SecureIron Perimeter Traffic Managers
- High performance security enhancement at the enterprise perimeter with offload of traditional firewalls to extend their life and protect the investment
- Highly scalable network-based Spam mitigation and Web security to prevent abusive use of the internal network and Internet bandwidth
- Highly-advanced Internet WAN link and Firewall traffic management for maximized bandwidth use and optimized delivery of critical application traffic
Overview
Foundry Networks' SecureIron perimeter traffic managers offer an all-in-one security and traffic management solution for the enterprise perimeter. These products deliver high-performance Layer 2 through 7 switching, security, and traffic management to augment existing traditional firewalls and optimize application performance over the WAN. The SecureIron switches are designed with hardware-based architecture to protect the enterprise infrastructure against multi-gigabit network- and application-layer threats. They are purpose-built for inline deployment as a front-end to traditional firewalls for security augmentation and feature offload. With highly-advanced ISP link aggregation and bandwidth management, the SecureIron traffic managers maximize WAN utilization and optimize application performance across multiple ISP links providing Internet connectivity. The SecureIron intelligently distributes traffic over multiple ISP links and provides automatic failover for high availability Internet access without the need for complex Border Gateway Protocol (BGP) routing. The traffic managers allow organizations to customize bandwidth allocation and usage for business-critical application traffic to ensure optimized performance and always-on delivery.
The SecureIron traffic managers are designed to be deployed as front-ends to existing traditional firewalls at the network perimeter for unmatched hardware-based protection against Denial-of-Service (DoS) attacks and application level threats. The devices are capable of offloading overburdened firewalls from key security features like hardware access lists, DoS/DDoS protection, stateful IP Network Address Translation (NAT) and application rate controls to maximize firewall performance. The SecureIron traffic manager solution enhances perimeter security and scale to multi-gigabit traffic management and security performance for a fraction of the cost of PC-based security appliances or costly firewall upgrades. Additionally, the SecureIron provides SPAM mitigation and Web filtering to enhance protection at the perimeter from malicious and non-essential traffic.
The SecureIron traffic managers enforce highly-customizable Layer 7 security policies with deep packet inspection to prevent application-level attacks from penetrating into the enterprise network. These switches also feature specialized security features for protection of Web, DNS, VoIP, SIP and e-mail applications from common threats.
The SecureIron traffic manager family features switches in two performance models - SecureIron 100 and SecureIron 300 – and is powered by Foundry's SecureWorks™ software suite. These switches can be customized for port connectivity by installing a range of line modules with 10/100 Ethernet, GbE (fiber & copper) and 10 GbE speeds.
Features
Platform Features
- Datacenter Class Redundancy: High availability platform is critical for always-on security. SecureIron products provide redundant, removable and front serviceable power supplies, removable fan tray and hot-swappable modules for maximum uptime.
- Investment Protection with Expandability and Upgradeability: SecureIron products are designed for a long service life with the ability to add additional or replacement modules in the future to take advantage of new technologies and services, including upgrade to 10 GbE.
- Choice of Form Factors: Choice of modular and highly-compact 2 RU 3-slot chassis for space-constrained deployments and a fully front-serviceable 5 RU 4-slot chassis for greater expansion capacity and port density.
- High Density Ports: Support for up to 48 Gigabit (fiber and copper) ports in a single chassis to support even the most complex network design requirements
Traffic Management Features
- ISP Link Traffic Management: Distribute inbound and outbound IP traffic transparently across multiple ISP links based on real-time link health monitoring, service response time and link utilization. This application enhances overall reliability and availability of Internet access while optimizing utilization on all available links. Enterprise users will experience immediate improvements in productivity with no added bandwidth cost.
- ISP Link Aggregation: Get increased bandwidth for Internet access by aggregating multiple low-cost links with intelligent load distribution. Avoid paying steep prices for high-capacity links and minimize the risk of downtime. Increase service reliability and reduce cost by purchasing and aggregating bandwidth from multiple Internet Service Providers (ISPs).
- Optimize Application Performance: Dedicate Internet bandwidth and ISP links for critical applications to ensure available capacity and prioritized delivery of this traffic.
- Firewall Clustering and High Availability: Simultaneously utilize all deployed firewalls with intelligent load distribution to scale firewall performance and capacity without costly upgrades. Protect investment in existing firewalls and leverage commodity firewalls for performance scalability. Protect against firewall failures with real-time failover based on non-stop firewall state monitoring.
- Redundancy and with Hitless Failover: Deploy two SecureIron traffic managers in active-standby mode for redundancy and high availability during a device failure. Ensure no downtime for traffic flow and security enforcement by using stateful and hitless failover to the standby device.
