© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 Controlling Network Boundaries.


Slide 2
- Current security architectures (such as site-to-site VPNs and tunnels) present scalability and management problems
- This presents significant challenges for customers when they are expanding (e.g. adding new branches to their network)
- The security landscape presents new challenges in terms of hackers, etc.
- The network of the future has to be secured by a new architecture that is not only secure but also scalable and resilient
- Examples of these new VPN architectures include GetVPN and FlexVPN

Slide 3
- Communications and IT infrastructures must be defended against attack and exploitation
- Attackers are persistent and well-funded
- Computing advances are driving a move to higher cryptographic strengths
- Future Ready: meets security and scalability requirements for 20 years
- Themes: Efficiency, Cybersecurity, Cost-Effective

Slide 4: Cisco has Industry-Leading VPN Solutions
- Flexible for site-to-site and remote-access VPNs
- Centralized Policy Management with AAA
- Latest IKEv2 Protocol
- 3rd Party Compatible
- Benefits: Maximizes security; Government compliance and privacy; Flexible management; Lowered CAPEX and OPEX; Simplified branch communications; Simplified Deployment; Improved business resiliency; Simplifies branch-to-branch instantaneous communications
- FlexVPN: Converged Site to Site and Remote Access; Public Internet Transport; Hub-Spoke, Spoke-Spoke
- DMVPN: Public Internet Transport; Hub-Spoke, Spoke-Spoke
- GETVPN: Private IP Transport; Any-to-Any Connectivity

Slide 5: Cryptographic Technologies
- New/Upgraded algorithms, key sizes, protocols and entropy
- Compatible with existing security architectures, e.g., GETVPN, DMVPN
- Secure and Efficient: algorithm efficiency enabling increased security; scales well to high/low throughput
- Compatible with Government Standards: Suite B (US), FIPS-140 (US/Canada), NATO

Slide 6

| Algorithm / Protocol | Risk |
|---|---|
| DH, RSA | Significant risk |
| MD5, SHA1 | Collision attacks |
| 3DES | 1GB encryption limit |
| HMAC-MD5 | Theoretical weaknesses |
| Entropy | Significant risk |
| TLS1.0, IKEv1 | Known flaws, lack of Authenticated Encryption |

Slide 7: Suite B

| Function | Algorithm / Standard |
|---|---|
| Key Establishment | ECDH-P256 |
| Digital Signatures | ECDSA-P256 |
| Hashing | SHA-256 |
| Authenticated Encryption | AES-128-GCM |
| Authentication | HMAC-SHA-256 |
| Entropy | SP |
| Protocols | TLSv1.2, IKEv2, SRTP |
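As an added illustration that is not part of the Cisco deck, the following Go program contrasts the 3DES row of slide 6 with the AES-128-GCM authenticated encryption of Suite B on slide 7: flipping a single ciphertext bit makes GCM's Open fail outright, while 3DES-CBC hands back corrupted plaintext with no error, so the receiver has no way to notice. The keys, IV and payload are constructed placeholders (assumptions for this example); in a real tunnel they come from the IKEv2 key exchange.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
)

// Constructed sample keys; real keys come from the IKEv2 / TLS 1.2 exchange.
var (
	gcmKey = []byte("0123456789abcdef")         // 16 bytes = AES-128
	desKey = []byte("0123456789abcdef01234567") // 24 bytes = 3DES
	desIV  = []byte("12345678")                 // one 8-byte 3DES block
)

// gcmRejectsTamper seals pt with AES-128-GCM (tag binds ciphertext and aad),
// flips one ciphertext bit and reports whether Open rejects the packet.
func gcmRejectsTamper(pt, aad []byte) bool {
	block, _ := aes.NewCipher(gcmKey)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // a nonce must never repeat under the same key
	ct := gcm.Seal(nil, nonce, pt, aad)
	ct[3] ^= 0x01 // simulated on-path modification
	_, err := gcm.Open(nil, nonce, ct, aad)
	return err != nil // true: the tag no longer verifies
}

// desCorruptsSilently encrypts pt with 3DES-CBC (whole 8-byte blocks only),
// flips one ciphertext bit and decrypts: no error, just wrong plaintext.
func desCorruptsSilently(pt []byte) bool {
	block, _ := des.NewTripleDESCipher(desKey)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, desIV).CryptBlocks(ct, pt)
	ct[3] ^= 0x01 // same simulated modification
	dec := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, desIV).CryptBlocks(dec, ct)
	return !bytes.Equal(dec, pt) // true: corrupted data, nothing flagged
}
```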

Slide 8: Performance and Scalability
- Segments: WAN/Campus Edge, Branch Office, SOHO, Internet Edge
- ASR 1006/1013 (40 Gbps, 200K cps)
- ASR 1002/1004 (10-40 Gbps, 200K cps)
- ISR 2900/3900, ASR 1001 (up to 2.5 Gbps, 100K cps)
- ISR 8xx/1900
- ISR / ASR Secure Routers: VPN, Zone Based Firewall, Integrated Threat Defense; Secure WAN Aggregation; Integrated Threat Control; Application Intelligence, Control, & Routing

Slide 9: VPN Interop
- Feature columns: Dynamic Routing, IPsec Routing, Spoke-Spoke Direct (shortcut), Remote Access, Simple Failover, Source Failover, Config. Push, Per-Peer Config, Per-Peer QoS, Full AAA Management
- Row values as extracted: Easy VPN: NO, YES, NO, YES, NO, YES; DMVPN: NO, YES, NO, YES, NO, SOME, NO; GROUP: NO; Crypto Map: YES, NO, YES, NO, YES, POOR, NO; FLEX VPN: YES
- FlexVPN unifies all overlay VPNs under a single umbrella
- Simplifies deployment and configuration
- Simplifies positioning
- Phase 1 shipping Nov '11

Slide 10

| | DMVPN | FlexVPN | GET VPN |
|---|---|---|---|
| Network Style | Large Scale Hub and Spoke | Converged Site to Site and Remote Access | Any-to-Any (Site-to-Site) |
| Failover Redundancy | A/A based on Dynamic Routing | Dyn Routing or IKEv2 Route Distribution; Server Clustering; Stateful Failover* | Transport Routing; COOP based on GDOI |
| 3rd Party Compatibility | No | Yes, up to 3rd party implementation | No |
| IP Multicast | Multicast replication at hub | Multicast replication in IP WAN network* | Multicast replication in IP WAN network |
| QoS | Per Tunnel QoS, Hub to Spoke | Per SA QoS, Hub to Spoke; Per SA QoS, Spoke to Spoke* | Transport QoS |
| Policy Control | Locally Managed | AAA Integrated | Locally Managed |
| Technology | Tunneled VPN; Multi-Point GRE Tunnel; IKEv1 and IKEv2 | Tunneled VPN; Point to Point Tunnels; IKEv2 Only | Tunnel-less VPN; Group Protection; G-IKEv2* |
| Infrastructure Network | Public or Private Transport; Overlay Routing | Public or Private Transport; Overlay Routing | Private IP Transport; Flat/Non-Overlay IP Routing |

* Roadmap Item

Slide 11: Thank you.

