Cisco Systems 2600, 7200, 1700, 3600, 3700 User Manual 4

CHAPTER 5
VPN and Security Products

VPN and Security Products at a Glance

Cisco PIX Security Appliance (page 5-2)
Market-leading, purpose-built appliances that provide a broad range of integrated security services:
• Robust stateful inspection firewalling with application awareness
• High-performance and scalable remote access and site-to-site VPN
• Intrusion protection for real-time response to network attacks
• Enhanced routing and network integration
• Extensive support for multimedia and VoIP applications
• Award-winning firewall stateful failover for enterprise-class resiliency

Firewall Blade for Catalyst 6500 (page 2-22)
The Firewall Module is a high-performance integrated stateful firewall solution for the Catalyst 6500 family of switches with performance exceeding 5GB. It is based on proven PIX technology while providing the following benefits to customers:
• Investment protection
• Low cost of ownership
• Ease of use
• Operational consistency
• Scalability
See the Catalyst 6500 Series Switch in Chapter 2: LAN Switching, page 2-22, for more information.

Cisco VPN 3000 Family (page 5-5)
Remote access Virtual Private Network platform:
• Has models for companies of all sizes, from small businesses to large enterprise organizations
• Reduces communications expenditures
• Enables users to easily add capacity and throughput

Cisco IDS Network Sensor (page 5-8)
Network-based, real-time intrusion detection system capable of monitoring an entire enterprise network:
• Capable of directing and forwarding alarms between local, regional, and headquarters-based monitoring consoles
• Scalable architecture that allows the deployment of large numbers of sensors in order to provide comprehensive security coverage in large networks
• Tight integration into the network through the delivery of the IDS Network Module for the Cisco Access Routers and the IDSM2 for the Catalyst 6500 switches
• CTR (Cisco Threat Response) delivers adaptive scan techniques to minimize false alarms
• Broad range of management options

Cisco Security Agent (page 5-10)
The Cisco Security Agent provides threat protection for desktop and server computing systems by identifying and preventing malicious activity. By acting on threats or attacks before they can occur, Cisco Security Agent removes known and unknown security risks to enterprise networks and applications:
• The Cisco Security Agent aggregates and extends multiple endpoint security functions by providing host intrusion prevention, distributed firewall, malicious mobile code protection, operating system integrity assurance, and audit log consolidation, all within a single agent package
• Protects against known and unknown attacks on both servers and desktops

Cisco Secure Access Control Server (ACS) for Windows and Cisco Secure Access Control Solution Engine (page 5-12)
A centralized identity networking solution that simplifies the user-management experience across all Cisco devices and security-management applications. An essential component of the Cisco Identity Based Networking Services (IBNS) architecture, it extends access security by combining authentication, user and administrator access, and policy control from a centralized identity networking framework. This allows greater flexibility and mobility, increased security, and user productivity gains. It helps ensure enforcement of assigned policies by allowing network administrators to control who can log in to the network, the privileges each user has in the network, and the security audit or account billing information that is recorded.
Cisco Secure User Registration Tool (URT) (page 5-14)
Identifies users within the network and creates user registration policy bindings that help support mobility and tracking:
• Ensures that users are associated with their authorized subnet/VLAN
• Addresses the challenges associated with campus user mobility
• Supports Web-based authentication for Windows, Macintosh, and Linux client platforms
• Secures user access to the VLAN with a MAC address-based security option
• Option to allow multiple users connected to a hub to access a VLAN served by a single switch port

CiscoWorks VPN/Security Management Solution (page 9-16)
Combines general device management tools for configuring, monitoring, and troubleshooting enterprise networks with powerful security solutions for managing virtual private networks (VPNs), firewalls, and network and host-based intrusion detection systems (IDS). An integral part of the Cisco SAFE Blueprint for Enterprise, this bundle also delivers network device inventory, change audit, and software distribution features. CiscoWorks VMS is organized into several functional areas: Firewall Management, IDS Management (network and host-based), VPN Router Management, Security Monitoring, VPN Monitoring, and Operational Management.
See Chapter 9-1—IOS Software & Network Management for more information on CiscoWorks VPN/Security Management Solution.

