12-22-2012 03:04 AM
Hi,
I've some VPN encryption method questions.
Is it recommended to use different encryption algorithms for both VPN phases (phase 1 and phase 2)?
I've read once that it is much more secure to use different encryption algorithms for each phase.
In my opinion, I would go for the AES256 algorithm in both phases. But maybe it is a better idea to use AES128 or AES192 in the first phase and AES-256 in the second phase… I don't know.
After saying this, I’m also wondering about the best VPN encryption setup for a site-to-site VPN (IKEv2) when using a Cisco ASA like the 5510, 5520 or the 5515.
I hope that someone can put me in the right direction.
Thanks,
Niels
12-22-2012 07:16 AM
Cisco has a decent whitepaper here with recommendations.
Personally, as long as both ends support the performance levels you need, I'd go with AES-256 in Phase 1 and Phase 2, mostly because it makes the security auditors happier to use the strongest available encryption. In reality, the security of your system is more susceptible to social engineering than it is to hacking the cryptographic algorithm.
You might also be interested in the firewall performance paper BRKSEC-3021 on CiscoLive 365. On page 68 it states:
ASA Crypto Operations
- Most impact during tunnel establishment for IPSEC
  - RSA key generation is always done in software
  - Routine IPSEC/SSL operations are hardware accelerated
  - Hardware processing with keys up to 2048 bits on ASA558x
  - DH Group 5 and 2048 bit RSA are processed in software by default on 5550 and lower platforms; can be changed on ASA5510-5550:
    asa(config)# crypto engine large-mod-accel
- Higher impact from SSL VPN compared to IPSEC
  - Very heavy CPU load from Application Proxy Engine
  - ~128KB vs ~18KB of memory usage per connection
  - No multi-core support until ASA 9.0 software
More generally, think about defense in depth vs. the hard crunchy exterior (strong VPN) but with soft chewy insides (no Data Loss Protection, unsecured laptops without disk encryption, personally owned devices without any BYOD policies and systems, etc.)
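As an added illustration (not configuration from the thread, the Cisco whitepaper or the slide deck), this is what the "AES-256 in Phase 1 and Phase 2" recommendation looks like as an IKEv2 site-to-site tunnel on an ASA. The peer address 203.0.113.2, the ACL/proposal/map names, the pre-shared key and the assumption of an ASA 9.x release are all placeholders or assumptions of this example.

```cisco
! --- Phase 1: IKEv2 SA (AES-256, SHA-256 integrity/PRF, DH group 14) ---
! Assumes ASA 9.x; on older 8.4 images verify that group 14 is accepted.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! --- Phase 2: IPsec proposal, also AES-256 (ESP) ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! --- Interesting traffic (placeholder subnets) ---
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! --- Crypto map: bind proposal, peer and PFS, then apply to the interface ---
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

! --- Peer authentication (placeholder key; use a long random PSK or certificates) ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-STRONG-KEY
 ikev2 local-authentication pre-shared-key REPLACE-WITH-STRONG-KEY

! --- Per the BRKSEC-3021 slide: offload large-modulus math on 5510-5550 ---
crypto engine large-mod-accel
```

Check the result with `show crypto ikev2 sa` and `show crypto ipsec sa`, which display the negotiated Phase 1 and Phase 2 algorithms and confirm that both SAs actually came up with AES-256.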
12-23-2012 11:26 PM
Hi Marvin,
Thank you for your opinion!
A few days ago I already found the "Cisco next generation encryption" documentation. I've decided to go for the AES256 in phase 1 and 2.
Thanks!
Sent from Cisco Technical Support iPhone App