Firewall Wizards mailing list archives

Re: Cisco Firewall IOS question


From: "Ryan Russell" <ryanr () sybase com>
Date: Tue, 6 Oct 1998 00:23:54 -0700


Well, to answer your questions.... no, no, no, and uh.. no.

The firewall feature set (I think) doesn't include an encryption
functionality.  Also, it's mutually exclusive with the IOS package that
DOES include encryption.  IOS isn't modular at this point, and if Cisco
doesn't package all the features you need into one binary, you're screwed.

Some of this gets better with IOS 12.  Some of what I mention
as "future" below is available in 11.3T betas.

Here's what you CAN do (and this part I'm sure about,
because I've done it.)

All current versions of IOS include GRE tunnelling capabilities.  Get
an IOS that includes encryption (56-bit DES is the best available
at present.)  With a combination of GRE tunneling, encryption, and
access-lists, you can build a serviceable VPN.  I'm aware that 56-bit
isn't enough, but hey, that's what you get right now.

In the future, starting with IOS 12, you'll be able to get an IPSec
version of the IOS that will likely include realistic bit-lengths
for the crypto.  It also gives you a choice for tunneling (other
than GRE.)  I'm hoping that it improves the process of making
a Cisco router-based VPN, as it's a bitch right now.

Also, for the first time, you'll be able to securely admin your
router (yay!) with IPSec.  I think you may even get SSH to use so
you're not stuck with telnet.

I've also run into some nasty bugs doing the above.  If you're
heading down that path, mail me and I might be able to save
you a couple of headaches.

                    Ryan

P.S.  For folks interested, I haven't really done a real crypto
analysis of the protocols used.. I'm not really capable of it
at this point.  But, here's a few bits that I've gleaned:  Uses
Diffie-Hellman for initial key exchange, manuals state to verify
keys via phone or some other trusted channel... good advice.
DES session keys are exchanged using the public-private
keys exchanged with DH.  Key exchange seems to be done
with ICMP.  Encrypts after the IP header.  Session key lifetimes
are configurable.
Cisco claims that its firewall IOS can provide secure data transfer over
public lines (such as the Internet) using any of the following protocols:

- Generic Routing Encapsulation (GRE) Tunneling

- Layer 2 Forwarding (L2F)

- Layer 2 Tunneling Protocol (L2TP)

- Quality of Service (QoS) controls: prioritize applications and allocate
network resources to ensure delivery of mission-critical application
traffic

Do any of these protocols actually encrypt the data??  Seems to me that the
answer is no, but I'm not sure...

Also, Cisco claims that their network-layer encryption capability prevents
eavesdropping or tampering with data across the network during transmission.
Does anyone know what type of encryption they use?  Could this be utilized
in tandem with the aforementioned protocols to achieve security for VPN over
the internet?

Comments welcome....
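To make concrete why a tunneling protocol such as GRE on its own gives no confidentiality (the point both messages above turn on), here is an added example that is not part of the thread and not Cisco code: it builds a plain GRE-in-IPv4 encapsulation (RFC 1701 header, no flags) around a constructed inner packet and shows that the inner application bytes ride through the tunnel verbatim, which is exactly what the separate encryption feature set has to fix.

```python
import struct

GRE_PROTO = 47          # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800 # GRE protocol-type field for an IPv4 payload


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap an IPv4 packet in a basic GRE header and an outer IPv4 header,
    the way a GRE tunnel interface does. Nothing here transforms `inner`."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # C/R/K/S flags all zero
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, 4 + len(inner))
    return outer + gre_hdr + inner


def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IPv4 and GRE headers; return the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]


# Constructed sample traffic: a private-address TCP packet carrying a short
# application message, tunnelled between two (made-up) public router addresses.
APP_DATA = b"GET /payroll HTTP/1.0\r\n"
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 6, len(APP_DATA)) + APP_DATA
TUNNELLED = gre_encapsulate(INNER, "192.0.2.1", "198.51.100.7")


def payload_visible_on_wire(packet: bytes, marker: bytes) -> bool:
    """True if an observer of the tunnelled bytes can read `marker` directly."""
    return marker in packet
```

Adding the encryption feature set changes the answer to payload_visible_on_wire() to False for the inner bytes, which is the whole difference between "tunnelled" and "protected".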