CiscoWorks Security Information Management Solution and CiscoWorks Security Information Management Solution Engine (page 9-18)
A solution that collects, analyzes, and correlates security event data from across the enterprise, letting you detect and respond to security events as they occur:
• Event monitoring of multivendor security environments
• Extensive reporting for operators and high-level administrators
• Risk assessment information to understand the overall vulnerability of critical network assets within the enterprise; forensics tools to investigate attacks
• Traffic utilization reports and graphs to understand changes in traffic patterns
See Chapter 9-1—IOS Software & Network Management for more information on CiscoWorks Security Information Management Solution.

Cisco IOS Firewall (page 5-15)
• Tightly integrated with IOS VPN and advanced routing technologies
• Application-aware stateful packet inspection via context-based access control (CBAC) for TCP, UDP, SIP, Skinny, H.323 and others
• Supports user authentication for HTTPS, FTP and Telnet connections
• URL filtering through router exclusive domains or use of external Websense and N2H2 servers
• Inline intrusion prevention for real-time response to network attacks, supporting 100 common attack signatures
• Dynamic, network-to-network, per-user authentication and authorization via TACACS+ and RADIUS

Cisco VPN Security Router Bundles (page 1-1)
Cisco 1700, 2600, 3600, 3700, and 7200 VPN Security Router Bundles with Enhanced Integrated Network Security. See individual product pages for more detail (page 1-1).

Cisco 1700, 2600, 3600, and 7200 (page 1-1)
Wide variety of modular router platforms with options for IOS-based and hardware-enabled VPN and security support. See individual product pages and Cisco IOS Firewall Feature Set (page 5-15).

Cisco 7100 Series (page 5-16)
Large branch and central site VPN router:
• Comprehensive suite of VPN services, including encryption, tunneling, firewall, and bandwidth management
• Embedded I/O for ease of deployment
• Service module slot for IPSec and PPTP encryption coprocessing
• Dedicated site-to-site VPN router

Cisco PIX Security Appliance Series

The world-leading Cisco PIX® Security Appliance Series provides enterprise-class, integrated network security services including stateful inspection firewalling, protocol and application inspection, virtual private networking (VPN), in-line intrusion protection, and rich multimedia and voice security in cost-effective, easy-to-deploy solutions. Ranging from compact, “plug-and-play” desktop firewalls for small offices to carrier-class gigabit firewalls for the most demanding enterprise and service-provider environments, Cisco PIX Security Appliances provide robust security, performance, and reliability for network environments of all sizes.

When to Sell

Sell This Product When a Customer Needs These Features

PIX 501
• Small Office / Home Office desktop integrated security appliance
• Up to 60 Mbps of firewall throughput
• Up to 3 Mbps of 3DES and 3.4 Mbps of AES-256 IPsec VPN throughput
• Hardware VPN client (Easy VPN Remote)
• VPN concentrator services (Easy VPN Server) for up to 10 remote users
• Integrated four-port 10/100 Mbps switch

PIX 506E
• Remote Office / Branch Office desktop integrated security appliance
• Up to 100 Mbps of firewall throughput
• Up to 16 Mbps of 3DES and 30 Mbps of AES-256 IPsec VPN throughput
• Hardware VPN client (Easy VPN Remote)
• VPN concentrator services (Easy VPN Server) for up to 25 remote users
• Maximum of two 10BASE-T Ethernet interfaces
• OSPF dynamic routing support

PIX 515E
• Small-to-Medium Business (SMB) integrated security appliance
• Up to 188 Mbps of firewall throughput
• Up to 130 Mbps of 3DES/AES-256 VPN throughput (1) using hardware acceleration (integrated in select models, optional for others)
• VPN concentrator services (Easy VPN Server) for up to 2,000 remote users
• Up to six 10/100 FE interfaces
• VLAN trunking (802.1q tag-based) and OSPF dynamic routing support
• Active/standby firewall stateful failover support

