Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features



Similar documents
How To Get A New Phone System For Your Business

PUBLIC KEY INFRASTRUCTURE CERTIFICATE REVOCATION LIST VERSUS ONLINE CERTIFICATE STATUS PROTOCOL

Cisco Conference Connection

CISCO CONTENT SWITCHING MODULE SOFTWARE VERSION 4.1(1) FOR THE CISCO CATALYST 6500 SERIES SWITCH AND CISCO 7600 SERIES ROUTER

CISCO IP PHONE SERVICES SOFTWARE DEVELOPMENT KIT (SDK)

Cisco CNS NetFlow Collection Engine Version 4.0

THE CISCO CRM COMMUNICATIONS CONNECTOR GIVES EMPLOYEES SECURE, RELIABLE, AND CONVENIENT ACCESS TO CUSTOMER INFORMATION

CISCO METRO ETHERNET SERVICES AND SUPPORT

CISCO PIX SECURITY APPLIANCE LICENSING

CISCO NETWORK CONNECTIVITY CENTER

NetFlow Feature Acceleration

Cisco CNS NetFlow Collection Engine Version 5.0

Cisco 2-Port OC-3/STM-1 Packet-over-SONET Port Adapter

CISCO WIRELESS SECURITY SUITE

Cisco Secure Access Control Server Solution Engine

CISCO IOS SOFTWARE FEATURE PACKS FOR THE CISCO 1700 SERIES MODULAR ACCESS ROUTERS AND CISCO 1800 SERIES (MODULAR) INTEGRATED SERVICES ROUTERS

CISCO SMALL AND MEDIUM BUSINESS CLASS VOICE SOLUTIONS: CISCO CALLMANAGER EXPRESS BUNDLES

Cisco IT Data Center and Operations Control Center Tour

CISCO MDS 9000 FAMILY PERFORMANCE MANAGEMENT

CISCO IOS IP SERVICE LEVEL AGREEMENT

Cisco Blended Agent: Bringing Call Blending Capability to Your Enterprise

Cisco Router and Security Device Manager File Management

NETWORK AVAILABILITY IMPROVEMENT SUPPORT OPERATIONAL RISK MANAGEMENT ANALYSIS

Cisco 7200 and 7500 Series Routers

It looks like your regular telephone.

THE BUSINESS CASE FOR MANAGED SERVICES IN SMALL AND MEDIUM-SIZED BUSINESSES

E-Seminar. Financial Management Internet Business Solution Seminar

IS YOUR OLD PHONE SYSTEM HANGING UP YOUR DISTRICT? CISCO K 12 DIRECT LINE SOLUTION FOR IP COMMUNICATIONS

HIGH-DENSITY PACKET VOICE DIGITAL SIGNAL PROCESSOR MODULE FOR CISCO IP COMMUNICATIONS SOLUTION

CISCO IOS SOFTWARE RELEASES 12.4 MAINLINE AND 12.4T FEATURE SETS FOR THE CISCO 3800 SERIES ROUTERS

CISCO IOS SOFTWARE RELEASES 12.4 MAINLINE AND 12.4T FEATURE SETS FOR THE CISCO 2800 SERIES ROUTERS

CISCO 7304 SERIES ROUTER PORT ADAPTER CARRIER CARD

Cisco IOS Telephony Services Survivable/Standby Remote Site Telephony

Figure 1. The Cisco Aironet Power Injectors Provide Inline Power to Cisco Aironet Access Points and Bridges

IP Networking and the Advantages of consolidation

Cisco Systems GigaStack Gigabit Interface Converter

Cisco SMB Class Solutions Your Next Phone System Purchase

Cisco Aironet 1130AG Series

CISCO SFP OPTICS FOR PACKET-OVER-SONET/SDH AND ATM APPLICATIONS

CISCO AIRONET POWER INJECTOR

Internal IT Staff at a Serbian Children s Hospital Takes Innovative Approach to Outpatient Care

Cisco WebEx Social Compatibility Guide

Cisco Router and Security Device Manager Dial-Backup Solution

Cisco GLBP Load Balancing Options

CISCO CATALYST 3750 SERIES SWITCHES

CISCO IP PHONE EXPANSION MODULE 7914

Combined voice and data solution supports Orange s ongoing success in the UK business market

