Network Router VPN Security
Chapter 5
Product: Features
Cisco Secure User Registration Tool (URT): Identifies users within the network and creates user registration policy bindings that help support mobility and tracking
Cisco 1700, 2600, 3600, and 7200: Wide variety of modular router platforms with options for IOS-based and hardware-enabled VPN and security support. See individual product pages and Cisco IOS Firewall Feature Set.
Cisco 7100 Series:
Large branch and central site VPN router
Comprehensive suite of VPN services, including encryption, tunneling, firewall, and bandwidth management
Embedded I/O for ease of deployment
Service module slot for IPSec and PPTP encryption coprocessing
Dedicated Site-to-Site VPN router
When to Sell
Sell This Product
PIX 501
PIX 506E
PIX 515E
PIX 525
PIX 535
1. At 1400-byte packets
Key Features
Security: Purpose-built appliance with a proprietary, hardened operating system
Performance: Stateful inspection firewall capable of up to 500,000 concurrent connections and 1.7 Gbps of throughput (at 1400-byte packets on Cisco PIX 535 Security Appliances)
High availability: Award-winning, active/standby firewall stateful failover provides enterprise-class, cost-effective resiliency
Virtual Private Networking (VPN): Supports both standards-based IPsec and L2TP/PPTP-based VPN services
Optional PIX VPN Accelerator Card+: Scales 3DES/AES-256 VPN throughput up to 495 Mbps, using specialized co-processors designed for accelerating cryptographic operations
Free software Cisco VPN Client provides secure connectivity across a broad range of platforms including Windows, Mac OS X, Linux and Solaris
Network Address Translation (NAT) and Port Address Translation (PAT): Conceals internal IP addresses and expands network address space
Denial-of-Service (DoS) Attack Protection: Protects the firewall, internal servers and clients from disruptive hacking attempts
OSPF dynamic routing support for improved network reliability and performance
Cisco PIX Security Appliance Series
Competitive Products
Check Point Software: FireWall-1 / VPN-1
NetScreen: NetScreen Security Appliances
Nokia: IP-Series Security Appliances
Specifications
Feature: PIX 501 | PIX 506E | PIX 515E | PIX 525 | PIX 535
Processor: 133 MHz | 300 MHz | 433 MHz | 600 MHz | 1.0 GHz
RAM: 16 MB | 32 MB | 32 or 64 MB | 128 or 256 MB | 512 MB or 1 GB
Flash Memory: 8 MB | 8 MB | 16 MB | 16 MB | 16 MB
PCI Slots: None | None | 2 | 3 | 9
Fixed Interfaces (Physical): Four port 10/100 switch (inside), One 10Base-T Ethernet (outside) | Two 10Base-T Ethernet | Two 10/100 Fast Ethernet | Two 10/100 Fast Ethernet | None
Maximum Interfaces (Physical and Virtual): PIX 501: Four port 10/100 switch (inside), One 10Base-T Ethernet (outside); PIX 506E: Two 10Base-T Ethernet; PIX 525: Eight 10/100 FE or GE or 10 VLANs; PIX 535: Ten 10/100 FE or GE or 24 VLANs
VPN Accelerator No
Card+ (VAC+)
Option
Failover Support No
No
Yes, integrated in
select models
Yes, integrated in
select models
Yes, integrated in
select models
No
Size
Desktop
Desktop
PIX 535 Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
PIX 535 Restricted Bundle (Chassis, restricted software, two 10/100 ports)
PIX 535 Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
PIX 525 Unrestricted GE Bundle (Chassis, unrestricted software, two GE ports, two 10/100 ports, VPN
