Overview

Enterprise organizations almost exclusively rely on Ethernet-based IP networks to deliver applications critical to business productivity and profits. Securing this infrastructure against debilitating attacks from malicious or often ignorant users is necessary to ensure uninterrupted business operations. Mobility, convergence, and Web-centric applications are adding fuel to the fire, and rendering traditional centralized perimeter-only security models ineffective. The line between Internet and intranet is fading fast as users become more mobile and less identifiable. In such an open infrastructure, the threats are not concentrated at a single entry point at the network perimeter, but are network wide. Furthermore, attacks are increasing in sophistication, and are exploiting application-level vulnerabilities to cripple critical IP services and disrupt business operations. Today's enterprises require distributed network-wide security architectures to protect against threats from within the network, while simultaneously augmenting traditional perimeter defenses.

Foundry Networks'® SecureIron™ LAN switch family is the industry's first and only security switch to deliver value added Layer 2 through 7 security functions in a network switch architecture to help enterprises seamlessly integrate security into their network infrastructure for always-on protection. These security switches are designed to protect the core network from threats originating at the edge, and protect the edge users and devices from network-based threats. The SecureIron LAN switches are purpose-built with ASIC-based architecture for inline network-wide deployment to deliver perimeter-like security enforcement inside the LAN.

Using highly-advanced stateful flow-based security architecture, the SecureIron LAN switches enforce policies cradle-to-grave on each individual flow. They go beyond packet forwarding of traditional LAN switches to deliver comprehensive security enforcement, which includes device and user authentication prior to granting network access, identity-based service access control and deep packet inspection of application traffic for vulnerabilities. User authentication is extended to the network edge using standard-based HTTPS and RADIUS protocols, and leverages existing user directories in the enterprise network. The SecureIron LAN switches feature an optional hardware SSL acceleration module for high-volume authentication support in large campus environments. Highly scalable and modular architecture of these switches allows for segregation of functions on to different hardware modules to maximize application traffic performance and security simultaneously.

The SecureIron LAN switch family features switches in two performance models - SecureIronLS 100 and SecureIronLS 300 – and is powered by Foundry's SecureWorks™ software suite. These switches are available in a choice of form factors and port configurations for easy deployment into existing network implementations.

Back to top

Features

Platform Features

• Network Class Resiliency: High availability platform is critical for always-on security inside the LAN where traditional switches provided high resiliency. SecureIron LAN switches are no exception, and provide redundant, removable and front serviceable power supplies, removable fan tray and hot-swappable modules for maximum uptime.
• Investment Protection with Expandability and Upgradeability: SecureIron products are designed for a long service life with the ability to add additional or replacement modules in the future to take advantage of new technologies and services, including upgrade to 10 GbE.
• Choice of Form Factors: Choice of modular and highly-compact 2 Rack Unit 3-slot chassis for space-constrained deployments and fully front-serviceable 5 Rack Unit 4-slot chassis for greater expansion capacity and port density.
• High Density Ports: Support for up to 48 GbE (fiber and copper) ports or 6 10 GbE ports in a single chassis to support GbE and 10 GbE infrastructures with easy migration in the future
• Direct Desktop Protection: With high density 10/100 Ethernet ports and GbE uplinks, the SecureIron LAN switch can be deployed as a personal firewall to individual desktops at the edge of the network.

Security Features

• Web Authentication for Secure Access: Control access to network with secure authentication of all users against standard enterprise user directories. Enable high-volume authentication with hardware-based SSL support for HTTPS
• Identity Based Service Access: Prevent unauthorized and illegal access to services and applications by enforcing access control at the user level on a flow-by-flow basis.
• DHCP Snooping: Enforce user and machine identity binding post Web authentication by continuously monitoring changes in the network address state. Prevent unauthorized access to the network from spoofed IP addresses by unauthorized and unauthenticated users
• SYN-Guard Protection: Prevent deadly TCP SYN and ACK flood attacks from taking down critical Web, e-mail, and other TCP services. Gain protection against multi-gigabit wire-speed SYN flood attacks using hardware-assisted SYN-Guard™, which blocks illegal TCP connections.
• Deep Packet Inspection: Prevent application-level attacks and intrusions from affecting service by using the SecureIron's high-performance deep packet inspection. Use highly customizable and comprehensive content filtering rules to identify and block malicious content in application flows. Apply deep packet inspection rules to targeted flows, users, and services to optimize performance while increasing security protection.
• Application Anomaly Prevention: Enforce desired user and host behavior by limiting the number and rate of IP flows. Prevent abusers from accessing services using automatic and manual hold-down. Limit the number of flows permitted to specific servers and applications to match resource availability with load. Extend the benefits to all TCP and UDP applications, including Web, DNS, e-mail, and VoIP.

Advanced L2/3

• Integrated Full-Function Layer 2 Switching: Industry's most comprehensive security switch platform with advanced Layer 2 switching for cost-effective and simplified network design and device consolidation. Wire-speed layer 2/3 performance for traffic not targeted for security enforcement.
• sFlow Network Monitoring: Industry's only security switch with hardware-assisted standards-based and always-on sFlow network traffic monitoring on all application flows and Layer 2/3 switched traffic.
• Wire-speed Hardware ACLs: Enforce access policies using standard and extended ACLs at wire speed on every port. Eliminate the need to expend security processing capacity to analyze disallowed traffic and flows. Dynamically migrate access policies from other devices with easy-to-use industry-standard ACL format.