PIX 525
• Enterprise-class integrated security appliance
• Up to 330 Mbps of firewall throughput
• Up to 145 Mbps of 3DES and 135 Mbps of AES-256 VPN throughput (1) using hardware acceleration (integrated in select models, optional for others)
• VPN concentrator services (Easy VPN Server) for up to 2,000 remote users
• Gigabit Ethernet support; up to eight 10/100 FE or three Gigabit Ethernet interfaces
• VLAN trunking (802.1q tag-based) and OSPF dynamic routing support
• Active/standby firewall stateful failover support

PIX 535
• Carrier-class large enterprise and service provider firewall appliance
• Up to 1.7 Gbps of firewall throughput (1)
• Up to 425 Mbps of 3DES/AES-256 VPN throughput (1) using hardware acceleration (integrated in select models, optional for others)
• VPN concentrator services (Easy VPN Server) for up to 2,000 remote users
• Gigabit Ethernet throughput; up to ten 10/100 FE or nine Gigabit Ethernet interfaces
• VLAN trunking (802.1q tag-based) and OSPF dynamic routing support
• Redundant, hot-swappable power supplies
• Active/standby firewall stateful failover support

1. At 1400-byte packets

Key Features

• Security—Purpose-built appliance with a proprietary, hardened operating system
• Performance—Stateful inspection firewall capable of up to 500,000 concurrent connections and 1.7 Gbps of throughput (at 1400-byte packets on Cisco PIX 535 Security Appliances)
• High availability—Award-winning, active/standby firewall stateful failover provides enterprise-class, cost-effective resiliency
• Virtual Private Networking (VPN)—Supports both standards-based IPsec and L2TP/PPTP-based VPN services
• Optional PIX VPN Accelerator Card+—Scales 3DES/AES-256 VPN throughput up to 495 Mbps, using specialized co-processors designed for accelerating cryptographic operations
• Free Cisco VPN Client software provides secure connectivity across a broad range of platforms including Windows, Mac OS X, Linux and Solaris
• Network Address Translation (NAT) and Port Address Translation (PAT)—Conceals internal IP addresses and expands network address space
• Denial-of-Service (DoS) Attack Protection—Protects the firewall, internal servers and clients from disruptive hacking attempts
• OSPF dynamic routing support for improved network reliability and performance
• VLAN trunking (802.1q tag) support for simplified deployment in switched network environments
• Multimedia and VoIP support for widely popular standards: H.323 v4, TAPI, JTAPI, RTSP, SIP, MGCP and SCCP
• Web-based PIX Device Manager (PDM)—For simplified configuration, real-time and historical reports, performance baselines and security event information
• Auto Update, SSH, SNMP, TFTP, HTTPS, and Telnet for remote management
• Support from two 10/100 Ethernet interfaces up to nine Gigabit Ethernet interfaces

Competitive Products

• Check Point Software: FireWall-1 / VPN-1
• NetScreen: NetScreen Security Appliances
• Nokia: IP-Series Security Appliances
• SonicWALL: SonicWALL Security Appliances
• WatchGuard Technologies: Firebox-series and V-series Security Appliances

Specifications

PIX 501
Processor: 133 MHz
RAM: 16 MB
Flash Memory: 8 MB
PCI Slots: None
Fixed Interfaces (Physical): Four-port 10/100 switch (inside), one 10Base-T Ethernet (outside)
Maximum Interfaces (Physical and Virtual): Four-port 10/100 switch (inside), one 10Base-T Ethernet (outside)
VPN Accelerator Card+ (VAC+) Option: No
Failover Support: No
Size: Desktop

PIX 506E
Processor: 300 MHz
RAM: 32 MB
Flash Memory: 8 MB
PCI Slots: None
Fixed Interfaces (Physical): Two 10Base-T Ethernet
Maximum Interfaces (Physical and Virtual): Two 10Base-T Ethernet
VPN Accelerator Card+ (VAC+) Option: No
Failover Support: No
Size: Desktop

