Slide 1: Dual-E Security © 2001, Cisco Systems, Inc.
New Dual Ethernet Security Solutions
Sean Convery, Michael K. Jones, Jay Bazzinotti, Holly Linden, John Huie
www.cisco.com
Slide 2: Agenda
© 2001, Cisco Systems, Inc. Cisco Confidential
• Introduction & Market Overview – Sean Convery
• New Products:
  Introducing the Cisco 3002 VPN Hardware Client – Jay Bazzinotti
  Introducing the Cisco PIX 501 Firewall – Michael K. Jones
  Introducing the Cisco 806 Broadband Gateway Router – Holly Linden
  Introducing the Cisco 1710 Security Access Router – John Huie
• Product Positioning & Competitive Products – Sean Convery
• Q&A
Slide 3: SAFE Security Blueprint & Cisco Security Products
Slide 4: Extending SAFE
(Diagram of the SAFE modules: Campus Module with Corporate Servers, Corporate Users, Public Services and Management Servers; Corporate Internet Module connecting to the ISP Edge Module and ISP; PSTN Module connecting to the PSTN; WAN Module with Frame/ATM Module connecting to FR/ATM.)
Slide 5: Cisco’s Dual Ethernet Security Platforms
• Options for implementing security in teleworker, small office, and small to medium business environments
• Both dedicated security appliances and router-based solutions with integrated security
• Secure access to a corporate network or to the Internet through a broadband connection (Ethernet WAN port)
• Features to meet the requirements of the SAFE Blueprint for Small to Medium Networks and Remote Users
Slide 6: Cisco Dual Ethernet Security Platform Positioning
(Positioning diagram across three customer segments, from Telecommuter through Small Business/Small Branch to Med Biz & Enterprise Branch.)
• IOS Router Based Security: Cisco 806 Router, Cisco 1710 Router, Cisco 2600/3600 Router
• FW Appliance Based Security: Cisco PIX 501 Firewall, Cisco PIX 506 Firewall, Cisco PIX 515R Firewall
• VPN Appliance Based Security: Cisco 3002 Hardware VPN Client
Slide 7: Products
Cisco 3002 VPN Hardware Client, Cisco PIX 501 Firewall, Cisco 806 Broadband Gateway Router, Cisco 1710 Security Router
Slide 8: Cisco VPN 3002 Hardware Client
• The Cisco VPN 3002 Hardware Client provides remote access VPN – it looks like a VPN client to the central site
• The VPN 3002 has two primary functions:
  It is simple to deploy – policy, config, upgrades are pushed to the device; supports DHCP client/server & PPPoE host/client
  It scales to very large networks (>50,000 units) – no central site configuration is required as for LAN-to-LAN devices
• The VPN 3002 is a broadband device with optional 8 port 10/100 switch supporting up to 253 users on the private LAN
• The VPN 3002 works with any Operating System
• The VPN 3002 includes Auto Upgrade allowing for fast, simple, hands-off upgrades for up to thousands of devices
• The VPN 3002 provides 2.2Mbps 3DES performance
Slide 9: Cisco VPN 3002® Hardware Client Features (hardware callouts)
• Cable Lock – Physically lock device like a PC
• 8 Port 10/100 MB Auto-sensing Ethernet LAN Switch w/ Activity LEDs – Connect to private Ethernet network devices
• Ethernet (to WAN) Port – Connects to any WAN device, xDSL, cable modem, router, etc. (auto-sensing)
• Power Connector – Securely connects power supply
• Console Port – Connects to PC, terminal or modem for configuration or out of band access
• Processor – Motorola 8255 PowerPC 150Mhz
• Memory – Dual Flash images, 16 Mb DRAM, 8 Mb Flash, 8Kb NVRAM
• Recessed Reset – Allows reset to factory defaults
• FIPS Secure Chassis – Conforms to FIPS-140 Level 2
• Convection Cooled – Silent, fan-free operation
• LEDs (front) – Power, System Health, Tunnel Up, PPPoE status
Slide 10: Cisco VPN 3002® Hardware Client Features
Access/Performance:
• Operating System Independent – works with any OS
• PPPoE client/server, DHCP client/server, supports up to 253 users per unit (with or w/o 8 port switch)
• 2.2Mbps 3DES performance; 10Mbps clear text
• Remote Access client or Site-to-Site operation with Load Balancing and Failover
• IPSec/NAT transparency
• Connects Cisco devices supporting the Unified protocol specification
