Almost each piece of information that strikes throughout your community and the web at massive is protected by encryption. Encryption works through the use of math issues that at the moment’s computer systems merely can’t clear up quick sufficient to crack. That’s about to vary.
Quantum computer systems are a brand new sort of machine. With out delving into physics, what issues is that this: the encryption that takes at the moment’s supercomputers tens of millions of years to interrupt will quickly be breakable inside hours. Already at the moment, it’s thought that attacker teams and nation-state actors are capturing and stockpiling encrypted knowledge, awaiting the second when It can all be unlocked. Delicate knowledge crossing your community proper now (monetary information, mental property, system credentials) could be captured at the moment and uncovered tomorrow.
The answer is a brand new class of encryption algorithms referred to as post-quantum cryptography (PQC). PQC is constructed on totally different math issues that quantum computer systems can’t shortcut the way in which they’ll with at the moment’s algorithms. NIST has finalized these algorithms as formal requirements, and governments and trade are shifting shortly to require their adoption.
The NSA is requiring all Nationwide Safety Methods purchases made after January 2027 to be future-proofed for these “quantum secure” requirements. Australia has set an aggressive 2030 migration goal. The European Union revealed its personal roadmap with phased deadlines by means of 2035. Whether or not or not your group is certain by these mandates, they may grow to be de facto baselines for the whole world. The companions you join with, the cyber insurance coverage insurance policies you carry, and the shoppers whose knowledge you deal with will all more and more measure you by these requirements.
Cisco Safe Firewall makes use of encryption for a lot of issues: VPN tunnels, distant administration, hardware-level belief, and inline decryption. For community directors this raises a really sensible query: what does this transition to post-quantum cryptography appear to be for our infrastructure? This submit lays out the place we’re, the place we’re headed, and what you have to be excited about at the moment.
The NIST requirements that matter for firewall
NIST’s PQC requirements outline three algorithms, every designed to interchange a selected class of classical cryptography. In addition they outline stronger baselines of safety for present algorithms, which are already integrated into Cisco Safe Firewall.
ML-KEM (FIPS 203) protects the second two units agree on a shared secret, the handshake at the beginning of each encrypted session. Right this moment that job is completed by algorithms like ECDH, which quantum computer systems will break. ML-KEM is totally different, constructed on a essentially totally different kind of math downside (lattice-based cryptography) that resists each classical and quantum secure assaults. Assist arrives in Safe Firewall Menace Protection (FTD) 10.5 and ASA 9.25, focused for Common Availability in late 2026.
ML-DSA (FIPS 204) is how units show their id and the way software program proves it hasn’t been tampered with. Each time your firewall authenticates a VPN peer or verifies a signed software program picture, it depends on digital signatures. Right this moment we use RSA or ECDSA, each of which quantum computer systems will break. ML-DSA is the quantum-safe substitute, additionally constructed on lattice-based cryptography. Assist is deliberate for FTD/ASA 11.0, within the second half of calendar yr 2027.
SLH-DSA (FIPS 205) is cryptography’s method of “diversifying your investments.” ML-KEM and ML-DSA are each constructed on lattice-based cryptography. SLH-DSA is deliberately constructed otherwise, utilizing a distinct hash-based math downside. Its signatures are bigger, however since its approach is totally different, it supplies a vital safeguard for networks in case the lattice-based math downside is ever weakened by future analysis. Assist is deliberate for FTD/ASA 11.0.
Cisco’s strategy operates on two tracks:
Safe Communications: integrating PQC into the protocols that carry knowledge – IPsec, TLS, SSH
Safe Merchandise: securing the merchandise themselves, making certain the firewall’s personal id, software program integrity, and boot chain are quantum-safe.
Each tracks align to the NIST requirements and are being delivered into the platform effectively prematurely of compliance deadlines and effectively earlier than quantum computer systems able to breaking at the moment’s encryption exist.
IPsec: constructing the bridge at the moment
For a lot of organizations, IPsec VPN is probably the most rapid PQC concern — notably for site-to-site tunnels defending delicate or categorised knowledge that may very well be topic to harvest-now-decrypt-later assaults. The excellent news is that Cisco hasn’t been ready for the NIST algorithms to ship earlier than offering transitional protections.
A number of vital RFCs are already supported on ASA and coming to FTD in 10.5:
RFC 8784 (Mixing Preshared Keys in IKEv2) permits a post-quantum pre-shared key (PPK) to be blended into the IKEv2 key derivation, including quantum-resistant entropy to each session even earlier than native PQC algorithms are deployed. This has been out there on ASA since model 9.18.
