Skip Links

Network World

Jamey Heary

New Security Features in Cisco IOS 15.0

15.0 Works on ISR and ISR G2 Platforms

By jheary on Sun, 11/01/09 - 9:50pm.

Cisco's newly released ISR G2 routers come with a new update to their software features in IOS version 15.0. I will focus on describing some of the new security features that are found in the IOS 15.0 security feature set. It is important to note that IOS 15.0 will work on older ISR models as well as the new ISR G2 platforms. This is a straightforward list with a description of each new feature.

  • IOS IPS Lightweight Signatures – Cisco has developed significantly more efficient signature definitions, called lightweight signatures, to replace many existing signatures. This new signature format results in decreased memory storage and usage allowing you to load even more signatures onto your Cisco IOS device.
  • AAA authorization and Authentication caching – This long awaited feature allows the router to cache AAA user information. In the event that an application is triggering multiple authorization requests, the requests will no longer have to traverse back to the AAA server but rather will be done at the router instead. This is helpful for tacacs+ command authorization, proxy and 802.1x AAA. In the event of a loss of communication to the AAA server the router will use the previously cached AAA information to keep things running.
  • Digitally signed code – Cisco IOS code now supports digital signing. Digitally signed code can be downloaded from Cisco.com. This now allows you to verify the integrity and validity of your IOS images and your ROMMON code. A new cli command, show software authenticity running has been added to check the IOS signatures. This new feature will allow Cisco IOS to pass the FIPS 140-3 standard coming in 2011. This feature is only available on the ISR G2 platforms. Digitally signed IOS code will end in either a .SPA or .SSA postfix. S=signed, P=production code, S=engineering special release, A=a third character for the varient of the P or S code version.
  • DMVPN Tunnel Health Monitoring and Recovery feature – Several new SNMP trap alerts have been added to help better monitor the DMVPN tunnel state. They are:

    • A spoke perceives that a hub has gone down. This can occur even if the spoke was not previously registered with the hub.
    • A spoke successfully registers with a hub.
    • A hub perceives that a spoke has gone down.
    • A hub perceives that a spoke has come up.
    • A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has gone down. For example, a modeling spoke-to-spoke tunnel goes down.
    • A spoke or hub perceives that another NHRP peer, not related by an NHRP registration, has come up. For example, a modeling spoke-to-spoke tunnel comes up.
    • The rate limit set for NHRP packets on the interface is exceeded.
  • Another nifty new feature is the ability of DMVPN to control the up-down status of its physical interface. This allows NHRP (next-hop routing protocol) to down a physical interface if it cannot connect to any of its next-hop peers. Once any one of its peers comes alive it will then bring the interface up.

    When the NHRP changes the interface state, other Cisco IOS services can react to the state change, for example:
    • If the interface status changes, the generic routing and encapsulation (GRE) interface generates IF-MIB and general notifications (traps) that report a LinkUp or LinkDown message. The system uses these traps to monitor the DMVPN tunnel health.
    • If the interface state changes to down, the Cisco IOS backup interface feature can be initiated to allow the system to use another interface to provide an alternative path to the failed primary path.
    • If the interface state changes to down, the system generates an update that is sent to all dynamic routing protocols. This provides a failover mechanism for dynamic routing when the mGRE interface is down.
    • If the interface state changes to down, the system clears any static routes that use the GRE interface as the next hop. This provides a failover mechanism for routing when the GRE interface is down.

  • FPM Enhancements – Flexible Packet Matching in IOS allows you to create a stateless layer 7 deep packet inspection rule. This rule then acts much like a typical ACL rule does in that it can drop traffic, mark traffic, etc. 15.0 brings encrypted traffic classification definition files (eTCDF) to IOS. A TCDF file or package contains xml code defining the FPM rule(s) criteria and regex matching. eTCDF will allow Cisco to release eTCDF files for protection of new PSIRT vulnerabilities. Before encyrption this was not possible because it would give the attackers to much information on how to execute attacks on the new vulnerability.

    Also, FPM now supports searching for patterns up to 256 bytes long anywhere within the entire packet. Also, the number of filters that can be configured per class map has increased from 8 to 32.

