KEY FEATURES
■ Secure LAN to LAN connectivity over the Internet featuring 144 bit encryption
■ Multiple protocol support including Frame Relay, X.25, EuroISDN and PPP
■ Easy configuration and management with Intel Device View for Windows*
Intel Express Routers
The VPN routers for secure networking over the Internet.
Intel Express Routers can now secure your private business communications for safe
transmission over the Internet, while continuing to offer a simple and cost effective
solution for all your traditional WAN routing needs. With two or more Express Routers,
you can create a secure Virtual Private Network over the Internet. Powerful encryption
and tunneling capabilities safeguard your data. With the comparatively low cost of
Internet access, you can save as much as 80% of the cost of dedicated long distance
WAN connections.
Intel Express Routers provide a rich set of features while simplifying the traditional
complexity of router installation and management. An Intel Express Router can be
up and running in minutes, using simple menu-based options with default settings
that will satisfy most network situations. Management is also easy, with powerful
Windows* OS-based SNMP management tools that provide a hierarchical view of each
WAN and LAN connection for monitoring and troubleshooting.
You get sophisticated control of WAN link activity. Features such as advanced
filtering, data compression and Network Address Translation (NAT) are built in
to each router, ensuring efficient data transmission, a secure data link across the
public domain, and a safeguard that restricts public access to your private LAN.
Unlike other router solutions in which software and other important components
are costly add-ons, Intel Express Routers are complete, cost-effective solutions.
Each Intel Express Router includes all the hardware and software needed for full
installation. The only item packaged separately is the appropriate WAN interface
cable for the environment.
Intel Express Routers are designed for network environments worldwide,
with support for a range of WAN protocols and interfaces. They integrate with other
Intel networking products for a complete corporate internetworking solution.
NEW FEATURES
■ Secure Virtual Private Network support
■ Even easier-to-use console interface
■ Robust new features added to Intel Device View for Windows*
■ Enhanced SNMP support
■ Support for RMON groups 1, 2, 3 and 9
■ Frame Relay encryption (per link)
■ Improved diagnostic tools
Intel Express Routers
The features described below are supported by
all Intel Express Routers. The router models are
differentiated by the WAN support they provide.
Secure business communication over the Internet –
Virtual Private Networks and more
The Internet offers unprecedented savings as a means of
long distance corporate communication. In fact, Internet
access can easily cost as little as 20% of the cost of a traditional
WAN connection. But how do you keep your vital business
data secure as it crosses the public domain?
Intel Express Routers provide a simple and inexpensive
solution, enabling you to create a highly secure Virtual Private
Network (VPN) over the Internet and public Frame Relay
and X.25 networks. There’s no need to alter your existing
network architecture. Security is provided by using an Intel
router for each point at which you connect to the Internet.
Powerful encryption keeps your data private. (See the sidebar
on tunneling for more information.)
Other security features include:
■ Data encryption. Encryption is available when used over
Point-to-Point Protocol (PPP) or Frame Relay links. Encryption
is performed using the Blowfish algorithm, with a 144 bit
encryption key. For best effectiveness, encryption is performed
across the entire data stream rather than on individual packets
only. All Express Router models come in two versions – with
or without encryption.
■ Network Address Translation (NAT). Network Address
Translation enhances security by hiding internal IP addresses
when data is sent over the Internet or WAN. NAT also provides
considerable savings in time and money by eliminating the need
to redesign your business’s internal TCP/IP addressing scheme
when connecting to the Internet or remote sites with conflicting
IP addressing schemes.
Using NAT, an Intel Express Router automatically assigns
a unique Internet IP address to each internal LAN address,
enabling transparent communication with those outside your
corporate network. Alternatively, the router can maintain a
pool of unique IP addresses, assigning a temporary address to
a workstation whenever it connects over the Internet or WAN.
This method requires fewer official Internet IP addresses.
■ Authentication – PAP, CHAP. To ensure that Intel
Express Routers communicate only with other authorized
devices, the routers can be configured to use the Password
Authentication Protocol (PAP) or the Challenge Handshake
Authentication Protocol (CHAP) when communicating
over PPP links. The routers will demand authentication
whenever the link is established.
Over ISDN (EuroISDN only) and analog modems, PPP
Call Back can be used for authentication. If a user dials in for
access to the LAN, the router cuts the connection, then calls
back to ensure that it’s an authorized link. PPP Call Back is
compatible with the Microsoft Call Back standard.
■ Filtering. IP and IPX filtering eliminates unauthorized
communication over the WAN or LAN link. By tightly
defining filters to pass communication only to and from
authorized sources, links remain secure.
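The PAP and CHAP options in the authentication item above, as an added example (not Intel's code or configuration): PAP carries the password in cleartext, while CHAP as defined in RFC 1994 answers a fresh challenge with an MD5 hash, so a response captured on one link setup fails on the next. The secret, peer ID and class name are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample secret; not taken from any router configuration.
SHARED_SECRET = b"example-link-secret"


def pap_request(peer_id, password):
    """PAP Authenticate-Request data: peer ID and password travel in cleartext."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: hash of Identifier octet || secret || challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side: issues a new challenge each time the link comes up."""
    def __init__(self, secret):
        self.secret, self.identifier, self.challenge = secret, 0, b""

    def new_challenge(self):
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(16)  # unpredictable value per link setup
        return self.identifier, self.challenge

    def verify(self, identifier, response):
        if identifier != self.identifier or not self.challenge:
            return False
        expected = chap_response(identifier, self.secret, self.challenge)
        self.challenge = b""  # each challenge accepts at most one answer
        return hmac.compare_digest(expected, response)


def demo():
    auth = ChapAuthenticator(SHARED_SECRET)
    ident, chal = auth.new_challenge()
    captured = chap_response(ident, SHARED_SECRET, chal)  # seen on the wire
    wire = pap_request(b"site-a", SHARED_SECRET)
    fresh_ok = auth.verify(ident, captured)
    ident2, _ = auth.new_challenge()  # link re-established later
    replay_ok = auth.verify(ident2, captured)  # old response replayed
    return {
        "pap_leaks_secret": SHARED_SECRET in wire,
        "chap_leaks_secret": SHARED_SECRET in chal + captured,
        "fresh_ok": fresh_ok, "replay_ok": replay_ok,
    }
```

CHAP's strength still depends on the shared secret: anyone who records a challenge and response can test guesses offline, so the secret should be long and random.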
Comprehensive cost control of WAN links
Traditionally, WAN link traffic is by far the most expensive
cost component of WAN connections. Intel Express Routers
help control WAN link costs while also maximizing the available bandwidth for data communication. They do this in a
variety of ways:
■ Data compression. Data compression allows the transmission of more information over the same bandwidth on
a WAN connection. Software-based LZS data compression
is supported in the Intel Express 9100, 9200, 9201 and
9300 Routers for Frame Relay and PPP. LZS is an industry
accepted specification providing typical compression rates
of approximately 4:1 and interoperability with other routers.
The hardware-based data compression supported in the Intel
Express Router 9400 is also based on the LZS algorithm.
This distinctive feature allows compression while running at
full bandwidth. X.25 and LAPB compression is supported
in an implementation that requires Express Routers at both
ends of the connection.
■ Filtering. Filtering eliminates unnecessary communication
over the WAN link. With tightly defined filters, only essential
traffic passes through, thus lowering communication costs. The
Intel Express Routers support filters for IP, IPX and bridging.
[Figure: Site A, Site B and Site C, each with an Intel Express Router (with tunneling enabled) on a local private WAN link to ISP (PPP, Frame Relay or X.25) reaching an ISP POP, joined across the public Internet by a secure tunnel: IP, IPX or bridged LAN traffic encrypted, compressed by PPP and encapsulated in IP.]
■ IPX/SPX spoofing. The Novell IPX protocol sends IPX
Watchdog packets between servers and clients on a regular
basis to ensure that IPX sessions remain valid. Similarly, SPX
sends keep-alive packets between clients to ensure that SPX
sessions are still active. The packets continually activate the WAN
link, which significantly increases the cost of operation. Intel
Express Routers prevent these unnecessary dial-up connections
by answering the packets on behalf of remote clients until the
WAN link is established for data communication.
■ Triggered RIP. Standard RIP updates are transmitted
between routers at regular intervals and whenever a topology
change occurs. With Triggered RIP, the routers store these
updates until the next WAN link is established, and thereafter
send only those updates that report a topology change. By
eliminating unnecessary information exchange between routers,
Triggered RIP reduces the cost of the WAN link and maximizes
the available bandwidth for data communication.
■ IP and IPX static routes. Even with Triggered RIP updates
sent via IP and IPX, keeping track of topology changes can
consume valuable bandwidth on the WAN link and increase
costs. To prevent routing updates from being sent over the
WAN link at all, users can establish static routes.
■ Controlled bridging. Intel Express Routers offer user-defined
control of the bridging functions. For example, the routers
can be configured to forward data only to known destinations,
helping to ensure that only essential information is forwarded.
■ EuroISDN cost control. Timer profiles and link accounting
are especially useful for controlling WAN link costs on ISDN-based (EuroISDN only) networks. Timer profiles (up to 16) can
be used to restrict outgoing and incoming access to the WAN link.
For example, access can be restricted to times when operating
tariffs are lowest. Link accounting allows usage monitoring of
the ISDN link, including the number of calls and cumulative
uptime. An activity alarm can be set to close the ISDN links
or send an alert when usage reaches a predefined threshold.
To control and consolidate the billing of dial-in connections
over analog or ISDN modems, the Call Back feature can be
used. In this case, the router cuts the inbound connection, then
immediately calls back the remote site so the billing originates
from the central site.
Tunneling – Secure Use of the Internet
Via a Virtual Private Network (VPN)
With two or more Intel Express Routers, you can use tunneling
and encryption to create a VPN that allows safe use of the Internet
to send and receive secure business data between LANs. You get
the security of a private network at the vastly lowered expense
of simple Internet connections. Typically, because of current
limitations in the Internet infrastructure, VPNs are most suitable
for non real-time or lower bandwidth traffic.
Tunneling with Intel Express Routers is supported by powerful
encryption, using the Blowfish algorithm, with a 144 bit encryption
key. Compare this with competing solutions providing key lengths
of only 40 to 128 bits – this is strong encryption. For even greater
security, you can use a different key for each tunnel.
Before any data enters the public domain, each packet is
encrypted and placed in a separate envelope for transmission.
For best effectiveness, the encryption is performed across the
entire data stream rather than on individual packets only. Even
the original source and destination address of the data stream
are hidden from potential hackers.
With Intel Express Routers, configuring a tunnel is simple.
You don’t have to modify applications or add any specialized
software to your LAN. Just enter the IP address of the router at
the remote site and enter the same encryption key on both ends
of the communication. The connection will work with virtually
any ISP and travel as easily as open traffic through the Internet.
Because Intel’s solution encapsulates tunneled traffic in
standard IP, Intel Express Routers can tunnel any LAN protocol
they can route or bridge, including IPX. This allows existing
LAN applications to be used unchanged over the Internet tunnel.
LAN to LAN Connectivity Via
Virtual Private Network Over the Internet