Lucent Security Management Server
Security, VPN, and QoS Management Solution

Lucent Security Management Server (LSMS) software brings you the most advanced carrier-grade IP services management solution at today's lowest ownership costs. Teaming with Lucent's award-winning VPN Firewall Brick™ family, LSMS lets you rapidly provision and manage high-return services for thousands of users in a single console. It integrates firewall, VPN, QoS, VLAN and virtual firewall policy management; provides industry-leading scalability and availability; delivers robust monitoring, logs and reports; and gives you flexible deployment options--all without the costly additional modules or recurring license fees that competitive products require.

Applications
* Advanced security services
* Site-to-site and remote access VPN services
* Bandwidth management (QoS) services
* Secure data center web/application hosting
* Mobile data services

Features
* Fully integrates firewall, VPN, QoS, VLAN, and virtual firewall management
* Comprehensive remote management capabilities with role-based administration
* Flexible management model: controls policies at global, customer, device, interface, VLAN and IP address range levels
* Unmatched scalability: supports 1,000 VPN Firewall Bricks™, and 10,000 Lucent IPSec Client users from one LSMS console
* Carrier-grade reliability: distributable across multiple network operations centers (NOCs) for active/active redundancy with no single point of failure
* Real-time monitoring, robust logging, and customized reporting
* Multiple IP services deployment options: premises-based, network-based, tiered, and data-center architectures

Benefits
* One-and-done management solution--single platform provides centralized, comprehensive management of all IP services
* Low operating costs--totally secure remote management eliminates need for network reconfigurations, truck-rolls, on-site support; VLAN, virtual firewall, and QoS support included at no extra charge; management efficiencies cut staffing and administrative expenses
* Simple, economical licensing model--no ongoing license fees or add-ons required for complete security management
* Cost-saving growth--easily migrate network from basic to advanced security, VPN, and QoS services
* Assured business continuity--native high availability, carrier-grade reliability, no advisories or reported vulnerabilities
* Proven carrier-class performance--mature product with over 5 years of service in the world's largest networks

LSMS Technical Specifications

1. Mode of Operation
* Centralizes firewall, virtual firewall, VLAN, VPN and QoS policy management
* Proactively monitors all VPN Firewall Bricks™ and IPSec Client users
* Provides real-time monitoring, log collection, reporting and alarm generation
* Supports network-based and premises-based deployments

2. Performance and Capacity
* Supports 1,000 customer groups each with hundreds of unique policies
* Manages 1,000 VPN Firewall Bricks™ and 10,000 IPSec Client users
* Centrally collects up to 15,000 log records per second
* Supports 100 simultaneous administrators

3. Policy Management
* Uses a group-based model to manage a collection of devices, security policies, VPN tunnels, and user authentication components as a single entity
* Controls policies at the global, customer, device, interface, VLAN and IP address range level
* Includes preconfigured typical security and VPN policy templates that can be tailored to suit unique requirements
* Uses user-definable Host Groups, Service Groups, Application Filters and User Groups
* Supports global and nested policy objects

4. Role-based Administration
* Uses two administrative classes:
  * LSMS Administrators - full privileges over all groups, devices, policies and users
  * Group Administrators - restricted privileges and access only to assigned group(s)
* Supports shared administration with customers
* Local and remote administration via LSMS Remote Navigator utility (included); provides secure access to all LSMS utilities
* Allows concurrent administrators to exchange messages via a real-time messenger service

5. Secure 3-Tier Architecture
* LSMS to VPN Firewall Brick™ communications secured with Diffie-Hellman and 3DES encryption, SHA-1 authentication and integrity, and digital certificates for VPN Firewall Brick™ to LSMS authentication
* LSMS Remote Navigator to LSMS communications secured with 3DES encryption and SHA-1 authentication and integrity, and either local password or external database authentication with SecurID or RADIUS servers

