
Alcatel-Lucent VPN Firewall Brick 1200 Security Appliance
VPN, VoIP and QoS Security Gateways
The Alcatel-Lucent VPN Firewall Brick® 1200 security appliances take data security to new levels by providing up to 4.75 Gbps firewall throughput, along with integrated high-speed VPN, VoIP security, VLAN and virtual firewall capabilities at a breakthrough price. With QoS bandwidth management features, built-in IDS/DoS protections and high network performance, the VPN Firewall Brick 1200 security appliances provide solid security for large enterprises, data centers and network-edge environments. This carrier-grade IP services platform provides excellent value with low price/performance and total ownership costs, enabling service providers, government entities and large enterprises to deploy secure IP and VPN services that enhance their business while maximizing returns on their capital investments.
APPLICATIONS
Advanced security services
VPN services for site-to-site and remote access
Bandwidth management capabilities
VoIP Security
Secure data center Web and application hosting
Storage network security solution
Mobile data security
Packet Data Gateway and Packet Data Interworking functions for fixed mobile convergence, Wi-Fi VPN and VoIP/data security
Managed Security Services
Unlicensed Mobile Access (UMA) and IP Multimedia Subsystem (IMS) Security
FEATURES
Integrated security platform — Provides high-speed firewall, VPN, QoS, VLAN and virtual firewall capabilities in one configuration
Industry-leading throughput — Delivers up to 4.75Gbps firewall performance, 1.7Gbps 3DES and AES VPN performance with built-in encryption accelerator cards (EAC), depending on the Brick 1200 security appliance version selected.
Innovative security services — Includes advanced distributed denial of service attack protection, latest IKEv2 standards, strong authentication and real-time monitoring, logging and reporting
High capacity — Supports up to 20,000 simultaneous VPN tunnels, 4,094 VLANs, 1100 virtual firewalls, and 3 million simultaneous sessions (HS version)
BENEFITS
Higher performance — Deliver an enhanced user experience with up to 4.75 Gbps cleartext and 1.7 Gbps 3DES and AES IPSec VPN throughput, combined with best-in-class bandwidth management — with customer-level, user-level and server-level QoS control
Low price/performance — Get outstanding security and throughput for less than the per-Mbps price of major competitors
Low cost of ownership — One configuration supports multiple IP services with no additional or recurring licensing fees
Flexible deployment — Options include premises- or network-based services with shared or dedicated hardware environments
Economical growth path — Seamless migration to advanced VoIP, QoS and VPN security services with no added infrastructure investments
FEATURES AND BENEFITS
Central staging and secure remote management — Provides integrated control over thousands of VPN Firewall Brick appliances and IPSec client users (including the Alcatel-Lucent IPSec Client) from one console, using the Alcatel-Lucent Security Management Server (SMS) software
High-availability architecture — Eliminates any single point of failure
Proven secure — Virtually impenetrable hardened security operating system coupled with secure management infrastructure
Plug-and-play interoperability — There's no need for costly network reconfigurations or on-site support
Cost-effective business continuity — Take advantage of low-priced encryption performance and maintain carrier-class reliability for today's data-heavy business applications
Assured business continuity — Native high availability with carrier-class reliability
Centralized, scalable, carrier-class management — Centrally manage up to 20,000 VPN Firewall Brick security appliances and 500,000 Alcatel-Lucent IPSec Client (or third-party IPSec client) users with Alcatel-Lucent Security Management Server v9.0 or later
TECHNICAL SPECIFICATIONS
Processor/Memory
3.6 GHz processor with 2 GB of RAM for Brick 1200 HS AC and DC models
3.2 GHz processor with 1 GB of RAM for Brick 1200 AC model
LAN/VPN Interfaces
BRICK 1200 HS AC AND DC MODELS
(14) 10/100/1000 copper ports
(6) GigE mini-GBIC SFP ports
(1) VPN Encryption Accelerator
BRICK 1200 AC MODEL
(8) 10/100/1000 copper ports
(2) GigE mini-GBIC SFP ports
(1) VPN Encryption Accelerator
Other Ports
SVGA video, DB9 serial, PS/2 keyboard, 4xUSB
Performance
BRICK 1200 HS AC OR HS DC
Concurrent sessions – 3,000,000
New sessions/second – 45,000
Rules – 30,000 (shared among all virtual firewalls)
Maximum cleartext throughput – 4.75 Gbps (1460 byte UDP packets)
Maximum cleartext PPS throughput – 2,200,000 pps (78 byte UDP packets)
Maximum 3DES and AES 256 throughput with hardware encryption acceleration – 1.7 Gbps (1460 byte UDP packets)
Maximum 3DES and AES 256 PPS throughput with hardware encryption acceleration – 480,000 pps (78 byte UDP packets)
BRICK 1200 AC
Concurrent sessions – 2,000,000
New sessions/second – 30,000
Rules – 30,000 (shared among all virtual firewalls)
Maximum cleartext throughput – 4.1 Gbps (1460 byte UDP Packets)
Maximum cleartext PPS throughput – 2,016,000 pps (78 byte UDP Packets)
Maximum 3DES and AES 256 throughput with hardware encryption – 1.1 Gbps (1460 byte UDP Packets)
Maximum 3DES and AES 256 PPS throughput with hardware encryption – 332,000 pps (78 byte UDP Packets)
Virtualization
Maximum number of virtual firewalls – 1100 (Brick 1200 HS AC or DC)
Maximum number of virtual firewalls – 500 (Brick 1200 AC)
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses
Modes of Operation
Bridging and/or routing on all interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound on any combination of ports
Layer-2 VLAN bridging
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation and VPN tunnel endpoints
PPPoE and DHCP-assignable interface/VLAN addresses
Redundant DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick security appliance address for centralized remote management
Nested zone rule sets for common firewall policies for all Bricks in the zone
Link Aggregation
Mobile Brick using integrated DHCP Client.
Services Supported
Bootp, http, irc, netstat, pop3, SNMP, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, LDAP, ntp, rip2, syslog, shell, X11, exec, gmp, login, OSPF, rlogin, telnet, talk, H.323, SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP/SIP, Gopher, IPSec, netbios, pointcast, mtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by SAP/Ethertype
Layer-7 Application Support
Application Filter architecture supports layer-7 protocol inspection (deep packet inspection) for command and protocol validation, protocol anomaly detection, dynamic channel pinholes and application layer address translation. Application filters include http, ftp, RPC, tftp, H.323/H.323 RAS, SMTP, Oracle SQL*Net, NetBIOS, ESP, DHCP Relay, DNS, GTP, and SIP
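What "command validation" and "dynamic channel pinholes" mean in practice, shown for FTP, the most familiar protocol that needs both. This is an added example written for this page; it is not Alcatel-Lucent code and does not describe how the Brick's own filter is built. The command whitelist, the 512-byte control-line cap and the rule that a PORT or 227 address must belong to the peer that sent it (classic FTP bounce protection) are assumptions chosen for illustration.

```python
"""Toy FTP application filter (constructed example): command recognition,
line-length enforcement and dynamic data-channel pinholes.

Assumptions, not taken from the datasheet: the command whitelist below, a
512-byte control-line cap, and refusing PORT/227 addresses that do not
belong to the peer that sent them (FTP bounce protection)."""
import re
from dataclasses import dataclass

MAX_LINE = 512          # hard cap on one control-channel line (assumed value)
ALLOWED_CMDS = {"USER", "PASS", "CWD", "PWD", "TYPE", "PORT", "PASV",
                "LIST", "RETR", "STOR", "QUIT", "NOOP", "SYST", "FEAT"}

# h1,h2,h3,h4,p1,p2 as used by PORT and by the "227 Entering Passive Mode" reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Pinhole:
    """A temporary allow entry: src_ip may open a TCP connection to dst_ip:dst_port."""
    src_ip: str
    dst_ip: str
    dst_port: int


def _line_ok(line):
    """Length cap plus rejection of control characters other than the trailing CR/LF."""
    body = line.rstrip("\r\n")
    return len(line) <= MAX_LINE and all(ord(c) >= 0x20 for c in body)


def _parse_hostport(text):
    """Decode the comma-separated address/port form; None if absent or out of range."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def inspect_client_line(line, client_ip, server_ip):
    """Validate one client->server control line.
    Returns ("allow", Pinhole or None) or ("drop", reason)."""
    if not _line_ok(line):
        return "drop", "malformed or over-long line"
    cmd, _, arg = line.strip().partition(" ")
    cmd = cmd.upper()
    if cmd not in ALLOWED_CMDS:
        return "drop", "unknown command " + cmd
    if cmd == "PORT":
        hp = _parse_hostport(arg)
        if hp is None:
            return "drop", "malformed PORT argument"
        ip, port = hp
        # The client may only ask the server to connect back to the client
        # itself, and only on an unprivileged port.
        if ip != client_ip or port < 1024:
            return "drop", "PORT target is not the client (bounce attempt)"
        return "allow", Pinhole(src_ip=server_ip, dst_ip=client_ip, dst_port=port)
    return "allow", None


def inspect_server_line(line, client_ip, server_ip):
    """Validate one server->client reply; a 227 reply opens a client->server pinhole."""
    if not _line_ok(line):
        return "drop", "malformed or over-long line"
    if line.startswith("227"):
        hp = _parse_hostport(line)
        if hp is None:
            return "drop", "malformed 227 reply"
        ip, port = hp
        if ip != server_ip:
            return "drop", "227 address is not the server"
        return "allow", Pinhole(src_ip=client_ip, dst_ip=server_ip, dst_port=port)
    return "allow", None


if __name__ == "__main__":
    # Constructed sample exchange between a client and a server.
    c, s = "10.0.0.5", "192.0.2.10"
    for line in ("USER alice\r\n", "PORT 10,0,0,5,4,1\r\n",
                 "PORT 192,0,2,99,0,25\r\n", "SITE EXEC id\r\n"):
        print(line.strip(), "->", inspect_client_line(line, c, s))
    print(inspect_server_line("227 Entering Passive Mode (192,0,2,10,195,80).\r\n", c, s))
```

The pinhole returned for a valid PORT or 227 is what a firewall would install as a short-lived session entry for the data channel, and remove once the transfer connection closes; without that step the only alternatives are leaving a wide static hole for all high ports or breaking FTP entirely.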
Firewall Attack Detection and Protection
Generalized Day 0 anomaly-based flood protection with patent-pending Intelligent Cache Management Protections
SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, and rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
Fragment flood protection with robust fragment reassembly; ensures no partial or overlapping fragments are transmitted
Generalized IP packet validation including detection of malformed packets
DoS mitigations for over 190 DoS attacks, including ping of death, land attack, tear drop attack, etc.
Drops bad IP options as well as source route options
Connection rate limits to minimize effects of new attacks.
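What "bad TCP flag combinations", "partial or overlapping fragments" and "connection rate limits" amount to in code, as an added example that is not part of the datasheet and does not describe the Brick's internal implementation. The three checks are a stateless TCP flag validator, a strict fragment reassembler that drops rather than repairs overlapping or incomplete datagrams (the overlap is what a teardrop-style attack relies on, and "first fragment wins" versus "last fragment wins" resolution is what lets an attacker show a policy check one payload and the host another), and a per-source sliding-window limit on new connections. Flag bit values and the 8-byte alignment rule for non-final fragments follow RFC 793 and RFC 791; which combinations to reject, and the limiter parameters, are my choices.

```python
"""Packet-validation checks (constructed example): bad TCP flag
combinations, strict IP fragment reassembly and per-source
connection-rate limiting. Fragment offsets here are in bytes; a real IPv4
header carries them in 8-byte units."""
from collections import defaultdict, deque

# TCP flag bits, low to high (RFC 793 plus the ECN bits of RFC 3168)
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 1, 2, 4, 8, 16, 32, 64, 128


def tcp_flags_ok(flags):
    """Reject combinations no conforming stack emits. These are the
    signatures of NULL, FIN and Xmas scans and of SYN+FIN / SYN+RST probes
    that some stacks and filters historically mishandled."""
    if flags & (FIN | SYN | RST | ACK) == 0:        # NULL scan: nothing set
        return False
    if flags & SYN and flags & (FIN | RST):         # SYN+FIN, SYN+RST
        return False
    if flags & FIN and not flags & ACK:             # FIN/Xmas: FIN needs ACK
        return False
    return True


def reassemble(fragments):
    """fragments: iterable of (offset, payload, more_fragments).
    Returns the reassembled payload, or None if the set is incomplete, has
    a gap, or any two fragments overlap. Overlaps are dropped rather than
    resolved (assumed policy: never forward a datagram whose content the
    firewall could not verify unambiguously)."""
    expected = 0
    out = bytearray()
    final_seen = False
    for off, data, mf in sorted(fragments, key=lambda f: f[0]):
        if final_seen or not data:
            return None          # data after the last fragment, or an empty fragment
        if off < expected:
            return None          # overlaps the previous fragment (teardrop-style)
        if off > expected:
            return None          # gap: the datagram is partial
        if mf and len(data) % 8:
            return None          # non-final fragments must be 8-byte multiples (RFC 791)
        out += data
        expected += len(data)
        final_seen = not mf
    return bytes(out) if final_seen else None


class ConnectionRateLimiter:
    """Allow at most `limit` new connections per source within any `window`
    time units (sliding window). Timestamps are supplied by the caller so
    the check is deterministic and testable."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._seen = defaultdict(deque)

    def allow(self, src_ip, now):
        q = self._seen[src_ip]
        while q and now - q[0] >= self.window:
            q.popleft()                  # expire events outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed samples: one Xmas probe, one teardrop-style fragment pair.
    print("Xmas flags accepted:", tcp_flags_ok(FIN | PSH | URG))
    print("teardrop reassembled:", reassemble([(0, b"A" * 24, True), (8, b"B" * 20, False)]))
    rl = ConnectionRateLimiter(limit=3, window=1000)
    print([rl.allow("10.0.0.1", t) for t in (0, 100, 200, 300, 1100)])
```

The limiter keys on source address only; a real device would also rate-limit per destination and per rule, and the SYN-flood protection listed above is a different mechanism (typically SYN cookies or a SYN proxy in front of the server) rather than a counter.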
QoS/Bandwidth Management
Classified by physical port, virtual firewall, firewall rule, session
Bandwidth guarantees – Into and out of virtual firewall, allocated in bits/second
Bandwidth limits – Into and out of virtual firewall, allocated in bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching
Integrated with application layer filters
Content Security
HTTP Filter keyword support integrated with HTTP Application Filter
Basic content filtering with configurable whitelist/blacklist and content keyword matching.
URL redirection for blacklist sites
Rules-based routing feature for HTTP, SMTP and FTP (Security Management Server v9.1 or later)
¬ Interoperates with all 3rd party Anti-virus, Anti-Spam, and Content Filtering systems
¬ Redirects only protocol-specific packets to 3rd party systems performing Anti-virus, Anti-spam, and content filtering services.
Application-layer protocol command recognition and filtering
Application-layer command line length enforcement
Unknown protocol command handling
Extensive session-oriented logging for
application-layer commands and replies
Hostile mobile code blocking (Java®, ActiveX™)
Firewall User Authentication
Browser-based authentication allows authentication of any user protocol
Built-in internal database – user limit 10,000
Local passwords, RADIUS, SecurID
User assignable RADIUS attributes
Certificate authentication
VPN
Maximum number of dedicated VPN tunnels – 7,500
Manual Key, IKEv1, IKEv2, DoD PKI, X.509
3DES (168-bit), DES (56-bit)
AES (128, 192, 256-bit)
SHA-1 and MD5 authentication/integrity
Replay attack protection
Remote access VPN
Site-to-site VPN
IPSec NAT Traversal/UDP encapsulated IPSec
IKEv2 IPSec NAT Traversal and dead peer detection
LZS compression
Spliced and nested tunneling
Fully meshed or hub and spoke site-to-site VPN
VPN Authentication
Local passwords, RADIUS, SecurID, X.509 digital certificates
PKI Certificate requests (PKCS 12)
Automatic LDAP certificate retrieval
DoD PKI
High Availability
VPN Firewall Brick security appliance to VPN Firewall Brick security appliance active/passive failover with full synchronization
400 millisecond device failure detection and activation
Session protection for firewall, VoIP and VPN
Link failure detection
Alarm notification on failover
Encryption and authentication of session
synchronization traffic
Self-healing synchronization links
Pre-emption and IP tracking for improved health state checking
Seamless system upgrade with no downtime for redundant deployments
Diagnostic Tools
Out of band debugging and analysis via serial port/modem/terminal server
Centralized, secure remote console to any VPN Firewall Brick
VPN Firewall Brick security appliance supports Ping, Traceroute, and Packet Trace with filters
Remote Brick security appliance bootstrapping
Real-time log viewer analysis tool
Java-based Navigator for remote access to management system
3-Tier Management Architecture
Centralized, carrier-class, active/active management architecture with Alcatel-Lucent Security Management Server (SMS) software
Secure VPN Firewall Brick to SMS communications with Diffie-Hellman key exchange, 3DES encryption, SHA-1 authentication and integrity, and digital certificates for VPN Firewall Brick security appliance/Alcatel-Lucent Security Management Server authentication
Up to 100 simultaneous administrators securely managing all aspects of up to 20,000 VPN Firewall Brick units in a hierarchical management cluster.
Secure, reliable, redundant real-time alarms, logs, reports
Certifications
ICSA V4.1 Firewall Certification in process,
ICSA V1.2 IPSec Certification in process,
FIPS 140-2 Certification in process
EAL-4 Certification in process
NEBS™ Level 3 (compliant to Telcordia GR-1089-CORE and GR-63-CORE) in process for Brick 1200 HS DC version.
Mean Time Between Failure
Brick 1200 Basic: 129,801 hours
Brick 1200HS AC: 128,820 hours
Brick 1200HS DC: 128,833 hours
Telcordia SR-332 at Standard Reference Conditions.
Dimensions (W x L x H)
Est. 19” x 19” x 3.5” (2U)
Est. 48.3 cm x 48.3 cm x 8.9 cm (2U)
Rack Mountable per EIA-310 specification
Est. Weight: 44 lbs (20 kg)
Est. Shipping Weight: 50 lbs (22 kg)
Cooling
Chassis fans (intake and exhaust), power supply fans
Operating Altitude
Up to 13,123 ft (4,000 m)
Environmental
OPERATING
Normal Operating Temperature: 0 to 40 °C
Shock: 2.5g at 15–20 ms on any axis
Relative humidity: 5–85% at 40 °C (non-condensing)
Vibration: 5g at 2–200 Hz on any axis
NON-OPERATING
Temperature: -40 to 70 °C
Shock: 35g at 15–20 ms on any axis
Relative humidity: 5–90% at 40 °C (non-condensing)
Vibration: 5g at 2–200 Hz on any axis
Power
AC MODELS:
Hot-swappable, internal dual AC-to-DC power supply: 500 W max
Auto-ranging: 100 to 240 VAC, 47 to 63 Hz
Consumption: 8 A @ 120 VAC; 5 A @ 240 VAC
DC MODEL:
Hot-swappable, internal dual DC-to-DC power supply: 500 W max
Input range: -36 to -72 VDC
Consumption: 10 A @ -48 VDC; 8 A @ -60 VDC
Alcatel-Lucent Security Management Server
Software Requirements
Sun Solaris™ 2.8, 2.9 or 2.10 on SPARC processors
Microsoft Windows® 2000 Professional, Windows® 2000 Server, Windows XP Professional, Windows Server 2003 or Windows Vista Business.
SUN® WORKSTATION OR SERVER FOR SUN SOLARIS OPERATING SYSTEM:
• Sun UltraSPARC5 (600 MHz processor or better)
• 512MB of system memory (minimum)
• Swap space at least as large as system memory
• 2 GB free disk space in file system partition where software is to be installed
• 50MB free disk space in root partition
• 1 10/100 Ethernet interface
• CD-ROM drive
• 3.5” floppy drive, USB port and serial port.
• Video card capable of supporting 1024x768 resolution (65,535 colors)
INTEL®-BASED COMPUTER (FOR MICROSOFT WINDOWS® 2000 PROFESSIONAL, WINDOWS 2000 SERVER, WINDOWS XP PROFESSIONAL, WINDOWS SERVER 2003)
• 700 MHz Pentium III processor (minimum)
• 512 MB system memory (minimum), higher recommended
• CD-ROM drive
• Swap space at least as large as install system memory
• 2 GB free space on an NTFS partition
• 3.5” floppy, USB port and serial port.
• 1 Ethernet 10/100 card
• Video card capable of supporting 1024x768 resolution
INTEL®-BASED COMPUTER (FOR MICROSOFT VISTA® BUSINESS)
• 2.0 GHz processor (minimum)
• 1GB system memory (minimum),2GB recommended
• CD-ROM drive
• Swap space at least as large as install system memory
• 80 GB harddisk with 40GB free space on a NTFS partition
• 3.5” floppy, USB port and serial port.
• 1 Ethernet 10/100 card
• Video card capable of supporting 1024x768 resolution
Regulatory Approvals
NORTH AND SOUTH AMERICA
Product Safety Approvals: CSA Certified to UL® 60950-1, 1st Edition; CAN/CSA 22.2 No. 60950-1-03
EMC Approval: FCC Part 15, Class A; ICES-003, Class A
Network Attachment Approvals: Not Applicable
EUROPE
Product Safety Approvals: CB Scheme to EN/IEC 60950-1
EMC Approval: CE; EN300-386, Class B; EN55024
Network Attachment Approvals: Not Applicable
ASIA, PACIFIC
Product Safety Approvals: CB Scheme to EN/IEC 60950-1; AS/NZS 3260 1993 with amendments 1, 2, 3 and 4; ACA TS 001 1997
EMC Approval: VCCI Class A; AS/NZS CISPR Pub 22, Class A
Network Attachment Approvals: Not Applicable
ORDERING INFORMATION
PART NUMBER DESCRIPTION
109625772 VPN Firewall Brick 1200 AC Model
109625780 VPN Firewall Brick 1200HS AC Model
109625806 VPN Firewall Brick 1200HS DC Model
300912549 1000BaseT Copper SFP Transceiver
300912979 1000BaseSX MMF SFP Transceiver
300533866 1000BaseLX SMF SFP Transceiver
Alcatel-Lucent Security Management Server: Brick 1200 and 1200HS security appliances require v9.0 (patch level 276) or later. Available in several configurations to meet your networking requirements.
Alcatel-Lucent IPSec Client: Available in several configurations to meet your networking requirements.
Contact your Alcatel-Lucent representative or authorized reseller for details.
To learn more, contact your dedicated Alcatel-Lucent representative, authorized reseller, or sales agent. You can also visit our Web site at www.alcatel-lucent.com.
This document is provided for planning purposes only and does not create, modify, or supplement any warranties, which may be made by Lucent Technologies relating to the products and/or services described herein. The publication of information contained in this document does not imply freedom from patent or other protective rights of Lucent Technologies or other third parties.
Brick is a registered trademark of Alcatel-Lucent. ActiveX is a trademark of Microsoft Corporation. Java is a trademark of Sun Microsystems, Inc. NEBS is a trademark of Telcordia Technologies. Pentium® is a registered trademark of Intel Corporation. Solaris is a trademark of Sun Microsystems, Inc. Sun® is a registered trademark of Sun Microsystems, Inc. UL® is a registered trademark of Underwriters Laboratories. Windows® is a registered trademark of Microsoft.
www.alcatel-lucent.com
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners. Alcatel-Lucent assumes no responsibility for the accuracy of the information presented, which is subject to change without notice. © 2007 Alcatel-Lucent. All rights reserved. 031932-00 Rev. D 11/07