Cisco 2600XM DSL Router Bundles

CISCO ATA 186 ANALOG TELEPHONE ADAPTOR

Cisco IOS Firewall Intrusion Detection System

Cisco Outbound Option

Cisco AVVID Network Enterprise Data Center Solution Overview

Cisco PBX Interoperability: Lucent/Avaya Definity G3si V7 PBX with CallManager using Analog FXS and FXO Interfaces as an MGCP Gateway

Serial Connectivity Network Modules for the 2600, 3600, and 3700 Series (NM-1HSSI, NM-4T, NM-4A/S, NM-8A/S, NM-16A/S, NM-16A, NM-32A)

Cisco Catalyst 6500 Series/Cisco 7600 Series Supervisor Engine 720-3BXL

CISCO ATA 188 ANALOG TELEPHONE ADAPTOR

CISCO NETWORK CONNECTIVITY CENTER MPLS MANAGER 1.0

Cisco Solution Incentive Program Asia Pacific

CISCO ISDN BRI S/T WIC FOR THE CISCO 1700, 1800, 2600, 2800, 3600, 3700, AND 3800 SERIES

Cisco Systems Brings World-Class Online Banking Solutions to State Bank of India

CISCO CATALYST 6500 SERIES CONTENT SWITCHING MODULE

World Consumer Income and Expenditure Patterns

E-Seminar. E-Commerce Internet Business Solution Seminar

CISCO MEETINGPLACE MANAGED SERVICE

PREVENTING WORM AND VIRUS OUTBREAKS WITH CISCO SELF-DEFENDING NETWORKS

The Palace of Versailles Goes Digital, Increasing Revenue and Enhancing Overall Visitor Experience

Cisco Intelligent Contact Management Enterprise Edition

How To Outtask Metro Ether To A Managed Service Provider

Cisco 7200 Series Enterprise WAN Aggregation Application

CISCO MEETINGPLACE FOR OUTLOOK 5.3

CISCO 10GBASE X2 MODULES

SOUTH BAY BMW ACHIEVES UNMATCHED AVAILABILITY AND SECURITY WITH ITS CISCO NETWORK

Appendix 1: Full Country Rankings

Cisco IT Data Center and Operations Control Center Tour

CISCO CALLMANAGER EXPRESS 3.2

How To Connect A Cisco Aironet 350 Series Wireless Bridge To A Network With A Wireless Bridge

CISCO CATALYST 6500 SUPERVISOR ENGINE 32

Enterprise Reporting

Foreign Taxes Paid and Foreign Source Income INTECH Global Income Managed Volatility Fund

Enabling High Availability for Voice Services in Cable Networks

Cisco Secure Policy Manager Version 3.1

CISCO ISDN BRI S/T WIC FOR THE CISCO 1700, 1800, 2600, 2800, 3600, 3700, AND 3800 SERIES

Cisco Unified IP Conference Station 7936

Optical Service Modules: OC-3/STM-1, OC-12/STM-4 and OC-48/STM-16 POS, OC-12/STM-4 ATM, Gigabit Ethernet WAN, Channelized T3 (CT3) and OC12/STM-4

Reporting practices for domestic and total debt securities

CISCO DISTRIBUTED DENIAL OF SERVICE PROTECTION SOLUTION: LEADING DDOS PROTECTION FOR SERVICE PROVIDERS AND THEIR CUSTOMERS

Cisco PIX Device Manager v3.0

IP Communications for Small Offices Using Cisco CallManager Express and Cisco Unity Express

CONNECT TO COMPREHENSIVE NETWORK SECURITY SOLUTIONS WITH THE CISCO IP NETWORK DEFENDER PROGRAM.

CISCO 100BASE-X SFP FOR FAST ETHERNET SFP PORTS

SERIAL AND ASYNCHRONOUS HIGH-SPEED WAN INTERFACE CARDS FOR CISCO 1800, 2800, AND 3800 SERIES INTEGRATED SERVICES ROUTERS

What is network convergence all about?

networks (VPNs). models, the Cisco 800 series of routers addresses wide range Figure 1 Cisco 800 Series Routers give Small Offices and Corporate

Triple-play subscriptions to rocket to 400 mil.

