Nokia Internet Communications: Security Products
Jaroslaw.Prokop@nokia.com, Technical Consultant, NIC Eastern Europe

NIC focuses on secure TCP/IP networking
• Firewalls: Nokia Security Appliance Platform (IP-xxx)
• Intrusion Detection systems: Nokia Security Appliance Platform (IP-xxx)
• Anti-Virus scanning: Webshield (AV445)
• IPSec protection for IP traffic: Nokia VPN Gateway (CC-xxx)
• SSL protection for WWW traffic: Clustered SSL Accelerator (CA200/CA600)
Firewall and Intrusion Detection
Nokia Security Appliance (IP-xxx): a networking device optimized to run security applications
• Firewall: Nokia IP Appliance + CheckPoint Firewall-1 application
• Intrusion Detection sensor: Nokia IP Appliance + ISS RealSecure application

Nokia Appliances Explained
• Hardware: Intel based
  • scalable performance with different models
  • good range of PCI/CPCI interfaces
• Operating System: Nokia IPSO
  • derived from FreeBSD
  • hardened to run security applications
  • packaged with IP routing options
• Configuration: Nokia Voyager
  • IPSO configuration via browser
• Management: Nokia Horizon Manager
  • centralized software management tool for appliances
• Supported as a single product (includes applications)
Nokia Security Appliances positioning chart (axes: Price vs. Performance & Functionality, low to high): IP51 FW-1 SmallOffice (non-IPSO system, Small Office Systems segment), IP110, IP330, IP440, IP530, IP650, Future Platforms.
IPSO Appliances HW
• Nokia IP110: Remote Office FW-1 Appliance, 3 x 10/100
• Nokia IP330: Entry Level Modular Appliance, 3 x 10/100 plus 1 slot (WAN, Luna, Eth.)
• Nokia IP440: Highly Scalable Modular Appliance, 4 slots (4x10/100, WAN, Luna, ATM, HSSI)
• Nokia IP530: High Performance Appliance, 4 x 10/100 plus 3 slots (4xEth, GbE, ATM)
• Nokia IP650: Carrier-Class Hot-Swap Modules, 5 hot-swap CPCI slots
IP110 as an Internet Firewall (diagram): the IP110 sits between the external network (Internet via an external router over Frame Relay, leased line, ADSL, etc.), the internal network (secure) and a Demilitarized Zone (DMZ) hosting the WWW, e-mail and DNS servers.

IP330 as an Internet Firewall (diagram): the IP330 connects the Internet (Frame Relay, leased line), the internal network (secure) and a DMZ hosting the WWW, e-mail and DNS servers.

IP330 as an ISS RealSecure Network Sensor (diagram): the IP330 sensor sees traffic between the external network (Internet via an external router over Frame Relay, leased line, ADSL, etc.), the internal network (secure) and the DMZ (WWW, e-mail and DNS servers), and reports to a RealSecure Console.
IP650 Performance: see http://www.checkpoint.com/products/firewall-1/pbrief.html

High Availability Firewall for Data Centers (diagram): 2 x IP650 running FW-1, with IPSO VRRP presenting a single logical IP address and session table synchronization between the two nodes.
IP51 for Check Point FW-1 SmallOffice
• Ethernet to Ethernet firewall (4-port 10/100 Ethernet switch)
• Built-in DHCP server
• SNMP support
• Flash based (no moving parts)
• Non-IPSO system
• Configuration management: browser based configuration (HTTP), telnet, EasyStart
• Stateful inspection from CheckPoint
• Security policy managed from GUI client
• Common management server with non-SmallOffice systems

IP51 Application: Small Office/Remote Office (diagram): the IP51 separates the external (insecure) network (Internet via a router that may be owned, leased or outsourced, over Frame Relay, leased line, ADSL, etc.) from internal network segments 1, 2 and 3 (segment 3 holding the file server and print server).
Anti-Virus Network Solution
AV445: a modified IP440 optimized to run anti-virus software (more memory, faster disk storage)
• Webshield: Nokia AV445 + McAfee scanning engine
• Scanned protocols: SMTP, HTTP, FTP
IPSec protection for IP traffic: Nokia VPN Solution
• Nokia VPN Gateways
  • multiple gateway devices make up a cluster
  • the cluster acts as a logical VPN gateway
  • four different models available
• Nokia VPN Client
  • installed on user machines (Win95, NT, 2000)
  • connects with the VPN Gateway (Nokia or other IPSec devices)
• VPN Policy Manager
  • streamlines policy management
  • simplifies client & gateway administration

Site-to-Site VPN with IPSec tunnels (diagram): sites linked by IPSec tunnels across the Internet/Intranet.

