Description and Benefits
IPSec standards supported include Data Encryption Standard
(DES), Triple DES (3DES), and Advanced Encryption Standard (AES;
128-, 192-, and 256-bit keys) for encryption; Rivest, Shamir,
Adleman (RSA) signatures for peer authentication and
Diffie-Hellman for key exchange; and Secure Hash Algorithm 1
(SHA-1) or Message Digest Algorithm 5 (MD5) hashing algorithms for
data integrity. DES and MD5 are no longer considered secure and
should not be selected for new deployments; prefer AES and SHA-1 or
stronger.
Group Encrypted Transport VPN
Group Encrypted Transport VPN eliminates the trade-off between
network intelligence and data privacy in private WAN environments.
Because it simplifies VPN provisioning and management, service
providers can offer managed encryption without the usual
provisioning and management burden. Group Encrypted Transport VPN
defines a new category of VPN, one that does not use point-to-point
tunnels: traffic is encrypted with keys shared by the group and
keeps its original IP header, so the underlying network can still
route it natively.
Dynamic Multipoint VPN (DMVPN)
This Cisco innovation for site-to-site VPNs provides a scalable and
flexible way to establish virtual full-mesh IPSec connectivity
between multiple locations. DMVPN builds spoke-to-spoke tunnels on
demand, which keeps latency low for voice and other delay-sensitive
applications. For the traditional hub-and-spoke model, DMVPN
significantly reduces deployment complexity.
Easy VPN and Enhanced Easy VPN
Building on the IPSec standards, these features ease administration
and management of point-to-point VPNs by actively pushing new
security policies from the central headend router to remote sites.
Enhanced Easy VPN integrates with dynamic VTI for maximum ease of
use and advanced per-user and
Cisco IOS SSL VPN
Cisco IOS SSL VPN provides secure remote-user access to corporate
resources over the public Internet using only a web browser and its
native SSL encryption.
IPSec Virtual Tunnel Interface (VTI)
A VTI is a routable virtual interface that you configure directly
with IPSec, with no GRE wrapper. VTI greatly simplifies VPN
configuration and design over alternatives such as encapsulating
IPSec inside generic routing encapsulation (GRE). It allows for
per-user attributes and tunnel-specific features, offering
administrators greater flexibility to respond to granular
requirements. Both static and dynamic VTI are supported.
Multi-VRF and Multiprotocol Label Switching (MPLS) secure contexts
This feature supports multiple independent contexts (addressing,
routing, and interfaces) at the branch-office location for
separation of departments, subsidiaries, or customers. All contexts
can share a single uplink connection to the core (for example,
IPSec VPN or Frame Relay or ATM), while still maintaining secure
separation between them.
IPSec high availability
With options such as IPSec Stateful Failover and Hot Standby Router
Protocol (HSRP) with Reverse Route Injection (RRI), Cisco VPNs
support numerous features for deploying redundancy and load
Integrated Threat Control
Cisco IOS Firewall
Cisco IOS Firewall is an ideal single-device security and routing
solution for protecting the WAN entry point into the network.
Important features include zone-based policies; advanced
application inspection and control for HTTP and email messages;
firewall for secure unified communications; VRF-aware firewall,
IPv6 support, and firewall high availability.
Cisco IOS IPS
Cisco IOS IPS offers an inline, deep-packet-inspection-based
solution that works with Cisco IOS Software to mitigate network
attacks. It can drop traffic, send an alarm, or locally shun or
reset the connection, so the router can respond immediately to a
detected threat. Important features include: inline operation (can
drop packets); ready-made "most-likely" signature file packages;
Cisco Security Intelligence Operations (SIO) worldwide threat
intelligence; customizable signatures; transparent IPS; and
VRF-aware IPS.
Cisco IOS Content Filtering
Cisco IOS Content Filtering offers category-based productivity and
security ratings for small and medium-sized businesses (SMBs) and
midmarket companies. Content-aware security ratings protect against
malware, malicious code, phishing attacks, and spyware. URL and
keyword blocking help to ensure that employees are productive when
accessing the Internet. This subscription-based hosted solution
takes advantage of an in-the-cloud threat database, and is closely
integrated with Cisco IOS Software.
NetFlow
NetFlow exports per-flow records that support anomaly-based
detection of DDoS attacks and supply the data needed to trace the
attack sources and react to the attack in real time.
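As an added illustration of the NetFlow paragraph above (this is
not Cisco code), the following script runs a simple anomaly check
over NetFlow-style flow records: a target that suddenly receives
many one-packet SYN-only flows from many distinct sources is
reported as a likely SYN flood, together with the source prefixes an
operator would use to trace and filter it. The records, thresholds
and the SYN/ACK flag encoding are constructed for this example.

```python
"""Anomaly-based SYN-flood detection over NetFlow-style records.
Added example; the flows below are constructed, not captured data."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow export, one flow per line. 'flags' is the OR of the TCP
# flags seen in the flow: 0x02 = SYN only, 0x1b = SYN|ACK|PSH|FIN (a
# completed session). Non-TCP flows carry 0x00.
NORMAL_FLOWS = """\
src,dst,proto,sport,dport,pkts,bytes,flags
198.51.100.5,192.0.2.10,6,50123,80,12,9820,0x1b
198.51.100.6,192.0.2.10,6,50124,443,30,41500,0x1b
198.51.100.7,192.0.2.20,6,50125,22,200,61000,0x1b
198.51.100.8,192.0.2.10,17,5353,53,2,180,0x00
203.0.113.40,192.0.2.20,6,44000,22,1,40,0x02
203.0.113.41,192.0.2.20,6,44001,22,1,40,0x02
"""

SYN = 0x02
ACK = 0x10


def synthetic_flood(target, dport, n_sources):
    """Constructed attack traffic: n_sources spoofed hosts, one SYN each."""
    lines = []
    for i in range(n_sources):
        src = str(ipaddress.IPv4Address("203.0.113.100") + i)
        lines.append(f"{src},{target},6,{40000 + i},{dport},1,40,0x02")
    return "\n".join(lines) + "\n"


def parse_flows(text):
    """Parse the CSV export into typed dictionaries."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": r["src"], "dst": r["dst"], "proto": int(r["proto"]),
            "sport": int(r["sport"]), "dport": int(r["dport"]),
            "pkts": int(r["pkts"]), "bytes": int(r["bytes"]),
            "flags": int(r["flags"], 16),
        })
    return rows


def detect_syn_flood(flows, min_sources=20, min_syn_ratio=0.9, max_avg_pkts=2.0):
    """Group TCP flows per (dst, dport) and flag targets that see many
    distinct sources, mostly SYN-only flows, and very short flows.
    Returns one alert per target with the /24s the sources fall into."""
    per_target = defaultdict(list)
    for f in flows:
        if f["proto"] == 6:
            per_target[(f["dst"], f["dport"])].append(f)
    alerts = []
    for target, fl in per_target.items():
        sources = {f["src"] for f in fl}
        if len(sources) < min_sources:
            continue
        syn_only = [f for f in fl if f["flags"] & SYN and not f["flags"] & ACK]
        ratio = len(syn_only) / len(fl)
        avg_pkts = sum(f["pkts"] for f in fl) / len(fl)
        if ratio >= min_syn_ratio and avg_pkts <= max_avg_pkts:
            prefixes = {str(ipaddress.ip_network(s + "/24", strict=False))
                        for s in sources}
            alerts.append({"target": target, "distinct_sources": len(sources),
                           "syn_ratio": round(ratio, 2),
                           "source_prefixes": sorted(prefixes)})
    return alerts


def run_demo():
    """Normal traffic plus a constructed 40-source flood against 192.0.2.10:80."""
    text = NORMAL_FLOWS + synthetic_flood("192.0.2.10", 80, 40)
    return detect_syn_flood(parse_flows(text))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Note that the legitimate client 198.51.100.5 is counted among the
41 sources of the alert because it also talked to port 80; the
prefix list is a starting point for tracing, not a block list.
Lowering min_sources to 2 does not turn the two stray SYNs to port
22 into an alert, because the completed SSH session keeps the
SYN-only ratio below the threshold.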
This deep inspection mechanism provides control over a wide variety
of applications by recognizing and classifying them. When an
application is classified, the network can then provide specific
services for that application.
Flexible Packet Matching (FPM)
FPM uses flexible and granular Layer 2-7 pattern matching deep
within the packet header or payload to provide a rapid first line
of defense against network threats and notable worms and viruses.
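The following added example (not Cisco code, and not FPM's own
syntax) shows the kind of match FPM performs: parse the IPv4 and
UDP/TCP headers, then compare bytes at a given payload offset
against a pattern. The filter is modelled on the SQL Slammer worm
probe (UDP destination port 1434, first payload byte 0x04); the
packets, the rule format and the fail-closed handling of malformed
packets are this example's own choices.

```python
"""Header/payload pattern matching in the spirit of FPM.
Added example; packets and rules are constructed for illustration."""
import struct


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Constructed IPv4/UDP packet; checksums are left at 0 for the demo."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    total = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 17, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + udp


def parse(pkt):
    """Return the fields a rule can match on; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("short IP header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IPv4 header or length")
    l4 = pkt[ihl:total_len]
    ports, payload = None, l4
    if proto in (6, 17):                       # TCP or UDP
        min_hdr = 20 if proto == 6 else 8
        if len(l4) < min_hdr:
            raise ValueError("short L4 header")
        sport, dport = struct.unpack("!HH", l4[:4])
        hlen = (l4[12] >> 4) * 4 if proto == 6 else 8
        if hlen < min_hdr or hlen > len(l4):
            raise ValueError("bad L4 header length")
        ports, payload = (sport, dport), l4[hlen:]
    return {"proto": proto, "src": src, "dst": dst,
            "ports": ports, "payload": payload}


# Constructed rule: UDP to port 1434 whose payload starts with 0x04.
RULES = [
    {"name": "udp-1434-probe", "proto": 17, "dport": 1434,
     "offset": 0, "pattern": b"\x04"},
]


def matches(rule, fields):
    """Protocol, optional destination port, then bytes at a payload offset."""
    if fields["proto"] != rule["proto"]:
        return False
    if rule.get("dport") is not None:
        if fields["ports"] is None or fields["ports"][1] != rule["dport"]:
            return False
    off, pat = rule["offset"], rule["pattern"]
    return fields["payload"][off:off + len(pat)] == pat


def classify(pkt, rules=RULES):
    """('drop', reason) on the first matching rule, ('forward', None)
    otherwise. Packets that cannot be parsed are dropped (fail closed)."""
    try:
        fields = parse(pkt)
    except ValueError as err:
        return ("drop", f"malformed: {err}")
    for rule in rules:
        if matches(rule, fields):
            return ("drop", rule["name"])
    return ("forward", None)


if __name__ == "__main__":
    probe = build_ipv4_udp("203.0.113.5", "192.0.2.1", 4321, 1434,
                           b"\x04" + b"\x01" * 375)
    print(classify(probe))
```

Matching on a port alone would also drop legitimate traffic to
1434; requiring the payload byte as well is what makes the filter
specific, and the same offset/pattern shape extends to any protocol
the parser exposes.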
Trust and Identity
PKI client (x.509 digital certificates)
Cisco IOS Software supports embedded PKI client functions that
provide customers with a scalable and secure mechanism for
distributing, managing, and revoking encryption and identity
information. Advanced provisioning features provide powerful
mechanisms to automate enrollment of new remote nodes into the
network infrastructure with maximum security.
Cisco IOS certificate server
Cisco IOS Software includes an embedded scalable easy-to-manage
certificate server, allowing the router to act as a certification
authority on the network.
Standard 802.1x-based identity services
Standard 802.1x applications require valid access credentials that
make unauthorized access to protected information resources and
deployment of unsecured wireless access points more difficult.
Authentication, Authorization, and Accounting (AAA)
AAA allows administrators to dynamically configure the type of
authentication and authorization they want on a per-line (per-user)
or per-service (for example, IP, Internetwork Packet Exchange
[IPX], or virtual private dialup network [VPDN]) basis.
Cisco Network Foundation Protection
AutoSecure
AutoSecure offers a single command-line interface (CLI) command
that hardens the router's security posture in one step, disabling
nonessential system processes and services and so reducing the
router's attack surface.
Control Plane Policing and Protection
This feature protects the route processor from unnecessary or
malicious levels of traffic, including DoS attacks.
CPU and memory thresholding notification
This feature triggers a syslog notification when a specified
percentage of CPU resources for a given process exceeds or falls
below a certain threshold for a configured time period.
This feature validates routing peers, enhances routing stability,
and provides overload protection by using MD5 peer authentication
and redistribution protection.
These features protect the router from malicious traffic by
restricting the legitimate traffic that can be sent to the router
Secure access mode (silent mode)
Secure access mode suppresses response messages from the router
control plane, limiting the reconnaissance information available
to attackers.
Raw IP traffic export
This feature sends copies of inbound and outbound packets out a
LAN interface so that analysis or intrusion-detection-system (IDS)
tools can capture them efficiently without sitting inline.
Source-based Remote-Triggered Black Holing (RTBH) filtering
This feature provides wire-rate, real-time defense against DDoS
attacks using a combination of IP routing features.
Unicast Reverse Path Forwarding (uRPF)
uRPF helps mitigate problems that are caused by the introduction of
malformed or forged (spoofed) IP source addresses into a network by
discarding IP packets that lack a verifiable IP source address.
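The added example below (not Cisco code) models the uRPF decision
against a constructed forwarding table: strict mode accepts a
packet only if the best route back to its source leaves through the
interface the packet arrived on, loose mode accepts any source that
has a route at all, and a source matched only by the default route
is treated as unverifiable unless the caller opts to allow it. The
FIB, interface names and test packets are assumptions for the
illustration.

```python
"""Strict and loose uRPF checks against a constructed FIB.
Added example; prefixes, interfaces and packets are made up."""
import ipaddress

# Constructed FIB: prefix -> egress interface (one best path per prefix).
FIB = {
    "10.1.0.0/16": "Gi0/1",
    "10.2.0.0/16": "Gi0/2",
    "192.0.2.0/24": "Gi0/0",
    "0.0.0.0/0": "Gi0/0",       # default route toward the ISP
}


def lookup(src):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if addr.version != net.version:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, ingress, mode="strict", allow_default=False):
    """True if the packet passes the reverse-path check.
    strict: route back to src must leave via the ingress interface.
    loose:  any route to src is enough.
    A source matched only by the default route fails unless allow_default."""
    hit = lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


# Constructed packets: (source address, interface it arrived on).
PACKETS = [
    ("10.1.5.5", "Gi0/1"),      # legitimate: route back is via Gi0/1
    ("10.1.5.5", "Gi0/2"),      # arrives on the wrong side: spoofed or asymmetric
    ("10.2.7.7", "Gi0/0"),      # internal address coming in from the ISP: spoofed
    ("203.0.113.9", "Gi0/0"),   # Internet source covered only by the default route
]


def evaluate(mode, allow_default=False):
    """Return the pass/drop verdict for each constructed packet."""
    return [urpf_check(src, ifc, mode, allow_default) for src, ifc in PACKETS]


if __name__ == "__main__":
    for src_ifc, verdict in zip(PACKETS, evaluate("strict")):
        print(src_ifc, "pass" if verdict else "drop")
```

Loose mode lets the spoofed internal address arriving from the ISP
through, because a route to 10.2.0.0/16 exists; that is why strict
mode is the right choice at a customer edge with symmetric routing,
and loose mode is reserved for multihomed edges where asymmetry is
expected.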
Digital image signing
This feature uses SHA-512 hashing and 2048-bit RSA signatures to
verify the integrity and authenticity of downloaded Cisco IOS
Software images before they are run, so a tampered or counterfeit
image is rejected.
Cisco IOS Software login enhancements
These enhancements slow down dictionary attacks, for example by
enforcing a delay between login attempts and by entering a quiet
period after repeated failures, and provide other methods of
thwarting unwanted device access.
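To make the behaviour concrete, here is an added model (not Cisco
code, and not the IOS implementation) of two such controls: a
minimum delay between attempts and a quiet period that starts after
a burst of failures, with an exempt management host that can still
log in during the quiet period. The parameters (block for 120 s
after 3 failures within 60 s, 2 s between attempts), the source
addresses and the injected clock are assumptions for the example.

```python
"""Login throttling and quiet mode, modelled for illustration.
Added example with assumed parameters; times are injected so the
scenario is deterministic."""


class LoginGuard:
    def __init__(self, block_for=120, attempts=3, within=60, delay=2, exempt=()):
        self.block_for = block_for      # quiet period length (s)
        self.attempts = attempts        # failures that trigger quiet mode
        self.within = within            # window in which they must occur (s)
        self.delay = delay              # minimum gap between attempts (s)
        self.exempt = set(exempt)       # hosts allowed during quiet mode
        self.failures = []              # timestamps of recent failures (all sources)
        self.quiet_until = None
        self.last_attempt = None

    def is_quiet(self, now):
        return self.quiet_until is not None and now < self.quiet_until

    def attempt(self, src, password_ok, now):
        """Return 'ok', 'bad-password', 'too-fast' or 'quiet-mode'."""
        if self.is_quiet(now) and src not in self.exempt:
            return "quiet-mode"         # even a correct password is refused
        if self.last_attempt is not None and now - self.last_attempt < self.delay:
            return "too-fast"           # rejected before the password is checked
        self.last_attempt = now
        if password_ok:
            self.failures.clear()       # assumption: success resets the count
            return "ok"
        self.failures = [t for t in self.failures if now - t < self.within] + [now]
        if len(self.failures) >= self.attempts:
            self.quiet_until = now + self.block_for
            self.failures.clear()
        return "bad-password"


def run_scenario():
    """Constructed sequence: an attacker guesses, an admin logs in
    during the quiet period, and the attacker returns after it ends."""
    guard = LoginGuard(exempt={"10.0.0.5"})
    attacker, admin = "203.0.113.9", "10.0.0.5"
    steps = [
        (attacker, False, 0),    # first failure
        (attacker, False, 1),    # inside the 2 s delay: rejected outright
        (attacker, False, 3),    # second failure
        (attacker, False, 6),    # third failure: quiet mode until t=126
        (attacker, True, 10),    # right password, but quiet mode is on
        (admin, True, 10),       # exempt host still gets in
        (attacker, False, 130),  # quiet period over, counter starts fresh
    ]
    return [guard.attempt(src, ok, t) for src, ok, t in steps]


if __name__ == "__main__":
    print(run_scenario())
```

Two details matter operationally: the failure count is global
rather than per source, so a distributed guessing attack still
trips the quiet period, and the exemption must be scoped to
management addresses or it defeats the control entirely.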
Role-based CLI access
This feature provides view-based access to CLI commands, allowing
highly secure, logical separation of the router between network
operations, security operations, and end users.
Secure Shell (SSH) Protocol Version 2
SSHv2 improves on SSHv1 for remote network management: it conceals
the password length, making dictionary attacks more difficult, and
it resolves the SSHv1 vulnerability to man-in-the-middle attacks
during user authentication. SSHv1 should be disabled where only
SSHv2 clients are in use.
Simple Network Management Protocol (SNMP) Version 3
SNMPv3 adds authentication and encryption to management traffic,
providing secure, standards-based monitoring and control of
devices in place of the community strings used by earlier versions.