Logix5000 Clock Update Tool V /13/2005 Copyright 2005 Rockwell Automation Inc., All Rights Reserved. 1

CISCO 7609 ROUTER ENHANCED 9-SLOT CHASSIS

Transcription:

Data Sheet Cisco IOS Public-Key Infrastructure: Deployment Benefits and Features Introduction to Public Key Infrastructure Public Key Infrastructure (PKI) offers a scalable method of securing networks, reducing management overhead, and simplifying the deployment of network infrastructures by deploying Cisco IOS Security protocols, including Cisco IOS IPsec, Secure Shell (SSH), and Secure Socket Layer (SSL). Cisco IOS Software can also use PKI for authorization via access lists and authentication resources. Additional new features build the value-added proposition of Cisco IOS Software to simplify the provisioning and management of Cisco IOS security technologies. Any network, from small home office routers to the core systems of the world s largest service provider networks, can benefit the enhanced security in Cisco IOS Software. PKI is a system that manages encryption keys and identity information for the human and mechanical components of a network, which participate in secured communications. For a person or a piece of equipment to enroll in a PKI, the software on a user s computer generates a pair of encryption keys that will be used in secured communications: a public and a private key. Alternatively, this can be generated by a component of the operating system or functional software on a network device. The private key is never distributed or revealed; conversely, the public key is freely distributed to any party that negotiates a secure communication. During the enrollment process, the user s public key is sent in the certificate request to the certification authority, which is responsible for the portion of the organization to which that entity belongs. The user sends his public key to the registration component of the Certification Authorities (CA). Subsequently, the administrator approves the request and the CA generates the user s certificate. After the user receives a certificate and installs it on the computer, they can participate in the secured network. All contents are Copyright 1992 2002 All rights reserved. Important Notices and Privacy Statement. Page 1 of 5

Figure 1 Public Key Infrastructure Enrollment Step 1 Step 2 Step 3 Generate Keys Step 4 Step 5 CA s Keys PRIV PUB PRIV PUB Request Sign End Host s User s Keys End Host Authority PKI is used most frequently for encrypted email communications and IPsec tunnel negotiation, which both use the identity and security features of the certificate. The identity components determine the identity of the user, their level of access to the particular type of communication under negotiation, and the encryption information that protects the communication from other parties who are not allowed access. Communicating parties will exchange certificates, and inspect the information presented by the other. The certificates are checked to see if they are within their validity period, and if the certificate was generated by a trusted PKI. If all the identity information is appropriate, the public key is extracted from the certificate and used to establish an encrypted session. The Case for PKI There are multiple methods for compromising the security of a network: man-in-the-middle attack, sniffing, tampering, and denial-of-service. Administrators must deploy some combination of encryption and authentication in order to ensure that hackers do not compromise the communications of a secured network. In order to fully leverage most encryption and authentication technologies, key information must be distributed between the components that will manage network security. Passwords, known as shared secrets, are the simplest way to distribute keys. This requires the configuration of all secured network devices, so that any two devices negotiating a session will have been pre-set with each other s passwords. Shared secrets should be unique, and should be changed periodically in order to ensure continued security. All of these requirements add up to a fairly substantial task to provision and manage shared secrets for encryption. The combination of these requirements is a fairly substantial amount of work, in terms of the provisioning and managing of shared secrets for encryption. While RSA encryption keys increase encryption security, the network and security operations team still maintain a great deal of responsibility. Administrators must ensure that all devices in the network can communicate, and must manually intervene to ensure that security is maintained if the network is compromised or if it is locked out of a device. All contents are Copyright 1992 2003 All rights reserved. Important Notices and Privacy Statement. Page 2 of 5

