TECHNICAL SPECIFICATIONS
Services Supported
• Bootp, http, irc, netstat, pop3, SNMP, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, LDAP, ntp, rip2, syslog, shell, X11, exec, gmp, login, OSPF, rlogin, telnet, talk, H.323, SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP/SIP, Gopher, IPSec, netbios, pointcast, mtp, sql*net
• Any IP protocol (user definable)
• Any IP pr layer 4 ports (user definable)
• Support for non-IP protocols as defined by SAP/Ethertype
Layer-7 Application Support
• Application Filter architecture supports layer-7 protocol inspection (deep packet inspection) for command and protocol validation, protocol anomaly detection, dynamic channel pinholes and application layer address translation. Application filters include http, ftp, RPC, tftp, H.323/H.323 RAS, SMTP, Oracle SQL*Net, NetBIOS, ESP, DHCP Relay, DNS, GTP, and SIP
Firewall Attack Detection and Protection
• Generalized Day 0 anomaly-based flood protection with patent-pending Intelligent Cache Management Protections
• SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
• Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers,
• Rejection of bad TCP flag combinations
• Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
• Fragment flood protection with robust fragment reassembly, ensures no partial or overlapping fragments are transmitted
• Generalized IP packet validation including detection of malformed packets
• DoS mitigations for over 190 DoS attacks, including ping of death, land attack, tear drop attack, etc.
• Drops bad IP options as well as source route options
• Connection rate limits to minimize effects of new attacks.
QoS/Bandwidth Management
• Classified by physical port, virtual firewall, firewall rule, session bandwidth guarantees – Into and out of virtual firewall, allocated in bits/second
• Bandwidth limits - Into and out of virtual firewall, allocated in bits/second, packets/session, sessions/second
• ToS/DiffServ marking and matching
• Integrated with application layer filters
Content Security
• HTTP Filter Keyword support integrated with HTTP Application Filter
• Basic content filtering with configurable whitelist/blacklist and content keyword matching.
• URL redirection for blacklist sites
• Rules-based routing feature for HTTP, SMTP and FTP features (Security Management Server v9.1 or later)
  - Interoperates with all 3rd party Anti-virus, Anti-Spam, and Content Filtering systems
  - Redirects only protocol-specific packets to 3rd party systems performing Anti-virus, Anti-spam, and content filtering services.
• Application-layer protocol command recognition and filtering
• Application-layer command line length enforcement
• Unknown protocol command handling
• Extensive session-oriented logging for application-layer commands and replies
• Hostile mobile code blocking (Java®, ActiveX™)
Firewall User Authentication
• Browser-based authentication allows authentication of any user protocol
• Built-in internal database – user limit 10,000
• Local passwords, RADIUS, SecurID
• User assignable RADIUS attributes
• Certificate authentication
VPN
• Maximum number of dedicated VPN tunnels – 7,500
• Manual Key, IKEv1, IKEv2, DoD PKI, X.509
• 3DES (168-bit), DES (56-bit)
• AES (128, 192, 256-bit)
• SHA-1 and MD5 authentication/integrity
• Replay attack protection
• Remote access VPN
• Site-to-site VPN
• IPSec NAT Traversal/UDP encapsulated IPSec
• IKEv2 IPSec NAT Traversal and dead peer detection
• LZS compression
• Spliced and nested tunneling
• Fully meshed or hub and spoke site-to-site VPN
VPN Authentication
• Local passwords, RADIUS, SecurID, X.509 digital certificates
• PKI Certificate requests (PKCS 12)
• Automatic LDAP certificate retrieval
• DoD PKI
High Availability
• VPN Firewall Brick security appliance to VPN Firewall Brick security appliance active/passive failover with full synchronization
• 400 millisecond device failure detection and activation
• Session protection for firewall, VoIP and VPN
• Link failure detection
• Alarm notification on failover
• Encryption and authentication of session synchronization traffic
• Self-healing synchronization links
• Pre-emption and IP tracking for improved health state checking
• Seamless system upgrade with no downtime for redundant deployments
Alcatel-Lucent VPN Firewall Brick 1200