Cisco PIX 520 - PIX Firewall 520 Installation Manual page 21

Chapter 1
Overview
CA—Certification authority (CA) interoperability supports the IPSec standard, using Simple
Certificate Enrollment Protocol (SCEP) and Certificate Enrollment Protocol (CEP). CEP permits
PIX Firewall devices and CAs to communicate to permit your PIX Firewall device to obtain and use
digital certificates from the CA. IPSec can be configured with or without CA. The CA must be
properly configured to issue certificates.
The component technologies implemented for IPSec include:
DES and Triple DES—The Data Encryption Standard (DES) and Triple DES (3DES) encrypt
packet data. Cisco IOS software implements the 3-key Triple DES and DES-CBC with Explicit IV.
Cipher Block Chaining (CBC) requires an initialization vector (IV) to start encryption. The IV is
explicitly given in the IPSec packet.
AES—The Advanced Encryption Standard, a next-generation symmetric encryption algorithm, used
by the U.S. Government and organizations outside the U.S.
MD5 (HMAC variant)—Message Digest 5 (MD5) is a hash algorithm. HMAC is a keyed hash
variant used to authenticate data.
SHA (HMAC variant)—Secure Hash Algorithm (SHA) is a hash algorithm. HMAC is a keyed hash
variant used to authenticate data.
IPSec with the PIX Firewall software supports the following additional standards:
AH—Authentication Header is a security protocol that provides data authentication and optional
antireplay services.
The AH protocol uses various authentication algorithms; PIX Firewall software has implemented
the mandatory MD5 and SHA (HMAC variants) authentication algorithms. The AH protocol
provides antireplay services.
Explicit IV—Explicit Initialization Vector is a sequence of random bytes prepended to a
plaintext message before encryption by a block cipher, which eliminates the possibility of the
initial ciphertext block being the same for any two messages. For example, if messages always start
with a common header (a letterhead or "From" line), their initial ciphertext would always be the
same, assuming that the same cryptographic algorithm and symmetric key were used. Adding a
random initialization vector prevents this.
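The following is an added example, not code from the manual or from Cisco, that demonstrates the explicit-IV point above in CBC mode. It uses a constructed toy 64-bit Feistel cipher (built from HMAC-SHA256 as the round function, so it is invertible) in place of DES/3DES; the key, messages and the fixed all-zero IV are constructed values. The IV is sent in clear in front of the ciphertext, which is what "explicit IV" means in the IPSec packet.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

BLOCK = 8  # 64-bit block, the DES/3DES block size the manual discusses


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 8-round balanced Feistel network (assumption: stand-in for DES, not DES itself).
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    # Run the Feistel rounds backwards; undoes toy_block_encrypt exactly.
    right, left = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    # PKCS#7-style padding to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """CBC with explicit IV: output is IV || C1 || C2 ... so the receiver can read the IV."""
    iv = os.urandom(BLOCK) if iv is None else iv
    padded = _pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))  # C_i = E(P_i ^ C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:BLOCK], blob[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(body), BLOCK):
        blk = body[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, blk), prev))  # P_i = D(C_i) ^ C_{i-1}
        prev = blk
    return _unpad(b"".join(out))


def first_ciphertext_blocks(key: bytes, msg_a: bytes, msg_b: bytes,
                            iv: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """First ciphertext block of each message (skipping the explicit IV).
    Two messages with the same 8-byte header and the same fixed IV produce the
    same first block; with a fresh random IV per message they differ."""
    ca = cbc_encrypt(key, msg_a, iv)
    cb = cbc_encrypt(key, msg_b, iv)
    return ca[BLOCK:2 * BLOCK], cb[BLOCK:2 * BLOCK]


if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed value
    a = b"From: alice@example.test\nhello"   # constructed messages sharing a header
    b = b"From: alice@example.test\nbye"
    print("fixed IV, equal first blocks:", first_ciphertext_blocks(key, a, b, bytes(BLOCK)))
    print("random IV, different blocks :", first_ciphertext_blocks(key, a, b))
```

The leak with a fixed IV is only about the first block: once the plaintexts diverge, CBC chaining makes later blocks differ anyway. That is why the randomness has to come from the IV, and why the IV has to travel with the packet.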
ESP—Encapsulating Security Payload, a security protocol, provides data privacy services, optional
data authentication, and antireplay services. ESP encapsulates the data to be protected. The ESP
protocol uses various cipher algorithms and (optionally) various authentication algorithms. PIX
Firewall software implements the mandatory 56-bit DES-CBC with Explicit IV, Triple DES, or AES
as the encryption algorithm, and MD5 or SHA (HMAC variants) as the authentication algorithms.
The updated ESP protocol provides antireplay services.
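The following added example, not code from the manual or from Cisco, shows the two ESP/AH services named above working together: a truncated HMAC-SHA1 integrity check value (ICV) for data authentication, and a sliding-window antireplay check. The record layout (sequence number || payload || ICV), the 64-entry window size and the key and packets are all constructed simplifications; real ESP also carries an SPI and encrypts the payload.

```python
import hashlib
import hmac
import struct
from typing import Optional

WINDOW = 64  # receive-window width in sequence numbers (assumption for this demo)


def esp_authenticate(key: bytes, seq: int, payload: bytes, icv_len: int = 12) -> bytes:
    """Sender side: seq || payload || ICV, where ICV = HMAC-SHA1 truncated to icv_len bytes."""
    header = struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha1).digest()[:icv_len]
    return header + payload + icv


class ReplayWindow:
    """Sliding antireplay window: each sequence number is accepted at most once,
    and anything older than the left edge of the window is dropped."""

    def __init__(self, size: int = WINDOW):
        self.size = size
        self.highest = 0  # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means (highest - i) has already been accepted

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # sequence number 0 is never valid
        if seq > self.highest:
            # Slide the window right so that seq becomes the new right edge.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False  # too old: left of the window
        if (self.bitmap >> offset) & 1:
            return False  # already seen: replay
        self.bitmap |= 1 << offset
        return True


def receive(key: bytes, window: ReplayWindow, record: bytes,
            icv_len: int = 12) -> Optional[bytes]:
    """Receiver side: verify the ICV, then apply the replay check. The window is only
    updated for records whose ICV verifies, so forged packets cannot disturb it."""
    if len(record) < 4 + icv_len:
        return None
    header, payload, icv = record[:4], record[4:-icv_len], record[-icv_len:]
    expected = hmac.new(key, header + payload, hashlib.sha1).digest()[:icv_len]
    if not hmac.compare_digest(icv, expected):
        return None  # failed data authentication
    seq = struct.unpack("!I", header)[0]
    if not window.check_and_update(seq):
        return None  # replayed or too old
    return payload


if __name__ == "__main__":
    key = b"constructed-auth-key"  # constructed value
    win = ReplayWindow()
    r1 = esp_authenticate(key, 1, b"one")
    print("first delivery :", receive(key, win, r1))
    print("replayed copy  :", receive(key, win, r1))
    bad = r1[:-1] + bytes([r1[-1] ^ 1])
    print("tampered ICV   :", receive(key, win, bad))
```

Out-of-order packets that are still inside the window are accepted once, which is what lets ESP tolerate reordering without giving up replay protection; only a sequence number that has already been marked, or that has fallen behind the window, is dropped.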
For more information on PIX Firewall IPSec terms, see "IPSec terms" in the online Help at
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdm30olh.pdf
Cisco PIX Device Manager Installation Guide, 78-15483-01, page 1-3 (Data Encryption Overview)

This manual is also suitable for: Pix device manager 3.0