Lucent Technologies Alcatel-Lucent VPN 1200 User Manual

T E C H N I C A L

S P E C I F I C A T I O N S

Services Supported

•

Bootp, http, irc, netstat, pop3, SNMP, tftp, pptp,

dns, https, kerberos, nntp, rip, ssh, who, RADIUS,

eigrp, ident, LDAP, ntp, rip2, syslog, shell, X11,

exec, gmp, login, OSPF, rlogin, telnet, talk, H.323,

SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus

notes, VoIP/SIP, Gopher, IPSec, netbios, pointcast,

mtp, sql*net

• Any IP protocol (user definable)

•

Any IP protocol + layer 4 ports (user definable)

•

Support for non-IP protocols as defined by

SAP/Ethertype

Layer-7 Application Support

• Application Filter architecture supports layer-7

protocol inspection (deep packet inspection) for

command and protocol validation, protocol a

nomaly detection, dynamic channel pinholes and

application layer address translation. Application

filters include http, ftp, RPC, tftp, H.323/H.323

RAS, SMTP, Oracle SQL*Net, NetBIOS, ESP, DHCP

Relay, DNS, GTP, and SIP

Firewall Attack Detection

and Protection

• Generalized Day 0 anomaly-based flood

protection with patent-pending Intelligent Cache

Management Protections

• SYN flood protection to specifically protect

inbound servers, e.g. Web servers, from inbound

TCP SYN floods

• Strict TCP validation to ensure TCP session state

enforcement, validation of sequence and ac

knowledgement numbers,

• Rejection of bad TCP flag combinations

• Initial Sequence Number (ISN) rewriting for weak

TCP stack implementations

• Fragment flood protection with robust

fragment reassembly, ensures no partial

or overlapping fragments are transmitted

• Generalized IP packet validation including

detection of malformed packets

• DoS mitigations for over 190 DoS attacks,

including ping of death, land attack, tear drop

attack, etc.

• Drops bad IP options as well as source route

options

• Connection rate limits to minimize effects of new

attacks.

QoS/Bandwidth Management

•

Classified by physical port, virtual firewall,

firewall rule, session bandwidth guarantees – Into

and out of virtual firewall, allocated in bits/second

•

Bandwidth limits - Into and out of virtual

firewall, allocated in bits/second, packets/

session, sessions/second

•

ToS/DiffServ marking and matching

• Integrated with application layer filters

Content Security

• HTTP Filter Keyword support integrated with HTTP

Application Filter

• Basic content filtering with configurable

whitelist/blacklist and content keyword matching.

• URL redirection for blacklist sites

•

Rules-based routing feature for HTTP, SMTP

and FTP features (Security Management Server

v9.1 or later)

¬ Interoperates with all 3rd party Anti-virus,

Anti-Spam, and Content Filtering systems

¬ Redirects only protocol-specific packets to

3rd party systems performing Anti-virus,
Anti-spam, and content filtering services.

• Application-layer protocol command

recognition and filtering

• Application-layer command line length

enforcement

• Unknown protocol command handling

• Extensive session-oriented logging for

application-layer commands and replies

• Hostile mobile code blocking (Java®, ActiveX™)

Firewall User Authentication

• Browser-based authentication allows

authentication of any user protocol

• Built-in internal database – user limit 10,000

• Local passwords, RADIUS, SecurID

• User assignable RADIUS attributes

• Certificate authentication

VPN

•

Maximum number of dedicated VPN

tunnels – 7,500

•

Manual Key, IKEv1, IKEv2, DoD PKI, X.509

•

3DES (168-bit), DES (56-bit)

• AES (128, 192, 256-bit)

•

SHA-1 and MD5 authentication/integrity

•

Replay attack protection

• Remote access VPN

• Site-to-site VPN

•

IPSec NAT Traversal/UDP encapsulated IPSec

•

IKEv2 IPSec NAT Traversal and dead peer

detection

•

LZS compression

•

Spliced and nested tunneling

• Fully meshed or hub and spoke site-to-site VPN

VPN Authentication

• Local passwords, RADIUS, SecurID, X.509 digital

certificates

• PKI Certificate requests (PKCS 12)

• Automatic LDAP certificate retrieval

• DoD PKI

High Availability

• VPN Firewall Brick security appliance to VPN Firewall

Brick security appliance active/passive failover with

full synchronization

• 400 millisecond device failure detection and

activation

• Session protection for firewall, VoIP and VPN

• Link failure detection

• Alarm notification on failover

• Encryption and authentication of session

synchronization traffic

• Self-healing synchronization links

• Pre-emption and IP tracking for improved health

state checking

• Seamless system upgrade with no downtime for

redundant deployments

3

Alcatel-Lucent VPN Firewall Brick 1200