Cisco Blogs

Router Security: Ready for Primetime

February 28, 2012 - 1 Comment

I have a confession: I’m a technology late-adopter. On Rogers’ Innovation Adoption bell curve, I probably fall somewhere in the ‘late majority’ — I like the tried and true.

But with a few years and many advances, I’m back on Facebook (my short experience with it left me with privacy paranoia), and if you can believe it, I’m now an iPhone user. I appreciate not lugging around my iPod, and having a camera ready whenever I need it, but it’s not only the extra bells on the integrated device that have impressed me – it’s the realization that I don’t have to compromise functionality to have it all.

Another technology that has made a lot of strides since its entry into the market is integrated router security. In the past, adding security could severely impact the performance of your routers, or the security functionality was so trimmed down that it was hardly worth it. But innovations in routing have made integrated security a viable option, with significant opex benefits. So even if you’re a technology late adopter, it may be time to think about integrated router security. Here are three reasons why:

1. Cisco routers can be used for firewalling and DDoS attack protection, without compromising router performance. There are multiple ways to use the IOS Firewall on the Next-Gen Integrated Services Routers (ISR G2s) and Cisco Aggregation Services Routers (ASR 1000s). Here are just a few typical scenarios:

  • Use the ISR G2 IOS Firewall for hybrid direct Internet access from the branch, with the non-Internet traffic backhauled to headquarters
  • Use the ASR 1000 IOS Firewall to protect all traffic backhauled to the head end
  • Use the ASR 1000 IOS Firewall to protect all campus internet traffic at the enterprise edge

At the enterprise edge, speeds are critical, and layering firewall technology on the router could raise eyebrows, as it would be the first line of defense. The ASR 1000 was built to accommodate multiple simultaneous services running on a single platform: a built-in zone-based firewall and capabilities to protect against mass traffic (traffic flooding). If a DDoS attack were directed at an ASR 1000, the router would not exhibit high CPU consumption, because the packet forwarding engine (data plane) has extremely high capacity, and the route processor (control plane) runs on a separate, independent CPU, which can instruct the data plane to open or close pinholes for traffic. Even under attack or overload with oversubscribed interfaces, the ASR 1000 always gives priority to high-priority packets, to maintain QoS. The ISR G2 IOS Firewall also provides stateful firewall capabilities to meet compliance mandates such as PCI or HIPAA, and it works with other Cisco IOS security features, including Cisco IOS Intrusion Prevention System (IPS), IOS Network Address Translation (NAT), Cisco ScanSafe Cloud Web Security, and Cisco TrustSec (below), to create an integrated branch-office perimeter security solution.
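The first scenario in the list above (hybrid direct Internet access from the branch, with non-Internet traffic backhauled to headquarters) comes down to a zone-based firewall with three zones and directional zone pairs. The configuration below is an added example written for this post, not configuration taken from Cisco or the post itself. It assumes an ISR G2 with GigabitEthernet0/0 as the branch LAN, GigabitEthernet0/1 as the Internet uplink and Tunnel0 as the encrypted backhaul to HQ; every address, zone name, policy name and threshold value is a placeholder.

```cisco
! Added example (not from the post): ISR G2 branch with hybrid direct Internet access.
! Assumed: Gi0/0 = branch LAN, Gi0/1 = Internet uplink, Tunnel0 = encrypted backhaul to HQ.
! Addresses, zone and policy names, and threshold values are placeholders.
!
! Three zones: LAN users, the Internet, and the backhaul tunnel to headquarters.
zone security INSIDE
zone security OUTSIDE
zone security HQ
!
! Flood protection: cap half-open sessions and shorten the SYN wait (values are illustrative).
parameter-map type inspect PMAP-BRANCH
 max-incomplete low 2000
 max-incomplete high 4000
 tcp syn-wait-time 15
!
! Only web and DNS are allowed directly to the Internet; everything else goes to HQ.
class-map type inspect match-any CM-WEB-DNS
 match protocol http
 match protocol https
 match protocol dns
!
! Traffic to and from HQ is inspected statefully, so replies return without static holes.
class-map type inspect match-any CM-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-WEB-DNS
  inspect PMAP-BRANCH
 class class-default
  drop log
!
policy-map type inspect PM-IN-TO-HQ
 class type inspect CM-ANY
  inspect
 class class-default
  drop log
!
policy-map type inspect PM-HQ-TO-IN
 class type inspect CM-ANY
  inspect
 class class-default
  drop log
!
! Zone pairs are directional. There is no OUTSIDE->INSIDE pair, so unsolicited
! Internet traffic toward the LAN is dropped by default.
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
zone-pair security IN-TO-HQ source INSIDE destination HQ
 service-policy type inspect PM-IN-TO-HQ
zone-pair security HQ-TO-IN source HQ destination INSIDE
 service-policy type inspect PM-HQ-TO-IN
!
! Internet-bound traffic is NATed; backhauled corporate traffic is not.
ip access-list extended ACL-NAT
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list ACL-NAT interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 description Branch LAN (192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Internet uplink
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 zone-member security OUTSIDE
!
interface Tunnel0
 description Encrypted backhaul to HQ (IPsec profile configured separately)
 ip address 10.255.0.2 255.255.255.0
 zone-member security HQ
!
! Corporate prefixes go over the tunnel; the default route is the Internet uplink.
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 203.0.113.9
```

Two points worth checking on a real deployment: the tunnel's outer IPsec/GRE packets arrive on the OUTSIDE interface addressed to the router itself, which the firewall's self zone permits by default, so the backhaul keeps working even though no OUTSIDE-to-INSIDE pair exists; and `show policy-map type inspect zone-pair sessions` shows the stateful sessions the inspect action has opened, which is the quickest way to confirm that return traffic is being matched rather than dropped.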

2. Cisco routers can provide all of your VPN functionality at high scale. The ASR 1000 Series and ISR G2s offer both remote-access and site-to-site VPN connectivity. End users can connect securely to the network, and you can increase the integrity and confidentiality of your sensitive traffic between branch offices and across your WAN. For remote access, users can connect using the Cisco AnyConnect VPN client on devices from laptops to handhelds to the FlexVPN Server on the ISR G2. Businesses with remote offices can use Group Encrypted Transport VPN (GET VPN) for encrypting IPv4 and IPv6 traffic over the WAN, and Dynamic Multipoint VPN (DMVPN) for encrypting IPv4 and IPv6 traffic over the internet using the ISR G2 or ASR 1000. In addition, the encryption on Cisco routers offers next-generation encryption, including AES 128-bit encryption or higher. And both the ASR 1000 and ISR G2 have built-in hardware encryption capabilities that are enabled without impact on router performance – the ASR 1000 can encrypt up to 11 Gbps, and the ISR G2 up to 1.2 Gbps.
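As an added example of the site-to-site side of this (not configuration from Cisco or from the post), here is a FlexVPN spoke on an ISR G2 that builds an IKEv2 tunnel to a hub using AES-256, which satisfies the "AES 128-bit or higher" point above. It assumes the hub's public address is 203.0.113.1, the spoke's uplink is GigabitEthernet0/1, and a pre-shared key is used; the profile names, addresses and the key itself are placeholders.

```cisco
! Added example (not from the post): FlexVPN spoke on an ISR G2 using IKEv2 and AES-256.
! Assumed: hub public address 203.0.113.1, spoke uplink Gi0/1. Names and the key are placeholders.
!
! IKEv2 proposal: AES-256 for confidentiality, SHA-256 for integrity, 2048-bit DH group 14.
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-AES256
 proposal PROP-AES256
!
! Keyring scoped to the hub address only (no wildcard 0.0.0.0 peers).
crypto ikev2 keyring KR-HUB
 peer HUB
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-STRONG-SECRET
!
crypto ikev2 profile PROF-HUB
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-HUB
!
! IPsec: ESP with AES-256 and HMAC-SHA-256. Transport mode, because GRE supplies the outer header.
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-FLEX
 set transform-set TS-AES256
 set ikev2-profile PROF-HUB
!
! Point-to-point GRE tunnel to the hub, protected by the profile above.
interface Tunnel0
 description FlexVPN to HQ hub
 ip address 10.255.0.2 255.255.255.0
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile IPSEC-FLEX
!
! Verification (exec mode):
!   show crypto ikev2 sa          - IKEv2 SA up, with the negotiated AES-256/SHA-256/group 14
!   show crypto ipsec sa          - encaps/decaps counters increasing on Tunnel0
!   show crypto engine configuration - confirms the onboard hardware crypto engine is in use
```

The hub side mirrors this with a matching proposal and keyring entry for the spoke; for many spokes, a DMVPN-style multipoint tunnel with the same IPsec profile is the usual next step. The IKEv2 proposal is where the "next-generation encryption" claim is actually enforced: anything the proposal does not list cannot be negotiated.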

3. Cisco routers can enforce access control policies that typical firewalls and access control lists (ACLs) cannot. There are several reasons to have security policies that are based on the user or group and the data that is being accessed – whether it be compliance, internal governance, or best practices to protect confidential or sensitive data. Even your senior executives may not be allowed to access sensitive financial data when on a mobile device on an unsecured public Wi-Fi network. Cisco TrustSec is a contextual, data-centric security solution that uses Cisco infrastructure, including the ISR G2 and ASR 1000, to enforce access control throughout the network. Based on the policy set in the centralized policy engine, Cisco Identity Services Engine (ISE), you can restrict user access using the ASR 1000 or ISR G2 IOS Firewall (blocking based on the Secure Group Tag (SGT)). TrustSec enables you to leverage your Cisco infrastructure for more granular access control, down to the device being used, the location from which users are connecting, or what data they’re trying to access.
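The executive-on-public-Wi-Fi case above is what SGT-based firewall rules are for: the IOS Firewall matches on the tag ISE assigned to the user's session rather than on an IP address. The configuration below is an added example written for this post, not configuration from Cisco or the post. It assumes ISE has assigned SGT 20 to "executives on mobile devices" and SGT 30 to finance servers, and that the router learns IP-to-SGT bindings over SXP from a speaker at 10.1.1.1; the tag values, zone names, addresses and password are placeholders.

```cisco
! Added example (not from the post): SGT-based firewall policy on the ISR G2 / ASR 1000 IOS Firewall.
! Assumed: ISE assigns SGT 20 = executives on mobile devices, SGT 30 = finance servers.
! The router learns IP-to-SGT bindings over SXP from 10.1.1.1. All values are placeholders.
!
! SXP: receive IP-to-SGT mappings from an upstream speaker (access switch or ISE).
cts sxp enable
cts sxp default password REPLACE-WITH-SXP-PASSWORD
cts sxp connection peer 10.1.1.1 password default mode local listener
!
! Match on who is talking (source tag) and what they reach (destination tag), not on addresses.
class-map type inspect match-all CM-MOBILE-TO-FINANCE
 match security-group source tag 20
 match security-group destination tag 30
!
class-map type inspect match-any CM-ANY
 match protocol tcp
 match protocol udp
 match protocol icmp
!
! Executives on mobile devices are blocked from finance data; everything else is inspected statefully.
policy-map type inspect PM-USERS-TO-DC
 class type inspect CM-MOBILE-TO-FINANCE
  drop log
 class type inspect CM-ANY
  inspect
 class class-default
  drop log
!
zone security USERS
zone security DC
zone-pair security USERS-TO-DC source USERS destination DC
 service-policy type inspect PM-USERS-TO-DC
!
interface GigabitEthernet0/0
 description User-facing LAN
 zone-member security USERS
!
interface GigabitEthernet0/1
 description Toward data center / WAN
 zone-member security DC
!
! Verify the bindings the policy acts on before trusting the rule:
!   show cts sxp connections
!   show cts role-based sgt-map all
```

Because the rule keys on tags, the same line covers the executive whether the session arrives over the branch LAN, a remote-access VPN or a guest wireless segment; what changes is the tag ISE assigns when the device and location do not meet policy, not the firewall configuration. The `drop log` action on the SGT class is what gives the security operations team a record of each blocked attempt.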

In a nutshell: you can have the security functionality you need without compromising your routing infrastructure. And this goes without saying, but by combining your security functionality on your routers, you have less to buy, install, maintain, and manage. If you’re in the market for a new router, you might want to think about integrated security sooner rather than later, as you can often get a discount when you buy security bundles up front. Visit the Cisco router security page or contact your channel partner or account manager for more information on security bundle offers. As with my iPhone, the integrated technology approach may just be your life-changer.



  1. Well, I think Cisco routers are very good, especially in preventing DDoS attacks through the firewall, and nothing is to be compromised when it comes to performance.