6. Authentication
* Built-in internal database - 10,000 users
* Browser-based authentication allows authentication of any user protocol
* Local passwords, RADIUS, SecurID, X.509 digital certificates with Entrust CA PKI
* PKI Certificate requests (PKCS 12)
* Automatic LDAP certificate retrieval
* User assignable RADIUS attributes

7. Remote Access VPN Tunnel Management
* Fully integrates remote access VPN support, including Lucent IPSec Client software distribution and updates
* Centralizes management of all IPSec Client configurations, including personal firewall settings
* Allows any combination of authentication methods; configurable per user, user group or application
* Supports virtual addresses for tunnel end points
* Allows administrator to terminate specific tunnels when necessary, or terminate all tunnels in a single action

8. Site-to-Site VPN Tunnel Management
* Provides SLA probes for real-time round trip delay statistics and tunnel status indicators to verify tunnel availability in real-time; configurable with alarm notifications
* Supports virtual addresses for tunnel end points
* Configurable tunnel default settings
* Includes preconfigured VPN policy templates
* Fully integrated with firewall policy

9. High Availability/Redundancy
* Supports active/active management with geographically distributed servers and real-time database replication
* Internal database automatically backs up to a local and remote disk daily; additional backups can be scheduled at any time
* Backup file contains ALL policy, configuration, and security information for ALL configured devices and policies

10. Central Staging with Secure Upgrades
* Securely pushes the VPN Firewall Brick™ operating system to each device with no truck-rolls or on-site hardware support; maintains ALL sessions during an OS upgrade with a failover pair of VPN Firewall Bricks™

11. Application Programming Interfaces (APIs)
* Scriptable command line interface
* Parsable ASCII log files (for per-customer reporting)
* Supports SNMP GET v2c (read-only) and SNMP traps v1 and v2c

12. Audit Log Management
* Four categories of audit logs created daily:
  * Firewall Session Logs
  * Administrative Event Logs
  * User Authentication Logs
  * Proactive Monitoring Statistic Logs
* Real time logs viewable with Log Viewer; historical logs viewable with Log Viewer or Reporting System (see below).
* Log viewing and manipulation follows administrative permissions model
* Transfers logs in real-time over reliable and secured connections
* Configurable log file disk management
* Automated log scheduling and forwarding for post-processing

13. Real-time Log Viewer
* Displays log records as received from all VPN Firewall Bricks™; messages can be filtered, sorted and highlighted
* Includes historical record search capabilities with specified time parameters

14. Reporting System
* Generates HTML-based reports with full filtering, sorting and scheduling capabilities; configurable per administrator
* Reports include sessions over time, policy snapshots, administrator events and configuration changes
* Includes preconfigured reports for fast initial deployment

15. Customer Specific Report Generation and Delivery
* Integrates with the WebTrends Firewall Reporting Suite from NetIQ Corporation; uses the WebTrends Enhanced Log Format (WELF)
* Fully automates generation and delivery of customer-specific, traffic statistic graphic reports to customers via FTP, e-mail or http server

16. Policy Change Control
* Records all administrative activity to audit logs
* Captures all policy and configuration changes in detailed, user-configurable history files that are secured from tampering/modification and support policy roll-back

17. Alarms
* Generates alarms based on VPN Firewall Brick™ log messages and locally generated log messages from LSMS subsystems; configurable per-administrator
* Includes preconfigured alarms for fast initial deployment
* Configurable alarm triggers include:
  * LSMS Error
  * VPN Firewall Brick™ Error
  * VPN Firewall Brick™ Lost/Found
  * VPN Firewall Brick™ Interface Up/Down
  * Proactive Monitoring Threshold Crossing
  * VPN Firewall Brick™ Redundancy Alarms
  * LSMS Redundancy Alarms
  * ISS RealSecure Alarms
* Configurable notification methods:
  * Console Alarm (via the LSMS Remote Navigator)
  * Email
  * Out-of-band modem-dialed alphanumeric message sent to pager (via the TAP protocol)
  * SNMP Trap
  * SYSLOG Message (with configurable SYSLOG level)
* Alarm triggers can be mapped to any combination of notification methods

