Executive Summary
Lucent is pleased to respond to the Happy Pharmaceuticals Request for Proposal for firewall solutions. Lucent offers a firewall solution based on our Lucent Managed Firewall v4.0 product. The Lucent Managed Firewall "Brick" is a rack-mountable box that runs on our Inferno(r) operating system, a compact, real-time system designed by Bell Labs with built-in security for distributed networks. The firewall code, both simple and compact, is embedded within the operating system kernel. With no user logins or shell, we've eliminated many normal points of network vulnerability, resulting in a security system that is virtually impenetrable, yet easy to maintain. For additional security, the Brick uses native encryption and authentication features to communicate with the Lucent Security Management Server, our centralized security management server. And since none of its four 10/100 auto-sensing Ethernet ports requires an Internet Protocol (IP) address, it becomes invisible to the network and would-be hackers. A virtual IP address must be visible on one of the four ports for secure communication with the Lucent Security Management Server. The Lucent Managed Firewall Brick delivers high performance, supporting 100 Mbps, 20,000+ packets per second, and 25,000+ simultaneous connections. It maintains this performance even with rule sets of up to 1,000 rules. These performance capabilities exceed Happy Pharmaceuticals' current requirements, delivering a solution that can readily accommodate growth without requiring firewall upgrades. The Brick is available with 110/220 VAC and -48 VDC power supplies. It is International Computer Security Association (ICSA) and National Security Agency (NSA) certified, and is available in a Network Equipment Building Standards (NEBS) Level 3 certified version for telco central office installations, tested to Bellcore GR-63 and GR-1089 standards.
The Lucent Security Management Server can integrate and centrally manage up to 500 Lucent Managed Firewall Bricks, as well as hundreds of Lucent VPN Gateway Bricks, thousands of Lucent IPSec Client users and numerous Lucent RealSecure(tm) intrusion detection engines in your network. It can significantly simplify your security policy because it can support a single security policy on multiple firewalls, or multiple security policies on a single firewall ("virtual firewalls"), reducing both installation and operating costs. Hardware requirements for the Lucent Security Management Server are a 400 MHz processor (minimum) for NT and 333 MHz (minimum) for Solaris, 256 MB system RAM or better, a 4 GB hard drive (dependent upon logging needs), a CD-ROM drive, a backup device, and one Ethernet port. The Lucent Managed Firewall's modular architecture lets you configure it to satisfy your current network needs and expand it as your network grows. You can easily add firewall Bricks as you need them. And since you can manage up to 500 Lucent Managed Firewall Bricks from a single Lucent Security Management Server, you don't need to reconfigure your entire network. The Lucent Managed Firewall is ideal for growing networks because it helps maximize performance while delivering consistent high-quality service.
Zoning In On Your Security
If you manage large or distributed networks, our unique security zone concept can significantly simplify security policy management. A security zone is a group of hosts protected by their own security policy. With security zones, policies are defined logically, not physically or geographically, enabling you to set policies to match your application. Furthermore, you can enforce as many different policies, or zones, as you need. The Lucent Security Management Server will maintain separate security policies, audit information and reports for each security zone. Each zone can also be assigned to a specific zone administrator, with varying degrees of view, edit and apply-policy privileges, as defined by your system administrator. With security zones, you have the freedom to configure policies in a way that makes sense. One option is to apply a single security policy to multiple Bricks. In this model the Lucent Security Management Server provides an integrated view of all activity for the logical security zone, NOT separate logs and reports for each Brick. Another option is to apply multiple, separately managed security policies to a single Brick. Whatever your design, our security zone and zone administrator approach results in significantly simplified policy creation and management. The Lucent Managed Firewall includes the following features:
- High-Performance Security Hardware
- Centralized, Integrated Security Management
- Exceptional Scalability
- Hybrid Firewall Technology (Combines stateful filtering with Lucent Proxy Agent for content security)
- Network Address Translation
- Dependent Rules/Multimedia Application Support
- Bridging of non-IP protocols
- Content Security
  - Trend Micro's InterScan(r) VirusWall Anti-Virus Security Suite
  - Log-On Data Corporation's X-Stop(tm) Xserver URL filtering server
- Strong User Authentication and Access Control
- Secure Administration
- High Availability
Lucent Managed Firewall in Your Current Network
The Lucent Managed Firewall was designed for distributed networks. A single firewall appliance can readily accommodate a T3 connection. A single Lucent Security Management Server can manage all of the Internet firewalls at each Happy Pharmaceuticals, Inc. site.
Current and Future Firewall Requirements
High Availability
The proposed Lucent Managed Firewall solution provides high availability, meeting the 99.99% uptime requirement.
Performance
The Lucent Managed Firewall supports switched Fast Ethernet connections as well as 45 Mbit/s T3 connections. It can support well over the 3,000 user sessions required, giving Happy Pharmaceuticals significant additional room to grow without replacing firewalls.
Protocol Support
The firewall supports a broad list of standard protocols, and also provides the capability to customize security features to accommodate new or unknown applications using our patent-pending "dependency mask" feature.
Network Address Translation
The Lucent Managed Firewall provides an address translation function that automatically remaps source and destination addresses to other specified addresses. In addition, destination port number translation can be performed. Addresses are translated through the rules (i.e., the security policy) on a per-rule basis. The firewall can map addresses either directly, based on a fixed address mapping that the administrator specifies in the rules, or through a pool, based on a round-robin selection from a pool of addresses chosen by the administrator. Destination port numbers can be mapped in the same manner (i.e., either direct or pooled). It supports single-host mappings or host-group mappings. The mapping can be applied to packets as they enter or leave a firewall. The network address translation methods are compliant with RFC 1631 ("The IP Network Address Translator [NAT]"). The address translation methods are also compliant with the proposed Internet Draft. Network performance in the proposed solution is not adversely affected by NAT.
Centralized and Remote Management
Centralized management of all the firewalls, at the central site as well as the remote sites, is critical since the IT team has limited resources available and travel between sites is very costly. Each firewall's rule base should be stored and updated in one single location and distributed securely to each firewall as needed. Figure 1 shows the proposed location of the firewalls throughout the upgraded network.
Logging and Reporting
Lucent provides a strong security logging capability and log file analysis with built-in report generation. The creation of a customized Lucent Managed Firewall management report is greatly simplified by the use of "wizards." The report wizards enable administrators to filter and sort reports so that administrator-requested data is presented in a format that eliminates tedious review of thousands of superfluous records. Reports are presented in HTML format in a separate browser window. Reports can be "memorized" by the Lucent Managed Firewall, so there is no need to specify report parameters each time the administrator wants to review recent information in an already-defined report. Many distinct reports, with vastly different details, can be created from the filtering options contained in the reports. The log files from the Lucent Managed Firewall can be read by third-party reporting tools. "TELEMATE.Net" and "WebTrends for Firewalls and VPNs" are popular log analysis tools that interpret the Lucent Managed Firewall's log files for advanced log analysis. The format of the log files is available to those who wish to create custom scripts that process the log files. The log files may be scheduled for automatic off-load via File Transfer Protocol (FTP).
Alarms
If an attempted attack or break-in occurs and is logged, the Lucent Managed Firewall can notify an administrator by several means: pager, syslog, e-mail, console display, and SNMP trap (which can be passed to a standard network management platform).
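The per-rule address translation described under Network Address Translation above (a direct fixed mapping or a round-robin pooled mapping of the source address, a fixed destination-port remap, applied to packets in one direction) as an added example; this is not Lucent's code, the rule, packet and address values are constructed for illustration, and keeping a flow on the pool address it was first given is an assumption about how a round-robin pool is normally applied, not a statement about the Brick.

```python
import ipaddress
from itertools import cycle
class NatRule:
    """One address-translation entry of the policy: packets whose source lies in
    match_src, seen in the given direction ('in' or 'out'), get the source rewritten
    to one fixed address (direct) or round-robin from a pool (pooled); destination
    ports are remapped through a fixed table the same way."""
    def __init__(self, match_src, direction="out", direct=None, pool=None, dport_map=None):
        if (direct is None) == (pool is None):
            raise ValueError("rule needs exactly one of direct= or pool=")
        self.match_src = ipaddress.ip_network(match_src)
        self.direction, self.direct = direction, direct
        self.pool = cycle(pool) if pool else None
        self.dport_map = dport_map or {}
        self.flows = {}  # (src, dst, dport) -> pool address already assigned (assumed behaviour)

    def matches(self, pkt):
        return (pkt["direction"] == self.direction
                and ipaddress.ip_address(pkt["src"]) in self.match_src)

    def apply(self, pkt):
        out = dict(pkt)
        if self.direct:
            out["src"] = self.direct
        else:  # a flow keeps its first pool address; only a new flow advances the pointer
            key = (pkt["src"], pkt["dst"], pkt["dport"])
            if key not in self.flows:
                self.flows[key] = next(self.pool)
            out["src"] = self.flows[key]
        out["dport"] = self.dport_map.get(pkt["dport"], pkt["dport"])
        return out

def translate(rules, pkt):
    """First matching rule wins; a packet matching no NAT rule passes unchanged."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.apply(pkt)
    return dict(pkt)

def demo():
    # Constructed sample policy and packets (RFC 5737 documentation addresses).
    rules = [NatRule("10.1.1.5/32", direct="192.0.2.10", dport_map={8080: 80}),
             NatRule("10.2.0.0/16", pool=["203.0.113.1", "203.0.113.2"])]
    pkts = [("out", "10.1.1.5", "198.51.100.7", 8080),  # direct mapping plus port remap
            ("out", "10.2.3.4", "198.51.100.7", 443),   # first pooled flow
            ("out", "10.2.3.4", "198.51.100.7", 443),   # same flow, same pool address
            ("out", "10.2.9.9", "198.51.100.8", 25),    # new flow, next pool address
            ("in", "10.2.9.9", "198.51.100.8", 25)]     # inbound: no rule matches
    keys = ("direction", "src", "dst", "dport")
    return [(t["src"], t["dport"]) for t in (translate(rules, dict(zip(keys, p))) for p in pkts)]
```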
Solution Summary
As shown in Figure 1, Lucent proposes using four Lucent Managed Firewall appliances and one Lucent Security Management Server. The total solution cost is less than US $45,000:
- 4 Lucent Managed Firewall Model 201 "Bricks" (hardware devices) @ US $8,995 ea.
- 1 Lucent Security Management Server v4.0 software @ US $8,995
Total Product List Price: US $44,975