Cisco Network Encryption Services

Tue Oct 22 18:03:49 PDT 1996

Cisco has an interesting web page about encryption services
that may be attached below :-)
http://www.cisco.com/warp/public/732/Security/ncryp_tc.htm

Starting with Release 11.2, they offer several kinds of encryption,
including single-DES for US use and 40-bit-something for export.
Key exchange is Diffie-Hellman with DSS signatures.
There's a pointer to a brief white paper at 
http://www.cisco.com/warp/public/732/Security/ncryp_wp.htm
and a press release from May 96 about 
<a href="http://www.cisco.com/warp/public/146/298.html">
"Cisco Systems to Offer Free Reference Implementation
of IETF's ISAKMP Security Framework"
</a>

Title: Cisco Network Encryption Services

Cisco Network Encryption Services

More information on Cisco IOS Software and security technologies
More information on Cisco IOS Software

   Introduction    
As growing numbers of enterprises move from a centralized information-management architecture toward one that is far more distributed and open, security becomes both increasingly important and vastly more difficult to achieve. Because no single approac
h to security is sufficient, the Cisco Internetwork Operating System (Cisco IOSTM) software security architecture provides numerous security services and capabilities, including:

Access management, which pertains to authentication and authorization services for telecommuting 

Network management

Route authentication

Firewalls, which restrict specified types of packets from entering and crossing an organization's network

As an additional element of this architecture, the Cisco IOS software also provides encryption services to ensure data privacy during transmission. This paper addresses Cisco's new encryption offerings. Specifically, it explains the particular strength
s of the network-level encryption available from Cisco, comparing and contrasting it with alternative encryption methods. It also details the networking environments that can make best use of such encryption, a broad range that includes WANs, LANs, and pu
blic switching services such as the Internet. 

 Figure 1.  :    Security Policy Supported by the Cisco IOS Security Architecture    

   Encryption Methods    
Encryption using an algorithm and a key to transform intelligible information into an unintelligible state for purposes of security can occur at three levels: application, link, and network.

Application-Level Encryption
Encryption that occurs at this level requires that the specific application used either innately supports such functionality or, more commonly, is modified to incorporate it. At application level, encryption functions on an "end-to-end" basis; that is,
 information is encrypted as it is entered into an individual workstation and decrypted as it is received at another workstation. However, this setup means that the success of application-level encryption is tied to three factors:

The availability of appropriate applications that support encryption 

The ability to trust users to communicate all information through such applications 

The compatibility of encryption software of all hosts 

For these reasons, application-level encryption should be used in conjunction with additional security approaches that involve encryption during the process of information transmission.

Link-Level Encryption 
This type of encryption provides a high level of security by encrypting all the traffic at a given link, including the network layer header, with address and protocol. Link-level encryption prevents unauthorized users from obtaining information about t
he corporate network structure or specific data contained within particular transmissions. Link-level encryption is protocol- independent, but to accommodate link-layer variations, it must be both media- and interface-specific. For this reason, it works w
ell in small, point-to-point network environments and in some bridging environments. However, because encryption and decryption must occur at each link, its utility is extremely dependent on network topology. For larger, more complex network systems, link
-level encryption increases latency that degrades performance, and it is both costly and difficult to deploy. In addition, given the increasing use of Virtual Private Networks (VPNs), link-level encryption is simply unusable with public switched services 
such as the Internet.

Network-Level Encryption 
Encryption at the network level is performed in conjunction with specific protocols rather than specific media, enabling a high degree of flexibility, while providing high performance. Network-level encryption operates on a flow-by-flow basis, encrypti
ng payload traffic between specified user/application pairs or subnets while leaving network-layer headers intact. In other words, encryption support is required only at the boundaries of subnets, not at any intermediary networking devices. Because networ
k-level encryption is media- and topology-independent and works well across all interfaces, it is the optimal approach for large, complex networks (especially those that involve routers) and, in general, for networks based on any WAN media, including the 
Internet. It is because of these advantages that Cisco chose to incorporate network-level encryption functionality into its Cisco IOS operating system.

 Figure 2.  :    Encryption Alternatives     

Cisco encryption services involve four basic components: 

Device certification and authentication 

Key exchange

Encryption policy and connection setup 

Encryption methods

   Cisco IOS Encryption Services    

Device Certification and Authentication 
The Cisco IOS software uses the Digital Signature Standard (DSS) established in 1994 by the National Institute of Standards and Technologies for device authentication during public key exchange. (Without device authentication, any third party could eff
ectively pretend to be the recipient to both communicating devices and read, modify, and delete data.) The Cisco authentication scheme enables users to determine the pairs of networks that they wish to have encrypted. Routers establish secure connections 
with destination routers that allow them to authenticate each other without benefit of encrypted data or predefined secret keys. A certificate hierarchy provides a guarantee for the authenticity of the routers' credentials, including public key. 

Key Exchange 
The Cisco IOS software uses the Diffie-Hellman process for the exchange of public keys. Diffie-Hellman is an algorithm allowing two parties to exchange nonsecret information, while independently calculating a third number to be used as a session key to
 encrypt data that passes between them. This feature allows the routers to change their session key as often as necessary without having to send that key across the network in any form. 

Encryption Policy 
Cisco software now enables users to set up subnet-to-subnet encryption services and per-user/application based on IP packets. When a packet is sent through a secured connection, it is encrypted as it leaves the source subnet and decrypted as it arrives
 at the destination subnet. By selectively encrypting traffic from specific users and applications, network encryption reduces the cost and increases the flexibility of ensuring secure data transmission. To meet the needs of organizations whose internetwo
rks include sections running non-IP protocols, such as Novell IPX or AppleTalk, the Cisco IOS software supports generic routing encapsulation (GRE). GRE allows the encapsulation of the non-IP protocol as part of the network traffic and, as such, it is enc
rypted, and a new header is appended. This approach effectively enables the non-IP protocol to "tunnel" rapidly through the IP portion of the network. When it reaches its destination, the traffic is first decrypted and then deencapsulated. This technique 
can also be used to hide network address and application information as encrypted payloads are transmitted across a network. Cisco plans to support other protocols in later releases of the Cisco IOS software.

Encryption Methods
Cisco supports the Data Encryption Standard (DES), with two key lengths. Standard DES is based on a 56-bit encryption key and is subject to U.S. State Department restrictions, as well as import/export restrictions of various countries. The second optio
n supported by Cisco encryption services is based on a 40-bit key and is fully exportable.

 Figure 3.  :    Cisco IOS Encryption    

   Implementation    
Cisco offers network-level encryption solutions implemented through both software and hardware.

Software-Based Encryption Solutions
Starting with the Cisco IOS software Version 11.2, Cisco offers users network-level encryption using DES. This feature is implemented as an extension to access lists. Cisco's software-based encryption services are available for networks running over an
y media that support IP and Cisco 2500, 4XXX, 7000, and 7500 routers. 

Organizations that use the Cisco 7500 series or Cisco 7000 with Route/Switch Processor (RSP) series have two options: performing software-based encryption on the main RSP or offloading such encryption functions to one of the router's Versatile Interfac
e Processors (VIPs) for higher performance. 

Hardware-Based Encryption Tools
To augment the encryption support available through the Cisco IOS software, Cisco also offers a hardware accelerator for the Cisco VIP: the Encryption Port Adapter (EPA). This card, which greatly enhances the performance of Cisco's software-based encry
ption services, has been jointly developed with Cylink, the company that pioneered the development of public key management systems more than a decade ago. 
The Cisco EPA card also meets the federal information processing standards and includes numerous security features. For example, it offers a tamper shield designed to prevent probing. In addition, the EPA has an extraction detection system that require
s reauthentication if the card is removed from one router and inserted into another.

   Applications    
The following scenarios illustrate the networking applications that can benefit most from the network-level encryption now offered by the Cisco IOS software.

Wide-Area Private Networking
Organizations such as banks face difficulties inherent in securing information traffic between many sites, compounded by the challenges posed by their use of varied media. Link-level encryption can be difficult and costly, since its media-specific natu
re would require the purchase of numerous different encryption products. In contrast, Cisco's network-level encryption, with its media-independence, provides a single, less expensive security option. Organizations can run the Cisco IOS network encryption 
feature in remote Cisco 2500/4XXX systems and use the Cisco 7500 and EPA to provide the higher performance required at the central site. 

LAN or Campus Networks
Today's enterprises generally have extremely complex network environments, with multiple servers containing sensitive information dispersed throughout the network. To further complicate matters, the network often includes multiple media types, such as 
Ethernet, Fiber Distributed Data Interface (FDDI), and Token Ring. In an environment with multiple paths between any two end stations, link-level encryption is unsuitable, if not impossible. Cisco's network-level encryption can offer the flexible, end-to-
end approach required, allowing enterprises to choose the specific traffic they wish to encrypt within an enterprise network LAN.

Public Networks/Internet
Organizations that need to make a variety of information (data on stocking, ordering, and pricing, for example) available globally to their own remote sites and partners are increasingly turning to public services such as the Internet to create VPNs. F
or these organizations, link-level encryption is simply not an option, because it cannot be operated across public switched networks. Since Cisco's network-level encryption can run over any media that support IP, it offers an ideal security solution for V
PNs, allowing data security across a public network.

   Conclusion    
Security policies are becoming more important as enterprises make increasing use of distributed networking models. Today, to secure their network information, most enterprises must implement a broad range of approaches, including access management, fir
ewalls, and host security. The Cisco IOS software security architecture addresses each of these areas. In addition, it now encompasses powerful new encryption capabilities at the network level that offer major enhancements over available link-level soluti
ons and can significantly augment the security provided by any application-level encryption already in use.

Posted: Mon May 6 14:03:00 PDT 1996