Source: seguridad10.com/descargas/clavister.so.pdf (2005-09-23)
Security with your business in mind
Clavister Security OS™
Introduction
Secure and effective information flows have become a strategic resource for all organizations as they face increased market competition, restricted budgets and new business opportunities. With several years of experience delivering core components and systems to leading organizations in the telecom industry and the public sector, we know for a fact that secure communication is a top business enabler.
Clavister Security OS™ is the highly optimized system that empowers our products with end-to-end security technology and value-adding functionality such as secure VPN, User Authentication, Traffic Shaping, Advanced Routing, Virtual Systems, High Availability Clustering and Centralized Management.
With the multi-layered security and connectivity features that Clavister Security OS™ provides, we can empower your business with a secure communication platform that delivers unparalleled performance at the lowest TCO possible.
Product Overview
Clavister Security OS™ is a proprietary real-time network operating
system optimized for security, performance and flexible connectivity.
Clavister Security OS™ consists of a compact firmware of some hundred kilobytes in size, which constitutes the entire software needed for the operation of your complete Security Gateway system. This means that inherited security vulnerabilities from an underlying operating system are completely avoided, and that Clavister Security OS™, due to its compact size and optimization, is one of the most resilient products on the market.
The Clavister Security OS™ technology is based primarily on Stateful
Inspection, the de-facto standard for firewalls today. To achieve the
highest protection and flexibility possible, Clavister Security OS™
also integrates features such as:
• Multi-layered security mechanisms
• Deep Inspection with IDS & IPS
• Virtual Private Network
• Advanced static and dynamic routing
• DHCP services
• User Authentication
• Virtual systems
• High Availability clustering
• Centralized Operations and Maintenance System
Security Mechanisms
Every component in Clavister Security OS™ has been designed with security as the primary concern. That is why all features are tightly integrated into the core functionality and share the same conservative approach to security.
The security mechanisms that pervade the entire system are built on a performance-optimized Stateful Packet Inspection engine that, at wire speed, performs in-depth consistency checking of every packet flowing through the device.
Because security is integrated into every single component of the system, Clavister Security OS™ provides supreme protection against, for instance, Denial of Service and Distributed Denial of Service attacks.
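As an added illustration of the per-packet consistency checking described here (this is not Clavister's code; the firmware's real implementation is not shown on this page), the following Python parses a raw IPv4/TCP header and reports which of the checks named in the specification table (Checksum Control, TTL Control, Layer Size Consistency, Illegal Fragments, TCP Reserved Field, TCP NULL Packets, TCP Flag combinations) the packet fails. The packets it examines are constructed inline, and the choice of which flag combinations count as illegal is an assumption made for this example.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones-complement checksum; 0 for a header whose checksum field is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def consistency_checks(pkt: bytes) -> list:
    """Return the datasheet names of the checks this IPv4 datagram fails.
    pkt is assumed to be exactly one IP datagram (no link-layer padding)."""
    failures = []
    if len(pkt) < 20:
        return ["Layer Size Consistency"]
    ver_ihl, _, total_len, _, frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len != len(pkt):
        return ["Layer Size Consistency"]          # nothing else can be trusted
    if ip_checksum(pkt[:ihl]) != 0:
        failures.append("Checksum Control")
    if ttl == 0:
        failures.append("TTL Control")
    offset, more = (frag & 0x1FFF) * 8, bool(frag & 0x2000)
    payload_len = total_len - ihl
    if offset + payload_len > 65535 or (more and payload_len % 8):
        failures.append("Illegal Fragments")
    if proto == 6 and offset == 0:                 # TCP header lives in the first fragment
        if payload_len < 20:
            return failures + ["Layer Size Consistency"]
        doff_flags = struct.unpack("!H", pkt[ihl + 12:ihl + 14])[0]
        if (doff_flags >> 12) * 4 > payload_len:   # data offset points past the packet
            failures.append("Layer Size Consistency")
        if (doff_flags >> 9) & 0x7:                # reserved bits after the data offset
            failures.append("TCP Reserved Field")
        f = doff_flags & 0x3F                      # FIN SYN RST PSH ACK URG
        if f == 0:
            failures.append("TCP NULL Packets")
        elif ((f & SYN and f & (FIN | RST)) or (f & FIN and f & RST)
              or (f & (FIN | PSH | URG) and not f & ACK)):
            failures.append("TCP Flag combinations")   # illegal set, assumed here
    return failures


def build_tcp(flags: int, reserved: int = 0, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4/TCP packet (no payload) for the demonstration."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0,
                      (5 << 12) | (reserved << 9) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in [("SYN", build_tcp(SYN)), ("NULL", build_tcp(0)),
                      ("SYN+FIN", build_tcp(SYN | FIN))]:
        print(name, consistency_checks(pkt) or "ok")
```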
Multi-layered security
To protect against the increasing number of sophisticated application-layer attacks, Clavister Security OS™ utilizes multiple security mechanisms that work on different network layers, including advanced Application Layer Gateways (ALGs) and state-of-the-art Intrusion Prevention functionality.
The combination of a highly conservative approach to security, performance and high-availability options ensures that Clavister Security OS™ delivers a “worry-free” environment for your business.
Virtual Private Networks
Designed for the unique requirements of telecom operators, the public sector and large enterprises, Clavister Security OS™ provides an end-to-end IPSec, L2TP, PPTP, GRE and GTP VPN security solution that is easy to integrate into an existing network infrastructure, and features impressive gigabit performance combined with the latest IPSec IKEv2 authentication, PKI key management and high availability clustering capabilities.
Telco-grade security solution
Clavister Security OS™ is the first telco-grade network security solution on the market specifically designed for the requirements of 3G infrastructure, Generic Access Networks, WLAN roaming solutions and VoIP networks. Clavister Security OS™ enables telecom operators to leverage emerging technologies such as Generic Access Networks and to easily integrate advanced security features into their network infrastructure – faster, cheaper and more secure than any other solution.
Comprehensive protection
Clavister Security OS™ addresses all requirements for secure
connectivity including ASIC encryption acceleration and high
scalability, integration into existing AAA infrastructure, support for
IKEv2 and EAP authentication, NAT-T, attack prevention, and the
need for efficient management capabilities.
[Figure: deployment diagram with the labels Finance, Sales, Research & Development, DMZ, Sales office, LAN, DMZ, LAN, Engineering office and Internet]
Features
• Carrier-grade network security solution
• Gigabit VPN performance
• Applicability in 3G core networks
• Seamless network integration and proven interoperability
Advanced Routing Capabilities
Routing is an important factor for efficient network integration, and Clavister Security OS™ addresses the need for effortless network integration by incorporating a wide range of routing mechanisms: static, policy-based, OSPF, source-based and multicast routing.
With the extensive routing capabilities provided, including policy-based routing and OSPF, organizations are not only able to easily integrate Clavister security devices into the network flow but also to extend their business opportunities and increase security by being able to:
• Connect to two or more ISPs without using BGP, and
accepting inbound connections from all of them. Return
traffic is routed back out through the ISP that delivered
the incoming request.
• Route certain protocols through transparent proxies such
as web caches and anti-virus scanners, without adding
another point of failure for the network as a whole.
• Create provider-independent metropolitan area networks,
i.e. one where all users share a common active backbone,
but can use different ISPs, subscribe to different
streaming media providers, etc.
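The first bullet above, a stateful gateway that answers inbound connections through the ISP that delivered them and falls back on metric-based failover when the link monitor marks an ISP dead, modelled in Python. This is an added example, not Clavister's implementation; the interface names, routes and documentation-range addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int = 0            # lower wins among equal-length prefixes (failover order)


@dataclass
class Gateway:
    """Stateful gateway with a route table, a link monitor and a connection table.
    Replies to connections that arrived through an ISP go back out the same ISP
    regardless of the route table; new outbound flows use the best live route."""
    routes: list
    link_up: dict = field(default_factory=dict)
    conns: dict = field(default_factory=dict)   # 5-tuple -> ingress interface

    def __post_init__(self):
        for r in self.routes:
            self.link_up.setdefault(r.iface, True)

    def link_monitor(self, iface: str, up: bool) -> None:
        """Hook for the link/ARP monitor: a dead link removes its routes from lookup."""
        self.link_up[iface] = up

    def lookup(self, dst: str):
        """Longest prefix match over live routes; metric decides between equal prefixes."""
        addr = ipaddress.ip_address(dst)
        live = [r for r in self.routes if self.link_up[r.iface] and addr in r.prefix]
        if not live:
            return None
        return min(live, key=lambda r: (-r.prefix.prefixlen, r.metric)).iface

    def inbound(self, iface, proto, src, sport, dst, dport) -> None:
        """Record the interface a new inbound connection arrived on."""
        self.conns[(proto, src, sport, dst, dport)] = iface

    def egress(self, proto, src, sport, dst, dport):
        """Egress interface: the pinned ingress ISP for a reply, else a route lookup."""
        pinned = self.conns.get((proto, dst, dport, src, sport))   # reversed 5-tuple
        if pinned and self.link_up.get(pinned):
            return pinned
        return self.lookup(dst)


def demo():
    """Two ISPs, no BGP: a connection that came in via isp2 is answered via isp2,
    fresh outbound flows prefer isp1, and isp2 takes over when isp1 goes down."""
    gw = Gateway([
        Route(ipaddress.ip_network("192.0.2.0/24"), "lan"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "isp1", metric=10),
        Route(ipaddress.ip_network("0.0.0.0/0"), "isp2", metric=20),
    ])
    client, server = "203.0.113.5", "192.0.2.10"            # constructed addresses
    gw.inbound("isp2", "tcp", client, 51000, server, 443)
    reply_if = gw.egress("tcp", server, 443, client, 51000)      # reply to the client
    new_if = gw.egress("tcp", server, 40000, "198.51.100.7", 80)  # fresh outbound flow
    gw.link_monitor("isp1", False)                                # primary ISP dies
    failover_if = gw.egress("tcp", server, 40001, "198.51.100.7", 80)
    return reply_if, new_if, failover_if
```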
User Authentication
Clavister Security OS™ supports user authentication, making it possible to grant or reject access to specific users from specific IP addresses, based on their user credentials. This feature is compliant with the RADIUS authentication protocol, the de-facto standard for user authentication.
HTTP, HTTPS and XAuth are all supported as authentication agents, and multiple authentication servers can be defined for different combinations of interfaces and networks. When HTTP or HTTPS is used for authentication, fully customizable login and logout web pages can be defined in the firewall.
Furthermore, user authentication in the Clavister Security Gateway is fully compliant with Microsoft® Internet Authentication Service™, which makes it possible to use, for instance, Microsoft® Active Directory™ as the user database.
Mobile Network Ready
For optimal integration into mobile networks such as 3G core networks and Generic Access Networks, Clavister Security OS™ provides secure and reliable EAP/SIM and EAP/AKA authentication capabilities that enable authentication based on SIM card data.
Traffic Management
Thanks to the versatile traffic management features included in
Clavister Security OS™, the Clavister Security devices are the perfect
solutions for lowering the cost of bandwidth and making sure that
business-critical traffic flows without disruptions.
In more complex solutions too, where detailed control of the traffic is required, the traffic management functionality in your Clavister product is superior in guaranteeing Quality of Service.
Clavister's traffic management tool, unlike many other models, is closely integrated with the core functionality. Hence bandwidth can be limited, guaranteed and prioritized with the granularity of a single security policy. All traffic that can be filtered by the system can thus be bandwidth managed, including VPN connections and virtual LANs. Bandwidth control is performed using up to 64 independent weighted queues or “pipes”, where each pipe has eight different levels of priority with individual limits on bandwidth and packets per second.
Pipes may further be subdivided in order to track individual flows. Traffic flow grouping may be done according to IP addresses, networks and ports. Consequently, a network administrator can make sure that no single user can consume all available bandwidth, or that a server farm is not overloaded by a few visitors using high-speed Internet connections.
Furthermore, the traffic management feature in Clavister Security
OS™ supports dynamic balancing of bandwidth limits between
groups. This works by automatically adjusting the group limits with
respect to bandwidth allocation and the current number of groups.
By using this feature, available bandwidth can be fairly distributed
among all users in a network.
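The pipe model described above (a per-pipe bandwidth and packets-per-second budget, eight priority levels, grouping by IP and dynamic balancing of the group limits) as an added Python simulation. It is not Clavister's code; the one-tick budget, packet sizes and group names are constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

PRIORITY_LEVELS = 8          # eight priority levels per pipe, as in the datasheet


@dataclass
class Packet:
    group: str               # grouping key: an IP address, network or port
    prio: int                # 0 = lowest ... 7 = highest
    size: int                # bytes


@dataclass
class Pipe:
    """One weighted queue ('pipe'): a per-tick byte budget, a per-tick packet
    budget, optional per-priority byte limits and dynamic per-group balancing."""
    limit: int                                       # bytes per tick, whole pipe
    max_packets: int = 10**9                         # packets per tick (pps limit)
    prio_limits: dict = field(default_factory=dict)  # prio -> bytes per tick
    balance_groups: bool = True

    def schedule(self, queue):
        """Return (forwarded, delayed) for one tick. Higher priorities are served
        first and FIFO within a level; with balancing on, the pipe budget is split
        equally between the groups that currently have traffic queued."""
        groups = {p.group for p in queue}
        group_cap = self.limit // len(groups) if (self.balance_groups and groups) else self.limit
        used_total, used_pkts = 0, 0
        used_prio, used_group = defaultdict(int), defaultdict(int)
        forwarded, delayed = [], []
        for prio in range(PRIORITY_LEVELS - 1, -1, -1):
            for p in (q for q in queue if q.prio == prio):
                fits = (used_pkts < self.max_packets
                        and used_total + p.size <= self.limit
                        and used_prio[prio] + p.size <= self.prio_limits.get(prio, self.limit)
                        and used_group[p.group] + p.size <= group_cap)
                if fits:
                    used_total += p.size
                    used_pkts += 1
                    used_prio[prio] += p.size
                    used_group[p.group] += p.size
                    forwarded.append(p)
                else:
                    delayed.append(p)        # held for a later tick
        return forwarded, delayed


def demo(balance_groups: bool = True):
    """Host A floods three 400-byte packets; host B sends one bulk and one
    high-priority packet. Returns the (group, prio) pairs forwarded in a
    1000-byte tick: with balancing B still gets through, without it A wins."""
    queue = [Packet("A", 0, 400), Packet("A", 0, 400), Packet("A", 0, 400),
             Packet("B", 0, 300), Packet("B", 7, 200)]
    forwarded, _ = Pipe(limit=1000, balance_groups=balance_groups).schedule(queue)
    return [(p.group, p.prio) for p in forwarded]
```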
Virtual Systems
Virtualization technologies such as 802.1Q VLAN tagging, Virtual Routers and Virtual Systems are highly useful in service provider and large enterprise deployments, where complex networks often become a nightmare to manage. With the virtualization capabilities of Clavister Security OS™, IT security managers have the tools for administering even the most advanced network structure with minimum effort.
Virtual Systems allow partitioning a device into multiple virtual security domains, including routers, VPNs, security policies and IP-address assignments.
Virtual Routing enables, for instance, routing of overlapping IP ranges, convenient segmentation of security policies and seamless transport of datagrams between various interface types. Naturally, each Virtual Router can also maintain its own dynamic routing process.
These powerful features for managing complex scenarios and/or several customers in one device open up a brand new business opportunity for cost-efficient managed security solutions with an unsurpassed ROI.
High Availability
The “secure-from-the-ground-up” design principles of Clavister Security OS™ result in high reliability and uptime. However, in any complex system there is always a risk of failures, ranging from manual errors to more complicated hardware component errors. Whatever the cause, communication disruptions are, at the very least, annoying. We consider them totally unacceptable.
The high availability feature of Clavister Security OS™ enables you to set up a secondary, redundant backup system, thereby eliminating a single point of failure and minimizing the risk of service disruptions.
Upon any failure of the primary Clavister Security Gateway, the secondary Security Gateway automatically takes control over the data flow to guarantee network uptime. The transition takes only a fraction of a second and is totally invisible to all traffic.
An advanced Link Monitor is able to detect dead links, interfaces and gateways, thereby greatly enhancing the reliability of the total system.
A dedicated Ethernet interface is used for synchronization, which guarantees that all state information, including VPN sessions, is synchronized without delay, even in solutions with extremely high throughput.
The sophisticated Operations and Maintenance tools provided for Clavister Security OS™ can automatically make sure that both the redundant backup unit and the primary unit share the same configuration, meaning that only the primary Security Gateway needs to be configured, which makes the deployment and maintenance of highly available systems a simple task.
[Figure: high availability diagram with the labels Internal LAN, Servers in DMZ and Internet]
Operations and Maintenance
Operations and maintenance is a vital part of any network, but it can also be a costly and resource-consuming task, and if made too complex it can actually become a security risk due to human mistakes.
To make your environment as secure and cost-efficient as possible,
Clavister Security OS™ has been designed to include powerful
operations and maintenance capabilities that transform a complex
mess into a few well-organized and simple tasks.
Clavister provides a wide range of tools for administration
including command line interfaces, web user interfaces and
centralized management systems. All communications are of course
encrypted to avoid eavesdropping. Comprehensive support for
authentication and auditing ensures efficient delegation of
administrative tasks.
Benefits:
• Enables consistent policy enforcement
• Offers advanced reporting and monitoring capabilities
• Decreased costs of operations
• Decreased costs of deployment
• Increased security and service availability
• High flexibility through Open API and web portal technologies
In addition to the operations and maintenance tools provided for
the Clavister Security OS™ it is also possible to integrate and interact
with third-party systems such as HP OpenView and IBM Tivoli.
In short: With Clavister Security OS™ and the operations and
maintenance tools you can easily manage all devices in your
network, no matter if they are located in the server hall next
door or thousands of kilometers away!
Technical Specifications Clavister Security OS™

Performance
• Max Concurrent Connections: 5 000 000
• Plaintext Throughput (Mbps): 4 000
• AES Throughput (Mbps): 2 000
• 3DES Throughput (Mbps): 2 000

Interfaces
• Max Number of Ethernet Interfaces: 64
• Symmetric Design: Yes
• VLAN (IEEE 802.1Q) Support: Yes
• Max Number of virtual (VLAN) interfaces: 4 096 per interface
• Access and bandwidth control per VLAN: - (value missing in the source)
• Interface Grouping: Yes

Filtering Capabilities
• Maximum Number of Rules: 10 000
• Time-Scheduled Rules: Yes
• Custom Protocol Number Filter: Yes
• TCP/UDP Port Filter: Source / Destination Ports or Port Ranges, or Groups
• Pre-defined ICMP Filters: Echo Request, Echo Reply, Destination Unreachable, Source Quenching, Redirect, Time Exceeded, Parameter Problem
• Custom ICMP Message Filter: Yes
• Custom ICMP Code Filter: Yes
• Pre-defined Service Definitions: Yes

Address Translation
• NAT, True Dynamic Address Translation (RFC 1631): Yes
• SAT, Static Address Translation: Yes
• Per-rule Address Translation: Yes

Application Layer Gateways
• FTP: Yes
  - Run-time Active/Passive FTP Transformation: Yes
• HTTP: Yes
  - ActiveX / Java Applet Filtering: Yes
  - JavaScript / VBScript / Cookie Filtering: Yes
  - Pattern-based URL Filtering: Yes
• H.323: Yes
  - Gatekeeper Support: Yes
  - Version Support: H.323 v5, H.225.0 v5, H.245 v10
  - Application Sharing (T.120): Yes
  - NAT and SAT Support: Yes

Addressing and Routing
• Static IP Addresses: Yes
• CIDR Support: Yes
• IP Ranges: Yes
• IP and Network Grouping: Yes
• Static ARP Entries: 1 024
• Dynamic ARP Entries: 4 000
• Published IP Addresses: Yes
• Proxy ARP: Yes
• DHCP Client: Yes
• DHCP Server: Yes
• DHCP Relay: Yes
• PPPoE: Yes
• GRE: Yes
• Static Routing: Yes
• Number of Routes: 4 096
• Policy-based Routing: Yes
• Metric-based route failover with link and ARP monitoring: Yes
• Time-Scheduled Policy-based Routing: Yes
• Max Number of Virtual Routers: 1 000
• OSPF: Yes
  - OSPF over IPSec: Yes
  - RFC 2328 Compliant: Yes
  - RFC 1583 Compatibility Mode: Yes
  - Multiple OSPF Routing Processes Support: Yes
  - Dynamic Routing Policy Rules: Yes

Consistency Checks and DoS Prevention
All of the following checks are supported:
• Illegal Addresses
• Checksum Control
• TTL Control
• Layer Size Consistency
• IP Option Sizes
• IP Source Route
• IP Timestamp
• IP Reserved Flag
• TCP Blind Spoofing Protection
• TCP Header Option Sizes
• TCP MSS Control
• TCP Window Scale
• TCP Selective ACK
• TCP Timestamp
• TCP Alternate Checksum
• TCP Connection Count
• TCP Bad Options
• TCP Flag Combinations
• TCP Reserved Field
• TCP NULL Packets
• ICMP Response Control
• ARP Spoofing Protection
• Strict Interface Matching
• Connection Timeout Control
• Payload Size Control
• Reassembly Timing Control
• Illegal Fragments
• Duplicate Fragments

VPN – Virtual Private Networking
• Concurrent PPP (L2TP/PPTP) Tunnels: 50 000
• IPSec VPN
  - Encryption Algorithms: AES (Rijndael), 3DES, DES, Twofish, Blowfish, CAST-128, NULL Encryption
  - Authentication: SHA-1, MD5
  - Concurrent IPSec VPN Tunnels: 1 (value appears truncated in the source)
  - IKE Modes: Main, Aggressive
  - Perfect Forward Secrecy: DH Groups 1, 2, 5
  - Security Associations: Per Net, Host
  - Keying: X.509 certificates, Pre-Shared Keys
  - Peer Authentication: Built-in Database; IP, DNS name, E-mail or X.500 Distinguished Name
  - LAN-to-LAN VPN: Yes
  - Roaming Clients: Yes
  - Star VPN Design Support: Yes
  - DNS Resolving of Remote Gateway: Yes
  - PKI Certificate Requests (PKCS#7, PKCS#11): Yes
  - Self-signed Certificates: Yes
  - IPsec NAT Traversal: Yes
  - VPN Policy Selection: through Routing / Policy-based Routing
  - DHCP over IPsec (“Virtual IP”): Yes
  - VPN Tunnel Keep-alive: Yes
  - Compliant with: Security Architecture for the Internet Protocol (RFC 2401); The Use of HMAC-MD5-96 within ESP (RFC 2403); The Use of HMAC-SHA-1-96 within ESP (RFC 2404); The ESP DES-CBC Cipher Algorithm With Explicit IV (RFC 2405); IP Encapsulating Security Payload (ESP) (RFC 2406); The Internet IP Security Domain of Interpretation for ISAKMP (RFC 2407); Internet Security Association and Key Management Protocol (ISAKMP) (RFC 2408); The Internet Key Exchange (IKE) (RFC 2409); The NULL Encryption Algorithm and Its Use With IPsec (RFC 2410); The OAKLEY Key Determination Protocol (RFC 2412); The ESP CBC-Mode Cipher Algorithms (RFC 2451)
• L2TP VPN
  - Authentication Algorithms: CHAP, PAP, MS-CHAP v1, MS-CHAP v2
  - MPPE Support: Yes
• PPTP VPN
  - Authentication Algorithms: CHAP, PAP, MS-CHAP v1, MS-CHAP v2
  - MPPE Support: Yes

Traffic Shaping
• Mode of Operation: Weighted Queues (Pipes)
• Policy-based Traffic Shaping: Yes
• Time-Scheduled Traffic Shaping: Yes
• Number of Pipes: 64
• Priority Levels: 8 per pipe
• Applicable Limits: Bandwidth, Packets per second
• Granularity: Per firewall rule / 1 Kbps / 1 pps
• Dynamic Bandwidth Limit Balancing: Yes
• Pipe Chaining: Yes

High Availability
• High Availability Support: Yes
• State Synchronization: Yes
• VPN Synchronization: Yes
• Device Failure Detection: Yes
• Dead Link Detection: Yes
• Dead Gateway Detection: Yes
• Dead Interface Detection: Yes
• Synchronization Method: (value missing in the source)
• Average Fail-over Time: (value missing in the source)

Logging
• Network Logging: Yes
• Clavister Firewall Logger: Yes
• Syslog: Yes
• Real-time Log Viewer: Yes
• Number of Log Receivers: 8
• Log Receiver Grouping: Yes
• Per-rule Logging: Yes
• Drop Entry Byte Dump (150 bytes): Yes
• Automatic Log File Compression: Yes
• Log File “Wrapping”: Yes
• Graphical Log Analyzer: Included in Clavister Firewall Manager
• Command Line Log Query Tools: Microsoft Windows, Linux
• Log Export File Format: CSV
• NetIQ WebTrends Support: Yes

Monitoring
• Real-time Performance Monitoring: Included in Clavister Firewall Manager
• SNMP Polling: Yes
• Counter Entities: CPU Load, Forwarded bps, Forwarded pps, Buffer usage, Connections, Rule usage, pps in/out/total per interface/VLAN/VPN Tunnel/Pipe, bps in/out/total per interface/VLAN/VPN Tunnel/Pipe, Drops, IP errors, Send fails, ICMP received, Frags received, Frag reass OK, Frag reass fail, Num users, Dyn Limit bps, Delayed Packets, Dropped Packets, Dyn User Limit Bps, Rx/Tx Ring Counters

User Authentication
• External RADIUS User Database: Yes
• Multiple RADIUS Servers: Yes
• CHAP: Yes
• PAP: Yes
• RADIUS Challenge/Response (HTTP): Yes
• Customizable HTTP(S) Front-end: Yes
• VPN IKE XAuth: Yes
• Microsoft Active Directory integration (via MS IAS): Yes

Management
• Local Console: RS232
• Local Console Authentication: Password
• Graphical Enterprise Remote Management: Yes
• Remote Access Encryption / Auth. Algorithm: CAST-128 / SHA-1
• Remote Access Authentication: Yarrow-generated PSK, Source Interface and Source IP
• Remote Fail-safe Operation: Revert to last known-good configuration
• Multiple Administrators: Yes
• Number of Administrators: Unlimited
• Multi-Firewall Management: Yes
• Administrative Networks: Unlimited
• Revision History: Complete configurations
• Centrally Archived Configurations: Yes
• Firewall Core Upgrades: Complete remote software upgrades, authenticated and encrypted
• Command-line based Remote Management: Microsoft Windows, Linux

Miscellaneous
• HTTP Poster (logon to service providers / DynDNS client etc.): Yes
• SNTP and UDP Time Synchronization: Yes

Torggatan 10, Box 393 • SE-891 28 Örnsköldsvik • Sweden. Phone: +46 (0)660 29 92 00 • Fax: +46 (0)660 122 50
[email protected] • www.clavister.com
Copyright © 1998-2005 Clavister AB. All rights reserved. Information in this document is subject to change without prior notification.
About Clavister
Clavister is a leading developer of high-performance IT/IP security. The products, based on unique technology, include carrier-class firewalls and VPN solutions. They have been awarded preferred choice by the international press and are in use today by thousands of satisfied customers. In short: in a world where people depend on information, Clavister provides complete security solutions more cost-efficiently than any competitor, always with your business in mind.
Clavister was founded in 1997 in Sweden. Its R&D and headquarters are situated in Örnsköldsvik, Sweden, and its solutions are marketed and sold through sales offices, distributors and resellers in Europe and Asia. Clavister also offers its technology to OEM manufacturers.