Product Overview
The CryptoCluster line of VPN gateways represents a brand new class of products able to scale from the
most reliable small office applications up to large enterprise-gateway or service provider deployments. This
product line delivers an exceptional combination of never-before-attained reliability, scalability and
manageability, together with an outstanding price/performance ratio. CryptoCluster gateways support IPSec,
L2TP and PPTP tunneling protocols, giving customers the ability to provide secure communications for remote
users, as well as the ability to establish private VPN communication from site to site.
The CryptoCluster 2500 VPN gateways are typically deployed in regional offices or the facilities of an e-commerce business partner. By comparison, the CryptoCluster 5000 VPN gateways typically operate as a hub for implementing an enterprise-wide VPN, and the CryptoCluster 500 VPN gateways are deployed in small office environments.
The CryptoCluster 2500 VPN gateways introduce a tremendous advance in the design of networking products. Benefiting from the power of IP Clustering, CryptoCluster nodes act as one network device. Because individual gateways can be clustered together to enable the transparent distribution of IP packet flows, multiple CryptoCluster 2500 VPN gateways provide extreme scalability. In addition, Nokia's unique, patented Active Session Failover technology retains all existing sessions in the event that any node in a cluster becomes unavailable due to upgrade, maintenance, or even disaster. Both enterprise organizations and service providers can benefit from this previously unheard-of reliability. For the first time ever, VPN gateways can provide the kind of global, mission-critical communications required by large enterprises, and can do so with the level of reliability that these operations require.
An individual CryptoCluster 2500 VPN gateway can handle IPSec ESP protection of traffic using 3DES/SHA-1 at up to 45 Mbps. The tunneling capacity of a single CryptoCluster 2500 VPN gateway allows it to easily support 2,500 remote users simultaneously with individual Layer 2 Tunneling Protocol (L2TP) or Microsoft Point-to-Point Tunneling Protocol (PPTP) tunnels. In clustered configurations, with multiple CryptoCluster 2500 VPN gateways behaving as one device, they are able to dramatically increase the number of tunnel terminations. Because additional CryptoCluster 2500 VPN gateways can be transparently added to a pre-existing cluster while the cluster is running, zero maintenance downtime is attainable. This provides for convenient incremental expansion of the cluster as VPN requirements grow over time. Moreover, because of Active Session Failover technology, if any node in the cluster becomes unavailable, the cluster will automatically reassign the active sessions among the remaining nodes with no disruption in service. IPSec Security Associations (SAs) are securely shared across the cluster, avoiding costly re-keying and frustrating flow termination.
Security Features
Authentication is available through standard Public Key Infrastructure (PKI) mechanisms, using either a
built-in certification authority (CA) feature or an external CA, such as Baltimore, Entrust, or VeriSign.
Automated secure key exchange is performed using industry standard cryptographic methods. This can be done
via the Internet Key Exchange (IKE) protocol using public-key cryptography or based on pre-shared keys, as
the administrator's policy dictates. Standard public/private key cryptography is used in authenticating ISO
X.509v3 digital certificates. All keys used in encryption and authentication of traffic are derived through
the Diffie-Hellman key exchange.
A complementary component, the CryptoConsole™ management software, gives complete, centralized control of connectivity and security policy. Administrators can configure and manage services including security modes (type of encryption and/or authentication to use), re-keying interval, key exchange method, as well as IP addressing. Per-user policy is simply configured and administered. Management of policy can be based on ISO X.509v3 certificates, IP addresses or ranges of addresses. L2TP & PPTP authentication can be done locally or via RADIUS.
Manageability and Serviceability
As with the CryptoCluster 5000 and CryptoCluster 500 VPN gateways, simplified management of the
CryptoCluster 2500 VPN gateways is achieved with the use of the CryptoConsole management software. This Java
tool provides an easy-to-use configuration utility, which allows for quick configuration of even complex
security policies, and provides a mechanism for administrators to check status or modify configuration
through point-and-click operations. The CryptoConsole tool provides remote configuration, fault, performance
and security management of the CryptoCluster gateways. All communication between the PC or laptop running
this management software and the cluster is done using Secure Sockets Layer (SSL) to ensure the authenticity
and privacy of the configuration information through the network.
Automated operational features incorporated into the CryptoConsole software include the ability to remotely manage and configure the CryptoCluster gateways. The management software allows a single, centralized point of administration, eliminating the need to visit each CryptoCluster gateway site when upgrading software. SNMP is also integrated into the CryptoCluster gateway for network management integration with administrators' existing systems.
Management features
SNMPv1 MIB II and SNMPv2C
Policy Based Management
Security policy managed on a per VPN or per client basis
Security level setting (e.g., encryption modes, key lifetimes)
Connectivity Management
Device configuration
VPN peering information
Security policy creation
Secure Code Update & Cluster Communication
AlchemyOS™ kernels are cryptographically signed at the factory to ensure their authenticity. The CryptoCluster 2500 VPN gateway verifies the signature before booting the image.
System flash memory card enables fast, reliable software replacement. The entire configuration, as well as the system software for the cluster node, is stored on a removable flash card. Should the box ever experience a component failure, this configuration can be easily transferred to another node and it will immediately assume the identity of the failed box.
A hardware PIN is used to secure private-key store and to derive cluster session keys used to encrypt and authenticate intra-cluster communication.
An LCD provides at-a-glance viewing of the node's operational status.
Performance Statistics & Operational Statistics
Typical secured packet latency: 500 microseconds with IPSec ESP using 3DES and SHA-1
Typical failover statistics: 250-500 millisecond recovery from the loss of any member of the cluster.
Protocol state shared (clustered): IPSec security associations (SAs), L2TP and PPTP tunnels
Cryptographic Standards
Data Encryption Standard (DES)
Triple DES (3DES)
Blowfish
CAST-128
RC5
ISO X.509v3 certificates
Internet Key Exchange (IKE), including Oakley groups (1) modp-768, (2) modp-1024, and (5) modp-1536
Private/public key authentication and encryption
HMAC Secure Hash Algorithm (SHA-1)
HMAC Message Digest version 5 (MD5)
HMAC RIPEMD-160
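The Diffie-Hellman derivation described under Security Features runs over the three Oakley groups listed above. As an added example (not code from the product or its documentation), the following rebuilds modp-768, modp-1024 and modp-1536 from their published formulas in RFC 2409 section 6 and RFC 3526 section 2, checks that each is prime, and runs one exchange; the function names are the author's own.

```python
"""Oakley MODP groups 1 (modp-768), 2 (modp-1024) and 5 (modp-1536), the IKE groups the
gateway lists, rebuilt from RFC 2409 s6 / RFC 3526 s2, plus one Diffie-Hellman exchange.
Added example; not code from the product."""
import secrets

# group -> (modulus bits, bits of pi used, additive constant) as published in the RFCs
OAKLEY = {1: (768, 638, 149686), 2: (1024, 894, 129093), 5: (1536, 1406, 741804)}
GENERATOR = 2  # all three groups use g = 2

def pi_fixed(bits):
    """floor(pi * 2**bits) via Machin's formula in pure integer arithmetic."""
    scale = 1 << (bits + 64)                      # 64 guard bits absorb truncation error
    def arctan_inv(x):                            # arctan(1/x) scaled by 2**(bits+64)
        total, term, k, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // k)
            term //= x * x
            k, sign = k + 2, -sign
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> 64

def modp_prime(group):
    """p = 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^k * pi) + c); top and bottom 64 bits are ones."""
    n, pi_bits, c = OAKLEY[group]
    return (1 << n) - (1 << (n - 64)) - 1 + (1 << 64) * (pi_fixed(pi_bits) + c)

def is_probable_prime(n, rounds=8):
    """Miller-Rabin with random bases: sanity check that a rebuilt modulus is prime."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dh_exchange(group):
    """Initiator and responder each pick a private exponent and swap g^x mod p (the IKE
    KE payload); returns the two derived secrets, which must be equal."""
    p = modp_prime(group)
    x_i, x_r = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
    y_i, y_r = pow(GENERATOR, x_i, p), pow(GENERATOR, x_r, p)
    return pow(y_r, x_i, p), pow(y_i, x_r, p)
```

The modulus size is the only thing that distinguishes the three groups, and 768-bit and 1024-bit moduli are well below the 2048-bit level that current guidance treats as the minimum, so an administrator configuring this gateway today would select modp-1536 whenever the peer supports it.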
IETF standards, drafts and RFCs supported
RFC 1305 Network Time Protocol (version 3)
RFC 1661 The Point-to-Point Protocol (PPP)
RFC 1994 PPP Challenge Handshake Authentication Protocol (CHAP)
RFC 2401 Security Architecture for the Internet Protocol
RFC 2402 IP Authentication Header
RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406 IP Encapsulating Security Payload (ESP)
RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408 Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409 The Internet Key Exchange (IKE)
RFC 2410 The NULL Encryption Algorithm and Its Use With IPSec
Layer 2 Tunneling Protocol
The Point-to-Point Tunneling Protocol
IP services
Supports DHCP/BootP relay agent, NTP, Syslog, DNS resolver (w/cache)
Physical Specifications
CPU - Intel StrongARM 233 MHz processor
Cryptographic Coprocessors - hi/fn 7751 - DES/3DES/SHA/MD5 accelerator and 100 MHz hi/fn 6500 - Public-key accelerator
Flash memory - removable 8 MB PCMCIA card
RAM - 64 MB
Interfaces - Two 10/100 auto-sensing Ethernet interfaces
Dimensions and Weight
Height - 1.75 in
Width - 19 in
Depth - 12.4 in
Weight - 10 lb
Power Requirements
AC Input Voltage - 100-120 / 200-240 VAC
Frequency - 50-60 Hz
AC Input Current - 1.0 / 0.5A max. (UL) value; 0.5 / 0.25A measured actual value
Regulatory Compliance
The CryptoCluster 2500 gateway is fully compliant with:
EN50082-1 (1997), EN55022 Class A (1995), VCCI Class A (April 1997), SABS, FCC/CISPR 22/85 Class A (ANSI C63.4 1992), ICES-003 Class A, and AS/NZS 3548 Class A (1995)