How do you know for sure that a router in your network has not been altered since you deployed it? Wouldn’t it be great if you could cryptographically challenge your router to provide its unique identity? In addition, what if the underlying OS could provide a secure mechanism to detect if the software had been tampered with during boot time and runtime?

Networking equipment manufacturers are seeing an increase in supply chain attacks, which means communication service providers (CSP) need tools that can detect the replacement of critical components such as CPU/NPU. Software security features are insufficient in detecting and protecting against these attacks if the underlying hardware has been compromised. To completely trust the device, CSPs need a chain of trust that is preserved in hardware manufacture, software development and installation, procurement, and live deployment within their network.

With 5G deployments gaining traction, routers are now increasingly deployed in distributed architectures (read as remote locations) and depended on as critical infrastructure. Cisco’s trustworthy platforms ensure customers can validate the authenticity of their devices in both hardware and software to help eliminate malicious access to the network and significantly improve the CSP’s security posture.

To understand how we do this, let’s go over the basic security building blocks included in the NCS 500 platforms (as well as others) that enable us to deliver the following aspects of trustworthy platforms:

  • Hardware integrity
  • Boot integrity
  • Runtime integrity
  • Operational visibility of your trustworthy network

Root of Trust in Hardware

Incorporating the latest software security features is immaterial unless the underlying hardware itself is trustworthy. To provide this strong foundation of Trust, the Cisco NCS 540 and NCS 560 routers incorporate a tamper-resistant Trust Anchor module. This acts to protect the entire Secure boot process from components to operating system loading and establishing a chain of trust.

Cisco Trust Anchor

The hardware trust anchor module primarily provides the following set of features.

  • Microloader needed for the secure boot process
  • Secure Unique Device Identifier (SUDI) for device identification
  • On-chip storage for encryption keys
  • UEFI compliant DB for key management
  • On-chip registers (PCRs) to record boot and runtime measurements
  • On-chip DB to secure the hash of CPU for Chip Guard feature

TAM Chip Module

Measuring & Verifying Trust

Trust, unlike security, is tangible. It can be measured and verified by an entity external to the device. The NCS 500 series routers come with Boot Integrity Visibility and Chip Guard features to ensure customers can validate the trustworthiness of the device and that it hasn’t been tampered with during boot time or subjected to supply-chain attacks. The Trust Anchor module captures measurements recorded during the secure boot process and these measurements can later be retrieved to validate that the boot process hasn’t been tampered.

With increasing supply-chain attacks, components like CPUs are being replaced with compromised chips that contain Trojan programs. At boot-up, the NCS 500 series can counter these types of attacks because the Chip Guard feature utilizes stored Known Good Values (KGV) within the TAm to validate all components. If a KGV value does not match, then the hardware boot will fail, and an alert can be sent to the network monitoring tools.

Lastly, the Secure Unique Device Identifier (SUDI) that gets programmed inside the Trust Anchor module during the manufacturing process ensures that the router can be cryptographically challenged at any time during its operational lifetime to validate its identity. This way customers can ensure that they are still talking to the same router that was deployed in their network months or even years ago.

In short, the features of SUDI, Chip Guard, and Cisco Secure Boot enable customers to verify the integrity of the router over its entire lifetime.

Trust at Runtime

Moving to runtime protections and establishing trust in software, NCS 500 routers come with the latest IOS XR Operating System that includes a host of security features. Starting with SELinux policies that provide mandatory access controls for accessing files, it also supports the Linux Integrity Measurement Architecture (IMA). With these features, customers can now establish trust in software by querying the runtime measurements from a router at any point in time. The router continuously gathers file hashes for all the files being loaded and executed. These measurements can be queried by an external entity to compare against the expected Known Good Values published by Cisco. To ensure the authenticity of these remotely attested measurements, they are signed with the device’s unique SUDI private key.

With these foundational blocks of trust being established in hardware, both during boot time and runtime, we are now able to provide additional features like a trusted path routing that can help extend trust further into the network. The trust status of a device, the trusted routing path, and the ability to validate software updates as genuine per the manufactures specifications are valuable assets included in the Crosswork Trust Insights tool that can provide proof of the network’s trustworthiness.

Learn about Network Security and Trust.

Visit the NCS 500 series family page for more details.


Prakash Daga

Director, Product Management

Global Service Provider