PIX 515E
Processor: 433 MHz
RAM: 32 or 64 MB
Flash Memory: 16 MB
PCI Slots: 2
Fixed Interfaces (Physical): Two 10/100 Fast Ethernet
Maximum Interfaces (Physical and Virtual): Six 10/100 Fast Ethernet (FE) or 8 VLANs
VPN Accelerator Card+ (VAC+) Option: Yes, integrated in select models
Failover Support: Yes, UR/FO models only
Size: 1 RU

PIX 525
Processor: 600 MHz
RAM: 128 or 256 MB
Flash Memory: 16 MB
PCI Slots: 3
Fixed Interfaces (Physical): Two 10/100 Fast Ethernet
Maximum Interfaces (Physical and Virtual): Eight 10/100 FE or GE, or 10 VLANs
VPN Accelerator Card+ (VAC+) Option: Yes, integrated in select models
Failover Support: Yes, UR/FO models only
Size: 2 RU

PIX 535
Processor: 1.0 GHz
RAM: 512 MB or 1 GB
Flash Memory: 16 MB
PCI Slots: 9
Fixed Interfaces (Physical): None
Maximum Interfaces (Physical and Virtual): Ten 10/100 FE or GE, or 24 VLANs
VPN Accelerator Card+ (VAC+) Option: Yes, integrated in select models
Failover Support: Yes, UR/FO models only
Size: 3 RU

Selected Part Numbers and Ordering Information (1)

Cisco PIX Bundles
PIX-535-UR-BUN: PIX 535 Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
PIX-535-R-BUN: PIX 535 Restricted Bundle (Chassis, restricted software, two 10/100 ports)
PIX-535-FO-BUN: PIX 535 Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
PIX-525-UR-GE-BUN: PIX 525 Unrestricted GE Bundle (Chassis, unrestricted software, two GE ports, two 10/100 ports, VPN Acceleration Card+)
PIX-525-FO-GE-BUN: PIX 525 Failover GE Bundle (Chassis, failover software, two GE ports, two 10/100 ports, VPN Acceleration Card+)
PIX-525-UR-BUN: PIX 525 Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
PIX-525-R-BUN: PIX 525 Restricted Bundle (Chassis, restricted software, two 10/100 ports)
PIX-525-FO-BUN: PIX 525 Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
PIX-515E-UR-FE-BUN: PIX 515E Unrestricted Bundle (Chassis, unrestricted software, six 10/100 ports, VPN Accelerator Card+)
PIX-515E-FO-FE-BUN: PIX 515E Failover Bundle (Chassis, failover software, six 10/100 ports, VPN Accelerator Card+)
PIX-515E-UR-BUN: PIX 515E Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
PIX-515E-R-BUN: PIX 515E Restricted Bundle (Chassis, restricted software, two 10/100 ports)
PIX-515E-FO-BUN: PIX 515E Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
PIX-515E-R-DMZ-BUN: PIX 515E DMZ Bundle (Chassis, restricted software, three 10/100 ports)
PIX-506E-BUN-K9: PIX 506E 3DES/AES Bundle (Chassis, software, 3DES/AES license, two 10-BaseT ports) (2)
PIX-501-BUN-K9: PIX 501 10 User/3DES/AES Bundle (Chassis, SW, 10 user/3DES/AES license, 4-port 10/100 switch)
PIX-501-50-BUN-K9: PIX 501 50 User/3DES/AES Bundle (Chassis, SW, 50 user/3DES/AES license, 4-port 10/100 switch)
PIX-501-UL-BUN-K9: PIX 501 Unlimited User/3DES/AES Bundle (Chassis, SW, Unlimited Users 3DES/AES license, 4-port 10/100 switch)

Cisco PIX Interfaces and Cards
PIX-1GE-66: PIX 66-MHz Single-port Gigabit Ethernet interface card (multimode fiber, SC connector)
PIX-4FE-66: PIX 66-MHz Four-port 10/100 Fast Ethernet interface card, RJ45
PIX-1FE: PIX Single-port 10/100 Fast Ethernet interface card
PIX-VPN-ACCEL: PIX DES/3DES VPN Accelerator Card (VAC)
PIX-VPN-PLUS: PIX DES/3DES/AES VPN Accelerator Card+ (VAC+)