Security:
• Makes a single tunnel, outbound connections only
• Uses NAPT (Network Address Port Translation)
• Pushes security policy from central site – remote user has no control
• Supports pre-shared secret and digital certificates
Management:
• Built-in web server or CLI for local, remote config
• Supports SSL/SSH over the tunnel or out-of-band console/modem port
• Automatically upgrades itself
• Eliminates the need for central site config in most cases
• Scales to 10s of thousands of sites
• Can be reset to factory defaults by local/remote command or by switch
• SNMP, Syslog, LED and other diag/troubleshooting
Slide 11: Cisco VPN 3002® Hardware Client Features (pricing)
• Cisco VPN 3002 Hardware Client: $995
• 8 Port 10/100 Auto-sensing Switch: $200
• Power Cord (US or Worldwide): Included
• Software (VPN, Client, Security): Included
• Cables: Included
Slide 12: Introducing the Cisco PIX® 501 Firewall
• Extends market-leading Cisco PIX Firewall product family to remote users, providing customers an end-to-end security solution
• Compact, reliable, plug ‘n play security appliance that provides:
  • Enterprise-class security features
  • High-speed small office networking
  • Robust remote manageability
• Ideal security appliance for small offices, teleworkers and small businesses using broadband-based Internet connections
Slide 13: Cisco PIX® 501 Firewall Overview – Product Highlights
Enterprise-class Small / Home Office Security Appliance:
• Robust stateful inspection firewalling
• VPN for secure access to remote networks
• Intrusion protection and much more…
Plug ‘n Play Small Office Networking:
• Integrated 4-port 10/100 Mbps switch
• Integrated DHCP client and server
• Includes dynamic/static NAT and PAT support
Robust Remote Manageability:
• Intuitive, web-based PIX Device Manager
• Scalable, multi-firewall management using Cisco Secure Policy Manager 3.0
• Supports other standards including telnet, SSH, TFTP, SNMP and syslog
Slide 14: Cisco PIX® 501 Firewall Specifications
Software Features:
• Supports full Cisco PIX Firewall feature-set
• Runs same software images as all other PIX platforms
• First PIX platform with new plug ‘n play factory default configuration
Hardware Features:
• 133 MHz AMD Processor
• 16 MB SDRAM, 8 MB Flash Memory
• Silent, convection cooled design – no fan needed
• Compact 6.25 x 5.5 x 1” (W x D x H) form factor
• Integrated lock slot for improved physical security
Performance Metrics:
• 10 Mbps cleartext firewall throughput
• 6 Mbps DES VPN performance
• 3 Mbps 3DES VPN throughput
• 3,500 concurrent connections
Slide 15: Cisco PIX® 501 Firewall Product Pricing
Configurable Chassis and Options:
• PIX 501 chassis with PIX OS 6.1(1) software, $595
• User license: 10 users $0, 50 users $600
• Encryption license (optional): DES $0, 3DES $100
Bundles:
• PIX 501 with 10 user and DES licenses, $595
• PIX 501 with 10 user and 3DES licenses, $695
• PIX 501 with 50 user and DES licenses, $1195
• PIX 501 with 50 user and 3DES licenses, $1295
Upgrades / Spares:
• 10 to 50 user license upgrade, $700
• Encryption license: DES $0, 3DES $100
• Spare AC power supply, $60
Slide 16: Cisco 806 Broadband Gateway Router
Secure, shared broadband gateway with the power of Cisco IOS® technologies for Small Offices and Telecommuters
• Multi-user access
• Business-class Security & VPN
• Manageability & reliability with Cisco IOS Software
• Video, voice, and traffic management with QoS
• One standardized router platform for diverse broadband technologies
Slide 17: Cisco 806 Architecture
• Cable Lock – Physically secures router
• 10 MB Ethernet LAN Hub – Connect to Ethernet network devices
• Ethernet WAN Port – Connects to broadband modem or Ethernet switch
• Locking Power Connector – Securely connects power supply
• Console Port – Connects to PC or terminal for configuration
• To Hub/To PC Button – Determines the Ethernet device and cable type used for Ethernet Hub
• Processor – RISC MPC855T @ 50MHz
• Memory – Runs from DRAM; DRAM default: 16MB, DRAM max: 24MB; Flash default: 12 MB, Flash max: 12 MB
