bintec VPN Access 25
Multifunctional like your company and with sophisticated technology to meet your demands: the new VPN Access devices
Outstanding IPSec implementation provides you with a high-end solution for your VPN, packed with a wide range of security mechanisms.
With the VPN Access Line, Funkwerk Enterprise Communications presents a new generation of VPN gateways. All of the previous advantages of bintec devices are included. The new VPN Access devices are optimised for high-availability use in a VPN environment. Higher-performance CPUs and more memory make the products "Future Proof". IPSec and PPTP encryption is already enabled, so there is no need to purchase and activate licenses separately. In addition, there are many new features included in the new VPN Access product line.
Load Balancing
For all the devices in the VPN Access line with three Ethernet interfaces, it is possible to configure two of the three interfaces as WAN interfaces. This not only provides more bandwidth, it also gives you the opportunity of distributing your data traffic on the individual lines, depending on the load or the data type. In this way, one of the lines can take care of all the traffic into the Internet, while the second line is dedicated to VPN traffic. The second WAN port can use a second ADSL or even an SDSL line to take care of your company's other data traffic. This switchover is performed seamlessly and the user will not notice a thing. There is even an option to set up a backup via an ISDN, an analogue or a GSM modem.
Extensive backup options
A VPN helps you to exchange business-critical data between different company locations securely and at an affordable price. And so it is all the more important that communication is always guaranteed. In this case, Funkwerk Enterprise Communications offers a wide variety of automatic mechanisms. If two WAN lines are active, for example, then one can take over the entire data transfer for the other, should a malfunction occur. If both lines break down, the VPN traffic can be automatically forwarded via the integrated ISDN modem. This switchover is performed seamlessly and the user won't notice a thing. And there is even an option to set up a backup via an analogue or a GSM modem.
Device redundancy
If the device itself should malfunction, it is possible to forward data exchange automatically to a second device. Thanks to our bintec Router Redundancy Protocol (BRRP), two devices can be operated redundantly and act as one device in the LAN. In addition to their own IP and MAC address per interface, they both also have a common virtual IP and MAC address. This address is entered as the standard gateway in all the computers in the LAN. The two VPN devices communicate using the bintec protocol. Should one device malfunction, the other would automatically take over the entire data traffic.
Secure encryption
The bintec IPSec implementation offers everything that customers wish for. In addition to numerous methods of encryption, including the brand-new AES ("Advanced Encryption Standard"), Funkwerk Enterprise Communications offers the VPN Access product line with encryption keys up to 256 bits in length. This means that your enterprise will be ready today to meet the demands of tomorrow.
Certificate support
Of course, our devices are not limited to working with just preshared keys; they function with certificates as well. This means you can build a public key infrastructure for the greatest possible security and the greatest flexibility in the daily operation of your VPN. Thus, direct intervention to secure the system (when your staff changes or a VPN device is stolen) is only required at one central location. This makes your administration easier, increases security and reliability and reduces the costs at the same time. (By the way: the Governmental Organisations for Security in Information Technology recommend the use of certificates.)
VPN with dynamic IP addresses
The bintec IPSec implementation supports the building of VPN tunnels right from the beginning, even with dynamic IP addresses. As such, the central office with a static IP address can use a free ISDN callback process to have each branch office build a tunnel. This makes small branch locations permanently available, even if they are not online all the time. And even if both VPN parties have dynamic IP addresses, there is nothing to stand in the way of their communication with the bintec solution. The IP addresses are exchanged via Dynamic-DNS service providers in the Internet or intranet.
Save costs with data compression
To save costs, data compression was used on conventional ISDN lines in the past to increase data throughput considerably. And of course, the same applies to VPN connections. However, it is not possible to use such conventional data compression processes as VJHC, STAC or MPPC on IPSec packets. This would alter the packets so that the communications partner would identify this as a hacker attack and reject the incoming packets. The remedy to this problem is the IPCOMP process, which all the bintec VPN Access products support. IPCOMP does not increase the bandwidth of the connections; depending on the type of data, it reduces the data quantity by a factor of ten. And even if we assume a factor of only two, this would at least halve the costs for volume-based transmission rates.