PIX Accessories
PIX-506E-PWR-AC: Redundant AC power supply for PIX 506E
PIX-515-PWR-DC: Redundant DC power supply for PIX 515/515E

1. This is only a small subset of all parts available via the URL listed under “For More Information”. Some parts have restricted access or are not available through distribution channels. Resellers: For the latest part number and pricing info, see the Distribution Product Reference Guide at: http://www.cisco.com/dprg (limited country availability).

For More Information

See the PIX Security Appliance Web site:
http://www.cisco.com/go/pix

Cisco VPN 3000 Family

The Cisco VPN 3000 Concentrator Series—A family of purpose-built, remote access Virtual Private Network (VPN) platforms that incorporates high availability, high performance and scalability with the most advanced encryption and authentication techniques available today. Customers can greatly reduce costs by leveraging their ISPs’ infrastructure and eliminating costly leased lines. This series supports small offices as well as large organizations with up to 10,000 simultaneous remote users per unit. With load balancing configured, multiple units can be clustered to enable unlimited remote access users. It also supports the widest range of VPN clients including the Certicom MovianVPN client, Microsoft 2000 L2TP/IPsec Client, and Microsoft PPTP for Windows 95/98/ME/NT/2000/XP.
The Cisco VPN 3002 Hardware Client—Combines the best capabilities of a software client with the reliability and stability of a dedicated hardware platform, and scales to tens of thousands of users. It sets up connections to a variety of Cisco VPN concentrators, including the VPN 3000 series and PIX firewalls.

When to Sell

Sell This Product When a Customer Needs These Features

VPN 3005 and 3015 Concentrators
• A fixed configuration device designed for small- to medium-sized organizations with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) and up to 100 simultaneous remote access sessions
• Encryption processing is performed in software
• VPN 3015 is field-upgradable to the Cisco VPN 3030 and 3060 models and for redundancy

VPN 3030 and 3060 Concentrators
• VPN 3030 is for medium- to large-sized organizations with bandwidth requirements from full T1/E1 through T3/E3 (50 Mbps max. performance) and up to 1500 simultaneous sessions; field-upgradeable to the Cisco VPN 3060
• VPN 3060 is for large organizations with high-performance, high-bandwidth requirements from fractional T3 through full T3/E3 or greater (100 Mbps max. performance) and up to 5000 simultaneous remote access sessions
• Both have specialized SEP modules to perform hardware-based acceleration

VPN 3080 Concentrator
• Optimized to support large enterprise organizations that demand the highest level of performance combined with support for up to 10,000 simultaneous remote access sessions
• Specialized SEP modules perform hardware-based acceleration

VPN 3000 Client
• Establishes secure, end-to-end encrypted tunnels to the Cisco VPN 3000 Concentrator and other Cisco Easy VPN compliant devices
• Provided at no charge, installs on PCs and is available for Windows, MAC OS X and Linux/Solaris environments

VPN 3002 Hardware Client
• Emulates the software client in hardware
• Ideal for mixed operating system environments, where the corporation does not own/control the remote PC, or for very large deployments requiring a large number of devices, due to ease of deployment, upgradability and scalability

Key Features

Cisco VPN 3000 Concentrator Series
• Support for industry standard IPSec DES/3DES/AES and Cisco IPSec/NAT for VPN access through Port Address Translation firewalls
• Unlimited-use license for Cisco VPN Client distribution included at no cost, with multiple OS support including Windows, MAC OS X, Linux and Solaris; also integrates with the Zone Alarm personal firewall
• Supports standard authentication: RADIUS, SDI Tokens, and Digital Certificates
• VPN load balancing allows multiple units to cluster as a single shared pool
• Cisco VPN 3002 Hardware Client supports up to 253 users/stations per VPN 3002
• Works with most operating systems including Windows, Linux, Solaris, and MAC OS X
• Auto-upgrade capability automates upgrades with no user intervention required
• Client technology employs push policy and automatic address assignment from the central site concentrator, enabling virtually unlimited scalability