18. Real-Time Status Monitors
* Support real-time and historical dynamically-updating text and graphical monitoring
* VPN Firewall Brick™ monitor - provides windows for each device and aggregate collection of devices; monitors statistics for each physical port, packet, byte, and session; includes Quality-of-Service graphs to monitor throughput and performance relative to configured guarantees and limits
* VPN Tunnel monitor - provides status of each VPN tunnel; monitors Service-Level Agreements (SLAs) for VPN tunnel round-trip delay
* Administrator and LSMS monitor - views all logged-in administrators and connection statistics; reports connection status of each LSMS in real-time

19. Command Line Interface
* Allows administrators to script the configuration of many LSMS components and policy objects using a text file-based interface

20. SNMP Agent
* Accesses limited configuration and statistic information regarding the system and associated VPN Firewall Bricks™ in a Read-Only fashion via the LSMS. Absolutely NO information may be configured via SNMP. VPN Firewall Bricks™ do NOT respond to SNMP or any variation thereof. Available in SNMP v2c format.

21. VPN Firewall Brick™ Remote Console
* Provides a secure remote console to any VPN Firewall Brick™ and executes debugging/troubleshooting commands
* No policy modifications can be made from this Remote Console or any VPN Firewall Brick™ console interface

LSMS Hardware Requirements

Microsoft Windows NT 4.0 (Server or Workstation), Windows 2000 (Professional or Server)
* 500 MHz Pentium Pro processor (minimum)
* 512 MB system memory or higher recommended
* 128 MB system swap space (minimum)
* 4-GB hard drive
* CD-ROM drive
* 3.5-inch floppy drive
* 1 Ethernet card
* Video card capable of 1024 x 768 resolution with 65,535 colors

Sun Solaris 7 or 8
* 333 MHz processor (minimum)
* 512 MB system memory or higher recommended
* 500 MB free disk space in the partition in which the server software is installed
* Swap space as large as the amount of RAM (minimum)
* CD-ROM drive
* 3.5-inch floppy drive
* 1 Ethernet card

Ordering Information
* LSMS Basic (includes license to manage up to 5 VPN Firewall Brick™ 20, 80, 201, 300 and 500, unlimited LAN-to-LAN VPN tunnels and 5 simultaneous IPSec Client tunnels): Part Number 300532629
* LSMS Premium (includes license to manage all models of up to 5 VPN Firewall Bricks™, unlimited LAN-to-LAN VPN tunnels, 105 simultaneous IPSec Client tunnels and Lucent IPSec Client Custom Branding Package): Part Number 300531761
* LSMS Basic Redundancy Package (for High Availability applications): Part Number 300532637
* LSMS Premium Redundancy Package (for High Availability applications): Part Number 300532603
* Additional 5 VPN Firewall Brick™ management license: Part Number 300532918
* Additional 25 VPN Firewall Brick™ management license: Part Number 300532934
* Additional 50 VPN Firewall Brick™ management license: Part Number 300532967
* Additional 100 VPN Firewall Brick™ management license: Part Number 300533023
* Upgrade LSMS Basic to LSMS Premium: Part Number 300532611
* Lucent Proxy Agent: Included in LSMS software
* Lucent IPSec Client: See Lucent IPSec Client data sheet for ordering details

To learn more, please contact your Lucent Technologies Sales Representative or Lucent BusinessPartner. Or visit our web site at www.lucent.com.

This document is provided for planning purposes only and is not intended to modify or supplement any Lucent Technologies specifications or warranties relating to the products or services described herein. Specifications are subject to change without notice.

VPN Firewall Brick is a trademark of Lucent Technologies Inc.

Copyright (c) 2002 Lucent Technologies Inc. All rights reserved

LSMS v1 07/02