Acceleration Card+)
PIX 525 Failover GE Bundle (Chassis, failover software, two GE ports, two 10/100 ports, VPN Acceleration
Card+)
PIX 525 Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
PIX 525 Restricted Bundle (Chassis, restricted software, two 10/100 ports)
PIX 525 Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
PIX 515E Unrestricted Bundle (Chassis, unrestricted software, six 10/100 ports, VPN Accelerator Card+)
PIX 515E Failover Bundle (Chassis, failover software, six 10/100 ports, VPN Accelerator Card+)
PIX 515E Unrestricted Bundle (Chassis, unrestricted software, two 10/100 ports, VPN Accelerator Card+)
PIX 515E Restricted Bundle (Chassis, restricted software, two 10/100 ports)
PIX 515E Failover Bundle (Chassis, failover software, two 10/100 ports, VPN Accelerator Card+)
PIX 515E DMZ Bundle (Chassis, restricted software, three 10/100 ports)
PIX 506E 3DES/AES Bundle (Chassis, software, 3DES/AES license, two 10-BaseT ports)2
PIX 501 10 User/3DES/AES Bundle (Chassis, SW, 10 user/3DES/AES license, 4 port 10/100 switch)
PIX 501 50 User/3DES/AES Bundle (Chassis, SW, 50 user/3DES/AES license, 4 port 10/100 switch)
PIX 501 Unlimited User/3DES/AES Bundle (Chassis, SW, Unlimited Users 3DES/AES license, 4 port 10/100
switch)
PIX 66-MHz Single-port Gigabit Ethernet interface card (multimode fiber, SC connector)
PIX 66-MHz Four-port 10/100 Fast Ethernet interface card, RJ45
PIX Single-port 10/100 Fast Ethernet interface card
PIX DES/3DES VPN Accelerator Card (VAC)
PIX DES/3DES/AES VPN Accelerator Card+ (VAC+)
PIX Accessories
PIX-506E-PWR-AC
PIX-515-PWR-DC
1. This is only a small subset of all parts available via URL listed under For More Information. Some parts have
restricted access or are not available through distribution channels. Resellers: For latest part number and pricing
info, see the Distribution Product Reference Guide at: http://www.cisco.com/dprg (limited country availability).
When to Sell
Sell This Product
VPN 3005 and 3015 Concentrators:
A fixed configuration device designed for small- to medium-sized organizations with bandwidth requirements up to full-duplex T1/E1 (4 Mbps maximum performance) and up to 100 simultaneous remote access sessions
Encryption processing is performed in software
VPN 3015 is field-upgradable to the Cisco VPN 3030 and 3060 models and for redundancy
VPN 3030 and 3060 Concentrators:
VPN 3030 is for medium- to large-sized organizations with bandwidth requirements from full T1/E1 through T3/E3 (50 Mbps max. performance) and up to 1500 simultaneous sessions; field-upgradeable to the Cisco VPN 3060
VPN 3060 is for large organizations, with high-performance, high-bandwidth requirements from fractional T3 through full T3/E3 or greater (100 Mbps max. performance) and up to 5000 simultaneous remote access sessions
Both have specialized SEP modules to perform hardware-based acceleration
VPN 3080 Concentrator:
Optimized to support large enterprise organizations that demand the highest level of performance combined with support for up to 10,000 simultaneous remote access sessions
Specialized SEP modules perform hardware-based acceleration
VPN 3000 Client:
Establishes secure, end-to-end encrypted tunnels to the Cisco VPN 3000 Concentrator and other Cisco Easy VPN compliant devices.
