CISCO Packet Level Encryption with Remote Management

Product type: Network and Network Related Devices and Systems
Product Status: Archived
Assurance Level: E1

Version: Cisco IOS 11.2(16), 11.2(16)P, 11.2(21), 11.2(21)P, 11.3(6), 11.3(6)AA1, 11.3(6)T, 11.3(6)T1, 11.3(11a), 11.3(11a)T1, 12.0(8), 12.0(7)T & VIP Encryption Port Adapter

Product Details

Product Description

Certificate Details: 97/02, October 1997 (Extended March 1999)
Certification Method: ITSEC
Evaluation Facility: CSC
Manufacturer/Vendor/Distributor: Cisco Systems

Network data encryption and router authentication together provide a means to safeguard network data that travels from one Cisco router to another across unsecured networks. Network data encryption is provided at the IP packet level. IP packet encryption prevents eavesdroppers from reading the data that is being transmitted. When IP packet encapsulation is used, the IP packets themselves remain visible during transmission, but the IP packet contents (payload) cannot be read. Specifically, the IP header and upper-layer protocol (TCP or UDP) headers are not encrypted, but all payload data within the TCP or UDP packet is encrypted and therefore not readable in transit.

Cisco IOS has a flexible network-level encryption solution that encrypts traffic between specified pairs of networks, subnets, hosts, or IP protocols. Cisco uses public key cryptography to authenticate each router participating in an encrypted connection and to exchange encrypted session keys. DES (56-bit) encryption is used for high-performance bulk encryption of the actual network data. The routers negotiate their connection using Diffie-Hellman key exchange, thus protecting sensitive keys while they transit the public network. Cisco's encryption solution provides high-bandwidth confidentiality with assurance that the encrypted traffic originates from the correct location and is not being injected midstream by an interloper.
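The two paragraphs above describe the packet-level boundary (IP and TCP/UDP headers in the clear, payload encrypted) and the key negotiation (Diffie-Hellman agreement, then a bulk session cipher). The following Python script is an added illustration of that model and is not Cisco's code; it does not reproduce the product's packet format or key-derivation procedure, which the page does not describe. The Diffie-Hellman group is the 1024-bit MODP group 2 from RFC 2409; the SHA-256 key derivation and the HMAC-based counter-mode keystream are labelled stand-ins for the product's unspecified KDF and its DES bulk cipher; the sample addresses, ports and payload are constructed.

```python
"""Payload-only encryption of an IPv4/TCP packet with a Diffie-Hellman session key,
and what a passive observer on the wire can and cannot recover.
Added illustration, not Cisco IOS code."""
import hashlib
import hmac
import secrets
import socket
import struct

# RFC 2409 group 2 (1024-bit MODP) prime and generator.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_G = 2

HEADER_LEN = 40  # 20-byte IPv4 header + 20-byte TCP header, no options


def dh_keypair():
    """Private exponent stays on the router; only the public value crosses the network."""
    priv = secrets.randbelow(DH_P - 2) + 1
    return priv, pow(DH_G, priv, DH_P)


def dh_session_key(priv, peer_pub):
    """Both sides compute the same shared secret; the KDF here is an assumed stand-in."""
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()[:8]  # 8-byte key, DES-sized


def keystream(key, nonce, length):
    """Stand-in for the DES bulk cipher: HMAC-SHA256 run in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def ip_checksum(header):
    """RFC 791 one's-complement checksum over a 20-byte header whose checksum field is zero."""
    total = sum(struct.unpack(">10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, sport, dport, payload):
    """Constructed IPv4/TCP packet (PSH|ACK, TCP checksum left at zero for brevity)."""
    tcp = struct.pack(">HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack(">H", ip_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def protect_payload(packet, key):
    """Encrypt (or, being symmetric, decrypt) only the bytes after the TCP header.
    Headers are untouched, so the packet still routes and the observer still sees them."""
    headers, payload = packet[:HEADER_LEN], packet[HEADER_LEN:]
    # Nonce = src, dst, ports and TCP sequence number, so keystream is not reused
    # across packets of one flow (a constructed choice for this illustration).
    nonce = headers[12:28]
    ks = keystream(key, nonce, len(payload))
    return headers + bytes(a ^ b for a, b in zip(payload, ks))


def observer_view(packet):
    """What a passive eavesdropper recovers from the wire bytes without the key."""
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport = struct.unpack(">HH", packet[20:24])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": packet[HEADER_LEN:]}


def demo():
    """Two routers agree a key, one encrypts a packet, an observer and the peer inspect it."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_session_key(a_priv, b_pub)
    key_b = dh_session_key(b_priv, a_pub)
    assert key_a == key_b  # same session key on both routers
    plaintext = b"SELECT balance FROM accounts WHERE id = 42"  # constructed sample query
    packet = build_packet("10.1.1.1", "10.2.2.2", 40000, 1433, plaintext)
    on_wire = protect_payload(packet, key_a)
    seen = observer_view(on_wire)
    recovered = protect_payload(on_wire, key_b)[HEADER_LEN:]
    return seen, recovered, plaintext


if __name__ == "__main__":
    seen, recovered, plaintext = demo()
    print("observer sees:", seen["src"], "->", seen["dst"], seen["sport"], seen["dport"])
    print("payload readable by observer:", seen["payload"] == plaintext)
    print("peer recovered plaintext:", recovered == plaintext)
```

The point the script makes is the one the description states: an eavesdropper still learns which hosts and ports are talking and how much data flows between them, so packet-level encryption protects content but not traffic patterns; only the holder of the negotiated key recovers the payload.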

The encryption feature can be configured with a simple keyword extension to an IP access list. Network managers can specify each router that is permitted to raise an encrypted connection and, by origin and destination, the traffic that must be encrypted. For example, a manager can elect to encrypt all traffic between remote networks, all traffic between two financial offices, e-mail between administrative machines, or SQL database queries from a remote site to a central database server.

When implemented with Cisco's Generic Routing Encapsulation (GRE) tunnels, network-layer encryption can also be used to deploy multiprotocol encrypted virtual private networks (VPNs), integrating remote, trusted LANs and users. Such secure, multiprotocol tunnels make the Internet a viable replacement for many private corporate WANs or private backbones.

Secure remote management of Cisco Routers can be facilitated through the establishment of specific management VPNs and the use of SNMP.

Please Note: The Security Target and Certification Report for this product are currently unavailable. For further information please contact [email protected].