Competitive Products

• Nortel: Contivity products
• Netscreen: LAN to LAN environments
• Nokia

Specifications

Cisco VPN 3000 Series Concentrators

VPN 3005
Simultaneous Users: 100
Encryption Throughput: 4 Mbps
Encryption Method: Software
Encryption (SEP) Modules: 0
Redundant SEP: No
Expansion Slots: 0
Upgradeable: No
Memory: 32 MB
Hardware Configuration: 1U, Fixed
Power Supply: Single
Client License: Unlimited
LAN-to-LAN Connections (internal user database): 100
Dimensions (H x W x D): 1.75 x 17.5 x 11.5 in.

VPN 3015
Simultaneous Users: 100
Encryption Throughput: 4 Mbps
Encryption Method: Software
Encryption (SEP) Modules: 0
Redundant SEP: No
Expansion Slots: 4
Upgradeable: Yes
Memory: 128 MB
Hardware Configuration: 2U, Scalable
Power Supply: Single, with a dual option
Client License: Unlimited
LAN-to-LAN Connections (internal user database): 100
Dimensions (H x W x D): 3.5 x 17.5 x 14.5 in.

VPN 3030
Simultaneous Users: 1500
Encryption Throughput: 50 Mbps
Encryption Method: Hardware
Encryption (SEP) Modules: 1
Redundant SEP: Optional
Expansion Slots: 3
Upgradeable: Yes
Memory: 128 MB
Hardware Configuration: 2U, Scalable
Power Supply: Single, with a dual option
Client License: Unlimited
LAN-to-LAN Connections (internal user database): 500
Dimensions (H x W x D): 3.5 x 17.5 x 14.5 in.

VPN 3060
Simultaneous Users: 5000
Encryption Throughput: 100 Mbps
Encryption Method: Hardware
Encryption (SEP) Modules: 2
Redundant SEP: Optional
Expansion Slots: 2
Upgradeable: N/A
Memory: 256 MB
Hardware Configuration: 2U, Scalable
Power Supply: Single, with a dual option
Client License: Unlimited
LAN-to-LAN Connections (internal user database): 1000
Dimensions (H x W x D): 3.5 x 17.5 x 14.5 in.

VPN 3080
Simultaneous Users: 10,000
Encryption Throughput: 100 Mbps
Encryption Method: Hardware
Encryption (SEP) Modules: 4
Redundant SEP: Yes
Expansion Slots: N/A
Upgradeable: N/A
Memory: 256 MB
Hardware Configuration: 2U
Power Supply: Dual
Client License: Unlimited
LAN-to-LAN Connections (internal user database): 1000
Dimensions (H x W x D): 3.5 x 17.5 x 14.5 in.

Cisco VPN 3002 Hardware Client
Hardware: Motorola PowerPC processor; dual flash image architecture
Processor: Motorola PowerPC
Network Interfaces: CPVN3002-K9: one public 10/100 Mbps RJ-45 Ethernet interface and one private 10/100 Mbps RJ-45 Ethernet interface. CVPN3002-8E-K9: one public 10/100 Mbps RJ-45 Ethernet interface and eight private 10/100 Mbps RJ-45 Ethernet interfaces via AUTO-MDIX switch
Physical Dimensions: 1.967 x 8.6 x 6.5 in. (5 x 8.6 x 16.51 cm)
Power Supply: External AC operation: 100-240V at 50/60 Hz with universal power factor correction; 4-foot cord included and international “pigtail” power cord selection
Tunneling Protocol Support: IPsec with IKE key management
Monitoring & Configuration: Event logging; SNMP MIB-II support; embedded management interface accessible via console port or local web browser; SSH/SSL
Encryption Algorithms, Key Management & Authentication Algorithms: 56-bit DES (IPsec); 168-bit Triple DES (IPsec); AES 128- and 256-bit (IPsec)