
CCIE Self-Study: Security Protocols

Chapter Description

This chapter covers some of today's most widely used technologies that enable network administrators to ensure that sensitive data is secure from unauthorized sources. Standards such as IP Security (IPSec) and encryption standards are covered, as are all the fundamental foundation topics you need to understand to master the topics covered in the CCIE Security written exam.

Foundation Summary

The "Foundation Summary" is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the "Foundation Topics" material, the "Foundation Summary" will help you recall a few details. If you just read the "Foundation Topics" section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the "Foundation Summary" offers a convenient and quick final review.

Table 4-8. AAA Terminology

Authentication

Who are you? A remote user must be authenticated before being permitted access to network resources. Authentication allows users to submit their usernames and passwords, and permits challenges and responses. Username/password pairs are a common form of authentication.

Authorization

What resources are you permitted to use? Once the user is authenticated, authorization defines which services in the network the user is permitted to access. The operations permitted here can include IOS privileged EXEC commands.

Accounting

What resources were accessed, at what time, by whom, and what commands were issued to access them? Accounting allows the network administrator to log and view what was actually performed; for example, whether a Cisco router was reloaded or the configuration was changed. Accounting ensures that an audit will enable network administrators to view what was performed and at what time.

Table 4-9. RADIUS Summary

Packet delivery

Packets sent between clients and servers are UDP, primarily because TCP's overhead offers no significant advantage here. Typically, the user can wait for a username/password prompt.

UDP destination port

Early deployments of RADIUS used UDP ports 1645 and 1646. The officially assigned port numbers are 1812 and 1813.

Attributes

Attributes are used to exchange information between the NAS and client.

Model

Client/server-based model in which packets are exchanged in a unidirectional manner.

Encryption method

The password is encrypted using MD5; the username is not encrypted. RADIUS encrypts only the password in the access-request packet, sent from the client to the server. The remainder of the packet is in clear text. A third party could capture other information, such as the username, authorized services, and accounting information.

Multiprotocol support

Does not support protocols such as AppleTalk, NetBIOS, or IPX. IP is the only protocol supported.
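The encryption row above is worth seeing in bytes. The following Python is an added example written for this summary (not code from the book or from Cisco); it implements the User-Password hiding defined in RFC 2865 section 5.2, builds an Access-Request, and then parses the packet the way a passive observer without the shared secret would. The shared secret, username, password and identifier are constructed sample values, and the function names are this example's own.

```python
import hashlib
import os
import struct

# Constructed sample values for one Access-Request (not from the chapter).
SHARED_SECRET = b"s3cr3t-nas-key"   # shared between the NAS and the RADIUS server
USERNAME = b"alice"
PASSWORD = b"Wint3r-pass!"

USER_NAME, USER_PASSWORD = 1, 2     # attribute types, RFC 2865
ACCESS_REQUEST = 1                  # packet code


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad the password with NULs to a
    multiple of 16 bytes, then XOR chunk n with b_n, where
    b_1 = MD5(secret + Request Authenticator) and b_n = MD5(secret + c_(n-1)),
    c_(n-1) being the previous hidden chunk. Only this one attribute is
    protected; it is keyed obfuscation built on MD5, not a general cipher."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        b_n = hashlib.md5(secret + prev).digest()
        c_n = bytes(x ^ y for x, y in zip(padded[i:i + 16], b_n))
        hidden += c_n
        prev = c_n
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 chain and strip the NUL padding."""
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        b_n = hashlib.md5(secret + prev).digest()
        c_n = hidden[i:i + 16]
        clear += bytes(x ^ y for x, y in zip(c_n, b_n))
        prev = c_n
    return bytes(clear).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, password, secret, identifier=1, authenticator=None):
    """Code | Identifier | Length | Request Authenticator (16 bytes) | Attributes.
    The authenticator must be fresh random per request; passing a fixed one is
    only allowed here so the result is repeatable."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = attribute(USER_NAME, username)
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def visible_attributes(packet: bytes) -> dict:
    """What a passive observer without the shared secret can read: every
    attribute type and value in clear, except User-Password (type 2), which
    appears only in its hidden form."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    pkt = build_access_request(USERNAME, PASSWORD, SHARED_SECRET)
    seen = visible_attributes(pkt)
    print("User-Name on the wire:    ", seen[USER_NAME])
    print("User-Password on the wire:", seen[USER_PASSWORD].hex())
```

Running it shows the username and every other attribute in clear while the password chunk is opaque without the secret, which is exactly the exposure the table's last sentence describes; it also makes clear why the shared secret and a fresh Request Authenticator are the only things standing between the observer and the password.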

Table 4-10. TACACS+ Summary

Packet delivery

Packets sent between client and server are TCP.

TCP destination port

Port 49.

Packet types

Packet types are defined in the TACACS+ frame format as follows:

Authentication 0x01
Authorization 0x02
Accounting 0x03

Sequence number (seq_no)

The sequence number of the current packet flow for the current session. The seq_no starts at 1, and each subsequent packet increments it by one. The client sends only odd numbers; TACACS+ servers send only even numbers.

Encryption method

The entire packet is encrypted. Data is encrypted using MD5 and a secret key that matches on both the NAS (for example, a Cisco IOS router) and the TACACS+ server.

Multiprotocol support

Supports protocols such as AppleTalk, NetBIOS, or IPX. IP-supported only.
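The "MD5 and a secret key" encryption row and the odd/even sequence-number rule above are both mechanical enough to show in code. The following Python is an added example for this summary (not the book's or Cisco's code): it builds the pseudo-pad that the TACACS+ specification (RFC 8907 section 4.5) derives from the session ID, shared key, version and seq_no, XORs a packet body with it, and checks the client/server parity of seq_no. The shared key, session ID and body are constructed sample values; the header fields themselves must travel in clear because the receiver needs them to regenerate the pad, and the example flags bodies carrying TAC_PLUS_UNENCRYPTED_FLAG, which a deployment should never accept.

```python
import hashlib
import struct

# Constructed sample values (not from the chapter).
SHARED_KEY = b"tacacs-shared-key"
SESSION_ID = 0x1A2B3C4D

TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03  # packet types
TAC_PLUS_VERSION = (0xC << 4) | 0x0        # major version 12, minor 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # body sent in clear: reject in production
HEADER = struct.Struct("!BBBBII")          # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)); the digests are
    concatenated and truncated to the body length. Every value in the seed
    except the key comes from the clear-text header."""
    seed = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def seq_no_valid(seq_no: int, from_client: bool) -> bool:
    """seq_no is one byte. Clients send odd values starting at 1, servers even."""
    if not 1 <= seq_no <= 255:
        return False
    return seq_no % 2 == 1 if from_client else seq_no % 2 == 0


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, flags: int = 0) -> bytes:
    """12-byte clear header followed by the obfuscated (or, if flagged, clear) body."""
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Receiver side: read the header, regenerate the pad, recover the body, and
    report whether the peer actually obfuscated it."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    raw = packet[HEADER.size:HEADER.size + length]
    obfuscated = not (flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = xor_body(raw, session_id, key, version, seq_no) if obfuscated else raw
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "obfuscated": obfuscated, "body": body}


if __name__ == "__main__":
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID, b"authen-start:alice", SHARED_KEY)
    print("on the wire:", pkt.hex())
    print("recovered:  ", parse_packet(pkt, SHARED_KEY))
```

Decoding with the wrong key yields garbage rather than an error, which is why a mismatched key on the NAS and server shows up as failed authentications instead of a clear diagnostic; and because the pad depends only on header values plus the key, a sniffer that knows the key can recover every body, so the key deserves the same handling as any other long-lived secret.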

Table 4-11. RADIUS Versus TACACS+

Packet delivery

RADIUS: UDP.
TACACS+: TCP.

Packet encryption

RADIUS: Encrypts only the password in the access-request packet from the client to the server.
TACACS+: Encrypts the entire body of the packet, but leaves a standard TCP header.

AAA support

RADIUS: Combines authentication and authorization.
TACACS+: Uses the AAA architecture, separating authentication, authorization, and accounting.

Multiprotocol support

RADIUS: None; IP is the only protocol supported.
TACACS+: Supports other protocols, such as AppleTalk, NetBIOS, and IPX.

Router management

RADIUS: Can pass a privilege level down to the router, which can then be used locally for command authorization.
TACACS+: Enables network administrators to control which commands can be executed on a router.

Table 4-12. Encryption Methods

Data Encryption Standard (DES)

A block cipher algorithm, which means that it performs operations on fixed-length data streams. Uses a 56-bit key to encrypt 64-bit datagrams. DES is a published, U.S. government-approved encryption algorithm.

Triple DES (3DES)

A variant of DES that iterates three times with three separate keys (encrypts with one 56-bit key, decrypts with another 56-bit key, and then encrypts with another 56-bit key).

Three keys are used to encrypt data, resulting in a 168-bit encryption key.

Advanced Encryption Standard (AES)

A new standard that replaces DES. Encryption key lengths are 128, 192, and 256 bits.

Table 4-13. IKE Phase I/II



IKE phase I

Authenticates IPSec peers

Negotiates matching policy to protect IKE exchange

Exchanges keys using Diffie-Hellman

Establishes the IKE security association

IKE phase II

Negotiates IPSec SA parameters by using an existing IKE SA

Establishes IPSec security parameters

Periodically renegotiates IPSec SAs to ensure security and that no intruders have discovered sensitive data

Can also perform optional additional Diffie-Hellman exchange

Table 4-14. IPSec Terminology



Internet Key Exchange (IKE)

A protocol that provides utility services for IPSec, such as authentication of peers, negotiation of IPSec SAs, and encryption algorithms.

Security association (SA)

A connection between IPSec peers. An SA is unidirectional, and two SAs are required to form a complete tunnel.

Message Digest 5 (MD5)

A hash algorithm (128 bit) that takes an input message (of variable length) and produces a fixed-length output message. IKE uses MD5 or SHA-1 for authentication purposes.

Secure Hash Algorithm (SHA-1)

A hash algorithm (160 bit) that signs and authenticates data.

RSA signatures

RSA is a public-key encryption system used for authentication. Users are assigned both private and public keys. The private key is not available to the public and is used to decrypt messages created with the public key. To have a signature validated, you need to have a CA sign the public key, making it a certificate.

Certificate Authority (CA)

A trusted third party whose purpose is to sign certificates for network entities it has authenticated.

Authentication Header (AH)

Used to authenticate data. AH provides data origin authentication and optional replay-detection services.

Encapsulating Security Payload (ESP)

ESP in transport mode does not encrypt the original IP header; it encrypts only the IP payload, placing an ESP header between the original IP header and the data. ESP (in both tunnel and transport modes) provides data confidentiality, data integrity, and data origin authentication.

Diffie-Hellman (DH)

Algorithm that is used to initiate and secure the session between two hosts, such as routers.

Advanced Encryption Standard (AES)

A new encryption standard that is considered a replacement for DES. The U.S. government made AES a standard in May 2002. AES provides key lengths for 128, 192, and 256 bits.
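Several rows of the table above (unidirectional SAs, AH/ESP data origin authentication with MD5 or SHA-1, and the optional replay-detection service) come together in the receive path of a single SA. The following Python is an added example written for this summary, not code from the book, from Cisco, or from any IPsec implementation: it uses a simplified datagram layout (SPI, sequence number, payload, HMAC-SHA1-96 ICV) rather than the exact AH or ESP header format, and implements the receiver's anti-replay window as specified in RFC 4302/4303 section 3.4.3, with the window updated only after the ICV verifies. The SPI and authentication key are constructed sample values and all class and function names are this example's own.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

ICV_LEN = 12          # HMAC-SHA1-96: HMAC-SHA-1 truncated to 96 bits, as AH/ESP use it
SEQ_MAX = 0xFFFFFFFF  # 32-bit sequence number; it must never wrap on one SA

# Constructed sample values (not from the chapter): one SPI and one
# authentication key, covering a single direction of traffic.
SAMPLE_SPI = 0x00001001
SAMPLE_AUTH_KEY = bytes.fromhex("0b" * 20)


@dataclass
class ReplayWindow:
    """Receiver anti-replay window. 'top' is the highest sequence number accepted
    so far; bit k of 'bitmap' records whether sequence number top-k was accepted.
    Sequence number 0 is never valid."""
    size: int = 64
    top: int = 0
    bitmap: int = 0

    def check(self, seq: int) -> bool:
        """Cheap, side-effect-free check done before the ICV is verified."""
        if seq == 0 or seq > SEQ_MAX:
            return False
        if seq > self.top:
            return True                                   # new high-water mark
        if self.top - seq >= self.size:
            return False                                  # older than the window
        return not self.bitmap & (1 << (self.top - seq))  # already accepted?

    def accept(self, seq: int) -> None:
        """Advance the window; called only after the ICV verified, so a forged
        packet with a high sequence number cannot slide the window forward."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Integrity check value over everything the receiver must trust."""
    data = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


@dataclass
class OutboundSA:
    """One direction only; the reverse direction needs its own SA with its own SPI and key."""
    spi: int
    auth_key: bytes
    seq: int = 0

    def send(self, payload: bytes) -> bytes:
        if self.seq >= SEQ_MAX:
            raise RuntimeError("sequence space exhausted: renegotiate the SA")
        self.seq += 1
        icv = compute_icv(self.auth_key, self.spi, self.seq, payload)
        return struct.pack("!II", self.spi, self.seq) + payload + icv


@dataclass
class InboundSA:
    spi: int
    auth_key: bytes
    window: ReplayWindow = field(default_factory=ReplayWindow)

    def receive(self, packet: bytes) -> str:
        """Returns 'ok', 'no-sa', 'replay' or 'bad-icv', in the order RFC 4303 checks them."""
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "no-sa"
        payload, icv = packet[8:-ICV_LEN], packet[-ICV_LEN:]
        if not self.window.check(seq):
            return "replay"
        if not hmac.compare_digest(icv, compute_icv(self.auth_key, spi, seq, payload)):
            return "bad-icv"
        self.window.accept(seq)
        return "ok"


if __name__ == "__main__":
    out = OutboundSA(SAMPLE_SPI, SAMPLE_AUTH_KEY)
    inb = InboundSA(SAMPLE_SPI, SAMPLE_AUTH_KEY)
    first = out.send(b"hello")
    print(inb.receive(first), inb.receive(first))   # ok replay
```

The replay check runs before the HMAC so that a flood of replayed packets costs the receiver almost nothing, while the window is only advanced after the HMAC succeeds; reversing either order weakens the protection. The send-side counter exhaustion is the concrete reason behind the table's "periodically renegotiates IPSec SAs" entry.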

Table 4-15. Enabling TKIP on an Access Point

Step 1

Enter global configuration mode:

configure terminal

Step 2

Enter interface configuration mode for the radio interface:

interface dot11radio 0

Step 3

Enable WEP, MIC, and TKIP:

encryption [vlan vlan-id] mode wep {optional [key-hash] | mandatory [mic] [key-hash]}