Network threats and attacks are on the rise, and organizations are relying on the network to gain a competitive advantage. Convergence of network resources drives cost savings and productivity while improving customer engagement. However, an unprotected or poorly protected network is not a competitive advantage: the network must be protected by the best security firewall available. The Nortel Switched Firewall, based on software from Check Point, a leader in firewall technology, is a key component of Nortel’s Layered Defense. The 6000 Series is ideal for deployment in large enterprise environments; it is certified under the Check Point Open Platform for Security (OPSEC) criteria and enhances a VPN-1/FireWall-1 deployment with unique services and capabilities.
Switched Firewall — defined
The Nortel Switched Firewall 6000 Series is a key component in Nortel’s Layered Defense strategy. It separates the Policy Inspection function from the Policy Enforcement and Data Forwarding function. This results in a high-performance system that is optimized to support today’s applications and services while protecting the network from today’s threats.
The benefits of this include:
> Wire-speed packet forwarding for assured performance
> Simplified network topology for easy management and troubleshooting
> Protection from application-level attacks via Check Point SmartDefense functionality
> Availability for both site-to-site and client-to-site IPsec VPN with Check Point VPN-1 technology
> Stateful Policy Inspection — Inspecting all traffic and comparing it to defined security rules
> Policy Enforcement and Data Forwarding — Forwarding or blocking traffic based on the rules and signatures
> Intelligent security with high performance
• Throughput of up to 7 Gbps
• Connections per second of 20,000 to 100,000
• Concurrent connections of 2,000,000
Nortel Switched Firewalls are also available in non-accelerated form: the 5111, 5114 and 5124. Please see the Nortel Switched Firewall 5100 Series product brief for more information.
The Nortel Switched Firewall System 6416 consists of a Switched Firewall Accelerator (SFA) 6400 and a Switched Firewall Director (SFD) 5016; the Switched Firewall System 6616 pairs a Switched Firewall Accelerator 6600 with a 5016. The initial packets of any session are sent by the SFA to the SFD for policy inspection. The SFD returns the packets to the SFA with instructions for handling subsequent packets. For most traffic, the SFA 6400 or 6600 then performs deep-packet inspection in hardware, as prescribed by the core firewall logic in the SFD, so that up to 90 percent of all packets are safely forwarded by the hardware.
The resulting throughput is 5.0 Gbps for the 6416 and 7.0 Gbps for the 6616. This high-capacity, low-latency performance, made possible by Check Point SecureXL technology, frees the core firewall resources to inspect and connect a much higher number of concurrent sessions and to handle more connection requests per second. This type of performance is critical in any real-time services deployment such as VoIP, SIP or multimedia.
Because traditional implementations would require expensive extra resources to handle the expected peak traffic loads, this feature distinguishes the Nortel Switched Firewall from all server-based platforms.
Ideal for VoIP, SIP and multimedia:
> High performance: 5 to 7 Gbps
> 20,000 to 100,000 connections per second
> 99.999 percent availability with in-service upgrades
> Accelerated NAT and application intelligence
Initial packets are inspected by the SFD. The SFA maintains a session entry and accelerates subsequent packets from the same safe session. Up to 90 percent of packets are accelerated.
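The Director/Accelerator split described above is a session-table fast path: the policy engine sees only the first packet of a flow, and the forwarding plane handles the rest from a cached verdict. The following is an added example modelling that split, not Nortel or Check Point code; the rule base, host addresses and traffic are constructed. It also shows the stateful check a practitioner expects at this boundary: a mid-stream TCP packet with no session entry is dropped without ever reaching the policy engine.

```python
"""Model of the Director/Accelerator split. The Director is the policy engine
and sees only the first packet of each flow; the Accelerator forwards the
remaining packets from a session table built from the Director's verdicts.
Added example, not Nortel or Check Point code; rules and traffic constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, str, int, int]  # proto, endpoint A, endpoint B, port A, port B

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # TCP only: marks a new connection attempt

@dataclass(frozen=True)
class Rule:
    action: str  # "accept" or "drop"
    proto: Optional[str] = None  # None matches anything
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

class Director:
    """Policy inspection: evaluate the rule base top-down, first match wins."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default
        self.inspected = 0  # packets that reached the policy engine

    def decide(self, p: Packet) -> str:
        self.inspected += 1
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default

def session_key(p: Packet) -> FlowKey:
    """Direction-independent key, so replies hit the entry the request created."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a[0], b[0], a[1], b[1])

class Accelerator:
    """Forwarding plane: consults the Director only when no session entry exists."""

    def __init__(self, director: Director):
        self.director = director
        self.sessions: Dict[FlowKey, str] = {}  # real devices also age entries out
        self.accelerated = 0

    def handle(self, p: Packet) -> str:
        key = session_key(p)
        verdict = self.sessions.get(key)
        if verdict is not None:
            self.accelerated += 1  # fast path, policy engine not involved
            return verdict
        if p.proto == "tcp" and not p.syn:
            # Mid-stream TCP packet with no session: not a valid new flow, so
            # drop it here rather than spend Director capacity on it.
            return "drop"
        verdict = self.director.decide(p)  # first packet: punt to the Director
        self.sessions[key] = verdict  # cache the verdict for the rest of the flow
        return verdict

def run_demo() -> dict:
    """Constructed traffic: a 10-packet HTTPS exchange, a 4-packet SIP exchange
    and one Telnet attempt that the policy does not permit."""
    rules = [Rule("accept", proto="tcp", dst="10.0.0.5", dport=443),
             Rule("accept", proto="udp", dst="10.0.0.9", dport=5060)]
    sfa = Accelerator(Director(rules))
    https = ([Packet("tcp", "192.0.2.10", "10.0.0.5", 51000, 443, syn=True),
              Packet("tcp", "10.0.0.5", "192.0.2.10", 443, 51000)]
             + [Packet("tcp", "192.0.2.10", "10.0.0.5", 51000, 443)] * 8)
    sip = ([Packet("udp", "192.0.2.20", "10.0.0.9", 5060, 5060)] * 2
           + [Packet("udp", "10.0.0.9", "192.0.2.20", 5060, 5060)] * 2)
    stray = [Packet("tcp", "192.0.2.30", "10.0.0.5", 40000, 23, syn=True)]
    verdicts = [sfa.handle(p) for p in https + sip + stray]
    return {"verdicts": verdicts,
            "inspected": sfa.director.inspected,
            "accelerated": sfa.accelerated,
            "accelerated_pct": round(100 * sfa.accelerated / len(verdicts))}

if __name__ == "__main__":
    print(run_demo())
```

Of the 15 constructed packets, only three (one per flow) reach the Director; the other twelve are forwarded from the session table. The ratio on a real network depends on flow length, which is why the brief quotes "up to" 90 percent rather than a fixed figure.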
Key applications — Nortel Switched Firewall System 6416 and 6616
Nortel’s Threat Protection System uses intrusion detection and real-time threat intelligence to analyze and detect network threats. An intelligent, automatic update to Nortel Switched Firewall blocks threats before they harm the network.
Layer 2 through Layer 7 Content Filtering
The Switched Firewall System performs full inspection of any IP application header or payload and uses this information to apply firewall rules to the network data flows. This capability enables the switched firewall to block attacks and unauthorized traffic before there is any chance of performance degradation or network outage. Up to 224 filtering rules can be configured to allow or deny traffic based on application type, protocol type and IP source/destination addresses.
The Switched Firewall 6000 Series supports hitless upgrade, which keeps the network traffic flowing with minimal disruption in service during the upgrade process. If the upgrade process is interrupted, hitless upgrade allows for graceful rollback to the previous version without affecting traffic.
Device Load Balancing
Up to six Switched Firewall Directors can be load balanced and health checked by a single Switched Firewall Accelerator. Health checks are performed to ensure availability. In addition, Intrusion Detection Systems (IDSs) can be load balanced from the Switched Firewall System: multiple IDS units may be run in parallel across multiple security zones or VLANs, with the Switched Firewall System ensuring that all frames of a session are sent to the same IDS.
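Sending every frame of a session to the same IDS is the property that matters for detection: a sensor that sees only one direction of a connection cannot reassemble the stream. The following added example (not Nortel code; sensor names and flows are constructed) shows one way to get that affinity, by hashing a direction-independent flow key, and uses rendezvous hashing so that when a sensor fails its health check only the flows that were on that sensor are reassigned.

```python
"""Flow-affine IDS load balancing: every frame of a session, in both directions,
reaches the same sensor. Added example, not Nortel code; sensor names and the
flows are constructed."""

import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int]  # proto, src, dst, sport, dport

def canonical(flow: Flow) -> Flow:
    """Order the two endpoints so a request and its reply yield the same key."""
    proto, src, dst, sport, dport = flow
    if (src, sport) <= (dst, dport):
        return (proto, src, dst, sport, dport)
    return (proto, dst, src, dport, sport)

def pick_sensor(flow: Flow, sensors: List[str]) -> str:
    """Rendezvous (highest-random-weight) hashing over the canonical key.

    SHA-256 rather than hash(): deterministic across processes and devices.
    Removing a failed sensor only moves the flows that were on that sensor;
    every other flow keeps its assignment."""
    key = "|".join(map(str, canonical(flow))).encode()
    return max(sensors, key=lambda s: hashlib.sha256(key + b"#" + s.encode()).digest())

def demo() -> Dict[str, object]:
    sensors = ["ids-1", "ids-2", "ids-3"]
    # 200 constructed client flows to one web server, plus their reverse direction.
    flows = [("tcp", "192.0.2.%d" % i, "10.0.0.5", 40000 + i, 80) for i in range(200)]
    replies = [(p, d, s, dp, sp) for (p, s, d, sp, dp) in flows]
    symmetric = all(pick_sensor(f, sensors) == pick_sensor(r, sensors)
                    for f, r in zip(flows, replies))
    before = {f: pick_sensor(f, sensors) for f in flows}
    # Health check fails ids-2: only its flows should be reassigned.
    after = {f: pick_sensor(f, ["ids-1", "ids-3"]) for f in flows}
    moved_needlessly = sum(1 for f in flows
                           if before[f] != "ids-2" and before[f] != after[f])
    return {"symmetric": symmetric,
            "sensors_used": len(set(before.values())),
            "moved_needlessly": moved_needlessly,
            "ids2_flows_rehomed": all(after[f] != "ids-2" for f in flows)}

if __name__ == "__main__":
    print(demo())
```

A plain `hash(key) % len(sensors)` would also give both directions the same sensor, but removing one sensor from the list would reshuffle most flows and interrupt inspection of sessions that were never on the failed unit.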
With IEEE 802.1q support, each VLAN is supported as a separate firewall interface. Up to 242 individual VLANs are supported. Unique security policies may be implemented and enforced for each VLAN. This makes the 6416 and 6616 ideal for deployment in multi-tenant or multi-department environments where unique security policies and inter-VLAN policy inspection are required. Examples include airports, government offices, malls, stadiums, banks, schools, universities and hospitals.
Network Address Translation
The Nortel Switched Firewall System performs Network Address Translation (NAT) to preserve and hide organizational IP addresses. With this accelerated NAT function performed in the switch hardware, the core firewall system devotes its resources to session connections and complex security concerns, so there is no performance or throughput degradation. Traditional firewalls often degrade network performance and throughput when invoking NAT functions.
Layer 2/Layer 3 mode deployment
The Switched Firewall 6000 Series supports flexible deployment in both Layer 2 and Layer 3 mode. Customers can deploy the 6000 Series into existing topologies in Layer 2 mode with no address or routing changes. Network segments can then be migrated port-by-port to Layer 3 mode if desired.
Gateway persistency is another very useful feature of the Switched Firewall 6000 Series. In a multiple-ISP-link scenario, gateway persistency ensures that the requests and responses for a particular connection always traverse the same gateway.
Low total cost of ownership
Network traffic is growing. Organizational dependence on communication and interaction means that security solutions must be cost-effective and able to grow to meet future demand. The Nortel Switched Firewall System 6416 and 6616 can both be scaled to meet this growth. An initial system with one Switched Firewall Director supports 20,000 session connection requests per second. As network traffic increases, a second Director can be added with automatic configuration and no service disruption. Up to six Directors can be supported by a single Switched Firewall Accelerator, providing up to 100,000 session connection requests per second and 2,000,000 total concurrent connections.
Managing a Switched Firewall System is easy. A Single System Image (SSI) controls all configuration data, including physical interfaces, VLANs, IP interfaces, routing protocols and administrative settings. This data is securely and automatically shared within the Switched Firewall cluster. In addition, the cluster is managed through a single IP address, making it easy to perform configuration changes, back up configuration data and update software for all units in the cluster. Existing Check Point customers may reuse their existing license to move their firewall onto any Nortel Switched Firewall System.
Support for Multi-Link Trunking
To achieve resiliency in a data center environment, the Nortel Switched Firewall can be integrated with the core Ethernet Routing Switch 8600 routers using Multi-Link Trunking (MLT). By building resiliency into the network core, user access points remain connected to the network even in the event of a failure.
Enhanced VoIP and multimedia support
Companies are deploying voice over IP (VoIP) and Session Initiation Protocol (SIP) services to enhance productivity. The added flexibility and mobility from these services means that VoIP and SIP traffic will need to traverse the firewall. This can present many problems. Traditional firewalls may not support the complexity of signaling used by these services. Many existing firewall implementations add too much delay or jitter into the media path and adversely affect the voice or multimedia quality. The Nortel Switched Firewall System is optimized to support VoIP and SIP services. High packet throughput to minimize delay, VoIP and SIP application awareness and virtually jitter-free performance are fundamental to its design and function.
In addition, the Nortel Switched Firewall has been successfully tested with Nortel’s widely deployed multimedia devices (e.g., Multimedia Communication Server 5100 and Communication Server 1000).
Carrier-class availability for assured customer connection
Network availability, reliable service and application performance are critical to any organization’s IT strategy. Active-Active High Availability in the Switched Firewall System enables automatic failover to other Switched Firewall Directors in the security cluster and provides 99.999 percent application and service availability. This eliminates single points of failure in the network. The High-Availability configuration uses two Switched Firewall Accelerators and supports in-service upgrades so that the firewall system never needs to be taken out of service. With Plug and Play (PnP) deployment and expansion with a Single System Image, the Nortel Switched Firewall is easy to manage and maintain.
Total threat protection
The Nortel Switched Firewall is a key component of the Nortel Layered Defense Architecture. It provides the highest level of security, combined with high performance and low latency, as demanded by today’s leading enterprise and carrier customers. The Nortel Switched Firewall is an important pillar in the complete Nortel security solution that includes the Nortel Application Switch, Nortel Secure Network Access Switch and Nortel Threat Protection System. When combined, the comprehensive solution provides total threat protection.
Part numbers and description
• EB1639174E5 – Switched Firewall System 6616, complete with Accelerator and Director
• EB1639113E5 – Switched Firewall Accelerator 6600, to upgrade an existing Director or to create a High Availability configuration
• EB1639173E5 – Switched Firewall System 6416, complete with Accelerator and Director
• EB1639067E5 – Switched Firewall Accelerator 6400, to upgrade an existing Director or to create a High Availability configuration
• EB1639130E5 – Switched Firewall Director 5016, 4 x 10/100/1000BASE-TX ports
• EB1639131E5 – Switched Firewall/VPN Director 5026, 4 x 10/100/1000BASE-TX ports and VPN Acceleration card
• 10/100/1000BASE-TX Port 10/100/1000 full or half-duplex (auto-negotiation) with RJ-45 UTP port
• 1000BASE-SX Port 1-port 1000BASE-SX SFP GBIC (Con. Type: LC)
• 1000BASE-LX Port 1-port 1000BASE-LX SFP GBIC (Con. Type: LC)
• RS-232C Console DB-9 serial connection, female DCE interface for out-of-band management
• 10BASE-T/100BASE-TX/1000BASE-TX Port 10/100/1000 full or half-duplex (auto-negotiation) with RJ-45 UTP port
• RS-232C Console DB-9 serial connection, female DCE interface for out-of-band management
• IP routing interfaces: 256
• Default gateways: 4
• VLANs: 242
• Trunk groups: 12
Network protocol and standards compatibility
• 10BASE-T/100BASE-TX/1000BASE-TX (IEEE 802.3-2000)
• 1000BASE-SX/LX (IEEE 802.3z)
• Logical link control (IEEE 802.2)
• Flow control (IEEE 802.3x)
• Link negotiation (IEEE 802.3z)
• Port Trunking (IEEE 802.3ad)
• VLANs (IEEE 802.1Q): Frame tagging on all ports when VLANs enabled
• IP (RFC 791)
• ICMP (RFC 792)
• ARP (RFC 826)
• RIP 1 (RFC 1058), RIP 2 (RFC 1723)
• OSPF with MD5 authentication (RFC 2328)
• VRRP (RFC 2338)
• CIDR (RFC 1519)
• TFTP (RFC 783), FTP (RFC 959)
• Telnet (RFC 854)
• SSH v1/v2
• SSL/TLS (RFC 2246)
• DVMRP (RFC 1075)
• IGMP (RFC 2236)
• BootP/DHCP Relay (RFC 2131)
• SNMPv2c (RFCs 1901, 1905, 1906, 1907, 2578, 2579, 2580)
• SNMPv3 (RFCs 2570, 2571, 2572, 2573, 2574, 2575)
• Auto-ranging power supply: 100-240 VAC @ 3.5 Amps, 50-60 Hz
• Maximum power consumption: 250 Watts
• MTBF: >50,000 hours
• Operating temperature: 10° to 35° C (+45° to +100° F)
• Operating humidity: 8% to 80% (non-condensing)
EMC (electromagnetic compatibility) requirements
• USA: FCC Part 15, Subpart B Class A
• Australia: AS/NZS CISPR 22:2002
• Canada: ICES-003
• Japan: VCCI Class A
• Europe: EN 300 386 v1.3.1 (2001-09)
• Taiwan: BSMI Registration Certificate
• Rest of World: CISPR 22 Class A
• US — FCC Class B
• Canada — DOC Class B
• Europe — CE Mark to EN55022/EN50082-1/IEC 801-2/IEC 801-3/IEC 801-4
• IEC 60950 (International)
• National Deviation per CB Member Countries to IEC 60950
• UL 1950 (USA)
• CSA 22.2, No. 950 (Canada)
• EN 60950 (Europe)