Monday, April 13, 2026

Cisco Secure Firewall: Post-Quantum Cryptography Roadmap

Nearly every piece of data that moves across your network and the internet at large is protected by encryption. Encryption works by using math problems that today's computers simply can't solve fast enough to crack. That's about to change.

Quantum computers are a new kind of machine. Without delving into physics, what matters is this: the encryption that takes today's supercomputers millions of years to break will soon be breakable within hours. Already today, it's believed that attacker groups and nation-state actors are capturing and stockpiling encrypted data, waiting for the moment when it can all be unlocked. Sensitive data crossing your network right now (financial records, intellectual property, system credentials) can be captured today and exposed tomorrow.

The solution is a new class of encryption algorithms called post-quantum cryptography (PQC). PQC is built on different math problems that quantum computers can't shortcut the way they can with today's algorithms. NIST has finalized these algorithms as formal standards, and governments and industry are moving quickly to require their adoption.

The NSA is requiring all National Security Systems purchases made after January 2027 to be future-proofed for these "quantum safe" standards. Australia has set an aggressive 2030 migration target. The European Union published its own roadmap with phased deadlines through 2035. Whether or not your organization is bound by these mandates, they will become de facto baselines for the entire world. The partners you connect with, the cyber insurance policies you carry, and the customers whose data you handle will all increasingly measure you by these standards.

Cisco Secure Firewall uses encryption for many things: VPN tunnels, remote management, hardware-level trust, and inline decryption. For network administrators this raises a very practical question: what does this transition to post-quantum cryptography look like for our infrastructure? This post lays out where we are, where we're headed, and what you should be thinking about today.

NIST's PQC standards define three algorithms, each designed to replace a specific class of classical cryptography. They also define stronger security baselines for existing algorithms, which are already incorporated into Cisco Secure Firewall.

[Figure: Cisco PQC migration table]

ML-KEM (FIPS 203) protects the moment two devices agree on a shared secret, the handshake at the beginning of every encrypted session. Today that job is done by algorithms like ECDH, which quantum computers will break. ML-KEM is different, built on a fundamentally different kind of math problem (lattice-based cryptography) that resists both classical and quantum attacks. Support arrives in Secure Firewall Threat Defense (FTD) 10.5 and ASA 9.25, targeted for General Availability in late 2026.

ML-DSA (FIPS 204) is how devices prove their identity and how software proves it hasn't been tampered with. Every time your firewall authenticates a VPN peer or verifies a signed software image, it relies on digital signatures. Today we use RSA or ECDSA, both of which quantum computers will break. ML-DSA is the quantum-safe replacement, also built on lattice-based cryptography. Support is planned for FTD/ASA 11.0, in the second half of calendar year 2027.

SLH-DSA (FIPS 205) is cryptography's way of "diversifying your investments." ML-KEM and ML-DSA are both built on lattice-based cryptography. SLH-DSA is deliberately built differently, using a separate hash-based math problem. Its signatures are larger, but because its approach is different, it provides a critical safeguard for networks in case the lattice-based math problem is ever weakened by future research. Support is planned for FTD/ASA 11.0.

Cisco's approach operates on two tracks:

Secure Communications: integrating PQC into the protocols that carry data – IPsec, TLS, SSH

Secure Products: securing the products themselves, ensuring the firewall's own identity, software integrity, and boot chain are quantum-safe.

Both tracks align to the NIST standards and are being delivered into the platform well in advance of compliance deadlines and well before quantum computers capable of breaking today's encryption exist.

For many organizations, IPsec VPN is the most immediate PQC concern — particularly for site-to-site tunnels protecting sensitive or classified data that could be subject to harvest-now-decrypt-later attacks. The good news is that Cisco hasn't been waiting for the NIST algorithms to ship before providing transitional protections.

Several important RFCs are already supported on ASA and coming to FTD in 10.5:

RFC 8784 (Mixing Preshared Keys in IKEv2) allows a post-quantum pre-shared key (PPK) to be mixed into the IKEv2 key derivation, adding quantum-resistant entropy to every session even before native PQC algorithms are deployed. This has been available on ASA since version 9.18.

RFC 9242 (Intermediate Exchange in IKEv2) and RFC 9370 (Multiple Key Exchanges in IKEv2) enable hybrid key exchange, where both a classical and a post-quantum key agreement are performed simultaneously. This approach is endorsed by NIST, the NSA, Germany's BSI and France's ANSSI as the recommended transitional strategy — providing protection against both classical and quantum adversaries during the migration period. This has been available on ASA since version 9.19.

Additionally, Cisco has developed the Secure Key Integration Protocol (SKIP), currently in RFC draft status, which enables devices to securely import distributed pre-shared keys from third-party providers / Quantum Key Distribution (QKD) devices. SKIP has seen wide adoption across other parts of Cisco's networking portfolio, and is a proven part of Cisco's WAN and service provider infrastructure today. Bringing SKIP to Secure Firewall in FTD 10.5 and ASA 9.25 extends that same framework, giving organizations a consistent quantum-safe key management solution for the network.

These capabilities mean that organizations requiring quantum-resistant protections for IPsec can often begin the journey today, and complete the most important pieces with Cisco Secure Firewall's next software release.
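To make the two transitional mechanisms above concrete, here is an added example (not code from the original post, and not Cisco's implementation) that models how RFC 8784 and RFC 9370 change the IKEv2 key schedule. It instantiates the IKE prf as HMAC-SHA256, uses constructed nonces, SPIs and shared secrets in place of a real exchange (the "ML-KEM" secret is only a labelled byte string, no KEM is run), and assumes the PPK mix-in is applied after the last additional key exchange. The point it shows: a PPK re-keys SK_d and SK_pi/SK_pr but leaves the IKE SA's own encryption keys alone, whereas an additional key exchange re-derives every key from a new SKEYSEED.

```python
"""IKEv2 key derivation with the RFC 8784 PPK mix-in and an RFC 9370
additional key exchange, using HMAC-SHA256 as the IKE prf (example code)."""
import hashlib
import hmac

# Every derived key is 32 bytes here: HMAC-SHA256 as prf and integrity
# algorithm, AES-256 for encryption. Real SAs size each key per the
# negotiated transforms.
KEY_LEN = 32
KEY_NAMES = ("SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er", "SK_pi", "SK_pr")


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv2 prf, instantiated as HMAC-SHA256 (PRF_HMAC_SHA2_256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 section 2.13 prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out = b""
    prev = b""
    counter = 1
    while len(out) < length:
        prev = prf(key, prev + seed + bytes([counter]))
        out += prev
        counter += 1
    return out[:length]


def split_keys(keymat: bytes) -> dict:
    """Slice the prf+ output into the seven IKE SA keys, in RFC 7296 order."""
    return {name: keymat[i * KEY_LEN:(i + 1) * KEY_LEN]
            for i, name in enumerate(KEY_NAMES)}


def derive_ike_keys(shared_secrets, ni, nr, spi_i, spi_r, ppk=None):
    """Derive the IKE SA keys.

    shared_secrets[0] is the classical (EC)DH secret from IKE_SA_INIT;
    any further entries are secrets from additional key exchanges carried
    in IKE_INTERMEDIATE (RFC 9370), e.g. an ML-KEM secret.
    ppk, if given, is the RFC 8784 post-quantum pre-shared key.
    """
    keymat_len = KEY_LEN * len(KEY_NAMES)
    # RFC 7296: SKEYSEED = prf(Ni | Nr, g^ir)
    skeyseed = prf(ni + nr, shared_secrets[0])
    keys = split_keys(prf_plus(skeyseed, ni + nr + spi_i + spi_r, keymat_len))
    # RFC 9370: after each additional key exchange,
    # SKEYSEED(n) = prf(SK_d(n-1), SK(n) | Ni | Nr) and all keys are re-derived.
    for sk_n in shared_secrets[1:]:
        skeyseed = prf(keys["SK_d"], sk_n + ni + nr)
        keys = split_keys(prf_plus(skeyseed, ni + nr + spi_i + spi_r, keymat_len))
    # RFC 8784: mix the PPK into SK_d (which seeds every Child SA) and into
    # SK_pi/SK_pr (which feed the AUTH payloads). SK_a*/SK_e* are untouched,
    # so the IKE_AUTH exchange itself gains no PPK protection.
    if ppk is not None:
        for name in ("SK_d", "SK_pi", "SK_pr"):
            keys[name] = prf_plus(ppk, keys[name], KEY_LEN)
    return keys


# Constructed, deterministic sample inputs (not from any real session).
NI = hashlib.sha256(b"constructed initiator nonce").digest()
NR = hashlib.sha256(b"constructed responder nonce").digest()
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes.fromhex("1112131415161718")
ECDH_SECRET = hashlib.sha256(b"constructed ECDH shared secret").digest()
PQ_KEM_SECRET = hashlib.sha256(b"constructed ML-KEM shared secret").digest()
PPK = hashlib.sha256(b"constructed out-of-band PPK").digest()


def compare_derivations():
    """Derive keys for four configurations so the effect of each
    transitional mechanism is visible side by side."""
    return {
        "classical": derive_ike_keys([ECDH_SECRET], NI, NR, SPI_I, SPI_R),
        "ppk": derive_ike_keys([ECDH_SECRET], NI, NR, SPI_I, SPI_R, ppk=PPK),
        "hybrid": derive_ike_keys([ECDH_SECRET, PQ_KEM_SECRET], NI, NR, SPI_I, SPI_R),
        "hybrid_ppk": derive_ike_keys([ECDH_SECRET, PQ_KEM_SECRET], NI, NR, SPI_I, SPI_R, ppk=PPK),
    }


if __name__ == "__main__":
    for label, keys in compare_derivations().items():
        print(f"{label:>11}: SK_d={keys['SK_d'].hex()[:16]}.. SK_ei={keys['SK_ei'].hex()[:16]}..")
```

The practical reading of the output: a peer that never received the PPK (or whose PPK_ID does not match) ends up with a different SK_d and cannot derive the Child SA keys, which is the property that gives harvest-now-decrypt-later captures of the classical DH exchange no leverage over the ESP traffic; the hybrid path goes further by folding the second shared secret into every IKE SA key.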

TLS touches the firewall in ways that go well beyond simple web browsing. Each use case has its own PQC considerations:

TLS decryption — the firewall's ability to inspect encrypted traffic inline — gains PQC support in stages. TLS decryption with PQC algorithms is targeted for FTD 10.5. PQC metadata logging, providing visibility into PQC-negotiated sessions, is planned for FTD 11.0, the same release planned to bring QUIC decryption with PQC support.

Remote Access VPN using TLS or DTLS is planned for ML-KEM and ML-DSA support in ASA/FTD 11.0, pending the outcome of RFC standards currently in draft. DTLS-based RAVPN depends on the availability of DTLSv1.3 in the underlying TLS library (OpenSSL), which does not yet have a confirmed timeline.

Management access and monitoring round out the TLS surface area. PQC support for TLS client features is planned for ASA/FTD 11.0, while management web server PQC support depends on underlying web server library readiness.

Cryptography doesn't start at the protocol layer — it starts at boot. Aligned with our Secure Products pillar for end-to-end security, Cisco hardware uses Secure Boot to establish a chain of trust. This ensures only valid and signed software runs on the device. Transitioning Secure Boot to PQC-capable algorithms is critical to defend against supply-chain and firmware-level attacks in a post-quantum world.

All future firewall platforms currently in development will ship with PQC-capable hardware Secure Boot at first customer shipment. Recently released platforms such as the Secure Firewall 1200 and 6100 series have the required hardware support and will receive PQC-enabled Secure Boot through future software updates. Platforms released prior to 2025 are being evaluated, but most are expected to lack the hardware prerequisites for PQC Secure Boot.

You don't need to overhaul your network tomorrow. But you do need to start making deliberate decisions now so you're not left scrambling. Here's where to start:

Know where your encryption lives. Understand where your firewalls rely on encryption: VPN tunnels, inline decryption, management access, logging, authentication. Each of these has its own path to post-quantum readiness, and you can't plan a transition if you don't know what needs transitioning.

Build the upgrade paths into your planning cycles. FTD 10.5 (and ASA 9.25), targeted for late 2026, introduces ML-KEM, allowing VPN tunnels to gain post-quantum resilience. FTD and ASA 11.0 complete the picture in 2027 with ML-DSA and SLH-DSA, along with broader coverage for inline traffic inspection.

If you're not familiar with these algorithm names, that's OK. The most important thing is to know that the full suite of protection is coming soon. Plan your upgrade windows accordingly.

Think about hardware now, not later. If you're purchasing new firewall platforms, Cisco's newest hardware will support PQC Secure Boot. If you're running older platforms and concerned about this feature, start factoring a hardware refresh into your longer-term migration plans.

The quantum threat isn't theoretical, and the timelines aren't distant. The standards are published, the algorithms are chosen, and the roadmap is in motion. Cisco Secure Firewall is building post-quantum cryptography into every layer of the platform, so that when your organization is ready to make the transition, your firewall is ready too.

All future timelines referenced in this post are roadmap projections and subject to change. Dates are current as of April 2026.