Security Features – Firewall Offload and Augmentation
- Firewall Performance Upgrade: Offload traditional firewalls from key security functions like ACLs, IP NAT, DoS and DDoS protection to the hardware-based SecureIron switch to regain performance and capacity on the firewalls, and avoid costly firewall upgrades
- SYN-Guard Protection: Prevent deadly TCP SYN and ACK flood attacks from taking down critical Web, e-mail, and other TCP services. Gain protection against multi-gigabit wire-speed SYN flood attacks using hardware-assisted SYN-Guard™, which blocks illegal TCP connections.
- Deep Packet Inspection: Prevent application-level attacks and intrusions from affecting service by using the SecureIron's high-performance deep packet inspection. Use highly customizable and comprehensive content filtering rules to identify and block malicious content in application flows. Apply deep packet inspection rules to targeted flows, users, and services to optimize performance while increasing security protection.
- Application Anomaly Prevention: Enforce desired user and host behavior by limiting the number and rate of IP flows. Prevent abusers from accessing services using automatic and manual hold-down. Limit the number of flows permitted to specific servers and applications to match resource availability with load. Extend the benefits to all TCP and UDP applications, including Web, DNS, e-mail, and VoIP.
- E-mail Spam Mitigation: Block spam at the edge of the network on the basis of IP reputation lists. Download reputation lists as large as 8 million IP addresses and prefixes (representing tens or hundreds of millions of addresses) in real time, and block e-mail traffic from known spammers. Protect other applications from attacks by known e-mail abusers.
- URL Filtering: Filter outbound Web traffic against industry-standard Web filtering database and software for propriety and priority before allowing access
- DoS and DDoS Protection: Prevent DoS and distributed DoS (DDoS) attacks at the MAC,IP, and TCP/UDP layers by filtering traffic using more than 30 signatures, including TCP,ICMP,and UDP attacks and floods. Use customizable DoS signatures to block traffic that has illegal protocol headers, flags, and payload.
Advanced L2/3
- Integrated Full-Function Layer 2/3 Switching and Routing: Industry's most comprehensive security switching platform with advanced Layer 2/3 switching and routing for cost-effective and simplified network design with device consolidation. Wire-speed layer 2/3 performance for traffic not targeted for security enforcement.
- sFlow Network Monitoring: Industry's only security switch with hardware-assisted standards-based and always-on sFlow network traffic monitoring on all application flows and Layer 2/3 switched traffic.
- Wire-speed Hardware ACLs: Enforce access policies using standard and extended ACLs at wire speed on every port. Eliminate the need to expend security processing capacity to analyze disallowed traffic and flows. Dynamically migrate access policies from other devices with easy-to-use industry-standard ACL format.
Specifications
| SecureIron 100C | SecureIron 100 | SecureIron 300C | SecureIron 300 | |
|---|---|---|---|---|
| Management Module* | SSM6-1 | SSM6-1 | SSM6 | SSM6 |
| Stateful Flow Capacity | 1,000,000 | 1,000,000 | 5,000,000 | 5,000,000 |
| Layer 4 CPS | 40,000 | 40,000 | 120,000 | 120,000 |
| Layer 7 CPS | 15,000 | 15,000 | 45,000 | 45,000 |
| DDoS & DoS (SYN Flood) Protection (SYN/Sec) | 1,000,000 | 1,000,000 | 3,000,000 | 3,000,000 |
| Layer 2/3 Throughput | Wire-Speed | Wire-Speed | Wire-Speed | Wire-Speed |
| Layer 4 Throughput | 2.0 Gbps | 2.0 Gbps | 6.0 Gbps | 6.0 Gbps |
| Layer 7 (Inbound) Throughput | 350 Mbps | 350 Mbps | 1.0 Gbps | 1.0 Gbps |
| Layer 7 (Bidirectional) Throughput | 180 Mbps | 180 Mbps | 550 Mbps | 550 Mbps |
| Maximum 10/100 Ports | 48 | 48 | 48 | 48 |
| Maximum Gigabit Fiber Ports | 32 | 48 | 32 | 48 |
