Lucent Technologies VPN Firewall Brick 20 User Manual

VPN Firewall Brick®20
Security, VPN, and QoS Gateway
The VPN Firewall Brick®20 platform offers a readily affordable CPE solution for delivering service level-assured advanced security, IP VPN, and bandwidth management services to small-office and home-office locations. This carrier-class IP services platform stretches investment dollars with low price/performance and total ownership costs and delivers service-enhancing, revenue-building features.
Applications
• Advanced security services
• Site-to-site and remote access VPN services
• Bandwidth management services
• Mobile data services
• Shared Internet connectivity
• Secure intranets and extranets
Features
• Integrates firewall, VPN, QoS, VLAN, and virtual firewall capabilities in one configuration
• 140 Mbps firewall performance; 3 Mbps 3DES performance; 55 simultaneous VPN tunnels; 4,094 VLANs; 20 virtual firewalls
• Intrinsically secure, transparent Layer-2 bridge
• Central staging and secure remote management via Lucent Security Management Server (LSMS) software; manages thousands of VPN Firewall Brick® units and Lucent IPSec Client users from one console
• Innovative security services: advanced distributed denial of service attack protection; high-speed content security (command blocking, URL filtering, virus scanning); strong authentication; real-time monitoring, logging, and reporting
• High-availability architecture — no single point of failure
• No advisories or reported vulnerabilities
Benefits
Low price/performance — less than the per-Mbps price of major competitors
Low cost of ownership — one configuration supports multiple IP services with no additional or recurring licensing fees; VLAN and virtual firewall support for up to 20 customers at no additional cost; management efficiencies reduce staffing and administrative expenses
Flexible deployment options — premises or network-based services with shared or dedicated hardware environments
Economical growth path — migrate to advanced security and VPN services with no added infrastructure investments
No-touch CPE — no need for costly network reconfigurations, truck-rolls, or onsite support
Enhanced user experiences — efficient bandwidth management with customer-level, user-level, and server-level QoS control
Assured business continuity — native high availability, carrier-class reliability
Scalable, carrier-class management — centrally manage up to 1,000 VPN Firewall Brick® units and 10,000 Lucent IPSec Client users
VPN Firewall Brick® Platform 20 Technical Specifications
1. Processor/Memory: Rise mP6 120 MHz with 64 MB RAM
2. LAN Interfaces: (3) 10/100 Base-TX Ethernet (RJ-45)
3. Other Ports: SVGA video, DB9 serial, external floppy, PS/2 keyboard
4. Performance
• Concurrent sessions – 3,000
• New sessions/second – 300
• Rules – 30,000 (shared among all virtual firewalls)
• Max clear text throughput – 125 Mbps (1518 byte TCP packets); 140 Mbps (1518 byte UDP packets)
• Max PPS throughput – 40,000 pps (64 byte UDP packets)
• Max 3DES throughput with software encryption – 3 Mbps (1518 byte TCP packets)
5. Virtualization
• Maximum number of virtual firewalls – 20
• Number of VLANs supported – 4,094
• VLAN domains – up to 16 per VLAN trunk
• VPN Firewall Brick® partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses
6. Modes of Operation
• Bridging and/or routing on all interfaces
• All features supported with bridging
• IP routing with static routes
• 802.1Q VLAN tagging supported inbound and outbound on any combination of ports
• Layer-2 VLAN bridging
• NAT (Network Address Translation)
• PAT (Port Address Translation)
• Policy-based NAT and PAT (per rule)
• Supports virtual IP addresses for both address translation and VPN tunnel endpoints
• DHCP-assignable interface/VLAN addresses
• DHCP Relay capabilities
• Dynamic registration of mobile VPN Firewall Brick® address for centralized remote management
• PPPoE
7. Services Supported
• Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet, talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net
• Any IP protocol (user definable)
• Any IP protocol + layer 4 ports (user definable)
• Support for non-IP protocols as defined by DSAP/Ethertype
8. Layer-7 Application Support
• Application Filter architecture supports Layer-7 protocol inspection for command validation, dynamic channel pinholes and application layer address translation.
• Application filters include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, NetBIOS, DHCP Relay, DNS, GTP, SIP
9. Firewall Attack Detection and Protection
• Generalized flood protection extensible to new flood attacks as discovered, with patent-pending Intelligent Cache Management
• SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
• Strict TCP Validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, rejection of bad TCP flag combinations
• Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
• Fragment flood protection with Robust Fragment Reassembly, ensures no partial or overlapping fragments are transmitted
• Generalized IP Packet Validation including detection of malformed packets such as ping of death, land attack, teardrop attack. Drops bad IP options as well as source route options
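The data sheet lists "rejection of bad TCP flag combinations" and "Robust Fragment Reassembly" under item 9 without saying what those checks consist of. The block below is an added illustration written for this page, not Lucent code and not a description of how the Brick implements them: a flag-combination filter and a fragment set tracker that forwards a datagram only once it is complete, contiguous and free of overlaps, and discards the whole set on a teardrop-style overlap or an oversize (ping-of-death-style) fragment. The Fragment and FragmentReassembler names and all packet data are this example's own constructions.

```python
"""Added example (not Lucent's code): a model of two checks named in item 9,
bad TCP flag rejection and strict IP fragment reassembly. All packets are
constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass

# TCP flag bits (low six bits of the flags byte)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags_valid(flags: int) -> bool:
    """Return False for combinations no conforming TCP stack emits.

    Dropped: null segments, SYN together with FIN or RST, RST together with
    FIN, and FIN/PSH/URG carried without ACK (only a bare SYN or RST may
    legitimately travel without ACK).
    """
    flags &= 0x3F
    if flags == 0:
        return False
    if flags & SYN and flags & (FIN | RST):
        return False
    if flags & RST and flags & FIN:
        return False
    if flags & (FIN | PSH | URG) and not flags & ACK:
        return False
    return True


@dataclass(frozen=True)
class Fragment:
    """One IP fragment (hypothetical structure; a real one comes from the IP header)."""
    ident: int      # IP identification field shared by all fragments of a datagram
    offset: int     # byte offset of this payload within the original datagram
    more: bool      # MF bit: True unless this is the final fragment
    payload: bytes


class FragmentReassembler:
    """Hold fragments per datagram id and release only complete, clean sets.

    A set is discarded the moment a fragment overlaps one already held,
    would push the datagram past 65535 bytes, breaks 8-byte alignment,
    or lands beyond an already-seen final fragment. Nothing partial is
    ever returned for forwarding.
    """
    MAX_DATAGRAM = 65535

    def __init__(self) -> None:
        self._pieces: dict[int, list[Fragment]] = {}
        self._total: dict[int, int] = {}   # datagram length once MF=0 is seen

    def add(self, frag: Fragment) -> tuple[str, object]:
        """Feed one fragment; returns ('pending', None), ('drop', reason) or ('complete', bytes)."""
        end = frag.offset + len(frag.payload)
        if frag.offset % 8 or (frag.more and len(frag.payload) % 8):
            return self._drop(frag.ident, "fragment not 8-byte aligned")
        if end > self.MAX_DATAGRAM:
            return self._drop(frag.ident, "datagram would exceed 65535 bytes")
        pieces = self._pieces.setdefault(frag.ident, [])
        for have in pieces:   # any byte range shared with a held fragment is an overlap
            if frag.offset < have.offset + len(have.payload) and have.offset < end:
                return self._drop(frag.ident, "overlapping fragment")
        if frag.ident in self._total:
            if not frag.more:
                return self._drop(frag.ident, "second final fragment")
            if end > self._total[frag.ident]:
                return self._drop(frag.ident, "fragment beyond final fragment")
        pieces.append(frag)
        if not frag.more:
            self._total[frag.ident] = end
        return self._maybe_complete(frag.ident)

    def _clear(self, ident: int) -> None:
        self._pieces.pop(ident, None)
        self._total.pop(ident, None)

    def _drop(self, ident: int, reason: str) -> tuple[str, str]:
        self._clear(ident)   # the whole set goes, not just the offending fragment
        return ("drop", reason)

    def _maybe_complete(self, ident: int) -> tuple[str, object]:
        total = self._total.get(ident)
        if total is None:
            return ("pending", None)
        pieces = sorted(self._pieces[ident], key=lambda f: f.offset)
        expected = 0
        for f in pieces:
            if f.offset != expected:
                return ("pending", None)   # a gap still has to be filled
            expected = f.offset + len(f.payload)
        if expected != total:
            return ("pending", None)
        data = b"".join(f.payload for f in pieces)
        self._clear(ident)
        return ("complete", data)


if __name__ == "__main__":
    r = FragmentReassembler()
    # constructed: 24-byte datagram split 16 + 8, final fragment arriving first
    print(r.add(Fragment(1, 16, False, b"B" * 8)))
    print(r.add(Fragment(1, 0, True, b"A" * 16)))
    # constructed teardrop: second fragment claims bytes 8..24 over the first's 0..16
    r.add(Fragment(2, 0, True, b"A" * 16))
    print(r.add(Fragment(2, 8, False, b"C" * 16)))
    print(tcp_flags_valid(SYN | FIN), tcp_flags_valid(SYN | ACK))
```

The design point worth noting is that an overlap or oversize condition discards the entire fragment set for that identification value rather than just the offending fragment, so that no reconstruction built from a mix of good and bad pieces is ever forwarded, which is what "no partial or overlapping fragments are transmitted" requires.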
10. Content Security
Lucent Proxy Agent integrates load-shared content security services for:
• Application protocol command blocking – HTTP, SMTP, FTP
• Virus scanning
• URL screening
• Application-layer protocol command recognition and filtering
• Application-layer command line length enforcement
• Unknown protocol command handling
• Extensive session-oriented logging for application-layer commands and replies
• Hostile mobile code blocking (Java®, ActiveX™)
• URL blocking – with 8e6 Technologies’ X-Stop™ Xserver
• Virus scanning – with Trend Micro’s InterScan™ VirusWall Anti-Virus Security Suite
11. QoS/Bandwidth Management
• Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
• Bandwidth Guarantees – into and out of Virtual Firewall, allocated in bits/second
• Bandwidth Limits – into and out of Virtual Firewall, allocated in bits/second, packets/session, sessions/second
• ToS/DiffServ marking and matching
12. Firewall User Authentication
• Browser-based authentication allows authentication of any user protocol
• Built-in internal database – user limit 10,000
• Local passwords, RADIUS, SecurID
• User assignable RADIUS attributes
VPN Firewall Brick® 20 platform – Back Panel
13. VPN
• Maximum number of dedicated VPN tunnels – 55
• Manual Key, IKE, PKI (X.509)
• 3DES (168-bit), DES (56-bit)
• SHA-1 and MD5 authentication/integrity
• Replay attack protection
• Remote access VPN
• Site-to-site VPN
• IPSec NAT Traversal (UDP encapsulated IPSec)
• LZS compression
• Spliced and nested tunneling
14. VPN Authentication
• Local passwords, RADIUS, SecurID, X.509 digital certificates with Entrust CA PKI
• Certificate requests (PKCS 12)
• Automatic LDAP certificate retrieval
15. High Availability
• VPN Firewall Brick® platform to VPN Firewall Brick® platform active/passive failover with full synchronization
• 400 millisecond device failure detection and activation
• Session protection for firewall and VPN
• Link failure detection
• Alarm notification on failover
• Encryption and authentication of session synchronization traffic
• Self-healing synchronization links
• Lucent Proxy Agent load sharing supports high availability for content security services
16. Diagnostic Tools
• Out of band debugging and analysis via serial port/modem/terminal server
• Centralized, secure remote console to any VPN Firewall Brick® unit supporting Ping, Traceroute, packet trace with filters
• Remote VPN Firewall Brick® platform bootstrapping
• Real-time log viewer analysis tool
17. 3-Tier Management Architecture
• Centralized, carrier-class, active/active management architecture with Lucent Security Management Server (LSMS) software
• Secure VPN Firewall Brick® platform to LSMS communications with Diffie-Hellman and 3DES encryption, SHA-1 authentication and integrity, and digital certificates for VPN Firewall Brick® platform/LSMS authentication
• Up to 100 simultaneous administrators securely managing all aspects of up to 1000 VPN Firewall Brick® units
• Secure, reliable, redundant real-time alarms, logs, reports
18. Certifications: ICSA V3.0A Firewall Certified; ICSA V1.0B IPSec Certified; National Security Agency EAL2 Government Protection Profile Certified, EAL4 in progress
19. Mean Time Between Failure: 127,000 Hrs.
20. Dimensions (W x L x H): 6.2” x 8.6” x 1.3” (16 cm x 22 cm x 3 cm)
21. Cooling: Passive heatsink
22. Operating Altitude: Up to 13,123 ft (4,000 m)
23. Environmental
Operating
• Temperature: 0 to 40º C
• Shock: 2.5g at 15 – 20 ms on any axis
• Relative Humidity: 5–95%
• Vibration: 5g at 2 – 200 Hz on any axis
Non-Operating
• Temperature: 0 to 70º C
• Shock: 35g at 15 – 20 ms on any axis
• Relative Humidity: 5–95%
• Vibration: 5g at 2 – 200 Hz on any axis
24. Power: External AC to DC Power Supply, rated 25 W max; switching mode, 100–240 V AC, 50–60 Hz; consumption 0.19 A typical at 115 V AC
25. Safety Listings: USA – UL® 1950; Canada – CSA 22.2 No. 950; EU – EN/IEC 60950; Japan – CB Scheme IEC 60950
26. EMC Certifications: USA – FCC Part 15, Class B; Canada – IC-ES003; EU – EMC Directive; Japan – VCCI
To learn more, contact your dedicated Lucent Technologies representative, authorized reseller, or sales agent. You can also visit our Web site at www.lucent.com/security.
This document is provided for planning purposes only and does not create, modify, or supplement any warranties which may be made by Lucent Technologies relating to the products and/or services described herein. The publication of information contained in this document does not imply freedom from patent or other protective rights of Lucent Technologies or other third parties.
VPN Firewall Brick is a registered trademark of Lucent Technologies Inc.
ActiveX is a trademark of Microsoft corporation.
InterScan is a registered trademark of Trend Micro, Inc.
Java is a trademark of Sun Microsystems, Inc.
Pentium is a registered trademark of Intel Corporation.
Solaris is a trademark of Sun Microsystems, Inc.
Sun is a registered trademark of Sun Microsystems, Inc.
UL is a registered trademark of Underwriter's Laboratories.
X-Stop is a trademark of Log-On Data Corp.
Copyright © 2004 Lucent Technologies Inc. All rights reserved
VPN v4.04/04
Lucent Proxy Agent
1. Software Requirements: Solaris™ 8
2. Hardware Requirements
• Sun® workstation
• 333 MHz Pentium® Pro processor (minimum)
• 512 MB system memory (minimum), higher recommended
• CD-ROM drive
• 1 Ethernet 10/100 card
Ordering Information
1. VPN Firewall Brick® 20 platform – Part Number 300323748
2. External 3.25” Floppy Drive – Part Number 300318953
3. Lucent Security Management Server – See LSMS data sheet for ordering details
4. Lucent Proxy Agent – Included in LSMS software
5. Lucent IPSec Client – See Lucent IPSec Client data sheet for ordering details