
Network World

Jamey Heary

New Security Features in Cisco IOS 15.0

15.0 Works on ISR and ISR G2 Platforms

By jheary on Sun, 11/01/09 - 9:50pm.

Cisco's newly released ISR G2 routers ship with IOS version 15.0, which brings a new set of software features. I will focus on the new security features found in the IOS 15.0 security feature set. Note that IOS 15.0 also runs on the older ISR models, not just the new ISR G2 platforms. What follows is a straightforward list with a description of each new feature.

  • IOS IPS Lightweight Signatures – Cisco has developed significantly more efficient signature definitions, called lightweight signatures, to replace many existing signatures. The new signature format lowers storage and memory consumption, allowing you to load even more signatures onto your Cisco IOS device.
  • AAA authorization and authentication caching – This long-awaited feature lets the router cache AAA user information. When an application triggers repeated authorization requests, the requests no longer have to travel back to the AAA server; they are answered from the cache on the router. This is useful for TACACS+ command authorization, authentication proxy and 802.1X. If communication with the AAA server is lost, the router uses the previously cached AAA information to keep things running. Bear in mind that a cached entry is only as fresh as its lifetime: a user whose rights were revoked on the AAA server keeps the cached result until the entry expires, so choose cache lifetimes with that in mind.
  • Digitally signed code – Cisco IOS images and ROMMON code for the ISR G2 platforms are now digitally signed, and the signed images can be downloaded from Cisco.com. This lets you verify the integrity and origin of your IOS image and ROMMON before you trust them. A new CLI command, show software authenticity running, checks the signature of the image currently running; its sibling show software authenticity file checks an image sitting in flash before you boot it, and show software authenticity keys lists the public keys the router trusts. This feature is intended to let Cisco IOS meet the FIPS 140-3 standard, which the author expected in 2011. It is available only on the ISR G2 platforms. Signed IOS images carry a three-letter tag such as .SPA or .SSA in the filename (for example c3900-universalk9-mz.SPA.<release>.bin): the first S means signed; the second letter is P for a production image or S for an engineering special release; the third letter (A for the first) identifies the version of the key used to sign the image.
  • DMVPN Tunnel Health Monitoring and Recovery feature – Several new SNMP trap alerts have been added to help better monitor the DMVPN tunnel state. They are:

    • A spoke perceives that a hub has gone down. This can occur even if the spoke was not previously registered with the hub.
    • A spoke successfully registers with a hub.
    • A hub perceives that a spoke has gone down.
    • A hub perceives that a spoke has come up.
    • A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has gone down. For example, a spoke-to-spoke tunnel goes down.
    • A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has come up. For example, a spoke-to-spoke tunnel comes up.
    • The rate limit set for NHRP packets on the interface is exceeded.
  • Another nifty new feature is the ability of DMVPN to control the up/down state of its tunnel interface. NHRP (Next Hop Resolution Protocol) can bring the mGRE tunnel interface's line protocol down when it cannot reach any of its next-hop servers, and bring it back up as soon as any one of them responds.

    When the NHRP changes the interface state, other Cisco IOS services can react to the state change, for example:
    • If the interface status changes, the generic routing encapsulation (GRE) interface generates IF-MIB and general notifications (traps) that report a LinkUp or LinkDown message. The system uses these traps to monitor the DMVPN tunnel health.
    • If the interface state changes to down, the Cisco IOS backup interface feature can be initiated to allow the system to use another interface to provide an alternative path to the failed primary path.
    • If the interface state changes to down, the system generates an update that is sent to all dynamic routing protocols. This provides a failover mechanism for dynamic routing when the mGRE interface is down.
    • If the interface state changes to down, the system clears any static routes that use the GRE interface as the next hop. This provides a failover mechanism for routing when the GRE interface is down.
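The following Cisco IOS configuration is an added example, not from the article: it enables the NHRP traps listed above and lets NHRP control the tunnel interface state on a DMVPN spoke. The addresses, interface names, NHRP key, SNMP community and the IPsec profile name DMVPN-PROFILE are assumptions (the profile is assumed to be defined elsewhere).

```text
! Added example, not from the article. Addresses, names and keys are assumptions.
!
! Send NHRP health traps (hub/spoke up/down, peer up/down, rate limit exceeded)
! and the interface LinkUp/LinkDown traps to the management station
snmp-server host 192.0.2.10 version 2c NMS-COMMUNITY
snmp-server enable traps nhrp
snmp-server enable traps snmp linkup linkdown
!
interface Tunnel0
 description DMVPN spoke, mGRE to hub at 203.0.113.1
 ip address 10.255.0.2 255.255.255.0
 ip nhrp authentication DMVPNKEY
 ip nhrp network-id 1
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.255.0.1
 ! NHRP packet rate limit; exceeding it raises the quota-exceeded trap
 ip nhrp max-send 100 every 10
 ! Let NHRP drive the line protocol: down while no NHS answers, up when one does
 if-state nhrp
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 ! IPsec profile assumed to be defined elsewhere
 tunnel protection ipsec profile DMVPN-PROFILE
!
! Static route through the tunnel; it is withdrawn when NHRP marks Tunnel0 down
ip route 10.10.0.0 255.255.0.0 Tunnel0 10.255.0.1
```

With if-state nhrp configured, Tunnel0's line protocol goes down when 10.255.0.1 stops answering NHRP registrations, the static route through Tunnel0 is withdrawn and the interface's LinkDown trap is sent, so a management station sees the outage without polling NHRP state. Keep the NHRP rate limit (ip nhrp max-send) above the registration and resolution load you expect, otherwise the quota-exceeded trap fires under normal operation and stops being a useful signal.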

  • FPM Enhancements – Flexible Packet Matching in IOS lets you create stateless layer 7 deep packet inspection rules. A rule then acts much like a typical ACL entry in that it can drop traffic, mark traffic, and so on. 15.0 brings encrypted traffic classification definition files (eTCDF) to IOS. A TCDF file or package contains XML that defines the FPM rule criteria and regex matching. eTCDF lets Cisco distribute classification files that protect against newly announced PSIRT vulnerabilities without disclosing the matching criteria; with plaintext TCDFs this was not practical, because the file would hand attackers too much detail about how to trigger the vulnerability.

    FPM now also supports searching for patterns up to 256 bytes long anywhere within the entire packet, and the number of filters that can be configured per class map has increased from 8 to 32.
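As an added example (not from the article, and not a Cisco-supplied signature), the following Cisco IOS configuration builds an FPM policy that drops TCP packets to port 80 carrying a placeholder byte pattern anywhere in the first 256 bytes from the start of the IP header. The pattern EVIL-PATTERN, the interface name and the class and policy names are assumptions.

```text
! Added example, not from the article and not a Cisco-supplied signature.
! Interface name, class/policy names and the byte pattern are assumptions.
!
! Protocol header definition files shipped with IOS, used to name fields below
load protocol system:fpm/phdf/ip.phdf
load protocol system:fpm/phdf/tcp.phdf
!
! Stack class: TCP carried over IPv4
class-map type stack match-all ip-tcp
 description TCP over IPv4
 match field ip protocol eq 0x6 next tcp
!
! Access-control class: stateless match on one packet's bytes
class-map type access-control match-all evil-http-payload
 description placeholder pattern anywhere in the first 256 bytes from the IP header
 match field tcp dest-port eq 80
 match start l3-start offset 0 size 256 regex ".*EVIL-PATTERN.*"
!
policy-map type access-control fpm-tcp-policy
 class evil-http-payload
  drop
!
policy-map type access-control fpm-policy
 class ip-tcp
  service-policy fpm-tcp-policy
!
interface GigabitEthernet0/0
 service-policy type access-control input fpm-policy
```

Because FPM is stateless and per-packet, the regex sees one packet at a time: a pattern split across two TCP segments, or one that starts beyond byte 256 of the IP packet, is not matched. Use FPM for quick, exact-byte blocking of a known packet shape and leave stateful detection to IOS IPS or the zone-based firewall.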

  • Using Performance Routing to Control EIGRP Routes with mGRE DMVPN Hub-and-Spoke Support
  • PKI High-availability support – This lets you configure a standby IOS certificate authority (CA) server. Certificate state is tracked between the IOS CA servers so that failover is seamless. The following are synchronized automatically between the failover pair:

    • Revoke commands, pushed to the standby certificate server
    • Serial-number updates, sent as new certificates are issued
    • Certificate-server configuration
    • Pending requests
    • Grant and reject commands
    • Trustpoint configuration
    • For box-to-box high availability, which has no native configuration synchronization, a basic configuration-synchronization mechanism is layered over the redundancy facility.
  • Intra-zone FW inspection for ZBFW – Allows access control between hosts in the same zone when they sit on different networks within that zone. Previously only zone-to-zone access control was possible. This should mean fewer zones and a simpler configuration.
  • Out-of-Order packet processing support – Before 15.0, any TCP segment that reached the IOS firewall out of order was dropped and the endpoint was forced to retransmit it. With 15.0, the zone-based IOS firewall can buffer and reorder out-of-order segments before inspecting them, cutting down on retransmits.
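To show the intra-zone inspection and the out-of-order tuning in one place, here is an added Cisco IOS configuration example (not from the article). The zone and interface names, the two subnets and the parameter values are assumptions; the reassembly values are illustrative and should be checked against the ranges your release accepts.

```text
! Added example, not from the article. Names, subnets and values are assumptions.
!
! Out-of-order TCP segment handling (global). Values are illustrative; check the
! accepted ranges on your release with "?" before applying.
parameter-map type ooo global
 tcp reassembly queue length 32
 tcp reassembly memory limit 1024
 tcp reassembly timeout 5
 tcp reassembly alarm on
!
! Two subnets that both belong to the single zone "inside"
ip access-list extended USERS-TO-SERVERS-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
class-map type inspect match-all USERS-TO-SERVERS
 match access-group name USERS-TO-SERVERS-ACL
 match protocol http
!
policy-map type inspect INSIDE-TO-INSIDE
 class type inspect USERS-TO-SERVERS
  inspect
 class class-default
  drop
!
zone security inside
!
interface GigabitEthernet0/0
 description users 10.1.0.0/16
 ip address 10.1.0.1 255.255.0.0
 zone-member security inside
!
interface GigabitEthernet0/1
 description servers 10.2.0.0/16
 ip address 10.2.0.1 255.255.0.0
 zone-member security inside
!
! Intra-zone inspection: the same zone is both source and destination (new in 15.0)
zone-pair security in-to-in source inside destination inside
 service-policy type inspect INSIDE-TO-INSIDE
```

Until a zone-pair with the same source and destination zone exists, traffic between two interfaces in the same zone passes without inspection, as in earlier releases; the class-default drop above therefore tightens things, so add an inspect class for every intra-zone flow you need before applying it. The ooo parameter-map is global: its queue length and memory limit bound how much out-of-order data the firewall holds per session, which is also the resource an attacker could try to exhaust by sending deliberately disordered segments, so do not size them for the worst case blindly.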

Well, there you have it. Let me know if you have any questions or comments on the new security features.

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