Provided at no charge, installs on PCs and is available for Windows, MAC OS X and Linux/Solaris environments
VPN 3002 Hardware Client:
Emulates the software client in hardware
Ideal for mixed operating system environments and where corporation does not own/control remote PC or for very large applications requiring large number of devices due to ease of deployment, upgradability & scalability
Key Features
Cisco VPN 3000 Concentrators Series
Support for industry standard IPSec DES/3DES/AES and Cisco IPSec/NAT for
VPN Access through Port Address Translation firewalls
Unlimited-use license for Cisco VPN Client distribution included at no cost with
multiple OS support including Windows, MAC OS X, Linux and Solaris; also
integrates with Zone Alarms personal firewall
Supports standard authentication: RADIUS, SDI Tokens, and Digital Certificates
VPN load balancing allows for multiple units to cluster as a single shared pool
Cisco VPN 3002 Hardware Client supports up to 253 users/stations per VPN 3002
Works with most operating systems including Windows, Linux, Solaris, and MAC OS X
Auto-upgrade capability automates upgrades with no user intervention required
Client technology employs push policy and automatic address assignment from the
central site concentrator, enabling virtually unlimited scalability
Competitive Products
Nortel: Contivity products
Netscreen: LAN to LAN environments
Nokia
Specifications
Cisco VPN 3000 Series Concentrators
Feature: VPN 3005 | VPN 3015 | VPN 3030 | VPN 3060 | VPN 3080
Simultaneous Users: 100 | 100 | 1500 | 5000 | 10,000
Encryption Throughput: 4 Mbps | 4 Mbps | 50 Mbps | 100 Mbps | 100 Mbps
Encryption Method: Software | Software | Hardware | Hardware | Hardware
Encryption (SEP) Module: 0 | 0 | 1 | 2 | 4
Redundant SEP: No | No | Optional | Optional | Yes
Expansion Slots: 0 | 4 | 3 | 2 | N/A
Upgradeable: No | Yes | Yes | N/A | N/A
Memory: 32 MB | 128 MB | 128 MB | 256 MB | 256 MB
Hardware Configuration: 1U, Fixed | 2U, Scalable | 2U, Scalable | 2U, Scalable | 2U
Power Supply: Single | Single, with a dual option | Single, with a dual option | Single, with a dual option | Dual
Client License: Unlimited | Unlimited | Unlimited | Unlimited | Unlimited
LAN-to-LAN Connections: 100 | 100 | 500 | 1000 | 1000
(internal user database)
Dimensions (HxWxD): 1.75 x 17.5 x 11.5 in.; 3.5 x 17.5 x 14.5 in.
Hardware Processor
Network Interfaces
Physical Dimensions
Power Supply
Tunneling Protocol Support
Monitoring & Configuration
Encryption Algorithms, Key
Management & Authentication
Algorithms
Feature
Authentication and Accounting Servers: Support for redundant external authentication servers including RADIUS, Microsoft NT Domain authentication, X.509v3 Digital Certs (PKCS7-PKCS10)
Configuration Modes:
Client Mode: acts as client, receives random IP address from Concentrator Pool; Uses NAPT to hide stations behind 3002; Network behind 3002 is unroutable; few configuration parameters
Network Extension Mode: acts as site-to-site device; Uses NAPT to hide stations only to Internet (stations visible to central site); Network behind 3002 is routable; additional configuration parameters
When to Sell
Sell This Product When a Customer Needs These Features
Deploying VPN or routers and want to have future option for VPN
Planning to use the Internet for remote business communications (remote access VPN)
When migrating from leased lines to VPN
Reduction of network equipment to manage
Needs to integrate Voice and VPN Services (V3PN)
Specifications
Feature
Firewall with IDS; GRE and IPSec; High Availability/Failover; VPN QoS; AES in Hardware (excluding
C1700 Bundles)
Software: C1700 Bundles
Hardware: C2600XM, C2691-VPN, C3725-VPN, C3745-VPN, 7200 Bundles
C1700: 100; C2600XM, C2691-VPN: 800; C3725-VPN, C3745-VPN: 2000; 7200 Bundles: 5000
IPPCP Compression
Max Tunnel
When to Sell
Sell This Product
A distributed intrusion detection system capable of directing and forwarding alarms between local,
regional, and headquarters-based monitoring consoles
A scalable architecture to allow the deployment of large numbers of sensors in order to provide
comprehensive security coverage in large network environments
Cisco network IDS appliances (Cisco IDS 4200 Series Appliances) that can be deployed throughout the
network with the ability to monitor multiple subnets using a single appliance through the support of
multiple interfaces
The Cisco IDS Switch Module (IDSM2) enables customers to perform both security monitoring and
switching functions within the same chassis
The Cisco IDS Network Module enables full features intrusion protection integrated into the Cisco
Access Routers
Broad performance range from 10 Mbps to 1 Gbps
Automated false alarm reduction capabilities through CTR (Cisco Threat Response)
Flexible IDS signature customization options
Broad range of management and monitoring options to fit any environment.
