VPN Firewall Brick®20
Security, VPN, and QoS Gateway
The VPN Firewall Brick®20 platform offers a readily affordable CPE
solution for delivering service level-assured advanced security, IP VPN,
and bandwidth management services to small-office and home-office
locations. This carrier-class IP services platform stretches investment
dollars with low price/performance and total ownership costs and
delivers service-enhancing, revenue-building features.
Applications
• Advanced security services
• Site-to-site and remote access VPN services
• Bandwidth management services
• Mobile data services
• Shared Internet connectivity
• Secure intranets and extranets
Features
• Integrates firewall, VPN, QoS, VLAN, and virtual
firewall capabilities in one configuration
• 140 Mbps firewall performance; 3 Mbps 3 DES
performance; 55 simultaneous VPN tunnels; 4,094
VLANs; 20 virtual firewalls
• Intrinsically secure, transparent Layer-2 bridge
• Central staging and secure remote management via
Lucent Security Management Server (LSMS) software;
manages thousands of VPN Firewall Brick®units and
Lucent IPSec Client users from one console
• Innovative security services: advanced distributed
denial of service attack protection; high-speed content
security (command blocking, URL filtering, virus
scanning); strong authentication; real-time
monitoring, logging, and reporting
• High-availability architecture — no single point of
failure
• No advisories or reported vulnerabilities
Benefits
• Low price/performance — less than the per-Mbps price
of major competitors
• Low cost of ownership — one configuration
supports multiple IP services with no additional or
recurring licensing fees; VLAN and virtual firewall
support for up to 20 customers at no additional cost;
management efficiencies reduce staffing and
administrative expenses
• Flexible deployment options — premises or networkbased services with shared or dedicated hardware
environments
• Economical growth path — migrate to advanced
security and VPN services with no added infrastructure
investments
• No-touch CPE — no need for costly network
reconfigurations, truck-rolls, or onsite support
• Enhanced user experiences — efficient bandwidth
management with customer-level, user-level, and
server-level QoS control
• Assured business continuity — native high availability,
carrier-class reliability
• Scalable, carrier-class management — centrally manage
up to 1,000 VPN Firewall Brick®units and 10,000
Lucent IPSec Client users
2
VPN Firewall Brick®Platform 20 Technical Specifications
1.Processor/Memory
Rise mP6 120 MHz with 64MB RAM
2.LAN Interfaces
(3) 10/100 Base-TX Ethernet (RJ-45)
3.Other Ports
SVGA video, DB9 serial, external floppy, PS/2 keyboard
4.Performance
Concurrent sessions – 3,000
New sessions/second – 300
Rules – 30,000 (shared among all virtual firewalls)
Max clear text throughput – 125 Mbps (1518 byte TCP packets)
140 Mbps (1518 byte UDP packets)
Max PPS throughput – 40,000 pps (64 byte UDP packets)
Max 3DES throughput with software encryption – 3 Mbps
(1518 byte TCP packets)
5.Virtualization
Maximum number of virtual firewalls – 20
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick
®
partitions – allows for virtualization of
customer IP address range, including support for overlapping
IP addresses
6.Modes of Operation
Bridging and/or routing on all interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound
on any combination of ports
Layer-2 VLAN bridging
NAT (Network Address Translation)
PAT (Port Address Translation)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation
and VPN tunnel endpoints
DHCP-assignable interface/VLAN addresses
DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick
®
address
for centralized remote management
PPPoE
7.Services Supported
Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https,
kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp,
rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet,
talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus
notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by DSAP/Ethertype
8.Layer-7 Application Support
Application Filter architecture supports Layer-7 protocol
inspection for command validation, dynamic channel pinholes
and application layer address translation. Application filters
include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, Net
BIOS, DHCP Relay, DNS, GTP, SIP
9.Firewall Attack Detection and Protection
Generalized flood protection extensible to new flood attacks as
discovered with patent-pending Intelligent Cache Management
SYN flood protection to specifically protect inbound servers,
e.g. Web servers, from inbound TCP SYN floods
Strict TCP Validation to ensure TCP session state enforcement,
validation of sequence and acknowledgement numbers,
rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack
implementations
Fragment flood protection with Robust Fragment Reassembly,
ensures no partial or overlapping fragments are transmitted
Generalized IP Packet Validation including detection of
malformed packets such as ping of death, land attack, tear drop
attack. Drops bad IP options as well as source route options
10.Content Security
Lucent Proxy Agent integrates load-shared content security
services for:
Application protocol command blocking – HTTP, SMTP, FTP
Virus scanning
URL screening
