VPN Firewall Brick 1200
Lucent VPN Firewall Portfolio
Protect your enterprise with innovative network security solutions
Optimize IT staff time and effort – while minimizing total cost of ownership

Benefits
• Deploy robust security safeguards enterprise-wide
• Implement large-scale VPN support with high-performance packet processing
• Streamline firewall deployment, configuration and management
• Leverage high-availability bandwidth management for consistent service quality
• Sustain business continuity with carrier-class reliability and availability
• Keep total ownership costs low

Complete, cost-effective solutions for network security, VPN, service-quality assurance and more

Deploy robust security safeguards enterprise-wide
The Lucent VPN Firewall portfolio offers a broad range of enterprise-class security solutions to protect corporate networks and deliver mission-critical IP applications to headquarter employees, branch offices, trading partners, road warriors and customers. VPN Firewall solutions can stretch IT budgets with superb price/performance and low total ownership costs. Leading-edge technology with timesaving, work-saving features helps maximize IT staff resources. And ample flexibility, availability and scalability can simplify deployment and management of diverse applications including:
• Advanced security
• Site-to-site and remote access VPN
• Bandwidth management (service quality assurance)
• Mobile data
• Storage network security
• Secure intranets and extranets
• Shared Internet connectivity

The Lucent VPN Firewall Portfolio for Enterprises forms a unique 3-tier security architecture and includes:
• VPN Firewall Brick® platforms – Security appliances that integrate deep packet inspection firewall functionality with advanced VPN capabilities for small-office through data-center requirements
• Lucent Security Management Server (LSMS) – Software for robust, tightly synchronized firewall, VPN, service quality, VLAN and virtual firewall policy management.
• Lucent IPSec Client – Software that provides secure remote access VPN services for mobile workforce and telecommuters.

IPSec Client 6.0
• Easy to use
• IPSec w/IKE
• Auto policy download
• Stateful Firewall
• Client “status logs”
• Managed client option
• Interoperable w/full portfolio

Unlike many competitive products, VPN Firewall Brick® platforms are built as security-specific devices. In contrast to traditional router-based systems, they operate as intrinsically secure Ethernet-layer bridges that are virtually invisible to hackers scanning your network. Completely segregated from the routing process, these security appliances are not vulnerable to dynamic routing protocol attacks. In many instances, they are undetectable by any device not on the same network segment, protecting enterprises with a high level of stealth security. Reinforcing this depth of defense is the platforms’ innovative, Bell Labs-developed operating system, a compact real-time kernel with built-in security features. Far less easily compromised than general-purpose operating systems running on server platforms, this exceptionally thin system eliminates most points of vulnerability. As a result, VPN Firewall Brick® platforms have no security-threatening back doors, no Computer Emergency Response Team (CERT®) advisories or reported vulnerabilities. LSMS software adds exposure-limiting safeguards including strong IP-specific denial-of-service attack protection, premium firewall and VPN authentication services, application-layer defense and content-level security including command blocking, URL blocking and virus scanning.
VPN Firewall Brick® 20
• (3) 10/100 ports
• 100 Mbps firewall
• 3 Mbps 3DES
• 1,000 sessions
• 55 VPN tunnels
• 20 virtual firewalls

VPN Firewall Brick® 80
• (4) 10/100 ports
• 190 Mbps firewall
• 11 Mbps 3DES
• 30,000 sessions
• 200 VPN tunnels
• 80 virtual firewalls

VPN Firewall Brick® 150
• (4) 10/100 ports
• 330 Mbps firewall
• 127 Mbps 3DES
• 300,000 sessions
• 1,000 VPN tunnels
• 150 virtual firewalls

VPN Firewall Brick® 350
• (7) 10/100 ports, (1) 10/100/1000 port
• 787 Mbps firewall
• 404 Mbps 3DES**
• 1,000,000 sessions
• 5,400 VPN tunnels
• 300 virtual firewalls

VPN Firewall Brick® 500
• (14) 10/100 ports, 1 GigE port
• 975 Mbps firewall
• 450 Mbps 3DES**
• 600,000 sessions
• 8,000 VPN tunnels
• 500 virtual firewalls

VPN Firewall Brick® 1100
• up to (4) GigE Fiber or (13) GigE Copper, (7) 10/100
• 3 Gbps firewall
• 1 Gbps Fiber or 700 Mbps Copper 3DES**
• 4,000,000 sessions
• 7,150 VPN tunnels
• 1,000 virtual firewalls

** with NEW optional encryption accelerator card and LZS compression

Lucent Security Management Server (LSMS) – Software for robust, tightly synchronized firewall, VPN, service quality, VLAN and virtual firewall policy management.

Target environments: Road Warrior, SOHO, ROBO, Small Enterprise, Mid Enterprise, Mid/Large Enterprise, Large Enterprise, Data Center

VPN Firewall Brick® platforms deliver bullet-proof security and comprehensive, high-performance VPN capabilities for enterprise environments ranging from small offices to large data centers.
[Figure: deployment diagram showing CPE-based, network-based, data center and Mobile/IPSec Client services using VPN Firewall Brick® 20/80/150, 350, 500 and 1100 platforms, VLANs 100–400 (Extranet, SAP, Mail and Public servers), existing routers and an IP network, with centralized active/active management by LSMS from USA and Europe NOCs.]

Implement large-scale VPN support with high-performance packet processing
VPN Firewall Brick® platforms deliver the performance needed to provide vital security and VPN services for thousands of enterprise users. High-capacity packet-processing capabilities help maximize user efficiency and productivity with up to 1 Gbps VPN throughput and a full 3 Gbps firewall throughput. Portfolio-wide scalability helps protect expanding user populations cost effectively. A single VPN Firewall Brick® unit can support up to 4 million simultaneous sessions and over 7,000 VPN tunnels. Its highly efficient operating system contributes to these outstanding processing capabilities by freeing memory for session and policy management.

Streamline firewall deployment, configuration and management
VPN Firewall Brick® platforms can be installed and working at any network location with an IP address. These flexible bridging firewalls work as quickly as a physical connection can be made. There’s no need to resegment the network, worry about downtime during network conversion to the new topology or wait as hosts are directed to a new gateway.
LSMS software delivers:
• Sophisticated IP services management capabilities with low operating costs to manage security, not individual devices – easy security deployment, management and maintenance with centrally controlled VPN Firewall Brick® clients
• Scalability to rapidly provision and manage up to 1,000 VPN Firewall Brick® platforms and 10,000 IPSec Client users from one console – fewer devices to maintain and fewer people to maintain them
• Seamless integration of firewall, VPN, bandwidth management, virtual LAN (VLAN) and virtual firewall policy management – centralized real-time monitoring, robust logging and customized reporting capabilities

The VPN Firewall portfolio offers flexible deployment options to suit enterprise network strategies and users’ diverse needs.

Leverage high-availability bandwidth management for consistent service quality
VPN Firewall Brick® platforms can increase both network security and quality of service through uniquely granular bandwidth management. They incorporate — at no extra charge — robust implementation of class-based queuing (CBQ) technology for committed-rate bandwidth control and traffic prioritization. Bandwidth limits to help defend against flood attacks, and bandwidth guarantees to enhance end-user experiences, are enforced at the server and user levels. Traffic can be classified by physical interface, virtual firewall, policy rule and session, enabling simplified yet precisely targeted security implementations.

Sustain business continuity with carrier-class reliability and availability
A high-availability architecture is built into every component of the Lucent VPN firewall portfolio. There is no single point of failure solution-wide. All VPN Firewall Brick® models support native subsecond failover to a standby unit. In an outage, services continue uninterrupted. Out-of-band management capabilities help ensure continued service even if communications are lost due to a network outage.
For added reliability, LSMS software — unlike competitive management systems — can be distributed across multiple geographically dispersed operations centers for active/active network redundancy. This enables immediate disaster recovery in the event of a catastrophe at the primary management location.

Keep your total ownership costs low
VPN Firewall solutions efficiently address the need to contain operations outlays, make efficient use of in-house technical expertise and protect network investments. All solution components are built to interoperate smoothly with existing infrastructure elements. Introducing them requires no costly network retrofits. VPN Firewall Brick® products cut IT staff hours and shorten time-to-service with their full-featured bridging support. And because they don’t run on a general-purpose operating system, they eliminate the high costs and time-intensive efforts associated with OS upgrades and patches. The performance-proven LSMS security management solution offers one simple, economical licensing structure — without costly additional modules or recurring license fees. Its high-capacity processing and high-device-count management capabilities help minimize additional capital-equipment purchases. And its comprehensive security safeguards dramatically reduce network vulnerabilities that consume IT staff time and budget.

Features
• Full-featured bridging — enables stealthy, depth-of-defense security that conventional router-based firewalls cannot match
• Advanced security safeguards — denial-of-service attack protection; high-speed content security; premium authentication services; with low occurrences of reported advisories or vulnerabilities and no backdoors.
• High-performance packet processing — supports up to 4 million simultaneous VPN sessions, 1000 virtual firewalls, 7000 VPN tunnels
• Ultra-thin, highly secure operating system — virtually impenetrable to hacker attacks; frees memory for packet processing, policy management
• Plug-and-play deployment — implement secure mission-critical applications without costly, time-intensive network reconfiguration
• Low ownership costs — no ongoing feature-licensing expenses; easy installation, management and upgrades save IT staff time and effort; high-performance, high-capacity features reduce the need to purchase additional equipment
• Simplified management — unique client/server design; centralized staging, real-time monitoring and no-touch management of all VPN, security and service-quality assurance capabilities via scalable, proven LSMS
• Virtual firewall and VLAN support — easily assign and enforce security policies for diverse user groups
• Uniquely granular bandwidth management — maximize service quality via flexible class-based queuing (CBQ) technology, server-level and user-level limits and guarantees
• Carrier-grade reliability — native high-availability architecture with no single point of failure

To learn more about our comprehensive portfolio, contact your Lucent Technologies sales representative, authorized reseller or sales agent. You can also visit our web site at www.lucent.com/security.

Copyright © 2005 Lucent Technologies Inc. All rights reserved
LVF.ENT v3.0205

This document is provided for planning purposes only and does not create, modify or supplement any warranties which may be made by Lucent Technologies relating to the products and/or services described herein. The publication of information contained in this document does not imply freedom from patent or other protective rights of Lucent Technologies or third parties. VPN Firewall Brick is a registered trademark of Lucent Technologies Inc.
CERT is a registered trademark and service mark of Carnegie Mellon University.

VPN Firewall Brick® 1200
Security, VPN, VoIP and QoS Gateways

The Lucent VPN Firewall Brick® 1200 platforms take data security to new levels by providing up to 4.75 Gbps firewall throughput, along with integrated high-speed VPN, VoIP Security, VLAN and virtual firewall capabilities at a breakthrough price. With QoS bandwidth management features, built-in IDS/DoS protections and high network performance, the VPN Firewall Brick® 1200 platforms provide solid security for large enterprise, data center and network-edge environments. This carrier-grade IP services platform provides excellent value with low price/performance and total ownership costs, enabling service providers, government entities and large enterprises to deploy secure IP and VPN services that enhance their business while maximizing returns on their capital investments.

Applications
• Advanced security services
• VPN services for site-to-site and remote access
• High-availability architecture — Eliminates any single point of failure
• Proven Secure — No Computer Emergency Response Team (CERT®) advisories or reported vulnerabilities
• Bandwidth management capabilities
• VoIP Security
• Secure data center Web and application hosting
• Storage network security solution
• Mobile data security
• Packet Data Gateway and Packet Data Interworking Functions for Dual-Mode Wireless/WiFi VPN and VoIP/Data Security
• Managed Security Services
• Unlicensed Mobile Access (UMA) and IP Multimedia Subsystem (IMS) Security

Benefits
• Higher performance — Deliver an enhanced user experience with up to 1.7 Gbps IP VPN throughput, combined with best-in-class bandwidth management — with customer-level, user-level and server-level QoS control
• Low price/performance — Get outstanding security and throughput for less than the per-Mbps price of major competitors
• Low cost of ownership — One configuration supports multiple IP services with no additional or recurring licensing fees
• Flexible deployment — Options include premises- or network-based services with shared or dedicated hardware environments
• Economical growth path — You can migrate to advanced security and VPN services with no added infrastructure investments
• Plug-and-Play interoperability — There’s no need for costly network reconfigurations or on-site support

Features
• Integrated security platform — Provides high-speed firewall, VPN, QoS, VLAN and virtual firewall capabilities in one configuration
• Industry-leading throughput — Delivers up to 4.75 Gbps firewall performance, 1.7 Gbps 3DES and AES VPN performance with built-in encryption accelerator cards (EAC), depending on version of Brick® 1200 platform selected.
• Cost-effective business continuity — Take advantage of low priced, full gigabit-rate encryption performance and maintain carrier-class reliability for today’s data-heavy business applications
• Innovative security services — Includes advanced distributed denial of service attack protection, latest IKEv2 standards, strong authentication and real-time monitoring, logging and reporting
• Centralized, Scalable, carrier-class management — Centrally manage up to 20,000 VPN Firewall Brick® units and 500,000 Lucent IPSec Client (or 3rd party IPSec client) users with Lucent Security Management Server v9.0 or later.
• High capacity — Supports up to 20,000 simultaneous VPN tunnels, 4,094 VLANs, 1100 virtual firewalls, and 3 million simultaneous sessions (HS version)
• Intrinsically secure, transparent Layer-2 bridge — Outperforms firewalls running on routers, general purpose operating systems or PC servers
• Central staging and secure remote management — Provides integrated control over thousands of VPN Firewall Brick® units and Lucent IPSec Client users, from one console, using Lucent Security Management Server (SMS) software

VPN Firewall Brick® 1200 Platforms Technical Specifications

1. Processor/Memory
3.6 GHz Processor with 2GB of RAM for Brick 1200 HS AC & DC models
3.2 GHz Processor with 1GB of RAM for Brick 1200 AC Model

2. LAN/VPN Interfaces
Brick 1200 HS AC and DC Models: (14) 10/100/1000-Base-TX ports, (6) GigE mini-GBIC SFP ports, (1) VPN Encryption Accelerator
Brick 1200 AC Model: (8) 10/100/1000-Base-TX ports, (2) GigE mini-GBIC SFP ports, (1) VPN Encryption Accelerator

3. Other Ports
SVGA video, DB9 serial, PS/2 keyboard, 4xUSB

4. Performance
Brick 1200 HS AC or HS DC
Concurrent sessions – 3,000,000
New sessions/second – 45,000
Rules – 30,000 (shared among all virtual firewalls)
Max clear text throughput – 4.75 Gbps (1460 byte UDP Packets)
Max Clear Text PPS throughput – 2,200,000 pps (78 byte UDP Packets)
Max 3DES throughput with hardware encryption acceleration (Brick 1200 HS) – 1.7 Gbps (1460 byte UDP Packets)
Max AES throughput with hardware encryption acceleration (Brick 1200 HS) – 1.7 Gbps (1460 byte UDP Packets)
Brick 1200 AC
Concurrent sessions – 2,000,000
New sessions/second – 30,000
Rules – 30,000 (shared among all virtual firewalls)
Max clear text throughput – 3.0 Gbps (1460 byte UDP Packets)
Max Clear Text PPS throughput – 1,750,000 pps (78 byte UDP Packets)
Max 3DES throughput with hardware encryption – 1.1 Gbps (1460 byte UDP Packets)
Max AES throughput with hardware encryption – 1.1 Gbps (1460 byte UDP Packets)

5. Virtualization
Maximum number of virtual firewalls – 1100 (Brick 1200 HS AC or DC)
Maximum number of virtual firewalls – 500 (Brick 1200 AC)
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick® partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses

6. Modes of Operation
Bridging and/or routing on all interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound on any combination of ports
Layer-2 VLAN bridging
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation and VPN tunnel endpoints
PPPoE and DHCP-assignable interface/VLAN addresses
Redundant DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick® platform address for centralized remote management
Nested zone rulesets for common firewall policies for all Bricks® in zone.
Link Aggregation
Mobile Brick – DHCP Client.

7. Services Supported
Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet, talk, H.323, SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, mtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by SAP/Ethertype

8. Layer-7 Application Support
Application Filter architecture supports Layer-7 protocol inspection for command validation, dynamic channel pinholes and application layer address translation.
Application filters include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, Net BIOS, DHCP Relay, DNS, GTP, and SIP

9. Firewall Attack Detection and Protection
Generalized flood protection extensible to new flood attacks as discovered with patent-pending Intelligent Cache Management
Protections from over 190 attacks, including:
SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
Fragment flood protection with robust fragment reassembly, ensures no partial or overlapping fragments are transmitted
Generalized IP packet validation including detection of malformed packets such as ping of death, land attack, tear drop attack and over 100 other DoS signatures. Drops bad IP options as well as source route options

10. QoS/Bandwidth Management
Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
Bandwidth Guarantees – Into and out of Virtual Firewall, allocated in bits/second
Bandwidth Limits – Into and out of Virtual Firewall, allocated in bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching

11. Content Security
HTTP Filter Keyword support integrated with HTTP Application Filter
Rules-based routing feature for HTTP, SMTP and FTP features (Lucent Security Management Server v9.1 or later)
– Interoperates with all 3rd party Anti-virus, Content Filtering systems
– Redirects only protocol-specific packets to 3rd party systems performing Anti-virus, Anti-spam, and content filtering services.
Lucent Proxy Agent (Lucent Security Management Server v9.0 or earlier) integrates load-shared content security services for:
– Application protocol command blocking – HTTP, SMTP, FTP
– Virus and Spam scanning
– Content Filtering
Application-layer protocol command recognition and filtering
Application-layer command line length enforcement
Unknown protocol command handling
Extensive session-oriented logging for application-layer commands and replies
Hostile mobile code blocking (Java®, ActiveX™)

12. Firewall User Authentication
Browser-based authentication allows authentication of any user protocol
Built-in internal database – user limit 10,000
Local passwords, RADIUS, SecurID
User assignable RADIUS attributes
Certificate Authentication

13. VPN
Maximum number of dedicated VPN tunnels – Brick 1200 HS AC or DC – 20,000
Maximum number of dedicated VPN tunnels – Brick 1200 AC – 10,000
Manual Key, IKEv1, IKEv2, DoD PKI, X.509
3DES (168-bit), DES (56-bit)
AES (128, 192, 256-bit)
SHA-1 and MD5 authentication/integrity
Replay attack protection
Remote access VPN
Site-to-site VPN
IPSec NAT Traversal (UDP encapsulated IPSec)
IKEv2 IPSec NAT Traversal and Dead Peer Detection
LZS compression
Spliced and nested tunneling
Fully meshed or Hub and Spoke

14. VPN Authentication
Local passwords, RADIUS, SecurID, X.509 digital certificates with Entrust CA PKI
Certificate requests (PKCS 12)
Automatic LDAP certificate retrieval

15. High Availability
VPN Firewall Brick® platform to VPN Firewall Brick® platform active/passive failover with full synchronization
400 millisecond device failure detection and activation
Session protection for firewall, VoIP and VPN
Link failure detection
Alarm notification on failover
Encryption and authentication of session synchronization traffic
Self-healing synchronization links
Lucent Proxy Agent load sharing supports high availability for content security services

16. Diagnostic Tools
Out of band debugging and analysis via serial port/modem/terminal server
Centralized, secure remote console to any VPN Firewall Brick® platform supporting Ping, Traceroute, Packet Trace with filters
Remote VPN Firewall Brick® platform bootstrapping
Real-time log viewer analysis tool
Lucent Remote LSMS Navigator

17. 3-Tier Management Architecture
Centralized, carrier-class, active/active management architecture with Lucent Security Management Server software
Secure VPN Firewall Brick® platform to Lucent SMS communications with Diffie-Hellman and 3DES encryption, SHA-1 authentication and integrity and digital certificates for VPN Firewall Brick® platform/Lucent Security Management Server authentication
Up to 100 simultaneous administrators securely managing all aspects of up to 20,000 VPN Firewall Brick® units in hierarchical management cluster.
Secure, reliable, redundant real-time alarms, logs, reports

18. Certifications
ICSA V3.0A Firewall Certification in process
ICSA V1.0D IPSec Certification in process
FIPS 140-2 Certification in process
EAL-4 Certification in process
NEBS™ Level 3 (compliant to Telcordia GR1089-CORE and GR-63-CORE) in process for Brick 1200 HS DC version.

19. Mean Time Between Failure
125,000 hours

20. Dimensions (W x L x H)
Est. 19” x 19” x 3.5” (2U)
Est. 48.3 cm x 48.3 cm x 8.9 cm (2U)
Rack Mountable per EIA-310 specification
Est. Weight: 44 lbs (20 kg)
Est. Shipping Weight: 50 lbs (22 kg)

21. Cooling
Chassis fan (Intake & Exhaust), power supply fans

22. Operating Altitude
Up to 13,123 ft (4,000 m)

23. Environmental
Operating
Normal Operating Temperature: 0 to 40 °C
Shock: 2.5g at 15 – 20 ms on any axis
Relative humidity: 5–85% at 40 °C (non-condensing)
Vibration: 5g at 2 – 200 Hz on any axis
Non-Operating
Temperature: -40 to 70 °C
Shock: 35g at 15 – 20 ms on any axis
Relative humidity: 5–90% at 40 °C (non-condensing)
Vibration: 5g at 2 – 200 Hz on any axis

24. Power
AC Models:
Hot Swappable, Internal Dual AC to DC Power Supply: 500W max
Auto-ranging: 100 to 240 VAC, 47 to 63 Hz
Consumption: 8A @ 120 VAC; 45A @ 240 VAC
DC Model:
Hot Swappable, Internal Dual DC to DC Power Supply: 500W max
Input Range: -40 to -60 VDC
Consumption: 10A @ -48 VDC, 8A @ -60 VDC

25. Safety Listings
USA/Canada – Certified to UL® 60950-1, First Edition
Canada – CAN/CSA C22.2 No. 60950-1-03
EU – CE, CB Scheme to EN/IEC 60950-1
AS/NZS – 3260

26. EMC Certifications
USA – FCC Part 15, Class A
Canada – IC-ES003
EU – CE, EN55022/VCC, EN300-386-2, EMC Directive Class A
AS/NZS – 3548 CISPR PUB 22
Japan – VCCI Class A

Lucent Security Management Server and Lucent Proxy Agent

1. Software Requirements
Sun Solaris™ 2.8, 2.9 or 2.10 on SPARC processors
Microsoft Windows® 2000 Professional, Windows® 2000 Server, Windows XP Professional or Windows Server 2003.

2. Hardware Requirements
Sun® workstation for Sun Solaris operating system:
Sun UltraSPARC5 (330 MHz processor) or better
512MB of system memory (minimum)
Swap space at least as large as system memory
500MB free disk space in file system partition where software is to be installed
50MB free disk space in root partition
1 10/100 Ethernet interface
CD-ROM drive
3.5” floppy drive, USB port and serial port.
Video card capable of supporting 1024x768 resolution (65,535 colors)
Intel®-based workstation (for Microsoft Windows® operating systems noted above):
400 MHz Pentium® Pro processor (minimum)
512 MB system memory (minimum), higher recommended
CD-ROM drive
Swap space at least as large as installed system memory
1 GB free space on an NTFS partition
3.5” floppy, USB port and serial port.
1 Ethernet 10/100 card
Video card capable of supporting 1024x768 resolution (65,535 colors)

Ordering Information
1. Lucent VPN Firewall Brick® 1200 AC Platform – Part Number 109625772
2. Lucent VPN Firewall Brick® 1200 HS AC Platform – Part Number 109625780
3. Lucent VPN Firewall Brick® 1200 HS DC Platform – Part Number 109625806
4. Lucent Security Management Server – Available in several configurations to meet your networking requirements. Contact your Lucent Representative or authorized reseller for details.
5. Lucent Proxy Agent – Included in Lucent Security Management Server software v9.0 or earlier versions. Lucent Proxy Agent functions replaced with Rules-based routing feature in v9.1 or later versions.
6. Lucent IPSec Client – Available in several configurations to meet your networking requirements. Contact your Lucent Representative or authorized reseller for details.

To learn more, contact your dedicated Lucent Technologies representative, authorized reseller, or sales agent. You can also visit our Web site at www.lucent.com

VPN Firewall Brick is a registered trademark of Lucent Technologies Inc. ActiveX is a trademark of Microsoft Corporation. Webshield is a trademark of McAfee, Inc. Java is a trademark of Sun Microsystems, Inc. NEBS is a trademark of Telcordia Technologies. Pentium is a registered trademark of Intel Corporation. Solaris is a trademark of Sun Microsystems, Inc. Sun is a registered trademark of Sun Microsystems, Inc. UL is a registered trademark of Underwriters Laboratories. X-Stop is a trademark of Log-On Data Corp.
Copyright © 2006 Lucent Technologies Inc. All rights reserved
Brick1200 v1.0906

VPN Firewall Brick® 700
Security, VPN, VoIP and QoS Gateways

The Lucent VPN Firewall Brick® 700 platforms take data security to new levels by providing over 1.7 Gbps firewall throughput, along with integrated high-speed VPN, VoIP Security, VLAN and virtual firewall capabilities at a breakthrough price. With QoS bandwidth management features, built-in IDS/DoS protections and high network performance, the VPN Firewall Brick® 700 platforms provide solid security for both mid-size and large enterprise environments.
This carrier-grade IP services platform provides excellent value with low price/performance and total ownership costs, enabling service providers, government entities and large enterprises to deploy secure IP and VPN services that enhance their business while maximizing returns on their capital investments.

Applications
• Advanced security services
• VPN services for site-to-site and remote access
• High-availability architecture — Eliminates any single point of failure
• Proven Secure — No Computer Emergency Response Team (CERT®) advisories or reported vulnerabilities
• Bandwidth management capabilities
• VoIP Security
• Secure data center Web and application hosting
• Storage network security solution
• Mobile data security
• Packet Data Gateway and Packet Data Interworking Functions for Dual-Mode Wireless/WiFi VPN and VoIP/Data Security
• Managed Security Services
• Unlicensed Mobile Access (UMA) and IP Multimedia Subsystem (IMS) Security

Benefits
• Higher performance — Deliver an enhanced user experience with 425 Mbps IP VPN (3DES) throughput, combined with best-in-class bandwidth management — with customer-level, user-level and server-level QoS control
• Low price/performance — Get outstanding security and throughput for less than the per-Mbps price of major competitors
• Low cost of ownership — One configuration supports multiple IP services with no additional or recurring licensing fees
• Flexible deployment — Options include premises- or network-based services with shared or dedicated hardware environments
• Economical growth path — You can migrate to advanced security and VPN services with no added infrastructure investments
• Plug-and-Play interoperability — There’s no need for costly network reconfigurations or on-site support

Features
• Integrated security platform — Provides high-speed firewall, VPN, QoS, VLAN and virtual firewall capabilities in one configuration
• Industry-leading throughput — Delivers 1.7 Gbps firewall performance, 425 Mbps 3DES VPN performance and 350 Mbps AES VPN performance with built-in encryption accelerator cards (EAC)
• Cost-effective business continuity — Take advantage of low priced, full gigabit-rate encryption performance and maintain carrier-class reliability for today’s data-heavy business applications
• Innovative security services — Includes advanced distributed denial of service attack protection, latest IKEv2 standards, strong authentication and real-time monitoring, logging and reporting
• Centralized, Scalable, carrier-class management — Centrally manage up to 20,000 VPN Firewall Brick® units and 500,000 Lucent IPSec Client (or 3rd party IPSec client) users with Lucent Security Management Server v9.0 or later.
• High capacity — Supports up to 7500 simultaneous VPN tunnels, 4,094 VLANs, 350 virtual firewalls, and 1.0 million simultaneous sessions
• Intrinsically secure, transparent Layer-2 bridge — Outperforms firewalls running on routers, general purpose operating systems or PC servers
• Central staging and secure remote management — Provides integrated control over thousands of VPN Firewall Brick® units and Lucent IPSec Client users, from one console, using Lucent Security Management Server (SMS) software

VPN Firewall Brick® 700 Platforms Technical Specifications

1. Processor/Memory
2.8 GHz Processor with 512MB of RAM

2. LAN/VPN Interfaces
Brick 700 BASIC Model: (8) 10/100/1000-Base-TX ports
Brick 700 VPN AC and DC Models: (8) 10/100/1000-Base-TX ports, (1) VPN Encryption Accelerator

3. Other Ports
SVGA video, DB9 serial, PS/2 keyboard, 4xUSB

4. Performance
Concurrent sessions – 1,000,000
New sessions/second – 20,000
Rules – 30,000 (shared among all virtual firewalls)
Max clear text throughput – 1.7 Gbps (1514 byte UDP Packets)
Max Clear Text PPS throughput – 800,000 pps (78 byte UDP Packets)
Max 3DES throughput with software encryption (Brick 700 Basic) – 110 Mbps (1460 byte UDP Packets)
Max 3DES throughput with hardware encryption acceleration (Brick 700 VPN) – 425 Mbps (1514 byte UDP Packets)
Max AES throughput with software encryption (Brick 700 Basic) – 150 Mbps (1514 byte UDP Packets)
Max AES throughput with hardware encryption acceleration (Brick 700 VPN) – 350 Mbps (1460 byte UDP Packets)

5. Virtualization
Maximum number of virtual firewalls – 350
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick® partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses

6. Modes of Operation
Bridging and/or routing on all interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound on any combination of ports
Layer-2 VLAN bridging
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation and VPN tunnel endpoints
PPPoE and DHCP-assignable interface/VLAN addresses
Redundant DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick® platform address for centralized remote management
Nested zone rulesets for common firewall policies for all Bricks® in zone.

7. Services Supported
Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet, talk, H.323, SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, mtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by SAP/Ethertype

8. Layer-7 Application Support
Application Filter architecture supports Layer-7 protocol inspection for command validation, dynamic channel pinholes and application layer address translation.
Application filters include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, Net BIOS, DHCP Relay, DNS, GTP, and SIP

9. Firewall Attack Detection and Protection
Generalized flood protection extensible to new flood attacks as discovered with patent-pending Intelligent Cache Management
Protections from over 190 attacks, including:
SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
Fragment flood protection with robust fragment reassembly, ensures no partial or overlapping fragments are transmitted
Generalized IP packet validation including detection of malformed packets such as ping of death, land attack, tear drop attack and over 100 other DoS signatures. Drops bad IP options as well as source route options

10. QoS/Bandwidth Management
Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
Bandwidth Guarantees – Into and out of Virtual Firewall, allocated in bits/second
Bandwidth Limits – Into and out of Virtual Firewall, allocated in bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching

11. Content Security
HTTP Filter Keyword support integrated with HTTP Application Filter
Rules-based routing feature for HTTP, SMTP and FTP features (Lucent Security Management Server v9.1 or later)
– Interoperates with all 3rd party Anti-virus, Content Filtering systems
– Redirects only protocol-specific packets to 3rd party systems performing Anti-virus, Anti-spam, and content filtering services.
Lucent Proxy Agent (Lucent Security Management Server v9.0 or earlier) integrates load-shared content security services for:
– Application protocol command blocking – HTTP, SMTP, FTP
– Virus and Spam scanning
– Content Filtering Link Aggregation Application-layer protocol command recognition and filtering Mobile Brick- DHCP Client. Application-layer command line length enforcement Unknown protocol command handling Extensive session-oriented logging for application-layer commands and replies Hostile mobile code blocking (Java®, ActiveX™) 2 12.Firewall User Authentication Browser-based authentication allows authentication of any user protocol Built-in internal database – user limit 10,000 Local passwords, RADIUS, SecurID User assignable RADIUS attributes Certificate Authentication 18.Certifications ICSA V3.0A Firewall Certification in process, ICSA V1.0D IPSec Certification in process, FIPS 140-2 Certification in process EAL-4 Certification in process NEBS™ Level 3 (compliant to Telecordia GR1089-CORE and GR-63CORE) in process for Brick 700 DC version. 13.VPN Maximum number of dedicated VPN tunnels – 7,500 Manual Key, IKEv1, IKEv2, DoD PKI, X.509 3DES (168-bit), DES (56-bit) AES (128, 192, 256-bit) SHA-1 and MD5 authentication/integrity Replay attack protection Remote access VPN Site-to-site VPN IPSec NAT Traversal (UDP encapsulated IPSec) IKEv2 IPSec NAT Traversal and Dead Peer Detection LZS compression Spliced and nested tunneling Fully meshed or Hub and Spoke 19.Mean Time Between Failure 60,000 hours 14.VPN Authentication Local passwords, RADIUS, SecurID, X.509 digital certificates with Entrust CA PKI Certificate requests (PKCS 12) Automatic LDAP certificate retrieval 23.Environmental Operating Normal Operating Temperature: 0 to 40º C Shock: 2.5g at 15 – 20 ms on any axis Relative humidity: 5–85% at 40 C. (non-condensing) Vibration: 5g at 2 – 200Hz on any axis Non-Operating Temperature: -40 to 70º C Shock: 35g at 15 – 20 ms on any axis Relative humidity: 5–90% at 40 C. 
(non-condensing) Vibration: 5g at 2 – 200Hz on any axis 15.High Availability VPN Firewall Brick® platform to VPN Firewall Brick® platform active/passive failover with full synchronization 400 millisecond device failure detection and activation Session protection for firewall, VoIP and VPN Link failure detection Alarm notification on failover Encryption and authentication of session synchronization traffic Self-healing synchronization links Lucent Proxy Agent load sharing supports high availability for content security services 16.Diagnostic Tools Out of band debugging and analysis via serial port/modem/terminal server Centralized, secure remote console to any VPN Firewall Brick® platform supporting Ping, Traceroute, Packet Trace with filters Remote VPN Firewall Brick® platform bootstrapping Real-time log viewer analysis tool Lucent Remote lucent SMS Navigator 17.3-Tier Management Architecture Centralized, carrier-class, active/active management architecture with Lucent Security Management Server software Secure VPN Firewall Brick® platform to Lucent SMS communications with Diffie-Helman and 3DES encryption, SHA-1 authentication and integrity and digital certificates for VPN Firewall Brick® platform /Lucent Security Management Server authentication Up to 100 simultaneous administrators securely managing all aspects of up to 20,000 VPN Firewall Brick® units in hierarchical 20.Dimensions (W x L x H) 19” x 19” x 1.75” (1U) 48.3 cm x 48.23 cm x 4.4 cm (1U) Rack Mountable per EIA-310 specification. 
Weight: 27 lbs (12.3 kg) Shipping Weight: 30 lbs (13.6 kg) 21.Cooling Chassis fans (intake & exhaust), power supply fans 22.Operating Altitude Up to 13,123 ft (4,000 m) 24.Power AC Models: Internal AC to DC Power Supply: 300W max Auto-ranging: 100 to 240 VAC, 47 to 63 Hz Consumption: 8A @ 120 VAC; 5A @240 VAC DC Model: Internal DC to DC Power Supply: 300W max Input Range: -40 to -60 VDC Consumption: 10A @ -48 VDC, 84A @ -60 VDC 25.Safety Listings USA/Canada – CSA Certified to UL® 60950-1, First Edition Canada – CAN/CSA C22.2 No. 60950-1-03 EU – CE, CB Scheme to EN/IEC 60950-1 26.EMC Certifications USA – FCC Part 15, Class A Canada – IC-ES003 EU – CE, EN55022/VCC, EN300-386-2, EMC Directive Class A AS/NZS – 3548 CISPR PUB 22 Japan – VCCI Class A management cluster. Secure, reliable, redundant real-time alarms, logs, reports 3 Lucent Security Management Server and Lucent Proxy Agent 1.Software Requirements Sun Solaris™ 2.8, 2.9 or 2.10 on SPARC processors Microsoft Windows® 2000 Professional, Windows® 2000 Server, Windows XP Professional or Windows Server 2003. 2.Hardware Requirements Sun® workstation for Sun Solaris operating system: Sun UltraSPARC5 (330MHz processor or better) or better 512MB of system memory (minimium) Swap space at least as large as system memory 500MB free disk space in file system partition where software is to be installed 50MB free disk space in root partition 1 10/100 Ethernet interface CD-ROM drive 3.5” floppy drive, USB port and serial port. Video card capable of supporting 1024x768 resolution (65,535 colors) Intel®-based workstation (for Microsoft Windows® operating systems noted above) 400 MHz Pentium® Pro processor (minimum) 512 MB system memory (minimum), higher recommended CD-ROM drive Swap space at least as large as install system memory 1 GB free space on an NTSF partition 3.5” floppy, USB port and serial port. 
1 Ethernet 10/100 card Video card capable of supporting 1024x768 resolution (65,535 colors) Ordering Information 1.Lucent VPN Firewall Brick® 700 Basic Platform Part Number 109625004 2.Lucent VPN Firewall Brick® 700 VPN AC Platform Part Number 109624981 3.Lucent VPN Firewall Brick® 700 VPN DC Platform Part Number 109624999 4.Lucent Security Management Server Available in several configurations to meet your networking requirements. Contact your Lucent Representative or authorized reseller for details. 5.Lucent Proxy Agent Included in Lucent Security Management Server software v9.0 or earlier versions. Lucent Proxy Agent functions replaced with Rules-based routing feature in v9.1 or later versions. 6.Lucent IPSec Client Available in several configurations to meet your networking requirements. Contact your Lucent Representative or authorized reseller for details To learn more, contact your dedicated Lucent Technologies representative, authorized reseller, or sales agent. You can also visit our Web site at www.lucent.com This document is provided for planning purposes only and does not create, modify, or supplement any warranties, which may be made by Lucent Technologies relating to the products and/or services described herein. The publication of information contained in this document does not imply freedom from patent or other protective rights of Lucent Technologies or other third parties. VPN Firewall Brick is a registered trademark of Lucent Technologies Inc. ActiveX is a trademark of Microsoft corporation. Webshield is a trademark of McAfee, Inc Java is a trademark of Sun Microsystems, Inc. NEBS is a trademark of Telcordia Technologies. Pentium is a registered trademark of Intel Corporation. Solaris is a trademark of Sun Microsystems, Inc. Sun is a registered trademark of Sun Microsystems, Inc. UL is a registered trademark of Underwriter’s Laboratories. X-Stop is a trademark of Log-On Data Corp. Copyright © 2006 Lucent Technologies Inc. 
All rights reserved. Brick700 v1.0906

VPN Firewall Brick® 150
Security, VPN, and QoS Gateway

Deliver service level-assured advanced security, IP VPN, and bandwidth management services to enterprise regional and branch office sites. The carrier-class VPN Firewall Brick® 150 IP services platform stretches investment dollars and lowers total ownership costs by offering a low price/high-performance solution with service-enhancing, revenue-building features.

Applications
• Advanced security services
• Site-to-site and remote access VPN services
• Bandwidth management services
• Web/application hosting
• Mobile data services
• Voice over IP (VOIP)

Features
• Unsurpassed security services — leverages state-of-the-art Bell Labs security technology for optimum performance
• Integrates high-speed firewall, VPN, QoS, VLAN, and virtual firewall capabilities in one configuration
• 330 Mbps firewall performance; 127 Mbps Triple Data Encryption Standard (3DES) VPN performance; 1,000 simultaneous VPN tunnels; 4,094 VLANs; 150 virtual firewalls
• Advanced Encryption Standard (AES) encryption (via hardware) is available when using LSMS 8.0 or higher
• Hardware assisted encryption with built-in accelerator chip
• Intrinsically secure, transparent Layer-2 bridge
• Central staging and secure remote management via Lucent Security Management Server (LSMS) software; manages thousands of VPN Firewall Brick® units and IPSec Client users from one console
• Advanced distributed denial of service attack protection, high-speed content security (command blocking, URL filtering, virus scanning), strong authentication, real-time monitoring, logging, and reporting
• High-availability architecture: No single point of failure

Benefits
• Low price/high-performance — significantly lower price/Mbps than major competitors
• Low cost of ownership — one configuration supports multiple IP services with no additional or recurring licensing fees; VLAN and virtual firewall support for up to 150 customers at no additional cost; management efficiencies reduce staffing and administrative expenses
• Flexible deployment options — premises or network based services with shared or dedicated hardware environments
• Economical growth path — migrate to advanced security and VPN services with no added infrastructure investments
• No-touch Customer Premises Equipment (CPE) — no need for costly network reconfigurations, truck-rolls, or onsite support
• Enhanced user experiences — best-in-class bandwidth management with customer-level, user-level, and server-level QoS control
• Assured business continuity — native high availability, carrier-class reliability
• Scalable, carrier-grade management — central management of up to 1,000 VPN Firewall Brick® units and 10,000 Lucent IPSec Client users

VPN Firewall Brick® 150 Technical Specifications

1. Processor/Memory
650MHz Celeron Processor with 128 MB of RAM

2. LAN Interfaces
(4) 10/100base TX Ethernet Ports

3. Other Ports
SVGA video, DB9 serial, Parallel, USB (2)

4. Performance
Concurrent sessions – 245,000
New sessions/second – 20,000
Rules – 30,000 (shared among all virtual firewalls)
Max clear text throughput – 334 Mbps (1514 byte UDP packets); 94,000 pps (78 byte UDP packets)
Max 3DES throughput with hardware encryption acceleration – 127 Mbps (1460 byte UDP packets without LZS compression); 44,000 pps (78 byte UDP packets)
Hardware Assisted Encryption – Encryption Accelerator module

5. Virtualization
Maximum number of virtual firewalls – 150
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick® partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses

6. Modes of Operation
Bridging and/or routing on all PPPoE interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound on any combination of ports
Layer-2 VLAN bridging
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation and VPN tunnel endpoints
DHCP-assignable interface/VLAN addresses
DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick® addresses for centralized remote management

7. Services Supported
Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet, talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by DSAP/Ethertype

8. Layer-7 Application Support
Application Filter architecture supports Layer-7 protocol inspection for command validation, dynamic channel pinholes and application layer address translation. Application filters include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, NetBIOS, DHCP Relay, DNS, GTP, SIP

9. Firewall Attack Detection and Protection
Generalized flood protection, extensible to new flood attacks as discovered, with patent-pending Intelligent Cache Management
SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
Fragment flood protection with Robust Fragment Reassembly, ensures no partial or overlapping fragments are transmitted
Generalized IP Packet Validation including detection of malformed packets such as ping of death, land attack, tear drop attack
Drops bad IP options as well as source route options

10. Content Security
Lucent Proxy Agent integrates load-shared content security services for:
Application protocol command blocking – HTTP, SMTP, FTP
Virus scanning
URL screening
Application-layer protocol command recognition and filtering
Application-layer command line length enforcement
Unknown protocol command handling
Extensive session-oriented logging for application-layer commands and replies
Hostile mobile code blocking (JAVA, ActiveX)
URL blocking – with 8e6 Technologies’ X-Stop™ Xserver
Virus scanning – with Trend Micro’s InterScan™ VirusWall Anti-Virus Security Suite

11. QoS/Bandwidth Management
Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
Bandwidth Guarantees – Into and out of Virtual Firewall, allocated in bits/second
Bandwidth Limits – Into and out of Virtual Firewall, allocated in bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching

12. Firewall User Authentication
Browser-based authentication allows authentication of any user protocol
Built-in internal database – user limit 10,000
Local passwords, RADIUS, SecurID
User assignable RADIUS attributes

13. VPN
Maximum number of dedicated VPN tunnels – 1,000
Manual Key, IKE, PKI (X.509)
3DES (168-bit), DES (56-bit), AES
SHA-1 and MD5 authentication/integrity
Replay attack protection
Remote access VPN
Site-to-site VPN
IPSec NAT Traversal (UDP encapsulated IPSec)
LZS compression
Spliced and nested tunneling

14. VPN Authentication
Local passwords, RADIUS, SecurID, X.509 digital certificates with Entrust CA
PKI Certificate requests (PKCS 12)
Automatic LDAP certificate retrieval

15. High Availability
VPN Firewall Brick® to VPN Firewall Brick® active/passive failover with full synchronization
400 millisecond device failure detection and activation
Session protection for firewall and VPN
Link failure detection
Alarm notification on failover
Encryption and authentication of session synchronization traffic
Self-healing synchronization links
Lucent Proxy Agent load sharing supports high availability for content security services

16. Diagnostic Tools
Out of band debugging and analysis via serial port/modem/terminal server
Centralized, secure remote console to any VPN Firewall Brick® unit supporting Ping, Traceroute, packet trace with filters
Remote VPN Firewall Brick® bootstrapping
Real-time log viewer analysis tool

17. 3-Tier Management Architecture
Centralized, carrier-grade, active/active management architecture with Lucent Security Management Server (LSMS) software
Secure VPN Firewall Brick® to LSMS communications with Diffie-Hellman and 3DES and AES encryption, SHA-1 authentication and integrity and digital certificates for VPN Firewall Brick®/LSMS authentication
Up to 100 simultaneous administrators securely managing all aspects of up to 1000 VPN Firewall Brick® units
Secure, reliable, redundant real-time alarms, logs, reports

18. Certifications
ICSA V4.0 Firewall Certified (pending), ICSA V1.0B IPSec Certified

19. Mean Time Between Failure
218,999 Hrs, Telcordia SR-332 at Standard Reference Conditions

20. Dimensions (W x L x H)
11” (W) x 7.18” (D) x 1.75” (H) (1U)
27.9 cm x 18.2 cm x 4.5 cm (1U)
Rack, Wall, or Table Mountable
Weight: 3 lbs. (1.4 Kg)
Shipping Weight: 5 lbs. (2.3 Kg)

21. Cooling
Chassis fan

22. Operating Altitude
Up to 13,123 feet (4,000 m)

23. Environmental
Operating:
Temperature: 0 to 50 C
Shock: 2.5g at 15 – 20 ms on any axis
Relative Humidity: 10 – 95% at 40 C (non-condensing)
Vibration: 5g at 2 – 200 Hz on any axis
Non-Operating:
Temperature: -20 to 70 C
Shock: 35g at 15 – 20 ms on any axis
Relative Humidity: 10 – 95% at 40 C (non-condensing)
Vibration: 5g at 2 – 200 Hz on any axis

24. Power
External AC to DC Power Supply: Rated 50W max.
Input: CV mode, 100 – 240 VAC, 47 to 63 Hz, 64 watts
Typical Consumption: 0.28A @ 115V, 0.14A @ 230V

25. Safety Listings
USA/Canada: CSA Certified to UL® 60950-1, First Edition and CAN/CSA C22.2 No. 60950-1-03
EU: CE, CB Scheme to EN/IEC 60950

26. EMC Certifications
USA: FCC Part 15, Class B
Canada: IC-ES003
EU: CE, EN 300-386-2; EN 55022, Class A
Japan: VCCI, Class A

Lucent Proxy Agent

1. Software Requirements
Solaris 8

2. Hardware Requirements
Sun workstation
333 MHz Pentium Pro processor (minimum)
512 MB system memory (minimum), higher recommended
CD-ROM drive
1 Ethernet 10/100 card

Ordering Information
1. Firewall Brick® 150 Basic – Part Number 300698289
2. Lucent Security Management Server – Brick 150 requires LSMS 7.2.317 or later. AES feature requires LSMS 8.0 or later. See LSMS data sheet for ordering details
3. Lucent Proxy Agent – Included in LSMS software
4. Lucent IPSec Client – See Lucent IPSec Client data sheet for ordering details

To learn more about our comprehensive portfolio of security products, please contact your Lucent Technologies Sales Representative or visit our web site at www.lucent.com or www.lucent.com/security.

This document is for planning purposes only, and is not intended to modify or supplement any Lucent Technologies specifications or warranties relating to these products or services. The publication of information in this document does not imply freedom from patent or other protective rights of Lucent Technologies or others.

VPN Firewall Brick is a registered trademark of Lucent Technologies Inc. NEBS is a trademark of Telcordia Technologies, Inc. X-Stop is a trademark of Log-On Data Corp. InterScan is a registered trademark of Trend Micro, Inc. UL is a registered trademark of Underwriters Laboratories Inc.
Copyright © 2004 Lucent Technologies Inc. All rights reserved. VPN v1.0304

VPN Firewall Brick® 50
Security, VPN, and QoS Gateway

Deliver service level-assured advanced security, IP VPN, and bandwidth management services to small office and home office locations. The carrier-class VPN Firewall Brick® 50 IP services platform stretches investment dollars and lowers total ownership costs by offering a low price/high-performance solution with service-enhancing, revenue-building features.

Ordering Information
1. Firewall Brick® 50 Basic – Part Number 300819075
2. Lucent Security Management Server – Brick 50 requires a 9.0 patch release (see http://www.lucent.com/security). See LSMS data sheet for ordering details
3. Lucent Proxy Agent – Included in LSMS software
4. Lucent IPSec Client – See Lucent IPSec Client data sheet for ordering details
Applications
• Advanced security services
• Site-to-site and remote access VPN services
• Bandwidth management services
• Web/application hosting
• Mobile data services
• Voice over IP (VOIP)

Features
• Unsurpassed security services — leverages state-of-the-art Bell Labs security technology for optimum performance
• Integrates high-speed firewall, VPN, QoS, VLAN, and virtual firewall capabilities in one configuration
• 195 Mbps firewall performance; 75 Mbps Triple Data Encryption Standard (3DES) VPN performance; 1,000 simultaneous VPN tunnels; 4,094 VLANs; 50 virtual firewalls
• Advanced Encryption Standard (AES) encryption (via hardware) – 60 Mbps VPN performance (AES 128, AES 192, AES 256)
• Hardware assisted encryption with built-in accelerator chip
• Intrinsically secure, transparent Layer-2 bridge
• Central staging and secure remote management via Lucent Security Management Server (LSMS) software; manages thousands of VPN Firewall Brick® units and IPSec Client users from one console
• Advanced distributed denial of service attack protection, high-speed content security (command blocking, URL filtering, virus scanning), strong authentication, real-time monitoring, logging, and reporting
• High-availability architecture: No single point of failure

Benefits
• Low price/high-performance — significantly lower price/Mbps than major competitors
• Low cost of ownership — one configuration supports multiple IP services with no additional or recurring licensing fees; VLAN and virtual firewall support for up to 50 customers at no additional cost; management efficiencies reduce staffing and administrative expenses
• Flexible deployment options — premises or network based services with shared or dedicated hardware environments
• Economical growth path — migrate to advanced security and VPN services with no added infrastructure investments
• No-touch Customer Premises Equipment (CPE) — no need for costly network reconfigurations, truck-rolls, or onsite support
• Enhanced user experiences — best-in-class bandwidth management with customer-level, user-level, and server-level QoS control
• Assured business continuity — native high availability, carrier-class reliability
• Scalable, carrier-grade management — central management of up to 20,000 VPN Firewall Brick® units and up to 500,000 simultaneously connected VPN users

VPN Firewall Brick® 50 Technical Specifications

1. Processor/Memory
466MHz AMD Geode Processor with 64 MB of RAM

2. LAN Interfaces
(3) 10/100base TX Ethernet Ports

3. Other Ports
DB9 serial, USB (1)

4. Performance
Concurrent sessions – 135,000
New sessions/second – 1,600
Rules – 10,000 (shared among all virtual firewalls)
Max clear text throughput – 195 Mbps (1514 byte UDP packets); 88,000 pps (78 byte UDP packets)
Max 3DES throughput with hardware encryption acceleration – 75 Mbps (1460 byte UDP packets without LZS compression); 9,200 pps (78 byte UDP packets)
Maximum AES 256 throughput with hardware encryption acceleration – 60 Mbps (1024 byte UDP packets without LZS compression); 9,200 pps (78 byte UDP packets without LZS compression)
Hardware Assisted Encryption – Encryption Accelerator module

5. Virtualization
Maximum number of virtual firewalls – 50
Number of VLANs supported – 4,094
VLAN domains – up to 16 per VLAN trunk
VPN Firewall Brick® partitions – allows for virtualization of customer IP address range, including support for overlapping IP addresses

6. Modes of Operation
Bridging and/or routing on all PPPoE interfaces
All features supported with bridging
IP routing with static routes
802.1Q VLAN tagging supported inbound and outbound on any combination of ports
Layer-2 VLAN bridging
Network Address Translation (NAT)
Port Address Translation (PAT)
Policy-based NAT and PAT (per rule)
Supports virtual IP addresses for both address translation and VPN tunnel endpoints
DHCP-assignable interface/VLAN addresses
DHCP Relay capabilities
Dynamic registration of mobile VPN Firewall Brick® addresses for centralized remote management

7. Services Supported
Bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, gmp, login, ospf, rlogin, telnet, talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net
Any IP protocol (user definable)
Any IP protocol + layer 4 ports (user definable)
Support for non-IP protocols as defined by DSAP/Ethertype

8. Layer-7 Application Support
Application Filter architecture supports Layer-7 protocol inspection for command validation, dynamic channel pinholes and application layer address translation. Application filters include http, ftp, tftp, H.323/H.323 RAS, Oracle SQL*Net, NetBIOS, DHCP Relay, DNS, GTP, SIP

9. Firewall Attack Detection and Protection
Generalized flood protection, extensible to new flood attacks as discovered, with patent-pending Intelligent Cache Management
SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers, rejection of bad TCP flag combinations
Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
Fragment flood protection with Robust Fragment Reassembly, ensures no partial or overlapping fragments are transmitted
Generalized IP Packet Validation including detection of malformed packets such as ping of death, land attack, tear drop attack
Drops bad IP options as well as source route options

10. Content Security
Lucent Proxy Agent integrates load-shared content security services for:
Application protocol command blocking – HTTP, SMTP, FTP
Application-layer protocol command recognition and filtering
Application-layer command line length enforcement
Unknown protocol command handling
Extensive session-oriented logging for application-layer commands and replies
Hostile mobile code blocking (JAVA, ActiveX)

11. QoS/Bandwidth Management
Classified by Physical Port, Virtual Firewall, Firewall Rule, Session
Bandwidth Guarantees – Into and out of Virtual Firewall, allocated in bits/second
Bandwidth Limits – Into and out of Virtual Firewall, allocated in bits/second, packets/session, sessions/second
ToS/DiffServ marking and matching

12. Firewall User Authentication
Browser-based authentication allows authentication of any user protocol
Built-in internal database – user limit 10,000
Local passwords, RADIUS, SecurID
User assignable RADIUS attributes

13. VPN
Maximum number of dedicated VPN tunnels – 1000
Manual Key, IKE, PKI (X.509)
3DES (168-bit), DES (56-bit), AES
SHA-1 and MD5 authentication/integrity
Replay attack protection
Remote access VPN
Site-to-site VPN
IPSec NAT Traversal (UDP encapsulated IPSec)
LZS compression
Spliced and nested tunneling

14. VPN Authentication
Local passwords, RADIUS, SecurID, X.509 digital certificates
PKI Certificate requests (PKCS 12)
Automatic LDAP certificate retrieval
DoD PKI

15. High Availability
VPN Firewall Brick® to VPN Firewall Brick® active/passive failover with full synchronization
400 millisecond device failure detection and activation
Session protection for firewall and VPN
Link failure detection
Alarm notification on failover
Encryption and authentication of session synchronization traffic
Self-healing synchronization links
Lucent Proxy Agent load sharing supports high availability for content security services

16. Diagnostic Tools
Out of band debugging and analysis via serial port/modem/terminal server
Centralized, secure remote console to any VPN Firewall Brick® unit supporting Ping, Traceroute, packet trace with filters
Remote VPN Firewall Brick® bootstrapping
Real-time log viewer analysis tool

17. 3-Tier Management Architecture
Centralized, carrier-grade, active/active management architecture with Lucent Security Management Server (LSMS) software
Secure VPN Firewall Brick® to LSMS communications with Diffie-Hellman and 3DES and AES encryption, SHA-1 authentication and integrity and digital certificates for VPN Firewall Brick®/LSMS authentication
Up to 100 simultaneous administrators securely managing all aspects of up to 20,000 VPN Firewall Brick® units
Secure, reliable, redundant real-time alarms, logs, reports

18. Mean Time Between Failure
409,688 Hrs, Telcordia SR-332 at Standard Reference Conditions

19. Dimensions (W x L x H)
8.5” (W) x 5.9” (D) x 1.1” (H) (1U)
21.6 cm x 15 cm x 2.8 cm (1U)
Wall or Table Mountable
Weight: 2 lbs., 3 oz. (1.0 Kg)
Shipping Weight: 4 lbs., 12 oz. (2.2 Kg)

20. Cooling
Passive cooling

21. Operating Altitude
Up to 13,123 feet (4,000 m)

22. Environmental
Operating:
Temperature: 0 to 50 C
Shock: 2.5g at 15 – 20 ms on any axis
Relative Humidity: 5 – 95% at 40 C (non-condensing)
Vibration: 5g at 2 – 200 Hz on any axis
Non-Operating:
Temperature: -40 to 70 C
Shock: 35g at 15 – 20 ms on any axis
Relative Humidity: 5 – 95% at 40 C (non-condensing)
Vibration: 5g at 2 – 200 Hz on any axis

23. Power
External AC to DC Power Supply: Rated 25W max.
Input: CV mode, 100 – 254 VAC, 47 to 63 Hz, 64 watts
Typical Consumption: 1.2A max. @ 115V, 0.6A max. @ 230V

24. Safety Listings
USA: UL 60950-1, First Edition
Canada: CAN/CSA C22.2 No. 60950-1-03
EU: EN 60950-1
Pacific Rim: IEC 60950-1

25. EMC Certifications
USA: FCC Part 15 Subpart B Class B
Canada: ICES-003 Class B
EU: EN 55024, EN 55022 Class B
Japan: VCCI Class B
Australia/New Zealand (AS/NZS): AS/NZS CISPR Pub 22

VPN Firewall Brick is a registered trademark of Lucent Technologies Inc. UL is a registered trademark of Underwriters Laboratories Inc.
Copyright © 2006 Lucent Technologies Inc. All rights reserved. VPN v1.0106

Lucent Security Management Server
Security, VPN, and QoS Management Solution

Lucent Security Management Server (SMS) software brings you advanced carrier-grade IP services management at a low total ownership cost. Teaming with Lucent’s award-winning VPN Firewall Brick® portfolio, Lucent Security Management Server lets you rapidly provision and manage high-return services for thousands of users in a single console.
It integrates firewall, VPN, QoS, VLAN and virtual firewall policy management; provides industry-leading scalability and availability; delivers robust monitoring, logs and reports; and gives you flexible deployment options — all without the costly additional modules or recurring license fees that competitive products require. Applications • Advanced security services • VPN services for site-to-site and remote access • Bandwidth management capabilities • VoIP Security • Secure data center Web and application hosting • Storage network security solution • Mobile data security • Packet Data Gateway and Packet Data Interworking Functions for Dual-Mode Wireless/Wifi VPN and VoIP/Data Security • Managed Security Services • Unlicensed Mobile Access (UMA) and IP Multimedia Subsystem (IMS) Security Features Benefits • Fully integrates firewall, VPN, QoS, • One management solution — single VLAN, and virtual firewall platform provides centralized, management comprehensive management of all IP services • Comprehensive remote management capabilities with role- • Low operating costs — secure based administration remote management reduces need for network reconfigurations, truck• Flexible management model: rolls, on-site support; VLAN, virtual controls policies at global, firewall, and QoS support included customer, device, interface, VLAN at no extra charge; management and IP address range levels efficiencies cut staffing and • High scalability: supports 20,000 administrative expenses Lucent VPN Firewall Brick units • Simple, economical licensing and up to 500,000 simultaneously model — no ongoing license fees or connected VPN users from one add-ons required for complete Lucent Security Management security management Server console. 
• Cost-saving growth — easily • Carrier-class reliability: migrate from basic to advanced distributable across up to four security, VPN, and QoS services network operations centers (NOCs) • Assured business continuity — for active/active network native high availability, carrierredundancy with no single point of class reliability, no advisories or failure reported vulnerabilities • Real time monitoring, robust logging, and customized reporting • Proven carrier-class performance — mature product with over 7 years • Multiple IP services deployment service in the world’s largest options: premises-based, networknetworks based, tiered, and data-center architectures Lucent Security Management Server Technical Specifications 1.Mode of Operation Centralizes firewall, virtual firewall, VLAN, VPN and QoS policy management Proactively monitors all VPN Firewall Brick® platforms and IPSec Client users Provides real-time monitoring, log collection, reporting and alarm generation Supports network-based and premises-based deployments 6.Authentication Built-in internal database – 10,000 users Browser-based authentication allows authentication of any user protocol Local passwords, RADIUS, SecurID, X.509 digital certificates PKI Certificate requests (PKCS 12) User assignable RADIUS attributes DoD PKI 2.Performance and Capacity Supports 1,000 customer groups each with hundreds of unique policies Centrally collects up to 15, 000 log records per Lucent Security Management Software or Compute Server for a maximum of 300,000 log records per second. 
Central management of up to 20,000 VPN Firewall Brick® units and 500,000 simultaneously connected VPN users 7.Remote Access VPN Tunnel Management Supports IKEv1 and IKEv2 remote access VPN, including Lucent IPSec Client software distribution and updates Centralizes management of all IPSec Client configurations, including personal firewall settings Allows any combination of authentication methods; configurable per user, user group or application Supports virtual addresses for tunnel end points Allows administrator to terminate specific tunnels when necessary, or terminate all tunnels in a single action 3.Policy Management Uses a group-based model to manage a collection of devices, security policies, VPN tunnels, and user authentication components as a single entity Controls policies at the global, customer, device, interface, VLAN and IP address range level Includes preconfigured typical security and VPN policy templates that can be tailored to suit unique requirements Uses user-definable Host Groups, Service Groups, Application Filters and User Groups Supports global and nested policy objects 4.Role-based Administration Uses two administrative classes: Lucent Security Management Server Administrators – full privileges over all groups, devices, policies and users Group Administrators – restricted privileges and access only to assigned group(s) Supports shared administration with customers Local and remote administration via Lucent Security Management Server Remote Navigator utility (included); provides secure access to all Lucent Security Management Server utilities Allows concurrent administrators to exchange messages via a real-time messenger service 8.Site-to-Site VPN Tunnel Management Provides SLA probes for real-time round trip delay statistics and tunnel status indicators to verify tunnel availability in real-time; configurable with alarm notifications Supports virtual addresses for tunnel end points Configurable tunnel default settings Includes preconfigured 
VPN policy templates fully integrated with firewall policy Supports IKEv1 and IKEv2 site-to-site tunnels 9.High Availability/Redundancy Supports active/active management with up to four geographically distributed servers and real-time database replication Internal database automatically backs up to a local and remote disk daily; additional backups can be scheduled at any time Backup file contains ALL policy, configuration, and security information for ALL configured devices and policies 10.Central Staging with Secure Upgrades Securely pushes the VPN Firewall Brick® operating system to each device with no truck-rolls or on-site hardware support; maintains ALL sessions during an OS upgrade with a failover pair of VPN Firewall Brick® units 5.Secure 3-Tier Architecture Lucent Security Management Server to VPN Firewall Brick® 11.Application Programming Interfaces (APIs) platform communications secured with Diffie-Helman and 3DES Scriptable command line interface encryption, SHA-1 authentication and integrity, and digital Parsable ASCII log files (for per-customer reporting) ® certificates for VPN Firewall Brick platform to Lucent Security Supports SNMP GET v2c (read-only) and SNMP traps v1 and v2c Management Server authentication TL1 Alarm Interface Lucent Security Management Server Remote Navigator to Lucent Security Management Server communications secured with 3DES encryption and SHA-1 authentication and integrity, and either local password or external database authentication with SecurID or RADIUS servers Transfers logs in real-time over reliable and secured connections 2 17.Alarms (continued) 12.Audit Log Management VPN Log Configurable notification methods: Console Alarm (via the Lucent Security Management Server Four categories of audit logs created daily: Remote Navigator) Firewall Session Logs Email Administrative Event Logs Out-of-band modem-dialed alphanumeric message sent to User Authentication Logs pager (via the TAP protocol) Proactive Monitoring Statistic 
Logs SNMP Trap Real time logs viewable with Log Viewer; historical logs SYSLOG Message (with configurable SYSLOG level) viewable with Log Viewer or Reporting System (see below). Alarm triggers can be mapped to any combination of Log viewing and manipulation follows administrative notification methods permissions model Configurable log file disk management 18.Real-Time Status Monitors Automated log scheduling and forwarding for post-processing Support real-time and historical dynamically-updating text and graphical monitoring 13.Real-time Log Viewer VPN Firewall Brick® monitor – provides windows for each device Displays log records as received from all VPN Firewall Brick® and aggregate collection of devices; monitors statistics for each platforms; messages can be filtered, sorted and highlighted physical port, packet, byte, and session; includes Quality-ofIncludes historical record search capabilities with specified Service graphs to monitor throughput and performance relative time parameters to configured guarantees and limits VPN Tunnel monitor – provides status of each VPN tunnel; 14.Reporting System monitors Service-Level Agreements (SLAs) for VPN tunnel Automatically merges data from geographically distributed log round-trip delay servers Administrator and Lucent Security Management Server Generates HTML-based reports with full filtering, sorting and monitor – views all logged-in administrators and connection scheduling capabilities; configurable per administrator statistics; reports connection status of each Lucent Security Reports include sessions over time, policy snapshots, Management Server in real-time administrator events and configuration changes Includes preconfigured reports for fast initial deployment 19.Command Line Interface Allows administrators to script the configuration of many 15.Customer Specific Report Generation and Delivery Lucent Security Management Server components and policy Integrates with the WebTrends Firewall Reporting Suite; uses 
objects using a text file-based interface the WebTrends Enhanced Log Format (WELF) Fully automates generation and delivery of customer-specific, 20.SNMP Agent traffic statistic graphic reports to customers via FTP, e-mail or Accesses limited configuration and statistic information http server regarding the system and associated VPN Firewall Brick® platforms in a Read-Only fashion via the Lucent Security 16.Policy Change Control Management Server. Absolutely NO information may be configured via SNMP. VPN Firewall Brick® platforms do NOT Records all administrative activity to audit logs respond to SNMP or any variation thereof. Available in SNMP Captures all policy and configuration changes in detailed, v2c format. user-configurable history files that are secured from tampering/modification and support policy roll-back 21.VPN Firewall Brick® Remote Console Provides a secure remote console to any VPN Firewall Brick® 17.Alarms model and executes debugging/troubleshooting commands Generates alarms based on VPN Firewall Brick® log messages No policy modifications can be made from this Remote Console and locally generated log messages from Lucent Security or any VPN Firewall Brick® console interface Management Server subsystems; configurable per-administrator Includes preconfigured alarms for fast initial deployment 22.Rules Based Routing Configurable alarm triggers include: Provides capability to configure a rule for HTTP, FTP, or SMPT Lucent Security Management Server Error protocol traffic. Routes all packets matching the rule to a proxy VPN Firewall Brick® Error server, router or other device utilizing third party software to VPN Firewall Brick® Lost/Found perform content filtering functions such as command blocking, URL filtering, and virus scanning. Allows transparent interaction VPN Firewall Brick® Interface Up/Down with any third party equipment. 
Proactive Monitoring Threshold Crossing VPN Firewall Brick® Redundancy Alarms Lucent Security Management Server Redundancy Alarms 3 Lucent Security Management Server Hardware and Software Requirements 1.Software Requirements Sun Solaris™ 2.8, 2.9 or 2.10 on SPARC processors Microsoft Windows® 2000 Professional, WindowsR 2000 Server, Windows XP Professional or Windows Server 2003. 2.Hardware Requirements Sun® workstation for Sun Solaris operating system: Sun UltraSPARC5 (330MHz processor or better) or better 512MB of system memory (minimium) Swap space at least as large as system memory 500MB free disk space in file system partition where software is to be installed 50MB free disk space in root partition 1 10/100 Ethernet interface CD-ROM drive 3.5" floppy drive, USB port and serial port. Video card capable of supporting 1024x768 resolution (65,535 colors) Intel®-based workstation (for Microsoft Windows® operating systems noted above) 400 MHz Pentium® Pro processor (minimum) 512 MB system memory (minimum), higher recommended CD-ROM drive Swap space at least as large as install system memory 1 GB free space on an NTSF partition 3.5" floppy, USB port and serial port. 
• 1 Ethernet 10/100 card
• Video card capable of supporting 1024x768 resolution (65,535 colors)

Ordering Information
• Lucent SMS 9.1 Package (includes license to manage up to 5 VPN Firewall Brick® products, and 100 simultaneous IPSec Client tunnels) – Part Number 300903176
• Lucent SMS 9.1 Redundancy Package (for High Availability applications) – Part Number 300903184
• Lucent SMS 9.1 Compute Server Base Package – Part Number 300903192
• Additional 5 VPN Firewall Brick® management licenses – Part Number 300903234
• Additional 25 VPN Firewall Brick® management licenses – Part Number 300903242
• Additional 50 VPN Firewall Brick® management licenses – Part Number 300903259
• Additional 100 VPN Firewall Brick® management licenses – Part Number 300903267
• Additional 250 VPN Firewall Brick® management licenses – Part Number 300903275
• Additional 500 VPN Firewall Brick® management licenses – Part Number 300903283
• Upgrade Lucent SMS 9.0 to Lucent SMS 9.1 – Part Number 300903200
• Lucent IPSec Client – See Lucent IPSec Client data sheet for ordering details

To learn more, please contact your Lucent Technologies Sales Representative or Lucent Sales Business Partner. Or visit our web site at www.lucent.com.

This document is provided for planning purposes only and is not intended to modify or supplement any Lucent Technologies specifications or warranties relating to the products or services described herein. Specifications are subject to change without notice. Windows is a registered trademark of Microsoft Corporation. WebTrends is a registered trademark of WebTrends, Inc. VPN Firewall Brick is a registered trademark of Lucent Technologies Inc. Copyright © 2006 Lucent Technologies Inc. All rights reserved
Lucent SMS v2 08/06

Lucent IPSec Client
Remote Access IP VPN Solution

Lucent IPSec Client software lets you provide high-value remote access VPN services for telecommuters and mobile workers with PCs running Microsoft® Windows® operating systems.
Unlike competitive products, the Lucent IPSec Client is expressly built to support carrier-managed IP services. It combines standards-based IP Security (IPSec) features, a built-in “personal firewall,” and centralized management to deliver a totally secure, scalable solution that is easy to install, administer, and use.

Applications
• Managed VPN services
• Remote private intranet access
• Private extranet access
• Public Internet access

Features
• Integral IP security: stateful firewall, strong packet encryption, robust authentication options
• Built-in “personal firewall” provides complete protection, even for always-on cable and DSL connections
• Completely integrated, centralized management options with Lucent Security Management Server software and VPN Firewall Brick® hardware
• Automatic security policy profile download at user log-in
• Intuitive graphical user interface (GUI)
• Online help with comprehensive contents, index, and search capabilities
• Interoperable with full Lucent IP services portfolio
• Detailed client status logs for accounting and troubleshooting

Benefits
• Quick and simple implementation — complete, fully integrated solution; point-and-click installation; “near-zero” configuration
• Connection versatility — supports any connection mode: dial-up modem, WAN router, DSL, cable, wireless link
• Streamlined VPN administration — centrally provisioned and managed for large-scale remote access services
• Cost-saving flexibility — interoperable with Lucent IP services solutions spanning SOHO to data center to central office requirements; ensures the right solution at the right price/performance point
• Carrier-grade availability — automatic failover to secondary tunnel endpoint
• Ease of use — user-friendly GUI; near-effortless session initiation; online help

Lucent IPSec Client Technical Specifications

1. Platforms
• Windows 98/SE, Windows NT®, Windows ME®, Windows 2000, Windows Server 2003, Windows XP

2. Interoperability
• Lucent VPN Firewall Bricks®

3. Connection Technologies
• Dial-up modem, DSL/ADSL, cable modem, wireless link or various NIC and PCMCIA cards

4. Supported Standards
• IPSec Encapsulating Security Payload (ESP) with DES, Triple-DES and AES
• IPSec Authentication Header (AH) with HMAC-MD5 and HMAC-SHA-1 authentication
• Diffie-Hellman Group 1 and Group 2
• IPComp (LZS compression)
• X.509
• PKCS #12

5. User Authentication
• Local passwords, RADIUS, SecurID, X.509 digital certificates with Entrust CA PKI and Verisign CA PKI
• Entrust secure USB tokens
• PKI Certificate requests (PKCS 12)
• CAPI Store Integration
• Automatic LDAP certificate retrieval

6. RADIUS Parameter Download
• User-specific parameters configurable in administrator’s RADIUS database applicable to IPSec Client user tunnels:
– Local Presence address
– Primary/Secondary DNS
– Primary/Secondary WINS
– Login Timeout
– Idle Timeout
– User Group

7. Notifications
• Delivers administrator-specified message when tunnel established; must be acknowledged to continue

8. Software Upgrade Management
• Notifies when Client upgrade available; single click upgrades IPSec Client software with newer version

9. Logging
• Maintains local logs of connection attempts, including detailed IKE and IPSec negotiation

10. Tray Icon
• Indicates tunnel activity, firewall setting in effect and provides continuous traffic statistics

11. DNS/WINS
• Automatically configures local primary and secondary DNS (Domain Name Server) and WINS (Windows Information Name Server) addresses

12. Windows Domain Authentication
• Can automatically log users on to a remote Windows Domain; when authenticated, user can access any configured domain resources, including file and print servers

13. Custom Branding
• Customizes the IPSec Client GUI with customer-specific images and text, both in installation process and runtime software

14. Personal Firewall
• Includes a stateful personal firewall
• Configurable for active and inactive tunnels; active tunnel configuration controlled by administrator; inactive tunnel configuration controlled by end-user
• Configurations:
– Block all
– Pass All
– Pass only Client-initiated (outbound sessions only)

15. UDP Encapsulation of IPSec
• Allows a telecommuter using an Internet Service Provider that assigns a private address and performs NAT on outbound connections to transparently use the IPSec Client
• For non-IPSec-aware PAT devices, tunnels IPSec inside User Datagram Protocol (UDP) packets; repackages the IPSec packet into a new UDP packet destined to the Tunnel End Point and UDP port specified by the tunnel administrator

16. Local Presence
• Assigns a local network address to the IPSec Client user’s PC
• Allows complex connections, such as X-Windows, to be directed back from other hosts to the client host, using established network routing paths
• Assigns local addresses using a local pool managed by the LSMS, or one-at-a-time using the RADIUS parameter download feature

17. Split Tunneling
• Permits simultaneous clear-text and encrypted traffic; system administrator configures all personal firewall settings and endpoint IP network behind tunnel; can disallow clear-text traffic entirely

18. High Availability
• Can be configured and saved with a number of tunnels
• Each tunnel can have its own backup tunnel endpoint, in case the primary is not reachable

19. Scriptable Command Line Interface
• Allows full external script control of Client tunnel set-up and tear-down

20. Mobile IP Support
• Along with the IPUnplugged Mobile IP Client, Lucent IPSec Client supports seamless and secure VPN tunnels in Mobile IP environments.

Ordering Information
• Lucent IPSec Client 100-User License – Part Number 300903291
• Lucent IPSec Client 500-User License – Part Number 300903309
• Lucent IPSec Client 1,000-User License – Part Number 300903317
• Lucent IPSec Client 10,000-User License – Part Number 300903325
• Lucent Security Management Server – See Lucent Security Management Server for ordering details

To learn more, please contact your dedicated Lucent Technologies representative, authorized reseller, or sales agent.
You can also visit our web site at www.lucent.com. This document is provided for planning purposes only and does not create, modify, or supplement any warranties which may be made by Lucent Technologies relating to the products and/or services described herein. The publication of information contained in this document does not imply freedom from patent or other protective rights of Lucent Technologies or other third parties. VPN Firewall Brick and Access Point are registered trademarks of Lucent Technologies. Microsoft, Windows, Windows NT, and Windows ME are registered trademarks of Microsoft Corporation. Copyright © 2006 Lucent Technologies Inc. All rights reserved IPSec v9 08/06
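Section 14 of the Lucent IPSec Client specifications above lists three personal-firewall configurations (Block all, Pass All, Pass only Client-initiated) and splits control between the administrator (active tunnel) and the end-user (inactive tunnel). The model below is an added example written for this page, not Lucent's client code: it shows what "pass only client-initiated (outbound sessions only)" means in stateful terms, namely that an inbound packet is admitted only when it belongs to a session the client PC opened. The packet addresses, the traffic trace, and the exact admin/user split of mode control are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# The three configurations named on the data sheet (constructed identifiers).
BLOCK_ALL = "block_all"
PASS_ALL = "pass_all"
PASS_CLIENT_INITIATED = "pass_client_initiated"
MODES = (BLOCK_ALL, PASS_ALL, PASS_CLIENT_INITIATED)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    outbound: bool  # True if the client PC sent it, False if it arrives from the network


# (proto, client_ip, client_port, peer_ip, peer_port), always from the client's side
SessionKey = Tuple[str, str, int, str, int]


def session_key(pkt: Packet) -> SessionKey:
    """Normalize a packet to the session it belongs to, regardless of direction."""
    if pkt.outbound:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class PersonalFirewall:
    """Stateful filter whose mode in effect depends on whether the tunnel is up.

    Assumed split of control: the administrator fixes the mode used while the
    tunnel is active; the end-user may change only the inactive-tunnel mode.
    """

    def __init__(self, admin_active_mode: str, user_inactive_mode: str):
        for mode in (admin_active_mode, user_inactive_mode):
            if mode not in MODES:
                raise ValueError(f"unknown firewall mode {mode!r}")
        self.admin_active_mode = admin_active_mode
        self.user_inactive_mode = user_inactive_mode
        self.sessions: Set[SessionKey] = set()  # sessions the client opened

    def set_user_inactive_mode(self, mode: str) -> None:
        if mode not in MODES:
            raise ValueError(f"unknown firewall mode {mode!r}")
        self.user_inactive_mode = mode

    def evaluate(self, pkt: Packet, tunnel_active: bool) -> bool:
        """Return True if the packet passes under the mode currently in effect."""
        mode = self.admin_active_mode if tunnel_active else self.user_inactive_mode
        if mode == BLOCK_ALL:
            return False
        if mode == PASS_ALL:
            return True
        # PASS_CLIENT_INITIATED: an outbound packet opens (or refreshes) a session;
        # an inbound packet passes only if the client already opened that session.
        key = session_key(pkt)
        if pkt.outbound:
            self.sessions.add(key)
            return True
        return key in self.sessions


def run_trace(fw: PersonalFirewall, trace, tunnel_active: bool):
    """Evaluate a packet sequence in order and return the verdict for each packet."""
    return [fw.evaluate(pkt, tunnel_active) for pkt in trace]


# Constructed traffic: a client web request, its reply, and an unsolicited probe.
CLIENT = "10.0.0.5"
TRACE = [
    Packet("tcp", CLIENT, 40000, "192.0.2.10", 80, outbound=True),    # client opens HTTP session
    Packet("tcp", "192.0.2.10", 80, CLIENT, 40000, outbound=False),   # server reply, same session
    Packet("tcp", "203.0.113.9", 5555, CLIENT, 445, outbound=False),  # unsolicited inbound connection
]

if __name__ == "__main__":
    fw = PersonalFirewall(admin_active_mode=PASS_CLIENT_INITIATED, user_inactive_mode=BLOCK_ALL)
    print("tunnel up:  ", run_trace(fw, TRACE, tunnel_active=True))   # [True, True, False]
    print("tunnel down:", run_trace(fw, TRACE, tunnel_active=False))  # [False, False, False]
```

The session table is keyed from the client's point of view so that a reply is matched to the outbound packet that caused it; a reply that arrives before any outbound packet, or from a different peer, has no entry and is dropped, which is the property that makes "pass only client-initiated" safe for always-on connections.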
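The per-customer reporting path described in the Lucent Security Management Server specifications above (section 11, parsable ASCII log files, and section 15, the WebTrends Enhanced Log Format) depends on a downstream tool tokenizing WELF records reliably and attributing each record to the right customer. The parser and aggregator below is an added example written for this page, not Lucent's or WebTrends' code. The log lines, device names and device-to-customer mapping are constructed, and the field set used (id, time, fw, pri, rule, proto, src, dst, sent, rcvd, duration, msg) is the commonly documented WELF core, not a claim about which fields the SMS actually emitted.

```python
import re
from collections import defaultdict
from typing import Dict

# WELF records are whitespace-separated key=value pairs; a value may be
# double-quoted so that it can contain spaces (time="2006-08-01 10:15:02").
_WELF_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Every WELF record carries these four keys.
REQUIRED_KEYS = ("id", "time", "fw", "pri")

# Constructed sample export; not output captured from a real SMS.
SAMPLE_LOG = """\
id=firewall time="2006-08-01 10:15:02" fw=brick-acme-01 pri=6 rule=12 proto=http src=10.1.1.20 dst=192.0.2.10 sent=1520 rcvd=48210 duration=12 msg="session closed"
id=firewall time="2006-08-01 10:15:05" fw=brick-acme-01 pri=6 rule=12 proto=smtp src=10.1.1.21 dst=192.0.2.25 sent=9200 rcvd=310 duration=3 msg="session closed"
id=firewall time="2006-08-01 10:16:40" fw=brick-globex-07 pri=4 rule=3 proto=ftp src=10.9.9.5 dst=198.51.100.7 sent=0 rcvd=0 duration=0 msg="session denied by rule"
this line is not a WELF record and must be counted rather than silently skipped
id=firewall time="2006-08-01 10:17:00" fw=brick-unmapped-99 pri=6 rule=1 proto=http src=10.5.5.5 dst=192.0.2.30 sent=100 rcvd=200 duration=1 msg="session closed"
"""

# Constructed mapping from Brick device name (the WELF "fw" field) to the
# customer group that owns it.
FW_TO_CUSTOMER = {"brick-acme-01": "acme", "brick-globex-07": "globex"}


def parse_welf(line: str) -> Dict[str, str]:
    """Tokenize one WELF record into a dict; raise ValueError if it is not one."""
    fields = {}
    for key, raw in _WELF_PAIR.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    missing = [k for k in REQUIRED_KEYS if k not in fields]
    if missing:
        raise ValueError(f"not a WELF record (missing {missing}): {line!r}")
    return fields


def _as_int(value) -> int:
    """Byte counters are optional; a missing or non-numeric value counts as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def per_customer_report(log_text: str, fw_to_customer: Dict[str, str]) -> dict:
    """Aggregate sessions, bytes and protocol mix per customer.

    Records from a device with no customer mapping land in "_unassigned" so a
    mis-provisioned device shows up in the report instead of vanishing, and
    unparsable lines are counted so a broken export is visible.
    """
    customers = defaultdict(lambda: {"sessions": 0, "sent": 0, "rcvd": 0,
                                     "by_proto": defaultdict(int)})
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_welf(line)
        except ValueError:
            malformed += 1
            continue
        bucket = customers[fw_to_customer.get(rec["fw"], "_unassigned")]
        bucket["sessions"] += 1
        bucket["sent"] += _as_int(rec.get("sent"))
        bucket["rcvd"] += _as_int(rec.get("rcvd"))
        bucket["by_proto"][rec.get("proto", "unknown")] += 1
    return {
        "customers": {name: {**b, "by_proto": dict(b["by_proto"])}
                      for name, b in customers.items()},
        "malformed": malformed,
    }


if __name__ == "__main__":
    report = per_customer_report(SAMPLE_LOG, FW_TO_CUSTOMER)
    for name, stats in report["customers"].items():
        print(name, stats)
    print("malformed records:", report["malformed"])
```

The two failure modes worth keeping visible in a per-customer report are an unknown device name (a record that would otherwise be billed to nobody) and a malformed line (a sign that the export or the collector is broken); both are surfaced rather than dropped.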