Client-to-Site VPN: PC to Gateway IPSec tunnel (diagram): PCs running the Nokia VPN Client (CryptoClient) tunnel across the Internet/Intranet to the gateway; one endpoint is labelled with a public IP address.
Market Leading Performance
Under normal mixed-packet-size Ethernet conditions (IPSec ESP (3DES/SHA-1), bi-directional):

Model    Single node   Multicast mode (2-node cluster)
CC500    5 Mbps        10 Mbps
CC2500   52 Mbps       87 Mbps
CC5200   180 Mbps      180 Mbps (note: the line speed is the bottleneck)
CC5205   220 Mbps      440 Mbps
Nokia VPN CC5205 Gateway
• 800MHz Intel PIII (256KB Cache)
• 512MB RAM
• 2 x PC-Card Flash (8MB Flash Card Standard)
• 2 x Hi/fn 7811 Cryptographic co-processors
• 1 x Hi/fn 6500 Public key co-processor
• 2 x 1000Base-SX Gigabit network interfaces
• 1 x Console port
• 3 Rack units high (5 in (H) x 19 in (rack W) x 17 in (body W) x 16.5 in (D), 17 lbs)
• 440 Mbps under normal mixed-packet-size Ethernet conditions (2 nodes)
• Terminates in excess of 30,000 simultaneous tunnels
• Supports over 1000 users

Nokia VPN CC5200 Gateway
• 800MHz Intel PIII (256KB Cache)
• 512MB RAM
• 2 x PC-Card Flash (8MB Flash Card Standard)
• 2 x Hi/fn 7811 Cryptographic co-processors
• 1 x Hi/fn 6500 Public key co-processor
• 2 x 10/100Base-T network interfaces
• 1 x Console port
• 2 Rack units high (3.5 in (H) x 19 in (rack W) x 17 in (body W) x 16.5 in (D), 17 lbs)
• 180 Mbps under normal mixed-packet-size Ethernet conditions (2 nodes)
• Terminates in excess of 30,000 simultaneous tunnels
• Supports over 1000 users
Nokia VPN CC2500 Gateway
• 236MHz StrongArm processor
• 64MB RAM
• 2 x PC-Card Flash (8MB Flash Card Standard)
• 1 x Hi/fn 7751 Cryptographic co-processor
• 1 x Hi/fn 6500 Public key co-processor
• 2 x 10/100Base-T network interfaces
• 1 x Console port
• 1 Rack unit high (1.75 in (H) x 19 in (rack W) x 12.4 in (D), 10 lbs)
• 87 Mbps under normal mixed-packet-size Ethernet conditions (2 nodes)
• Terminates in excess of 1,000 simultaneous tunnels
• Supports 100 to 1000 users

Nokia VPN CC500 Gateway
• 236MHz StrongArm processor
• 16MB RAM
• 8MB Integrated Flash
• 2 x 10/100Base-T network interfaces
• 1 x Console port
• 1 Rack unit high (with rack mount supports attached)
• 1.13 in (H) x 8.50 in (W) x 5.75 in (D), 1.5 lbs
• 5 Mbps under normal mixed-packet-size Ethernet conditions (1 node)
• 10 Mbps under normal mixed-packet-size Ethernet conditions (2 nodes)
• Terminates in excess of 100 simultaneous tunnels
• Supports 1 to 100 users
Nokia VPN Features
• Nokia VPN Gateway
  • clustered NAPT for translating private IP addresses
  • clustered routing
  • SNMP MIBs and traps for collecting data
  • internal CA for issuing certificates
• VPN Client
  • legacy user authentication for remote users (CRACK)
  • IP address pools for remote users
  • high performance (> 10 Mbps IPSec traffic)
  • IPSec, PPTP, L2TP
• VPN Policy Manager
  • policy deployment for complex topologies (automatic filter setup)
  • VPN scheduler for scheduling policy updates
  • performance monitor

Advantages of Nokia VPN Solution
• Patented IP Clustering Technology
  • Active Session Failover™
  • dynamic load balancing
  • non-stop availability (upgrades with zero downtime)
• Market Leading Performance
  • excellent encryption speeds
• Return on Investment
  • complete package for one low price: encryption gateway, PC client software, management software
• Global Support
PRICE OF SECURITY
SSL protection for Web browsing: the Problem
SSL encryption can devastate Web server performance. Connections per second at 100 percent CPU utilization:

Server                              HTTP   Secure HTTP (SSL)
Pentium running Linux and Apache    322    2.4
Sun 450 running Linux and Apache    501    3

Source: Networkshop, 1999
(Diagram: Internet, load balancer, server farm.)

The Solution: Nokia Clustered SSL Accelerator
• Hardened, purpose-built O/S for optimal performance
• Patented IP Clustering for ultimate availability
• Integral load balancing for optimized performance
• High performance, high scalability
• Network-transparent
(Diagram: Internet, SSL accelerator, load balancer, server farm.)

CA 200, CA 600 – How does it work? (diagram): the browser connects over the Internet to https://serwer.nokia.com; a tri-cluster of CA200 accelerators terminates the SSL session and passes the request on as plain http://serwer.nokia.com through the load balancer to the server farm.
Nokia Clustered SSL Accelerators: Nokia CA200 Duo-Cluster and Tri-Cluster
• 200 transactions per second per node
• 16000 concurrent sessions per node
• 500 milliseconds failover of all active SSL sessions

Nokia Clustered SSL Accelerators: Nokia CA600 Duo-Cluster
• 600 transactions per second per node
• 16000 concurrent sessions per node
• 500 milliseconds failover of all active SSL sessions

Thank you!
Nokia Internet Communications Eastern Europe
Technical issues: Jaroslaw.Prokop@nokia.com
Business issues: Pawel.Marciniak@nokia.com