Customers looking for more performance and security in their branch operations should find the plug-and-play Cisco VPN Internal Service Module (VPN ISM) for the Integrated Services Routers Generation 2 (ISR G2) family very attractive, especially for the public sector, say company officials. The compact VPN blade provides up to three times better throughput for IPSec VPN encrypted traffic (1.2 Gbps), as well as support for the latest encryption standards. These include stronger National Security Agency-regulated encryption algorithms such as Suite-B, which has been selected for use by the U.S. government.
First announced by the NSA in 2005, Suite B cryptography is built on the Advanced Encryption Standard (AES) with 256-bit keys and Elliptic Curve Public Key Cryptography using the 384-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-384, and includes cryptographic algorithms for key exchange, digital signatures and hashing (Suite B Implementers' Guide to FIPS 186-3 (ECDSA), February 2010). Cisco says Suite B is pretty much restricted to government customers, but SHA-2 appeals to the commercial market, with growing interest from service providers. The company says the next-generation encryption (NGE) technologies are required because existing methods like RSA signatures and DH key exchange are increasingly inefficient as security levels rise, and CBC encryption performs poorly at high data rates.
Provided the module performs as advertised, it should enable Cisco to increase its market share in both the federal and enterprise markets, says networking analyst Nick Lippis, Lippis Enterprises. "The barrier of entry into branch office networking just got higher with this addition to the ISR G2. Cisco holds its lead and picks up some share."
In a report on the new offering, Lippis says that the ISR G2’s routing security portfolio is second to none, literally, and Cisco’s 70.3% market share is indicative of the market’s acceptance of this fact. "The previous G1 ISR was equipped with a VPN accelerator module, and many Cisco customers have been waiting for the same on the newer G2 platform. They need not wait any longer."
Suite B support is essential for being part of the U.S. federal government network, he says. "As Cisco’s VPN ISM supports Suite B in hardware, it’s highly likely that it’s the fastest implementation in the industry for IPSec applications, but this needs to be verified via independent lab performance test. Cisco claims that its VPN ISM support of Suite B is three to five times faster than its previous implementation."
See more on this topic by subscribing to Network Computing Pro Reports Security That Never Sleeps (subscription required).