Introduction (pg. 3)
Business environment (pg. 3)
IT Environment (pg. 4)
Requirements (pg. 6)
  Network setup (pg. 6)
    Internet connectivity for remote workers (pg. 6)
    Authentication and connection (pg. 7)
    Electronic mail (pg. 8)
    Presentations (pg. 8)
  Common security threats and the impact on the business (pg. 9)
Benefits and weaknesses of telecommuting (pg. 11)
  Benefits for the company (pg. 11)
  Drawbacks for the company (pg. 11)
  Benefits for employees (pg. 12)
  Drawbacks for employees (pg. 12)
  Trade Union Issues (pg. 13)
Budgeted costs (pg. 14)
Technical design and deployment (pg. 23)
  VPN Overview (pg. 24)
  IP Sec Overview (pg. 24)
  Client connection (pg. 24)
  Server authentication and connection (pg. 25)
  Project plan (pg. 27)
Responsibilities and duties (pg. 33)
  Business and service management (pg. 33)
  Network Management and Security (pg. 33)
  Project management (pg. 33)
Conclusion and recommendations (pg. 34)
Appendix A - Technical specifications (pg. 35)
References and bibliography (pg. 50)
Introduction
This document describes the requirements, analysis and implementation plan for setting up
network access for sales staff operating remotely, in order to provide the best possible service
to current and potential customers. This will be achieved by providing:
1. Secure remote access for the sales force operating from mobile client computers and
wireless devices;
2. Access to electronic mail;
3. Access to up-to-date customer and transaction information through client software
installed on the remote workstations, which queries the central database;
4. The ability for the client software installed on remote workstations to carry out online
and offline sales transactions. Synchronisation of offline transactions can be carried out
remotely or directly at the head office;
5. Suitable office applications installed on the remote workstations to enable the sales
force to give product presentations to customers, report to the company's management
and carry out general office duties as necessary;
6. Backup of remote workstations, to run overnight when the network is not being used.
This will be done either through a scheduled automated backup script or manually by
the users, depending on the available technologies;
7. Training for the sales force and network administrators on the proposed setup, with
guidelines on security concerns and appropriate usage of the equipment provided, so as
to reduce, as far as possible, the exposure of the company's integrity to risk.
Business environment
Garner Insurance Ltd., herein referred to as the company, is one of Malta's leading
insurance companies. Established in 1999, it offers various insurance products at
competitive prices intended to cover its personal and business customers against various
risks at different levels. Although relatively new to the market, the company has managed to
double its profits over the last 5 years, notwithstanding fierce competition from companies
that are more established locally.
The company's workforce employs more than 300 personnel, including a sales team of 156.
This is expected to increase to 400 employees over the next 5 years according to the current
business plan.
Table 1 - Sales force projections

                      2005    2010
Senior sales staff      60     100
Normal sales staff     156     300
In addition to substantial investment in advertising and promotion, the targets set by senior
management focus on the ability and competency of the sales force to promote the company's
products. One of the sales distribution channels is to sell directly to customers on a
door-to-door basis.
Senior sales staff have over 5 years' experience in direct sales and insurance, and provide
support and supervision to the sales staff.
Normal sales staff are given extensive and continuous training on the company's products
and are expected to perform their duties within the company's sales objectives:
1. Seek potential customers in order to attract them into buying the company's products;
2. Ensure customer satisfaction in order to secure customer loyalty;
3. Liaise directly with senior sales staff, passing on the feedback obtained from customers.
In turn, senior sales staff analyse the feedback and provide management with
recommendations to further increase the company's local market share; and
4. Seek support from senior sales staff to enable them to close sales within the
company's sales guidelines.
IT Environment
The company network at the Head Office is a client-server setup. The main servers are:
Table 2 - Server Information

Server name   Main function
Giorgio       SQL server
Alberto       E-mail server
Edmundo       Intranet server
Juan          Domain Controller (Active Directory)
Carlo         File / Application server

Figure 1 - Head Office network diagram (not reproduced here). Server names are not used in
the diagram for illustration purposes.
All server disks are configured as RAID level 1 (mirroring) to provide redundancy in case of
disk failure. Windows 2000 Server is installed on all servers.
A full backup is taken every Sunday, whilst incremental backups are taken daily on DLT
tapes during non-operational hours. Weekly backups are sent for safe keeping to an off-site
location under an agreement with a service provider. The company is in the process of
reviewing its maintenance agreement in order to provide for the replacement of any
equipment within the server farm.
A spare server is already available as a replacement. Due to the expected heavier load on the
SQL Server, the company is currently investigating the possibility of configuring this server to
be used in conjunction with the current database server as an active / failover cluster. This
would require upgrading the OS on the database servers to Windows 2000 Advanced Server
in order to provide this functionality. The company is also evaluating the risk of keeping no
spare servers at the premises, so as not to have idle hardware on site.
The company's website is hosted by a service provider and maintained by a specialized
marketing company.
It is company procedure to retain at least 1 spare computer for every 10 used by its
employees. This policy also applies to desktops, laptops and desk printers. Other spare
equipment, such as scanners, networking equipment, cables and parts, is held by the IT
section. Spare PDAs will be purchased as standby equipment on the same 1 to 10 basis.
Duplicate equipment shall be purchased for essential networking equipment (e.g. VPN
concentrators, switches, firewalls) and, where possible, configured so that the second unit is
not left idle. The main purpose, however, is to have failover equipment so that the company's
communication lines are not interrupted when a unit is faulty. Ideally the switchover should
be transparent to local and remote users, so as not to disrupt the daily running of the
business.
Remote workers using laptops shall be able to log in to the company's core system through
the Web server and carry out transactions normally.
User-interface software for Personal Digital Assistants is still being developed. It will be
tested before installation during the pilot stage of this project. Whilst software errors may
surface at any phase, the client software installed shall be the accepted final version.
Requirements
Network setup
Internet connectivity for remote workers
Remote users will connect to the head office network by establishing a Virtual Private
Network with the company network over the Internet.
Remote workers using laptops shall connect from home through a broadband Internet
connection. They can also connect to the Internet through a GPRS connection when they are
not at home. Users with PDAs shall connect through a GPRS connection. This is useful to
keep communication lines open whilst remote workers are travelling, on training or attending
meetings and conferences, and to keep in touch with their colleagues during extended
vacation periods.
Wireless technology offers wider bandwidth than a GPRS connection and could provide a
better alternative for connecting laptops. However, it would be more expensive than GPRS,
since it is a relatively new technology in Malta. Moreover, the GPRS connection on laptops is
only being considered as a backup communication line, since it is expected that employees
will mainly use their home connection. Management has to take preventive measures to avoid
possible abuse leading to increased communication costs.
The company has to ensure that the cost of GPRS usage is kept to a minimum, by applying
and enforcing a set of guidelines for remote teleworkers:
- Where possible, a connection that is paid periodically (e.g. the home ISP connection) is
to be used, and GPRS is used only where Internet access is not available at a cheaper
price, e.g. when attending conferences or while travelling, especially abroad. The mobile
operator has to be contacted beforehand for correct usage of the device on roaming
services while abroad.
- Internet traffic monitoring software shall be installed, reporting usage statistics to the
network administrator.
- E-mail is ideally downloaded once or twice a day rather than continuously, except for
urgent communications.
- Attachments are downloaded over the broadband connection, where charges do not
depend on download size, or else at the Head Office.
- The GPRS connection should not be used for personal interests, although some
communication on a personal level (e.g. keeping in touch with colleagues) may be
generally accepted, as long as this is acceptable to management.
- Multimedia files, including pictures, music files and videos, are not to be downloaded
except where strictly necessary.
The mobile operator and Internet service provider shall provide a reliable Internet connection
for the remote workers. The company, on the other hand, is responsible for the maintenance
and integrity of the internal network and of the equipment it owns (or leases).
Authentication and connection
The VPN server hardware shall authenticate the user by passing the credentials presented on
the tunnel to the MS Active Directory server (via the VPN authentication server). This
authentication information is sent unencrypted, so the exchange must stay confined to the
Server Farm VLAN and, where the appliance supports it, should run over RADIUS or TACACS+
with a long, random shared secret (the Cisco PIX data sheet in Appendix A lists both) rather
than in clear text. Traffic is filtered by the internal firewall and routed to the Server Farm
VLAN by the switch connected to the internal network.
Once a user is authenticated a VPN tunnel is created and the user is connected to the
internal network. Each user will be able to access the same resources locally and remotely,
with the exception of peripherals that are only used at Head Office, such as scanners, faxes
and printers.
The VPN server shall have a static public IP address (and a fixed host name, see Client
connection), since it will be accessed from all remote connections.
An IPSec VPN shall be used, since it has the advantage of essentially making the remote
computer part of the corporate network: applications run without being aware that any
encryption or Internet routing is taking place. The drawback is that any security exposure on
the remote computer becomes a risk to the corporate network. Various security controls
(personal firewall, anti-virus, no split tunnelling, see Client connection) can be configured
centrally to reduce this risk.
Data will be encrypted with 168-bit 3DES, which has to be supported by the VPN server (this
is the encryption licence listed under Networking equipment). As the name implies, 3DES
applies DES three times with three independent 56-bit keys; because of the meet-in-the-middle
attack its effective strength is about 112 bits rather than 168, and it works on 64-bit blocks,
so the IPSec security association lifetime should force re-keying well before tens of gigabytes
have passed under one key. In 2001 the National Institute of Standards and Technology
replaced DES with AES (Advanced Encryption Standard, FIPS 197), which is expected to
remain strong for the next 10 to 20 years. For the volume and sensitivity of the sales traffic,
168-bit 3DES is considered sufficiently secure for remote teleworking, but AES should be
preferred wherever the VPN server licence and the client software support it.
The internal firewall shall be configured to allow traffic only from the public mailserver and the
VPN concentrator (i.e. the authentication exchange, and data passed once the session has
been established).
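The following is an added example, not part of this proposal or of any vendor's software. It reproduces how a VPN concentrator hands a user's password to a RADIUS authentication server (RFC 2865, section 5.2), the exchange the PIX data sheet in Appendix A refers to as "TACACS+ and RADIUS". It shows that the password is not sent as-is but only masked with an MD5 keystream derived from the shared secret and a per-request authenticator, so anyone on the Server Farm VLAN who obtains or guesses the shared secret recovers every password. The user name, the password, the shared secret and the NAS address 192.0.2.1 are constructed for the example; the dictionary stands in for the Active Directory lookup.

```python
"""
RADIUS User-Password hiding (RFC 2865 section 5.2), as used when a VPN
concentrator forwards a remote user's credentials to the authentication
server. Added example for this proposal, not code from the proposal or
from any vendor. Names, addresses and the shared secret are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the AAA server does, and equally what
    anyone on the path who knows (or guesses) the shared secret can do."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         nas_ip: str, secret: bytes, authenticator: bytes = None) -> bytes:
    """Encode a minimal Access-Request: Code, Identifier, Length, 16-byte
    Request Authenticator, then Type/Length/Value attributes."""
    if authenticator is None:
        # Must be unpredictable and unique per request: reusing it with the same
        # secret reuses the first keystream block and leaks the XOR of two passwords.
        authenticator = os.urandom(16)
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(username)) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("!BB", ATTR_USER_PASSWORD, 2 + len(hidden)) + hidden
    attrs += struct.pack("!BB", ATTR_NAS_IP_ADDRESS, 6) + bytes(int(o) for o in nas_ip.split("."))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes) -> dict:
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return {"id": identifier, "authenticator": packet[4:20], "attrs": attrs}


def authenticate(packet: bytes, secret: bytes, directory: dict) -> bool:
    """Server side: unhide the password and compare it with the directory entry
    (a plain dict stands in for the Active Directory lookup)."""
    req = parse_access_request(packet)
    user = req["attrs"][ATTR_USER_NAME].decode("utf-8", "replace")
    password = reveal_password(req["attrs"][ATTR_USER_PASSWORD], secret, req["authenticator"])
    return directory.get(user) == password


def brute_force_secret(packet: bytes, known_password: bytes, candidates):
    """Attacker side: one captured request for an account whose password is
    known (e.g. the attacker's own) lets the shared secret be tested offline."""
    req = parse_access_request(packet)
    hidden = req["attrs"][ATTR_USER_PASSWORD]
    for secret in candidates:
        if reveal_password(hidden, secret, req["authenticator"]) == known_password:
            return secret
    return None


if __name__ == "__main__":
    SECRET = b"example-shared-secret"          # constructed
    DIRECTORY = {"jsmith": b"Winter2005!"}     # constructed stand-in for AD
    pkt = build_access_request(7, b"jsmith", DIRECTORY["jsmith"], "192.0.2.1", SECRET)
    print("server accepts:", authenticate(pkt, SECRET, DIRECTORY))
    print("weak secret found:", brute_force_secret(pkt, b"Winter2005!", [b"cisco", b"radius", SECRET]))
```

The practical consequence for this design: the shared secret is the only thing protecting every sales person's password on the leg between the VPN server and the authentication server, so it should be as long and random as the appliance allows, it must never be reused with another device, and the authentication server should be reachable from the VPN server's inside interface only.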
Electronic mail
E-mail within the company's LAN is handled by the e-mail server on Alberto. E-mail received
on this server and addressed to mailboxes within the company's LAN is delivered to those
mailboxes. E-mail addressed to other e-mail addresses is forwarded to the mail server of the
Internet Service Provider used by the company.
E-mail from outside the company's LAN is received on an e-mail server that is not connected
directly to the company's LAN but sits in the Demilitarized Zone (DMZ), where it is scanned
for viruses and spam using appropriate software and then automatically forwarded to the
e-mail server within the company's LAN. Once the messages have been transferred to the
LAN, they are permanently erased from the e-mail server in the DMZ.
This option shall entail the procurement of:
1. A server with disks supporting RAID level 1 (mirroring), in line with current practice,
backup hardware and backup management software;
2. Installation of the operating system, e-mail server software, anti-virus and spam-filtering
software, including software licences;
3. Setup and configuration of the network connection to the company's network;
4. Configuration of the e-mail server within the DMZ to relay e-mail to the server within the
internal network;
5. Testing for connectivity and security before the end-user testing in the project plan;
6. Maintenance and support agreements for the above.
Presentations
Presentations are given by sales staff and management from time to time. A number of
overhead projectors are held at the company's premises, to be used by senior sales staff to
give presentations when required. This is particularly useful when meeting corporate
customers or presenting to students.
Ten projectors and the appropriate software licences shall be purchased and held at Head
Office. When presentations are to be given, staff are to contact the IT Department for the use
of a projector and the installation of the software needed to display presentations.
Budgeted costs
Costs are expected to include substantial capital investment as well as recurrent expenditure,
especially with regard to connectivity charges. Controls should be in place to keep costs to a
minimum, particularly where the company is charged per usage, as in the case of the GPRS
connections.
Budgeted expense with current sales force (totals converted to MTL)

Servers
Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total MTL
E-mail server, IBM X-Series 346 | | | | pcs | USD | 16,136.00 | 5,300.00
Firewall server, IBM X-Series 346 | | | | pcs | USD | 16,136.00 | 5,300.00
(description not recovered) | Yes | | | | | | 1,100.00
(description not recovered) | | | 10 | manhours | MTL | 24.00 | 240.00
Sub-total | | | | | | | 11,940.00 (4.63%)

Connectivity
Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total MTL
GPRS access fee (annual) | Yes | 8 | 156 | users | MTL | 60.00 | 9,400.00
Mobile Connect Card (GPRS connection for laptops) | | 3, 19 | 60 | users | MTL | 93.00 | 5,600.00
GPRS connection - PDA users | Yes | 11, 19 | 156 | users | MTL | 504.00 | 77,000.00
GPRS connection - laptop users | Yes | 19 | 60 | users | MTL | 42.00 | 2,500.00
(description not recovered) | | 5 | 60 | users | MTL | 378.00 | 22,700.00
(description not recovered) | | 4 | 60 | users | MTL | 50.00 | 3,000.00
(description not recovered) | | | 60 | users | MTL | 50.00 | 3,000.00
(description not recovered) | | 9, 13 | 66 | laptops | MTL | 2 manhours | 660.00
Sub-total | | | | | | | 123,860.00 (48.07%)

Networking equipment
Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total MTL
Cisco PIX 515E Security Appliance, including chassis, restricted licence, software, 3 x 10/100 interfaces, 64 MB RAM, 10 desktop and 1 server licence of Cisco Security Agent, CiscoWorks VMS Basic | | | | pcs | USD | 4,591.00 | 1,500.00
Failover Active/Active software licence | | | | | | | 2,000.00
Encryption licence - 168-bit 3DES | | | | | | | 350.00
Cabling | | | 1000 | mtrs | | | 80.00
Installation | | | 10 | manhours | | |
Sub-total | | | | | | | 5,580.00 (2.17%)

Client equipment and software
Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total MTL
Dell Inspiron 1150 (see note 16) | | 13, 14 | 66 | pcs | GBP | 709.00 | 30,000.00
Microsoft Office 2003 including Word, Excel and Outlook | | 15 | 66 | pcs | MTL | 0.00 | 0.00
Norton Internet Security 2005 - 15 month | | 18 | 66 | licences | USD | 37.99 | 830.00
Dell All-in-one Inkjet 922C Printer | | | | | | |
30 day Online Security Training | | | | | | |
Standard support package and cover against accidents | | | | | | |
1 Year Collect and Return Warranty | | | | | | |
PDA (HP iPAQ H6340 in the network diagram) | | | 170 | pcs | MTL | 315.00 | 54,000.00
Projectors (see Presentations) | | | 10 | pcs | USD | 899.00 | 3,000.00
Presentation software (see Presentations) | | | 10 | licences | USD | 162.94 | 540.00
(description not recovered) | | | 170 | licences | USD | 69.00 | 11,700.00
(description not recovered) | | | 236 | licences | MTL | 15.00 | 3,500.00
(description not recovered) | | 9 | 80 | manhours | MTL | 5.00 | 400.00
(description not recovered) | | 9 | 40 | hours | MTL | 5.00 | 200.00
(description not recovered) | Yes | | 120 | manhours | MTL | 5.00 | 600.00
(description not recovered) | | | 10 | | | | 3,300.00
Sub-total | | | | | | | 108,070.00 (41.94%)

Network and Security Management Software
Description | Recurrent expenditure | Note | Qty | Unit | Currency quoted | Cost per unit | Total MTL
Checkpoint Express C1 Firewall software (up to 500 users) | | | | licences | USD | 15,000.00 | 5,000.00
Checkpoint Express Update and Support pack (up to 500 users) | Yes | | | licences | USD | 6,750.00 | 2,200.00
(description not recovered) | | 10, 17 | | manhours | MTL | 5.00 | 1,000.00
Sub-total | | | | | | | 8,200.00 (3.18%)

Total | | | | | | | 257,650.00
Expected download through GPRS connection (yearly)

                                   PDA users (MB per week)   Laptop users (MB per year)
Electronic mail                             2
Company's core system (queries)             3
Browsing the Internet and other             1
Total per week                              6
Number of weeks in a year                  52
Expected download per year (MB)           312                        150
Purchases of laptops are expected to increase in 2010, when the sales force is increased to
400. If the current scenario is kept, the total number of PDAs to be held in stock shall increase
to 330, whilst the number of laptops shall increase to 170, including spare laptops.
Price variations, using current prices for installing remote connections as per Table 1
(pg. 3), would be as follows:

Description                                Approx. cost MTL   Increase / decrease in cost**
Servers                                    nc
Networking equipment                       nc
Connectivity                               220,000            76% increase
Client equipment and software              194,000            79% increase
Network and Security Management Software   nc
** Compared to the cost incurred with the current sales force. nc = no change.

Since computer equipment prices change continually it is difficult to predict the cost that will
be incurred in five years' time; however, additional equipment, software and connectivity
charges (wireless and Internet) shall be required for new remote teleworkers.
Figure - Proposed network layout (diagram not reproduced; labels recovered from it): Head
Office LAN with SQL Server, Domain Controller, VPN Authentication Server and File /
Application server behind a switch; internal firewall running Checkpoint Express on an IBM
X Series 346 server; DMZ with the Public Mailserver on an IBM X Series 346; Firewall / VPN
Server towards the Internet via OnVol (ISP); on the remote side, a Dell Inspiron 1150 laptop
with Dell Inkjet 922C printer connecting from home over an ADSL modem, the same laptop
roaming over a GPRS connection, and an HP iPAQ H6340 PDA over a GPRS connection.
VPN Overview
A Virtual Private Network is a network that is connected to the Internet but uses encryption
to scramble all the data sent through the Internet, so that the entire network is "virtually"
private. Virtual Private Networking provides four critical functions to ensure the security of
data:
- Authentication: ensuring that the data originates at the source it claims to come from.
- Access control: restricting unauthorized users from gaining admission to the network.
- Confidentiality: preventing anyone from reading or copying data as it travels across the
Internet.
- Data integrity: ensuring that nobody tampers with data as it travels across the Internet.
Tunnelling allows senders to encapsulate data in IP packets that hide the underlying routing
and switching infrastructure of the Internet from both senders and receivers. These
encapsulated packets are protected against snooping by outsiders by encrypting the data
transferred.
IP Sec Overview
IPSec is often considered the best VPN solution for IP environments, as it includes strong
security measures, particularly encryption, authentication and key management. Encryption
is the process of transforming data so that only the intended recipient can read or use it. The
recipient of the encrypted data must have the proper decryption key and program to decipher
the data back to its original form. Keys are also used to authenticate users and devices (PDAs
and laptops) when connecting to the VPN server.
Client connection
The user shall connect to the Internet through the Windows dial-up interface, and the VPN
client shall be configured with the settings to connect to the corporate VPN server.

Setting             Description                                          Comments
Client IP address   External IP address
Server IP address   vpn.garner.com.mt OR the IP address allocated
Authentication      Digital certificate issued to the user (revocable,
                    see Server authentication and connection)
Encryption          168-bit 3DES (see Authentication and connection)
Firewall software shall be installed on the laptops. For the time being, and during the
evaluation, the software bundled with the recommended hardware can be used.
Split tunnelling shall be disabled, since the laptop computers are intended to be used to
connect to the company network. Should the user be authorized to use the laptop on, say, a
personal home network, this should only be done while disconnected from the company
network. With split tunnelling disabled, all of the laptop's traffic, including its Internet
browsing, passes through the tunnel and the Head Office firewalls while the VPN is up, so a
host on the home network cannot reach the company network through the laptop.
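As an added example (not code from the proposal), the following check verifies on a Windows laptop that split tunnelling is really off once the VPN is up: it parses the IPv4 table printed by `route print` and reports any destination still reachable outside the tunnel. The two route tables, the adapter addresses (home LAN 192.168.1.10, VPN adapter 10.0.100.7) and the VPN gateway address 203.0.113.10 are constructed for the example.

```python
"""
Split-tunnel check for a remote laptop. Added example for this proposal, not
code from it. Parses the IPv4 table as printed by `route print` on Windows
2000/XP and reports anything reachable outside the VPN. The sample tables,
adapter addresses and the VPN gateway address are constructed.
"""
import ipaddress
import re

ROUTE_LINE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return the 'Active Routes' entries as dicts; header and interface-list
    lines do not match the five-column pattern and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "dest": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": ipaddress.IPv4Address(gateway),
            "iface": ipaddress.IPv4Address(iface),
            "metric": int(metric),
        })
    return routes


def split_tunnel_findings(routes, vpn_iface, vpn_gateway, physical_iface):
    """Empty list = full tunnel. Otherwise each string names one route that
    lets traffic bypass the company network while the VPN is up."""
    vpn_iface = ipaddress.IPv4Address(vpn_iface)
    vpn_gateway = ipaddress.IPv4Address(vpn_gateway)
    phys = ipaddress.IPv4Address(physical_iface)
    findings = []

    defaults = [r for r in routes if r["dest"].prefixlen == 0]
    if not defaults:
        findings.append("no default route present")
    else:
        best = min(defaults, key=lambda r: r["metric"])
        if best["iface"] != vpn_iface:
            findings.append(f"preferred default route leaves via {best['iface']} "
                            f"(metric {best['metric']}), not the VPN adapter {vpn_iface}")

    # Subnets the physical adapter is directly attached to (gateway is its own address).
    connected = [r["dest"] for r in routes
                 if r["iface"] == phys and r["gateway"] == phys
                 and phys in r["dest"] and r["dest"].prefixlen < 32]

    for r in routes:
        net = r["dest"]
        if r["iface"] != phys or net.prefixlen == 0:
            continue  # VPN and loopback routes; default routes were handled above
        if net.is_multicast or net.is_loopback or net in connected:
            continue
        if net.prefixlen == 32:
            host = net.network_address
            if host == vpn_gateway or host == ipaddress.IPv4Address("255.255.255.255"):
                continue  # the tunnel endpoint itself, and limited broadcast
            if any(host == c.broadcast_address for c in connected):
                continue  # subnet broadcast of the home LAN
        findings.append(f"{net} reachable outside the tunnel via {r['gateway']}")
    return findings


# Constructed sample: VPN up, no split tunnelling (best default route via the VPN adapter).
FULL_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.100.1      10.0.100.7       1
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      20
         10.0.0.0        255.0.0.0       10.0.100.1      10.0.100.7       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10      20
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.10      20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10      20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
"""

# Constructed sample: split tunnelling. Only 10/8 goes through the VPN, the default
# route stays on the home router, and a second home subnet is reachable directly.
SPLIT_TUNNEL = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10      20
         10.0.0.0        255.0.0.0       10.0.100.1      10.0.100.7       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10      20
    192.168.1.255  255.255.255.255     192.168.1.10    192.168.1.10      20
      192.168.2.0    255.255.255.0      192.168.1.1    192.168.1.10      20
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.10      20
        224.0.0.0        240.0.0.0     192.168.1.10    192.168.1.10      20
  255.255.255.255  255.255.255.255     192.168.1.10    192.168.1.10       1
"""

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        found = split_tunnel_findings(parse_route_print(table),
                                      "10.0.100.7", "203.0.113.10", "192.168.1.10")
        print(name + ":", found or "OK, everything goes through the VPN")
```

The check deliberately tolerates what a full tunnel still needs on the physical adapter (the home subnet itself, its broadcast address, the host route to the VPN gateway, multicast and limited broadcast) and flags everything else, so it can be run by the IT Support Team during the pilot and again after any VPN client upgrade.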
Server authentication and connection
Internal IP addresses are masqueraded from the public network behind an external IP
address.
Digital certificates can be revoked by the administrator if they are suspected to have been
compromised; the user is then issued a new certificate to be able to authenticate again.
Internal firewall
Checkpoint Express (software) shall be used to accept connections only from devices on the
DMZ VLAN. It shall also allow the VPN tunnel connections that have been authenticated by
the external firewall, so that remote users can connect to the internal network. The purpose
of using a different technology for the internal firewall is that one firewall product may have
bugs that would allow a malicious attacker to bypass the external firewall; the firewall
protecting the internal network is an extra layer that reduces this risk, since attackers
continually find new ways of penetrating networks. "Only from the DMZ VLAN" must be read
per host and per service (the public mailserver to the internal mail server on the SMTP port,
the VPN server's authentication traffic to the authentication server, the remote users' VPN
address pool to the internal network), not as trust in the whole DMZ: a compromised host in
the DMZ must not be able to reach the server farm.
Before Checkpoint is installed, the underlying OS must be hardened to the highest security
level possible, particularly by disabling unnecessary services and applying security patches
regularly.
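The following is an added example, not the Checkpoint configuration itself: the internal firewall policy described above and in Authentication and connection, written as a first-match rule set with default deny and evaluated against a few constructed flows, alongside the shortcut of trusting the whole DMZ VLAN. All addresses are assumptions taken from the RFC 5737 documentation ranges and private address space; the RADIUS port between the VPN server and the authentication server is an assumption too, and 10.0.1.30 stands in for Giorgio.

```python
"""
Internal-firewall rule set for the proposed Internet / DMZ / internal LAN
layout, as first-match rules evaluated against constructed flows. Added
example for this proposal, not a vendor configuration. Every address is an
assumption, as is the RADIUS port used by the VPN server.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

# Assumed addressing (RFC 5737 documentation ranges and private space).
DMZ = Net("192.0.2.0/24")
PUBLIC_MAIL = Net("192.0.2.25/32")      # public mailserver in the DMZ
VPN_SERVER = Net("192.0.2.1/32")        # inside leg of the firewall / VPN server
VPN_POOL = Net("10.0.100.0/24")         # addresses handed to authenticated remote users
INTERNAL = Net("10.0.0.0/16")
INTERNAL_MAIL = Net("10.0.1.25/32")     # Alberto
AUTH_SERVER = Net("10.0.1.10/32")       # VPN authentication server / domain controller


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    src: Net
    dst: Net
    proto: str      # "tcp", "udp" or "any"
    dport: int      # 0 = any destination port
    why: str

    def matches(self, flow):
        src, dst, proto, dport = flow
        return (ipaddress.IPv4Address(src) in self.src
                and ipaddress.IPv4Address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (0, dport))


def evaluate(rules, flow):
    """First matching rule wins; anything unmatched is dropped (default deny).
    Only session-initiating packets are evaluated: replies ride on state."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.why
    return "deny", "default deny (no rule matched)"


# What the proposal describes: only the mail relay and authenticated VPN users
# get through, plus the VPN server's credential check against the directory.
HARDENED = [
    Rule("permit", PUBLIC_MAIL, INTERNAL_MAIL, "tcp", 25, "inbound mail relay DMZ -> Alberto"),
    Rule("permit", INTERNAL_MAIL, PUBLIC_MAIL, "tcp", 25, "outbound mail Alberto -> DMZ relay"),
    Rule("permit", VPN_SERVER, AUTH_SERVER, "udp", 1812, "RADIUS check of VPN users (assumed port)"),
    Rule("permit", VPN_POOL, INTERNAL, "any", 0, "authenticated remote users, same access as on-site"),
    Rule("deny", DMZ, INTERNAL, "any", 0, "nothing else from the DMZ, logged"),
]

# The tempting shortcut: trust the whole DMZ VLAN because "the external firewall
# already checked it". A compromised public mailserver then has a free run at the
# database, which is exactly what the second firewall is meant to prevent.
TRUST_THE_DMZ = [
    Rule("permit", DMZ, INTERNAL, "any", 0, "DMZ is behind the PIX, so allow it"),
] + HARDENED

# Constructed flows: (source, destination, protocol, destination port)
FLOWS = {
    "mail relay": ("192.0.2.25", "10.0.1.25", "tcp", 25),
    "relay to SQL (Giorgio)": ("192.0.2.25", "10.0.1.30", "tcp", 1433),
    "VPN user to SQL": ("10.0.100.17", "10.0.1.30", "tcp", 1433),
    "Internet host to SQL": ("198.51.100.9", "10.0.1.30", "tcp", 1433),
    "VPN server RADIUS": ("192.0.2.1", "10.0.1.10", "udp", 1812),
}


def decisions(rules):
    """Map each named flow to the action the rule set takes on it."""
    return {name: evaluate(rules, flow)[0] for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("hardened", HARDENED), ("trust-the-DMZ", TRUST_THE_DMZ)):
        print(label, decisions(rules))
```

The only difference between the two rule sets is one permit line at the top, and it is enough to turn the DMZ mailserver (the host most exposed to the Internet) into a path to the SQL server; the same test flows should be repeated against the real Checkpoint policy during the laboratory setup (task 12 in the project plan).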
The DMZ cannot contain anything the company cannot bear to lose, particularly critical
business data. The purpose of establishing such an island is to become aware of attempted
security breaches before they reach the internal network.
The firewall server shall be installed on Microsoft Windows Server 2003. Although the general
trend is to go for Unix-based operating systems such as Red Hat Linux, this operating system
is being recommended with a view to using the server for applications currently in use that
rely on Windows-based technology.
Most of the time, security measures and protection are reactive rather than proactive.
Further recommendations
Up to 10 network segments can be allocated, which provides the possibility of further splitting
the internal network into separate VLANs for each department, e.g. VLAN2a for Motor
Insurance, VLAN2b for Life Insurance, VLAN3 for Administration, VLAN4 for Network
Management Staff etc. This has the advantage of adding more internal security and improving
network performance. Moreover, one of the PCs within a section's LAN could be used to store
all of that section's user files rather than a centralized server, provided it is included in the
backup schedule.
Currently the business does not have a disaster recovery (standby) server for the File /
Application server (Carlo) and the Active Directory server (Juan), see Figure 1 on page 5. The
server being purchased can possibly be used as a disaster recovery machine for these critical
machines.
Project plan
Set-up and configuration of the remote working system, including selection of suppliers,
installation of equipment and software and testing, should take less than four months within
the proposed scenario.
1. Project approval
An overview of the project plan shall be delivered by the Network Manager to the company's
senior management.
Once the project is approved a Project Team is selected, and it is also decided whether
external resources shall be required to assist the Network Team within the required
timeframe.
The Project Team shall consist of a number of persons from the following departments and
sections, the number of people depending on the focus of the task in hand:
- Project Coordinator
- IT (Hardware) Team
- IT (Software) Team
- IT Support Team
- Financing Department
The budget and schedule for the resources required shall be monitored to ensure that the
project is delivered on time and on budget.
The Human Resources Department shall pre-advise the staff involved of the impending
changes as soon as the project is approved, in order to gather feedback and liaise with the
Project Team.
Expected duration: 2 weeks
The Project Team shall require resources from the IT (Hardware) Team, IT (Software) Team,
Network Team, the Internet Service Provider, the Mobile Operator and users who shall carry
out the testing and provide feedback to the Project Team, in order to move on to the next
stage.
Expected duration: 3 weeks.
17. Training
Laptops and PDAs can be distributed to the current remote workers and a short training
course organized to introduce the new way of working to the employees. This shall include a
briefing on connecting remotely, changes in working procedures and any changes in working
conditions.
IT support Staff shall be given an overview of the changes implemented and supplemented
with the necessary technical documentation.
The Project Team shall require resources from Human Resources Department, IT (Support)
Team and obviously the users themselves.
Expected duration: 1 week.
18. Live
Once the users are generally satisfied with the new setup, feedback shall be gathered from
users and support staff, to be collated and included in the final report for management. It
would be safe to plan an IS Audit at this stage.
Figure 5 - Schedule (overview). Timeline: weeks 1 to 14.
Tasks:
1. Project approval by management
2. Selection of suppliers - hardware
3. Selection of software - suppliers and packages
4. Purchasing orders for server and networking equipment
5. Purchasing orders for laptops and PDAs
6. Negotiate and conclude agreements with ISP and mobile operator
7. Negotiation of hardware and maintenance agreements
8. Acceptance of client software for PDAs
9. Equipment received and confirmed
10. Laptops and PDAs received and confirmed
11. Installation and configuration of e-mail server
12. Laboratory setup of network equipment and preliminary testing
13. Installation and configuration of DMZ
14. Migration to new network setup
15. Pilot test
16. Software installation on clients
17. Training
18. Live
Activity legend: Managerial; Administrative / Technical; Technical; Administrative; Live.
Project management
The project shall be monitored by the Network Manager or his delegate, who shall take an
active part in the project to gather and use the project resources.
Decisions, including the choice of suppliers and providers, will require his input during the
initial stages of the project, particularly with regard to network equipment and its
maintenance, connectivity and security.
Negotiation with suppliers of networking equipment and connectivity shall require his direct
involvement in order to guide management to the most appropriate options available on the
market. He shall liaise closely with other departments throughout the project in order to
obtain the best possible package for the remote teleworking system.
Appendix A - Technical specifications

Server hardware (IBM X-Series 346)
Use: servers on which the firewall and the public mailserver are to be installed. The
specification purchased allows for further uses of the server (see Further recommendations).
Processors: two 2.8 GHz Intel Xeon processors (dual-processor configuration), 800 MHz
front-side bus, 1 MB L2 cache
Memory, controller, diskette drive, optical drive, Ethernet, system management, power supply,
operating system, storage adapter, features, support: (values not recovered)
Weight: 64 lbs; height: 3.36 in; width: 17.5 in; depth: 27.5 in
Client hardware (Dell Inspiron 1150)
Use: laptop used by remote teleworkers.
Display: 15" XGA
Processor, support service, memory, hard drive, optical drive, modem (1), network interface
(2), primary battery, power supply, keyboard, security software, warranty, carry case (3):
(values not recovered)
Notes:
1. The modem can be useful for sending faxes and for the eventual set-up of an emergency
dial-up connection to the Internet Service Provider.
2. To enable connection to the network points at Head Office.
3. The case purchased is suitable to carry the printer and cabling as well.
(Source: Dell, United Kingdom)
Client hardware, peripheral (Dell All-in-one Inkjet 922C)
Use: printer used by laptop users.
Printer type, media type, max speed, copying speed, operating system, features, support,
dimensions (W x D x H): (values not recovered)
Weight: 10 lbs
Connectivity technology: USB (cable included)
Media feeders: input tray 100 pages, output tray 50 pages
Features and benefits (Cisco PIX 515E Security Appliance)

Purpose-Built Security Appliance
Fast Ethernet Expansion Options
Hardware VPN Acceleration
- Delivers high-speed VPN services through the addition of either a VPN Accelerator Card (VAC) or a VPN Accelerator Card+ (VAC+). Unrestricted (UR), Failover (FO) and Failover-Active/Active (FO-AA) models have integrated hardware VPN acceleration services.
Integration with Leading Third-Party Solutions
Industry Certifications and Evaluations
Stateful Inspection Firewall
Advanced Application and Protocol Inspection
Modular Policy Framework
Security Contexts
Layer 2 Transparent Firewall
Multi-Vector Attack Protection
Authentication, Authorization, and Accounting (AAA) Support
- Integrates with popular AAA services via TACACS+ and RADIUS, with support for redundant servers for increased AAA services resiliency.
- Provides highly flexible user and administrator authentication services, dynamic per-user/per-group policies, and administrator privilege control through tight integration with Cisco Secure Access Control Server (ACS).
Native Integration with Popular User Authentication Services
Resilient Architecture
Active/Active and Active/Standby Stateful Failover
- Ensures resilient network protection for businesses through the award-winning high availability services provided by certain models of Cisco PIX 515E Security Appliances.
- Supports Active/Standby failover services as a cost-effective high availability solution, where one failover pair member operates in hot-standby mode, acting as a complete redundant system that maintains current session state information for the active unit.
- Delivers advanced Active/Active failover services where both Cisco PIX Security Appliances in a failover pair actively pass network traffic simultaneously and share state information bi-directionally, enabling support for asymmetric routing environments and effectively doubling the throughput of the failover pair for bursty network traffic conditions.
- Supports long-distance failover, enabling geographic separation of failover pair members and providing another layer of protection.
- Maximizes VPN connection uptime with new Active/Standby stateful failover for VPN connections.
- Synchronizes all security association (SA) state information and session key material between failover pair members, providing a highly resilient VPN solution.
- This feature is available on Unrestricted (UR), Failover (FO), and Failover-Active/Active (FO-AA) models only.
Zero-Downtime Software Upgrades
VLAN-Based Virtual Interfaces
QoS Services
- Delivers per-flow, policy-based QoS services, with support for LLQ and traffic policing for prioritizing latency-sensitive network traffic and limiting bandwidth usage of administrator-specified applications.
- Enables businesses to have end-to-end QoS policies for their extended network.
OSPF Dynamic Routing
DHCP Relay
- Forwards DHCP requests from internal devices to an administrator-specified DHCP server, enabling centralized distribution, tracking and maintenance of IP addresses.
NAT/PAT Support
- Provides rich dynamic, static, and policy-based NAT and PAT services.
Cisco Adaptive Security Device Manager (ASDM)
Auto Update
- Allows customers to use existing Cisco IOS Software CLI knowledge for easy installation and management without additional training.
- Supports improved ease of use with services such as command completion, context-sensitive help, and command aliasing.
- Accessible through a variety of methods including console port, Telnet, and SSHv2.
Command-Level Authorization
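As an added example (not part of this document or of Cisco's own documentation), the following PIX 7.x-style configuration fragment ties together the AAA Support and Command-Level Authorization features listed above: two TACACS+ servers in one group for resiliency, SSHv2-only management authenticated against that group with a local fallback, and command authorization and accounting through the same group. The group name, addresses, username and shared secrets are constructed placeholders, and the exact command syntax is assumed from the PIX 7.x command set.

```cisco
! Added example, not the page's or Cisco's own configuration.
! One AAA group with two TACACS+ servers: if the first is unreachable the
! appliance tries the second, which is the "redundant servers" benefit above.
aaa-server ADMIN-TACACS protocol tacacs+
 max-failed-attempts 3
aaa-server ADMIN-TACACS (inside) host 10.10.0.11
 key PLACEHOLDER-SHARED-SECRET
aaa-server ADMIN-TACACS (inside) host 10.10.0.12
 key PLACEHOLDER-SHARED-SECRET
!
! Management reachable over SSHv2 only, and only from the internal admin subnet
! (constructed address range); Telnet is deliberately not enabled.
ssh version 2
ssh 10.10.0.0 255.255.255.0 inside
http server enable
http 10.10.0.0 255.255.255.0 inside
!
! Administrator logins (SSH and ASDM) are authenticated by the TACACS+ group.
! LOCAL is consulted only when every server in the group is unreachable,
! not when a server rejects the credentials.
aaa authentication ssh console ADMIN-TACACS LOCAL
aaa authentication http console ADMIN-TACACS LOCAL
!
! Command-level authorization and accounting through the same group, so each
! administrator command is checked against the ACS policy and logged there.
aaa authorization command ADMIN-TACACS LOCAL
aaa accounting command ADMIN-TACACS
!
! Emergency local account used only during the fallback case above.
username admin password PLACEHOLDER-LOCAL-PASSWORD privilege 15
```

The LOCAL fallback account should be audited as part of the accounting review, since a login through it indicates the AAA servers were unreachable at the time.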
Client
Software
VPN Client installed on laptops.
Operating System: Windows NT
Connection types: Internet-attached Ethernet
Protocol: IP
Tunnel protocol: IPSec
Features:
Password expiration information
Start before logon
Automatic VPN disconnect on logoff
Server
Software
Internal network firewall software.
VPN-1 SecureRemote
Firewall 1
SmartDefense
SmartCenter

System requirements
Component            Operating System   Disk space   Memory
VPN-1 Express                           300 MB       128 MB
SmartCenter Express                     300 MB       128 MB
SmartDashBoard                          100 MB       128 MB
SecurePlatform                          4 GB         Recommended 512 MB
AnthaVPN Client
Server / Client: Client
Software / Hardware: Software
Purpose: Client VPN software for PDAs.
An IPSec-based client designed for wireless devices, with support for multiple VPN gateways. It supports current and legacy encryption algorithms and was designed to meet government security requirements. PKI certificates are supported and it can run on Windows Pocket 2003, which will be installed on the PDAs.
(source: AnthaSoft)