Cisco Catalyst 4503-E Manual page 69
Catalyst 4500 series
Hide thumbs
Also See for Catalyst 4503-E:
- Brochure (2 pages) ,
- Configuration manual (612 pages) ,
- Installation manual (172 pages)
Table of Contents
Advertisement
Cisco Cat4K NDPP ST
EDCS-1228241
TOE SFRs
FCS_IPSEC_EXT.1
How the SFR is Met
methods.
The TOE implements IPsec to provide authentication and
encryption services to prevent unauthorized viewing or
modification of data as it travels over the external network. The
TOE implementation of the IPsec standard (in accordance with
the RFCs noted in the SFR) uses the Encapsulating Security
Payload (ESP) protocol to provide authentication, encryption and
anti-replay services.
IPsec Internet Key Exchange, also called ISAKMP, is the
negotiation protocol that lets two peers agree on how to build an
Security Association (
IPsec
implement Peer Authentication using the rDSA algorithm.
IKE separates negotiation into two phases: phase 1 and phase 2.
Phase 1 creates the first tunnel, which protects later ISAKMP
negotiation messages. The key negotiated in phase 1 enables IKE
peers to communicate securely in phase 2. During Phase 2 IKE
establishes the IPsec SA. IKE maintains a trusted channel,
referred to as a Security Association (SA), between IPsec peers
that is also used to manage IPsec connections, including:
The negotiation of mutually acceptable IPsec options
between peers,
The establishment of additional Security Associations to
protect packets flows using ESP, and
The agreement of secure bulk data encryption AES (128
and 256 bit) keys for use with ESP.
After the two peers agree upon a policy, the security parameters
of the policy are identified by an SA established at each peer, and
these IKE SAs apply to all subsequent IKE traffic during the
negotiation.
The TOE support IKEv1 session establishment. As part of this
support, the TOE can be configured to not support aggressive
mode for IKEv1 exchanges and to only use mainmodeusing the
'crypto isakmp aggressive-mode disable' command
for the evaluated configuration
The TOE can be configured to not allow "confidentiality only"
ESP mode by ensuring the IKE Policies configured include ESP-
encryption.
The TOE supports configuration lifetimes of both Phase 1 SAs
and Phase 2 SAs using "lifetime" command. The default time
value for Phase 1 SAs is 24 hours. The default time value for
Phase 2 SAs is 1 hour, but it is configurable to 8 hours.
The TOE also supports configuration of maximum traffic that is
69
The IKE protocols
SA).
as specified
.
11 March 2014
Hide quick links:
Advertisement
Table of Contents
