Aricent Firewall provides network security solutions to corporate networks using Access Filters. It is based on packet filtering mechanism that can be deployed between the private and public networks as a screening router [Figure 1]. A network administrator / user can configure the router with extensive set of rules to enforce the security policy.

Figure 1. Deployment Scenario of Aricent Firewall

Aricent Firewall can be used in both Host and Subnet firewall architectures of the Screening Routers. This helps to provide services from a host that is attached to the internal network and to provide support for DMZ respectively. It supports

• Static Filtering
• Stateful Inspection and
• Service Independent Filtering

Static Filtering : The Access Control List based Static filtering, filters the packets using statically configured filters based on the following fields:

• Range of Source and Destination addresses
• Protocol Type (e.g. TCP, UDP, ICMP, IGMP, PIM, GRE, RSVP, OSPF, IGP, EGP, NVP)
• Source and Destination Port numbers
• IP Options (source route, record route and timestamp option)
• IP Fragmentation (tiny and large)
• ICMP type and code

Stateful Inspection : These are temporary filters written on the fly by learning the traffic information, thereby allowing access to the network when required and only as long as it is required. Additionally, in the case of TCP, sequence numbers and window sizes are also included for inspection to prevent malicious packets to be passed through even when source and destination ports and addresses are matched.

Service Independent Filtering : Supports filtering against the following potential attacks from an external (Public) network :

IP Address Spoofing, Land Attack, Ping Of Death, Jolt and Jolt2, Axent Raptor Freeze, TCP NULL / XMAS scan attacks, TCP / UDP Short Header, TCP SYN Flooding, UDP Fraggle and Snork Attacks, Echo Storm, IP Smurfing, WinNuke, ICMP Redirects, Zero Length IP option and IP Source Routing, Teardrop, Tiny fragment, etc.

Implementation Features :

• A master control switch is provided to enable or disable filtering. By default, the switch is disabled.
• Switches are provided to enable/disable the following features :
  
  - IP Address Spoofing
  - Source routing attack
  - Tiny fragment attack
  - Rate limiting of TCP SYN / UDP / ICMP flooding.
  - URL Content Filtering
  - NetBIOS Filtering
  
  
• Statistics are maintained globally and on a per circuit basis.
• Support for packet filtering in the Fast-forwarding path.
• Support logical operations on the configured filters.
• Support for authentication based on simple username/password through a preliminary Telnet session. MD5 support provided for security.
• Provides extensive logging mechanism, which can be enabled/disabled on the fly.
• Provides SNMP, CLI and WebNM support.
• Supports filtering on fragments (both tiny and large).
• Filters the packets on inbound/outbound basis of a particular interface.
• Generation of ICMP error messages is a configurable option.
• Conforms to Future Software Architecture for Portability (FSAP2), thus ensuring highly portable code that uses flexible buffer and timer management libraries.
• Seamless integration with Aricent IP, Aricent QoS, Aricent NAT, Aricent SNMP, Aricent CLI and Aricent WebNM.

Aricent Firewall is easily portable across various architectures, reduces the time to market for OEMs and VARs who wish to incorporate the security services into their devices.

Other Offerings ------------------------------------------- Protocol Stacks ------------------------------------------- .... WLAN ---- 802.11i ---- 802.11F ------------------------------------------- .... IPV4 ---- IP ---- TCP ---- DNS Relay ---- IGMPv3 ------------------------------------------- .... IPv6 ---- IPv6 Host ---- IPv6 Router ---- V6R - IPv6 Routing ------------------------------------------- .... Unicast Routing ---- RIP ---- OSPF ---- OSPF-TE ---- BGP4 ---- BGP4+ ---- ISIS ------------------------------------------- .... Multicast Routing ---- PIM ---- DVMRP ------------------------------------------- .... Label Switching ---- MPLS ------------------------------------------- .... Layer2 Switching ---- VLAN (GARP, GVRP) ---- RSTP/MSTP ---- Link Aggregation ---- 802.1x ---- IGMP Snooping ------------------------------------------- .... Layer2 Switching-Multiple Instance ---- RSTP/MSTP - MI ---- VLAN - MI (GARP, GVRP) ------------------------------------------- .... Security ---- NAT ---- FIREWALL ---- DHCP ---- IPSec ---- IKE ---- RADIUS ---- TACACS+ ---- 802.1x ------------------------------------------- .... Quality Of Service ---- RSVP ---- QOS ------------------------------------------- .... Fault Tolerance ---- VRRP ---- RM ------------------------------------------- .... Management ---- SNMP ---- ENM ---- HTTP ---- RMON ---- WEB NM ------------------------------------------- .... VPN ---- L2TP ---- PPP ---- IPSec ------------------------------------------- .... WAN Access ---- L2TP ---- PPP ---- FRPVC ---- FRATM ------------------------------------------- .... Narrowband ---- V5.2 ---- ISUP ---- MTP3 ------------------------------------------- .... Optical ---- RM ------------------------------------------- .... ATM ---- UNI3 ---- UNI4 ---- IPOA ---- PNNI ---- LANE2-C ---- LANE2-S ---- MPOA-C ---- MPOA-S ---- ILMI4 ------------------------------------------- ...MORE... ------------------------------------------- OEM Ready Solutions ------------------------------------------- .... Intelligent Switch ---- ISS Overview ---- ISS Enterprise ---- ISS Workgroup ------------------------------------------- .... Enhanced Security Solution ------------------------------------------- ...MORE...