A robust, 24 hour x 7 day-a-week monitoring and response system with the latest attack detection
capabilities
Key Features
High-Speed Performance including support for full line rate gigabit environments
Integrated solutions for the Cisco Catalyst Switch and Cisco Access Routers
Easy Installation and Setup; Remote Configuration Capability
Comprehensive Attack Database
Notification actions; Automated response actions
Comprehensive IDS Anti-Evasion Techniques
Cisco IOS-like CLI for full featured IDS management capabilities
Competitive Products
Snort: IDS
Tipping Point
NAI: Intrushield
Network Flight Recorder, Inc.: NFR
Specifications
Feature
IDS-4215
IDS-4235
IDS-4250
Performance
Processor
80 Mbps
850 MHz
250 Mbps
1.26 GHz
500 Mbps
Dual 1.26 GHz
RAM
512 MB
1 GB
2 GB
IDS Network
IDS Module Module
(NM-CIDS)
IDS-4250-XL (IDSM-2)
1000 Mbps
Dual 1.26 GHz.
Includes
customized HW
acceleration
2 GB
600 Mbps
45Mbps
Custom Hardware 10-45 Mbps
2 GB
512 MB
Monitoring
Interface
Autosensing
10/100 Base-T
Ethernet,
(upgradable to
support up to 5
monitoring
interfaces)
Command &
Control
Interface
Autosensing
10/100 Base-T
Ethernet
Autosensing
10/100/1000
Base-T Ethernet
(upgradable to
support up to 5
monitoring
interfaces)
Autosensing
10/100/1000BASETX (upgradable to
support up to 5
monitoring
interfaces)
Optional
1000-Base SX
(fiber) supported
with the SX model
Autosensing
Autosensing
10/100/1000Base- 10/100/1000BaseTX
TX
Dual
1000BASE-SX
interface with
MTRJ
PCI
Autosensing
PCI
10/100/1000BaseTX
Internal
10-/100-Mbps
Ethernet and
external
10-100-Mbps
Ethernet
10/1010/100Base T
4215 Cisco IDS 4215 Sensor (chassis, software, SSH, 2 onboard 10/100 Base-T interfaces with RJ-45
connector) 80-Mbps
Cisco IDS 4215 Sensor (chassis, software, SSH, 2 onboard 10/100BASE-Tx interfaces with RJ-45
connector plus 4FE interface card), 80-Mbps
Cisco IDS 4235 Sensor (chassis, software, SSH, 10/100/1000BASE-T with RJ-45 connector, up to 200
Mbps)
Cisco IDS 4250 Sensor (chassis, software, SSH, 10/100/1000BASE-T with RJ-45 connector)
Cisco IDS 4250 Sensor (chassis, software, SSH, 1000BASE-SX with SC connector)
Cisco IDS 4250-XL Sensor (chassis, software, SSH, hardware accelerator with dual 1000BASE-SX
and MTRJ connectors)
Because the Cisco Security Agent analyzes behavior rather than relying on signature matching,
its solution provides robust protection with reduced operational costs. Customers
require robust endpoint security that prevents security attacks from affecting the
network and critical applications.
As a key component of the SAFE blueprint for secure e-business, the Cisco Security
Agent provides unprecedented endpoint protection that enables businesses to participate
in e-commerce securely and take advantage of the Internet economy.
