Features

License Required

Authentication, authorization, and accounting (AAA), NetFlow, Network-Based Application Recognition (NBAR), access control lists (ACLs), Cisco IOS Flexible Packet Matching (FPM), 802.1x, and Cisco IOS Network Foundation Protection

None (available in base image)

Standard IP Security (IPSec), Group Encrypted Transport VPN, Dynamic Multipoint VPN (DMVPN), Easy VPN and Enhanced Easy VPN, Virtual Tunnel Interface (VTI), Multi-Virtual Route Forwarding (VRF) Customer Edge (CE) (IPSec, firewall, and IPS), IPSec high availability, Cisco IOS Zone-Based Firewall, advanced application inspection and control, firewall for secure unified communications, VRF-aware firewall, firewall high availability, transparent firewall, Cisco IOS IPS, transparent IPS, VRF-aware IPS, secure provisioning and digital certificates, and Cisco IOS Certificate Server and Client

Security Technology Package License

Cisco IOS SSL VPN

Security Technology Package License + SSLVPN Feature License

Cisco IOS Content Filtering

Security Technology Package License + Content Filtering Subscription License

Cisco IOS IPS Subscription Service

Security Technology Package License +

IPS Service

Features

Description and Benefits

Secure Connectivity

Standard IPSec

IPSec standards supported include Digital Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES; 128, 192, and 256) for encryption; Rivest, Shamir, Aldeman (RSA) algorithm signatures and Diffie-Hellman for authentication; and Secure Hash Algorithm 1 (SHA-1) or Message Digest Algorithm 5 (MD5) hashing algorithms for data integrity.

Group Encrypted Transport VPN

Group Encrypted Transport VPN eliminates the need for compromise between network intelligence and data privacy in private WAN environments. Service providers can finally offer managed encryption without provisioning and management difficulties because Group Encrypted Transport VPN simplifies the provisioning and management of VPN. Group Encrypted Transport VPN defines a new category of VPN, one that does not use tunnels.

DMVPN

This Cisco innovation for site-to-site VPNs provides a scalable and flexible way to establish virtual full-meshed IPSec connectivity between multiple locations. DMVPN features advanced spoke-to-spoke capabilities that enhance the performance of latency-sensitive voice applications. For the traditional hub-and-spoke model, DMVPN significantly reduces deployment complexity.

Easy VPN and Enhanced Easy VPN

Providing advanced value-add to IPSec standards, these features ease administration and management of point-to-point VPNs by actively pushing new security policies from the central headend router to remote sites. Enhanced Easy VPN features integrate with dynamic VTI for maximum ease of use and advanced per-user and tunnel-specific capabilities.

Cisco IOS SSL VPN

Cisco IOS SSL VPN provides secure remote-user access to corporate resources over the public Internet using only a web browser and its native SSL encryption.

VTI

You can configure these virtual interfaces directly with IPSec. VTI greatly simplifies VPN configuration and design over alternatives such as encapsulating IPSec inside generic routing encapsulation (GRE). It allows for per-user attributes and tunnel-specific features, offering administrators greater flexibility to respond to granular requirements. Both static and dynamic VTI are supported.

Multi-VRF and Multiprotocol Label Switching (MPLS) secure contexts

This feature supports multiple independent contexts (addressing, routing, and interfaces) at the branch-office location for separation of departments, subsidiaries, or customers. All contexts can share a single uplink connection to the core (for example, IPSec VPN or Frame Relay or ATM), while still maintaining secure separation between them.

IPSec high availability

With options such as IPSec Stateful Failover and Hot Standby Router Protocol (HSRP) with Reverse Route Injection (RRI), Cisco VPNs support numerous features for deploying redundancy and load balancing.

Integrated Threat Control

Cisco IOS Firewall

Cisco IOS Firewall is an ideal single-device security and routing solution for protecting the WAN entry point into the network. Important features include zone-based policies; advanced application inspection and control for HTTP and email messages; firewall for secure unified communications; VRF-aware firewall, IPv6 support, and firewall high availability.

Cisco IOS IPS

Cisco IOS IPS offers an inline, deep-packet-inspection-based solution that works with Cisco IOS Software to effectively mitigate network attacks. It can drop traffic, send an alarm, or locally shun or reset the connection, helping the router respond immediately to security threats to protect the network. Important features include: inline function (can drop packets); ready-made "most-likely" signature file packages; Cisco Security Intelligence Operation (SIO) worldwide virus detection; customizable signatures; transparent IPS; and VRF-aware IPS.

Cisco IOS Content Filtering

Cisco IOS Content Filtering offers category-based productivity and security ratings for small and medium-sized businesses (SMBs) and midmarket companies. Content-aware security ratings protect against malware, malicious code, phishing attacks, and spyware. URL and keyword blocking help to ensure that employees are productive when accessing the Internet. This subscription-based hosted solution takes advantage of an in-the-cloud threat database, and is closely integrated with Cisco IOS Software.

NetFlow

NetFlow provides anomaly-based detection of DDoS attacks and supplies data that aids in tracing the attack source and reacting to the attack in real time.

NBAR

This deep inspection mechanism provides control over a wide variety of applications by recognizing and classifying them. When an application is classified, the network can then provide specific services for that application.

FPM

FPM uses flexible and granular Layer 2-7 pattern matching deep within the packet header or payload to provide a rapid first line of defense against network threats and notable worms and viruses.

Trust and Identity

PKI client (x.509 digital certificates)

Cisco IOS Software supports embedded PKI client functions that provide customers with a scalable and secure mechanism for distributing, managing, and revoking encryption and identity information. Advanced provisioning features provide powerful mechanisms to automate enrollment of new remote nodes into the network infrastructure with maximum security.

Cisco IOS certificate server

Cisco IOS Software includes an embedded scalable easy-to-manage certificate server, allowing the router to act as a certification authority on the network.

Standard 802.1x-based identity services

Standard 802.1x applications require valid access credentials that make unauthorized access to protected information resources and deployment of unsecured wireless access points more difficult.

AAA

AAA allows administrators to dynamically configure the type of authentication and authorization they want on a per-line (per-user) or per-service (for example, IP, Internetwork Packet Exchange [IPX], or virtual private dialup network [VPDN]) basis.

Cisco Network Foundation Protection

AutoSecure

AutoSecure offers a single command-line interface (CLI) command that instantly configures the security posture of routers and disables nonessential system processes and services, thereby eliminating potential security threats.

Control Plane Policing and Protection

This feature protects the route processor from unnecessary or malicious levels of traffic, including DoS attacks.

CPU and memory thresholding notification

This feature triggers a syslog notification when a specified percentage of CPU resources for a given process exceeds or falls below a certain threshold for a configured time period.

Routing protection

This feature validates routing peers, enhances routing stability, and provides overload protection by using MD5 peer authentication and redistribution protection.

ACL protection

These features protect the router from malicious traffic by restricting the legitimate traffic that can be sent to the router destination address.

Secure access mode (silent mode)

Secure access mode suppresses response messages from the router control plane, limiting network reconnaissance information available to hackers.

Raw IP traffic export

This feature allows copies of inbound and outbound packets to efficiently capture packets with analysis or intrusion-detection-system (IDS) tools by sending them out a LAN interface.

Source-based Remote-Triggered Black Holing (RTBH) filtering

This feature provides wire-rate, real-time defense against DDoS attacks using a combination of IP routing features.

Unicast Reverse Path Forwarding (uRPF)

uRPF helps mitigate problems that are caused by the introduction of malformed or forged (spoofed) IP source addresses into a network by discarding IP packets that lack a verifiable IP source address.

Digital image signing

This feature provides SHA-512 hashing and RSA 2048-bit key encryption mechanisms to ensure the authenticity of all downloaded Cisco IOS Software images.

Cisco IOS Software login enhancements

These enhancements delay potential dictionary attacks and provide other methods of thwarting unwanted device access.

Role-based CLI access

This feature provides view-based access to CLI commands, allowing highly secure, logical separation of the router between network operations, security operations, and end users.

Secure Shell (SSH) Protocol Version 2

SSHv2 enhances previous versions of SSH for remote network management by concealing password length, making dictionary attacks more difficult. It resolves SSHv1 vulnerability to man-in-the-middle attacks during user authentication.

Simple Network Management Protocol (SNMP) Version 3

SNMPv3 provides secure, standards-based management and control of devices for customer applications.