PKI, consisting of one or more CA Server and digital certificates, automates several of these tasks. The CA issues a digital certificate (one time use key) to a device in the network that can authenticate itself to the CA server. Therefore, the process of generating and distributing keys is automated. s are exchanged any time a new session is negotiated, so static pre-shared keys are not configured or stored, enhancing security and reducing administration. Cisco IOS Software supports interoperability with any X.509 v3 CA to enroll and use digital certificates for traffic authentication and encryption when secure communication is required. By enrolling a Cisco IOS Software device with a CA, the responsibility of managing the security key information is transferred to the network, reducing reliance on people for network security. Cisco IOS Simplifies Security Infrastructure Deployment and Management Provisioning and managing a secure network infrastructure becomes much simpler with the Cisco IOS Software PKI Enrollment features. Provisioning When deploying a secure network infrastructure, Cisco IOS Software PKI interoperability features reduce the network s engineer s workload by eliminating the need to track cumbersome shared secret lists. The CA interoperability features enables configuration of enrollment so that the router takes care of its enrollment status automatically; in a high-security environment, routers may be enrolled offline with a certificate that is hand-carried or sent via other out-of-band options. Management Auto Enrollment Cisco IOS Software offers features that simplify network management. With the Auto-Enroll Feature, network devices may be configured to periodically contact the CA and request a new certificate. This reduces the likelihood of network compromise through identity theft. Auto Enrollment may be configured to generate new encryption keys, or continue to use existing keys. Cisco IOS Public-Key Infrastructure Features to Simplify Deployment and Management Table 1 PKI Features and Benefits Feature Auto-Enroll Based Access Control (CBAC) N-Tier Chaining Manual and TFTP Enrollment Benefit Simplifies deployment and management by forcing the router to retrieve digital certificates Centralizes authorization information. A router can extract peer information from a certificate, present it to an AAA server (i.e., RADIUS), and receive an access list to define the access policy for that peer. Allows Cisco IOS Software network devices to operate in a complex PKI environment, where the structure of the PKI is defined by organizational or geographical boundaries. Increases the security of the enrollment process and granularity of control by enabling offline enrollment when the CAs must be closely monitored. All contents are Copyright 1992 2003 All rights reserved. Important Notices and Privacy Statement. Page 3 of 5

Provisioning and Management Tools Cisco offers multiple options for PKI provisioning and management, in terms of embedded management and as external management consoles. PKI is currently supported in the VPN Device Manager on routers from the Cisco 1710 to the Cisco 7200 Series Routers. One exception is the Cisco 3700 Series Routers, which will support this in the future. IP Solution Center offers a scripting interface to provision PKI enrollment on network devices. Another option for managing PKI configuration with regards to IPsec settings may be found in CiscoWorks. The requirements for network device management will dictate the appropriate management platform. Platform Support Cisco IOS Software supports PKI functionality on router platforms, beginning with Cisco IOS Software Release 11.3. Support for certificate enrollment and use with Cisco IOS IPsec is available through Cisco IOS Software Release 12.2T. After this release, Cisco enhanced the development cycle of Release 12.2T to increase PKI flexibility and increase the number of enrollment options. Table 2 Availability Routers Platforms Cisco 800 Series Cisco ubr900 Series Cisco 1600 Series Cisco 1700 Series Cisco 2600 Series Cisco 3600 Series Cisco 3700 Series Cisco AS5x00 Series Cisco 7100 Series Cisco 7200 Series Software Cisco IOS Software Release 12.2(15)T Cisco 6500 and 7600 Series will support Cisco PKI features as the new security service modules are developed. All contents are Copyright 1992 2003 All rights reserved. Important Notices and Privacy Statement. Page 4 of 5

Corporate Headquarters 170 West Tasman Drive San Jose, CA 95134-1706 USA Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 526-4100 European Headquarters Cisco Systems International BV Haarlerbergpark Haarlerbergweg 13-19 1101 CH Amsterdam The Netherlands www-europe.cisco.com Tel: 31 0 20 357 1000 Fax: 31 0 20 357 1100 Americas Headquarters 170 West Tasman Drive San Jose, CA 95134-1706 USA Tel: 408 526-7660 Fax: 408 527-0883 Asia Pacific Headquarters Capital Tower 168 Robinson Road #22-01 to #29-01 Singapore 068912 Tel: +65 6317 7777 Fax: +65 6317 7799 Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at /go/offices Argentina Australia Austria Belgium Brazil Bulgaria Canada Chile China PRC Colombia Costa Rica Croatia Czech Republic Denmark Dubai, UAE Finland France Germany Greece Hong Kong SAR Hungary India Indonesia Ireland Israel Italy Japan Korea Luxembourg Malaysia Mexico The Netherlands New Zealand Norway Peru Philippines Poland Portugal Puerto Rico Romania Russia Saudi Arabia Scotland Singapore Slovakia Slovenia South Africa Spain Sweden Switzerland Taiwan Thailand Turkey Ukraine United Kingdom United States Venezuela Vietnam Zimbabwe All contents are Copyright 1992 2003 All rights reserved. Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks or trademarks of and/or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0303R) 203031.C/ETMG_04/03