| Maximum Gigabit Copper Ports | 32 | 48 | 32 | 48 |
| Maximum 10 Gigabit Ports | 4 | 6 | 4 | 6 |
| Maximum Total Ports | 48 | 64 | 48 | 64 |
| Advanced Layer 3 Features | OSPF, RIPv2, VRRP, VRRP-E, Static Routing | OSPF, RIPv2, VRRP, VRRP-E, Static Routing | OSPF, RIPv2, VRRP, VRRP-E, Static Routing | OSPF, RIPv2, VRRP, VRRP-E, Static Routing |
| Physical dimensions | 3.5"h x 17.5"w x 23"d(22.2 x 44.5 x38.1 cm) | 8.75"h x 17.5"w x 15"d(22.2 x 44.5 x38.1 cm) | 3.5"h x 17.5"w x 23"d(22.2 x 44.5 x38.1 cm) | 8.75"h x 17.5"w x 15"d(22.2 x 44.5 x38.1 cm) |
| Weight | 40 lbs fully loaded (20 kg) | 60 lbs fully loaded (29.9 kg) | 40 lbs fully loaded (20 kg) | 60 lbs fully loaded (29.9 kg) |
| Power Requirements | 3-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz | 4-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz | 3-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz | 4-slot Chassis with Single (1) Power Supply: Input Voltage and Current Power Supply Rating -70 to -40 VDC: 17A 100 to 120 VAC (auto-ranging): 8A 200 to 240 VAC (auto-ranging): 4A AC line frequency: 47-63 Hz |
* Dual Active SSM6 and SSM6-1 Management Modules may be used for Doubling L4, L7 & DoS Performance and Session Capacity
System Options
| Part Number | Description |
|---|---|
| SecureIron Traffic Manager Base Platforms | |
| SCI-100C | 3-slot (2RU) SecureIron chassis equipped with one SSM6-1 (1BP) management module and one AC power supply |
| SCI-100 | 4-slot SecureIron chassis equipped with one SSM6-1 (1BP) management module and one AC power supply |
| SCI-300C | 3-slot (2RU) SecureIron chassis equipped with one SSM6 (3BP) management module and one AC power supply |
| SCI-300 | 4-slot SecureIron chassis equipped with one SSM6 (3BP) management module and one AC power supply |
| SecureIron Traffic Manager Module Options | |
| J-B2Gx | 2-port 1000Base-X (mini-GBIC) JetCore line Module |
| J-B4Gx | 4-port 1000Base-X (mini-GBIC) JetCore line Module |
| J-BxG | 8-port 1000Base-X (mini-GBIC) JetCore line Module |
| J-B16Gx | 16-port 1000Base-X (mini-GBIC) JetCore line Module |
| J-B16GC | 16-port 100/1000Base-T (RJ45) JetCore line Module |
| B10Gx1 | 1-port 10-Gigabit Ethernet Base Module (optics required) |
| B10Gx2 | 2-port 10-Gigabit Ethernet Base Module (optics required) |
| J-B48E-A | 48-port 10/100Base-TX (RJ45) double-wide JetCore line |
| J-B2404CF | 24-port 10/100Base-TX (RJ-45) and 4-port Gigabit (copper and fiber combo) double-wide JetCore line Module |
| SecureIron Traffic Manager System Options | |
| SSM6 | SecureIron Security Switch Management module (SSM6) with 3 security processors. Use this module for dual-active SSM6 in a SecureIron, or for spares and performance upgrades. |
| SSM6-1 | SecureIron Security Switch Management module (SSM6-1) with 1 security processor. Use this module for dual-active SSM6-1 in a SecureIron, or for spares. |
| SecureIron Traffic Manager 10-Gigabit Ethernet Optics | |
| 10G-XNPK-SR | 850nm serial XENPAK plug-in transceiver (SC), target range of 300m over MMF |
| 10G-XNPK-LR | 1310nm serial pluggable XENPAK optic only (SC) for up to 10km over SMF |
| 10G-XNPK-ER | 1550nm serial pluggable XENPAK optic only (SC) for up to 40km over SMF |
| SecureIron Traffic Manager Mini GBIC Options | |
| E1MG-SX | 1000Base-SX mini-GBIC optic, MMF, LC connector |
| E1MTG-SX | 1000Base-SX mini-GBIC optic, MMF, MTRJ connector |
| E1MG-LX | 1000Base-LX mini-GBIC optic, SMF, LC connector |
| E1MG-LHA | 1000Base-LHA mini-GBIC optic, SMF, LC connector |
| E1MG-LHB | 1000Base-LHB mini-GBIC optic, SMF, LC connector, 150km Maximum reach |
| E1MG-TX | 1000BASE-TX Mini-GBIC Copper, RJ-45 Connector |
* Redundant power, DC power and spare chassis options available
Literature
Datasheets
- SecureIron Traffic Managers Datasheet (PDF 698K)
- Optics Family (PDF 171K)
White Papers
How To Buy
- Interested in this product? Contact sales to learn more!
- Contact Sales