The Integrated Services Module (ISM) for Cisco 7100 series VPN routers provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access and site-to-site intranet and extranet applications. As an integral component of the Cisco VPN solution, the ISM provides platform scalability and security while working seamlessly with all services necessary for successful VPN deployments—security, quality of service (QoS), firewall and intrusion detection, service-level validation, and management. This integration, combined with ISM support for the broad set of WAN media and services offered by the Cisco 7100 series router, ensures the smooth integration of VPN technology into any enterprise or service provider network.
The high-performance acceleration of Cisco IP Security (IPSec) offered by the ISM provides privacy, integrity, and authenticity for VPN—crucial requirements for transmission of sensitive information over the Internet. The ISM supports up to 2000 Data Encryption Standard (DES) or Triple DES encrypted tunnels for remote access applications and supports up to full duplex DS-3 line rate (90 Mbps) for site-to-site VPNs. The ISM coprocessor architecture offloads these processor-intensive functions from the main route processor of Cisco 7100 series routers, minimizing impact on system resources, thus delivering increased tunneling and encryption scalability for the most demanding VPN deployments. In addition, ISM support for advanced IPSec system facilities, such as the Cisco Tunnel Endpoint Discovery (TED) protocol, allows customers to implement IPSec transparently into the network infrastructure without the need for time-consuming crypto map management and without affecting individual workstations or PCs.
The ISM also supports Microsoft's Point-To-Point Tunneling Protocol (PPTP) and Microsoft Point-to-Point Encryption (MPPE), providing highly scalable remote access VPN capabilities to Microsoft Windows 95/98/NT systems. The ISM supports up to 2000 simultaneous PPTP/MPPE remote VPN users protected with strong, 128-bit RC-4 encryption. With support for IPSec or PPTP, the ISM provides flexible options in remote access deployment models, enabling enterprises to utilize software resident in Microsoft Windows 95/98/NT or Cisco Secure VPN client software based on IPSec (or other qualified third-party IPSec clients).
Cisco VPN solutions encompass all segments of the networking infrastructure—platforms, security, network services, network appliances, and management. The services offered by Cisco VPN solutions include encryption, tunneling, firewall, and QoS capabilities. The ISM accelerates the encryption components of a VPN, including bulk data transfer, public key authentication, and key exchange.
IPSec—IPSec uses encryption technology to provide data confidentiality, integrity, and authenticity between participating peers in a private network. Cisco provides full Encapsulating Security Payload (ESP) and Authentication Header (AH) support.
- DES and 3DES—DES and 3DES encryption are very CPU intensive, potentially impacting router performance in high-throughput configurations. The ISM makes it possible to send DES or 3DES encrypted data at rates up to 90 Mbps while still providing the full range of VPN services available from the Cisco 7100 router.
IKE—The Internet Key Exchange (IKE) provides security association management. IKE authenticates each peer in an IPSec transaction, negotiates security policy, and handles the exchange of session keys.
- RSA and Diffie-Hellman—These CPU-intensive protocols are used every time a new IPSec tunnel is established. RSA authenticates the remote device, while Diffie-Hellman establishes the shared keys that will be used for DES or 3DES encryption. The ISM implements these protocols in specialized hardware, ensuring fast tunnel setup and high overall encryption throughput.
- IKE Keepalive—The IKE keepalive mechanism provides enhanced availability for IPSec configurations by automatically sending "keepalive" messages, allowing peers to recognize availability of tunnel endpoints. This setup ensures tunnel availability during periods of network inactivity.
- Tunnel Endpoint Discovery (TED)—This protocol improves the scalability and availability of VPNs in intranet and extranet configurations. Rather than defining each tunnel endpoint for protected traffic in the configuration, the network manager can simply configure which traffic to protect and let TED automatically determine the other endpoint in real time.
- MPPE—This feature provides strong, 128-bit RC-4 encryption for PPTP tunneling. MPPE can impact router performance in high-throughput configurations. The ISM ensures high encryption throughput for remote access VPNs using PPTP/MPPE.
- Layer 2 Tunneling Protocol/Layer 2 Forwarding (L2TP/L2F)—L2TP/L2F tunnels provide remote access VPNs with full support for Cisco IOS authentication, authorization and accounting (AAA) services, including authentication services through TACACS+ and Remote Authentication Dial-In User Service (RADIUS), per-user authorization, and accounting capabilities for tracking VPN usage. IPSec protects the L2TP/L2F tunnel by encrypting the tunnel itself. The combination of L2TP/L2F and IPSec provides a secure remote access VPN solution.
- GRE—Generic routing encapsulation (GRE) tunnels provide site-to-site intranet or extranet VPNs with multiprotocol support, routing support, and tunneling reliability. GRE tunnels can be used in conjunction with IPSec to provide a secure site-to-site VPN solution.
- PPTP—PPTP tunnels provide easy-to-provision remote access VPNs for customers with Microsoft Windows 95/98/NT clients. PPTP tunnels can be encrypted via MPPE for a secure remote access VPN solution.
- IPSec—IPSec tunneling, alone, is appropriate for remote access or site-to-site VPNs when the added features of L2TP/L2F or GRE tunneling are not required. IPSec has lower packet overhead than other tunneling protocols, and supports IP packets only.
Certificate management—The ISM supports the X.509 v3 certificate system for device authentication, and the Certificate Enrollment Protocol (CEP) for communicating with certificate authorities. This support enables large VPN deployments requiring authentication between many locations and devices. Several vendors, including Verisign and Entrust Technologies, support Cisco CEP and are interoperable with Cisco devices.
Enhanced security—Hardware-based encryption solutions, such as the ISM, offer several security advantages over software-based implementations, including enhanced protection of keys and other confidential materials and tamper-resistant chip-based cryptographic algorithms.
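The IKE, keepalive, TED and certificate features listed above come together in a single Cisco IOS configuration. The following fragment is an added example written for this page, not taken from the data sheet or from Cisco; the hostname, addresses, CA URL and interface name are placeholders, and it assumes the 12.0/12.1-era command syntax. No ISM-specific command appears, because IOS detects the module automatically.

```cisco
! Placeholder identity; the RSA key pair and certificate are bound to it.
hostname hq-7140
ip domain-name example.com
!
! CA enrollment via CEP (12.0/12.1 syntax); CA URL is a placeholder.
! After this, run from EXEC mode:
!   crypto key generate rsa
!   crypto ca authenticate ExampleCA
!   crypto ca enroll ExampleCA
crypto ca identity ExampleCA
 enrollment url http://ca.example.com:80
!
! IKE policy: 3DES, SHA-1, RSA signatures (X.509 certificates), DH group 2.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! IKE keepalives every 10 seconds so dead peers are detected
! and tunnels stay usable across periods of inactivity.
crypto isakmp keepalive 10
!
! IPSec transform set: ESP with 3DES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Traffic to protect (constructed addresses): HQ LAN to branch LANs.
! With TED this is the only thing the administrator has to define.
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic map with no "set peer": TED discovers the remote endpoint.
crypto dynamic-map TED-DYN 10
 set transform-set ESP-3DES-SHA
 match address 101
!
! The "discover" keyword enables Tunnel Endpoint Discovery.
crypto map VPN 10 ipsec-isakmp dynamic TED-DYN discover
!
! Placeholder WAN interface (the T3 link in Figure 1).
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
```

The peer router needs the same policy, transform set and a mirror-image access list; `show crypto engine configuration` on the Cisco 7100 confirms whether the ISM or the route processor is performing the crypto work.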
The ISM is fully compatible with network-layer IPSec and Layer 3 encryption software services found in Cisco IOS Software. Throughput is simply enhanced through the use of specialized hardware to perform the complex mathematical transformations necessary to generate keys, authenticate devices, authenticate packets, and encrypt/decrypt data.
The Cisco 7100 series routers can be configured to encrypt data either on the main route processor or on the Integrated Services Module. This flexibility allows the router's main CPU to handle modest encryption requirements, reducing overall system costs, while the ISM can be used where the highest IPSec performance is required. Cisco IOS software automatically detects the presence of the ISM encryption engine and transfers all encryption activities to the hardware accelerator without configuration changes. With this ability to match performance needs with resource utilization requirements, the Cisco 7100 VPN router offers the best mix of value, performance, and cost for any encryption environment. Figure 1 illustrates a typical VPN deployment.
A Cisco 7140 VPN router with an ISM card connects a corporation's headquarters to the Internet over a T3 line terminating VPN tunnels from remote offices, extranet partners, and remote users. The use of the ISM ensures high encryption performance without impacting the routing and services capabilities of the platform.
A Cisco 7120 with ISM connects the regional office to the Internet for intranet VPN and provides a full complement of VPN capabilities, including integrated firewall services with the Cisco IOS Firewall. Suppliers connect to the VPN using local branch or regional office routers, such as the Cisco 1700, 2600, or 3600, enabling extranet VPNs. The Cisco 800 series routers or the Cisco Secure VPN client software provide remote access for telecommuters and mobile users.
Figure 1 Using the ISM in a typical VPN deployment
To enable either 56-bit DES/40-bit MPPE or 168-bit DES/128-bit MPPE encryption services, please select the appropriate software image. ISM support for IPSec and PPTP/MPPE is available in Cisco IOS 12.0XE or 12.1E software images beginning with Release 12.0(5)XE4. ISM support for PPTP/MPPE is anticipated in Cisco IOS 12.0(5)XE software images beginning with the Release 12.0(5)XE image available at time of shipment.
Table 1 Cisco IOS Software Release 12.0XE or 12.1E
An unrestricted license for the Cisco Secure VPN client is included with every ISM card at no additional charge if selected at time of order. However, a separate support contract for the client is required. The Cisco Secure VPN client is available in DES or 3DES versions. For more information on the Cisco Secure VPN client, please see http://www.cisco.com/wwl/export/encrypt.html for guidance.
Table 2 ISM Ordering Information