Table of Contents
Overview
This chapter describes the ISA and the ISM and contains the following sections:
The ISA is a single-width service adapter and the ISM is a single-width service module. Each provides high-performance, hardware-assisted tunneling and encryption services suitable for virtual private network (VPN) remote access, site-to-site intranet, and extranet applications, as well as platform scalability and security while working with all services necessary for successful VPN deployments---security, quality of service (QoS), firewall and intrusion detection, and service-level validation and management. The ISA and the ISM off-load IPSec and MPPE processing from the main processor of the Cisco 7200 series or Cisco 7100 series router, thus freeing resources on the processor engines (that is, the network processor engine [NPE] on the Cisco 7200 series, and the network processor [NP] on the Cisco 7100 series routers) for other tasks.
The ISA and the ISM provide hardware-accelerated support for multiple encryption functions:
- 56-bit Data Encryption Standard (DES) standard mode: Cipher Block Chaining (CBC)
- 3-Key Triple DES (168-bit)
- Secure Hash Algorithm (SHA)-1 and Message Digest 5 (MD5) hash algorithms
- Rivest, Shamir, Adelman (RSA) public-key algorithm
- Diffie-Hellman key exchange RC4-40
Note Cisco 7100 series routers do not support online insertion and removal of the ISM.
Note Cisco 7200 series routers support online insertion and removal of the ISA.
The ISA and the ISM support IPSec, IKE, Microsoft Point to Point Encryption (MPPE), and Certification Authority (CA) interoperability features, providing highly scalable remote access VPN capabilities to Microsoft Windows 95/98/NT systems.
MPPE in conjunction with Microsoft's Point-to-Point tunneling protocol (PPTP) provides security for remote Microsoft Windows users by providing a tunneling capability, user-level authentication, and data encryption.
Note For more information on IPSec, IKE, MPPE, and CA interoperability, refer to the "IP Security and Encryption" chapter in the Security Configuration Guide and Security Command Reference publications.
IPSec acts at the network level and is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. IPSec services are similar to those provided by Cisco Encryption Technology (CET). However, IPSec provides a more robust security solution and is standards-based. IPSec also provides data authentication and antireplay services in addition to data confidentiality services, whereas CET provides data confidentiality services only.
Cisco implements the following standards with data encryption:
- IPSec---IPSec is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer; it uses IKE to handle negotiation of protocols and algorithms based on local policy, and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
- IPSec is documented in a series of Internet Drafts. The overall IPSec implementation is documented in RFC 2401 through RFC 2412 and RFC 2451.
- IKE---Internet Key Exchange (IKE) is a hybrid security protocol that implements Oakley and Skeme key exchanges inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. Although IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
- Microsoft Point-to-Point Encryption (MPPE) protocol is an encryption technology that provides encryption across point-to-point links. These links may use Point-to-Point Protocol (PPP) or Point-to-Point Tunnel Protocol (PPTP).
The ISA and the ISM support MPPE when encapsulation is set to PPP or PPTP.
- CA---In addition, Certificate Authority (CA) interoperability is provided in support of the IPSec standard, using Certificate Enrollment Protocol (CEP). CEP permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
The component technologies implemented for IPSec include:
- DES and Triple DES---The Data Encryption Standard (DES) and Triple DES (3DES) are used to encrypt packet data. Cisco IOS implements the 3-key triple DES and DES-CBC with Explicit IV. Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is explicitly given in the IPSec packet.
- MD5 (HMAC variant)---MD5 is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
- SHA (HMAC variant)---SHA is a hash algorithm. HMAC is a keyed hash variant used to authenticate data.
IPSec as implemented in Cisco IOS software supports the following additional standards:
- AH---Authentication Header is a security protocol that provides data authentication and optional antireplay services.
- The AH protocol allows for the use of various authentication algorithms; Cisco IOS has implemented the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol provides antireplay services.
- ESP---Encapsulating Security Payload is a security protocol that provides data privacy services, optional data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP protocol allows for the use of various cipher algorithms and (optionally) various authentication algorithms. Cisco IOS software implements the mandatory 56-bit DES-CBC with Explicit IV or Triple DES as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms. The updated ESP protocol provides antireplay services.
The ISA has three LEDs, as shown in Figure 1-1. Table 1-1 lists the colors and functions of the ISA LEDs.
Figure 1-1: ISA Front Panel LEDs (SA-ISA shown)
Table 1-1:
| LED Label
| Color
| State
| Function
|
ENABLE
| Green
| On
| Indicates the ISA is powered up and enabled for operation.
|
BOOT
| Amber
| Pulses1
On
| Indicates the ISA is operating.
Indicates the ISA is booting or a packet is being encrypted or decrypted.
|
ERROR
| Amber
| On
| Indicates an encryption error has occurred.
This LED is normally off.
|
1After successfully booting, the boot LED pulses in a "heartbeat" pattern to indicate that the ISA is operating. As crypto traffic increases, the nominal level of this LED increases in proportion to the traffic level.
|
ISA LEDs
The following conditions must all be met before the enabled LED goes on:
- The ISA is correctly connected to the backplane and receiving power.
- The system bus recognizes the ISA.
If either of these conditions is not met, or if the router initialization fails, the enabled LED does not go on.
The ISM has three LEDs, as shown in Figure 1-2. Table 1-2 lists the colors and functions of the LEDs.
Figure 1-2: ISM LEDs
Note The physical orientation of the ISM LEDs is reversed from that of the ISA (see Figure 1-2).
Table 1-2:
| LED Label
| Color
| State
| Function
|
EN
| Green
| On
| Indicates the ISM is powered up and enabled for operation.
|
BOOT
| Amber
| Pulses1
On
| Indicates the ISM is operating.
Indicates the ISM is booting or a packet is being encrypted or decrypted.
|
ERROR
| Amber
| On
| Indicates an encryption error has occurred. This LED is normally off.
|
1After successfully booting, the boot LED pulses in a "heartbeat" pattern to indicate that the ISM is operating. As crypto traffic increases, the nominal level of this LED increases in proportion to the traffic level.
|
ISM LEDs
The following conditions must all be met before the enabled LED goes on:
- The ISM is correctly connected to the backplane and receiving power.
- The system bus recognizes the ISM.
If either of these conditions is not met, or if the router initialization fails for other reasons, the enabled LED does not go on.
The ISM can be installed in service module slot 5 in Cisco 7120 series and Cisco 7140 series routers. Figure 1-3 shows a Cisco 7120 with an ISM installed in slot 5. Figure 1-4 shows a Cisco 7140 with an ISM installed in slot 5.
Figure 1-3: Service Module Slot 5 in the Cisco 7100 Series Router---Cisco 7120 Series
Figure 1-4: Service Module Slot 5 in the Cisco 7100 Series Router
---Cisco 7140 Series
Figure 1-5 shows a Cisco 7206 with port adapters installed. In the Cisco 7206, port adapter slot 1 is in the lower left position, and port adapter slot 6 is in the upper right position. (The Cisco 7202 and Cisco 7204 are not shown; however, the ISA can be installed in any available port adapter slot.)
Figure 1-5: Port Adapter Slots in the Cisco 7206
Posted: Mon Mar 13 09:09:12 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.