RFC 9242 (Intermediate Trade in IKEv2) and RFC 9370 (A number of Key Exchanges in IKEv2) allow hybrid key trade, the place each a classical and a post-quantum key settlement are carried out concurrently. This strategy is endorsed by NIST, the NSA, Germany’s BSI, and France’s ANSSI because the really useful transitional technique — offering safety in opposition to each classical and quantum adversaries throughout the migration interval. This has been out there on ASA since model 9.19.
Moreover, Cisco has developed the Safe Key Integration Protocol (SKIP), at the moment in RFC draft standing, which permits units to securely import distributed pre-shared keys from third-party suppliers / Quantum Key Distributed (QKD) units. SKIP has seen extensive adoption throughout different half of Cisco’s networking portfolio, and is a confirmed a part of Cisco’s WAN and repair supplier infrastructure at the moment. Bringing SKIP to Safe Firewall in FTD 10.5 and ASA 9.25 extends that very same framework, giving organizations a constant quantum-safe key administration answer for the community.
These capabilities imply that organizations requiring quantum-resistant protections for IPsec can usually start the journey at the moment, and full crucial items with Cisco Safe Firewall’s subsequent software program launch.
TLS: a number of surfaces, a number of timelines
TLS touches the firewall in ways in which go effectively past easy internet shopping. Every use case has its personal PQC issues:
TLS decryption — the firewall’s capacity to examine encrypted site visitors inline — positive factors PQC assist in phases. TLS decryption with PQC algorithms is focused for FTD 10.5. PQC metadata logging, offering visibility into PQC-negotiated classes, is deliberate for FTD 11.0, the identical launch deliberate to convey QUIC decryption with PQC assist.
Distant Entry VPN utilizing TLS or DTLS is deliberate for ML-KEM and ML-DSA assist in ASA/FTD 11.0, pending the end result of RFC requirements at the moment in draft. DTLS-based RAVPN is dependent upon the provision of DTLSv1.3 within the underlying TLS library (OpenSSL), which doesn’t but have a confirmed timeline.
Administration entry and monitoring spherical out the TLS floor space. PQC assist for TLS consumer options is deliberate for ASA/FTD 11.0, whereas administration internet server PQC assist is dependent upon underlying internet server library readiness.
{Hardware} belief anchors
Cryptography doesn’t begin on the protocol layer — it begins at boot. Aligned with our Safe Merchandise pillar for end-to-end safety, Cisco {hardware} makes use of Safe Boot to set up a sequence of belief. This ensures solely legitimate and signed software program runs on the gadget. Transitioning Safe Boot to PQC-capable algorithms is important to defend in opposition to supply-chain and firmware-level assaults in a post-quantum world.
All future firewall platforms at the moment in growth will ship with PQC-capable {hardware} Safe Boot at first buyer cargo. Just lately launched platforms such because the Safe Firewall 1200 and 6100 collection have the required {hardware} assist and can obtain PQC-enabled Safe Boot by means of future software program updates. Platforms launched previous to 2025 are being evaluated, however most are anticipated to lack the {hardware} conditions for PQC Safe Boot.
What this implies for planning at the moment
You don’t must overhaul your community tomorrow. However you do want to start out making deliberate decisions now so you’re not left scrambling. Right here’s the place to start out:
Know the place your encryption lives. Perceive the place your firewalls depend on encryption: VPN tunnels, inline decryption, administration entry, logging, authentication. Every of those has its personal path to post-quantum readiness, and also you can’t plan a transition when you don’t know what wants transitioning.
Construct the improve paths into your planning cycles. FTD 10.5 (and ASA 9.25), focused for late 2026, introduces ML-KEM, permitting VPN tunnels to realize post-quantum resilience. FTD and ASA 11.0 full the image in 2027 with ML-DSA and SLH-DSA, together with broader protection for inline site visitors inspection.
If you’re not aware of these algorithm names, that’s OK. A very powerful factor is to know that the total suite of protection is coming quickly. Plan your improve home windows accordingly.
Take into consideration {hardware} now, not later. If you’re buying new firewall platforms, Cisco’s latest {hardware} will assist PQC Safe Boot. If you’re working older platforms and anxious about this function, begin factoring a {hardware} refresh into your longer-term migration plans.
The quantum menace isn’t theoretical, and the timelines aren’t distant. The requirements are revealed, the algorithms are chosen, and the roadmap is in movement. Cisco Safe Firewall is constructing post-quantum cryptography into each layer of the platform, in order that when your group is able to make the transition, your firewall is prepared too.
All future timelines referenced on this submit are roadmap projections and topic to vary. Dates are present as of April 2026.
We’d love to listen to what you suppose! Ask a query and keep related with Cisco Safety on social media.
Cisco Safety Social Media
LinkedIn
Fb
Instagram