ISDN Interface
Feature | Description
ISDN protocols | Euro-ISDN and other national ISDN protocols
Dialup and leased lines (BRI) | Leased lines supported: D64S, D64S2, TS02, D64S2Y
B-channel protocols | Excellent interoperability with other manufacturers (Raw HDLC, CISCO HDLC, X.75)
PPP, ML-PPP | (See Software)
Multi-CAPI | Optional: CAPI 2.0 with CAPI user concept (password requested for CAPI use) permits direct access to services such as fax and e-mail
Bit rate adaptation | V.110 (1,200 up to 38,400 bps), V.120 up to 57,600 kbps (HSCSD) for connection to GSM subscribers
Security
Feature | Description
NAT/PAT | Network & Port Address Translation / Stateful Packet Inspection: Isolation of complete network from public access
CLID and callback | Calling Line Identification (CLID), callback
Access lists | Filtering of IP packets according to different criteria (source, destination, port and interface)
Stateful Inspection Firewall | Filtering with monitoring and interpretation of the status of the individual connections
RADIUS | Central check of access authorization at a RADIUS server (PPP and Login Authentication)
TACACS+ | Support of TACACS, a security application that provides centralized validation of users
Authentication | PPP mechanisms (see Software)
H.323 proxy | Protection of the Intranet (e.g. by NAT)
Content filtering | 30 day evaluation licence
VLAN | Network nodes in different network segments behave like an arbitrary group connected to the same network segment
Encryption for PPP | MPPE up to 128 bit, other up to 168 bit
VPN - IPSec | Inclusive, with a max. of 25 simultaneous tunnels
VPN - IPSec | Powerful encryption up to 256 bits (DES, 3DES, CAST, Blowfish, Twofish, AES)
VPN - PPTP | With PPTP
VPN - PPTP | Strong encryption up to 128 bits (MPPE), up to 168 bits (DES/3DES, Blowfish)
DynDNS / DynVPN | Router can still be reached over the Internet in spite of dyn. IP address
IKE for IPSec | Pre-Shared Keys and X.509 certificate support
X.509 | X.509 v1/v3 certificates (PKCS#7/8/10, 12, CRLs, SCEP)
QoS for IPSec | Available
PKI Support for IPSec | Available
NAT Traversal for IPSec | Available
Dynamic IPSec (D/B channel) | Available, free-of-charge licence necessary
IPCOMP | IP Compression
IPSec / RADIUS | Available
IPSec Redesign | Policy manager and interface concept
L2TP | Layer 2 Tunneling Protocol for ATM, Ethernet, PPP; user authentication
Maintenance and Service
Feature | Description
ISDN logging | ISDN event & system logging: recording of all relevant connection data, e.g. intrusion attempts
SNMP | Complete management with MIB-II, Enterprise MIB, including SNMP management software for Windows (DIME Tools and Browser)
SSH login | Secure connections for terminal applications
Local / remote administration | Complete configuration and maintenance, local and remote, over Ethernet, ISDN Login or serial interface
Trace / debugging / monitoring | Traces for ISDN B-/D-channel, R-CAPI traces, Ethernet traces, reason for call break, ISDN signaling information
Email alert | Available
DHCP | Server and client for simplified configuration for TCP/IP
Setup Tool | Integrated, menu-based, intuitive setup program, standard for the whole Bintec product portfolio
HTML Setup Tool | HTML interface accessible through a JavaScript-enabled browser
HTML Wizard | Browser-based configuration assistant
H.323 gatekeeper | Communication control between gateway and H.323 terminals
XADMIN | Roll out tool for larger router installations (IP+ISDN)
Activity Monitor | Controls router activities from each LAN PC
Documentation | Complete toolset and documentation on CD
Guarantee | 2-year manufacturer's guarantee
Software Features
Feature | Description
TCP/IP routing | Routing information updating and distribution, static or dynamic (RIP v1/v2/triggered, RFC 2091), selectable for each interface, ProxyARP, BOOTP/DHCP forwarding
Extended IP routing | Dependent on source/destination port, source IP address, TOS ..., i.e. policy-based routing
OSPF | Static/dynamic updating and distribution of routing information
Bridging | Spanning Tree & Transparent Mode
QoS | Quality of Service with DiffServ and shaping: breakdown of IP data traffic into classes with different priorities, optimized queue handling and shaping as per these priorities
Download QoS | Optimal for VoIP transmission
BRRP | Bintec Router Redundancy Protocol, backs up a service offered by a single physical router to a LAN (Virtual Router)
IP load balancing | Bandwidth management
BoD | Bandwidth on Demand: Scalable bandwidth to suit data traffic load
AUX backup | Backup via GSM, GPRS or analogue modem
PPP | Authentication mechanisms (PAP, CHAP, MS-CHAP, MS-CHAP v2), standard PPP, channel bundling over Multilink PPP (ML-PPP), transparent mode, dynamic IP address assignment (server and client mode)
PPPoE | Point-to-Point Protocol over Ethernet (Client and Server) for high-speed Internet access over xDSL (RFC 2516)
Dyn. IP addresses | Simple Internet access without fixed IP addresses
Artem Access Point Discovery | Detection of configured and unconfigured Artem Access Points in the LAN
Operating systems | Support from DOS, Windows 3.x/95/98/NT/ME/2000/XP, UNIX, Macintosh and Novell
ISDN accounting | Call detail recording, number, charging information, ...
IP accounting | Source, destination, port, interface, packets/bytes counter
Event Scheduler | Budgets based on data volume or based on time
Short hold | Static and dynamic short hold saves connection costs through automatic call clearing
Keep Alive Monitoring | Saves costs by only allowing a connection to be set up if configurable IP addresses can be reached
MPPC | Software data compression also in combination with MPPE (Microsoft Point to Point Encryption), free-of-charge licence necessary
STAC | Compression for PPP connections, free-of-charge licence necessary
Cost of ownership | Minimum, e.g. full remote administration
Hardware Features
Feature | Description
RISC architecture | Motorola 8241 RISC processor with 32 MB RAM
Flash ROM | 8 MB on board
LAN / WAN | 3 x 10/100 Mbps Ethernet twisted pair, autosensing
ISDN | 1 x BRI, 2 B-channels
Console | Serial console port: RS 232 C, 8-pole Mini-DIN, 1,200 bps - 115 kbps
Power supply | External AC/DC converter 12 V DC, 1 A
On/off switch | Available
Status LEDs | Power, Status, Ethernet 1, Ethernet 2, Ethernet 3, ISDN-D, ISDN-B, HA, MA
Metal housing | Available
19-inch | Optional: suitable for mounting in 19-inch cabinet via a 19-inch rack-mount kit
Dimensions | Approx. 200 x 30 x 150 mm (W x H x D)
Weight | Approx. 900 g
Funkwerk Enterprise Communications GmbH - Suedwestpark 94 - 90449 Nuremberg - Germany
Phone: +49 - 180 300 9191 0 - Fax: +49 - 180 300 9193 0 - www.funkwerk-ec.com
VPN Access 25 01.09.2005 Subject to technical alterations