When to Sell
Sell This Product
Host intrusion protection, distributed firewall, malicious mobile code protection, operating system
hardening, file integrity and/or audit log consolidation. The Cisco Security Agent provides all of these
features in one integrated package
Protection against both known and unknown attacks
Protection for servers and/or desktops/laptops
A solution that is scalable to protect thousands of servers and desktops for large enterprise
deployments
Key Features
Provides industry-leading protection for Unix and Windows servers
Open, extensible architecture offers the capability to define and enforce security
according to corporate policy
Competitive Products
Sana Security: Primary Response
NAI: Entercept
NFR (Centrax)
Specifications
Feature
Platforms
Windows 2000 Server and Advanced Windows NT v4.0 Workstation (Service Microsoft Windows 2000 Server and
Server (up to Service Pack 3)
Pack 5 or later)
Advanced Server (up to SP 2)
Windows NT v4.0 Server and Enterprise Windows 2000 Professional (up to
Server (Service Pack 5 or later)
Service Pack 3)
Solaris 8 SPARC architecture (64-bit
Windows XP Professional (up to Service
kernel)
1)
Cisco Secure Access Control Server (ACS) for Windows and Cisco
Secure Access Control Solution Engine
Cisco Secure Access Control Server (ACS) version 3.2 for Windows, a key component
of Cisco's Identity Based Networking Services (IBNS) architecture, extends access
security by combining authentication, user/admin access and policy control from a
centralized identity networking framework allowing for greater flexibility and mobility,
increased security, and user productivity gains. Cisco Secure ACS also provides identity
networking support for Cisco Structured Wireless Aware Networks (SWAN), as an
extension of the local authentication provided on Cisco Aironet Access Points. ACS
allows a network administrator to manage and administer user access for Cisco IOS
routers, virtual private networks (VPNs), firewalls, dial and broadband DSL, cable
access solutions, storage, content, voice over IP (VoIP), Cisco wireless solutions, and
Cisco Catalyst switches via IEEE 802.1x access control.
Version 3.2 introduces a new, secure, hardware-based offering for Cisco Secure ACS.
The Cisco Secure ACS Solution Engine, a 1-rack-unit (1-RU) security-hardened
solution engine with a preinstalled Cisco Secure ACS license, provides essentially the
same features and functions as the Cisco Secure ACS for Windows, in a dedicated,
application-specific solution engine package. Cisco Secure ACS Solution Engine
provides a zero-touch installation and highly reliable AAA solution
with increased total-cost-of-ownership protection through high availability and
simplified day-to-day operation of the Cisco Secure ACS service.
define access control lists of any length, per user or group of users. It extends per-user access control
When to Sell
Sell This Product
Centrally manage who can log in to the network from wired or wireless connections
Privileges each user has in the network
Accounting information recorded in terms of security audits or account billing
What access and command controls are enabled for each configuration administrator
Virtual VSA for Aironet rekey
Secure server authentication and encryption
Simplified firewall access and control through Dynamic Port Assignment
Same User AAA services
Key Features
Protected Extensible Authentication Protocol (PEAP) support for Microsoft Windows and Cisco clients: Provides support for Microsoft PEAP on Windows 98, NT, 2000 and XP by supporting client authentication with MS-CHAPv2, and support for Cisco PEAP with one-time token authentication and support of non-MSCHAP end-user databases such as, NDS, and ODBC.
EAP mixed configurations: Allows flexible EAP settings to be set concurrently and processed per the 802.1X protocol presented by the end user. ACS supports PEAP-EAP-GTC (Cisco PEAP), PEAP-EAP-MSCHAPv2 (Microsoft PEAP), EAP-TLS, EAP-MD5, and Cisco EAP Wireless (LEAP).
Accounting Support for Aironet: Supports user-based accounting from the Wireless Access Points when they are configured as RADIUS (Cisco Aironet) AAA clients.
EAP-TLS enhancements: Extends ACS PKI capabilities with the addition of EAP-TLS authentication against ODBC user databases, and EAP-TLS silent session resume support which prevents users from re-authenticating during a RADIUS session timeout.
