Rock VPN - Appliance

The dedicated Rock VPN Appliance forms part of the Rock VPN suite of products. Used in conjunction with other Rock VPN product models or other third party IPSec compliant products, the VPN Appliance allows you to set up secured communications between other VPN Appliances, Rock VPN Gateways, Server Protectors or user workstations running the Rock VPN Workstation Software.

Product Description

The VPN Appliance boasts in-line IPSec encryption. It connects to the network via dual Ethernet 10/100 interfaces, and it inspects traffic passing through by using a configured security policy to determine what data to encrypt. It is a standards-based product using the IETF IPSec and IKE protocols.

You can selectively enable privacy, integrity and authenticity of information sent between itself and other participants in Virtual Private Networks (VPNs). The secure traffic can be safely sent across the Internet and other untrusted networks, allowing networks to participate securely in user communities, corporate or dial-up VPNs, as well as Intranet VPNs.

The unit is delivered as a turnkey appliance using flash memory to store the hardened UNIX operating system, and can be remotely upgraded over the network. Commissioning involves network configuration using the command line interface, followed by policy setup using the Workstation Software or the Central Manager.

Benefits

The VPN appliance is easily deployed to secure sub-nets without network reconfiguration. It can be used to secure communication between branches and with business partners. It offers superior levels of reliability and manageability.

Features and Specifications

Physical Characteristics:

• Dedicated hardware unit
• Highly reliable Flash or HDD based design

Network interfaces:

• 2 x RJ45 10/100BaseT Connectors

Configuration Interface:

• RS232 port for initial configuration

Throughput (512 byte packets):

• 11 Mbit/s with AES
• 17.5 Mbit/s with Blowfish

Capacity:

• 250 simultaneous Security Associations

IPSec features supported:

• AH/ESP tunnel and transport mode
• Main, Quick and Aggressive modes
• Expiration of Security Associations (SAs) using time and/or kilobytes
• NAT Traversal
• Path MTU discovery

Encryption algorithms supported:

• DES (56 bit), 3DES (168 bit)
• IDEA (128 bit)
• Blowfish (40 - 446 bit)
• AES / Rijndael (128, 192 & 256 bit)

Authentication and Key Exchange support:

• IKE (formerly known as ISAKMP/Oakley)
• Diffie-Hellman (768, 1024 bit)
• RSA (1024, 2048 bit)
• Signatures: RSA, DSS, X.509
• Pre-shared secrets
• Perfect forward security (PFS) support for Diffie-Hellman in Quick Mode

Hash functions supported:

• MD5
• SHA1

Standards supported:

• IETF IPSec
• ISO X.509 v3
• PKCS #1, #10, #12
• SCEP / CMP

Certification Authorities supported:

• VeriSign
• RSA Data Security Certificate Server (Keon)
• Baltimore
• Entrust

Certificate Management:

• Automatic retrieval and processing of certificates and Certificate Revocation Lists (CRLs)
• X.509v3 certificates supported
• Automatic certificate enrolment using SCEP / CMP

Management:

• Network based remote management from workstation using Central Manager
• Policy + rule based configuration
• User friendly Graphical User Interface
• Management secured via IPSec
• Granular control based on IP address, subnet address, address range, port and protocol
• Live configuration
• Access control based on X.509 certificate contents
• Command Line Interface for network setup and initial configuration
• Logging to console, or using remote syslog
• SNMP queries using Unix MIB II

Download PDF Version: