
Cisco IOS Software Release 12.4: Security Features and Hardware

Table Of Contents

Cisco IOS Software Release 12.4: Security Features and Hardware support

1) Introduction: Cisco IOS Software Release 12.4

1.1) Migration Guide

1.2) Cisco IOS Packaging: Secure Management Access

1.3) Release 12.4 Additional Information

2) Release 12.4 Feature Technology Highlights

2.1) Security and VPN


Product Bulletin No. 2853

Cisco IOS Software Release 12.4: Security Features and Hardware support


1) Introduction: Cisco IOS Software Release 12.4

Cisco IOS® Software is the world's leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, ranging from the small home office router to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

One of the most significant delivery milestones for Cisco IOS Software is the introduction of a new major release, which ships once every two years, delivers hundreds of advanced capabilities, and aggregates multiple prior releases into a synergistic whole.

Developed for wide deployment in the world's most demanding Enterprise, Access, and Service Provider Aggregation networks, Major Release 12.4 is a comprehensive portfolio of Cisco technologies, including the leading-edge functionality and hardware support introduced in Release 12.3T, anchored by an intensive stability and testing program.

Major Release 12.4 introduces more than 700 industry-leading features across the widest range of hardware in the industry. These key innovations span multiple technology areas, including Security, Voice, High Availability, IP Routing, Quality of Service (QoS), IP Multicast, IP Addressing, IP Mobility, Multiprotocol Label Switching (MPLS), and VPNs.

Figure 1

Major and Technology Release Relationship

1.1) Migration Guide

Cisco recommends that customers who need to deploy Release 12.3T features upgrade to Cisco IOS Software Major Release 12.4. Release 12.3T is scheduled for End of Sales in Q4CY'05.

While customers can no longer order software releases that reach End of Sales, they can download such releases from Software Center if they have a maintenance contract.

The following Cisco IOS Software releases identify the current recommended migration into Release 12.4.

Figure 2

Release 12.4 Migration Recommendation

Major Release 12.4 undergoes testing and review cycles to continuously improve and increase reliability and quality. As per Cisco's policies, no new technologies or features are added. Cisco updates Release 12.4 via regular maintenance releases to include minor improvements based upon customer experiences.

Maintenance for Release 12.3T ceases upon the introduction of Release 12.4. Users of Release 12.3T should migrate to Major Release 12.4 in order to continue receiving maintenance.

For additional information about Cisco IOS Software Product Lifecycle Dates & Milestones, please visit:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

1.2) Cisco IOS Packaging: Secure Management Access

Cisco IOS Software Release 12.4 introduces support for management access using Secure Shell (SSH), HTTPS, and Simple Network Management Protocol version 3 (SNMPv3) on the Cisco 1800, 2800, and 3800 Series Access Routers. These three features work with other device management features (image verification, role-based CLI views, user authentication, and VTY access control lists) to provide flexible and secure management access to any remote router, regardless of which Release 12.4 feature set is running on it.

SSHv2 client and server functionality provides a secure, encrypted alternative to Telnet for router configuration and administration.

SSL server functionality provides HTTPS, a secure, encrypted transport for graphical management interfaces such as Cisco Router and Security Device Manager (SDM).

SNMPv3 Server functionality includes authPriv mode, which provides authentication and encryption of SNMP messages.
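The following configuration is added here as an illustration of the three secure management channels described above, with Telnet and plain HTTP disabled; it is not taken from the bulletin or from Cisco documentation. The hostname, domain name, user names, passwords, management subnet, ACL number and view name are placeholders. The aes keyword for SNMPv3 privacy assumes a release that supports it; use des where it does not.

```cisco
! Added example: secure management access (SSH, HTTPS, SNMPv3) on a 12.4 router.
! Hostname, domain, credentials, ACL and addresses are placeholders.
hostname R1
ip domain-name example.com
! RSA key pair used by both the SSH server and the HTTPS server
crypto key generate rsa modulus 2048
!
! Local administrator with a hashed secret (no clear-text "password")
username admin privilege 15 secret <strong-password>
!
! SSH version 2 only, short negotiation timeout, few authentication retries
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may reach the VTY lines, HTTPS and SNMP
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 10 0
!
! HTTPS only (for SDM); the plain HTTP server stays off
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! SNMPv3 authPriv: SHA authentication plus encrypted PDUs, read-only view,
! restricted to the same management subnet
snmp-server view RO-VIEW iso included
snmp-server group NMS-GROUP v3 priv read RO-VIEW access 10
snmp-server user nmsuser NMS-GROUP v3 auth sha <auth-password> priv aes 128 <priv-password>
```

Check the result with show ip ssh, show ip http server status and show snmp user; none of these channels should be reachable from outside ACL 10, and a Telnet attempt to the VTY lines should be refused.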


Note: Export controls on strong encryption vary according to type, strength, territory, end-use, and end-user. Visit the Cisco Encryption Sales Support Tool to determine eligibility for Cisco strong encryption solutions. Send an email to Export Compliance ( export@cisco.com) for clarification. Encryption-free versions of IP Base, IP Voice, Enterprise Base, and Enterprise Services feature sets will continue to be available.


1.3) Release 12.4 Additional Information

Release 12.4

http://www.cisco.com/go/release124/

Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

Cisco IOS Software Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows users to quickly match Cisco IOS Software releases to features to hardware.

http://www.cisco.com/go/fn/

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

Cisco IOS Software Questions and Feedback

http://www.cisco.com/warp/public/732/feedback/release/

2) Release 12.4 Feature Technology Highlights

2.1) Security and VPN

Table 1  Security & VPN Feature Highlights

Sections

2.1.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

Login password retry lockout meets the EAL4 requirement by adding the following behavior to Cisco IOS Software devices:

The administrator can specify the number of unsuccessful login attempts allowed before lockout. The default value is 3 and is configurable.

When a user reaches the configured number of unsuccessful login attempts, that user is locked out of the system until the administrator unlocks the account.

Only the administrator or users with administrator-equivalent privileges can unlock users.

Local AAA maintains the list of locked-out users.

The attempt limit is configured per device (per box), not per user.

Exception: the administrator cannot be placed on the locked-out list, so repeated failed logins cannot be used to lock the administrator out of the device.

The locked-out list is kept only on the device; it is not maintained by an external server such as a RADIUS server.

A show command on the command-line interface (CLI) displays the list of locked-out users.
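The following configuration is added here to show the lockout feature in use; it is not from the bulletin. User names and secrets are placeholders, and the attempt limit is set explicitly rather than relying on the default.

```cisco
! Added example: local login lockout after repeated failures (per-device setting).
aaa new-model
aaa authentication login default local
! Lock a local user after 3 consecutive failed attempts
aaa local authentication attempts max-fail 3
!
! Privilege-15 account is exempt from lockout; the helpdesk account is not
username admin privilege 15 secret <strong-password>
username helpdesk privilege 1 secret <password>
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Operator commands (exec mode):
!   show aaa local user lockout                   list locked-out users
!   clear aaa local user lockout username helpdesk unlock one user
!   clear aaa local user lockout all              unlock everyone
```

Because the limit is per device and the list is only local, a lockout on one router does not carry over to other routers or to RADIUS/TACACS+ accounts; review show aaa local user lockout as part of incident triage, since a populated list is evidence of a password-guessing attempt.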

Benefits

Improves the security of the networking device.

Helps the network administrator to prevent potential unwanted access to the networking device.

Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.

Provides audit trail of locked-out users for security risk assessment.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.2) Cisco IOS Firewall: HTTP Inspection Engine

Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Often companies decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators will have more granular control of applications passing through the firewall.

Benefits

Defines and enforces security policies for port 80.

Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.

Performs protocol anomaly detection services.

Detects misuse of HTTP and Web connectivity.

Prevents protocol masquerading.

Provides strict RFC compliance enforcement.

Allows control of RFC-defined request methods (for example, GET or PUT).

Enforces URL-length and header-length policy.

Supports real-time alarms and audit trail messages.

Provides MIME-type filtering and content validation.
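The following configuration is added here as an illustration of an HTTP application inspection policy; it is not part of the bulletin or of Cisco documentation. The policy name, inspection rule name, interface and length limits are placeholders chosen for the example.

```cisco
! Added example: HTTP application inspection policy on a 12.4 Cisco IOS Firewall.
! Policy, rule and interface names and the length limits are placeholders.
appfw policy-name HTTP-POLICY
 application http
  ! Reset and log anything on port 80 that is not well-formed HTTP
  strict-http action reset alarm
  ! Block tunnelling, IM and P2P traffic masquerading as HTTP
  port-misuse tunneling action reset alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  ! Allow only GET, HEAD and POST; every other RFC or extension method is reset
  request-method rfc get action allow
  request-method rfc head action allow
  request-method rfc post action allow
  request-method rfc default action reset alarm
  request-method extension default action reset alarm
  ! URL-length and header-length policy
  max-uri-length 1024 action reset alarm
  max-header-length request 2048 response 2048 action reset alarm
  ! Content-Type must match the body (MIME-type validation)
  content-type-verification match-req-rsp action reset alarm
  ! Send audit-trail messages to syslog
  audit-trail on
!
! Bind the application policy to a stateful inspection rule that inspects HTTP
ip inspect name FW-INSIDE appfw HTTP-POLICY
ip inspect name FW-INSIDE http
ip inspect name FW-INSIDE tcp
ip inspect name FW-INSIDE udp
!
interface FastEthernet0/0
 description Inside LAN
 ip inspect FW-INSIDE in
```

Start with action allow alarm on each rule and watch the alarms for a few days before switching to reset; legitimate applications that use long URLs or non-standard methods (WebDAV, for instance) will otherwise be cut off the moment the policy goes live.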

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

2.1.3) Cisco IOS Firewall: Granular Protocol Inspection

With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700.

IP packets that contain most well-known ports defined in RFC 1700 plus user-defined ports and ranges that map to specific applications can be inspected. Additionally, the current Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.

Benefits

Greater flexibility by allowing more granularity in the selection of protocols to be inspected.

Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword.

Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.

Improved performance and reduced CPU load resulting from focused inspection selections.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

A single port can only be mapped to one application.

Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.
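The following configuration is added here to show a user-defined application mapped through the PAM table and then inspected by name, including a port range, which the considerations above say cannot be given in the ip inspect name command itself. It is not from the bulletin; application name, ports, server address and ACL number are placeholders.

```cisco
! Added example: user-defined application via PAM, inspected by its own keyword.
! Names, ports, addresses and ACL numbers are placeholders.
!
! A custom application on TCP 4000 (user-defined names must start with "user-")
ip port-map user-custom-app port tcp 4000
!
! The same application also uses UDP 6000-6010, but only on one server;
! the ACL limits the mapping to that host so the range is not opened globally
access-list 11 permit host 10.1.1.25
ip port-map user-custom-app port udp from 6000 to 6010 list 11
!
! Inspect only what the policy needs: the custom application plus generic TCP/UDP
ip inspect name FW-OUT user-custom-app
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
!
interface FastEthernet0/0
 description Inside LAN
 ip inspect FW-OUT in
!
! Verify the mapping (exec): show ip port-map user-custom-app
```

Remember that a port can belong to only one application: if TCP 4000 were already mapped to a system-defined application, the ip port-map line would have to replace that mapping rather than add to it.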

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

2.1.4) Cisco IOS Firewall: Email Inspection Engine

Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines to provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).

Benefits

Inspects SMTP, ESMTP, POP3, and IMAP.

Detects misuse of email connectivity.

Prevents protocol masquerading.

Enforces strict RFC compliance.

Performs protocol anomaly detection services.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Users will need to have sufficient free memory.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

2.1.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic

The Inspection of Router-Generated Traffic feature extends Cisco IOS Firewall inspection to single-channel TCP and UDP connections that are originated by or terminated at the router itself. Local H.323 connections are also supported.

Benefits

Cisco IOS Firewall policy can now be applied to router local traffic.

The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration of the Cisco CallManager Express interface through which H.323 connections are made.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

Inspection of Router-Generated Traffic is supported only on the following protocols: H.323, TCP, and UDP.

Cisco IOS Firewall supports only Version 2 of the H.323 protocol.
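The following configuration is added here to illustrate both the Email Inspection Engine (section 2.1.4) and Inspection of Router-Generated Traffic (this section) in one inspection rule applied outbound on the WAN interface, so that mail sessions from LAN clients and sessions the router itself opens are both tracked. It is not from the bulletin; rule, interface and ACL names and the size limit are placeholders.

```cisco
! Added example: one inspection rule covering LAN-originated mail sessions and
! sessions the router itself originates. Names, addresses and ACLs are placeholders.
!
! E-mail protocols (esmtp is used here rather than the older smtp keyword).
! max-data caps the message body; reset tears down sessions that violate the
! protocol; secure-login refuses clear-text POP3/IMAP logins so that
! mailbox credentials never cross the WAN unencrypted.
ip inspect name FW-WAN esmtp max-data 20000000
ip inspect name FW-WAN pop3 reset secure-login
ip inspect name FW-WAN imap reset secure-login
!
! Sessions originated by the router (NTP, TACACS+, syslog, DNS) and its local
! H.323 endpoints (Cisco CallManager Express) are inspected with router-traffic
ip inspect name FW-WAN tcp router-traffic
ip inspect name FW-WAN udp router-traffic
ip inspect name FW-WAN h323 router-traffic
!
! The WAN ACL denies everything inbound; inspection opens the return path per
! session, for LAN hosts and for the router's own connections alike
ip access-list extended WAN-IN
 deny ip any any log
!
interface Serial0/0
 description WAN
 ip access-group WAN-IN in
 ip inspect FW-WAN out
!
! Verify (exec): show ip inspect session
```

Without the router-traffic keyword the deny-all ACL above would also block replies to the router's own NTP, TACACS+ and DNS requests, which is the usual reason administrators end up punching static holes in the WAN ACL; the inspection entries make those holes unnecessary.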

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

2.1.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall

Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).

Benefits

Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.

Allows service providers to deploy the firewall on the provider edge (PE) router.

Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.

Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.

Performs per-VRF URL filtering.

Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.

Supports the ability to limit the number of firewall sessions per VRF.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Considerations

VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.

If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.

When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.
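The following configuration is added here to show a per-VRF firewall on a multi-VRF CE router with two customers that use the same address space; it is not from the bulletin. VRF names, route distinguishers, VLAN numbers, addresses and thresholds are placeholders.

```cisco
! Added example: one firewall instance per VRF on a multi-VRF CE router.
! VRF names, RDs, interfaces, addresses and thresholds are placeholders.
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
! Per-VRF DoS thresholds: a small customer gets a tight half-open limit,
! a larger one a looser limit, without touching the global values
ip inspect max-incomplete high 400 vrf CUST-A
ip inspect max-incomplete low 300 vrf CUST-A
ip inspect max-incomplete high 1000 vrf CUST-B
ip inspect max-incomplete low 800 vrf CUST-B
! Audit-trail messages for CUST-A only
ip inspect audit-trail vrf CUST-A
!
! Separate inspection rules so each customer's policy can differ
ip inspect name FW-A tcp
ip inspect name FW-A udp
ip inspect name FW-A http
ip inspect name FW-B tcp
ip inspect name FW-B udp
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip vrf forwarding CUST-A
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW-A in
!
! Same IP address as CUST-A: allowed, because the VRFs are isolated
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip vrf forwarding CUST-B
 ip address 10.1.1.1 255.255.255.0
 ip inspect FW-B in
!
! Verify per VRF (exec): show ip inspect session vrf CUST-A
```

The ip vrf forwarding line must precede the ip address line, since changing an interface's VRF removes its address; and per the considerations above, traffic between the two overlapping VRFs would additionally require VRF-aware NAT.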

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Hitesh Saijpal ( ask-stg-ios-pm@cisco.com)

2.1.7) Intrusion Prevention Systems Signature Enhancements

This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows Cisco IOS Software routers to defend networks against common worms and viruses such as the following:

String TCP Worm and Virus Support

Agobot

ANTS

Apache/mod_ssl Worm

Bagle

Blaster

GaoBot

Klez

Minmai

MyDoom

Netsky

Norvag

Phatbot

Sober

Worm Slapper (Buffer Overflow)

ZAFI.D

String UDP Worm and Virus Support

Agobot

Blaster

GaoBot

Phatbot

Slammer

String ICMP Worm and Virus Support

Nachi

       

Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic.

Benefits

Adds more than 400 signatures, for a total of more than 1275 from which to choose.

Increased efficiency for traffic blocking with shun action.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Tom Guerrette ( ask-stg-ios-pm@cisco.com)

2.1.8) Secure Device Provisioning Phase 4: Administrative Introducer

Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need of an end user. Administrative login and device specification have been introduced into the SDP framework.

SDP, formerly known as EZ Secure Device Deployment, simplifies introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is also used as the database locator to determine the Cisco IOS Software configuration template, the template variables (pulled from the AAA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.

In some deployment scenarios, the introducer is an administrator (or an administrative service such as a CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator so the SDP GUI has been enhanced to provide the username as a separate parameter.

Figure 3

SDP Administrative Introducer

Benefits

Allows an IT administrator or security management solution to provision multiple devices.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

2.1.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the sub-Certificate Authority (sub-CA) can be used during normal operation.

Figure 4

SDP Hierarchical Certificate Server

Benefits

Allows for hierarchical certificate servers, ensuring better scalability and availability.

Simplifies PKI deployment in geographically distributed VPN installations where each location could have its own certificate server handling the network beneath it.
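The following configuration is added here to show the arrangement described above: a root certificate server that is kept offline except to sign the subordinate and publish CRLs, and a subordinate certificate server that handles day-to-day enrollment. It is not from the bulletin; server names, issuer names, URLs, key sizes and lifetimes are placeholders.

```cisco
! Added example: offline root CA plus a subordinate CA for normal operation.
! Names, URLs, key sizes and lifetimes are placeholders.
!
! ---- Root CA router (powered up only to sign the sub-CA and issue CRLs) ----
ip http server
crypto pki server ROOT-CA
 database level complete
 issuer-name CN=Example Root CA,O=Example
 lifetime ca-certificate 3650
 lifetime certificate 730
 lifetime crl 168
 ! Requests are granted manually: check the sub-CA request fingerprint
 ! out of band before granting (exec: crypto pki server ROOT-CA info requests,
 ! then crypto pki server ROOT-CA grant <request-id>)
 no grant auto
 no shutdown
!
! ---- Subordinate CA router ----
ip http server
! Trustpoint with the SAME name as the server, pointing at the root's SCEP URL;
! this is how the sub-CA obtains its own CA certificate from the root
crypto pki trustpoint SUB-CA
 enrollment url http://root-ca.example.com:80
 rsakeypair SUB-CA 2048
 revocation-check crl
crypto pki server SUB-CA
 database level complete
 issuer-name CN=Example Branch Sub CA,O=Example
 mode sub-cs
 lifetime certificate 365
 grant auto
 ! no shutdown triggers enrollment with the root; the server stays down
 ! until the root operator grants the request
 no shutdown
!
! ---- VPN endpoints enroll with the sub-CA, never with the root ----
crypto pki trustpoint BRANCH-CA
 enrollment url http://sub-ca.example.com:80
 revocation-check crl
```

Keep the root's RSA key pair non-exportable and the root router physically secured; compromise of the root forces re-issuance of the whole hierarchy, whereas a compromised sub-CA can be revoked by the root and replaced.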

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

2.1.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.

Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.

Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys: they have no PIN protection, so anyone holding the drive can read its contents.

Figure 5

USB Token: PKI

Benefits

Simplifies secure initial deployment. Router can be drop-shipped by distributor, while the token containing configuration and private keys is distributed by other means.

Simplifies replacement of failed routers. The user just needs to remove the spare from the closet or have it drop-shipped and plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.

Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN when the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.
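The following configuration is added here to show the VPN use case above: the router's RSA key pair is generated directly onto the PIN-protected token, so the IPsec tunnel can only be built while the token is inserted. It is not from the bulletin; the PIN, key label, trustpoint name and CA URL are placeholders.

```cisco
! Added example: keep the VPN RSA key on a PIN-protected USB token so the tunnel
! can only come up while the token is present. PIN, labels and URL are placeholders.
!
! PIN used to log in to the token automatically at boot and on insertion
crypto pki token default user-pin <token-pin>
! Lock the token after 5 wrong PINs (brute-force protection on the PIN itself)
crypto pki token default max-retries 5
! When the token is removed, wait 10 s and then discard the keys that live on it,
! which tears down any IPsec tunnel authenticated with them
crypto pki token default removal timeout 10
!
! Generate the key pair on the token; it never touches flash or NVRAM
crypto key generate rsa label VPN-KEY modulus 2048 storage usbtoken0:
!
! Certificate trustpoint bound to that key pair
crypto pki trustpoint VPN-CA
 enrollment url http://ca.example.com:80
 rsakeypair VPN-KEY
 revocation-check crl
!
! Operator commands (exec):
!   crypto pki token usbtoken0: login <pin>    manual login (if no default PIN)
!   crypto pki token usbtoken0: logout
!   dir usbtoken0:                              token contents
!   show crypto key mypubkey rsa                key name and storage location
```

Storing the PIN in the configuration with user-pin trades security for unattended boot: if the configuration can be read, so can the PIN, so combine it with a removal timeout and keep the token, not the configuration, as the thing that must be physically present.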

Hardware

Routers

Cisco 1841 Routers, and Cisco 2800 and 3800 Series


Cisco IOS Packaging

OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

2.1.11) Persistent Self-Signed Certificates

Cisco IOS Software has an HTTPS server that allows access to Web-based management pages over an SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake, before the secure connection between the server and the client is established.

If Cisco IOS Software has no certificate that the HTTPS server can use, it generates a self-signed certificate through the PKI API. This certificate is presented to the client, and the browser prompts the user to accept it. If the user accepts, the certificate is stored in the browser for future use.

Subsequent SSL handshakes should present that same certificate. Without this feature, however, the self-signed certificate is lost on reload, so a new one is generated and the user is prompted to accept it all over again. The Persistent Self-Signed Certificate feature saves the certificate in the router's startup configuration, so the same certificate is presented across reloads and HTTPS clients see a stable identity for the router.
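The following configuration is added here to show the HTTPS server bound to a persistent self-signed certificate; it is not from the bulletin. The trustpoint name, subject name, hostname and domain are placeholders.

```cisco
! Added example: HTTPS server with a persistent self-signed certificate.
! Trustpoint name, subject name, hostname and domain are placeholders.
hostname R1
ip domain-name example.com
!
crypto pki trustpoint HTTPS-SELF
 enrollment selfsigned
 subject-name CN=r1.example.com
 rsakeypair HTTPS-SELF 2048
!
! (exec) Generate the key pair and the self-signed certificate now; the
! certificate is stored under the trustpoint in the running configuration
!   crypto pki enroll HTTPS-SELF
!
no ip http server
ip http secure-server
ip http secure-trustpoint HTTPS-SELF
ip http authentication local
!
! (exec) Save, so the same certificate is presented after a reload; without
! this a fresh certificate, and a fresh browser warning, appears on every boot
!   copy running-config startup-config
!
! (exec) Read the fingerprint to compare with what the browser shows
!   show crypto pki certificates HTTPS-SELF
```

The first acceptance is still a trust-on-first-use decision: compare the fingerprint the browser displays against show crypto pki certificates on the console before clicking accept, and treat a later fingerprint change on the same router as a sign of interception rather than a routine reload.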

Figure 6

Persistent Self-Signed Certificates

Benefits

Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates need for manual user intervention to accept a certificate every time the router reloads.

Improved performance: as user intervention is no longer necessary to accept the certificate, the secure connection process is faster.

Better security: having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Persistent Self Signed Certificates is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Jai Balasubramaniyan ( ask-stg-ios-pm@cisco.com)

2.1.12) Easy VPN Remote Phase 4.1: Enhancements

Easy VPN Phase 4.1 supports two enhancements for Easy VPN Remote: Support for Reliable Static Routing using Object Tracking and Tunnel Activation on Interesting Traffic on Easy VPN Remote.

Support for Reliable Static Routing using Object Tracking is an existing feature that enables Cisco IOS Software to detect when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and to initiate a dial-on-demand routing (DDR) connection to a preconfigured destination from an alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). It addresses deployments in which a remote router has only a static route to the corporate network. The IP static route tracking feature tracks an object (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If the feature determines that Internet connectivity is lost, the default route for the primary interface is removed and the floating static route for the backup interface takes over.

This enhancement adds the capability to establish a secondary Easy VPN connection when the primary Easy VPN connection fails, driven by Reliable Static Routing using Object Tracking. The secondary connection is supported on the dial backup interface only.

Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a link to the backup Easy VPN Remote configuration and a link to the tracking system.

backup <ezvpn-cfg-name> specifies the Easy VPN configuration that is activated when backup is triggered. track <tracked-object-number> identifies the tracked object whose state changes notify the Easy VPN state machine to trigger backup.

   crypto ipsec client ezvpn <ezvpn-cfg-name>
     backup <ezvpn-cfg-name> track <tracked-object-number>

Easy VPN Remote registers with the tracking system for notifications of changes in the object's state. The command above tells the tracking process that Easy VPN Remote is interested in the object identified by the object number; the tracking process in turn notifies Easy VPN Remote whenever that object's state changes. When the tracked object goes DOWN, Easy VPN Remote brings up the backup connection. When the tracked object returns to UP, the backup connection is torn down and Easy VPN Remote switches back to the primary connection. The primary connection is not torn down when the tracked object goes DOWN, although it may eventually time out or reset on its own. The tracking probes (for example, pings) continue to be sent through the primary tunnel; while that tunnel is down they are dropped. The primary tunnel keeps trying to re-establish, and once it succeeds the probes succeed again and the tracked object state returns to UP.
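The following configuration is added here as a complete illustration of the procedure above: an ICMP probe through the primary tunnel feeds a tracked object, and the backup Easy VPN configuration on a dialer interface is activated when that object goes DOWN. It is not from the bulletin; peers, group name and key, addresses, the probe target, dialer details and the probe command names are placeholders or assumptions as noted in the comments.

```cisco
! Added example: Easy VPN Remote with a tracked primary and a dial backup.
! Peers, group/key, addresses, probe target and dialer settings are placeholders.
!
! Probe the head-end's inside address through the primary tunnel, sourced from
! the inside LAN so that the probe itself is carried in the tunnel.
! (Assumption: probe command names differ by release: "rtr" in older releases,
!  "ip sla monitor" in some 12.4 releases, "ip sla" in later ones; the
!  structure is the same.)
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.10.10.1 source-interface FastEthernet0/1
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
! Object 1 is UP while the probe succeeds
track 1 rtr 1 reachability
!
crypto ipsec client ezvpn PRIMARY
 connect auto
 group BRANCHES key <group-key>
 mode network-extension
 peer 192.0.2.1
 ! When object 1 goes DOWN, activate the BACKUP configuration on the dialer
 backup BACKUP track 1
!
crypto ipsec client ezvpn BACKUP
 connect auto
 group BRANCHES key <group-key>
 mode network-extension
 peer 192.0.2.1
!
interface FastEthernet0/0
 description Primary WAN
 ip address dhcp
 crypto ipsec client ezvpn PRIMARY
!
interface BRI0
 encapsulation ppp
 dialer pool-member 1
!
interface Dialer1
 description Dial backup over ISDN
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string <backup-number>
 dialer-group 1
 crypto ipsec client ezvpn BACKUP
dialer-list 1 protocol ip permit
! Floating static default route used only when the primary default is gone
ip route 0.0.0.0 0.0.0.0 Dialer1 250
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn PRIMARY inside
 crypto ipsec client ezvpn BACKUP inside
```

Probe something that only answers through the tunnel (an inside address of the head-end, as above), not the peer's public address: the public address stays reachable when the tunnel itself is broken, and the tracked object would never go DOWN.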

Benefits

Allows flexibility to track an object and initiate dial backup.

Tunnel Activation on Interesting Traffic on Easy VPN Remote is a feature that introduces a new method of activating Easy VPN tunnels based on user traffic. Prior to this feature there were two ways to bring up the tunnel: manual entry of the XAuth user/password, and automatic activation of the tunnel with the user/password stored in the configuration file. The new feature will only bring up the tunnel when user traffic needs to use it. It can be used with an idle timer on the tunnel to bring the tunnel up and down only when it is needed for user traffic. This arrangement can reduce the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
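The following configuration is added here to show tunnel activation on interesting traffic with an idle timer; it is not from the bulletin. The ACL, Easy VPN configuration name, group name and key, peer and interfaces are placeholders, and the idle-time keyword is assumed to be the Easy VPN Remote tunnel idle timer available in this release.

```cisco
! Added example: bring the Easy VPN tunnel up only for interesting traffic
! and tear it down when idle. Names, peer, group/key and ACL are placeholders.
!
! Traffic from the branch LAN to the corporate network is "interesting";
! everything else (for example, Internet browsing) never triggers the tunnel
ip access-list extended EZVPN-TRIGGER
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto ipsec client ezvpn CORP
 group BRANCHES key <group-key>
 mode network-extension
 peer 192.0.2.1
 ! Build the tunnel when a packet matches the ACL, instead of at boot
 ! ("connect auto") or when an operator runs the connect command ("manual")
 connect acl EZVPN-TRIGGER
 ! Drop the tunnel after 5 minutes without traffic (assumed keyword)
 idle-time 300
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 crypto ipsec client ezvpn CORP
!
interface FastEthernet0/1
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
 crypto ipsec client ezvpn CORP inside
```

With connect acl, packets that arrive before the tunnel is up are dropped while IKE completes, so the first connection from a branch host after an idle period will see a delay of a few seconds; size the idle timer to the site's traffic pattern rather than setting it very low.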

Figure 7

Activation Triggered by Easy VPN Remote Traffic

Benefits

Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.13) IPsec Preferred Peer

IPsec Preferred Peer allows a user to tag a peer as the default peer in a multiple-peer configuration. The feature provides two options: setting a peer as the default, and setting an IPsec idle timer with the default option.

Setting a peer with default option: a new keyword—default—has been added to mark the first peer in a multiple-set peer configuration as the default peer. This peer will then be retried in certain failure cases before a connection to the next peer on the list is attempted. If a failure is detected by dead peer detection (DPD), the default peer will be tried once more before the next peer is tried. If the default peer is unresponsive, failure using retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.

This feature is useful in a dial backup scenario in which traffic on the physical link stops because the remote peer appears to have failed. DPD indicates that the remote peer is unavailable, although it remains the current peer, and the dial backup link comes up. Once connectivity through the physical link is restored, the default peer is tried again. This procedure lets the user always give preference to certain peers in the event of failover, and is most useful when the original failure was a connectivity problem in the network rather than a failure of the remote peer itself. If the remote peer has indeed failed, IKE retransmits to that peer (a process that takes approximately 45 seconds) cause the default peer to be skipped and the next peer on the list to be tried.

Benefits

Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more bandwidth).

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information

The set peer default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode: DPD detects the failure of the other device quickly and resets the peer list so that the default peer is tried again on the next attempt.

Only one peer may be designated the default on a crypto map.

The default peer must be the first peer in the list.

The idle timer default option is intended for use together with the set peer default feature.

Idle timers with the default keyword are available only on a per-crypto-map basis; the keyword does not work with the global idle timer command.

If a global idle timer is set, the crypto map idle timer value must be different from the global value; otherwise it is not added to the crypto map.

Cisco IOS Packaging

The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.14) IPsec Antireplay Window Expansion and Disable Options

The IPsec antireplay window is a 32-bit sequence counter plus a bitmap (or equivalent) used to decide whether an inbound Authentication Header (AH) or ESP packet is a replay. The Expansion and Disable options supported in this feature give IPsec users two additional ways to control the antireplay mechanism: users can now expand the antireplay window size or, alternatively, disable antireplay checking completely. The default antireplay window size and the default enabling of antireplay checking in Cisco IOS Software remain the same as in prior Cisco IOS Software releases.

Figure 8

IPsec Antireplay

Benefits

Allows an IT administrator flexibility to control antireplay window size or disable it.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Additional Information

If antireplay checking is disabled, replay attacks against the security association become possible. Where legitimate out-of-order delivery (for example, QoS reordering) causes antireplay drops, expanding the window is the safer choice.
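The window mechanism the two options act on, as an added example that is not part of the original bulletin and not Cisco IOS code: a Python sliding antireplay window of the kind ESP and AH use (RFC 4303, Appendix A), run once at the Cisco IOS default size of 64, once expanded to 128, and once disabled, over a constructed sequence-number stream that includes both delayed packets and a replay. The class and function names and the sample stream are this example's own.

```python
"""Sliding antireplay window (RFC 4303, Appendix A) with the 'expand' and
'disable' options. Added example, not Cisco IOS code; the 64-packet default is
the Cisco IOS default window size and the sequence-number sample is constructed."""


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the window below it."""

    def __init__(self, size=64, enabled=True):
        if size <= 0:
            raise ValueError("window size must be positive")
        self.size = size
        self.enabled = enabled
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => (highest - i) has been received
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True if seq is acceptable and record it.

        A real implementation advances the window only after the ICV has
        verified, so forged sequence numbers cannot poison it; that step is
        collapsed here because no integrity check is simulated."""
        if not self.enabled:
            return True                         # no replay protection at all
        if seq == 0:
            return False                        # first valid ESP sequence number is 1
        if seq > self.highest:                  # new high-water mark: slide the window
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & self.mask if shift < self.size else 0
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                        # older than the window: drop
        bit = 1 << offset
        if self.bitmap & bit:
            return False                        # already seen: replay
        self.bitmap |= bit                      # late but legitimate out-of-order packet
        return True


def simulate(seqs, size=64, enabled=True):
    """Feed a sequence-number stream through one window; returns the verdicts."""
    window = ReplayWindow(size=size, enabled=enabled)
    return [window.check_and_update(s) for s in seqs]


# Constructed stream: in-order start, a jump to 70 (reordering delayed packets
# 5 and 10), then packet 2 replayed and the delayed packets arriving late.
SAMPLE = [1, 2, 3, 70, 2, 5, 10]

if __name__ == "__main__":
    for size, enabled in ((64, True), (128, True), (64, False)):
        print(f"size={size:<4} enabled={enabled!s:<5}", simulate(SAMPLE, size, enabled))
```

At the default size the late packet 5 is dropped as too old (a false drop caused by reordering) while the replayed packet 2 is correctly rejected; expanding the window to 128 accepts packet 5 and still rejects the replay; disabling the check accepts everything, including the replay, which is exactly the exposure noted above.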

Cisco IOS Packaging

IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.15) IPsec Virtual Tunnel Interface

VPNs are increasingly being recognized as a mainstream solution for secure WAN connectivity. They replace or augment existing private networks using leased lines, Frame Relay, or ATM to connect remote and branch offices and central sites more cost effectively and with increased flexibility. This new status requires that VPN devices deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool that customers can use to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPsec provides true confidentiality by encrypting the tunneled traffic.

With IPsec VTIs delivered by Cisco, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.

Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) architecture for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity, while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.

Figure 9

IPsec Static Virtual Tunnel Interfaces Between Two Sites

Benefits

Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, thus simplifying VPN configuration complexity, which translates into reduced costs as the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.

Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to transfer multicast traffic, control traffic, or data traffic (for example, many voice and video applications) from one site to another securely.

Routable interface—Cisco IOS Software IPsec VTIs can support all types of IP routing protocols. Customers can use these capabilities of VTI to connect larger office environments, such as branch offices, complete with a PBX extension.

Improved scaling—IPsec virtual interfaces need fewer security associations to be established to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

Flexibility of defining features—An IPsec virtual tunnel interface is an interface in its own right, so features can be applied to either the physical interface or the IPsec interface.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.16) Reverse Route Injection

Reverse Route Injection (RRI) creates static routes based on the remote proxy IDs (subnet/mask) of remote IPsec devices, so that traffic for the remote protected networks is routed toward the IPsec peer. It is platform independent (except for the Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and dynamic, in that it saves the user from statically defining routes. It is also remote agnostic and works on both dynamic and static crypto maps. Typically the RRI routes are then redistributed into the routing process.

RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static LAN-to-LAN (L2L) IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it can retain RRI routes for dynamic customer premises equipment (CPE) and removes RRI routes when the same crypto map is applied to two different interfaces.

Figure 10

Reverse Route Injection

Benefits

Saves the user from statically defining routes.

Considerations

Cisco IOS Software will not allow RRI in the same crypto map on multiple interfaces.
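How the injected routes are derived from a crypto ACL, together with the one-interface-per-crypto-map restriction noted above, as an added example that is not part of the original bulletin and not Cisco IOS code. The Python functions below parse the remote proxy (destination) of each permit ip entry, convert the wildcard mask into a static route with the IPsec peer as next hop, and withdraw the routes when the same map is applied to a second interface. The ACL lines, peer address, interface and crypto map names, and all function names are this example's own.

```python
"""Derivation of the static routes Reverse Route Injection creates from a
crypto ACL's remote proxy IDs. Added example, not Cisco IOS code; the ACL
lines, peer and interface names are constructed and the function names are
this example's own."""

import ipaddress


def _take_proxy(tokens, i):
    """Parse one address term of an extended ACE starting at tokens[i].

    Accepts 'host A', 'any', or 'A WILDCARD'; returns (network, next index).
    A non-contiguous wildcard raises ValueError (ipaddress rejects the mask)."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((tokens[i], str(netmask)), strict=False), i + 2


def parse_crypto_ace(line):
    """Return (local_proxy, remote_proxy) for a 'permit ip ...' crypto ACE."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"not a permit ip ACE: {line!r}")
    local, i = _take_proxy(tokens, 2)
    remote, _ = _take_proxy(tokens, i)
    return local, remote


def rri_routes(peer, acl_lines):
    """Static routes RRI would inject: one per remote proxy, next hop = peer.

    A remote proxy of 'any' would inject a default route toward the peer; this
    example refuses that rather than silently steering all traffic into the tunnel."""
    routes = []
    for line in acl_lines:
        _, remote = parse_crypto_ace(line)
        if remote.prefixlen == 0:
            raise ValueError(f"remote proxy 'any' in {line!r}: refusing to inject a default route")
        routes.append(f"ip route {remote.network_address} {remote.netmask} {peer}")
    return routes


class RriTable:
    """RRI routes per crypto map, enforcing one interface per map."""

    def __init__(self):
        self.applied = {}   # crypto map name -> interface it is applied on
        self.routes = {}    # crypto map name -> injected routes

    def apply(self, crypto_map, interface, peer, acl_lines):
        """Apply a crypto map to an interface; returns the routes now installed.

        Applying the same map to a second interface is refused and the routes
        injected for the first interface are withdrawn."""
        bound = self.applied.get(crypto_map)
        if bound is not None and bound != interface:
            self.routes.pop(crypto_map, None)
            self.applied.pop(crypto_map)
            return []
        self.applied[crypto_map] = interface
        self.routes[crypto_map] = rri_routes(peer, acl_lines)
        return list(self.routes[crypto_map])


if __name__ == "__main__":
    acl = ["permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255",
           "permit ip 10.1.0.0 0.0.255.255 host 192.168.50.7"]
    table = RriTable()
    for route in table.apply("VPN", "Serial0/0", "203.0.113.5", acl):
        print(route)
```

The wildcard-to-netmask conversion is the part worth checking on a real box: a non-contiguous wildcard is legal in an ACL but has no prefix equivalent, so it cannot become a route, and the example rejects it instead of guessing.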

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.17) Easy VPN Remote Web-Based Activation

Easy VPN contains two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry), with optional authentication of devices behind the client router; it is also useful for offices in which one person is authorized to activate the office connection. In the Branch Office application, the client router connects automatically without user intervention (XAuth credentials saved in the configuration file); optionally, devices behind the client router can also be authenticated. Note that saved XAuth credentials are only as well protected as the configuration file that holds them.

Easy VPN Remote Web-Based Activation makes authenticating the remote router easier by providing a Web-based interface in which to enter the XAuth username and password. Because the credentials are entered interactively rather than saved in the configuration file, they are not exposed to anyone who obtains a copy of the router configuration.

Figure 11

Easy VPN Remote Web-Based Activation

Benefits

Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN Remote.

Hardware

Routers

Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Cisco IOS Packaging

Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Siva Natarajan ( ask-stg-ios-pm@cisco.com)

2.1.18) WebVPN

WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to securely access network resources. This feature can augment the existing IPsec remote access (Easy VPN) functionality or, in environments with relatively simple remote access requirements, WebVPN may offer sufficient functionality to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.

The first release of WebVPN in Cisco IOS Software supports two functional modes:

The first mode (clientless) provides secure access to private Web resources and Web content. This mode is useful for most content that you would expect to use within a Web browser, such as Web pages, databases, or online tools that employ a Web interface.

The second functional mode (thin client) extends the cryptographic functions of the Web browser, through a Java applet that forwards TCP ports, to enable remote access for email applications using POP3, SMTP, and IMAP.

Benefits

Uses a standard Web browser to access the corporate network and does not require a client to be installed on the client machine.

SSL encryption native to browser provides transport security.

Has granular access control.

Additional client and server applications are accessed using a Java applet.

Allows access from noncorporate machines such as airport kiosks.

Allows easy firewall and network traversal from any location.

Allows transparent wireless roaming.

Integrated Cisco IOS Firewall provides enhanced security.

Hardware

Routers

Cisco 1800, 2800, 3700, 3800, and 7200 Series; Cisco 7301 Router


Considerations

If WebVPN needs to be enabled on the router that is running HTTP Secure Server, the administrator must configure an IP address for WebVPN using the gateway-addr keyword option of the webvpn enable command.

URLs referenced from within Macromedia Flash content are not rewritten by the WebVPN gateway for secure retrieval.

This feature in Cisco IOS Software Release 12.3(14)T supports SSL Version 3; Transport Layer Security (TLS) is not supported. SSL 3.0 has since been deprecated by the IETF (RFC 7568) because of known protocol weaknesses, so this limitation should be weighed when deploying this release.

Thin client used for TCP port-forwarding applications requires administrative privileges on the computer of the end user.

Cisco IOS Packaging

WebVPN is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ( ffarniam@cisco.com)

Product Management Contact: Gary Sockrider ( ask-stg-ios-pm@cisco.com)

2.1.19) Cisco Router and Security Device Manager 2.1

Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Benefits

New hardware support

Cisco Small Business 100 Series

Cisco VPN Acceleration Module 2+ (VAM2+)

High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A

Provides ability to recognize, configure, and monitor the new hardware

Localized in six languages

Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German, Spanish, and Italian (available in May 2005)

Microsoft Windows OS support for these languages (available now)

Simplifies router management for native language users

Cisco SDM Express

Wizard-based deployment of router

Offers quick and easy router deployment for basic WAN access configurations

Ideal router deployment tool for nonexpert users

PC-based SDM

Cisco SDM installed on Windows-based PC instead of router flash memory

No extra flash memory space required on router for SDM

Great tool to manage the installed base of Cisco routers

PPP over ATM (PPPoA)

Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations

Three new Intrusion Prevention Systems (IPS) engines

STRING.TCP, STRING.UDP, STRING.ICMP

Allows deployment of 500+ additional IPS signatures through SDM

Dial-backup improvements

Support for dial-back for dynamically addressed primary WAN interface

Offers several fixes to make the configuration process more user friendly

Hardware

Routers

Cisco 830, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200VXR, and 7301 Series Routers


Cisco IOS Packaging

Router and Security Device Manager 2.1 is positioned in the Advanced Security packages across Cisco routers.

Product Management Contacts: ask-stg-ios-pm@cisco.com, sdm-feedback@cisco.com

2.1.20) Role-Based CLI Access—Granular Interface Control

Cisco initially introduced Role-Based CLI Access—Granular Interface Control in Release 12.3(7)T. It enables the network device administrator to set up views that define the set of CLI commands that can be accessed by each user. With this enhancement, administrators can control user access and configure specific ports, logical interfaces, and slots on a router.

Figure 12

Role-Based CLI Access—Granular Interface Control

Benefits

With Role-Based CLI Access—Granular Interface Control, administrators can match user access to CLI commands based on their operational roles in the organization.

Security: Enhances the security of the device by defining the set of CLI commands that is accessible by a particular user. This prevents a user from accidentally or purposely changing a configuration or collecting information to which they should not have access.

Availability: Prevents unintentional execution of CLI commands by unauthorized personnel, which could result in undesirable results. This minimizes downtime.

Operational efficiency: Users see only the CLI commands applicable to the ports and commands to which they have access; therefore, the router appears less complex and commands are easier to identify when using on-device help.

Hardware

Routers

Cisco 7200 Series

Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers


Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.21) 802.1x Supplicant

There are deployment scenarios in which a network device (a router acting as an 802.1X authenticator) is placed in an unsecured location and cannot be trusted as an authenticator. This scenario mandates that a network device have the ability to authenticate itself against another network device.

The 802.1x supplicant support functionality provides the following solutions:

Extensible Authentication Protocol (EAP) framework: the supplicant can understand and respond to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently the only method supported. Note that EAP-MD5 provides one-way, password-based authentication only; it derives no keying material and does not by itself authenticate the authenticator to the supplicant (RFC 3748, Section 5.4).

Two network devices connected through an Ethernet link can act simultaneously as supplicant and authenticator, thus providing mutual authentication capability.

A network device that is acting as a supplicant can authenticate itself with more than one authenticator (that is, a single port on a supplicant can connect to multiple authenticators).
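The EAP-MD5 exchange behind the mutual authentication case above, as an added example that is not part of the original bulletin and not Cisco IOS code. The Python below implements the challenge/response computation of RFC 3748, Section 5.4 (the CHAP algorithm of RFC 1994), runs it in both directions between two devices that each act as supplicant and authenticator, and then shows why the method's lack of dictionary-attack resistance matters: a single sniffed challenge/response pair is enough to test password guesses offline. The device names, secrets, word list, fixed challenge, and all class and function names are this example's own; EAP and EAPOL wire framing is omitted.

```python
"""EAP-MD5 challenge/response (RFC 3748 section 5.4, RFC 1994) between two
devices that each act as supplicant and authenticator. Added example, not
Cisco IOS code; names, secrets, the word list and the fixed challenge are
constructed, and EAP/EAPOL framing is omitted."""

import hashlib
import hmac
import os


def eap_md5_response(identifier, secret, challenge):
    """Response-Value = MD5(Identifier || secret || Challenge-Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Device:
    """One 802.1X-capable device with its own secret and its peers' secrets."""

    def __init__(self, name, secret, peer_secrets):
        self.name = name
        self.secret = secret              # proved when acting as supplicant
        self.peer_secrets = peer_secrets  # name -> secret, used as authenticator
        self.pending = {}                 # identifier -> (peer name, challenge)
        self.next_id = 0

    # --- authenticator side ---------------------------------------------
    def send_request(self, peer_name):
        """EAP-Request/MD5-Challenge: fresh random challenge, tracked by identifier."""
        ident = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16)
        self.pending[ident] = (peer_name, challenge)
        return ident, challenge

    def verify_response(self, ident, response):
        """EAP-Success if the response matches the expected peer's secret."""
        peer_name, challenge = self.pending.pop(ident)
        expected = eap_md5_response(ident, self.peer_secrets[peer_name], challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare

    # --- supplicant side ------------------------------------------------
    def answer(self, ident, challenge):
        """EAP-Response/MD5-Challenge for the request just received."""
        return eap_md5_response(ident, self.secret, challenge)


def mutual_authenticate(a, b):
    """Each side authenticates the other over the same link.

    Returns (a_accepts_b, b_accepts_a); mutual authentication here comes only
    from running the one-way method twice, once in each direction."""
    ident, chal = a.send_request(b.name)
    a_accepts_b = a.verify_response(ident, b.answer(ident, chal))
    ident, chal = b.send_request(a.name)
    b_accepts_a = b.verify_response(ident, a.answer(ident, chal))
    return a_accepts_b, b_accepts_a


def dictionary_attack(ident, challenge, response, wordlist):
    """Offline guessing from one captured exchange: EAP-MD5 has no
    dictionary-attack resistance, so a sniffed challenge/response pair
    lets an eavesdropper test candidate secrets at will."""
    for word in wordlist:
        if eap_md5_response(ident, word, challenge) == response:
            return word
    return None


if __name__ == "__main__":
    wan = Device("wan-router", b"s3cret-wan", {"lan-switch": b"s3cret-lan"})
    lan = Device("lan-switch", b"s3cret-lan", {"wan-router": b"s3cret-wan"})
    print("mutual:", mutual_authenticate(wan, lan))
```

The practical consequence for the deployment scenario in the text: because the "untrusted location" device proves itself with a static secret and the exchange is observable on the wire, the secret must be long and random rather than a human-chosen password, and the link itself gains no encryption from the authentication.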

Figure 13

802.1x Supplicant

Benefits

Consistent, standards-based technology for insertion into any mixed multimedia, multi-vendor network.

Enforcing corporate policy for network access at Layer 2.

Single supplicant can connect to multiple authenticators, so different connectivity and security policies can be implemented for different users.

Hardware

Routers

Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.22) Cisco IOS Intrusion Prevention System

Cisco IOS Intrusion Prevention System (IPS) utilizes inline deep packet inspection to enhance network attack mitigation capabilities in Cisco IOS Software. By enabling IPS, customers can quickly protect their network from known network attacks without disrupting router functions or other embedded security capabilities, such as protocol anomaly detection.

The new Cisco IOS IPS capability enables the user to load and enable any of the 700+ IDS signatures that are supported by the Cisco IDS Sensor to deter network attacks. In addition, Cisco IOS IPS allows the user to modify any existing signature or create a new signature to deter newly discovered intrusions. Cisco IOS IPS enables the following actions:

Send an alarm

Drop the packet

Reset the connection

Figure 14

Cisco IOS Intrusion Prevention System

Benefits

Ubiquitous protection of network assets

Cisco IOS IPS is supported on a broad range of Cisco routers, enabling the user to protect network users and assets deep into the network architecture. The router is a security enforcer.

Inline deep packet inspection

Cisco IOS IPS enables users to stop known network attacks. When a signature matches, Cisco IOS IPS intercepts the intrusion attempt as it traverses the router. Cisco IOS IPS uses deep packet inspection to look into the payload of a packet and uncover known malicious activity.

IDS signature support

Cisco IOS IPS can now be enabled with any of the 700+ IDS signatures supported by the Cisco IDS Sensors to mitigate today's known network attacks. As new attacks are identified, these signatures are updated and posted to Cisco.com so that they can be downloaded to the Cisco router by way of VMS IDS MC 2.3 or SDM 2.0. IDS MC also provisions the Cisco IDS Sensor appliance products.

Customized signature support

Cisco IOS IPS can now customize existing signatures, while also creating new ones. This Day 1 capability mitigates attacks that try to capitalize on slight deviations of known or newly discovered attacks.

Hardware

Routers

Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Additional Information:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.23) Cisco IOS Security Device Event Exchange

Cisco IOS Software now supports the Security Device Event Exchange (SDEE) protocol. SDEE is a new standard that specifies the message format and the protocol used to communicate events generated by security devices. SDEE is vendor neutral, so mixed IDS vendor environments can use a single network management alert interface. TrueSecure (ICSA) is currently proposing it as the unified industry protocol for all vendors to use when communicating with network management applications. SDEE uses a pull mechanism: requests come from the network management application and the IDS/IPS router responds. It uses HTTP and XML to provide a standardized interface; as with any management listener on the router, access to it should be restricted to the management stations that poll it. The Cisco IOS IPS router will still send IDS alerts via syslog.

Figure 15

Cisco IOS Security Device Event Exchange

Benefits

Vendor Interoperability

SDEE will become the standard format for all vendors to communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and potentially multiple network management platforms.