Competitive Products
Funk: Steel Belted RADIUS
Lucent/Avaya: Security Management Server (LSMS)
Specifications
Feature
Hardware1
1. Cisco Secure Access Control Server Solution Engine system specifications are available in the Product Literature
When to Sell
Sell This Product
Web-based LAN authentication for Windows, Macintosh, and Linux client platforms, ideal for mobile
users within the LAN environment
Extended security to protect user access to the logon VLAN from unregistered PCs through MAC-based
security option
RADIUS authentication and accounting support
Multiple user access per port
Key Features
Web Client Logon Interface: Supports customizable Web-based authentication for Windows, Macintosh, and Linux client platforms
MAC-Based Security Option: Provides extended security to protect user access to the logon VLAN from unregistered PCs
RADIUS Authentication and Accounting Support: RADIUS authentication is offered for Web logon
Secure Link Between Cisco Secure URT Client and VPS Server: Security authentication and data encryption have been added to URT v2.5 to enable a more secure connection from the user
LDAP Support (Active Directory and NDS directories): Cisco Secure URT v2.5 supports Windows Active Directory and Novell's NDS LDAP servers
Multiple Users Per Port: Previous versions of Cisco Secure URT support only a single user logon on a single port
Display of Windows NT Groups: The URT Administrator interface is enhanced to display the users belonging to a Windows NT group
MAC Address Events History: With URT v2.5 MAC-address-based logon/logoff events are added as an option and reported to the history events tool
Specifications
Feature
Windows 2000 (SP2) server, professional, and Windows XP Professional-Min H/W (Pentium III, 512MB
DRAM, 65 MB of disk space)
Browser for Web Login: Netscape version 4.79 and 6.2; IE version 5.5 (SP2) or 6.0
Client Software Requirements: Windows 98 (2ndE), Windows NT4 Workstation/Server (SP6A), Windows 2000 (SP2) Professional/server, Windows XP Professional, Windows XP Home (Web Client Only), Mac OS 10.1 (Web client only), Linux Redhat/ SuSE/ Mandrake/ VA (Web Client only)-Min H/W for Web client (Pentium II, 256MB DRAM, 65 MB of disk space), Min H/W for traditional client (Pentium II, 64MB DRAM, 1MB of disk space)
Supported Cisco Products (latest tested version): 1900 series (1912, 1924), v9.00.05; C2800 series (2822, 2828), v9.00.05; C2900XL series (2908XL, 2916XL, 2912XL, 2912LRE-XL, 2924XL, 2924LRE-XL), v12.0(5)WC3b; C2948GL3 series (2948GL3, 4232) v12.0(18)W5(22b); C2950 series, v12.1.6.EA2c; C3500XL series (3508XL, 3512XL, 3524XL, 3548XL, 3550XL), v12.0(5)WC3b; C3550 series, v12.1.8.EA1c; C4000 series (4003, 4006, 4912g), v7.1(2); C5000 series (2900, 2926, 2948, 5000, 5002, 5500, 5505, 5509), v6.3(5); C6000 series (6006, 6009, 6506, 6509, 6513), v7.1(3)
Hardware
Starter Kit: includes one (1) User Registration Tool 2.5 Software license, and one (1) Cisco 1101
VLAN Policy Server (VPS) appliance
Software only; upgrades customers from URT 2.X to 2.5; includes upgrade for both URT Admin
Server and Cisco 1100 VPS appliance
Hardware Only; Cisco 1101 VPS appliance; additional appliance needed for backup, use in
distributed deployments, or deployments requiring Web logon capabilities
URT-2.5-UP
URT-1101-HW-K9
When to Sell
Sell This Product When a Customer Needs These Features
Cisco IOS Firewall
An integrated stateful firewall solution with powerful security and multiprotocol routing all on the same
platform
Scalability options from the Cisco 800 up to the Cisco 7500 and the Catalyst 6000
Low cost solution where high performance is not a requirement
For secure extranet and intranet perimeters and Internet connectivity for branch and remote offices
Secure remote access or data transfer via a Cisco IOS Software-based VPN solution
Real-time (inline) integrated intrusion detection system (IDS) to complement firewall or existing IDS (Cisco
Secure IDS)
Security and access to the network on a per-user basis
Key Features
Context-based access control (CBAC) provides secure, stateful, application-based
packet inspection, supporting the latest protocols and advanced applications
Intrusion detection for real-time inline monitoring, interception, and response to
network misuse for 100 attack signatures
Supports URL filtering either locally on the router through exclusive domains or
through external Websense and N2H2 servers.
