VPN Firewall Brick 201 · 2001-08-23 · VPN Firewall Brick 201 Powerful enough to meet the demands...

Date post: 18-Feb-2020
VPN Firewall Brick 201

Powerful enough to meet the demands of the largest corporate facilities, the Brick 201 affords a NEBS-compliant, carrier-class solution for service providers with multi-enterprise managed IP services offerings.

The Brick 201 is a member of the VPN Firewall family, the security foundation of Lucent’s IP Services portfolio. Brick 201 units interoperate seamlessly with other family members. These include the Lucent Security Management Server (LSMS), which simplifies centralized remote management of distributed IP networks; and the Lucent IPSec Client, which provides remote access VPNs for telecommuters and mobile workers.

A Powerful High-End IP Services Solution

The Brick 201 delivers state-of-the-art business-class capabilities across the full spectrum of managed security and VPN services. It can be deployed in a variety of configurations to facilitate both internal and external data communications. Application areas include:

• Facility firewall—to protect the enterprise LAN against potential internal and external threats
• Remote access VPN—to provide secure dial-up connectivity for telecommuters and mobile workers
• Web and application hosting—to enhance security, performance, and availability via virtual firewall and intelligent load-balancing capabilities
• Intranets—for secure communications among branch offices worldwide, or among departments across the corporate campus
• Extranets—to bolster customer, partner, and supplier relationships via security-enhanced eCommerce, web center, or specialized applications

Optimized for Carrier-Managed IP Services

Bullet-Proof Security

Unlike competitive firewalls, the Brick 201 operates as a layer 2 bridge, making it completely invisible within the network. In addition, it runs on the advanced Bell Labs Inferno® operating system, a compact, real-time kernel with built-in security features. This intrinsically secure platform is far less easily compromised than firewalls running on general-purpose operating systems and PC server platforms. The Inferno OS eliminates most points of vulnerability—resulting in a security system that is virtually impenetrable yet extremely easy to maintain.

Advanced Security and IP VPN Services for Large Offices and Data Centers

Lucent’s Brick 201 is a power-packed integrated firewall/VPN gateway appliance purpose-built to maximize large office and data center network security, without compromising network performance. It can be positioned between an existing WAN router and the LAN to provide ironclad firewall-based security, as well as high-speed remote access and site-to-site VPN connectivity. Called the Brick because of its rugged, reliable design, this is an ideal carrier-grade platform for service providers delivering managed security, VPN, or web/application hosting services. Whether you’re supporting customer premises equipment (CPE) or customer-located equipment (CLE) centralized within your data center, the Brick 201 offers unsurpassed throughput, scalability, manageability, and dependability.

The VPN Firewall Advantage

• Purpose-built for carrier-managed IP services
• Easy migration to high-revenue advanced security services
• Feature-rich remote access VPN platform
• Best-in-class price/performance
• Mission-critical reliability
• Broad industry recognition and certification

Quick and Simple “No-Touch” CPE

The Brick 201 can be centrally staged and completely remotely managed, eliminating the need for truck rolls or on-site assistance. The Inferno OS software installs from floppy in less than a minute, and the Brick reboots in less than fifteen seconds.

Remote device deployment couldn’t be simpler. Administrators at your data center can send the Inferno boot image—including the OS, digital certificates, and basic Brick configuration information—securely via e-mail to technicians at your customer’s premises. A technician then saves it to floppy and can have a Brick 201 configured and operational in less than five minutes.

Lowest Cost of Ownership

Because it operates as a bridge, inserting a Brick 201 into your network requires no costly routing configuration changes. That cuts deployment costs, whether you’re building a new Brick infrastructure or expanding an existing network. And because the Brick 201 doesn’t run on a standard OS, you avoid the costs associated with OS upgrades and patches.

The Brick’s simple design also means low-cost maintenance. Security policies are downloaded securely over the network, while the Brick’s logs are uploaded to a central collection point. Because no logs are actually stored on the Brick, it doesn’t need a hard drive. So there are no hard-drive backups and no critical moving parts to fail—which translates to leaner provisioning of spares and fewer support staff hours.

The Brick 201 can also operate as a high-speed router and easily drop into configurations designed around routing firewalls.

Easy Migration to High-Revenue Advanced Security Services

Integrating a wide variety of next-generation security capabilities, the Brick 201 offers a smooth, cost-effective migration path to diverse value-added managed security offerings.

Premium Authentication Services

Advanced security services begin with premium authentication to simplify and safeguard access privileges. The Brick 201 provides two types of authentication: firewall and VPN. Firewall authentication is out-of-band, and can support any protocol. Authentication methods include SecurID token-based network login, RADIUS or, at the simplest level, password-based local authentication. VPN users can be authenticated using X.509 certificates from Entrust and VeriSign, as well as any firewall authentication method. LSMS log records track all actions performed by the users to provide an unalterable audit trail.

Application-Layer Security

Perhaps the best news for you and your customers is Lucent’s commitment to support leading-edge network services. The Brick 201 supports popular new multimedia Internet applications such as H.323 VoIP, RealAudio®, and NetMeeting®—all without compromising network security one iota.

Multimedia protocols such as H.323 require dynamically negotiated TCP and UDP ports to remain open at both endpoints, a potential security hazard. Because these ports cannot be known in advance, the Brick looks into the protocol messages, identifies the ports and dynamically creates rules to open them, then closes the ports as soon as the session terminates. The result: absolutely ironclad security.

[Figure: VPN Firewalls are ideal for carrier-managed services. Network diagram with labels: Group Administrator, Intrusion Detection, Lucent Security Management Server, Authentication Server, LDAP Server, Certificate Authority, Lucent Proxy Agent, Service Provider Data Center, VPN Firewall Brick 201, SuperPipe 155, Service Provider IP Network, Public Internet, Customer #1 (Large Enterprise, Existing Router, Brick 201), Customer #2 (Mid Enterprise, Existing Router, Brick 80), Customer #1000 (Small/Home Office, Existing Router, Brick 20), Telecommuter (Lucent IPSec Client).]

While competitive products support only specific H.323 applications, the Brick 201 supports the entire H.323 v2 specification, allowing for full vendor-independent interoperability.

The bottom line: You can include these exciting new network transport technologies within your managed services portfolio. And as new technologies and protocols are unveiled, you can depend on Lucent to develop support for them, broadening the range of your offerings and the return on your managed services investments.

Content Security

The Brick 201 supports both dynamic stateful packet inspection and content-level filtering via the Lucent Proxy Agent, a significant advancement over basic static firewalls. Included with the VPN Firewall, the Lucent Proxy Agent operates on Microsoft® Windows NT® 4.0 hosts. Using a combination of Lucent and best-of-breed third-party applications, the Brick can deliver a wide variety of heightened security services at the content level, including:

– Blocking of unwanted HTTP commands (e.g., POST, GET, etc.) and SMTP commands (e.g., DBUG or XPND)
– URL categorization and content blocking from “inappropriate” Web sites (e.g., pornography and sports)
– Antivirus control for e-mail, file attachments and malicious Java® and ActiveX™ applets

The Lucent Proxy Agent reflection process is completely transparent, so users remain unaware that any redirect of packets has occurred.

Distributed Denial of Service Attack Protection

Flooding the network with packets and packet fragments from random source addresses, Distributed Denial of Service attacks can prevent servers from responding to legitimate sessions. The Brick deploys a three-pronged defense against this class of threat:

– SYN Flood Protection can monitor servers that may be under attack and reset unacknowledged sessions in the server’s state
– Intelligent Cache Management uses configurable thresholds to protect against packet floods that can saturate firewall memory
– Robust Fragment Reassembly limits the number of outstanding fragments that can be queued for reassembly, discarding fragments that do not belong to an established queue
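
An added sketch of the third defense, Robust Fragment Reassembly (not Lucent's code and not taken from the Brick): a reassembly table with a global cap on queued fragments that discards fragments with no established queue. It assumes a queue is established only by an offset-0 fragment, uses byte offsets instead of 8-byte units, and adds an age limit; the class, parameter names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Queue:
    created: float
    parts: dict = field(default_factory=dict)   # byte offset -> payload
    total_len: Optional[int] = None             # set when the last fragment (MF=0) arrives


class FragmentReassembler:
    """Bounded reassembly table keyed by (src, dst, proto, ident)."""

    def __init__(self, max_outstanding=4, max_age=30.0):
        self.max_outstanding = max_outstanding  # cap on fragments queued across all queues
        self.max_age = max_age                  # seconds before an incomplete queue is freed
        self.queues = {}
        self.outstanding = 0
        self.dropped = 0

    def accept(self, key, offset, more, payload, now):
        """Return the reassembled datagram when complete, else None."""
        self.expire(now)
        q = self.queues.get(key)
        if self.outstanding >= self.max_outstanding:
            return self._drop()                 # table full: a flood cannot grow memory
        if q is None:
            if offset != 0:
                return self._drop()             # no established queue for this fragment
            q = self.queues[key] = Queue(created=now)
        elif offset in q.parts:
            return self._drop()                 # duplicate offset: keep the first copy
        q.parts[offset] = payload
        self.outstanding += 1
        if not more:
            q.total_len = offset + len(payload)
        return self._complete(key, q)

    def _drop(self):
        self.dropped += 1
        return None

    def _complete(self, key, q):
        if q.total_len is None:
            return None
        data = bytearray()
        for off in sorted(q.parts):
            if off != len(data):                # gap or overlap: not reassemblable yet
                return None
            data += q.parts[off]
        if len(data) != q.total_len:
            return None
        self._free(key)
        return bytes(data)

    def _free(self, key):
        self.outstanding -= len(self.queues.pop(key).parts)

    def expire(self, now):
        for key in [k for k, q in self.queues.items() if now - q.created > self.max_age]:
            self._free(key)


def demo():
    # All addresses and payloads below are constructed sample traffic.
    r = FragmentReassembler(max_outstanding=4, max_age=30.0)
    legit = ("192.0.2.10", "198.51.100.5", 17, 1)
    r.accept(legit, 0, True, b"A" * 8, now=0.0)
    whole = r.accept(legit, 8, False, b"BB", now=0.1)
    # Orphan: a later fragment for a datagram whose first fragment was never seen.
    r.accept(("203.0.113.99", "198.51.100.5", 17, 99), 8, True, b"x" * 8, now=0.2)
    for i in range(10):                         # spoofed first fragments, never completed
        r.accept((f"203.0.113.{i}", "198.51.100.5", 17, i), 0, True, b"z" * 8, now=1.0)
    flooded = (r.outstanding, r.dropped)
    r.expire(now=40.0)
    return whole, flooded, r.outstanding
```

While the table is full, legitimate fragments are dropped along with the flood, which is why the age limit that frees abandoned queues matters as much as the cap.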

Powerful Capabilities for Remote Access VPNs

With its high capacity, wide scalability, and ICSA-certified IPSec encryption, the Brick 201 opens attractive opportunities for upselling subscribers to high-revenue site-to-site and remote access VPNs.

Lucent’s IP services portfolio delivers today’s most capable and flexible remote access VPN solution for both CPE and network-edge deployments. A typical remote access VPN consists of one or more Bricks or SuperPipe IP services routers, along with Lucent’s companion IPSec Client software for telecommuters and mobile workers.

The Brick 201 and the Lucent Security Management Server (LSMS) support the most demanding VPN environments with industry-leading scalability. Each Brick 201 unit provides concentration support for up to 3,000 simultaneous VPN tunnels. And as many as 20,000 simultaneous VPN tunnels—from potentially hundreds of thousands of users—can be managed by a single LSMS.

Virtual VPN Firewalls for Secure Web/Application Hosting

The Brick 201 delivers all the flexibility and functionality of multiple physical devices—all managed from the LSMS—on a single VPN Firewall. Its ability to support thousands of virtual firewalls and VPN tunnel endpoints (TEPs) makes it ideal for web/application hosting, wherein a single device needs to accommodate diverse customers and security policies.

In VPN applications, each TEP can correspond to a unique customer and an individualized security policy for authentication purposes.

Best-in-Class Price/Performance

Independent test results verify that VPN Firewall Bricks offer industry-leading price/performance levels.

The Brick 201 is capable of delivering up to 125 Mbps of cleartext firewall throughput at 55,000 packets per second. And it sustains this outstanding performance even while handling over 100,000 simultaneous connections with security policies containing as many as 1,000 rules.

To keep pace with expanding needs, the Brick 201 is available with an optional Encryption Accelerator Card that maintains VPN performance at 90 Mbps with strong 3DES encryption and supports up to 3,000 concurrent encrypted IPSec tunnels. The card provides hardware-based acceleration of IPSec’s DES and Triple DES encryption and MD5 and SHA-1 packet authentication. To speed transmission even further, data compression is automatically initiated under suitable conditions, resulting in sustainable peak performance.

Mission-Critical Availability and Reliability

Robust Failover Capabilities

To help ensure uninterrupted service, two Brick 201 units that share a common name and IP address can be deployed as a “failover pair,” with the standby member of the pair continually monitoring the state of the active Brick. Should the active unit go down, the standby takes over in a matter of seconds to quickly reestablish sessions.

Intelligent Load Balancing

Redundant load-balancing maximizes fault-tolerance and performance across a cluster of Bricks. The Lucent imminet WebDirector balances transmission loads among as many as 8 Brick 201 units to achieve a total throughput of up to 1 Gbps. Because all Bricks in the cluster load-share, traffic flow is optimized. Coupled with the Brick’s virtual firewall capabilities, this provides an ideal solution for secure web/application hosting.

Out-of-Band Management

The Brick 201 can be accessed out-of-band using a dial-up modem. This is particularly useful if communications between the Brick and the LSMS go down due to a network outage. A command-line interface on an ordinary terminal is used to issue management commands through a secure modem attached to the Brick’s serial port. A built-in command processor parses each command, performs the desired action(s), and reports the result to the serial port.

Today’s Leading VPN Firewall Family

Brick models are available to suit the specific needs of diverse facilities and applications. The enterprise-class Brick 201 is complemented by:

• The Brick 80 for medium-sized offices, branch and regional facilities, and extranet partners. This mid-range model delivers 60 Mbps of firewall throughput and 8 Mbps 3DES/MD5 throughput, and accommodates up to 400 concurrent encrypted IPSec tunnels.

• The Brick 20 for small and home offices. This value-priced model offers 20 Mbps of firewall throughput and 2 Mbps 3DES/MD5 throughput, and is capable of handling up to 50 concurrent encrypted IPSec tunnels.

[Figure: VPN Firewalls offer advanced capabilities for secure Web/application hosting. Product positioning chart; axis label: Performance/Functionally; positions: Road Warrior, Customer Premises, Network Edge; SOHO, ROBO, Headquarters, Data Center; price points: $1495, $3995, $8995+; products: IPSec Client 3.1, Brick 20, Brick 80, Brick 201, Brick 201 + imminet WebDirector (marked NEW). Chart text:
IPSec Client 3.1: Easy to use IPSec w/IKE, Auto policy download, Stateful Firewall Client “status logs”, Managed client option, Interoperable w/full portfolio
(3) 10/100 ports, 20 Mbps cleartext, 2 Mbps @ 3DES, 1,000 sessions, 50 VPN tunnels
(4) 10/100 ports, 60 Mbps cleartext, 8 Mbps @ 3DES, 25,000 sessions, 4000 VPN tunnels
(4) 10/100 ports, 125 Mbps cleartext, 90 Mbps @ 3DES*, 100,000 sessions, 3000 VPN tunnels
*with optional encryption accelerator]

[Figure: LSMS simplifies secure web/application hosting. Diagram labels: Lucent Proxy Agent w/Virus Scanning, LSMS, Web Server Farm, Access Point 1000, VPN Firewall Farm, imminet WebDirector.]

Broad Industry Recognition And Certification

All Brick models and the LSMS are certified by the ICSA (V3.0A Firewall and V1.0A IPSec). The Model 201 is certified by the National Security Agency (NSA EAL2 Government Protection Profile), and is on the US Army’s Approved Secure Products list.

Opinion shapers across the industry have recognized that the VPN Firewall and the LSMS offer today’s highest levels of functionality and performance at today’s lowest costs. This recognition has resulted in numerous honors and awards, including:

– Well Connected Award Finalist from Network Computing
– Tester’s Choice Award from Commweb.com
– Best-In-Test Award (Carrier Class VPNs) from Business Communication Review
– Networks-As-Advertised Award from Mier Communications

Delivering Next-Generation IP Services Platforms

VPN Firewall products and LSMS and IPSec Client software are members of the Lucent family of next-generation IP services platforms. Lucent offers a comprehensive portfolio of solutions with service intelligence to deliver basic access routing, IP services routing, and IP services switching for a full range of IP services applications and site configurations. The Lucent family gives service providers wide flexibility, functionality, and scalability in deploying managed IP services from the network edge to the customer premises. And to facilitate IP services design and deployment, Lucent Worldwide Services provides a full suite of global professional services and customer support.

For information on other IP Services solutions, refer to the following brochures:

Brochure: Part Number
VPN Firewall Family: Part # 01-VPNFAM
VPN Firewall Brick 20: Part # 01-VPN20
VPN Firewall Brick 80: Part # 01-VPN80
Lucent IPSec Client: Part # 01-VPNIPSEC
Lucent Security Management Server: Part # 01-VPNLSMS

You can also visit our web site at www.lucent.com/security or call 1-800-621-9578, option 3.

Entrust is a registered trademark of Entrust Technologies Inc.
FirstWatch is a registered trademark of VERITAS Software Corporation.
Inferno is a trademark of Lucent Technologies, Inc.
InterScan is a registered trademark of Trend Micro Inc.
Java is a trademark, and Sun registered trademark and Solaris are trademarks, of Sun Microsystems, Inc.
Microsoft, Windows NT and NetMeeting are registered trademarks, and ActiveX is a registered trademark, of Microsoft Corporation.
RealAudio is a registered trademark of Real Networks, Inc.
RealSecure is a trademark of Internet Security Systems.
SecurID is a registered trademark of Security Dynamics, Inc.
UL is a registered trademark of Underwriters Laboratories.
VeriSign is a trademark of VeriSign Inc.
WebTrends is a trademark of WebTrends.
X-Stop is a trademark of 8e6 Technologies.

This document is for planning purposes only and is not intended to modify or supplement any specifications or warranties relating to Lucent Technologies products or services.

[Figure: VPN Firewall Brick 201 connectors. Labels: Power, Mouse, USB, Keyboard, Serial, ENet 3, ENet 2, VGA Monitor, Parallel, Serial, ENet 1, Encryption Accelerator Card, ENet 0.]

Hardware Specifications

© 2001 Lucent Technologies, Inc. Printed in the U.S.A. 05/01 • 01-VPN201

Processor/Memory
Pentium II 400 MHz with 64MB of RAM

LAN Interface
Ethernet: (4) 10/100 Base-TX Ethernet (RJ-45)

Performance
Maximum number of IPSec remote access tunnels: 3,000
Max throughput without Encryption Acceleration: 10 Mbps @ 3DES/MD5
Max throughput with Encryption Acceleration: 90 Mbps @ 3DES/MD5
Max clear text throughput: 125 Mbps, 100,000 active sessions

Hardware Assisted Encryption
Optional Encryption Accelerator module

Other Ports
SVGA video, DB9 serial, PS/2 keyboard

Dimensions
Height: 6.97" (17.7 cm)
Width: 17" (43.18 cm)
Length: 19.24" (48.87 cm)
Weight: 32 lbs. (14.56 kg)

Cooling
Two-fan design. Chassis exchange fan (100 CFM) provides positive pressure for enclosure. Power supply fan (32 CFM) provides power supply cooling and chassis exhaust.

Altitude
10,000 ft (3,048 meters)

Environmental
Operating:
Temperature: 0–50º C
Shock: 2.5G at 15–20ms on any axis
Humidity: 5–95% at 40º C (non-condensing)
Vibration: 5G at 2–200 Hz on any axis
Non-Operating:
Temperature: 0–70º C
Shock: 35G at 15–20ms on any axis
Humidity: 5–95% at 40º C (non-condensing)
Vibration: 5G at 2–200 Hz on any axis

Power
Input: AC
Selectable for 95–135VAC or 180–265VAC. 47–63Hz
5A 115VAC; 2.5A at 230VAC
Input: DC
Optional –48VDC; 250W

Safety Listings
United States:
UL 1950, Underwriters Laboratories Inc. and bears the UL® mark
Canada:
Standard CSA 22.2 No 950
Underwriters Laboratories Inc. and bears the UL mark (equivalent to the CSA mark; indicates that it is listed by UL as meeting the CSA specification)
European Union and non-member countries:
VDE/CB (EN 60950, IEC 60950)

EMC Certifications
FCC Part 15, Class B (USA) (Radiated Emissions)
FCC Part 15, Class B (USA) (Conducted Emissions)
VCCI Class B (Japan) (Radiated & Conducted Emissions)
EN 55022 Class B (Europe) (Radiated & Conducted Emissions)
IEC 1000-4-2 (Europe) (Electrostatic Discharge)
IEC 1000-4-3 (Europe) (Radiated Immunity)
IEC 1000-4-4 (Europe) (Electrical Fast Transients)
ICES 003 Issue 3.0 (Canada) (Radiated & Conducted Emissions)
AS/NZS 3548 (Data for Australia derived from EN 55022) (Radiated & Conducted Emissions)

NEBS Certification
NEBS Level 3 Certified

ICSA Certification
ICSA V3.0A Firewall Certified, ICSA V1.0A IPSec Certified

NSA Certification
National Security Agency EAL2 Government Protection Profile Certified

Export Licensing
Brick 201:
License Exception (No License Required)
ECCN# EAR99
HTS# 8517509000
Brick 201 with Encryption Accelerator Card:
ECN License Exception
ECCN# 5A002.a.1
HTS# 8517904400

To learn more, contact your Lucent Technologies Representative, Authorized Reseller, or Sales Agent. Or, visit our Web site. www.lucent.com

Specifications subject to change without notice.

Software Specifications

Services Supported
bootp, http, irc, netstat, pop3, snmp, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, ldap, ntp, rip2, syslog, shell, X11, exec, igmp, login, ospf, rlogin, telnet, talk, H.323, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP, Gopher, IPSec, netbios, pointcast, smtp, sql*net, ica,

In addition, VPN Firewalls support services that invoke complex protocol interactions, multimedia applications (such as RealAudio®), and H.323-based applications (such as NetMeeting®).

Load Balancing
Brick load balancing may be configured using the Lucent imminet WebDirector product

Firewall
Dynamic stateful packet filter with content security proxies for:
command blocking
URL blocking – with 8e6 Technologies’ X-Stop™ Xserver
Virus scanning – with Trend Micro’s InterScan™ VirusWall Anti-Virus Security Suite

Management
SSL, Java based interface and 3DES encrypted session to Lucent Security Management Server (LSMS). 3DES encrypted and digital certificate authenticated session between LSMS and Bricks. Out-of-band debugging and analysis tool via serial port/modem.

IPSec Encryption/Authentication
IPSec ESP with DES, Triple-DES and RC4 encryption, MD5 and SHA1 authentication

Key Management
IKE, PKI CA Support of Entrust and VeriSign, X.509 digital certificates

User Authentication
RADIUS, SecurID®, X.509 digital certificates, local passwords

LDAP
Interoperates with LDAP directories to store X.509 digital certificates and certificate revocation lists

NAT
Source, Destination and Port Mapping with direct or pooled translation

High Availability
Direct active/standby failover is available natively on the Brick