This chapter briefly describes the following security features and how they relate to each other:
Cisco Encryption Technology (CET) is a proprietary security solution introduced in Cisco IOS Release 11.2. It provides network data encryption at the IP packet level and implements the following standards:
For more information regarding CET, refer to the chapter "Configuring Cisco Encryption Technology."
IPSec is a framework of open standards developed by the Internet Engineering Task Force (IETF) that provides security for transmission of sensitive information over unprotected networks such as the Internet. It acts at the network level and implements the following standards:
IPSec services are similar to those provided by CET. However, IPSec provides a more robust security solution and is standards-based. IPSec also provides data authentication and anti-replay services in addition to data confidentiality services, while CET provides only data confidentiality services.
For more information regarding IPSec, refer to the chapter "Configuring IPSec Network Security."
IPSec shares the same benefits as CET: both technologies protect sensitive data that travels across unprotected networks, and, like CET, IPSec security services are provided at the network layer, so you do not have to configure individual workstations, PCs, or applications. This benefit can provide a great cost savings. Instead of deploying and coordinating security on a per-application, per-computer basis, you can simply change the network infrastructure to provide the needed security services.
IPSec also provides the following additional benefits not present in CET:
These and other differences between IPSec and CET are described in the following sections.
Should you implement CET or IPSec network security in your network? The answer depends on your requirements.
If you require only Cisco router-to-Cisco router encryption, then you could run CET, which is a more mature, higher-speed solution.
If you require a standards-based solution that provides multivendor interoperability or remote client connections, then you should implement IPSec. Also, if you want to implement data authentication with or without privacy (encryption), then IPSec is the right choice.
If you want, you can configure both CET and IPSec simultaneously in your network, even simultaneously on the same device. A Cisco device can simultaneously have CET secure sessions and IPSec secure sessions, with multiple peers.
Table 20 compares Cisco Encryption Technology to IPSec.
|Feature|Cisco Encryption Technology|IPSec|
|---|---|---|
| |Cisco IOS Release 11.2 and later|Cisco IOS Release 11.3(3)T and later|
| |Cisco router to Cisco router|All IPSec compliant implementations|
|Remote Access Solution| |Client encryption will be available|
| |Manual between each peer at installation|IKE uses digital certificates as a type of "digital ID card" (when Certification Authority support is configured); also supports manually-configured authentication shared secrets and manually-configured public keys|
| | |X509.V3 support; will support public key infrastructure standard when the standard is completed|
| |Selected IP traffic is encrypted, based on extended access lists you define|Selected IP traffic is encrypted and/or authenticated, based on extended access lists; additionally, different traffic can be protected with different keys or different algorithms|
| |Encryption Service Adapter (ESA) for the Cisco 7200/7500|Support planned for later|
| | |Tunnel mode adds a new IP and IPSec header to the packet; transport mode adds a new IPSec header|
|Scope of Encryption|IP and ULP headers remain in the clear|In tunnel mode, both the IP and ULP headers are encrypted; in transport mode, IP headers remain in the clear but ULP headers are encrypted. (In tunnel mode, the inner IP header is also encrypted.)|
|Data authentication with or without encryption| |Can configure data authentication and encryption to both occur, or can use AH header to provide data authentication without encryption|
|Internet Key Exchange (IKE) support| | |
| |Concurrent redundant Cisco Encryption Technology peers not supported| |
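The packet-expansion and scope-of-encryption rows above describe what each IPSec mode adds to a packet and what stays readable on the wire. The following added example (not from this Cisco document) models ESP transport and tunnel encapsulation of an IPv4 packet with a placeholder cipher, so the cleartext and encrypted portions can be inspected. The host and gateway addresses, the SPI, and an 8-byte ESP header without trailer or ICV are assumptions.

```python
import socket
import struct

ESP_PROTO = 50      # IP protocol number for ESP
IP_HDR_LEN = 20     # minimal IPv4 header, no options

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (TTL 64, checksum left 0; enough to show layout)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len,
                       0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def esp_header(spi: int, seq: int) -> bytes:
    """ESP header: 32-bit SPI then 32-bit sequence number (trailer/ICV omitted)."""
    return struct.pack("!II", spi, seq)

def encrypt_placeholder(data: bytes) -> bytes:
    """Stand-in for the cipher so byte layout can be inspected; not real crypto."""
    return bytes(b ^ 0xFF for b in data)

def esp_transport(src, dst, ulp_proto, ulp, spi, seq):
    """Transport mode: original IP header stays in the clear, only the ULP is hidden.
    (ulp_proto would be carried in the ESP trailer's Next Header field, omitted here.)"""
    esp = esp_header(spi, seq)
    enc = encrypt_placeholder(ulp)
    hdr = ipv4_header(src, dst, ESP_PROTO, len(esp) + len(enc))
    return {"clear": hdr + esp, "encrypted": enc, "added_bytes": len(esp)}

def esp_tunnel(src, dst, ulp_proto, ulp, spi, seq, gw_src, gw_dst):
    """Tunnel mode: the whole inner packet (IP + ULP headers) is encrypted
    behind a new outer IP header addressed between the gateways."""
    inner = ipv4_header(src, dst, ulp_proto, len(ulp)) + ulp
    esp = esp_header(spi, seq)
    enc = encrypt_placeholder(inner)
    outer = ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp) + len(enc))
    return {"clear": outer + esp, "encrypted": enc,
            "added_bytes": IP_HDR_LEN + len(esp)}

def visible_endpoints(clear: bytes) -> tuple:
    """What an observer on the unprotected network reads from the cleartext header."""
    return (socket.inet_ntoa(clear[12:16]), socket.inet_ntoa(clear[16:20]), clear[9])

# Constructed sample: a 12-byte UDP-like ULP (protocol 17) between two made-up hosts,
# protected by made-up gateways 192.0.2.1 and 198.51.100.1 in tunnel mode.
SAMPLE_ULP = bytes(range(12))
TRANSPORT = esp_transport("10.1.1.5", "10.2.2.7", 17, SAMPLE_ULP, 0x1000, 1)
TUNNEL = esp_tunnel("10.1.1.5", "10.2.2.7", 17, SAMPLE_ULP, 0x1000, 1,
                    "192.0.2.1", "198.51.100.1")
```

In transport mode the observer still sees the real host addresses; in tunnel mode only the gateway addresses and the ESP protocol number are visible, at the cost of 20 extra header bytes.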
IPSec packet processing is slower than Cisco Encryption Technology packet processing for these reasons:
You can use Cisco Encryption Technology and IPSec together; the two encryption technologies can coexist in your network. Each router may support concurrent encryption links using either IPSec or Cisco Encryption Technology. A single interface can even support the use of IPSec or CET for protecting different data flows.
The Internet Key Exchange (IKE) security protocol is a key management protocol standard that is used in conjunction with the IPSec standard. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard.
For more information regarding IKE, refer to the chapter "Configuring Internet Key Exchange Security Protocol."
Certification Authority (CA) interoperability is provided in support of the IPSec standard. It permits Cisco IOS devices and CAs to communicate so that your Cisco IOS device can obtain and use digital certificates from the CA. Although IPSec can be implemented in your network without the use of a CA, using a CA provides manageability and scalability for IPSec.
For more information regarding CA interoperability, refer to the chapter "Configuring Certification Authority Interoperability."