    • Using Performance Routing to Control EIGRP Routes with mGRE DMVPN Hub-and-Spoke Support
    • PKI High-availability support – This allows you to configure a backup IOS Certificate authority PKI server. This support allows for certificate state tracking between IOS CA servers so a failover is seamless. The following items are automatically synchronized between the failover pair:

      • Synchronizing revoke commands with the standby certificate server
      • Sending serial-number commands when new certificates are issued
      • Certificate-server configuration
      • Pending requests
      • Grant and reject commands
      • For box-to-box high availability, which does not support configuration synchronization, a basic configuration synchronization mechanism is layered over a redundancy facility.
      • Trustpoint configuration synchronization support.
    • Intra-zone FW inspection for ZBFW – Allows for access control of users within the same zone but between different networks in the same zone. Before only zone to zone access control was possible. This should result in less zones needed and a simpler configuration.
    • Out-of-Order packet processing support – Before 15.0, any packet received out of order by the IOS FW was dropped and the application was forced to re-transmit it. With 15.0, the zone-based IOS FW will be able to re-assemble OoO packets, thereby cutting down on re-transmits.

    Well, there you have it. Let me know if you have any questions or comments on the new security features.

    The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

    More from Jamey Heary:
    * Credit Card Skimming: How thieves can steal your card info without you knowing it
    * Why you should always shred your boarding pass
    * Video rental records are afforded more privacy protections than your online data
    * The truth about new SSL attacks
    * 2009 Top Urban Legends in IT Security/a>

    Go to

    Jamey’s Blog for more articles on security.

    "IOS 15 More Secure" Misleading

    0
    By Anon (not verified) on Wed, 11/04/2009 - 9:52am.

    More security features doesn't necessarily make IOS more secure.

    Strange

    0
    By jheary on Wed, 11/04/2009 - 7:59pm.

    The article was highlighting new security features of IOS 15.0 and didn't speak about the inherent security of the operating system itself. Hopefully that clears it up. If not feel free to post again and I'll try to answer the best I can. You bring up a good topic though, I'll look into whether or not IOS 15.0 is in an of itself more secure than previous releases. Perhaps new secure coding methodologies were used, etc. I'll check on it.
    -Jamey

    ZBFW IPv6

    0
    By Roberto Taccon (not verified) on Wed, 11/04/2009 - 2:16pm.

    Any news about the support with ZBFW for IPv6 ?
    Is available with IOS 15.0 (or when will be) ?

    IPv6

    0
    By jheary on Wed, 11/04/2009 - 8:05pm.

    No support yet and unfortuntely I can't discuss roadmap stuff in a public forum. Ask your Cisco account team for info on this though. I can say that Cisco is completely committed to pervasive IPv6 support in all their products long term.
    -Jamey

    Thanks for the summary!

    0
    By Aaron Woland (not verified) on Fri, 11/06/2009 - 8:55am.

    Thanks Jamey,

    WRT the comment about security features not making the device secure...

    IOS is an Operating System. As with most Operating Systems, it provides the ability to run many different services. To properly secure pretty much any OS - you should plan to harden that OS.

    IOS is not an exception to the rule. There are guides on how to harden the IOS devices to make them as secure as any other secure OS on the market today. Things such as turning off unused services, locking down administrative access, enabling command authorization - the list goes on and on.

    One great thing about IOS is the amount of things you can do to make the device VERY secure and the level of security that it can provide.

    The real question is this: What have you (the Cisco administrator) done to harden the router that Cisco sold you, and what SHOULD you have done?

    Just my .02,

    -Aaron

    Cisco IOS device hardening

    0
    By turvas (not verified) on Wed, 11/18/2009 - 9:28am.

    to start hardening, I found nice structured doc at http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

    Great Article

    0
    By SHIPROUTE (not verified) on Wed, 11/18/2009 - 12:45pm.

    Thanks Jamey!

    Comment viewing options

    Select your preferred way to display the comments and click "Save settings" to activate your changes.

    Post new comment

    The content of this field is kept private and will not be shown publicly.
    • You can use BBCode tags in the text.
    • Lines and paragraphs break automatically.
    • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

    More information about formatting options

    CAPTCHA
    This question is for testing whether you are a human visitor and to prevent automated spam submissions.
    Welcome, visitor. Register Log in
    About Cisco Security Expert

    Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.

    Contact him.