VPN Firewall Brick® 20
Security, VPN, and QoS Gateway
The VPN Firewall Brick® 20 platform offers a readily affordable CPE solution for delivering service level-assured advanced security, IP VPN, and bandwidth management services to small-office and home-office locations. This carrier-class IP services platform stretches investment dollars with low price/performance and total ownership costs and delivers service-enhancing, revenue-building features.
Applications
•Advanced security services
•Site-to-site and remote access VPN services
•Bandwidth management services
•Mobile data services
•Shared Internet connectivity
•Secure intranets and extranets
Features
•Integrates firewall, VPN, QoS, VLAN, and virtual firewall capabilities in one configuration
•140 Mbps firewall performance; 3 Mbps 3DES performance; 55 simultaneous VPN tunnels; 4,094 VLANs; 20 virtual firewalls
•Intrinsically secure, transparent Layer-2 bridge
•Central staging and secure remote management via Lucent Security Management Server (LSMS) software; manages thousands of VPN Firewall Brick® units and Lucent IPSec Client users from one console
•Innovative security services: advanced distributed denial of service attack protection; high-speed content security (command blocking, URL filtering, virus scanning); strong authentication; real-time monitoring, logging, and reporting
•High-availability architecture — no single point of failure
•No advisories or reported vulnerabilities
Benefits
•Low price/performance — less than the per-Mbps price of major competitors
•Low cost of ownership — one configuration supports multiple IP services with no additional or recurring licensing fees; VLAN and virtual firewall support for up to 20 customers at no additional cost; management efficiencies reduce staffing and administrative expenses
•Flexible deployment options — premises or network-based services with shared or dedicated hardware environments
•Economical growth path — migrate to advanced security and VPN services with no added infrastructure investments
•No-touch CPE — no need for costly network reconfigurations, truck-rolls, or onsite support
•Enhanced user experiences — efficient bandwidth management with customer-level, user-level, and server-level QoS control
•Assured business continuity — native high availability, carrier-class reliability
•Scalable, carrier-class management — centrally manage up to 1,000 VPN Firewall Brick® units and 10,000 Lucent IPSec Client users
VPN Firewall Brick® Platform 20 Technical Specifications
1. Processor/Memory
Rise mP6 120 MHz with 64MB RAM
2. LAN Interfaces
(3) 10/100 Base-TX Ethernet (RJ-45)
3. Other Ports
SVGA video, DB9 serial, external floppy, PS/2 keyboard
4. Performance
Concurrent sessions – 3,000
New sessions/second – 300
Rules – 30,000 (shared among all virtual firewalls)
Max clear text throughput – 125 Mbps (1518 byte TCP packets), 140 Mbps (1518 byte UDP packets)
Max PPS throughput – 40,000 pps (64 byte UDP packets)
Max 3DES throughput with software encryption – 3 Mbps (1518 byte TCP packets)
5. Virtualization
Maximum number of virtual firewalls – 20
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick® partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses
6. Modes of Operation
Bridging and/or routing on all interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound on any combination of ports
Layer-2 VLAN bridging
NAT (Network Address Translation)
PAT (Port Address Translation)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation and VPN tunnel endpoints
DHCP-assignable interface/VLAN addresses
DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick® address for centralized remote management
PPPoE
7. Services Supported
Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet, talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by DSAP/Ethertype
8. Layer-7 Application Support
Application Filter architecture supports Layer-7 protocol inspection for command validation, dynamic channel pinholes and application layer address translation. Application filters include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, NetBIOS, DHCP Relay, DNS, GTP, SIP
9. Firewall Attack Detection and Protection
Generalized flood protection extensible to new flood attacks as discovered with patent-pending Intelligent Cache Management
SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
Strict TCP Validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
Fragment flood protection with Robust Fragment Reassembly, ensures no partial or overlapping fragments are transmitted
Generalized IP Packet Validation including detection of malformed packets such as ping of death, land attack, tear drop attack. Drops bad IP options as well as source route options
10. Content Security
Lucent Proxy Agent integrates load-shared content security services for:
Application protocol command blocking – HTTP, SMTP, FTP
Virus scanning
URL screening
Application-layer protocol command recognition and filtering
Application-layer command line length enforcement
Unknown protocol command handling
Extensive session-oriented logging for application-layer commands and replies
Hostile mobile code blocking (Java®, ActiveX™)
URL blocking – with 8e6 Technologies’ X-Stop™ Xserver
Virus scanning – with Trend Micro’s InterScan™ VirusWall Anti-Virus Security Suite
11. QoS/Bandwidth Management
Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
Bandwidth Guarantees – Into and out of Virtual Firewall, allocated in bits/second
Bandwidth Limits – Into and out of Virtual Firewall, allocated in bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching
12. Firewall User Authentication
Browser-based authentication allows authentication of any user protocol
Built-in internal database – user limit 10,000
Local passwords, RADIUS, SecurID
User assignable RADIUS attributes