed by the end user trying to perform a malicious act as a result of stateful inspection of FTP in order to allow return traffic traversing Cisco IOS Firewall back to the FTP client. Cisco IOS Firewall tracks the initial FTP hand-shaking and session termination by ensuring that all users have been authenticated before any data traverses the Cisco IOS Firewall. This enables Cisco IOS Firewall to prevent network intrusion by unauthorized users who attempt to initiate a connection across the network or leverage the session of an authorized user. When the user logs off or initiates other forms of session termination (abort), the Firewall immediately closes all open data and control channels associated with the authorized user.

Additionally, Cisco IOS Firewall now supports Port to Address Mapping (PAM) for IPv6. PAM correlates TCP or UDP port numbers to specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations not defined by well-known ports.

Benefits

•Investment Protection

A wide range of Cisco routers, from the Cisco 1700 Series through the Cisco 7200 Series, support Cisco IOS Firewall. This further enhances the total return of investment in Cisco routers by providing a broad range of network enforcement points, while coexisting in IPv4 and IPv6 environments.

•Protocol Anomaly Detection for FTP

Cisco IOS Firewall maintains the integrity of the network by monitoring it for network attacks that leverage protocol RFC non-compliance.

•Authorized FTP users allowed

Only allows users who have been authorized by an end ftp server to initiate session creation. Cisco IOS Software ensures that unauthorized users do not take advantage of data and control channels left open by a previous user. This decreases network vulnerability to unauthorized users.

Hardware

Routers

•Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

Cisco Easy VPN 4.0

Release 12.3(11)T introduces several enhancements to the Easy VPN Remote:

•Easy VPN Remote with IEEE 802.1x Authentication

Cisco Easy VPN 4.0 adds support for configuration of 802.1x port-based authentication on the private interfaces of the Easy VPN Remote router. This was not available in previous instances of Easy VPN Remote.

Cisco Easy VPN 4.0 also supports Public Key Infrastructure (PKI) / certificates. Previously, only pre-shared keys could be used as key material for the Internet Key Exchange (IKE) (IPsec Phase 1) connection. Configuration is the same as for standard site-to-site IPsec. When configuring PKI on the remote router, it is critical that the subject-name command is set to the subject name in the certificate or PKI will fail.

•Easy VPN Remote Backup Server List Auto-Configuration

Easy VPN Remote allows the configuration of multiple servers (concentrators) to which the remote router will attempt to connect. With this enhancement, the Easy VPN Server can "push" this server list to Easy VPN Remote clients, eliminating the requirement to manually configure the list of servers on the Easy VPN Remote. Instead, only one server needs to be preconfigured on the remote, and the rest of the server list will be pushed from the server at connect time.

•Easy VPN Remote Management Enhancements

This feature simplifies the remote management of a Cisco IOS Router acting as an Easy VPN Remote. It does this by making the IP address pushed from the server at connect time fully manageable. The pushed address is automatically assigned to a loopback interface that is dynamically created. This enables ping, Telnet, SNMP, and even dynamic routing to use the pushed address as the address to reach the router. The user can design central site management solutions that use the pushed address as the address to reach the remote routers. This feature can be enabled in both client and network extension modes; it is possible to push an address in NEM, although users can manage the static IP address assigned to the private interface.

•Easy VPN Remote Load Balancing

When configured for load balancing, the Cisco VPN 3000 Series Concentrator with Easy VPN, accepts an incoming request from the Easy VPN Remote router on its virtual IP address, and if required (for instance, if the server is heavily loaded), it sends a "notify" message to the remote that contains an IP address that represents the new peer to which the client should connect. The Easy VPN Remote router can receive this "redirect" message and it attempts to connect a different server at the address contained in the notify message. Syslog messages indicate when a transition from one peer to another occurs.

•Easy VPN Remote VLAN Support

It is now possible to define a VLAN as an Easy VPN Remote inside (private) interface. This may be an internal VLAN on the remote router (for instance, switch ports in a Cisco 1711 Router). This means that upon definition, IPsec Service Adapters will be established for the VLAN inside interface just as they are for the physical inside interfaces.

•Easy VPN Remote Multiple Subnet Support

This enhancement allows multiple subnets on a single inside interface on the Easy VPN Remote router to be defined to Easy VPN. Previously, only a single subnet could be defined for Easy VPN on each inside interface.