Slide 18: Cisco 806 Features
Multiuser Access:
• Network Address Translation (NAT)
• 4-port hub
• PPPoE client/server, DHCP client/server, unlimited users (20 recommended)
Business-Class Security:
• NAT, Extended ACLs, Stateful Firewall, DoS detection, IPSec DES/3DES
Reliability & Manageability with Cisco IOS Software:
• Remote monitoring, troubleshooting, and s/w management
• Web configuration tool (CRWS) & Cisco Config Express
• Interoperates with IOS routers and Cisco VPN 3000 concentrators
Video, Voice, and Traffic Management with QoS:
• Multicast support, QoS for IP phones*
*QoS features in Q4 CY ‘01
Slide 19: Cisco 806 US List Prices
• Cisco 806 + IP Software: $649 (IP feature set included)
• IP Plus: $100
• IP Firewall: $100
• IP Firewall Plus IPSec 3DES: $250*
• VPN Security Bundle – Includes IP FW Plus 3DES image plus memory: $350
*Requires additional memory
Slide 20: Introducing the Cisco 1710 Security Access Router
Business-class security and advanced routing through the power of Cisco IOS® Technologies
• Comprehensive Security: VPN Encryption and Tunneling, Stateful Inspection Firewall, Intrusion Detection, Virtual LAN Support
• High-Performance VPN: Wire-speed 3DES VPN Encryption at T1/E1 speed
• Advanced routing and QoS Features
• Remote Management
Slide 21: Cisco 1710 Architecture
• Dual-Ethernet (10/100 LAN, 10BT WAN)
• IEEE 802.1Q VLAN
• Onboard/Default Memory: 16MB Flash/32MB DRAM
• Hardware Encryption (IPSec 3DES up to T1/E1 and 100 Tunnels)
• Console Port and Auxiliary Port up to 115 kbps
Slide 22: Cisco 1710 Comprehensive Features
• Secure Internet, Intranet, Extranet: VPN, Stateful Firewall/IDS
• Tunneling: IPSec, L2TP, GRE, L2F
• IP/Host Management: PPPoE Server/Client, DHCP Server/Client, NAT/PAT
• Protocol Support – Routed: IP, IPX, AT, IBM/SNA; Routing: RIP, OSPF, IGRP
• Traffic Management (QoS): IP Multicast, LLQ, WFQ, CAR
Slide 23: Cisco 1710 Pricing
• Cisco 1710: US List $1,295 (IP Plus/Firewall/IDS/IPSec 3DES)
• IOS Software Upgrade: US List $400 (IP/IPX/AT/IBM/Plus/FW/IDS/IPSec 3DES)
Slide 24: Product Positioning & Competitive Information
Slide 25: When to Sell
• The Cisco 3002 VPN Hardware Client is best for any company with multiple branch offices, home offices or remote sites desiring secure remote access VPN and high scalability, simple deployment and minimal ongoing management
• The Cisco PIX 501 Firewall is best for small office and teleworker environments that require market-leading security capabilities including stateful inspection firewalling, VPN, intrusion protection and more in a compact, cost-effective, all-in-one security appliance
• The Cisco 806 Broadband Gateway Router is best for Small Office & Teleworker customers who require integrated security with firewall & VPN support in a Cisco IOS router based solution
• The Cisco 1710 Security Router is best for customers who require a comprehensive security and advanced routing solution which features high-performance VPN, integrated firewall, Cisco IOS routing, QoS, and VLAN support in an all-in-one device for small and medium-sized businesses and branch offices
Slide 26: Key Technical Differences
• Cisco IOS based Ethernet to Ethernet routers
  Pro: Best deployed in environments where a rich set of QoS, routing, and general networking features are needed in addition to VPN and security.
  Con: Configuration of security and VPN services on a general purpose OS is more prone to user error. Network based model limits individual user accountability.
• Cisco PIX Firewalls
  Pro: Best deployed in environments that need comprehensive network security services including firewall, VPN, intrusion protection and more in a purpose-built appliance.
  Con: Limited networking features beyond security and VPN. Network based model limits individual user accountability.
• Cisco Hardware VPN Client
  Pro: Dynamic, user-based policy push allows large scale deployments. Best used when manageability of the remote sites is key.
  Con: No stateful firewall, limited networking features beyond VPN.
