Clavister Security OS™ product brochure (Clavister OS, 2005-09-23)
Source: seguridad10.com/descargas/Clavister.SO.pdf


Security with your business in mind

Clavister Security OS™

Page 2: Clavister OS 2005-09-23seguridad10.com/descargas/Clavister.SO.pdf · IPSec IKEv2 authentication, PKI key management, and high availability clustering capabilities. Telco-grade security

Introduction

Secure and effective information flows have become a strategic resource for all organizations as they face increased market competition, restricted budgets and new business opportunities. With several years of experience delivering core components and systems to leading organizations in the telecom industry and the public sector, we know for a fact that secure communication is a top business enabler.


www.clavister.com

Clavister Security OS™ is the highly optimized system that empowers our products with end-to-end security technology and value-adding functionality such as secure VPN, User Authentication, Traffic Shaping, Advanced Routing, Virtual Systems, High Availability Clustering and Centralized Management.

With the multi-layered security and connectivity features that Clavister Security OS™ provides, we can empower your business with a secure communication platform that delivers unparalleled performance at the lowest TCO possible.

Product Overview

Clavister Security OS™ is a proprietary real-time network operating system optimized for security, performance and flexible connectivity.

Clavister Security OS™ consists of a compact firmware image of some hundred kilobytes, which constitutes the entire software needed to operate your complete Security Gateway system. There is no general-purpose operating system underneath it, so vulnerabilities inherited from such a system are avoided, and the compact, optimized code base makes Clavister Security OS™ one of the most resilient products on the market.

The Clavister Security OS™ technology is based primarily on Stateful Inspection, the de-facto standard for firewalls today. To achieve the highest protection and flexibility possible, Clavister Security OS™ also integrates features such as:

• Multi-layered security mechanisms

• Deep Inspection with IDS & IPS

• Virtual Private Network

• Advanced static and dynamic routing

• DHCP services

• User Authentication

• Virtual systems

• High Availability clustering

• Centralized Operations and Maintenance System

Feature Overview

Security Mechanisms

Every component in Clavister Security OS™ has been designed with security as the primary concern. That is why all features are tightly integrated into the core functionality and share the same conservative approach to security.

The security mechanisms that pervade the entire system are built on a performance-optimized Stateful Packet Inspection engine that performs in-depth consistency checking of every packet flowing through the device at wire speed.

Because security is integrated into every single component of the system, Clavister Security OS™ provides strong protection against, for instance, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
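The consistency checking mentioned above is enumerated in the “Consistency Checks and DoS Prevention” row of the Technical Specifications: stateless sanity rules that an inspection engine applies to every packet before any policy lookup. The Python below is an added illustration and not Clavister code. It parses a raw IPv4/TCP packet and reports which of a subset of those rules it violates (illegal addresses, checksum, TTL, layer size consistency, IP option sizes, IP source route, IP reserved flag, TCP header length, reserved field, flag combinations, NULL packets, option sizes, MSS and window scale). The packets, addresses and the minimum-MSS threshold are constructed for the example.

```python
"""Stateless packet consistency checks of the kind a stateful inspection engine runs
before policy lookup. Added example, not Clavister code; all packets are constructed."""
import struct
from ipaddress import IPv4Address

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCP_RESERVED_MASK = 0x0E00      # the three reserved bits after the TCP data offset
TCP_OPTION_LENGTH = {2: 4, 3: 3, 4: 2, 8: 10, 14: 3}   # MSS, window scale, SACK-permitted, timestamp, alt-checksum req.
MIN_MSS = 100                   # policy threshold for "TCP MSS control" (assumed value)

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a header carrying a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def walk_options(buf: bytes, start: int, end: int):
    """Yield (kind, length, offset) for IP or TCP options; yield (None, 0, offset) once if an entry is malformed."""
    i = start
    while i < end:
        kind = buf[i]
        if kind in (0, 1):                            # EOL / NOP are single bytes, everything else is TLV
            i += 1
            continue
        length = buf[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:
            yield None, 0, i
            return
        yield kind, length, i
        i += length

def check_ip_tcp(pkt: bytes) -> list:
    """Return the names of every rule `pkt` violates; an empty list means it passed."""
    bad = []
    if len(pkt) < 20:
        return ["IP: truncated header"]
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _sum = struct.unpack("!BBHHHBBH", pkt[:12])
    src, ihl = IPv4Address(pkt[12:16]), (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(pkt):
        return ["IP: version or header length"]     # nothing below can be trusted
    if total_len != len(pkt):
        bad.append("IP: layer size consistency")
    if ip_checksum(pkt[:ihl]) != 0:
        bad.append("IP: checksum")
    if ttl == 0:
        bad.append("IP: TTL")
    if flags_frag & 0x8000:
        bad.append("IP: reserved flag")
    if src.is_loopback or src.is_multicast or src == IPv4Address("255.255.255.255"):
        bad.append("IP: illegal source address")
    for kind, _length, _at in walk_options(pkt, 20, ihl):
        if kind is None:
            bad.append("IP: option sizes")
        elif kind in (131, 137):                      # loose / strict source route
            bad.append("IP: source route")
    if proto != 6:
        return bad
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return bad + ["TCP: truncated header"]
    off_flags = struct.unpack("!H", tcp[12:14])[0]
    doff, flags = (off_flags >> 12) * 4, off_flags & 0xFF
    if doff < 20 or doff > len(tcp):
        return bad + ["TCP: header length"]
    if off_flags & TCP_RESERVED_MASK:
        bad.append("TCP: reserved field")
    if flags == 0:
        bad.append("TCP: NULL packet")
    if flags & SYN and flags & (FIN | RST):
        bad.append("TCP: flag combination SYN with FIN/RST")
    if flags and not flags & (ACK | SYN | RST):       # FIN/PSH/URG without ACK never occurs on a real connection
        bad.append("TCP: flag combination without ACK")
    for kind, length, at in walk_options(tcp, 20, doff):
        expected = TCP_OPTION_LENGTH.get(kind)
        if kind is None or (expected is not None and length != expected):
            bad.append("TCP: header option sizes")
        elif kind == 2 and struct.unpack("!H", tcp[at + 2:at + 4])[0] < MIN_MSS:
            bad.append("TCP: MSS control")
        elif kind == 3 and tcp[at + 2] > 14:          # RFC 1323 caps the shift count at 14
            bad.append("TCP: window scale")
    return bad

def build_packet(src, dst, flags, tcp_options=b"", ip_options=b"", ip_flags=0, ttl=64, good_checksum=True):
    """Constructed IPv4/TCP test packet, no payload; TCP checksum left zero since it is not checked above."""
    tcp_options += b"\x00" * (-len(tcp_options) % 4)
    ip_options += b"\x00" * (-len(ip_options) % 4)
    doff, ihl = 5 + len(tcp_options) // 4, 5 + len(ip_options) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (doff << 12) | flags, 65535, 0, 0) + tcp_options
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(tcp), 0x1234, ip_flags, ttl, 6, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed) + ip_options
    cksum = ip_checksum(hdr) ^ (0 if good_checksum else 0x5555)   # flip bits to break the checksum on demand
    return hdr[:10] + struct.pack("!H", cksum) + hdr[12:] + tcp

# Constructed samples: a normal SYN with MSS/NOP/window-scale options, and a deliberately broken one.
GOOD_SYN = build_packet("192.0.2.10", "198.51.100.5", SYN, tcp_options=b"\x02\x04\x05\xb4\x01\x03\x03\x07")
BAD_SYN = build_packet("127.0.0.1", "198.51.100.5", SYN | FIN | 0x0E00,
                       tcp_options=b"\x02\x03\x05", ip_flags=0x8000, good_checksum=False)
```

Run `check_ip_tcp(GOOD_SYN)` to get an empty list and `check_ip_tcp(BAD_SYN)` to get six violations at once (bad checksum, reserved IP flag, loopback source, TCP reserved bits, SYN+FIN, and an MSS option of the wrong length). Truncating a packet by one byte trips both the IP layer-size check and the TCP header-length check, which is the point of checking sizes at every layer independently rather than trusting the outer header.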

Multi-layered security

To protect against the increasing number of sophisticated application-layer attacks, Clavister Security OS™ utilizes multiple security mechanisms that work on different network layers, including advanced Application Layer Gateways (ALGs) and state-of-the-art Intrusion Prevention functionality.

The combination of a highly conservative approach to security, performance and high-availability options ensures that Clavister Security OS™ delivers a “worry-free” environment for your business.

Virtual Private Networks

Designed for the unique requirements of telecom operators, the public sector and large enterprises, Clavister Security OS™ provides an end-to-end IPSec, L2TP, PPTP, GRE and GTP VPN security solution that is easy to integrate into an existing network infrastructure, and features gigabit performance combined with IPSec IKEv2 authentication, PKI key management, and high availability clustering capabilities.

Telco-grade security solution

Clavister Security OS™ is the first telco-grade network security solution on the market specifically designed for the requirements of 3G infrastructure, Generic Access Networks, WLAN roaming solutions and VoIP networks. Clavister Security OS™ enables telecom operators to leverage emerging technologies such as Generic Access Networks and to integrate advanced security features into their network infrastructure faster, cheaper and more securely than with other solutions.

Comprehensive protection

Clavister Security OS™ addresses all requirements for secure connectivity, including ASIC encryption acceleration and high scalability, integration into existing AAA infrastructure, support for IKEv2 and EAP authentication, NAT-T, attack prevention, and the need for efficient management capabilities.

[Figure: VPN topology diagram showing Finance, Sales and Research & Development segments, DMZ and LAN networks at a Sales office and an Engineering office, all connected across the Internet.]

Features

• Carrier-grade network security solution

• Gigabit VPN performance

• Applicability in 3G core networks

• Seamless network integration and proven interoperability

Additional Information

Advanced Routing Capabilities

Routing is an important factor in efficient network integration, and Clavister Security OS™ addresses the need for effortless integration by incorporating a wide range of routing mechanisms: static, policy-based, source-based and multicast routing, as well as the OSPF dynamic routing protocol.

With the extensive routing capabilities provided, including policy-based routing and OSPF, organizations can not only integrate Clavister security devices easily into the network flow but also extend their business opportunities and increase security by being able to:

• Connect to two or more ISPs without using BGP, accepting inbound connections from all of them. Return traffic is routed back out through the ISP that delivered the incoming request.

• Route certain protocols through transparent proxies such as web caches and anti-virus scanners, without adding another point of failure for the network as a whole.

• Create provider-independent metropolitan area networks, i.e. networks where all users share a common active backbone but can use different ISPs, subscribe to different streaming media providers, etc.

User Authentication

Clavister Security OS™ supports user authentication, making it possible to grant or deny access to specific users from specific IP addresses based on their credentials. The feature uses the RADIUS authentication protocol, the de-facto standard for user authentication, to consult external user databases.

HTTP, HTTPS and IKE XAuth are supported as authentication agents, and multiple authentication servers can be defined for different combinations of interfaces and networks. When HTTP or HTTPS is used for authentication, fully customizable login and logout web pages can be defined in the firewall.

Furthermore, user authentication in the Clavister Security Gateway is fully compatible with Microsoft(R) Internet Authentication Service(TM) (IAS), which makes it possible to use, for instance, Microsoft(R) Active Directory(TM) as the user database.
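The RADIUS exchange that sits behind the HTTP, HTTPS and XAuth authentication agents described above, as an added example that is not part of the brochure or of Clavister's code: the NAS (here, the firewall) packs the user's credentials into an Access-Request using the RFC 2865 User-Password hiding, a toy server checks them against a constructed user database, and the NAS verifies the Response Authenticator before trusting the Accept or Reject. The shared secret, the NAS address and the user database are constructed values.

```python
"""RADIUS (RFC 2865) PAP exchange between an authentication agent on the firewall (the NAS)
and an external RADIUS server. Added example, not Clavister code; the shared secret, NAS
address and user database are constructed values."""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
SECRET = b"constructed-shared-secret"                    # assumption: configured on both NAS and server
NAS_IP = IPv4Address("192.0.2.1").packed                 # assumption: the firewall's own address
USER_DB = {b"alice": b"correct horse battery staple"}    # constructed server-side user database


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte chunks, XOR each with MD5(secret || previous ciphertext
    chunk), the first with MD5(secret || Request Authenticator). Obfuscation, not encryption."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")                           # strip the padding; passwords cannot end in NUL


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         authenticator: bytes = None) -> bytes:
    """NAS side. The 16-byte Request Authenticator must be unpredictable: it keys the password hiding."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, NAS_IP))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def server_handle(request: bytes, secret: bytes) -> bytes:
    """Toy server: recover the password, check it against the user database, answer Accept or Reject."""
    code, _ident, length = struct.unpack("!BBH", request[:4])
    attrs = parse_attributes(request[20:length])
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    password = decrypt_password(attrs[USER_PASSWORD], secret, request[4:20])
    stored = USER_DB.get(attrs[USER_NAME])
    ok = stored is not None and hmac.compare_digest(stored, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: only trust a reply that matches our outstanding Identifier and authenticates under our secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(user: bytes, password: bytes, ident: int = 1) -> bool:
    """Whole round trip on one host: the NAS asks, the server answers, the NAS verifies before trusting the code."""
    request = build_access_request(ident, user, password, SECRET)
    response = server_handle(request, SECRET)
    return verify_response(response, request, SECRET) and response[0] == ACCESS_ACCEPT
```

`authenticate(b"alice", b"correct horse battery staple")` returns True; a wrong password or an unknown user yields Access-Reject, and a reply forged without the shared secret, or one whose Identifier does not match an outstanding request, fails `verify_response` regardless of its code. Note that PAP over RADIUS protects the password only by MD5-XOR keyed with the shared secret, so the secret's strength and the unpredictability of the Request Authenticator carry the whole burden; CHAP, also listed in the specifications, avoids sending the password at all.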

Mobile Network Ready

For optimal integration into mobile networks such as 3G core networks and Generic Access Networks, Clavister Security OS™ provides secure and reliable EAP-SIM and EAP-AKA authentication capabilities that enable authentication based on SIM card data.


Traffic Management

Thanks to the versatile traffic management features included in Clavister Security OS™, Clavister Security devices are well suited to lowering the cost of bandwidth and making sure that business-critical traffic flows without disruption.

In more complex deployments, where detailed control of the traffic is required, the traffic management functionality in your Clavister product excels at guaranteeing Quality of Service.

Clavister's traffic management, unlike many other models, is closely integrated with the core functionality. Hence bandwidth can be limited, guaranteed and prioritized with the granularity of a single security policy: all traffic that can be filtered by the system can thus be bandwidth managed, including VPN connections and virtual LANs. Bandwidth control is performed using up to 64 independent weighted queues or “pipes”, where each pipe has eight different levels of priority with individual limits on bandwidth and packets per second.

Pipes may further be subdivided in order to track individual flows. Traffic flow grouping may be done according to IP addresses, networks and ports. Consequently, a network administrator can make sure that no single user can consume all available bandwidth, or that a server farm is not overloaded by a few visitors using high-speed Internet connections.

Furthermore, the traffic management feature in Clavister Security OS™ supports dynamic balancing of bandwidth limits between groups. This works by automatically adjusting the group limits with respect to the bandwidth allocation and the current number of groups. Using this feature, available bandwidth can be fairly distributed among all users in a network.

Virtual Systems

Virtualization technologies such as 802.1Q VLAN tagging, Virtual Routers and Virtual Systems are highly useful in service provider and large enterprise deployments, where complex networks often tend to become a nightmare to manage. With the virtualization capabilities of Clavister Security OS™, IT security managers have the tools for administering even the most advanced network structure with minimum effort.

Virtual Systems allow partitioning a device into multiple virtual security domains, each with its own routers, VPNs, security policies and IP-address assignments.

Virtual Routing enables, for instance, routing of overlapping IP ranges, convenient segmentation of security policies, as well as seamless transport of datagrams between various interface types. Naturally, each Virtual Router can also maintain its own dynamic routing process.

These powerful features for managing complex scenarios and/or several customers in one device open up a brand new business opportunity for cost-efficient managed security solutions with an unsurpassed ROI.


High Availability

The “secure-from-the-ground-up” design principles of Clavister Security OS™ result in high reliability and uptime. However, in any complex system there is always a risk of failure, ranging from manual errors to more complicated hardware component errors. Whatever the cause, communication disruptions are, at the very least, annoying. We consider them totally unacceptable.

The high availability feature of Clavister Security OS™ enables you to set up a secondary, redundant backup system, thereby eliminating a single point of failure and minimizing the risk of service disruptions. Upon any failure of the primary Clavister Security Gateway, the secondary Security Gateway automatically takes over the data flow to guarantee network uptime. The transition takes only a fraction of a second and is invisible to all traffic.

An advanced Link Monitor is able to detect dead links, interfaces and gateways, thereby greatly enhancing the reliability of the total system.

A dedicated Ethernet interface is used for synchronization, which guarantees that all state information, including VPN sessions, is synchronized without delay, even in solutions with extremely high throughput.


The Operations and Maintenance tools provided with Clavister Security OS™ can automatically make sure that the redundant backup unit and the primary unit share the same configuration. Only the primary Security Gateway needs to be configured, which makes the deployment and maintenance of highly available systems a simple task.

[Figure: high availability deployment diagram with the labels Internal LAN, Servers in DMZ and Internet.]

Operations and Maintenance

Operations and maintenance is a vital part of any network, but it can also be a costly and resource-consuming task, and if made too complex it can actually become a security risk due to human mistakes.

To make your environment as secure and cost-efficient as possible, Clavister Security OS™ has been designed to include powerful operations and maintenance capabilities that transform a complex mess into a few well-organized and simple tasks.

Clavister provides a wide range of tools for administration, including command line interfaces, web user interfaces and centralized management systems. All management communication is encrypted to prevent eavesdropping. Comprehensive support for authentication and auditing enables efficient delegation of administrative tasks.

Benefits:

• Enables consistent policy enforcement

• Offers advanced reporting and monitoring capabilities

• Decreased costs of operations

• Decreased costs of deployment

• Increased security and service availability

• High flexibility through Open API and web portal technologies

In addition to the operations and maintenance tools provided for Clavister Security OS™, it is also possible to integrate and interact with third-party systems such as HP OpenView and IBM Tivoli.

In short: with Clavister Security OS™ and the operations and maintenance tools you can easily manage all devices in your network, whether they are located in the server hall next door or thousands of kilometers away.

Technical Specifications

Performance
  Max Concurrent Connections: 5 000 000
  Plaintext Throughput: 4 000 Mbps
  AES Throughput: 2 000 Mbps
  3DES Throughput: 2 000 Mbps

Interfaces
  Max Number of Ethernet Interfaces: 64
  Symmetric Design: yes
  VLAN (IEEE 802.1Q) Support: yes
  Max Number of Virtual (VLAN) Interfaces: 4 096 per interface
  Access and Bandwidth Control per VLAN: yes
  Interface Grouping: yes

Filtering Capabilities
  Maximum Number of Rules: 10 000
  Time-Scheduled Rules: yes
  Custom Protocol Number Filter: yes
  TCP/UDP Port Filter: source/destination ports, port ranges or port groups
  Pre-defined ICMP Filters: Echo Request, Echo Reply, Destination Unreachable, Source Quench, Redirect, Time Exceeded, Parameter Problem
  Custom ICMP Message Filter: yes
  Custom ICMP Code Filter: yes
  Pre-defined Service Definitions: yes

Address Translation
  NAT, True Dynamic Address Translation (RFC 1631): yes
  SAT, Static Address Translation: yes
  Per-rule Address Translation: yes

Application Layer Gateways
  FTP: yes
    - Run-time Active/Passive FTP Transformation: yes
  HTTP: yes
    - ActiveX / Java Applet Filtering: yes
    - JavaScript / VBScript / Cookie Filtering: yes
    - Pattern-based URL Filtering: yes
  H.323: yes
    - Gatekeeper Support: yes
    - Version Support: H.323 v5, H.225.0 v5, H.245 v10
    - Application Sharing (T.120): yes
    - NAT and SAT Support: yes

Addressing and Routing
  Static IP Addresses: yes
  CIDR Support: yes
  IP Ranges: yes
  IP and Network Grouping: yes
  Static ARP Entries: 1 024
  Dynamic ARP Entries: 4 000
  Published IP Addresses: yes
  Proxy ARP: yes
  DHCP Client: yes
  DHCP Server: yes
  DHCP Relay: yes
  PPPoE: yes
  GRE: yes
  Static Routing: yes
  Number of Routes: 4 096
  Policy-based Routing: yes
  Metric-based Route Failover with Link and ARP Monitoring: yes
  Time-Scheduled Policy-based Routing: yes
  Max Number of Virtual Routers: 1 000
  OSPF: yes
    - OSPF over IPSec: yes
    - RFC 2328 Compliant: yes
    - RFC 1583 Compatibility Mode: yes
    - Multiple OSPF Routing Processes: yes
    - Dynamic Routing Policy Rules: yes

Consistency Checks and DoS Prevention (all supported)
  IP: Illegal Addresses, Checksum Control, TTL Control, Layer Size Consistency, IP Option Sizes, IP Source Route, IP Timestamp, IP Reserved Flag
  TCP: Blind Spoofing Protection, Header Option Sizes, MSS Control, Window Scale, Selective ACK, Timestamp, Alternate Checksum, Connection Count, Bad Options, Flag Combinations, Reserved Field, NULL Packets
  Other: ICMP Response Control, ARP Spoofing Protection, Strict Interface Matching, Connection Timeout Control, Payload Size Control, Reassembly Timing Control, Illegal Fragments, Duplicate Fragments

VPN – Virtual Private Networking
  Concurrent PPP (L2TP/PPTP) Tunnels: 50 000
  IPSec VPN
    - Encryption Algorithms: AES (Rijndael), 3DES, DES, Twofish, Blowfish, CAST-128, NULL encryption
    - Authentication: SHA-1, MD5
    - Concurrent IPSec VPN Tunnels: 1 (as printed; most likely a footnote marker rather than the figure, which is not reproduced in this copy)
    - IKE Modes: Main, Aggressive (these are IKEv1 modes; the standards list below names RFC 2409, i.e. IKEv1, and no IKEv2 document)
    - Perfect Forward Secrecy: DH groups 1, 2, 5
    - Security Associations: per net, per host
    - Keying: X.509 certificates, pre-shared keys
    - Peer Authentication: built-in database; IP, DNS name, e-mail or X.500 Distinguished Name
    - LAN-to-LAN VPN: yes
    - Roaming Clients: yes
    - Star VPN Design Support: yes
    - DNS Resolving of Remote Gateway: yes
    - PKI Certificate Requests (PKCS#7, PKCS#11): yes
    - Self-signed Certificates: yes
    - IPsec NAT Traversal: yes
    - VPN Policy Selection: through routing / policy-based routing
    - DHCP over IPsec (“Virtual IP”): yes
    - VPN Tunnel Keep-alive: yes
    - Standards compliance: RFC 2401 (Security Architecture for the Internet Protocol), RFC 2403 (HMAC-MD5-96 within ESP), RFC 2404 (HMAC-SHA-1-96 within ESP), RFC 2405 (ESP DES-CBC with explicit IV), RFC 2406 (IP Encapsulating Security Payload), RFC 2407 (IPsec Domain of Interpretation for ISAKMP), RFC 2408 (ISAKMP), RFC 2409 (IKE), RFC 2410 (NULL encryption algorithm with IPsec), RFC 2412 (OAKLEY Key Determination Protocol), RFC 2451 (ESP CBC-mode cipher algorithms)


L2TP VPN
  Authentication Algorithms: CHAP, PAP, MS-CHAPv1, MS-CHAPv2
  MPPE Support: yes

PPTP VPN
  Authentication Algorithms: CHAP, PAP, MS-CHAPv1, MS-CHAPv2
  MPPE Support: yes

Traffic Shaping
  Mode of Operation: weighted queues (pipes)
  Policy-based Traffic Shaping: yes
  Time-Scheduled Traffic Shaping: yes
  Number of Pipes: 64
  Priority Levels: 8 per pipe
  Applicable Limits: bandwidth, packets per second
  Granularity: per firewall rule / 1 Kbps / 1 pps
  Dynamic Bandwidth Limit Balancing: yes
  Pipe Chaining: yes

High Availability
  High Availability Support: yes
  State Synchronization: yes
  VPN Synchronization: yes
  Device Failure Detection: yes
  Dead Link Detection: yes
  Dead Gateway Detection: yes
  Dead Interface Detection: yes
  Synchronization Method: dedicated Ethernet interface (see High Availability above)
  Average Fail-over Time: a fraction of a second (see High Availability above)

Logging
  Network Logging: yes
  Clavister Firewall Logger: yes
  Syslog: yes
  Real-time Log Viewer: yes
  Number of Log Receivers: 8
  Log Receiver Grouping: yes
  Per-rule Logging: yes
  Drop Entry Byte Dump: yes (150 bytes)
  Automatic Log File Compression: yes
  Log File “Wrapping”: yes
  Graphical Log Analyzer: included in Clavister Firewall Manager
  Command Line Log Query Tools: Microsoft Windows, Linux
  Log Export File Format: CSV
  NetIQ WebTrends Support: yes

Monitoring
  Real-time Performance Monitoring: included in Clavister Firewall Manager
  SNMP Polling: yes
  Counter Entities: CPU load; forwarded bps; forwarded pps; buffer usage; connections; rule usage; pps in/out/total per interface, VLAN, VPN tunnel and pipe; bps in/out/total per interface, VLAN, VPN tunnel and pipe; drops; IP errors; send fails; ICMP received; fragments received; fragment reassembly OK; fragment reassembly failed; number of users; dynamic limit bps; delayed packets; dropped packets; dynamic user limit bps; Rx/Tx ring counters

User Authentication
  External RADIUS User Database: yes
  Multiple RADIUS Servers: yes
  CHAP: yes
  PAP: yes
  RADIUS Challenge/Response (HTTP): yes
  Customizable HTTP(S) Front-end: yes
  VPN IKE XAuth: yes
  Microsoft Active Directory Integration (via MS IAS): yes

Management
  Local Console: RS232
  Local Console Authentication: password
  Graphical Enterprise Remote Management: yes
  Remote Access Encryption / Authentication Algorithm: CAST-128 / SHA-1
  Remote Access Authentication: Yarrow-generated PSK, source interface and source IP
  Remote Fail-safe Operation: revert to last known-good configuration
  Multiple Administrators: yes
  Number of Administrators: unlimited
  Multi-Firewall Management: yes
  Administrative Networks: unlimited
  Revision History: complete configurations
  Centrally Archived Configurations: yes
  Firewall Core Upgrades: complete remote software upgrades, authenticated and encrypted
  Command-line based Remote Management: Microsoft Windows, Linux
  Miscellaneous: HTTP Poster (logon to service providers / DynDNS client etc.): yes; SNTP and UDP Time Synchronization: yes

Torggatan 10, Box 393 • SE-891 28 ÖRNSKÖLDSVIK • SWEDEN
Phone: +46 (0)660 29 92 00 • Fax: +46 (0)660 122 50
[email protected] • www.clavister.com

Copyright © 1998-2005 Clavister AB. All rights reserved. Information in this document is subject to change without prior notification.

About Clavister

Clavister is a leading developer of high-performance IT/IP security. Its products, based on unique technology, include carrier-class firewalls and VPN solutions. They have been awarded preferred choice by the international press and are in use today by thousands of satisfied customers. In short: in a world where people depend on information, Clavister provides complete security solutions more cost-efficiently than any competitor, always with your business in mind.

Clavister was founded in 1997 in Sweden. Its R&D and headquarters are situated in Örnsköldsvik, Sweden, and its solutions are marketed and sold through sales offices, distributors and resellers in Europe and Asia. Clavister also offers its technology to OEM manufacturers.