Dynamic, per-user authentication/authorization for LAN, WAN, and VPN clients
Authentication proxy for https, ftp and telnet connections
Supports Security Device Manager (SDM)
Graphical configuration and management via the VPN/Security Management
Solution (VMS) and the IP Solution Center (ISC)
Provides strong perimeter security for a complete Cisco IOS Software-based VPN
solution, including IPSec, QoS, and tunnelling
Competitive Products
Nortel: BaySecure Firewall-1
Specifications
Feature
Simultaneous Sessions
When to Sell
Sell This Product
Cisco 7120:
Entry-level Cisco 7100 Series Router designed for large branch or central site VPN with VPN services throughput of up to 50 Mbps
Designed primarily for site-to-site VPN deployments with incidental remote access requirements
Cisco 7140:
High-end site-to-site VPN platform for central site VPN applications with VPN services throughput up to 140 Mbps
Provides superior routing and VPN services performance for central site environments, as well as dual power supplies for increased solution reliability
Key Features
Comprehensive suite of VPN services (tunneling, data encryption, security, firewall, quality of service, and service level validation) integrated with industry-leading routing
High performance RISC processor delivering high-speed, scalable VPN services and routing throughput and extensive memory for reliable, high-speed VPN services delivery
Dual autosensing 10/100BASE-T Fast Ethernet ports for connectivity to the corporate LAN; the Cisco 7120 Series also has an integrated 4-port T1/E1 serial WAN interface
Integrated Services Module (ISM) is included for support up to 2000 simultaneous tunneling sessions with 90 Mbps encryption performance and Windows 95/98/NT4.0 and Windows 2000 compatibility for remote access; an optional Integrated Services Adapter (ISA) may be installed in the Cisco 7140 to provide dual encryption acceleration performance up to 3000 tunnels and 140 Mbps 3DES encryption throughput
Competitive Products
Check Point: VPN-1 Appliance
Nortel: Contivity 4500
Nokia: IP440
Specifications
Feature
Cisco 7120
Cisco 7140
Autosensing, RJ-45
None
1 slot
Same as Cisco 7120
1 slot
Integrated Services Module (ISM)
1 of each, RJ-45 interface
64 MB packet
128 MB system (expandable to 256 MB)
48 MB
2
Single AC
3.5 in. x 17.5 in. x 18.25 in.
Dual AC
3.5 in. x 17.5 in. x 18.25 in.
Feature Pack | Description | IOS Image Release | Flash Memory Required | DRAM Memory Required
CD71-CL-12.1.6E= | IP IPSEC 56 | 12.1(6)E | 16MB | 64MB
CD71-CK2-12.1.6E= | IP IPSEC 3DES | 12.1(6)E | 16MB | 64MB
CD71-CHK2-12.1.6E= | IP/FW/IDS IPSEC 3DES | 12.1(6)E | 16MB | 64MB
CD71-AL-12.1.6E= | Enterprise IPSEC 56 | 12.1(6)E | 16MB | 64MB
CD71-AK2-12.1.6E= | Enterprise IPSEC 3DES | 12.1(6)E | 16MB | 64MB
CD71-AHK2-12.1.6E= | Enterprise/FW/IDS IPSEC 3DES | 12.1(6)E | 16MB | 64MB
1. For the complete list of IOS Feature Sets, refer to the parts list, via the URL listed under For More Information. For
users with CCO access, search by IOS feature or release via the Feature Navigator at http://www.cisco.com/go/fn