The Integrated Services Adapter (ISA) for Cisco 7100 and 7200 series routers provides high-performance, hardware-assisted tunneling and encryption services suitable for private WAN and virtual private network (VPN) applications. As an integral component of Cisco security solutions, the ISA provides encryption scalability while working seamlessly with advanced WAN and VPN services such as quality of service (QoS), firewall and intrusion detection, and service-level validation. This feature integration, combined with ISA support for the broad set of LAN/WAN media and services, ensures the smooth integration of encryption technology into virtually any enterprise or service provider network environment.
The high-performance acceleration of Cisco IP Security (IPSec) offered by the ISA also provides privacy, integrity, and authenticity for fast-emerging VPN deployments—crucial requirements for transmission of sensitive information over the Internet. The ISA supports Data Encryption Standard (DES) or Triple DES IPSec encryption at full duplex DS-3 line rate (90 Mbps) for site-to-site VPNs. For mixed VPN environments with both site-to-site and remote access VPN requirements, the ISA supports up to 2000 encrypted tunnels. The ISA co-processor architecture offloads these processor-intensive functions from the main route processor, minimizing impact on system resources, thus delivering increased tunneling and encryption scalability for the most demanding encryption deployments. In addition, ISA support for advanced IPSec system facilities, such as the Cisco Tunnel Endpoint Discovery (TED) protocol, allows customers to implement IPSec transparently into the network infrastructure without the need for time-consuming crypto map management and without affecting individual workstations or PCs.
The ISA also supports Microsoft's Point-To-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE), providing highly scalable remote access VPN capabilities to Microsoft Windows 95/98/NT systems. The ISA supports up to 2000 simultaneous PPTP/MPPE remote VPN users protected with strong, 128-bit RC-4 encryption. With support for IPSec or PPTP/MPPE, the ISA provides flexible options in remote access deployment models, enabling enterprises to utilize software resident in Microsoft Windows 95/98/NT, L2TP/IPSec software resident in Microsoft Windows 2000 or Cisco Secure VPN client software based on IPSec (or other qualified third-party IPSec clients). For VPN environments requiring concurrent support of both IPSec and MPPE acceleration in the same Cisco 7200 system, multiple ISA cards may be installed in any open port adapter slots. In a Cisco 7100 series system, the primary encryption service is provided by the Integrated Services Module (ISM). The ISA, however, can be installed in the open port adapter slot of a Cisco 7100 series system to deliver concurrent IPSec and MPPE acceleration.
- IPSec—IPSec uses encryption technology to provide data confidentiality, integrity, and authenticity between participating peers in a private network. Cisco provides full Encapsulating Security Payload (ESP) and Authentication Header (AH) support.
- DES and 3DES—DES and 3DES encryption are very CPU intensive, potentially impacting router performance in high-throughput configurations. The ISA makes it possible to send DES or 3DES encrypted data at rates up to 90 Mbps while still providing the full range of advanced services available from Cisco 7100 and 7200 series routers.
- IKE—The Internet Key Exchange (IKE) provides security association management. IKE authenticates each peer in an IPSec transaction, negotiates security policy, and handles the exchange of session keys.
- RSA and Diffie-Hellman—These CPU-intensive protocols are used every time a new IPSec tunnel is established. RSA authenticates the remote device, while Diffie-Hellman exchanges the keys that will be used for DES or 3DES encryption. The ISA implements these protocols in specialized hardware, ensuring fast tunnel setup and high overall encryption throughput.
- IKE Keepalive—The IKE keepalive mechanism provides enhanced availability for IPSec configurations by automatically sending "keepalive" messages, allowing peers to recognize availability of tunnel endpoints. This setup ensures tunnel availability during periods of network inactivity.
- Tunnel Endpoint Discovery (TED)—This protocol improves the scalability and availability of VPNs in intranet and extranet configurations. Rather than defining each tunnel endpoint for protected traffic in the configuration, the network manager can simply configure which traffic to protect and let TED automatically determine the other endpoint in real time.
- MPPE—This feature provides strong, 128-bit RC-4 encryption for PPTP tunneling. MPPE can impact router performance in high-throughput configurations. The ISA ensures high encryption throughput for remote access VPNs using PPTP/MPPE.
- Layer 2 Tunneling Protocol/Layer 2 Forwarding (L2TP/L2F)—L2TP/L2F tunnels provide remote access VPNs with full support for Cisco IOS authentication, authorization and accounting (AAA) services, including authentication services through TACACS+ and Remote-Access Dial-In User Service (RADIUS), per-user authorization, and accounting capabilities for tracking VPN usage. Scalable support for L2TP+IPSec enables use of VPN client software resident in Microsoft Windows 2000. IPSec protects the L2TP/L2F tunnel by encrypting the tunnel itself. The combination of L2TP/L2F and IPSec provides a secure remote access VPN solution.
- GRE—Generic routing encapsulation (GRE) tunnels provide site-to-site intranet or extranet VPNs with multiprotocol support, routing support, and tunneling reliability. GRE tunnels can be used in conjunction with IPSec, to provide a secure site-to-site VPN solution.
- PPTP—PPTP tunnels provide easy-to-provision remote access VPNs for customers with Microsoft Windows 95/98/NT clients. PPTP tunnels can be encrypted via MPPE for a secure remote access VPN solution.
- IPSec—IPSec tunneling, alone, is appropriate for remote access or site-to-site VPNs when the added features of L2TP/L2F or GRE tunneling are not required. IPSec has lower packet overhead than other tunneling protocols, and supports IP packets only.
- Certificate management—The ISA supports the X.509v3 certificate system for device authentication, and the Certificate Enrollment Protocol (CEP) for communicating with certificate authorities. This enables large VPN deployments requiring authentication between many locations and devices. Several vendors, including Verisign and Entrust Technologies, support Cisco CEP and are interoperable with Cisco devices.
- Enhanced security—Hardware-based encryption solutions, such as the ISA, offer several security advantages over software-based implementations, including enhanced protection of keys and other confidential materials and tamper-resistant chip-based cryptographic algorithms.
The ISA is fully compatible with network-layer IPSec and Layer 3 encryption software services found in Cisco IOS Software. Throughput is simply enhanced through the use of specialized hardware to perform the complex mathematical transformations necessary to generate keys, authenticate devices, authenticate packets, and encrypt/decrypt data.
The Cisco 7200 series router can be configured to encrypt data using either the main route processor or the Integrated Services Adapter. Furthermore, Cisco 7200 series routers can provide concurrent IPSec and MPPE acceleration using two ISA cards. The Cisco 7100 series VPN router can be configured to encrypt data using the main route processor or the Integrated Services Module (ISM). The ISA card is installed in a Cisco 7100 system to complement the ISM, enabling concurrent acceleration of both IPSec and MPPE. This flexibility allows the router's main CPU to handle modest encryption requirements, reducing overall system cost, while the ISA can be used where the highest encryption performance is required. Cisco IOS software automatically detects the presence of the ISA encryption engine and transfers all encryption activities to the hardware accelerator without configuration changes. By matching performance needs with resource utilization requirements, the Cisco 7100 and 7200 series offer the best mix of value, performance, and cost for any encryption environment. Figure 1 illustrates the ISA deployed on a Cisco 7200 series router in a typical VPN environment.
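Because Cisco IOS hands crypto work to the ISA without configuration changes, the IPSec configuration is the same one used for software encryption. The following is an added example, not taken from this data sheet, of a Cisco IOS crypto configuration covering the features listed above: an IKE policy using RSA signatures and Diffie-Hellman, IKE keepalives, an ESP 3DES/SHA transform set, a static crypto map entry for a known peer, and a dynamic entry with Tunnel Endpoint Discovery. Peer and interface addresses, map names and access-list numbers are constructed placeholders, and CA enrollment via CEP is assumed to have been completed already.

```text
! IKE (ISAKMP) policy: RSA signatures authenticate the peer,
! Diffie-Hellman group 2 exchanges keys, 3DES/SHA protect the IKE SA.
! "encryption des" is the 56-bit alternative offered by the DES image.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
 lifetime 86400
!
! IKE keepalives: probe the peer every 10 seconds, retry 3 times
crypto isakmp keepalive 10 3
!
! IPSec transform set: ESP with 3DES confidentiality and SHA-1 HMAC integrity
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
 mode tunnel
!
! Dynamic template for peers whose address is learned at run time via TED;
! the match address ACL defines which traffic triggers a TED probe
crypto dynamic-map DYN 10
 set transform-set STRONG
 match address 102
!
! Static entry: explicitly configured peer (placeholder address)
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set STRONG
 match address 101
!
! Dynamic entry with "discover": TED finds the far-end tunnel endpoint
! instead of requiring a "set peer" for every destination
crypto map VPN 20 ipsec-isakmp dynamic DYN discover
!
! Traffic to protect (placeholder private address ranges)
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
! Apply the crypto map to the WAN interface (placeholder addressing)
interface Serial1/0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
```

After the ISA is installed, `show crypto engine configuration` reports which engine (software or the hardware accelerator) is active, which is the check that the offload actually took effect.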
Figure 1 Using the ISA in a typical VPN deployment
A Cisco 7200VXR router with an NPE-300 and an ISA card connects a corporation's headquarters to the Internet over a T3 line, terminating VPN tunnels from remote offices, extranet partners, and remote users. A Cisco 7200VXR with an NPE-175 and an ISA provides nxT1/E1 encryption scalability up to 50 Mbps, suitable for regional office VPN environments. The use of the ISA ensures high encryption performance without impacting the routing and services capabilities of the platform. Suppliers connect to the VPN using local branch or regional office routers, such as the Cisco 1700, 2600, or 3600, enabling extranet VPNs. The Cisco 800 series routers or the Cisco Secure VPN client software provide remote access for telecommuters and mobile users. Cisco IOS software features provide a full complement of VPN capabilities, including integrated firewall services with the Cisco IOS Firewall, and content-aware QoS features.
To enable either 56-bit DES/40-bit MPPE or 168-bit DES/128-bit MPPE encryption services, please select the appropriate software image. ISA support for IPSec and PPTP/MPPE is available in Cisco IOS 12.1E software images beginning with Release 12.1(1)E.
An unrestricted license for the Cisco Secure VPN client is included with every ISA card at no additional charge if selected at time of order. However, a separate support contract for the client is required. The Cisco Secure VPN client is available in DES or 3DES versions. For more information on the Cisco Secure VPN client, please see:
http://www.cisco.com/wwl/export/encrypt.html for guidance.
Table 1 ISA Ordering Information