
Cisco Network Encryption Services



Cisco has an interesting web page about encryption services
that may be attached below :-)
http://www.cisco.com/warp/public/732/Security/ncryp_tc.htm

Starting with Release 11.2, they offer several kinds of encryption,
including single-DES for US use and 40-bit-something for export.
Key exchange is Diffie-Hellman with DSS signatures.
There's a pointer to a brief white paper at 
http://www.cisco.com/warp/public/732/Security/ncryp_wp.htm
and a press release from May 96 about 
"Cisco Systems to Offer Free Reference Implementation
of IETF's ISAKMP Security Framework"
http://www.cisco.com/warp/public/146/298.html

Cisco Network Encryption Services



Introduction

As growing numbers of enterprises move from a centralized information-management architecture toward one that is far more distributed and open, security becomes both increasingly important and vastly more difficult to achieve. Because no single approach to security is sufficient, the Cisco Internetwork Operating System (Cisco IOS(TM)) software security architecture provides numerous security services and capabilities, including:

  • Access management, which pertains to authentication and authorization services for telecommuting

  • Network management

  • Route authentication

  • Firewalls, which restrict specified types of packets from entering and crossing an organization's network

As an additional element of this architecture, the Cisco IOS software also provides encryption services to ensure data privacy during transmission. This paper addresses Cisco's new encryption offerings. Specifically, it explains the particular strengths of the network-level encryption available from Cisco, comparing and contrasting it with alternative encryption methods. It also details the networking environments that can make best use of such encryption, a broad range that includes WANs, LANs, and public switching services such as the Internet.

Figure 1: Security Policy Supported by the Cisco IOS Security Architecture

Encryption Methods

Encryption, the use of an algorithm and a key to transform intelligible information into an unintelligible state for purposes of security, can occur at three levels: application, link, and network.

Application-Level Encryption

Encryption that occurs at this level requires that the specific application used either innately supports such functionality or, more commonly, is modified to incorporate it. At application level, encryption functions on an "end-to-end" basis; that is, information is encrypted as it is entered into an individual workstation and decrypted as it is received at another workstation. However, this setup means that the success of application-level encryption is tied to three factors:

  • The availability of appropriate applications that support encryption

  • The ability to trust users to communicate all information through such applications

  • The compatibility of the encryption software on all participating hosts

For these reasons, application-level encryption should be used in conjunction with additional security approaches that involve encryption during the process of information transmission.

Link-Level Encryption

This type of encryption provides a high level of security by encrypting all the traffic on a given link, including the network-layer header with its addresses and protocol field. Link-level encryption prevents unauthorized users from learning either the corporate network structure or the specific data contained in particular transmissions. Link-level encryption is protocol-independent, but to accommodate link-layer variations it must be both media- and interface-specific. For this reason, it works well in small, point-to-point network environments and in some bridging environments. However, because encryption and decryption must occur at each link, its utility is extremely dependent on network topology. For larger, more complex networks, link-level encryption increases latency, degrading performance, and it is both costly and difficult to deploy. In addition, given the increasing use of Virtual Private Networks (VPNs), link-level encryption is simply unusable with public switched services such as the Internet.

Network-Level Encryption

Encryption at the network level is performed in conjunction with specific protocols rather than specific media, enabling a high degree of flexibility while providing high performance. Network-level encryption operates on a flow-by-flow basis, encrypting payload traffic between specified user/application pairs or subnets while leaving network-layer headers intact. In other words, encryption support is required only at the boundaries of subnets, not at any intermediary networking devices. The trade-off is that, because headers stay in the clear, the addresses and traffic patterns of a flow remain visible to an observer on the path, which link-level encryption would have hidden. Because network-level encryption is media- and topology-independent and works well across all interfaces, it is the optimal approach for large, complex networks (especially those that involve routers) and, in general, for networks based on any WAN media, including the Internet. It is because of these advantages that Cisco chose to incorporate network-level encryption functionality into its Cisco IOS operating system.

Figure 2: Encryption Alternatives

Cisco IOS Encryption Services

Cisco encryption services involve four basic components:

  • Device certification and authentication

  • Key exchange

  • Encryption policy and connection setup

  • Encryption methods

Device Certification and Authentication

The Cisco IOS software uses the Digital Signature Standard (DSS), published by the National Institute of Standards and Technology in 1994, to authenticate devices during the public key exchange. (Without device authentication, a third party could pose as the intended recipient to both communicating devices and read, modify, or delete the data passing between them.) The Cisco authentication scheme lets users specify which pairs of networks are to be encrypted. Routers establishing a secure connection authenticate each other with DSS signatures, without needing a pre-shared secret key or an already-encrypted channel. A certificate hierarchy vouches for the authenticity of each router's credentials, including its public key.

Key Exchange

The Cisco IOS software uses Diffie-Hellman key agreement to establish session keys. In Diffie-Hellman, the two parties exchange only nonsecret values, yet each can independently compute the same secret number, which is then used as the session key for encrypting the data that passes between them. Because the session key itself never crosses the network in any form, the routers can change it as often as necessary. Diffie-Hellman on its own does not identify the parties; the DSS signatures described above are what bind each exchanged value to a particular router.
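The two mechanisms just described, DSS signatures binding a router's identity to its public value and Diffie-Hellman agreement on a session key, are shown together in the following added example. It is not Cisco's code and not taken from this paper: it generates a toy-size DSA group (64-bit q, 256-bit p; a real deployment uses far larger parameters), signs each side's DH value, and runs the exchange three ways: honestly, with an attacker substituting its own value while signatures are checked, and with the same attacker when no authentication is done, which is the failure the authentication section warns about. The router names, the `trusted` table standing in for the certificate hierarchy, and the message layout are assumptions made for the example and say nothing about the actual Cisco IOS wire format.

```python
# Authenticated Diffie-Hellman in the style of the handshake described above: each
# router signs its DH public value with its DSS (DSA) key so a third party cannot
# substitute its own value.  Toy-size group (64-bit q, 256-bit p), far too small
# for real use, chosen so the example runs in under a second.
import hashlib
import random

RNG = random.Random(1996)  # fixed seed for reproducibility; NOT a secure RNG

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(qbits=64, pbits=256):
    """DSS-style group (prime q | p-1, g of order q) shared by DSA and DH."""
    q = 0
    while not is_probable_prime(q):
        q = RNG.getrandbits(qbits) | (1 << (qbits - 1)) | 1
    p = 0
    while p.bit_length() != pbits or not is_probable_prime(p):
        p = (RNG.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) * q + 1
    h, g = 2, 1
    while g == 1:
        g, h = pow(h, (p - 1) // q, p), h + 1
    return p, q, g

def _hash_to_int(msg, q):  # leftmost bit_length(q) bits of SHA-256, per FIPS 186
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - q.bit_length())

def keypair(params):
    """(private exponent, public value); used for both DSS keys and DH values."""
    p, q, g = params
    x = RNG.randrange(1, q)
    return x, pow(g, x, p)

def dsa_sign(params, x, msg):
    p, q, g = params
    z = _hash_to_int(msg, q)
    while True:
        k = RNG.randrange(1, q)               # per-signature secret; reuse leaks x
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def dsa_verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w, z = pow(s, -1, q), _hash_to_int(msg, q)
    return (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q == r

def session_key(params, priv, peer_pub):
    """Shared secret hashed to a 256-bit key; rejects small-subgroup values."""
    p, q, _ = params
    if not 1 < peer_pub < p - 1 or pow(peer_pub, q, p) != 1:
        raise ValueError("peer DH value is not in the order-q subgroup")
    return hashlib.sha256(pow(peer_pub, priv, p).to_bytes(32, "big")).digest()

def make_hello(params, name, dss_priv, dh_pub):
    """Opening message: identity, DH public value, DSS signature over both."""
    return name, dh_pub, dsa_sign(params, dss_priv, name.encode() + dh_pub.to_bytes(32, "big"))

def accept_hello(params, trusted, hello, my_dh_priv, authenticate=True):
    """Session key, or None if the signature fails under the key held for that name."""
    name, dh_pub, sig = hello
    if authenticate:
        signed = name.encode() + dh_pub.to_bytes(32, "big")
        if name not in trusted or not dsa_verify(params, trusted[name], signed, sig):
            return None
    return session_key(params, my_dh_priv, dh_pub)

def run_exchange(params, mitm=False, authenticate=True):
    """(key at router A, key at router B, attacker's keys or None)."""
    (xa, ya), (xb, yb) = keypair(params), keypair(params)        # DSS signing keys
    trusted = {"routerA": ya, "routerB": yb}   # stand-in for the certificate hierarchy
    (a, A), (b, B) = keypair(params), keypair(params)            # ephemeral DH values
    hello_a, hello_b = make_hello(params, "routerA", xa, A), make_hello(params, "routerB", xb, B)
    attacker = None
    if mitm:  # attacker substitutes its own DH value, signed with its own DSS key
        (xm, _), (m, M) = keypair(params), keypair(params)
        hello_a, hello_b = make_hello(params, "routerA", xm, M), make_hello(params, "routerB", xm, M)
        attacker = (session_key(params, m, A), session_key(params, m, B))
    return (accept_hello(params, trusted, hello_b, a, authenticate),
            accept_hello(params, trusted, hello_a, b, authenticate), attacker)
```

Python 3.8 or later is needed for `pow(k, -1, q)`. With `authenticate=True` the substituted hellos are rejected and neither router derives a key; with `authenticate=False` both routers happily derive keys, but each one is shared with the attacker rather than with the other router. The subgroup check in `session_key` is the other caveat worth copying: a peer value outside the order-q subgroup is rejected before any exponentiation, so a small-subgroup confinement attack cannot get past a verified signature.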

Encryption Policy

Cisco software now lets users set up subnet-to-subnet encryption, as well as per-user or per-application encryption, based on IP packet fields. When a packet is sent through a secured connection, it is encrypted as it leaves the source subnet and decrypted as it arrives at the destination subnet. By encrypting only the traffic of selected users and applications, network encryption reduces the cost and increases the flexibility of securing data in transit. To serve organizations whose internetworks include sections running non-IP protocols, such as Novell IPX or AppleTalk, the Cisco IOS software supports generic routing encapsulation (GRE). GRE wraps the non-IP packet inside an IP packet; the encapsulated packet is then encrypted as IP payload and a new IP header is prepended. The non-IP protocol thus "tunnels" through the IP portion of the network. On reaching its destination, the traffic is first decrypted and then decapsulated. The same technique can be used to hide network addresses and application information, since they travel inside the encrypted payload. Cisco plans to support other protocols in later releases of the Cisco IOS software.
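To make the policy model concrete, the following added example (not Cisco's implementation and not from this paper) shows flow-by-flow, network-level encryption in Python: an extended-access-list-style rule set selects packets by source subnet, destination subnet, protocol and destination port; only the IP payload of matching packets is encrypted while the header stays readable; and a constructed IPX frame is carried through an encrypted GRE tunnel and recovered by decrypting first and decapsulating second, the order the paragraph above gives. A SHA-256 counter-mode keystream stands in for DES (it is not DES and not a vetted cipher mode); the addresses, rules, key and packets are all constructed for the example.

```python
# Flow-by-flow network-level encryption policy in the style of the access-list
# extension described above: only the payload of IP packets that match a rule is
# encrypted, the IP header stays in the clear so intermediate routers can forward,
# and non-IP traffic (IPX here) rides in a GRE tunnel so it becomes encryptable IP
# payload.  SHA-256 keystream stands in for DES; rules, addresses, key and packets
# are constructed for this example.
import hashlib
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
ETHERTYPE_IPX = 0x8137   # GRE protocol-type value for Novell IPX (RFC 1701)

def ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_packet(src, dst, proto, payload, ident=0):
    """20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """(header length, protocol, src, dst, identification bytes)."""
    return ((pkt[0] & 0x0F) * 4, pkt[9], ipaddress.IPv4Address(pkt[12:16]),
            ipaddress.IPv4Address(pkt[16:20]), pkt[4:6])

def keystream_xor(key, nonce, data):
    """DES stand-in: SHA-256 counter-mode keystream XORed over data (encrypt == decrypt)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def matching_rule(pkt, rules, check_port=True):
    """Rules: (src_net, dst_net, proto or None, dst_port or None); first match wins."""
    ihl, proto, src, dst, _ = parse_ipv4(pkt)
    for rule in rules:
        src_net, dst_net, r_proto, r_port = rule
        if src not in src_net or dst not in dst_net:
            continue
        if r_proto is not None and proto != r_proto:
            continue
        if check_port and r_port is not None:
            if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(pkt) < ihl + 4:
                continue
            if struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] != r_port:
                continue
        return rule
    return None

def protect(pkt, rules, key):
    """Outbound at the source-subnet boundary: encrypt the payload only."""
    if matching_rule(pkt, rules) is None:
        return pkt                      # flow not covered by policy: sent in the clear
    ihl, _, _, _, ident = parse_ipv4(pkt)
    # IP identification field doubles as nonce only here; a real design needs a proper IV.
    return pkt[:ihl] + keystream_xor(key, ident, pkt[ihl:])

def unprotect(pkt, rules, key):
    """Inbound at the destination boundary.  Ports sit inside the ciphertext, so
    match on addresses and protocol first, decrypt, then confirm the full rule."""
    if matching_rule(pkt, rules, check_port=False) is None:
        return pkt
    ihl, _, _, _, ident = parse_ipv4(pkt)
    clear = pkt[:ihl] + keystream_xor(key, ident, pkt[ihl:])
    return clear if matching_rule(clear, rules) is not None else pkt

def gre_encapsulate(inner, protocol_type, tunnel_src, tunnel_dst, ident=0):
    """Wrap a non-IP frame in a GRE header (RFC 1701, no optional fields) inside a
    new IP packet (protocol 47) between the tunnel endpoints; protect() then
    encrypts it like any other matching IP flow."""
    return ipv4_packet(tunnel_src, tunnel_dst, IPPROTO_GRE,
                       struct.pack("!HH", 0, protocol_type) + inner, ident)

def gre_decapsulate(pkt):
    """Run after unprotect(): returns (protocol type, inner frame)."""
    ihl, proto, _, _, _ = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, protocol_type = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags:
        raise ValueError("GRE optional fields not handled here")
    return protocol_type, pkt[ihl + 4:]

# Constructed policy: HTTPS between two site subnets, plus the GRE tunnel between
# the two routers' own addresses.  KEY would come from the DH exchange.
RULES = [
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16"), IPPROTO_TCP, 443),
    (ipaddress.ip_network("192.0.2.1/32"), ipaddress.ip_network("198.51.100.1/32"), IPPROTO_GRE, None),
]
KEY = b"constructed-session-key-placeholder"

def sample_tcp_packet(src="10.1.0.5", dst="10.2.0.9", dst_port=443):
    """Constructed TCP segment (source port, destination port, filler) in IPv4."""
    segment = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16 + b"GET / HTTP/1.0"
    return ipv4_packet(src, dst, IPPROTO_TCP, segment, ident=0x1234)

SAMPLE_IPX = b"\xff\xff" + b"constructed IPX packet body"   # stand-in frame, not a real IPX layout
```

The inbound side is the instructive part: because the transport header is inside the ciphertext, the receiver can match on addresses and protocol only, must decrypt before it can confirm a port-level rule, and passes the packet through as received when the recovered cleartext matches nothing. A production design also needs a per-packet IV and an integrity check, both of which this illustration omits.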

Encryption Methods

Cisco supports the Data Encryption Standard (DES) with two key lengths. Standard DES uses a 56-bit key and is subject to U.S. State Department export restrictions, as well as the import/export restrictions of various countries. The second option supported by Cisco encryption services uses a 40-bit key and is fully exportable; its key space is 2^16 times smaller than that of 56-bit DES, which is what makes it exportable and correspondingly easier to search by brute force.

Figure 3: Cisco IOS Encryption

Implementation

Cisco offers network-level encryption solutions implemented through both software and hardware.

Software-Based Encryption Solutions

Starting with the Cisco IOS software Version 11.2, Cisco offers users network-level encryption using DES. This feature is implemented as an extension to access lists. Cisco's software-based encryption services are available for networks running over any media that support IP, on Cisco 2500, 4XXX, 7000, and 7500 routers.

Organizations that use the Cisco 7500 series or Cisco 7000 with Route/Switch Processor (RSP) series have two options: performing software-based encryption on the main RSP or offloading such encryption functions to one of the router's Versatile Interface Processors (VIPs) for higher performance.

Hardware-Based Encryption Tools

To augment the encryption support available through the Cisco IOS software, Cisco also offers a hardware accelerator for the Cisco VIP: the Encryption Port Adapter (EPA). This card, which greatly enhances the performance of Cisco's software-based encryption services, has been jointly developed with Cylink, the company that pioneered the development of public key management systems more than a decade ago.

The Cisco EPA card also meets Federal Information Processing Standards requirements and includes numerous security features. For example, it offers a tamper shield designed to prevent probing. In addition, the EPA has an extraction detection system that requires reauthentication if the card is removed from one router and inserted into another.

Applications

The following scenarios illustrate the networking applications that can benefit most from the network-level encryption now offered by the Cisco IOS software.

Wide-Area Private Networking

Organizations such as banks face difficulties inherent in securing information traffic between many sites, compounded by the challenges posed by their use of varied media. Link-level encryption can be difficult and costly, since its media-specific nature would require the purchase of numerous different encryption products. In contrast, Cisco's network-level encryption, with its media-independence, provides a single, less expensive security option. Organizations can run the Cisco IOS network encryption feature in remote Cisco 2500/4XXX systems and use the Cisco 7500 and EPA to provide the higher performance required at the central site.

LAN or Campus Networks

Today's enterprises generally have extremely complex network environments, with multiple servers containing sensitive information dispersed throughout the network. To further complicate matters, the network often includes multiple media types, such as Ethernet, Fiber Distributed Data Interface (FDDI), and Token Ring. In an environment with multiple paths between any two end stations, link-level encryption is unsuitable, if not impossible. Cisco's network-level encryption can offer the flexible, end-to-end approach required, allowing enterprises to choose the specific traffic they wish to encrypt within an enterprise network LAN.

Public Networks/Internet

Organizations that need to make a variety of information (data on stocking, ordering, and pricing, for example) available globally to their own remote sites and partners are increasingly turning to public services such as the Internet to create VPNs. For these organizations, link-level encryption is simply not an option, because it cannot be operated across public switched networks. Since Cisco's network-level encryption can run over any media that support IP, it offers an ideal security solution for VPNs, allowing data security across a public network.

Conclusion

Security policies are becoming more important as enterprises make increasing use of distributed networking models. Today, to secure their network information, most enterprises must implement a broad range of approaches, including access management, firewalls, and host security. The Cisco IOS software security architecture addresses each of these areas. In addition, it now encompasses powerful new encryption capabilities at the network level that offer major enhancements over available link-level solutions and can significantly augment the security provided by any application-level encryption already in use.


Posted: Mon May 6 14:03:00 PDT 1996