7/31/2019 Advanced Security Technology Concepts
1/51
Copyright 1998, Cisco Systems, Inc. All rights reserved. Printed in USA.Presentation_ID.scr 1
Advanced Security Technology Concepts
Session 318
What Is Cryptography
A way of keeping information private
Provides authentication and integrity
Nonrepudiation
Requires key management
A communications enabler
Communication with confidence
Agenda
Encryption Concepts and Terminology
The PKI and CEP
A Day In the Life of an IPSec Packet
IPSec Implementation Issues
Encryption Concepts and Terminology
Confidentiality
Confidentiality: communicating such that the intended recipients know what was being sent but unintended parties cannot determine what was sent
Keys
Each device has three keys:
1. A private key that is kept secret and never shared. Used to sign messages
2. A public key that is shared. Used by others to verify a signature
3. A shared secret key that is used to encrypt data using a symmetric encryption algorithm (e.g., DES)
(Diagram: two peers across a WAN, each holding a public key, a private key and the shared DES key)
Key Sizes
Estimated Time for Brute-Force Attack (1995) on Symmetric Keys

Cost     40 bits      56 bits     64 bits   80 bits      112 bits    128 bits
100 K    2 secs       35 hours    1 year    70,000 yrs   10^14 yrs   10^19 yrs
1 M      .2 secs      3.5 hours   37 days   7000 years   10^13 yrs   10^18 yrs
10 M     .02 secs     21 mins     4 days    700 years    10^12 yrs   10^17 yrs
100 M    2 millisecs  2 mins      9 hours   70 years     10^11 yrs   10^16 yrs
1 B      .2 millisec  13 secs     1 hour    7 years      10^10 yrs   10^15 yrs
Asymmetric or Public-Key Encryption
(Diagram: "Networkers" is encrypted with the public key to "&^$!@#l:{Q" and decrypted with the private key back to "Networkers")
Encryptor and decryptor use different mathematical functions
Encryptor and decryptor use different keys
Example: Public key algorithms (RSA, Diffie-Hellman)
Generate a secret key
The Diffie-Hellman Public Key Exchange
Alice: Secret Value XA, Public Value YA = g^XA mod p
Bob: Secret Value XB, Public Value YB = g^XB mod p
Alice sends YA to Bob; Bob sends YB to Alice
Shared Secret: YB^XA mod p = g^(XA*XB) mod p = YA^XB mod p
g is a large prime; p size is based on D-H group
Host A
prime p = 5, primitive g = 3
Choose Xa such that
0
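The exchange from the Diffie-Hellman slides above, worked in Python as an added example (not code from the presentation): it runs the slide's p = 5, g = 3 parameters, checks the "primitive g" property, and shows why a tiny group is trivially reversible. The larger prime 2^31 - 1 with generator 7 is an assumption chosen for this example.

```python
"""Diffie-Hellman as drawn on the slides: each side keeps a secret exponent
X, publishes Y = g^X mod p, and both arrive at g^(XA*XB) mod p.  Added
example, not code from the presentation."""
import secrets
from typing import List, Tuple


def dh_public(g: int, x: int, p: int) -> int:
    """Public value Y = g^X mod p (the only thing that crosses the WAN)."""
    return pow(g, x, p)


def dh_shared(peer_public: int, x: int, p: int) -> int:
    """Shared secret = (peer's Y)^X mod p."""
    return pow(peer_public, x, p)


def exchange(p: int, g: int, xa: int, xb: int) -> Tuple[int, int]:
    """Run both sides; returns (Alice's result, Bob's result)."""
    ya = dh_public(g, xa, p)          # Alice -> Bob
    yb = dh_public(g, xb, p)          # Bob -> Alice
    return dh_shared(yb, xa, p), dh_shared(ya, xb, p)


def all_pairs_agree(p: int, g: int) -> bool:
    """For a tiny group, check every choice of exponents 1..p-2 agrees."""
    return all(
        len(set(exchange(p, g, xa, xb))) == 1
        for xa in range(1, p - 1) for xb in range(1, p - 1)
    )


def is_generator(g: int, p: int, factors_of_p_minus_1: List[int]) -> bool:
    """'Primitive g': g generates all of Z_p* iff g^((p-1)/q) != 1 mod p for
    every prime q dividing p-1.  A non-primitive g only yields a subgroup,
    shrinking the space of possible shared secrets."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors_of_p_minus_1)


def brute_force_dlog(y: int, g: int, p: int) -> int:
    """Recover X from Y = g^X mod p by trying every exponent.  Practical only
    because p is tiny; the work grows with the group, which is why the D-H
    group (the size of p) decides the strength of the exchange."""
    for x in range(1, p):
        if pow(g, x, p) == y:
            return x
    raise ValueError("no discrete log found")


# The slide's toy parameters: prime p = 5, primitive g = 3.
P_SMALL, G_SMALL = 5, 3

# Larger parameters constructed for this example: p = 2^31 - 1 is prime with
# p - 1 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331, and 7 is a primitive root.  Real
# IKE groups use far larger primes (group 1 is 768 bits).
P_LARGE, G_LARGE = (1 << 31) - 1, 7
P_LARGE_FACTORS = [2, 3, 7, 11, 31, 151, 331]


def fresh_session(p: int = P_LARGE, g: int = G_LARGE) -> Tuple[int, int]:
    """One exchange with random secret exponents, as IKE performs it.  Every
    call draws new exponents, so a later session's secret does not depend on
    an earlier one (the basis of Perfect Forward Secrecy)."""
    xa = secrets.randbelow(p - 2) + 1
    xb = secrets.randbelow(p - 2) + 1
    return exchange(p, g, xa, xb)
```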
DES Encryption
(Diagram: original clear-text "Networkers" is encrypted to cipher-text "&^$!@#l:{Q", and decryption restores the clear-text "Networkers")
Peer routers now have identical keys
DES encryption turns cleartext into ciphertext
Decryption restores cleartext from ciphertext
DES Transforms: CFB
(Diagram: cipher feedback. The previous ciphertext block C(i-1), starting from the IV, is passed through E_K and XORed with P(i) to give C(i), which feeds the next block.)
DES Transforms: CBC
(Diagram: cipher block chaining. P(i) is XORed with the previous ciphertext block C(i-1), starting from the IV, then passed through E_K to give C(i).)
DES Explained
(Diagram: a 64-bit plain-text block passes through an Initial Permutation and is split into 32-bit halves L(i-1) and R(i-1). Each round: R(i-1) goes through an Expansion Permutation to 48 bits, is XORed with 48 bits chosen from the 56-bit key (two 28-bit shifts followed by a Compression Permutation), then S-Box Substitution and a P-Box Permutation; the result is XORed with L(i-1) to give R(i), while L(i) = R(i-1).)
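The DES structure and the CBC/CFB chaining from the three slides above, as an added example that is not Cisco's code: a DES-shaped Feistel network (SHA-256 standing in for the S-box and key-schedule tables, so it is not DES) with both chaining modes and a check of how a single flipped ciphertext bit propagates through each mode.

```python
"""A DES-shaped Feistel block cipher and the CBC and CFB chaining from the
'DES Transforms' slides.  Added example, not Cisco's code.  The cipher is a
stand-in constructed for this illustration: 64-bit block, 32-bit halves,
16 rounds, 56-bit key, but the round function and key schedule use SHA-256
instead of DES's expansion, S-box and P-box tables, so it is not DES and is
not meant for real use."""
import hashlib
from typing import Callable, List, Tuple

BLOCK = 8      # 64-bit block, as in DES
ROUNDS = 16

def _subkeys(key: bytes) -> List[bytes]:
    """Stand-in for the 28-bit shifts + compression permutation: one 48-bit
    subkey per round derived from the 56-bit key."""
    assert len(key) == 7, "56-bit key expected"
    return [hashlib.sha256(key + bytes([i])).digest()[:6] for i in range(ROUNDS)]

def _f(right: int, subkey: bytes) -> int:
    """Stand-in for expansion, XOR with the subkey, S-boxes and P-box."""
    h = hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()
    return int.from_bytes(h[:4], "big")

def _feistel(block: bytes, subkeys: List[bytes]) -> bytes:
    """L_i = R_{i-1};  R_i = L_{i-1} XOR f(R_{i-1}, K_i).  The final swap
    makes the same routine with reversed subkeys the inverse."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in subkeys:
        left, right = right, left ^ _f(right, k)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")

def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key))

def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _blocks(data: bytes) -> List[bytes]:
    assert len(data) % BLOCK == 0, "input must be padded to whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# CBC: C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV; decryption needs D_K.
def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, b""
    for p in _blocks(plaintext):
        prev = encrypt_block(key, _xor(p, prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for c in _blocks(ciphertext):
        out += _xor(decrypt_block(key, c), prev)
        prev = c
    return out

# CFB: C_i = P_i XOR E_K(C_{i-1}); both directions use only E_K, which is
# why the CFB slide shows no decryption box.
def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, b""
    for p in _blocks(plaintext):
        prev = _xor(p, encrypt_block(key, prev))
        out += prev
    return out

def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for c in _blocks(ciphertext):
        out += _xor(c, encrypt_block(key, prev))
        prev = c
    return out

def bitflip_effect(decrypt: Callable[[bytes, bytes, bytes], bytes], key: bytes,
                   iv: bytes, ct: bytes, block_idx: int) -> List[Tuple[int, int]]:
    """Flip one bit of ciphertext block block_idx and report
    (block index, number of changed plaintext bits) for every block that
    changes.  Chaining limits the damage to two blocks, but the cipher
    itself detects nothing: integrity needs a keyed hash (AH / HMAC)."""
    good = _blocks(decrypt(key, iv, ct))
    tampered = bytearray(ct)
    tampered[block_idx * BLOCK] ^= 1
    bad = _blocks(decrypt(key, iv, bytes(tampered)))
    return [(i, bin(int.from_bytes(_xor(g, b), "big")).count("1"))
            for i, (g, b) in enumerate(zip(good, bad)) if g != b]
```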
Integrity
Integrity: ensuring that data is transmitted from source to destination without undetected alteration
Message-Digest Algorithms
(Diagram: the message and the secret key are fed into the hash function to produce the hash)
Secret key and message are hashed together
Recomputation of digest verifies that message originated with peer and that message was not altered in transit
Also used in digital signatures
Examples: HMAC-MD5, HMAC-SHA
Hash Algorithms
MD5:
Produces a 128 bit hash value
Input 512 bit block split as 16 x 32 bit blocks
Output is 4 x 32 bit blocks concatenated
4 chaining variables
4 rounds of 16 operations with 4 functions per round
SHA:
Produces a 160 bit hash value
Input 512 bit block split as 16 x 32 bit blocks, expanded to 80 x 32 bit blocks
Output is 5 x 32 bit blocks concatenated
5 chaining variables
4 rounds of 20 ops
Authentication
Authentication: knowing that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender.
Digital Signatures
(Diagram: Alice runs the message through the hash function, then signs the hash with her private key; Signature = encrypted hash of message)
One-way function. Easy to produce hash from message, impossible to produce message from hash
Signature Verification
(Diagram: the message arrives with the signature appended. Re-hash the received message; decrypt the received signature using Alice's public key; if the hashes are equal, the signature is authentic.)
Digital Envelope
(Diagram: Alice encrypts the message with a random secret key, then encrypts the secret key with Bob's public key. Bob decrypts the secret key with his private key, then decrypts the message.)
Used during CA transactions
PKI and CEP
PKI Components
Certificate Authority
Key Recovery
Certificate Revocation
Registration and Certification Issuance
Certificate Distribution
Key Generation
Support for Non-Repudiation
Trusted Time Service
Key Storage
Certificate Life Cycle and Management (PKIX)
(Diagram: life-cycle stages Initialization, Certification, Useful Life, Expiration and Revocation)
Certificates and CAs
Certificate Authority (CA) verifies identity
CA signs digital certificate containing device's public key
Examples: Verisign On-Site, Entrust PKI, Netscape CA, Microsoft CA
(Diagram: a user, a bank and the CA connected over the Internet)
X.509v3 Certificate
Certificate ::= {
  Version (v3)
  Serial Number
  Sign Algorithm ID
  Issuer Name
  Validity Period
  Subject Name
  Subject Public Key
  Issuer Unique ID
  Subject Unique ID
  Extensions
  Signature
}
Binds user identity (Subject Name) to a public key via signature
Issuer (CA) signs cert
Note cert has defined lifetime
Identifies which signature algorithm was used to sign cert
Extension fields allow other information to be bound to cert (e.g., subject's clearances)
Enrolling a Device with a CA
(Diagram: Home-gw 10.1.2.3 enrolling with the CA)
Generate public/private keys
Send certificate request to CA
CA signs certificate
Retrieve certificate from CA
Certificate Revocation List
(Diagram: a CRL listing revoked Cert 12345, Cert 12241 and Cert 22333)
List of revoked certificates signed by CA
Stored on CA or directory service
No requirement on devices to ensure CRL is current
CA Relationships: Hierarchy and Cross-Certification
(Diagram legend: Certificate Authority; Certificate User; Certificate (points issuer to subject); Cross Certificate. A hierarchy of CAs is shown, with users Alice, Bob and Carol at the leaves and a cross certificate between CAs.)
Certificate Enrollment Protocol
PKCS #7 for signing and enveloping
PKCS #10 for certificate request
HTTP and LDAP for transport
Requires manual authentication during enrollment
CRL distribution is manual
A Day In the Life of an IPSec Packet
IPSec Overview
(Diagram: IP Header | IPSec Header(s) AH/ESP | IP Data (Encrypted))
Interoperable authentication, integrity and encryption
Authentication Header
(Diagram: all data in clear text between Router and Firewall)
Data integrity: no twiddling of bits
Origin authentication: definitely came from Router
Uses keyed-hash mechanism
Does NOT provide confidentiality
Replay protection
AH Authentication and Integrity
(Diagram: Router sends IP HDR | AH | Data with Authentication Data (00ABCDEF) computed over IP Header + Data; Firewall recomputes the Authentication Data over the received IP Header + Data)
IPSec Authentication Header (AH)
Next Header | Payload Length | RESERVED
Security Parameter Index (SPI)
Sequence Number Field
Authentication Data
AH header is prepended to IP datagram or to upper-layer protocol
IP datagram, part of AH header, and message itself are authenticated with a keyed hash function
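The AH header and its keyed hash from the slides above, together with the HMAC recomputation from the message-digest slide, as an added example that is not Cisco's code: it builds an AH packet, verifies the ICV with the mutable IP fields excluded, and applies the anti-replay window the AH slide lists. The source address and payloads are constructed; the destination, SPI and HMAC-MD5 key are the values from the IPSec Security Association slide later in the deck.

```python
"""IPSec Authentication Header (AH) build and verify as described on the AH
slides, using the HMAC-MD5 keyed hash from the message-digest slide and the
anti-replay protection the AH slide lists.  Added example, not Cisco's code.
Simplified RFC 2402/2403 rules are assumed: IPv4 without options; the
mutable fields (TOS, flags/fragment offset, TTL, checksum) and the ICV are
zeroed before hashing; the ICV is HMAC-MD5 truncated to 96 bits."""
import hashlib
import hmac
import struct
from typing import Tuple

AH_PROTO = 51    # IP protocol number of AH
AH_FIXED = 12    # Next Header, Payload Len, RESERVED, SPI, Sequence Number
ICV_LEN = 12     # HMAC-MD5-96 Authentication Data

def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Constructed IPv4 header; checksum left 0 (it is mutable anyway)."""
    def addr(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, addr(src), addr(dst))

def _zero_mutable(ip_hdr: bytes) -> bytes:
    """Zero the fields that routers may change in transit."""
    h = bytearray(ip_hdr)
    h[1] = 0                   # TOS
    h[6:8] = b"\x00\x00"       # flags / fragment offset
    h[8] = 0                   # TTL
    h[10:12] = b"\x00\x00"     # header checksum
    return bytes(h)

def ah_fixed(next_header: int, spi: int, seq: int) -> bytes:
    """Next Header | Payload Len | RESERVED | SPI | Sequence Number Field.
    Payload Len is the AH length in 32-bit words minus 2."""
    return struct.pack("!BBHII", next_header, (AH_FIXED + ICV_LEN) // 4 - 2, 0, spi, seq)

def ah_icv(key: bytes, ip_hdr: bytes, fixed: bytes, payload: bytes) -> bytes:
    """Keyed hash over the IP header (mutable fields zeroed), the AH header
    with its ICV field zeroed, and the upper-layer data."""
    data = _zero_mutable(ip_hdr) + fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]

def build_ah_packet(key: bytes, src: str, dst: str, spi: int, seq: int,
                    payload: bytes, inner_proto: int = 6) -> bytes:
    """Sender side, transport mode: AH sits between IP header and payload."""
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + AH_FIXED + ICV_LEN + len(payload))
    fixed = ah_fixed(inner_proto, spi, seq)
    return ip_hdr + fixed + ah_icv(key, ip_hdr, fixed, payload) + payload

class InboundSA:
    """Receiver state for one SA: key, SPI and a sliding anti-replay window."""

    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0     # highest sequence number accepted so far
        self.seen = 0        # bit d set <=> sequence number highest-d accepted

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.highest:
            return True
        d = self.highest - seq
        return d < self.window and not (self.seen >> d) & 1

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes) -> Tuple[bool, str]:
        """Order as in RFC 2402: replay check (cheap) before the ICV, and the
        window is only advanced once the ICV has verified."""
        ip_hdr, fixed = packet[:20], packet[20:20 + AH_FIXED]
        icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
        if ip_hdr[9] != AH_PROTO:
            return False, "not an AH packet"
        _, _, _, spi, seq = struct.unpack("!BBHII", fixed)
        if spi != self.spi:
            return False, "unknown SPI"
        if not self._replay_ok(seq):
            return False, "replayed or out-of-window sequence number"
        if not hmac.compare_digest(ah_icv(self.key, ip_hdr, fixed, payload), icv):
            return False, "ICV mismatch"
        self._mark(seq)
        return True, "accepted"

# Values from the deck's SA table (destination, SPI, HMAC-MD5 key); the
# source address is constructed for this example.
SA_KEY = bytes.fromhex("7572CA49F7632946")
SA_SPI = 0x7A390BC1
SA_SRC, SA_DST = "10.1.2.3", "205.49.54.237"
```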
Encapsulating Security Payload
Data confidentiality
Limited traffic flow confidentiality
Data integrity
Data origin authentication
Anti-replay protection
Does not protect IP Header
ESP Confidentiality and Integrity
(Diagram: Router to Firewall; IP HDR | ESP | Data, with the Data encrypted and the ESP header plus Data authenticated; encryption with a keyed-MAC)
IPSec Encapsulating Security Payload Header (ESP)
Security Parameter Index (SPI)
Sequence Number Field
Initialization Vector
Payload Data
Padding (If Any) | Pad Length | Next Header
Authentication Data
ESP header is prepended to IP datagram
Confidentiality through encryption of IP datagram
Integrity through keyed hash function
IPSec Modes
Transport Mode: IP HDR | DATA becomes IP HDR | IPSec HDR | DATA, with DATA encrypted
Tunnel Mode: IP HDR | DATA becomes New IP HDR | IPSec HDR | IP HDR | DATA, with the original IP HDR and DATA encrypted
Security Association (SA)
(Diagram: Router and Firewall communicating across an insecure channel)
Agreement between two entities on method to communicate securely
Unidirectional: two-way commun ication consists of two SAs
Security Associations Enable Your Chosen Policy
(Diagram: one SA pair uses Tunnel-Mode, AH-HMAC-SHA, PFS 50; another uses Transport-Mode, ESP-DES-HMAC-MD5, PFS 15)
IPSec Security Association (SA)
Destination Address: 205.49.54.237
Security Parameter Index (SPI): 7A390BC1
IPSec Transform: AH, HMAC-MD5
Key: 7572CA49F7632946
Additional SA Attributes (e.g., lifetime): One Day or 100MB
IKE
Negotiates policy to protect communication
Authenticated Diffie-Hellman key exchange
Negotiates (possibly multiple) security associations for IPSec
A flavor of ISAKMP/Oakley for IPSec
Provides PFS
Perfect Forward Secrecy (PFS)
Compromise of a single key will permit access to only data protected by that particular key
IKE provides PFS if required by using Diffie-Hellman for each rekey
If PFS not required, can refresh key material without using Diffie-Hellman
Cisco IOS IPSec Configuration
! If certain traffic matches the rules in access-list 101, then apply
! the crypto map or template. The map is called test1, it requires
! SAs for both ISAKMP and IPSec. The appropriate peer is
! 192.168.0.20 (Fred) and the transform-sets router and test2
! should be proposed to Fred in order to find the best match to
! be the basis of the IPSec SA. The ISAKMP SAs will be based
! on the ISAKMP policies defined earlier in the config
crypto map test1 10 ipsec-isakmp
 set peer 192.168.0.20
 set transform-set router test2
 match address 101
! Apply the crypto map to an interface
interface Ethernet0
 ip address 192.168.0.2 255.255.255.0
 crypto map test1
access-list 101 permit ip host 192.168.0.2 host 192.168.0.20
Establishing the IKE SA
ISAKMP Phase 1, Oakley Main Mode, between Fred and Wilma:
SA Request IPSec (triggered by ACL)
Fred: IKE SA Offer: des, sha, rsa sig, D-H group 1, lifetime
Wilma: Policy Match, accept offer
Fred: D-H exchange: KE, nonce
Wilma: D-H exchange: KE, nonce
Fred: Authenticate D-H: apply Hash
Wilma: Authenticate D-H: apply Hash
The offer and D-H exchanges travel In the Clear; the authentication exchange is Protected
IKE Bi-Directional SA Established
Establishing IPSec SAs
ISAKMP Phase 2, Oakley Quick Mode, between Fred and Wilma, protected by the IKE SA:
Fred: IPSec SA Offer: transform, mode, pfs, authentication, lifetime
Wilma: Policy Match, accept offer
Fred: D-H exchange or refresh IKE key
Wilma: D-H exchange or refresh IKE key
IPSec Outbound SA Established and IPSec Inbound SA Established on each peer
A Day Debug
IKE with preshared keys
Fred proposes using esp-des to Wilma; access-list 101 triggers the IPSec requirement.
fred#telnet 192.168.0.2
Trying 192.168.0.2
A Day Debug
Traffic matching an ACL specification triggers a policy formulation by the sender. If more than one policy exists for a particular destination, then gather all relevant policies.
IPSEC(sa_request): ,
(key eng. msg.) src= 192.168.0.20, dest= 192.168.0.2,
src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des ,
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
A Day Debug
ISAKMP Phase One using Oakley Main Mode. Negotiate an ISAKMP security association (policy). This SA will protect any key and/or parameter negotiation required by other services such as IPSec.
ISAKMP (26): beginning Main Mode exchange
ISAKMP (26): processing SA payload. message ID = 0
ISAKMP (26): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (26): atts are acceptable. Next payload is 0
A Day Debug
Now, negotiate an SA for IPSec. This is ISAKMP Phase 2 using Oakley Quick Mode.
ISAKMP (26): beginning Quick Mode exchange, M-ID of -652741699
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 258023605 for SA
 from 192.168.0.2 to 192.168.0.20 for prot 3
ISAKMP (26): processing SA payload. message ID = -652741699
ISAKMP (26): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
A Day Debug
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP (26): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
 (key eng. msg.) dest= 192.168.0.2, src= 192.168.0.20,
 dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
 src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
 protocol= ESP, transform= esp-des ,
 lifedur= 0s and 0kb,
 spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
A Day Debug
Generate a shared key for encryption for IPSec. Generally the original D-H generated shared secret key is refreshed via combining it with a random value (another nonce) as shown below.
ISAKMP (26): processing NONCE payload. message ID = -652741699
ISAKMP (26): processing ID payload. message ID = -652741699
ISAKMP (26): processing ID payload. message ID = -652741699
A Day Debug
ISAKMP (26): Creating IPSec SAs
 inbound SA from 192.168.0.2 to 192.168.0.20 (proxy 192.168.0.2 to 192.168.0.20 )
 has spi 258023605 and conn_id 27 and flags 4
 lifetime of 3600 seconds
 lifetime of 4608000 kilobytes
 outbound SA from 192.168.0.20 to 192.168.0.2 (proxy 192.168.0.20 to 192.168.0.2 )
 has spi 251200955 and conn_id 28 and flags 4
 lifetime of 3600 seconds
 lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
A Day Debug
IPSEC(initialize_sas): ,
 (key eng. msg.) dest= 192.168.0.20, src= 192.168.0.2,
 dest_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
 src_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
 protocol= ESP, transform= esp-des ,
 lifedur= 3600s and 4608000kb,
 spi= 0xF6120B5(258023605), conn_id= 27, keysize= 0,
 flags= 0x4
IPSEC(initialize_sas): ,
 (key eng. msg.) src= 192.168.0.20, dest= 192.168.0.2,
 src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
 dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
 protocol= ESP, transform= esp-des ,
 lifedur= 3600s and 4608000kb,
 spi= 0xEF905BB(251200955), conn_id= 28, keysize= 0,
 flags= 0x4
A Day Debug
Each SA is unidirectional so we need to see two SAs created on each participating peer, one outbound and one inbound:
IPSEC(create_sa): sa created,
 (sa) sa_dest= 192.168.0.20, sa_prot= 50,
 sa_spi= 0xF6120B5(258023605),
 sa_trans= esp-des , sa_conn_id= 27
IPSEC(create_sa): sa created,
 (sa) sa_dest= 192.168.0.2, sa_prot= 50,
 sa_spi= 0xEF905BB(251200955),
 sa_trans= esp-des , sa_conn_id= 28
Using a CA: Entrust Configuration
ip domain-name cisco.com
crypto isakmp policy 4
crypto ca identity cisco.com
 enrollment mode ra
 enrollment url http://10.0.0.2/cgi-bin
 query url ldap://10.0.0.2
 crl optional
CA and CEP Example
Step 1: Generate Public/Private Keys
barney(config)#crypto key gen rsa usage
The name for the keys will be: barney.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
 Signature Keys. Choosing a key modulus greater than 512 may take
 a few minutes.
How many bits in the modulus [512]:
Generating RSA keys ...
[OK]
Choose the size of the key modulus in the range of 360 to 2048 for your
 Encryption Keys. Choosing a key modulus greater than 512 may take
 a few minutes.
How many bits in the modulus [512]:
Generating RSA keys ...
[OK]
CA and CEP Example
Step 1: Generate Public/Private Keys
barney#sho crypto key mypublic rsa
% Key pair was generated at: 01:18:43 UTC Mar 1 1999
Key name: barney.cisco.com
Usage: Signature Key
Key Data:
 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BEDC6C FBD327FC
 2AFC7521 F2DE3D04 D3239759 7908C8F1 64F0E58F 0116CF6A 897D6210 2D4BFC80
 CE41DF7B AA75ECAA 6680B13F 30F079BE DD361565 A325B72A 3D020301 0001
% Key pair was generated at: 01:18:45 UTC Mar 1 1993
Key name: barney.cisco.com
Usage: Encryption Key
Key Data:
 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C06DC2 3AE2BF72
 CE9FD6F6 55C13A0D A3C183D5 1E7E4523 E8863DDC D852FD32 86461BBC F10EEA77
 8A6A5AC9 AFEF6B0A 03107565 03384DB4 4E6C4A77 0C594B10 31020301 0001
CA and CEP Example
Step 2: Request the CA and RA Certificates. Manually verify the Fingerprint of the CA
barney(config)#cryp ca auth cisco.com
Certificate has the following attributes:
Fingerprint: 1A5416D6 2EEE8943 D11CCEE1 3DEE9CE7
% Do you accept this certificate? [yes/no]: y
CA and CEP Example
Step 3: Enrol the Router with the CA
barney(config)#cry ca enrol cisco.com
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
 password to the CA Administrator in order to revoke your certificate.
 For security reasons your password will not be saved in the configuration.
 Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: barney.cisco.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y
CA and CEP Example
Step 3: Enrol the Router with the CA. Fingerprints are sent to the CA for manual verification
barney(config)#
Signing Certificate Request Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
Encryption Certificate Request Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7
CA and CEP Example
Step 4: CA grants Certificates. Status Pending -> Available
barney#sho cryp ca cert
Certificate
 Subject Name
 Name: barney.cisco.com
 Status: Pending
 Key Usage: Signature
 Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
Certificate
 Subject Name
 Name: barney.cisco.com
 Status: Pending
 Key Usage: Encryption
 Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7
Certificate Debug
00:02:29: ISAKMP (2): Checking ISAKMP transform 1 against priority 5 policy
00:02:29: ISAKMP: encryption DES-CBC
00:02:29: ISAKMP: hash MD5
00:02:29: ISAKMP: default group 1
00:02:29: ISAKMP: auth RSA sig
Certificate Debug
00:02:29: ISAKMP (2): atts are acceptable. Next payload is 0
00:02:29: ISAKMP (2): SA is doing RSA signature authentication
00:02:29: ISAKMP (2): processing KE payload. message ID = 0
00:02:29: ISAKMP (2): processing NONCE payload. message ID = 0
00:02:29: ISAKMP (2): SKEYID state generated
00:02:30: ISAKMP (2): processing ID payload. message ID = 0
00:02:30: ISAKMP (2): processing CERT payload. message ID = 0
00:02:30: ISAKMP (2): processing a CT_X509_SIGNATURE cert
00:02:30: ISAKMP (2): cert approved with warning
00:02:30: ISAKMP (2): processing CERT_REQ payload. message ID = 0
00:02:30: ISAKMP (2): peer wants a CT_X509_SIGNATURE cert
00:02:30: ISAKMP (2): processing SIG payload. message ID = 0
00:02:30: ISAKMP (2): SA has been authenticated with 10.0.0.3
00:02:30: ISAKMP (2): processing SA payload. message ID = 1451572340
Scaling Example 1: Central Site Router
crypto map HQ 10 ipsec-isakmp
 set peer 172.21.115.1
 set peer 172.21.116.1
 set transform-set encrypt-des
 match address 101
Scaling Example 2: Central Site Router
crypto map HQ 10 ipsec-isakmp
 set peer 172.21.115.1
 set transform-set encrypt-des
 match address 101
crypto map HQ 20 ipsec-isakmp
 set peer 172.21.116.1
 set transform-set encrypt-des
 match address 102
Scaling Example 3: Central Site Router
crypto dynamic-map AcceptRemote 20
 set transform-set encrypt-des
crypto map dynamicHQ 10 ipsec-isakmp dynamic AcceptRemote
Scaling for Large Networks: Options
Multihop encryption
Tunnel endpoint discovery
All-or-nothing approach
Registration server
Enable Mobile Users with Layer 2TP and IPSec
(Diagram: PPP, Layer 2TP, and IPSec and IKE layered between the client and the gateway)
1. Client dials ISP, uses PPP via modem
2. Client dials gateway using Layer 2TP via VPN port
3. AAA and assign configuration by gateway
4. IPSec transport mode established between client and gateway
Enable Mobile Users with Mode Config IKE Extension

(Figure: exchange showing PPP, the IKE SA, the ISAKMP Transaction Exchange and the IPSec SAs)
1. Dial the ISP using PPP via modem
2. Establish the IKE SA with the gateway
3. Send ISAKMP_CFG_REQUEST to the gateway
4. Gateway sends ISAKMP_CFG_REPLY
5. Client now has its internal attributes; establish the IPSec SAs
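Added example (not from the slides and not Cisco code): a small Python model of the ISAKMP_CFG_REQUEST / ISAKMP_CFG_REPLY exchange in steps 3 and 4, carrying the configuration attributes in the ISAKMP data-attribute (TLV/TV) format. The outer ISAKMP payload header is omitted, and the gateway's address pool, the message identifier and the helper names are assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address

ISAKMP_CFG_REQUEST, ISAKMP_CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3
# Constructed sample pool the gateway hands out (an assumption, not a real deployment)
GATEWAY_POOL = {INTERNAL_IP4_ADDRESS: IPv4Address("10.1.1.5").packed,
                INTERNAL_IP4_NETMASK: IPv4Address("255.255.255.0").packed,
                INTERNAL_IP4_DNS: IPv4Address("10.1.1.1").packed}

def encode_attrs(attrs):
    # TLV form (AF bit clear): Type(2) Length(2) Value; a zero length means "please supply"
    return b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)

def decode_attrs(data):
    # Accepts both TLV (AF=0) and TV (AF=1, two-byte value carried inline) forms
    attrs, off = [], 0
    while off + 4 <= len(data):
        hdr, rest = struct.unpack_from("!HH", data, off)
        off += 4
        if hdr & 0x8000:                        # TV: 'rest' is the value itself
            attrs.append((hdr & 0x7FFF, struct.pack("!H", rest)))
        elif off + rest <= len(data):           # TLV: 'rest' is the value length
            attrs.append((hdr, data[off:off + rest]))
            off += rest
        else:
            raise ValueError("attribute length exceeds payload")
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs

def build_cfg(msg_type, identifier, attrs):
    # Attribute payload body: Type(1) Reserved(1) Identifier(2), then the attribute list
    return struct.pack("!BBH", msg_type, 0, identifier) + encode_attrs(attrs)

def parse_cfg(msg):
    msg_type, _, identifier = struct.unpack_from("!BBH", msg, 0)
    return msg_type, identifier, decode_attrs(msg[4:])

def client_request(identifier, wanted=(INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS)):
    # Step 3: the client asks for each attribute by sending it with an empty value
    return build_cfg(ISAKMP_CFG_REQUEST, identifier, [(t, b"") for t in wanted])

def gateway_reply(request):
    # Step 4: echo the identifier; answer only the types in the pool and omit the rest
    msg_type, identifier, attrs = parse_cfg(request)
    if msg_type != ISAKMP_CFG_REQUEST:
        raise ValueError("expected ISAKMP_CFG_REQUEST")
    return build_cfg(ISAKMP_CFG_REPLY, identifier,
                     [(t, GATEWAY_POOL[t]) for t, _ in attrs if t in GATEWAY_POOL])
```

The decoder refuses attribute lengths that overrun the payload and any trailing bytes, which is the check a gateway needs before trusting a peer-supplied attribute list.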
IPSec, NAT and Cisco IOS Firewall

(Figure: topology with a Cisco IPSec peer and an IRE client workstation IPSec peer; networks 192.168.0.0 255.255.255.0, 192.168.1.0 255.255.255.0, 10.0.0.0 255.255.255.240 and 172.17.11.0 255.255.255.0; LO0 30.30.30.30 255.255.255.0)
IPSec, NAT and Cisco IOS Firewall

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname wilma
!
enable secret 5 $1$baf6$1VAnALbAuaJheCXi.u3fV0
enable password cisco
!
ip subnet-zero
!
! NAT Config: translate all inside source addresses matching access-list 1
! to those addresses defined in the pool outside. Also define a
! static translation for the inside web server 192.168.0.20
ip nat pool outside 172.17.1.30 172.17.1.50 netmask 255.255.255.0
ip nat inside source list 1 pool outside
ip nat inside source static 192.168.0.20 172.17.1.20
IPSec, NAT and Cisco IOS Firewall

! IOS Firewall Timeout declarations
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
!
! Define your IKE Policies. All will be offered to the Peer and the most
! secure match will be used
crypto isakmp policy 1
hash md5
authentication pre-share
!
! If the peer can accept this policy, then it will be used as it is more
! secure than Policy 1
crypto isakmp policy 2
authentication pre-share
group 2
lifetime 360
!
! Define the Pre-Shared Keys of your Peers
crypto isakmp key ciscosys address 10.0.0.6
IPSec, NAT and Cisco IOS Firewall

! IPSec policies are defined here. These include your AH and ESP
! choices as well as the mode of operation.
crypto ipsec transform-set dessha esp-des esp-sha-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto ipsec transform-set desmd5tr esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
!
! When dealing with multiple clients a dynamic crypto map can be
! used so that the peer's identity need not be defined here. Note
! that this router must still authenticate the incoming client via
! either a Pre-Shared key, or a certificate. This is the dynamic
! map's template.
crypto dynamic-map remotes 1
set transform-set desmd5
match address 120
IPSec, NAT and Cisco IOS Firewall

! Regular crypto maps are defined here. The first map allows the
! use of PFS such that a brand new Diffie-Hellman exchange is
! performed during each IKE quick mode. The identity of this peer
! is defined by its loopback address. If the loopback is used it must
! be a public address, IPSec is done first, then NAT
crypto map iosirepfs local-address Loopback0
crypto map iosirepfs 1 ipsec-isakmp
set peer 10.0.0.6
set transform-set desmd5
set pfs group1
match address 120
! This crypto map uses the dynamic template defined above.
crypto map iosirerem 1 ipsec-isakmp dynamic remotes
IPSec, NAT and Cisco IOS Firewall

interface Loopback0
ip address 30.30.30.30 255.255.255.0
no ip directed-broadcast
!
! We want to use NAT and also make sure we trigger the
! IOS Firewall such that conversations initiated on the
! inside have a dynamic stateful (CBAC) access-list
! created.
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 110 in
no ip directed-broadcast
ip nat inside
ip inspect firewall in
IPSec, NAT and Cisco IOS Firewall

! Inside source addresses are translated to the outside
! pool. All incoming traffic is examined by the
! firewall via access-group 111. For IPSec, the crypto
! map is applied.
interface Serial0
ip address 192.168.1.1 255.255.255.0
ip access-group 111 in
no ip directed-broadcast
ip nat outside
no ip mroute-cache
no keepalive
crypto map iosirerem
IPSec, NAT and Cisco IOS Firewall

! ACL for NAT translation, any source IP from the
! 192.168.0.0 subnet will be translated
access-list 1 permit 192.168.0.0 0.0.0.255
!
! ACL triggers CBAC on traffic initiated on the inside of
! the firewall
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
IPSec, NAT and Cisco IOS Firewall

! Before the firewall will allow traffic initiated on the outside in,
! that traffic must satisfy this list
access-list 111 permit udp host 10.0.0.6 host 192.168.1.1
access-list 111 permit esp host 10.0.0.6 host 192.168.1.1
access-list 111 permit ahp host 10.0.0.6 host 192.168.1.1
access-list 111 permit tcp host 10.0.0.6 host 172.17.1.20 eq www
access-list 111 permit icmp host 10.0.0.6 any
access-list 111 permit udp host 10.0.0.6 host 172.17.1.20 eq tftp
!
! Encrypt any traffic matching these conditions. Note that the
! NATd addresses are the source addresses.
access-list 120 permit ip 172.17.1.0 0.0.0.255 host 10.0.0.6
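To make the point about access-list 120 concrete, here is an added Python model (not Cisco code and not from the slides) of the router's inside-to-outside path: NAT inside source is applied, and only then is the crypto ACL consulted against the translated source. The helpers net, permits and outbound and the constructed ACL_120_WRONG counter-example are assumptions for this example.

```python
from ipaddress import IPv4Address, IPv4Network

def net(spec):
    # Cisco ACL address spec ("any", "host A.B.C.D", "A.B.C.D W.W.W.W") to a network; assumes a
    # contiguous wildcard mask (assumed helper for this example, not IOS code)
    if spec == "any":
        return IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return IPv4Network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    bits = int(IPv4Address(wildcard)).bit_length()
    return IPv4Network((int(IPv4Address(addr)) >> bits << bits, 32 - bits))

def permits(acl, proto, src, dst):
    # Extended ACL evaluation over permit entries only: first match wins, implicit deny at the end
    return any(p in (proto, "ip") and src in s and dst in d for p, s, d in acl)

# The router's lists from the slides, re-typed as data
ACL_1 = [("ip", net("192.168.0.0 0.0.0.255"), net("any"))]            # NAT source list
ACL_120 = [("ip", net("172.17.1.0 0.0.0.255"), net("host 10.0.0.6"))]  # crypto ACL, NATd sources
STATIC = {IPv4Address("192.168.0.20"): IPv4Address("172.17.1.20")}    # web server static NAT
POOL = [IPv4Address("172.17.1.30") + i for i in range(21)]            # pool outside .30-.50
# A crypto ACL mistakenly written with the pre-NAT inside addresses (constructed counter-example)
ACL_120_WRONG = [("ip", net("192.168.0.0 0.0.0.255"), net("host 10.0.0.6"))]

def nat_inside_to_outside(src, dst, table):
    # Static entry first, then the dynamic pool for sources matching list 1, else untranslated
    if src in STATIC:
        return STATIC[src]
    if permits(ACL_1, "ip", src, dst):
        table.setdefault(src, POOL[len(table)])   # naive allocation, enough for the example
        return table[src]
    return src

def outbound(proto, src, dst, crypto_acl=ACL_120, table=None):
    # Inside-to-outside order on the router: NAT inside source runs before the crypto map is
    # consulted, so the crypto ACL sees the translated source. Returns (wire_src, encrypted).
    table = {} if table is None else table
    dst = IPv4Address(dst)
    wire_src = nat_inside_to_outside(IPv4Address(src), dst, table)
    return str(wire_src), permits(crypto_acl, proto, wire_src, dst)
```

With ACL_120_WRONG the peer-bound packets are translated but never match the crypto ACL, so they would leave the Serial0 interface in cleartext; that is the failure the slide's comment about NATd source addresses is guarding against.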
Configuring GRE Tunnels

crypto map my_crypto_map 10
set algorithm 40-bit-des
set peer r3-4k
match address 128
interface Tunnel0
ip address 5.5.5.3 255.255.255.0
tunnel source Loopback0
tunnel destination 1.1.6.1
crypto map my_crypto_map
interface Serial0
ip address 2.2.5.3 255.255.255.0
crypto map my_crypto_map
access-list 128 permit gre host 2.2.6.3 host 1.1.6.1
VOIP and IPSec

(Figure: two 1750 routers, vvpn_1 and vvpn_2, with phone numbers 1750-120 and 1750-220 and WAN addresses 201.168.4.1 and 201.168.2.1, connected across the Internet)

IPSec ACL must specify WAN endpoints/subnets to facilitate RTP, H.225
Port numbers used for VOIP may not be well-known and may be negotiated
VOIP and IPSec Notes

Due to additional headers and packet expansion, an RTP frame of G.729 encoded voice is 100 bytes across an IPSEC facility
At 50 pps of 100-byte frames, a 56kb link can only accommodate a single call (50 x 100 bytes = 40kb)
RTP header compression is not available to IPSEC frames
VOIP and IPSec Notes

RTP packets cannot be distinguished within an ESP encrypted flow, so interleaving between fragments is not possible
Increasing bandwidth for smaller packet sizes is good for IPSec and VOIP
QOS and IPSec

Diff-serv: the entire TOS byte is copied to the IPSEC header so precedence can be applied. The additional length may change the packet's service characteristics
QOS must be implemented before IPSec
Performance

Model   Suggested Bandwidth
1600    up to 64Kb - 128Kb
2500    up to 128Kb
2600    up to 512Kb
3640    up to 1.5Mb
4700    up to 2.0Mb
7206    up to 2.5Mb
7505    up to 6.0Mb
Encryption Performance Stats

Model   Baseline   CET       Auth. only   Encrypt only   Auth. and Encrypt.   Suggested Bandwidth
2514    2.4-9.9    0.2-0.3   0.1-1.0      0.16-0.25      0.1-0.2              up to 128kbps
3640    9.9+       2.0-4.0   0.6-6.1      0.7-2.5        0.5-2.1              up to 1.5Mbps
4700    9.5-9.9    4.9-5.3   1.4-9.1      1.5-3.1        1.1-2.6              up to 2.0Mbps
7206    9.9+       2.9-5.5   1.0-9.1      1.1-3.5        0.9-2.9              up to 2.5Mbps
7505*   9.9+       9.2-9.9   2.9-9.4      3.6-9.1        2.6-7.9              up to 6.0Mbps

* The processing of IPSec is done on the RSP.
Reference Material

Applied Cryptography [2nd Edition], Bruce Schneier, Addison-Wesley
Cryptography and Network Security, William Stallings, Prentice Hall
Web Security and Commerce, Garfinkel and Spafford, O'Reilly
Internet Cryptography, Richard E. Smith, Addison-Wesley
Internet Drafts and RFCs: www.ieft.org, Public-Key Infrastructure and IP Security Protocol Charters
Please Complete Your Evaluation Form

Session 318