0422-01 Ipsec Client Dsv3

IPSec Client
Secure Remote Access VPNs for Telecommuters and Mobile Workers

The Lucent IPSec Client provides a complete remote access VPN solution for individual desktop and laptop PCs running Microsoft's Windows® 95, Windows 98, Windows 2000, or Windows NT® operating systems. Standards-based IP Security (IPSec) features and centralized management combine with value-added capabilities to deliver a secure solution that is easy to install and use. A built-in "Personal Firewall" protects the PC even on always-on cable and digital subscriber line (DSL) connections. Users can surf the Web, log into an enterprise-wide intranet VPN, or connect to multi-party extranets safely and simply regardless of the connection mode: dial-up modem, WAN router, DSL, cable, or wireless link. With interoperability across Lucent's IP services portfolio, the Lucent IPSec Client gives you the right solution for your price and performance requirements.

The IPSec Client Advantage
■ Purpose-built for carrier-managed remote access VPN services
■ Ironclad security via a stateful firewall, strong packet encryption, and robust authentication options
■ Easy-to-install, easy-to-use software, keeping ownership costs low
■ Interoperable with Lucent's entire IP services portfolio

Purpose-Built for Carrier-Managed Services
The remote access VPN component of Lucent's IP services portfolio, the IPSec Client incorporates key features that let you offer secure, comprehensive managed VPN services for telecommuters and mobile workers.

Centralized, Integrated Management
When used with VPN Firewall Bricks and SuperPipe IP services routers, the IPSec Client is centrally managed by the Lucent Security Management Server (LSMS), which simplifies large-scale remote access VPN administration.
The LSMS enables each customer to be configured as a separate and secure group, with all remote access users, VPN security policies, and tunnel endpoints included in that group. Assigning one or more administrators to each customer group ensures appropriate coverage. VPN security policies and firewall rules are established centrally, then downloaded automatically and securely to systems and clients in the network. Pre-configured VPN security policies, used out-of-the-box or customized, help get your VPN up and running quickly. "Near zero" configuration of the IPSec Client eliminates the need for complicated configuration parameters or initialization files. The LSMS also includes a detailed Client Status Log to meet accounting and troubleshooting needs. The LSMS scales to support up to 20,000 IPSec Clients. Through tightly synchronized control of multiple systems, security policies, VPN tunnels, and remote clients, VPN management is greatly simplified, lowering your total cost of ownership and reducing the configuration errors that can lead to security intrusions. Large-scale remote access services can be centrally provisioned and managed by either the service provider or the enterprise itself.

No-Hassle Version Control
IPSec Client software distribution and version control are handled by the LSMS. Client software can be distributed on CD-ROM or downloaded from a central site, either directly from the LSMS or through a separate server. Once installed, each client's version is checked during tunnel setup, and users are notified via pop-up windows if they need to upgrade their software. With a single click, the user can uninstall the previous IPSec Client version and install the latest one.
Client installation features are compatible with Microsoft SMS, the Windows management tool commonly used by enterprises to deploy software to client PCs.

Command-Line Interface
A command-line interface allows administrators to enable new and existing tunnels and disable active tunnels with a few commands from an LSMS console window. You can also use the interface to write scripts that automate key tasks. This feature, coupled with the GRIC dialer, forms a secure, easy-to-use dial access solution.

Branding/Bundling
The IPSec Client's branding/bundling feature enables you to replace the "Lucent" name and logo on the application with your own branding. You can also bundle the Client to further simplify end-user installation. Enter your name and logo into electronic files, run a small utility provided with the software, and bundle the results with the client application into a self-extracting Zip file. When the user installs the program, your name and logo appear in the software. All the user needs to do to enable a tunnel is enter a user name and password.

Local Presence
The IPSec Client also offers a Local Presence feature that allows security administrators to assign each IPSec Client an IP address from a pre-determined address pool. This lets administrators avoid changing the existing enterprise routing and policy infrastructure. The TCP/IP stack on the client machine uses the "Internal IP for local presence" as the source IP address on all outgoing IP packets destined to hosts behind the VPN Gateway. This makes it easy to administer traffic on enterprise routers and hosts, because IPSec Client traffic can be distinguished from other traffic in the enterprise network.

Integral Ironclad Security
The three "P's" of network security are Protection of resources, Privacy of information, and Proof of identity. With Lucent's IPSec Client, you can give end-users all three in a single, easy-to-use package.

Protection of Resources
Firewall protection is the foundation of network security, and Lucent's IPSec Client includes a stateful "Personal Edition" firewall as a standard feature. Especially critical for remote users accessing an enterprise network via always-on cable modem or DSL connections, the firewall protects the user's computer when it is connected to the Internet but no tunnels are enabled. Because every site and every user is protected by a firewall, there are no weak links in the VPN chain. The stateful firewall also lets complex protocols such as NetMeeting be handled securely: inbound traffic is admitted only while the corresponding outbound session is established.

Privacy of Information
The IPSec Client's Encapsulating Security Payload (ESP) packet encryption and Authentication Header (AH) capabilities combine to keep private information transmitted via the Internet free from snooping and tampering. Support is included for basic 56-bit Data Encryption Standard (DES), stronger encryption with Triple DES (3DES, 168-bit key), and packet authentication using hash-based message authentication codes with MD5 (HMAC-MD5) and the Secure Hash Algorithm (HMAC-SHA-1). With IPSec, only authorized users have access to the keys required to encrypt and decrypt data. Note that 56-bit DES can be brute-forced with modest resources and should not be relied on for confidentiality; where the gateway supports it, policies should select 3DES with HMAC-SHA-1.
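The stateful-filter behaviour described under Protection of Resources above, as an added Python illustration that is not Lucent's code and assumes nothing about the real product's rule language: an outbound packet records a flow keyed by protocol, local port and remote address, an inbound packet is accepted only while a matching flow exists, and idle flows expire. The host address, ports, idle timeout and the traffic trace are constructed for the example.

```python
"""Stateful packet filter of the kind the brochure's "Personal Edition" firewall
describes. Added illustration, not Lucent code; addresses and trace are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = sent by this host, "in" = arriving at this host
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PersonalFirewall:
    """Default-deny for unsolicited inbound traffic; stateful allow for replies."""

    def __init__(self, idle_timeout=30.0):
        self.idle_timeout = idle_timeout
        # (proto, local_port, remote_ip, remote_port) -> time the flow was last seen
        self.flows = {}

    def _expire(self, now):
        stale = [k for k, seen in self.flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]

    def filter(self, pkt, now):
        """Return "ALLOW" or "DROP" for pkt observed at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "out":
            # Outbound traffic is permitted and opens a flow so replies can return.
            self.flows[(pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
            return "ALLOW"
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            self.flows[key] = now     # refresh the idle timer
            return "ALLOW"
        return "DROP"                 # no matching outbound session: unsolicited


def run_trace():
    """Constructed trace for a telecommuter host 10.0.0.5 on an always-on link."""
    fw = PersonalFirewall(idle_timeout=30.0)
    trace = [
        (0.0,  Packet("out", "tcp", "10.0.0.5", 40001, "198.51.100.10", 80)),  # web request
        (0.1,  Packet("in",  "tcp", "198.51.100.10", 80, "10.0.0.5", 40001)),  # its reply
        (0.2,  Packet("in",  "tcp", "203.0.113.7", 4444, "10.0.0.5", 139)),    # NetBIOS probe
        (0.3,  Packet("in",  "tcp", "198.51.100.10", 80, "10.0.0.5", 40002)),  # wrong local port
        (45.0, Packet("in",  "tcp", "198.51.100.10", 80, "10.0.0.5", 40001)),  # after idle expiry
    ]
    return [fw.filter(p, t) for t, p in trace]


if __name__ == "__main__":
    print(run_trace())
```

The two inbound packets that carry no matching flow are dropped, and so is the late reply once the flow has idled out. Protocols such as NetMeeting (H.323) negotiate their media ports on the control channel, so a product-grade filter additionally needs a protocol helper that reads that channel and opens the negotiated ports for the life of the call; that part is not shown here.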
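The ESP packet authentication described under Privacy of Information above, as an added Python illustration that is not Lucent's code: a sender builds an ESP packet carrying SPI, sequence number, padded payload and a 96-bit HMAC-SHA-1 integrity check value as RFC 2404 specifies, and a receiver verifies the ICV and enforces the anti-replay window of RFC 2401 Appendix C. The SPI, key and packets are constructed for the example. DES/3DES encryption is omitted because the Python standard library has no block cipher, so the body travels as padded plaintext; in AH the MAC additionally covers the immutable fields of the outer IP header, which is not modelled here.

```python
"""ESP integrity check (HMAC-SHA-1-96) and anti-replay window, standard library only.
Added illustration, not Lucent code; SPI, key and packets are constructed."""
import hashlib
import hmac
import struct

ICV_LEN = 12                      # RFC 2404: HMAC-SHA-1 output truncated to 96 bits
ESP_HDR = struct.Struct("!II")    # Security Parameters Index, sequence number


def build_esp(spi, seq, payload, next_header, auth_key, block=8):
    """Build an authenticated ESP packet: SPI | seq | payload | pad | pad_len | NH | ICV.

    Padding brings payload + pad + the two trailer bytes to a multiple of `block`
    (8 for DES/3DES); pad bytes are 1, 2, 3, ... as RFC 2406 requires.
    """
    pad_len = (-(len(payload) + 2)) % block
    body = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authed = ESP_HDR.pack(spi, seq) + body
    icv = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return authed + icv


class InboundSA:
    """Receiver side of one ESP security association."""

    def __init__(self, spi, auth_key, window=64):
        self.spi = spi
        self.auth_key = auth_key
        self.window = window
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set: sequence number (top - i) already seen

    def _replay_check(self, seq):
        """Return a rejection reason, or None if seq is acceptable."""
        if seq == 0:
            return "sequence number 0 is invalid"      # first packet on an SA uses 1
        if seq > self.top:
            return None                                # newer than anything seen
        diff = self.top - seq
        if diff >= self.window:
            return "outside replay window"
        if (self.bitmap >> diff) & 1:
            return "replayed sequence number"
        return None

    def _replay_update(self, seq):
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, packet):
        """Return ("ok", (next_header, payload)) or ("rejected", reason)."""
        if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
            return ("rejected", "truncated packet")
        spi, seq = ESP_HDR.unpack_from(packet)
        if spi != self.spi:
            return ("rejected", "unknown SPI")
        reason = self._replay_check(seq)
        if reason:
            return ("rejected", reason)
        authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return ("rejected", "ICV mismatch")        # tampered, or wrong key
        self._replay_update(seq)                        # only after the ICV verifies
        body = authed[ESP_HDR.size:]
        pad_len, next_header = body[-2], body[-1]
        if pad_len > len(body) - 2 or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            return ("rejected", "bad padding")
        return ("ok", (next_header, body[:-2 - pad_len]))


def demo():
    """Constructed exchange: a genuine packet, its replay, a tampered copy, reordering."""
    key = b"\x0b" * 20                                  # constructed 160-bit auth key
    sa = InboundSA(spi=0x1000, auth_key=key)
    p1 = build_esp(0x1000, 1, b"GET / HTTP/1.0\r\n", 6, key)   # next header 6 = TCP
    tampered = bytearray(build_esp(0x1000, 2, b"ok", 6, key))
    tampered[ESP_HDR.size] ^= 0x01                       # flip one payload bit in transit
    return [
        sa.receive(p1),
        sa.receive(p1),                                  # straight replay
        sa.receive(bytes(tampered)),
        sa.receive(build_esp(0x1000, 3, b"x", 6, key)),  # seq 3 overtakes seq 2
        sa.receive(build_esp(0x1000, 2, b"y", 6, key)),  # late seq 2, still inside the window
        sa.receive(build_esp(0x1000, 100, b"z", 6, key)),
        sa.receive(build_esp(0x1000, 30, b"w", 6, key)), # 70 behind, window is 64
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks matters: the cheap replay test runs before the HMAC so that replayed floods cost no hashing, but the window is advanced only after the ICV verifies, so a forged packet with a high sequence number cannot push genuine traffic out of the window.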
[Figure: Integrated IP Services, Delivering the Complete Solution. Panel titles: Managed CPE Overlay Service Solution; Remote Access Service Solution; Network Based Service Solution; Managed CPE Integrated WAN Solution. Elements shown: Lucent IPSec Client; ISDN, DSL, or cable network; IP network; SpringTide CPE router; Lucent VPN Firewall; SuperPipe; CVR; SpringTide Access Point 1000; any Lucent CPE; Frame Relay; DSL access network; T1 private line. Caption: Lucent IPSec Client interoperates with the full Lucent IP services portfolio.]

Proof of Identity
The IPSec Client supports a broad range of popular authentication methods and key management options. Users are authenticated using Remote Authentication Dial-In User Service (RADIUS), RSA SecurID®, X.509 digital certificates, or local passwords. The IPSec Client complies with the Internet Key Exchange (IKE) standard and supports both pre-shared keys and Public Key Infrastructure (PKI) authentication via third-party certificate authorities such as Entrust® and VeriSign™. Lucent's entire Secure VPN portfolio interoperates with Lightweight Directory Access Protocol (LDAP) servers that store digital certificates and certificate revocation lists.

Extraordinarily Easy to Install and Use
The IPSec Client's advanced capabilities sit behind a user-friendly graphical user interface. The "point-and-click" installation and intuitive GUI get users connected quickly, easily, and securely. Installation is guided by a step-by-step process that takes less than two minutes to complete. Setting up each session is virtually transparent to the user because the LSMS centrally manages all VPN configurations and security policies. Centralized control ensures strict enforcement of access privileges and minimizes configuration errors. To initiate a remote access VPN session, IPSec Client users enter a few parameters: user name, password, group key, and the desired tunnel endpoint. After the tunnel has been enabled once, the software remembers the group key and tunnel endpoint (and, if permitted, the password), so tunnel activation is even easier for subsequent sessions. Once the user is authenticated and the secure VPN session initiated, the LSMS automatically downloads the user's security policy profile, which includes the VPN configuration and firewall rule sets. By filling in a few credentials on a single screen, users can obtain a PKI digital certificate from a third-party certificate authority. The LSMS also loads DNS/WINS host access list entries during tunnel setup and, once a tunnel is established, the user can optionally log on to a corporate Windows NT Domain and have network drives mapped automatically. Session initiation also supports split tunnels, which permit simultaneous cleartext sessions for public Web surfing and ciphertext sessions for the intranet or extranet VPN. The IPSec Client optionally compresses all data sent through the tunnel using the Lempel-Ziv-Stac (LZS®) algorithm; the data is decompressed by the VPN Firewall Brick at the other endpoint. As a result, tunnels over a slow Internet connection such as a modem dial-up can achieve better effective throughput. If the primary system is unavailable, a hot failover tunnel redundancy feature automatically seeks another tunnel gateway or router. On-screen answers to questions about system use are available through a detailed on-line help feature with comprehensive contents, index, and search capabilities.

Interoperates with Lucent's Entire IP Services Portfolio
The IPSec Client is fully interoperable across Lucent's IP services portfolio of products, including not only the VPN Firewall family but also the SpringTide IP services switch and the Access Point and SuperPipe IP services routers.
Products in the Lucent portfolio support a variety of LAN and WAN interfaces and configuration options at a broad range of price/performance points, from small office/home office (SOHO) environments to the network edge. The Lucent portfolio is designed for ease of implementation, scalability, reliability, security, and performance. To facilitate IP services design and deployment, Lucent provides a full suite of global professional services and customer support.

IPSec Client Technical Specifications
Platforms: Windows 95, Windows 98, Windows NT, Windows 2000
Notifications: Notifies Client of administrator-specified message
Software Upgrade Management: Notifies when a Client upgrade is available; one-click upgrade uninstalls the previous version and installs the next version
Tray Icon: Icon in the system tray indicates tunnel activity and provides continuous traffic statistics
Local Address Assignment: Provides Client users with an address on the enterprise LAN, so that all return packets to the user are routed to the specific device where the client's Security Association, which is required for encryption and decryption, resides
Firewall: "Personal Edition" stateful firewall controls cleartext traffic; also controls traffic when the Client is not connected to the VPN
IPSec Encryption/Authentication: IPSec Encapsulating Security Payload (ESP) with DES and Triple-DES; IPSec Authentication Header (AH) with HMAC-MD5 and HMAC-SHA-1 authentication
Key Management: IKE; PKI CA support for Entrust and VeriSign; X.509 digital certificates
User Authentication: RADIUS, SecurID®, X.509 digital certificates, local passwords
Connection Technologies: Dial-up modem, DSL, cable, wireless link, or various NIC and PCMCIA cards
High Availability: Fails over to a secondary tunnel endpoint if the primary is not available

For information on other IP Services solutions, refer to the following brochures (brochure, part number):
VPN Firewall Family, 01-VPNFAM
VPN Firewall Brick 20, 01-VPN20
VPN Firewall Brick 80, 01-VPN80
VPN Firewall Brick 201, 01-VPN201
Lucent IPSec Client, 01-VPNIPSEC
Lucent Security Management Server, 01-VPNLSMS
SuperPipe 95, 01-188
SuperPipe 155, 01-187a
SuperPipe 170, 01-SP170
SuperPipe 175, 01-SP175
Access Point Family, 01-APF
SpringTide 5000, 01-317

LZS is a registered trademark of Hi/fn, Inc. Entrust is a registered trademark of Entrust Technologies Inc. RealSecure is a trademark of Internet Security Systems. SecurID is a registered trademark of Security Dynamics, Inc. FirstWatch is a registered trademark of VERITAS Software Corporation. Inferno is a trademark of Lucent Technologies, Inc. InterScan is a registered trademark of Trend Micro Inc. Java is a trademark, and Sun and Solaris are trademarks, of Sun Microsystems, Inc. Microsoft, Windows NT, NetMeeting, and ActiveX are registered trademarks of Microsoft Corporation. RealAudio is a registered trademark of Real Networks, Inc. UL is a registered trademark of Underwriters Laboratories. VeriSign is a trademark of VeriSign Inc. WebTrends is a trademark of WebTrends. X-Stop is a trademark of 8e6 Technologies.

You can also visit our web site at www.lucent.com/security or call 1-800-621-9578, option 3. This document is for planning purposes only and is not intended to modify or supplement any specifications or warranties relating to Lucent Technologies products or services. To learn more, contact your Lucent Technologies Representative, Authorized Reseller, or Sales Agent, or visit our Web site at www.lucent.com. Specifications subject to change without notice.

© 2001 Lucent Technologies, Inc. Printed in the U.S.A. 05/01 • 01-VPNIIPSC