VPN Firewall
Brick 1000
Brick 1000 is a member of the VPN Firewall family, the security foundation of Lucent’s IP services portfolio. Brick 1000 units interoperate seamlessly with other family members, including the Brick models 20, 80, and 201. All Bricks are integrated and centrally managed by the Lucent Security Management Server (LSMS), which simplifies provisioning and management of distributed IP networks. The Lucent IPSec Client interoperates with the entire IP services portfolio to provide remote access VPN support for telecommuters and mobile workers.
A Versatile Solution for Multiple Business Applications
The Brick 1000 delivers state-of-the-art carrier-class capabilities across the full spectrum of managed security and VPN services. It can be deployed in a variety of configurations to support the business goals of large service providers. Application areas include:
■ Managed security services, offering bullet-proof security, unprecedented scalability, integrated high-revenue advanced security services, centralized system monitoring, low support overhead, and mission-critical reliability
■ Remote access VPN, offering LSMS centralized client management with scalability up to 20,000 simultaneous IPSec tunnels, and high availability software and hardware
■ Web and application data center services, offering full 1-Gigabit throughput, advanced distributed denial-of-service (DDoS) protection, VLAN support with security policy filtering, and high availability with state-sharing
Network-Based Platform for Advanced Security and IP VPN Services
Lucent’s Brick 1000 is a carrier-grade integrated firewall and virtual private network (VPN) gateway appliance specifically designed for web/application data center security, large-scale managed security services, and remote access VPN services. Called the Brick because of its rugged, reliable design, this is an ideal platform for service providers seeking wide scalability, ready manageability, and industry-leading performance. Its next-generation capabilities include full 1-Gigabit throughput, VLAN support with security policy filtering, and high availability with state-sharing.
The VPN Firewall Advantage
■ Purpose-built for carrier-managed IP services
■ Easy migration to high-revenue advanced security services
■ Powerful capabilities for remote access VPNs
■ VLAN support for secure web/application hosting
■ Best-in-class price/performance
■ Mission-critical availability and reliability
■ Broad industry recognition
Optimized for Carrier-Managed IP Services
Bullet-Proof Security
Unlike competitive firewalls, the Brick 1000 operates as a layer 2 bridge, so it adds no routed hop and is not addressable by the hosts whose traffic it filters. In addition, it runs on the Bell Labs Inferno® operating system, a compact, real-time kernel with built-in security features. This purpose-built platform presents far less attack surface than firewalls running on general-purpose operating systems and PC server platforms: the Inferno OS omits most of the components that are attacked on those systems, resulting in a security system that resists internal and external attack yet is extremely easy to maintain.
Lowest Cost of Ownership
Because it operates as a bridge, inserting a Brick 1000 into your network requires no costly routing configuration changes. That cuts deployment costs, whether you’re building a new Brick infrastructure or expanding an existing network. And because the Brick 1000 doesn’t run on a standard OS, you avoid the cost of tracking and applying general-purpose OS upgrades and patches; Brick software updates are distributed centrally from the LSMS.
The Brick’s streamlined design also means low-cost maintenance. Security policies are downloaded securely over the network, while the Brick’s logs are uploaded to a central collection point. Because no logs are stored on the Brick, it doesn’t need a hard drive, which translates to leaner provisioning of spares and fewer support-staff hours. It also means the Brick’s audit trail lives entirely at the collection point, so that point must itself be protected and watched for gaps in delivery.
Easy Migration to High-Revenue Advanced Security Services
Integrating a wide variety of next-generation security capabilities, the Brick 1000 offers diverse value-added managed security capabilities.
Premium Authentication Services
Advanced security services begin with premium authentication to simplify and safeguard access privileges. The Brick 1000 provides two types of authentication: firewall and VPN. Firewall authentication is out-of-band (the user authenticates over a separate channel rather than inside the protocol being authorized), so it can support any protocol. Authentication methods include SecurID token-based network login, RADIUS, or, at the simplest level, password-based local authentication. VPN users can be authenticated using X.509 certificates from Entrust, VeriSign and Baltimore, as well as any firewall authentication method. LSMS log records track all actions performed by users to provide an audit trail that is held centrally, off the Brick, rather than on the device under attack.
Application-Layer Security
Perhaps the best news for you and your customers is Lucent’s commitment to support leading-edge network services. The Brick 1000 supports popular new multimedia Internet applications such as H.323 VoIP, RealAudio®, and NetMeeting®, all without compromising network security. Multimedia protocols such as H.323 require dynamically negotiated TCP and UDP ports to remain open at both endpoints, a potential security hazard. Because these ports cannot be known in advance, the Brick looks into the protocol messages, identifies the ports and dynamically creates rules to open them, then closes the ports as soon as the session terminates. The resulting pinhole is scoped to the specific endpoints and ports the call signalling named, for the lifetime of that call, rather than a standing range of open ports.
While competitive products support only specific H.323 applications, the Brick 1000 supports the entire H.323 v2 specification, allowing for full vendor-independent interoperability.
The bottom line: You can include these exciting new network transport technologies within your managed services portfolio. And as new technologies and protocols are unveiled, you can depend on Lucent to develop support for them, broadening the range of your offerings and the return on your managed services investments.
[Figure: Managed security services deployment. Elements shown: a Service Provider NOC with Group Administrator, Intrusion Detection, Lucent Proxy Agent, Lucent Security Management Server, RSA ACE® Server, LDAP Server, Certificate Authority and RADIUS; VPN Firewall Bricks 201, 1000, 80 and 20 behind existing routers at customer headquarters, regional/headquarters and remote/branch office sites (Customer #1, Customer #2 and Customer #1000); a mobile worker/telecommuter using the Lucent IPSec Client with an RSA token card; the Service Provider IP Network and the Public Internet.]
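The dynamic-port handling described above, as an added worked example that is not Lucent code and not the Brick's implementation: the firewall reads the control channel, learns the negotiated data port, opens a rule for exactly that flow, and tears it down when the session ends. FTP is used here because its PORT and 227 messages are plain text (H.323 carries the same information in ASN.1-encoded H.245/Q.931 messages, which this example does not parse); the addresses, the session and the thresholds are constructed for the example.

```python
"""Dynamic pinhole creation driven by control-channel inspection.

Added example, not Lucent code. FTP stands in for H.323 because its
PORT/227 messages are plain text. Addresses and the session in demo()
are constructed sample data.
"""
import re
from dataclasses import dataclass, field

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Flow:
    """One allowed data connection: src -> dst:dport."""
    src: str
    dst: str
    dport: int


@dataclass
class Pinholes:
    """Dynamic rules, keyed by the control session that created them so
    they can be torn down together when that session ends."""
    rules: dict = field(default_factory=dict)

    def allows(self, flow: Flow) -> bool:
        return any(flow in holes for holes in self.rules.values())


def _decode(m) -> tuple:
    """Turn the h1,h2,h3,h4,p1,p2 form into (address, port)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def inspect_control(pinholes: Pinholes, session: tuple, client: str,
                    server: str, line: str, from_client: bool) -> str:
    """Process one FTP control-channel line and update the dynamic rules.

    Returns 'opened', 'closed', 'blocked' or 'ignored'.
    """
    line = line.rstrip("\r\n")
    if from_client:
        m = PORT_RE.match(line)
        if m:
            host, port = _decode(m)
            # FTP bounce check: the client may only ask the server to connect
            # back to the client's own address, and only to an unprivileged port.
            if host != client or port < 1024:
                return "blocked"
            pinholes.rules.setdefault(session, set()).add(Flow(server, client, port))
            return "opened"
        if line.upper() == "QUIT":
            pinholes.rules.pop(session, None)
            return "closed"
        return "ignored"
    m = PASV_RE.match(line)
    if m:
        host, port = _decode(m)
        # Same check in the other direction: the passive listener must be the server.
        if host != server or port < 1024:
            return "blocked"
        pinholes.rules.setdefault(session, set()).add(Flow(client, server, port))
        return "opened"
    if line.startswith("221"):  # server closing the control connection
        pinholes.rules.pop(session, None)
        return "closed"
    return "ignored"


def demo() -> list:
    """Run a constructed session; return (decision, client-port open?, server-port open?) per step."""
    ph = Pinholes()
    client, server = "10.1.1.5", "192.0.2.10"
    session = (client, 40001, server, 21)
    steps = [
        (True, "PORT 10,1,1,5,156,64\r\n"),                            # 156*256+64 = 40000 on the client
        (True, "PORT 192,0,2,99,0,25\r\n"),                            # bounce attempt: another host's port 25
        (False, "227 Entering Passive Mode (192,0,2,10,200,10)\r\n"),  # 200*256+10 = 51210 on the server
        (True, "QUIT\r\n"),
    ]
    out = []
    for from_client, line in steps:
        decision = inspect_control(ph, session, client, server, line, from_client)
        out.append((decision,
                    ph.allows(Flow(server, client, 40000)),
                    ph.allows(Flow(client, server, 51210))))
    return out
```

The point the example makes is that the rule is keyed to the control session: when the session ends, every pinhole it created disappears with it, and a request to open a port on a host other than the speaking endpoint (the bounce case) never creates a rule at all.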
Content Security
The Brick 1000 supports dynamic stateful packet inspection. For content-level filtering, it offers a scalable solution via load sharing across multiple Lucent Proxy Agents (LPAs)—a significant advancement over basic static firewalls. Included with the Lucent Security Management Server, the Lucent Proxy Agent uses a combination of Lucent and best-of-breed third-party applications to deliver a wide variety of heightened security services at the content level, including:
– Blocking of unwanted HTTP commands (e.g., POST, GET, etc.) and SMTP commands (e.g., DBUG or XPND)
– URL categorization and content blocking from “inappropriate” Web sites (e.g., pornography and sports)
– Antivirus control for e-mail, file attachments, and malicious Java® and ActiveX™ applets
The Lucent Proxy Agent packet reflection process is completely transparent, so users remain unaware that any redirect of packets has occurred.
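The command blocking listed above, together with the command-line length enforcement, unknown-command handling and session logging listed in the Lucent Proxy Agent specifications at the end of this brochure, as an added worked example for SMTP. This is not Lucent code and not the LPA's implementation; the allowlist, blocklist, length limit and the client lines fed in are assumptions constructed for the example.

```python
"""Application-layer command filtering of the kind the Lucent Proxy Agent
performs.

Added example, not Lucent code. Covers command blocking, command-line
length enforcement, unknown command handling and session logging for
SMTP. The allowlist, blocklist and length limit are assumptions chosen
for the example; the input lines in demo() are constructed.
"""
from dataclasses import dataclass, field
from typing import Tuple

MAX_LINE = 512  # assumed cap on one command line including CRLF (RFC 5321 uses the same figure)
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
DENIED = {"EXPN", "VRFY", "DEBUG"}  # commands this policy blocks outright


@dataclass
class Session:
    """Per-connection log of (command, verdict): the session-oriented record kept for audit."""
    log: list = field(default_factory=list)

    def record(self, cmd: str, verdict: str) -> None:
        self.log.append((cmd, verdict))


def filter_command(session: Session, raw: bytes) -> Tuple[str, bytes]:
    """Decide what to do with one client command line.

    Returns (verdict, reply). 'forward' means the line is relayed to the real
    server unchanged; every other verdict is answered by the proxy itself and
    the line never reaches the server.
    """
    if len(raw) > MAX_LINE:
        # Enforce the length limit before parsing anything else.
        session.record("<oversize>", "drop")
        return "drop", b"500 Line too long\r\n"
    line = raw.rstrip(b"\r\n")
    try:
        verb = line.split(b" ", 1)[0].decode("ascii").upper()
    except UnicodeDecodeError:
        session.record("<non-ascii>", "drop")
        return "drop", b"500 Syntax error\r\n"
    if verb in DENIED:
        session.record(verb, "block")
        return "block", b"502 Command not implemented\r\n"
    if verb not in ALLOWED:
        # Unknown command handling: fail closed rather than relay something
        # the policy cannot reason about.
        session.record(verb, "unknown")
        return "unknown", b"500 Command unrecognized\r\n"
    session.record(verb, "forward")
    return "forward", b""


def demo() -> Session:
    """Feed a constructed client dialogue through the filter and return its session log."""
    s = Session()
    for raw in (b"EHLO mail.example.com\r\n",
                b"VRFY root\r\n",
                b"XEXCH50 2 2\r\n",
                b"MAIL FROM:<" + b"a" * 600 + b">\r\n",
                b"QUIT\r\n"):
        filter_command(s, raw)
    return s
```

The design choice worth noting is that unknown commands are answered by the proxy rather than passed through: a proxy that relays whatever it does not recognize gives an attacker a channel around the policy, while one that fails closed confines the server to the verbs the policy has reasoned about.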
Distributed Denial-of-Service Attack Protection
Flooding the network with packets and packet fragments from random source addresses, distributed denial-of-service attacks can prevent servers from responding to legitimate sessions. The Brick deploys a three-pronged defense against this class of threat:
– SYN Flood Protection can monitor servers that may be under attack and reset half-open sessions (SYNs that were never acknowledged) held in the server’s state, so the server’s connection table is not exhausted by spoofed sources that will never complete the handshake
– Intelligent Cache Management uses configurable thresholds to protect against packet floods that can saturate firewall memory
– Robust Fragment Reassembly limits the number of outstanding fragments that can be queued for reassembly, discarding fragments that do not belong to an established queue
Additionally, the Brick performs exhaustive packet header checks to verify the integrity and checksums of the IP and TCP/UDP layers. Packet-based attacks such as Land (a packet whose source and destination address and port are identical) or Ping-of-Death (fragments that would reassemble to more than the 65,535-byte IP maximum) are detected and blocked in this manner. The Brick also drops packets with IP source routing, which would let a sender dictate the path and defeat address-based policy. Finally, application-layer attacks are detected and blocked for certain application-layer protocols (e.g., the FTP bounce attack, in which a client directs the server’s data connection to a third host).
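The header checks named above, as an added worked example that is not Lucent code and not the Brick's implementation: a minimal IPv4 parser that verifies the header checksum, rejects source-route options, and recognizes the Land and Ping-of-Death shapes. The packets in demo() are constructed by hand with a small builder so the checks can be exercised offline.

```python
"""Packet-header sanity checks: IP checksum, source routing, Land, Ping-of-Death.

Added example, not Lucent code. A minimal IPv4 header parser written for
this page; the packets in demo() are constructed.
"""
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPOPT_LSRR, IPOPT_SSRR = 131, 137
MAX_IP_DATAGRAM = 65535


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_packet(pkt: bytes) -> list:
    """Return the reasons to drop the packet; an empty list means it passes."""
    reasons = []
    if len(pkt) < 20:
        return ["truncated"]
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        return ["bad length fields"]
    if ip_checksum(pkt[:ihl]) != 0:
        reasons.append("bad ip checksum")
    # Source routing lets the sender dictate the path, defeating address-based
    # policy; walk the option list and refuse LSRR/SSRR.
    opts = pkt[20:ihl]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # no-op, single byte
            i += 1
            continue
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            reasons.append("source route option")
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            reasons.append("malformed option")
            break
        i += opts[i + 1]
    frag_off = (flags_frag & 0x1FFF) * 8
    payload = pkt[ihl:]
    # Ping-of-Death: a fragment whose offset plus length reassembles past the IP maximum.
    if ihl + frag_off + len(payload) > MAX_IP_DATAGRAM:
        reasons.append("oversized reassembled datagram")
    if frag_off == 0 and proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Land: a packet addressed from a host to itself on the same port.
        if src == dst and sport == dport:
            reasons.append("land")
    return reasons


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *,
               frag_off: int = 0, options: bytes = b"") -> bytes:
    """Constructed test packet: assemble an IPv4 header with a correct checksum."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    total_len = ihl * 4 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total_len, 1, frag_off // 8, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def demo() -> dict:
    """Constructed packets and their verdicts."""
    tcp_syn = struct.pack("!HHIIBBHHH", 139, 139, 1, 0, 0x50, 0x02, 8192, 0, 0)
    normal = build_ipv4("10.0.0.1", "192.0.2.7", IPPROTO_TCP, tcp_syn)
    land = build_ipv4("192.0.2.7", "192.0.2.7", IPPROTO_TCP, tcp_syn)
    # Final fragment of an ICMP echo whose reassembled size would exceed 65535 bytes.
    pod = build_ipv4("10.0.0.1", "192.0.2.7", IPPROTO_ICMP, b"\x00" * 1024, frag_off=65528)
    lsrr = build_ipv4("10.0.0.1", "192.0.2.7", IPPROTO_ICMP, b"\x08\x00\x00\x00",
                      options=bytes([IPOPT_LSRR, 7, 4, 10, 0, 0, 2]))
    corrupt = bytearray(normal)
    corrupt[8] ^= 0x01     # flip one TTL bit in transit; the checksum no longer matches
    return {
        "normal": check_packet(normal),
        "land": check_packet(land),
        "ping-of-death": check_packet(pod),
        "source-route": check_packet(lsrr),
        "bad-checksum": check_packet(bytes(corrupt)),
    }
```

Two details matter in practice and are reflected above: the oversize test must be done per fragment (offset plus length), since the dangerous datagram never exists in one piece until reassembly, and option parsing must bound-check the length byte, because a malformed option list is itself a way to upset a careless parser.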
Powerful Capabilities for Remote Access VPNs
With its high capacity, wide scalability, and ICSA-certified IPSec encryption, the Brick 1000 opens attractive opportunities for upselling subscribers to high-revenue site-to-site and remote access VPNs. The Brick 1000 and the LSMS support the most demanding VPN environments with industry-leading scalability. Each Brick 1000 unit provides concentration support for up to 3,000 simultaneous VPN tunnels. And as many as 20,000 simultaneous VPN tunnels, from potentially hundreds of thousands of users, can be managed by a single LSMS.
Secure Web/Application Hosting for Thousands of Customers
The LSMS has always been designed for service provider environments encompassing multiple customers, each with distinct (and possibly conflicting) security policies. Now Lucent enhances this capability by adding support for 802.1Q VLAN tagging. This allows Bricks to be partitioned into many “virtual firewalls” while ensuring that each customer’s unique firewall service is completely secure. Service providers can confidently offer network-based security services using a shared network infrastructure and reap all the advantages of scale, but none of the disadvantages typically associated with sharing devices across customers.
The Brick 1000 supports up to 2,000 virtual firewalls, and therefore up to 2,000 individual customers. Additional customers can be accommodated simply by deploying additional Bricks. All Bricks, from the smallest model 20 to the model 1000, support this virtual firewall concept. The Brick 1000 can work in concert with the Lucent SpringTide IP services switch to deliver high-quality, committed-rate managed IP services in large-scale web-hosting or application-hosting environments. This combination provides for high throughput and high-capacity traffic management, state-of-the-art bandwidth management and advanced QoS management. The Brick 1000 provides ironclad security safeguards for this application including state-of-the-art VLAN-tagging, advanced denial-of-service attack protection, full RADIUS support, integrated intrusion detection, and integrated content security including command blocking, URL blocking, and anti-virus control.
Advanced Lucent Proxy Agent Array
Four features distinguish the LPA approach:
1. Unsurpassed security
The LPA/reflection architecture employs a “segregated” approach to providing application-layer inspection: the LPA runs on a separate host, subject to the Brick’s policy like any other host, so if the LPA software is compromised there is no risk of further intrusion into the network using the LPA host as a starting point.
2. Increased throughput/capacity
Since the LPA is installed on a separate host from the firewall enforcement engine, an increased load on one machine doesn’t translate into a slowdown or capacity reduction on the other.
3. Increased availability
By installing multiple LPA hosts on diverse physical segments, it is possible to build a network without failure points between the Brick and the LPA. In conjunction with the Brick failover feature, this enables deployment of a complete security solution with no single point of failure.
4. Increased scalability
The LPA allows an essentially linear increase in performance through the simple addition of hosts. This results in far greater scalability than approaches that rely on a multiprocessor system.
[Figure: A typical VLAN-tagged secure web/application hosting services architecture. A VPN Firewall Brick 1000 failover pair and a Lucent Proxy Agent array sit on 802.1q tagged trunks between a SpringTide IP Services Switch and an L2 switch serving a server farm. Policy is enforced by VLAN: VLAN 100/Policy A, VLAN 200/Policy B, VLAN 300/Policy A, VLAN 400/Policy C, VLAN 500/Policy D, VLAN 600/Policy D. Policy is applied to the VLAN, not just the IP address, so servers can be moved around physically or logically and keep the same policy.]
802.1Q VLAN and VLAN-Based Firewall Policy
VLAN tagging is applied at the Ethernet layer (OSI Layer 2). While it was invented to help partition large networks, a more contemporary application is to facilitate security and security-related functions.
VLAN tagging can help identify the true source of a packet, in addition to MAC and IP addresses. Because IP addresses can be altered or spoofed by the originator, it can easily be made to appear as if the packet came from a trusted source. Since the network equipment, not the end-customer network, imposes the VLAN tag, it is a far more reliable indicator. That reliability depends on the provider’s customer-facing ports being configured as access ports that strip any tag the customer supplies and apply the provider’s own; a port that admits customer-supplied or double-tagged frames onto the trunk would let the customer choose its VLAN, and with it its policy. This feature is ideally suited to service providers with a large, flat, VLAN-tagged network backbone.
In a typical VLAN-tagged architecture, the Brick is placed behind the edge router, which has distinct WAN connections for each customer. Packets originating from each customer’s network pass through the router into a VLAN-tagged frame on its backbone link, which passes through the Brick.
The Brick can then run a unique policy per VLAN on a single interface, and enforce a unique policy for each customer. This eliminates the need to rely on IP address information to determine the frame’s originator.
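Per-VLAN policy selection on one tagged interface, as an added worked example that is not Lucent code and not the Brick's implementation. It parses the 802.1Q tag from an Ethernet frame, selects the policy bound to that VLAN ID using the VLAN-to-policy map from the figure above, and refuses the two frame shapes whose VLAN the sender could have chosen: untagged frames and double-tagged frames arriving on the trunk. The per-policy rule sets and the frames in demo() are assumptions constructed for the example.

```python
"""Per-VLAN policy on a single tagged interface.

Added example, not Lucent code. The VLAN-to-policy map mirrors the
figure; the per-policy rules and the frames in demo() are constructed.
"""
import struct
from typing import Optional, Tuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Policy is bound to the VLAN, as in the figure, so a server keeps its
# policy when it is moved.
VLAN_POLICY = {100: "A", 200: "B", 300: "A", 400: "C", 500: "D", 600: "D"}

# Assumed rule sets: (IP protocol, destination port) allowed inbound.
POLICY_RULES = {
    "A": {(6, 80), (6, 443)},
    "B": {(6, 25)},
    "C": {(6, 22)},
    "D": set(),
}


def parse_frame(frame: bytes) -> Tuple[Optional[int], int, bytes]:
    """Return (vlan_id or None, inner ethertype, payload); raise on a double tag."""
    if len(frame) < 18:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return None, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    if inner == ETHERTYPE_VLAN:
        # A second tag is how a sender tries to pick a VLAN on the far switch.
        raise ValueError("double-tagged frame")
    return tci & 0x0FFF, inner, frame[18:]


def decide(frame: bytes) -> Tuple[str, Optional[int]]:
    """Return ('pass' | 'drop', vlan_id) for an inbound frame on the trunk."""
    try:
        vid, ethertype, payload = parse_frame(frame)
    except ValueError:
        return "drop", None
    if vid is None:
        return "drop", None  # untagged on a trunk: no customer to attribute it to
    policy = VLAN_POLICY.get(vid)
    if policy is None or ethertype != ETHERTYPE_IPV4 or len(payload) < 20:
        return "drop", vid
    ihl = (payload[0] & 0x0F) * 4
    if len(payload) < ihl + 4:
        return "drop", vid
    proto = payload[9]
    dport = struct.unpack("!H", payload[ihl + 2:ihl + 4])[0]
    return ("pass" if (proto, dport) in POLICY_RULES[policy] else "drop"), vid


def build_frame(vid: Optional[int], proto: int, dport: int,
                extra_tag: Optional[int] = None) -> bytes:
    """Constructed frame carrying only the header fields decide() reads."""
    ip = bytearray(24)          # 20-byte IPv4 header plus the first 4 bytes of TCP/UDP
    ip[0] = 0x45
    ip[9] = proto
    struct.pack_into("!HH", ip, 20, 1234, dport)
    tags = b"".join(struct.pack("!HH", ETHERTYPE_VLAN, v)
                    for v in (vid, extra_tag) if v is not None)
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    return macs + tags + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip)


def demo() -> dict:
    """Frames on the tagged trunk and the verdict each receives."""
    return {
        "web to vlan100": decide(build_frame(100, 6, 80)),
        "web to vlan300 (same policy A)": decide(build_frame(300, 6, 443)),
        "ssh to vlan100": decide(build_frame(100, 6, 22)),
        "ssh to vlan400": decide(build_frame(400, 6, 22)),
        "unknown vlan": decide(build_frame(700, 6, 80)),
        "untagged": decide(build_frame(None, 6, 80)),
        "double tagged": decide(build_frame(100, 6, 80, extra_tag=400)),
    }
```

Note that the policy lookup never consults the IP source address, which is the point of the section: the tag, imposed by the provider's switch, is what identifies the customer. The untagged and double-tagged cases are dropped rather than mapped to a default VLAN because either would let the sender influence which policy applies.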
VPN Firewall Family
[Figure: Performance/functionality positioning of the family from the customer premises (road warrior, SOHO, ROBO, headquarters) to the network edge (data center): Brick 20, Brick 80, Brick 201, Brick 1000. Award callouts: 8/2000 Best Carrier-Class, 4/2001 Best Enterprise-Class; CommWeb Tester's Choice; ICSA Firewall and IPSec certification marks.]

                     Brick 20       Brick 80       Brick 201      Brick 1000
Ports                (3) 10/100     (4) 10/100     (4) 10/100     (4) Gigabit, (5) 10/100
Cleartext throughput 20 Mbps        60 Mbps        125 Mbps       1.7 Gbps
3DES throughput      2 Mbps         8 Mbps         90 Mbps*       90 Mbps*
Sessions             1,000          25,000         100,000        2,000,000
VPN tunnels          50             400            3,000          3,000 (EAC upgrade planned)
Virtual firewalls    20             100            200            2,000
*with optional encryption accelerator

IPSec Client: easy-to-use IPSec with IKE, automatic policy download, stateful firewall, client “status logs”, managed client option, interoperable with the full portfolio.
Best-in-Class Price/Performance
Independent test results verify that VPN Firewall Bricks offer industry-leading price/performance levels. The Brick 1000 is capable of delivering up to 1.7 Gbps of cleartext firewall throughput. And it sustains this outstanding performance even while handling 2 million simultaneous sessions.
To keep pace with expanding needs, the Brick 1000 is available with an optional Encryption Accelerator Card that maintains VPN performance at 90 Mbps with strong 3DES encryption and supports up to 3,000 concurrent encrypted IPSec tunnels. The card provides hardware-based acceleration of IPSec’s DES and Triple-DES encryption and MD5 and SHA-1 packet authentication. To speed transmission even further, data compression is automatically initiated under suitable conditions (compression helps only when applied before encryption and only on compressible payloads), resulting in sustainable peak performance.
Mission-Critical Availability and Reliability
Robust Stateful Failover Capabilities
To help ensure uninterrupted service, two Brick 1000 units that share a common name and IP address can be deployed as a “failover pair,” with the standby member of the pair continuously monitoring the state of the active Brick. Should the active unit go down, the standby takes over, reestablishing sessions in approximately 400 msec. Active/standby Bricks are deployed in parallel: all corresponding interfaces on both Bricks are connected to the same LAN segment, through either hubs or switches. Heartbeats are sent bi-directionally between all interfaces on both Bricks. Only one Brick actively processes packets, so it is not necessary to connect the Bricks with any special “heartbeat” or “sync” cable. This mechanism is self-healing: if the designated link is not available, the Brick makes an intelligent decision as to which link to use, based on least load and highest speed. With the addition of state-sharing, the active Brick chooses a single interface on which to share state with its standby. (The administrator can specify a preference for this link.)
When processing packets, the active Brick sends notice of all stateful information to the standby, including session information, dynamic channel creation (e.g., for FTP and H.323), address translation, and VPN tunnel status. Firewall policy and configuration, as well as entire operating system downloads, are also shared to provide a truly transparent standby device. Unlike competitive failover approaches, the sessions here are shared at full line speed. The LSMS allows the customer to download new versions of software with zero interruption to service, and it monitors the health of both the active and standby Bricks through its enhanced status-monitor feature.
Should the active Brick suffer a catastrophic failure, the standby ceases receiving heartbeats and automatically converts to the active state. Since all dynamic information on the formerly active Brick has already been sent to the now active Brick, the latter can continue to process sessions that were passing through the former, with little or no interruption in overall service. Because heartbeats and shared state travel over the production LAN segments rather than a dedicated cable, those segments should be protected from hosts that could inject or flood heartbeat traffic.
Out-of-Band Management
The Brick 1000 can be accessed out-of-band using a dial-up modem. This is particularly useful if communications between the Brick and the LSMS go down due to a network outage. A command-line interface on an ordinary terminal is used to issue management commands through a secure modem attached to the Brick’s serial port. A built-in command processor parses each command, performs the desired action(s), and reports the result to the serial port.
Today’s Leading VPN Firewall Family
Brick models are available to suit the specific needs of diverse facilities and applications. The enterprise-class Brick 1000 is complemented by:
■ The Brick 201 for headquarters and large regional facilities or extranet partners. This model delivers 125 Mbps of firewall throughput and 90 Mbps 3DES/MD5 throughput, accommodates up to 3,000 concurrent encrypted IPSec tunnels, and supports 200 simultaneous virtual firewalls.
■ The Brick 80 for medium-sized offices, branch and regional facilities, and extranet partners. This mid-range model delivers 60 Mbps of firewall throughput and 8 Mbps 3DES/MD5 throughput, accommodates up to 400 concurrent encrypted IPSec tunnels, and supports 100 simultaneous virtual firewalls.
■ The Brick 20 for small and home offices. This value-priced model offers 20 Mbps of firewall throughput and 2 Mbps 3DES/MD5 throughput, handles up to 50 concurrent encrypted IPSec tunnels, and supports 20 simultaneous virtual firewalls.
Consistent Industry Recognition and Certification
All Brick models and the LSMS are certified by the ICSA (V3.0A Firewall and V1.0B IPSec). The Model 1000 is certified by the National Security Agency (NSA EAL2 Government Protection Profile; EAL2 is a Common Criteria assurance level), and is on the US Army’s Approved Secure Products list.
Opinion shapers across the industry have recognized that the VPN Firewall and the LSMS offer today’s highest levels of functionality and performance at today’s lowest costs. This recognition has resulted in numerous honors and awards, including:
– Well Connected Award Finalist from Network Computing
– Tester’s Choice Award from Commweb.com
– Best-In-Test Award (Carrier Class VPNs) from Business Communication Review
– Networks-As-Advertised Award from Mier Communications
Delivering Next-Generation IP Services Platforms
The VPN Firewall, LSMS and IPSec Client are members of the Lucent family of next-generation IP services platforms. Lucent offers a comprehensive portfolio of solutions with service intelligence to deliver basic access routing, IP services routing and switching for a full range of IP services applications and site configurations.
The Lucent family gives service providers wide flexibility, functionality, and scalability in deploying managed IP services from the network edge to the customer premises. And to facilitate IP services design and deployment, Lucent Worldwide Services provides a full suite of global professional services and customer support.
[Figure: VPN Firewall Brick 1000 rear panel. Connectors shown: power, USB (2), serial (2), VGA monitor, 10/100 Base-TX Ethernet management interface, Enet 0 through Enet 4 (10/100 Base-TX), and Fiber Gigabit 0 through 3. ICSA Firewall and IPSec certification marks.]
Hardware Specifications
Processor/Memory
Pentium III 1 GHz with 1 GB of RAM
LAN Interface
Four configurations are supported:
1. “(9/2)” configuration containing (2) Fiber Gigabit, (8) 10/100 Base-TX Ethernet (RJ-45), (1) Management 10/100 Base-TX Ethernet interfaces
2. “(5/4)” configuration containing (4) Fiber Gigabit, (4) 10/100 Base-TX Ethernet (RJ-45), (1) Management 10/100 Base-TX Ethernet interfaces
3. “(7/2)” configuration containing (2) Fiber Gigabit, (6) 10/100 Base-TX Ethernet (RJ-45), (1) Management 10/100 Base-TX Ethernet interfaces, (1) Encryption Accelerator Card
4. “(3/4)” configuration containing (4) Fiber Gigabit, (2) 10/100 Base-TX Ethernet (RJ-45), (1) Management 10/100 Base-TX Ethernet interfaces, (1) Encryption Accelerator Card
Performance
Maximum number of IPSec remote access tunnels: 3,000
Max throughput without Encryption Acceleration: 25 Mbps @ 3DES/MD5
Max throughput with Encryption Acceleration: 90 Mbps @ 3DES/MD5
Max clear text throughput: 1,700 Mbps; 2,000,000 active sessions
Hardware Assisted Encryption
Optional Encryption Accelerator module
Other Ports
SVGA video, DB9 serial, PS/2 keyboard
Dimensions
Height: 7"; Width: 17"; Length: 17.75"; Weight: 40.3 lbs.
Cooling
System unit includes chassis, power supply, and CPU fan
Altitude
10,000 ft. (3,048 m)
Environmental
Operating: Temperature 0 to 45 °C; Shock 2.5 G at 15-20 ms on any axis; Relative Humidity 95%; Vibration 5 G at 2-200 Hz on any axis
Non-Operating: Temperature -40 to 70 °C; Shock 35 G at 15-20 ms on any axis; Relative Humidity 95%; Vibration 5 G at 2-200 Hz on any axis
Power
Input: AC, auto-sensing for 90-264 VAC, 47-63 Hz; 3 A at 115 VAC; 1.5 A at 230 VAC
Input: DC (optional), -48 VDC nominal (can range from -40 VDC to -56 VDC); 230 W at -48 V
Safety Listings
USA: UL 60950; Canada: CSA 22.2 No. 950; EU: EN 60950; Japan: CB Scheme IEC 60950
EMC Certifications
USA: FCC Part 15, Class A; Canada: ICES-003; EU: EMC Directive; Japan: VCCI
ICSA Certification
ICSA V3.0A Firewall Certified, ICSA V1.0B IPSec Certified
NSA Certification
National Security Agency EAL2 Government Protection Profile Certified
Export Licensing
Brick 1000: License Exception (No License Required); ECCN EAR99; HTS 8517509000
Brick 1000 with Encryption Accelerator Card: License Exception ENC; ECCN 5A002.a.1; HTS 8517904400
Mean Time Between Failure (MTBF)
7 years
Software Specifications
Services Supported
bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, igmp, login, ospf, rlogin, telnet, talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net, ica
In addition, VPN Firewalls support services that invoke complex protocol interactions, multimedia applications (such as RealAudio®), and H.323-based applications (such as NetMeeting®).
Firewall
Dynamic stateful packet filter with content security proxies for: command blocking; URL blocking, with 8e6 Technologies’ X-Stop™ Xserver; virus scanning, with Trend Micro’s InterScan™ VirusWall Anti-Virus
Security Suite Management
SSL, Java-based interface and 3DES-encrypted session to the Lucent Security Management Server (LSMS). 3DES-encrypted and digital-certificate-authenticated session between LSMS and Bricks. Out-of-band debugging and analysis tool via serial port/modem.
IPSec Encryption/Authentication
IPSec ESP with DES, Triple-DES and RC4 encryption, MD5 and SHA1 authentication
Key Management
IKE, PKI CA support of Entrust, VeriSign and Baltimore X.509 digital certificates
User Authentication
RADIUS, SecurID®, X.509 digital certificates, local passwords
LDAP
Interoperates with LDAP directories to store X.509 digital certificates and certificate revocation lists
NAT
Source, destination and port mapping with direct or pooled translation
High Availability
Direct active/standby failover is available natively on the Brick
© 2001 Lucent Technologies, Inc. Printed in the U.S.A.
08/01 • 01-VPN1000b
For information on other IP services solutions, refer to the following brochures:
Brochure                            Part Number
VPN Firewall Family                 01-VPNFAM
VPN Firewall Brick 20               01-VPN20
VPN Firewall Brick 80               01-VPN80
VPN Firewall Brick 201              01-VPN201
Lucent IPSec Client                 01-VPNIPSEC
Lucent Security Management Server   01-VPNLSMS

Lucent Security Management Server
Software Requirements: Solaris 8
Hardware Requirements: Sun workstation; 333 MHz Pentium Pro processor (minimum); 512 MB system memory (minimum), higher recommended; CD-ROM drive; 1 Ethernet 10/100 card

Lucent Proxy Agent Technical Specifications
Supported Applications: virus scanning; URL screening; application-layer protocol command recognition and filtering; application-layer command line length enforcement; unknown protocol command handling; extensive session-oriented logging for application-layer commands and replies; hostile mobile code blocking (JAVA, ActiveX)
Protocols Supported: HTTP, SMTP, FTP

To learn more, contact your Lucent Technologies Representative, Authorized Reseller, or Sales Agent. Or, visit our web site at http://www.lucent.com or call 1-888-4Lucent. The names, logos, and taglines identifying Lucent Technologies products and services are proprietary marks of Lucent Technologies Inc. or its subsidiaries. All third party marks are the property of their respective owners. Specifications subject to change without notice.