Back to top

Specifications

	SecureIronLS 100-4802	SecureIronLS 300-32GC02	SecureIronLS 300-32GC10G
Management Module*	LS-SSM6-1	LS-SSM6	LS-SSM6
Stateful Flow Capacity	1,000,000	5,000,000	5,000,000
Layer 4 CPS	40,000	120,000	120,000
Layer 7 CPS	15,000	45,000	45,000
DDoS & DoS (SYN Flood) Protection (SYN/Sec)	1,000,000	3,000,000	3,000,000
Layer 2/3 Throughput	Wire-Speed	Wire-Speed	Wire-Speed
Layer 4 Throughput	2.0 Gbps	6.0 Gbps	6.0 Gbps
Layer 7 (Inbound) Throughput	350 Mbps	1.0 Gbps	1.0 Gbps
Layer 7 (Bidirectional) Throughput	180 Mbps	550 Mbps	550 Mbps
Pre-Equipped 10/100 Ports	48	0	0
Pre-Equipped Gigabit Fiber Ports	2	2	0
Pre-Equipped Gigabit Copper Ports	0	32	32
Pre-Equipped 10 Gigabit Ports	0	0	2
Total Ports	50	34	34
Physical dimensions	8.75"h x 17.5"w x 15"d(22.2 x 44.5 x38.1 cm)	8.75"h x 17.5"w x 15"d(22.2 x 44.5 x38.1 cm)	8.75"h x 17.5"w x 15"d(22.2 x 44.5 x38.1 cm)
Weight	60 lbs fully loaded (29.9 kg)	60 lbs fully loaded (29.9 kg)	60 lbs fully loaded (29.9 kg)
Power Requirements	4-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz	4-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz	4-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz

* Dual Active SSM6 and SSM6-1 Management Modules may be used for Doubling L4, L7 & DoS Performance and Session Capacity

Optional Hardware SSL Acceleration Modules

	SRVC-SSL-1	SRVC-SSL-2
SSL Connection Performance (CPS)	LS-SSM6-1	LS-SSM6-1
SSL Bulk Throughput	500 Mbps	1 Gbps
Concurrent SSL Sessions	16,000	32,000

Back to top

System Options

Part Number	Description
SecureIron LAN Switch Base Platforms
SCILS-100-4802	4-slot SecureIronLS chassis equipped with one LS-SSM6-1 (1BP) management module, one AC power supply, one 48-port 10/100 RJ45 Module, and one 2-port SFP Gigabit JetCore line Module
SCILS-300-32GC02	4-slot SecureIronLS chassis equipped with one LS-SSM6 (3BP) management module, one AC power supply, two 16-port 100/1000 Mbps RJ45 Modules, and one 2-port SFP Gigabit JetCore line module
SCILS-300-32GC10G	4-slot SecureIronLS chassis equipped with one LS-SSM6 (3BP) management module, one AC power supply, two 16-port 100/1000 Mbps RJ45 Modules, and one 2-port 10 Gigabit XENPAK line module
SecureIron LAN Switch Module Options
J-B2Gx	2-port 1000Base-X (mini-GBIC) JetCore line Module
J-B4Gx	4-port 1000Base-X (mini-GBIC) JetCore line Module
J-BxG	8-port 1000Base-X (mini-GBIC) JetCore line Module
J-B16Gx	16-port 1000Base-X (mini-GBIC) JetCore line Module
J-B16GC	16-port 100/1000Base-T (RJ45) JetCore line Module
B10Gx1	1-port 10-Gigabit Ethernet Base Module (optics required)
B10Gx2	2-port 10-Gigabit Ethernet Base Module (optics required)
J-B48E-A	48-port 10/100Base-TX (RJ45) double-wide JetCore line
J-B2404CF	24-port 10/100Base-TX (RJ-45) and 4-port Gigabit (copper and fiber combo) double-wide JetCore line Module
SecureIron LAN Switch System Options
LS-SSM6	SecureIronLS Security LAN Switch Management module (LS-SSM6) with 3 security processors. Use this module for dual-active LS-SSM6 in a SecureIronLS, or for spares.
LS-SSM6-1	SecureIronLS Security LAN Switch Management module (LS-SSM6-1) with 1 security processor. Use this module for dual-active LS-SSM6-1 in a SecureIronLS, or for spares.
SRVC-SSL6-1	Hardware-based SSL acceleration service module with one SSL processor for high-volume Web authentication
SRVC-SSL6-2	Hardware-based SSL acceleration service module with two SSL processors for high-volume Web authentication
SecureIron LAN Switch 10-Gigabit Ethernet Optics
10G-XNPK-SR	850nm serial XENPAK plug-in transceiver (SC), target range of 300m over MMF
10G-XNPK-LR	1310nm serial pluggable XENPAK optic only (SC) for up to 10km over SMF
10G-XNPK-ER	1550nm serial pluggable XENPAK optic only (SC) for up to 40km over SMF
SecureIron LAN Switch Mini GBIC Options
E1MG-SX	1000Base-SX mini-GBIC optic, MMF, LC connector
E1MTG-SX	1000Base-SX mini-GBIC optic, MMF, MTRJ connector
E1MG-LX	1000Base-LX mini-GBIC optic, SMF, LC connector
E1MG-LHA	1000Base-LHA mini-GBIC optic, SMF, LC connector
E1MG-LHB	1000Base-LHB mini-GBIC optic, SMF, LC connector, 150km Maximum reach
E1MG-TX	1000BASE-TX Mini-GBIC Copper, RJ-45 Connector

* Redundant power, DC power and spare chassis options available

Back to top