Firewall Wizards mailing list archives
Re: Cisco Firewall IOS question
From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 6 Oct 1998 00:23:54 -0700
Well, to answer your questions.... no, no, no, and uh.. no. The firewall feature set (I think) doesn't include an encryption functionality. Also, it's mutually-exclusive with the IOS package that DOES include encryption. IOS isn't modular at this point, and if Cisco doesn't package all the features you need into one binary, you're screwed. Some of this gets better with IOS 12. Some of what I mention as "future" below is available in 11.3T betas.

Here's what you CAN do (and this part I'm sure about, because I've done it.) All current versions of IOS include GRE tunnelling capabilities. Get an IOS that includes encryption (56-bit DES is the best available at present.) With a combination of GRE tunneling, encryption, and access-lists, you can build a serviceable VPN. I'm aware that 56-bit isn't enough, but hey, that's what you get right now.

In the future, starting with IOS 12, you'll be able to get an IPSec version of the IOS that will likely include realistic bit-lengths for the crypto. It also gives you a choice for tunneling (other than GRE.) I'm hoping that it improves the process of making a Cisco router-based VPN, as it's a bitch right now. Also, for the first time, you'll be able to securely admin your router (yay!) with IPSec. I think you may even get SSH to use so you're not stuck with telnet.

I've also run into some nasty bugs doing the above. If you're heading down that path, mail me and I might be able to save you a couple of headaches.

Ryan

P.S. For folks interested, I haven't really done a real crypto analysis of the protocols used.. I'm not really capable of it at this point. But, here's a few bits that I've gleaned: Uses Diffie-Hellman for initial key exchange, manuals state to verify keys via phone or some other trusted channel... good advice. DES session keys are exchanged using the public-private keys exchanged with DH. Key exchange seems to be done with ICMP. Encrypts after the IP header. Session key lifetimes are configurable.
Cisco claims that its firewall IOS can provide secure data transfer over public lines (such as the Internet) using any of the following protocols:

- Generic Routing Encapsulation (GRE) Tunneling
- Layer 2 Forwarding (L2F)
- Layer 2 Tunneling Protocol (L2TP)
- Quality of Service (QoS) controls: prioritize applications and allocate network resources to ensure delivery of mission-critical application traffic

Do any of these protocols actually encrypt the data?? Seems to me that the answer is no, but I'm not sure... Also, Cisco claims that their network-layer encryption capability prevents eavesdropping or tampering with data across the network during transmission. Does anyone know what type of encryption they use? Could this be utilized in tandem with the aforementioned protocols to achieve security for VPN over the internet? Comments welcome....
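The question asks whether GRE tunneling by itself encrypts anything, and the reply says it does not; GRE only wraps one IP packet inside another. The following Python is an added example, not code from this thread, from Cisco or from IOS: it builds a constructed GRE-in-IP packet (TEST-NET tunnel endpoints, a private inner flow, and a made-up cleartext login as the inner payload, placed directly after the inner IP header for brevity) and then parses it the way a passive observer on the public path could, using only the RFC 2784/2890 header layout. The optional GRE key is a demultiplexing tag carried in the clear, so it is parsed and shown too. An access-list that permits only IP protocol 47 between the two endpoints limits who can send into the tunnel, but as the parser shows it does nothing for confidentiality; that is the job of the separate encryption feature set the reply describes.

```python
import struct

# Added example: minimal GRE-in-IPv4 builder and parser showing that the inner
# packet is readable on the wire. All addresses and payload bytes are constructed.

GRE_FLAG_CHECKSUM = 0x8000   # bit C (RFC 2784)
GRE_FLAG_KEY = 0x2000        # bit K (RFC 2890)
GRE_FLAG_SEQ = 0x1000        # bit S (RFC 2890)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an even-length IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header (no options) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0x1234, 0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_gre(payload: bytes, key=None) -> bytes:
    """GRE version 0 header carrying IPv4, with an optional 32-bit key field."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def parse_ipv4(data: bytes) -> dict:
    """Return src, dst, protocol and payload of an IPv4 packet, with bounds checks."""
    if len(data) < 20:
        raise ValueError("IPv4 header truncated")
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(data):
        raise ValueError("malformed IPv4 header")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "payload": data[ihl:total_len]}


def parse_gre(data: bytes) -> dict:
    """Parse a GRE version 0 header; every optional field is read only if present."""
    if len(data) < 4:
        raise ValueError("GRE header truncated")
    flags_ver, proto = struct.unpack("!HH", data[:4])
    if flags_ver & 0x7:
        raise ValueError("only GRE version 0 is handled here")
    offset = 4

    def take(n: int) -> bytes:
        nonlocal offset
        if offset + n > len(data):
            raise ValueError("GRE optional fields truncated")
        chunk = data[offset:offset + n]
        offset += n
        return chunk

    hdr = {"proto": proto, "checksum": None, "key": None, "seq": None}
    if flags_ver & GRE_FLAG_CHECKSUM:
        hdr["checksum"] = struct.unpack("!H", take(4)[:2])[0]  # checksum + reserved1
    if flags_ver & GRE_FLAG_KEY:
        hdr["key"] = struct.unpack("!I", take(4))[0]
    if flags_ver & GRE_FLAG_SEQ:
        hdr["seq"] = struct.unpack("!I", take(4))[0]
    hdr["payload"] = data[offset:]
    return hdr


def unwrap_tunnel(outer: bytes) -> dict:
    """Strip outer IP and GRE headers: exactly what an observer on the path sees."""
    outer_ip = parse_ipv4(outer)
    if outer_ip["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE-in-IP packet")
    gre = parse_gre(outer_ip["payload"])
    if gre["proto"] != ETHERTYPE_IPV4:
        raise ValueError("inner protocol is not IPv4")
    inner_ip = parse_ipv4(gre["payload"])
    return {"outer": (outer_ip["src"], outer_ip["dst"]), "gre_key": gre["key"],
            "inner": (inner_ip["src"], inner_ip["dst"]),
            "inner_payload": inner_ip["payload"]}


def demo() -> dict:
    # Constructed sample: private inner flow carrying a cleartext login, tunnelled
    # between two hypothetical endpoints in the TEST-NET ranges.
    inner = build_ipv4("10.1.1.5", "10.2.2.7", 6, b"USER alice\r\nPASS s3cret\r\n")
    outer = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE, build_gre(inner, key=0x2A))
    return unwrap_tunnel(outer)


if __name__ == "__main__":
    seen = demo()
    print("tunnel endpoints:", seen["outer"], "GRE key:", seen["gre_key"])
    print("inner flow:", seen["inner"])
    print("inner bytes, readable without any key:", seen["inner_payload"])
```

Running the block prints the inner addresses and the login bytes straight out of the tunnel. The `take` helper in `parse_gre` is there because GRE's optional fields are flag-driven; a parser that trusts the flags without checking remaining length is the kind of thing that falls over on a short packet.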
Current thread:
- Cisco Firewall IOS question Chris Hughes (Oct 05)
- Re: Cisco Firewall IOS question Leonard Miyata (Oct 05)
- <Possible follow-ups>
- Re: Cisco Firewall IOS question Ryan Russell (Oct 06)
- RE: Cisco Firewall IOS question James D. Wilson (Oct 07)
- RE: Cisco Firewall IOS question Ryan Russell (Oct 07)
- RE: Cisco Firewall IOS question Eric Vyncke (Oct 09)
- Re: Cisco Firewall IOS question Steve Bellovin (Oct 13)