Slide 27: Dual Ethernet Security – Key Competitors
• NetScreen – Security appliance, aggressively priced, good performance, no routing functionality, does not have as robust security features as PIX 501 ($495-$995)
• SonicWALL – Security appliance, good performance, no routing functionality, higher costs for 10 & 50 user licenses with VPN, does not have as robust security features as PIX 501 ($495-$1490)
• Nortel - VPN hardware device, large footprint, noisy, expensive ($750-$1495)
• Nokia/Check Point – Check Point SW with Nokia HW, high cost, “scaled down” version of Check Point FW, only allows static IPs, no VPN capabilities ($895 (base hardware) plus SW $299 - $2499)
• Linksys – Low cost consumer router, no VPN support, extremely limited “firewall” capabilities, poor performance ($150-$250)
Slide 28: Summary
• Cisco has the most complete portfolio of security products to meet the needs of enterprise teleworkers, branch offices and small to midsized businesses
• Cisco allows customers to choose from dedicated security appliances and router based security solutions
• Cisco’s dual ethernet security platforms fit into the SAFE Blueprint for Small & Midsized Networks and Remote Users
Slide 29: Q & A
Slide 30: Additional Slides
Slide 31: Cisco Dual Ethernet Security Platform Comparison

Feature                       | PIX 501                | VPN 3002               | 806                    | 1710
------------------------------|------------------------|------------------------|------------------------|----------------
Base MSRP                     | $595 or $1,195         | $995 or $1,195         | $649                   | $1,295
3DES MSRP                     | $100                   | Included               | $350 (SW + 4Mb)        | Included
Physical Size (WxDxH")        | 6¼ x 5½ x 1”           | 8 x 6 x 2”             | 9¾ x 8½ x 2”           | 11 x 3 x 8.7"
Inside Interface              | 4-FE Switch            | 1-FE or 8-FE Switch    | 4-10BaseT Hub          | FE
Outside Interface             | 10BaseT, Half          | FE                     | 10BaseT, Half          | 10BaseT, Half
Clear-text (Mbps)             | 10                     | 10                     | 9                      | 9
3DES (Mbps)                   | 3                      | 2.2                    | 400 Kbps               | 4
Users                         | 10 or 50               | Unlimited              | Unlimited, 20 sugg.    | Unlimited
Concurrent VPN Tunnels        | 5 VPN Peers            | 1                      | 10                     | 100
Stateful Firewall             | Yes, PIX               | No                     | Yes, IOS FW            | Yes, IOS FW
Content Filtering             | Yes, Java/ActiveX      | No                     | Yes, CBAC              | Yes, CBAC
URL Filtering                 | Yes, 3rd Party         | No                     | No                     | No
Intrusion Protection          | Yes                    | No                     | No                     | Yes
AAA Support                   | Yes                    | Yes                    | Yes                    | Yes
NAT/PAT                       | Yes                    | Yes                    | Yes                    | Yes
Site-to-Site VPN              | Yes                    | Network Ext Mode       | Yes                    | Yes
VPN User Termination          | Yes                    | No                     | Yes                    | Yes
VPN NAT Transparency          | No                     | Yes                    | No                     | No
Individual User Auth          | Yes, Cut-through Proxy | Yes                    | Yes, Lock&Key          | Yes, Lock&Key
Local Security Policy Editing | Optional               | Now in Beta (FCS Dec)  | Optional               | Optional
DHCP Client & Server          | Yes (32 or 128 leases) | Yes (253 leases)       | Yes (253 leases)       | Yes (253 leases)
IP Phone DHCP Support         | No (Q1)                | Yes                    | Yes                    | Yes
PPPoE Support                 | No (Q1)                | Yes                    | Yes                    | Yes
VLAN (802.1Q)                 | No                     | No                     | No                     | Yes
QoS / Rate Limiting           | TOS Preservation       | TOS Preservation       | Yes + Q4: LLQ, CAR     | Yes
Web-Based GUI                 | Yes (No VPN)           | Yes                    | Setup Only             | No
SNMP & Syslog Support         | Yes                    | Yes                    | Yes                    | Yes
VPNSC Support                 | Limited                | Yes                    | Yes                    | Yes
Config Express Support        | No                     | No                     | Yes                    | Yes
Slide 32: Internet Creates a Security Risk
“The 2000 survey conducted by the Computer Security Institute revealed 90 percent of respondents detected at least one security breach in the last year.” – Computer Security Institute
Slide 33: Worldwide Broadband Market Forecast
(Chart: subscribers, 0M to 120M, for the years 2000 through 2004, broken out by DSL, Cable and Fixed Wireless. Source: IDC, 2001.)
Slide 34: 275% VPN Market Growth
(Chart: expenditures in U.S. $ by year, 2001 through 2005, split into Products and Services; labelled values on the chart range from $2B up to $41B. Source: IDC May 2001.)