IP Security and Encryption Overview
This chapter briefly describes the following security features and how they relate to each other:
Cisco Encryption Technology (CET) is a proprietary security solution introduced in Cisco IOS Release 11.2. It provides network data encryption at the IP packet level and implements the following standards:
- Digital Signature Standard (DSS)
- Diffie-Hellman (DH) public key algorithm
- Data Encryption Standard (DES)
For more information regarding CET, refer to the chapter "Configuring Cisco Encryption Technology."
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. It acts at the network level and implements the following standards:
- IPSec
- Internet Key Exchange (IKE)
- Data Encryption Standard (DES)
- MD5 (HMAC variant)
- SHA (HMAC variant)
- Authentication Header (AH)
- Encapsulating Security Payload (ESP)
IPSec services provide a robust security solution that is standards-based. IPSec also provides data authentication and anti-replay services in addition to data confidentiality services, while CET provides only data confidentiality services.
For more information regarding IPSec, refer to the chapter "Configuring IPSec Network Security."
IPSec shares the same benefits as CET: both technologies protect sensitive data that travels across unprotected networks, and, like CET, IPSec security services are provided at the network layer, so you do not have to configure individual workstations, PCs, or applications. This benefit can provide a great cost savings. You do not need to deploy and coordinate security on a per-application, per-computer basis; you can simply change the network infrastructure to provide the needed security services.
IPSec encryption offers a number of additional benefits not present in CET:
- Because IPSec is standards-based, it enables Cisco devices to interoperate with other IPSec-compliant networking devices to provide the IPSec security services. IPSec-compliant devices could include both Cisco devices and non-Cisco devices such as PCs, servers, and other computing systems.
- Cisco and its partners, including Microsoft, are planning to offer IPSec across a wide range of platforms, including Cisco IOS software, the Cisco PIX Firewall, and Windows 2000.
- Enables a mobile user to establish a secure connection back to the office. For example, the user can establish an IPSec "tunnel" with a corporate firewall (requesting authentication services) in order to gain access to the corporate network; all of the traffic between the user and the firewall will then be authenticated. The user can then establish an additional IPSec tunnel (requesting data privacy services) with an internal router or end system.
- Provides support for the Internet Key Exchange (IKE) protocol and for digital certificates. IKE provides negotiation services and key derivation services for IPSec. Digital certificates allow devices to be automatically authenticated to each other without the manual key exchanges required by Cisco Encryption Technology. For more information, see the "Configuring Internet Key Exchange Security Protocol" chapter.
- This support allows IPSec solutions to scale better than CET solutions, making IPSec preferable in many cases for use with medium-sized, large-sized, and growing networks, where secure connections between many devices are required.
Should you implement CET or IPSec network security in your network? The answer depends on your requirements.
If you require only Cisco router-to-Cisco router encryption, then you could run CET, which is a more mature, higher-speed solution.
If you require a standards-based solution that provides multivendor interoperability or remote client connections, then you should implement IPSec. Also, if you want to implement data authentication with or without privacy (encryption), then IPSec is the right choice.
If you want, you can configure both CET and IPSec simultaneously in your network, even simultaneously on the same device. A Cisco device can simultaneously have CET secure sessions and IPSec secure sessions, with multiple peers.
Table 23 compares Cisco Encryption Technology to IPSec.
Table 23: Cisco Encryption Technology vs. IPSec

| Feature | Cisco Encryption Technology | IPSec |
|---|---|---|
| Availability | Cisco IOS Release 11.2 and later. | Cisco IOS Release 11.3(3)T and later. |
| Standards | Pre-IETF standards. | IETF standard. |
| Interoperability | Cisco router to Cisco router. | All IPSec compliant implementations. |
| Remote Access Solution | Not supported. | Client encryption will be supported. |
| Device Authentication | Manual between each peer at installation. | IKE uses digital certificates as a type of "digital ID card" (when Certification Authority support is configured); also supports manually-configured authentication shared secrets and manually-configured public keys. |
| Certificate Support | Not supported. | X509.V3 support; will support public key infrastructure standard when the standard is completed. |
| Protected Traffic | Selected IP traffic is encrypted according to extended access lists you define. | Selected IP traffic is encrypted and/or authenticated according to extended access lists; additionally, different traffic can be protected with different keys or different algorithms. |
| Hardware Support | Encryption Service Adapter (ESA) for the Cisco 7200/7500. | Integrated Services Adapter (ISA) for the Cisco 7200 and 7500; Integrated Services Module (ISM) for the Cisco 7100. |
| Packet Expansion | Not supported. | Tunnel mode adds a new IP and IPSec header to the packet; transport mode adds a new IPSec header. |
| Scope of Encryption | IP and ULP headers remain in the clear. | In tunnel mode, both the IP and ULP headers are encrypted; in transport mode, IP headers remain in the clear, but ULP headers are encrypted. (In tunnel mode, the inner IP header is also encrypted.) |
| Data Authentication with or without Encryption | Encryption only. | Can configure data authentication and encryption, or can use AH header to provide data authentication without encryption. |
| Internet Key Exchange (IKE) Support | Not supported. | Supported. |
| Redundant Topologies | Concurrent redundant Cisco Encryption Technology peers are not supported. | Concurrent redundant IPSec peers are supported. |
IPSec packet processing is slower than Cisco Encryption Technology packet processing for these reasons:
- IPSec offers per-packet data authentication, an additional task not performed with Cisco Encryption Technology.
- IPSec introduces packet expansion, which is more likely to require fragmentation/reassembly of IPSec packets.
You can use Cisco Encryption Technology and IPSec together; the two encryption technologies can coexist in your network. Each router may support concurrent encryption links using either IPSec or Cisco Encryption Technology. A single interface can even support the use of IPSec or CET for protecting different data flows.
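The per-packet data authentication and anti-replay services that the text says IPSec adds over CET can be seen in this added example, which is not code from the Cisco document: a minimal IPv4 AH (Authentication Header) sender and receiver using HMAC-SHA1-96, where the payload stays in the clear but any modification in transit or replayed packet is rejected. The addresses, SPI, key and packets are constructed sample values.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
ICV_LEN = 12         # HMAC-SHA1-96: 20-byte SHA-1 HMAC truncated to 96 bits
WINDOW = 64          # anti-replay window size in packets (constructed choice)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header; checksum left zero because it is mutable anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src, dst)

def zero_mutable(ip_hdr):
    """AH authenticates the IP header with fields that change in transit zeroed."""
    h = bytearray(ip_hdr)
    h[1] = h[8] = 0                    # TOS, TTL
    h[6:8] = h[10:12] = b"\x00\x00"    # flags/fragment offset, header checksum
    return bytes(h)

def icv_of(key, ip, ah, payload):
    """ICV over the zeroed IP header, the AH header with a zeroed ICV field, and the payload."""
    data = zero_mutable(ip) + ah + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def ah_protect(key, spi, seq, src, dst, next_proto, payload):
    """Sender side: return IP | AH | ICV | payload. Nothing is encrypted."""
    ah_len = 12 + ICV_LEN                                   # AH fixed part + ICV
    ip = ipv4_header(src, dst, AH_PROTO, ah_len + len(payload))
    ah = struct.pack("!BBHII", next_proto, ah_len // 4 - 2, 0, spi, seq)
    return ip + ah + icv_of(key, ip, ah, payload) + payload

class AhReceiver:
    """Receiver side: verify the ICV, then enforce a sliding anti-replay window."""
    def __init__(self, key):
        self.key, self.highest, self.bitmap = key, 0, 0   # bit k == highest - k seen

    def accept(self, pkt):
        ip, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
        seq = struct.unpack("!I", ah[8:12])[0]
        if ip[9] != AH_PROTO or seq == 0:
            return False
        if not hmac.compare_digest(icv, icv_of(self.key, ip, ah, payload)):
            return False                                    # forged or modified in transit
        if seq > self.highest:                              # newest packet: slide the window
            self.bitmap = ((self.bitmap << (seq - self.highest)) & ((1 << WINDOW) - 1)) | 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW or self.bitmap & (1 << offset):
            return False                                    # older than the window, or a replay
        self.bitmap |= 1 << offset
        return True
```

Changing a mutable field such as the TTL on the way does not break the ICV, but changing any payload byte does, and a packet delivered twice is accepted only once.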
Internet Key Exchange (IKE) security protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
For more information regarding IKE, refer to the chapter "Configuring Internet Key Exchange Security Protocol."
Certification Authority (CA) interoperability is provided in support of the IPSec standard. It permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
For more information regarding CA interoperability, refer to the chapter "Configuring Certification Authority Interoperability."
Posted: Tue Jul 18 12:47:03 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.