Application-layer protocol command recognition and filtering
Application-layer command line length enforcement
Unknown protocol command handling
Extensive session-oriented logging for application-layer
commands and replies
Hostile mobile code blocking (Java®, ActiveX™)
URL blocking – with 8e6 Technologies’ X-Stop™ Xserver
Virus scanning – with Trend Micro’s InterScan™ VirusWall
Anti-Virus Security Suite
11.QoS/Bandwidth Management
Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
Bandwidth Guarantees – Into and out of Virtual Firewall,
allocated in bits/second
Bandwidth Limits - Into and out of Virtual Firewall, allocated in
bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching
12.Firewall User Authentication
Browser-based authentication allows authentication of any
user protocol
Built-in internal database – user limit 10,000
Local passwords, RADIUS, SecurID
User assignable RADIUS attributes
3
VPN Firewall Brick®20 platform – Back Panel
13.VPN
Maximum number of dedicated VPN tunnels – 55
Manual Key, IKE, PKI (X.509)
3DES (168-bit), DES (56-bit)
SHA-1 and MD5 authentication/integrity
Replay attack protection
Remote access VPN
Site-to-site VPN
IPSec NAT Traversal (UDP encapsulated IPSec)
LZS compression
Spliced and nested tunneling
14.VPN Authentication
Local passwords, RADIUS, SecurID, X.509 digital
certificates with Entrust CA
PKI Certificate requests (PKCS 12)
Automatic LDAP certificate retrieval
15.High Availability
VPN Firewall Brick
®
platform to VPN Firewall Brick
®
platform active/passive failover with full synchronization
400 millisecond device failure detection and activation
Session protection for firewall and VPN
Link failure detection
Alarm notification on failover
Encryption and authentication of session
synchronization traffic
Self-healing synchronization links
Lucent Proxy Agent load sharing supports high
availability for content security services
16.Diagnostic Tools
Out of band debugging and analysis via serial
port/modem/terminal server
Centralized, secure remote console to any VPN Firewall Brick
®
unit supporting Ping, Traceroute, packet trace with filters
Remote VPN Firewall Brick®platform bootstrapping
Real-time log viewer analysis tool
17.3-Tier Management Architecture
Centralized, carrier-class, active/active management
architecture with Lucent Security Management Server
(LSMS) software
Secure VPN Firewall Brick
®
platform to LSMS
communications with Diffie-Helman and 3DES encryption,
SHA-1 authentication and integrity and digital certificates
for VPN Firewall Brick®platform/LSMS authentication
Up to 100 simultaneous administrators securely managing
all aspects of up to 1000 VPN Firewall Brick®units
Secure, reliable, redundant real-time alarms, logs, reports
18.Certifications
ICSA V3.0A Firewall Certified, ICSA V1.0B IPSec Certified
National Security Agency EAL2 Government Protection Profile
Certified, EAL4 in progress
19.Mean Time Between Failure
127,000 Hrs.
20.Dimensions (W x L x H)
6.2” x 8.6” x 1.3” 16 cm x 22 cm x 3 cm
21.Cooling
Passive heatsink
22.Operating Altitude
Up to 13,123 ft (4,000 m)
23. Environmental
Operating
Temperature: 0 to 40º C
Shock: 2.5g at 15 – 20 ms on any axis
Relative Humidity: 5–95%
Vibration: 5g at 2 – 200Hz on any axis
Non-Operating
Temperature: 0 to 70º C
Shock: 35g at 15 – 20 ms on any axis
Relative Humidity: 5–95%
Vibration: 5g at 2 – 200Hz on any axis
24.Power
External AC to DC Power Supply: rated 25W Max
Switching mode, 100–240V AC, 50–60Hz
Consumption: 0.19A typical at 115VAC
25.Safety Listings
USA – UL®1950
Canada – CSA 22.2 No. 950
EU – EN/IEC 60950
Japan – CB Scheme IEC 60950
26.EMC Certifications
USA – FCC Part 15, Class B
Canada – IC-ES003
EU – EMC Directive
Japan – VCCI
To learn more, contact your
dedicated Lucent Technologies
representative, authorized
reseller, or sales agent. You
can also visit our Web site at
www.lucent.com/security.
This document is provided for planning
purposes only and does not create,
modify, or supplement any warranties
which may be made by Lucent
Technologies relating to the products
and/or services described herein.
The publication of information
contained in this document does not
imply freedom from patent or other
protective rights of Lucent Technologies
or other third parties.
VPN Firewall Brick is a registered
trademark of Lucent Technologies Inc.
ActiveX is a trademark of
Microsoft corporation.
InterScan is a registered trademark
of Trend Micro, Inc.
Java is a trademark of
Sun Microsystems, Inc.
Pentium is a registered trademark
of Intel Corporation.
Solaris is a trademark of
Sun Microsystems, Inc.
Sun is a registered trademark of
Sun Microsystems, Inc.
UL is a registered trademark of
Underwriter's Laboratories.
X-Stop is a trademark of
Log-On Data Corp.
Copyright © 2004
Lucent Technologies Inc.
All rights reserved
VPN v4.04/04
Lucent Proxy Agent
1.Software Requirements
Solaris™ 8
2.Hardware Requirements
Sun®workstation
333 MHz Pentium®Pro processor (minimum)
512 MB system memory (minimum), higher recommended
CD-ROM drive
1 Ethernet 10/100 card
Ordering Information
1.VPN Firewall Brick®20 platform
Part Number 300323748
2.External 3.25” Floppy Drive
Part Number 300318953
3.Lucent Security Management Server
See LSMS data sheet for ordering details
4.Lucent Proxy Agent
Included in LSMS software
5.Lucent IPSec Client
See Lucent IPSec Client data sheet for ordering details
Loading...