1. Contivity Competitive Playbook: The Cisco Menace
2. Discussion Topics
Cisco deficiencies… Why Nortel’s Contivity is the market leader
Cisco FUD… how to counter Cisco FUD with reality
Why Contivity products are ideal for
  The Enterprise
  The Service Provider
Where we stand… relative strengths and opportunities for Contivity
Appendix
3. Legend
When referring to the terms Altiga, Compatible and VPN Routers, we typically mean:
  Cisco Altiga = VPN 30XX
  Cisco Compatible = VPN 50XX
  Cisco VPN Routers = VPN 7120 & 7140
4. Cisco Deficiencies: A Summary
Why Nortel’s Contivity is the market leader…
5. Deficiencies in Cisco’s “VPN solutions”
Lack of clear product positioning and purpose
  Multiple model numbers
  Confusing approach to customer needs
  Absurd claim that 17 disparate products are “VPN-optimized”!!!
Cisco Secure VPN IRE and Altiga clients do not support Windows 2000
  Compatible does
  Once again: disjointed strategy!
No low-end hardware available until early 2001 (to be called the 3002 – another model to keep track of!…)
6. Deficiencies in Cisco’s “VPN solutions”
No ICSA certification for Altiga
  No proven pair-wise interoperability
  Being last to the party means a lot of work
  Can they even prove IOS-to-Altiga interoperability???
No FIPS certification
  Limits government business
  Related to Altiga’s dubious security environment???
Certificate story is a mess!
  Implementation nightmare, Internet Explorer version xx only??? (is that a strategy?)
  No auto-enrollment strategy!
  No management features!
7. Deficiencies in Cisco’s “VPN solutions”
If Cisco plans on introducing a compression feature, then its existing $12,000 encryption card will not support compression!
Cisco would have the customer believe that developing a software-based compression feature is a time-intensive effort, and hence it is not being developed…
Weak processor – how is Altiga ever going to incorporate additional required features?
  DiffServ
  Bandwidth management
  Multicast…
8. Deficiencies in Cisco’s “VPN solutions”
Altiga is deficient in accounting capabilities
  No internal accounting support
  Requires purchase of separate servers and software to support RADIUS accounting
Lack of integrated firewall
  Cisco’s stand-alone firewall necessitates another piece of hardware!
  Buy their router (VPN optimized), then buy their firewall, then…
9. Deficiencies in Cisco’s “VPN solutions”
Insufficient database support for AAA in Altiga
  Depends primarily upon external databases
  Internal database limited to just 100 profiles
  Imagine how limiting this is for 10,000 users!!
  Lacks a common, popular format such as LDAP
10. Cisco FUD
How to counter Cisco FUD with reality…
11. Client strategy
Cisco says, “We have a complete and comprehensive client strategy”
Reality: Cisco requires three different product platforms to provide the same client support that Contivity provides through just one platform! They’ll tell you that they’ll merge – without details! Easier said than done…
12. UDP wrapper strategy
Cisco says, “We have implemented a UDP wrapper while Contivity hasn’t…”
Reality: Contivity is correct!
  Older versions of NAT are not IPsec aware
  However, most new products support IPsec-aware NAT
  The problem is much less severe than Cisco contends
  Could be an issue for some hotel LANs or corporate LAN environments
  Nortel is working with Microsoft and others on an INDUSTRY solution, not a proprietary competitive cudgel
13. Firewall strategy
Cisco says, “We’ve got a firewall…”
Reality:
  Cisco’s PIX firewall
    Requires yet another box!
    PIX has a weak VPN story
  Contivity
    Common stateful inspection across both NN Shasta and Contivity per NN IP VPN strategy
    Consistent management
      Java applet
      Preside (H1, 2000)
14. Scalability strategy
Cisco says, “Contivity’s Intel-based architecture doesn’t allow scaling of Contivity from one model to the next…”
Reality: This is a non-issue and a half-truth!
  Contivity price/performance ratio continues going down – e.g., the current 2600’s evolution
    Contivity 2000 – 180 MHz Pentium; 200 tunnels
    Contivity 2500 – 333 MHz Pentium; 400 tunnels
    Contivity 2600 – 733 MHz Pentium; 1000 tunnels
  Provides easier and tighter integration of 3rd-party code for value-added features
  Intel architecture is well established and open!
15. Scalability strategy
Reality: This is a non-issue and a half-truth!
  Only Altiga allows limited “scaling”
    3030 -> 3060, 3060 -> 3080, 3030 -> 3080
    Does not apply to 3015 -> 30xx
    Does not apply to other Cisco VPN products
  Benefits of “scaling” are dubious
    Performance degrades dramatically
    When going from 3060 -> 3080:
      # of Altiga SEPs (encryption cards) remains the same
      Hardware processing power remains the same
16. Enterprise positioning
Cisco says, “We have the true enterprise security solution – the customer already has our routers, so the customer doesn’t need a whole new VPN device…”
Reality: VPN devices are optimized to provide security…
  They’re not (primarily) routers
  They’re not (primarily) firewalls
  They are primarily VPN security devices
  Small enterprises/businesses can use Contivity’s routing capability instead of buying a whole router
  The integrated firewall provides stateful inspection and minimizes interoperability issues
17. Enterprise positioning
Bottom line:
  Cisco’s IOS (in general) is not enough for VPNs
    That’s why it acquired Altiga
    Altiga was a start-up being financed at the 3rd round – in danger of folding because…
    … there wasn’t much in Altiga’s VPN story
  Altiga is still Altiga!
    No installed base
    No large carrier
    No large enterprise/Fortune 500
    Lacks basic VPN functionality
18. Why Contivity products are ideal…
19. Contivity as the ideal VPN solution for the Enterprise
Offers scalable solutions – various models based upon customer needs
  # of tunnels
  Memory (base and expansion)
  WAN connectivity
Enables e-business with ease
  Set up tunnels
    Branch-to-branch
    Small branch-to-head end
    Vendor-to-head end
  Redundancy and fail-over capability
20. Contivity as the ideal VPN solution for the Enterprise
Permits tremendous savings in remote access
  Performance keeps improving (lower cost per tunnel)
  Superior, secure remote access with convenient client interface: easy to use, easy to administer, flexible client options (Windows – including Win2K, Linux, Mac, OS/2)
  Partnership with vendors to offer additional features, e.g., Network ICE offers intrusion protection
  Models exist without remote access
The Contivity contains multiple functions which are useful to enterprises of various sizes
  Router/internet access
  Integrated firewall
  VPN security
21. Contivity as the ideal VPN solution for the Service Provider
Provides a flexible, easy-to-manage solution
  Management interface
    Joint development (management & provisioning) with carrier community
    Easy-to-use, web GUI based
    Remote management control tunnels
    Powerful management systems (Optivity and Preside) to manage cross-platform and/or cross-divisional, cross-enterprise VPNs
  Easily provisioned VPN
    Bulk loading
    CLI available
Industry-leading remote-access solution
  Robust client (works with all kinds of laptops, desktops, clones, etc.)
  50 million installed base
  High availability/low downtime
  Use different models based upon different end-user needs
22. Where we stand…
Relative strengths & opportunities for Contivity
23. Client capabilities
Cisco:
  Over-abundance of clients for its VPN solution
    VPN 1.1 IOS/PIX Client (IRE)
    VPN 3000 Client (Altiga)
    VPN 5000 Client (Compatible)
  Artificial options – Cisco still wants the customer to use IOS
Contivity:
  Compare Cisco’s over-abundance with Contivity’s tight focus on its industry-leading Extranet Client – supported on multiple operating system platforms
  Supports IRE as well
24. Comprehensive product offering
Contivity:
  Nortel’s Contivity provides a tightly integrated set of products
    4 models
    Provide coverage of the entire spectrum of applications
      Remote access
      Branch-to-branch
      Small branch-to-head end
    Integrated firewall capability
  Contivity view: VPNs are LANs extending outward (not WANs extending inward – Cisco)
25. Comprehensive product offering
Cisco:
  Cisco’s offering is comprehensive alright!…
    17!!! products claiming to provide “VPN” functionality
    “Optimized VPN” functionality – if it smells like a router, walks like a router, then it must be a router!
  Cisco will continue to push IOS
26. File storage
Cisco:
  No hard drive – no features!
Contivity:
  Uses a hard disk drive
    Provides more memory/larger storage space
    Allows easy portability of files
    Minimizes problems with copying configurations from one device to another
    Scalable: hot-swappable
    Backup for multiple configs to images
    Minimum 60-day logging
27. Carrier positioning
Cisco:
  True carrier positioning unclear
    Could be 7100
    Could be Compatible
  Likely scenario to include a kludgy solution at the Enterprise end:
    Where does PIX fit?
    Where does 7100 fit?
    Where does Altiga fit?
  No centralized management system
Contivity:
  Carrier-class product
    Scales easily for multiple sites
    Centrally managed environment
  Ease of use makes it ideal for enterprises – scales easily for # of users
  Secure management via control tunnels
28. Remote access strategy
Cisco:
  Internal database limited to only 100 profiles
  Depends primarily upon external databases for Authentication, Authorization and Accounting (AAA)
  Lack of a common format such as LDAP limits ability to import/export user and group profiles from/to external databases
Contivity:
  Supports two common formats internally
    LDAP for user and group profiles – scalable, i.e., one group/policy if required
    RADIUS for accounting (internal or external)
  Standards-based directory structure allows Contivity to support tens of thousands of LDAP user and group profiles
  Product line scalable to tens of thousands of users
29. 3rd-party certification
Cisco:
  Not ICSA certified
    No certification of cryptographic integrity
    No certification of interoperability
  Not FIPS certified
Contivity:
  ICSA certified for over the last year
    Passed pair-wise interoperability testing
  FIPS 140-1 Level 2 certified
30. Performance issues
Cisco:
  Offers no compression
    Tunnel protocols cause packet inflation
    Compression is a must, especially for modem-connected remote access users
    Minimize packet fragmentation
  Hardware acceleration a must for even normal operation!
    What about AES?…
    Locking into SEP hardware doesn’t help in adopting newer encryption standards!
Contivity:
  Offers superior hardware & software encryption & compression through HiFn 7751
    Compression enables tremendous relief on network resources with a large # of sessions – enhances remote access throughput capability
  Contivity provides carrier-class performance even without a hardware accelerator
  PCI accelerator design allows faster time to market for new crypto silicon
    7751 -> 7811 -> 7851
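Added worked example, not from the Nortel deck: it quantifies the “packet inflation” the slide refers to by computing ESP tunnel-mode overhead per packet, whether the encapsulated packet fragments on the link, and the largest inner packet that avoids fragmentation. 3DES-CBC with HMAC-SHA1-96, IPv4 and a 1500-byte link MTU are assumptions, not figures from the deck.

```python
# Added example, not from the Nortel deck: how much an IPsec ESP tunnel
# inflates each packet and when that inflation forces IP fragmentation.
# Assumptions (not page facts): 3DES-CBC (8-byte block and IV) with
# HMAC-SHA1-96 (12-byte ICV), IPv4, and a 1500-byte link MTU.

OUTER_IPV4 = 20   # new outer IP header that tunnel mode prepends
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12):
    """Return (encapsulated size, padding bytes) for an inner IP packet of
    inner_len bytes carried in ESP tunnel mode."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % block  # pad so the plaintext is a whole number of blocks
    return OUTER_IPV4 + ESP_HDR + iv + body + pad + icv, pad


def inflation_percent(inner_len, **kw):
    """Overhead as a percentage of the inner packet: the per-packet cost that
    link compression (IPComp/LZS on the HiFn chips the deck names) has to win back."""
    size, _ = esp_tunnel_size(inner_len, **kw)
    return round((size - inner_len) * 100.0 / inner_len, 1)


def fragments_needed(inner_len, link_mtu=1500, **kw):
    """Number of IP fragments the encapsulated packet needs on the link.
    Fragment data must be a multiple of 8 bytes after the 20-byte IP header."""
    size, _ = esp_tunnel_size(inner_len, **kw)
    if size <= link_mtu:
        return 1
    per_frag = (link_mtu - OUTER_IPV4) // 8 * 8  # data bytes per fragment
    data = size - OUTER_IPV4
    return -(-data // per_frag)  # ceiling division


def max_unfragmented_inner(link_mtu=1500, **kw):
    """Largest inner packet that still fits one link frame: the tunnel MTU a
    gateway can advertise (or clamp TCP MSS against) to avoid fragmentation."""
    n = link_mtu
    while esp_tunnel_size(n, **kw)[0] > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for n in (40, 576, 1500):  # TCP ACK, classic dial-up MTU, Ethernet MTU
        size, pad = esp_tunnel_size(n)
        print(f"inner {n:4d} -> on the wire {size:4d} (+{inflation_percent(n)}%),"
              f" fragments on 1500 MTU: {fragments_needed(n)}")
    print("largest unfragmented inner packet:", max_unfragmented_inner())
```

The small-packet case is the one that matters for modem users: a 40-byte TCP ACK more than doubles in size, which is where compression and MSS clamping earn their keep.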
31. Security features – backdoors?
Cisco:
  Backdoors galore! If the password is lost, or to gain unauthorized access:
    Reboot the 1720 router
    Press ESC
    Run the ROM program
    Enter a new password
    Re-write the security configuration
  OR
    Simply remove the battery! – passwords get reset to factory settings
Contivity:
  Unauthorized users can’t use backdoors
    If a password is forgotten, the Contivity must be sent back to the factory
    No back door
  The Contivity is a SECURITY device
32. Security features – PKI
Cisco:
  Altiga support limited to IE browser-based APIs for certificate management
    Merely import digital certificates to web browser
    Only IE 4.0 and 5.0 supported
    No Netscape support
  No features
Contivity:
  Integration of PKI function using vendor DLL
    Entrust
    Verisign
  Auto-enrollment
  Auto-renewal
  CRL processing
33. Security features – split tunneling
Cisco:
  Unsecured split tunneling
    No client-side policies
    Susceptible to attacks
Contivity:
  Provides client-side policy software
    Secured split tunneling possible
  Integrated personal firewall, intrusion protection system, etc. provide additional PC security
34. Security features – firewall
Cisco:
  Standalone PIX firewall – not integrated with VPN capability
Contivity:
  Integrated software firewall – ensures tight functioning with VPN switch
    Packet filtering
    Stateful inspection
35. VPN management capability
Cisco:
  Java-based GUI only
  Pseudo CLI
    Menu-driven telnet session
    No real command-line functionality
  No provision for service-provider bulk configuration
  (Lack of) management options
    Cisco – IOS/CLI
    Altiga – Java/web
    Compatible – ???
Contivity:
  Elegant GUI built into the Contivity server
    Entire enterprise control from any workstation
      Configure
      Manage
      Monitor
  Management options:
    Preside
    Bulk config
    CLI
    Optivity
    Carrier and Enterprise options
36. Internal accounting
Cisco:
  Altiga does not support internal accounting
    Separate servers and software must be purchased to support RADIUS accounting
Contivity:
  Contivity supports internal (along with external) RADIUS accounting
37. Appendix
38. Summary - Comparison of features