Cisco Confidential


Product¹	Features	Page
PIX Firewall	Standalone, high-performance firewall appliance Secure, real-time embedded system Scalable to more than 250,000 simultaneous connections Available in two form factors for small and enterprise sites	126
Cisco IOS Firewall Feature Set	Value-added option that provides advanced firewall-specific capabilities Stateful packet filtering via context-based access control (CBAC) Intrusion detection for real-time response to network attacks Dynamic, network-to network, per-user authentication and authorization via TACACS+ and RADIUS	128
NetSonar	Network analysis of security vulnerabilities Comprehensive data analysis and reporting capabilities Scanning of Web servers, firewalls, routers, switches, and workstations User-defined implementation options	130
NetRanger	Real-time intrusion detection system Real-time blocking of unauthorized activity Transparent to legitimate traffic Support for a range of speeds and interface types Highly scalable	132
Cisco Security Manager	Policy-based security management system for Cisco PIX Firewalls Innovative approach to security management Manages multiple firewalls from a central location Part of CiscoAssure Policy Networking	134

¹See also CiscoSecure Software Product Line on page 147.

Cisco PIX Firewall

Cisco PIX Firewall, the leading product in its segment of the market, is a high-speed, dedicated firewall appliance that delivers strong security without impacting network performance. The new PIX 515 chassis expands this world-leading product line with a low-profile, lower-cost entry and midrange model. At 1RU (1.72") height, the PIX 515 saves valuable rack space without sacrificing throughput. With support for 50,000 and 100,000 connections, the PIX 515 is ideal for smaller or remote locations. In combination with the PIX 520 (which supports 250,000 connections), Cisco now offers an unmatched dedicated firewall product family.

When to Sell


Sell This Product	When a Customer Needs These Features
PIX Firewall 515R	Dedicated firewall device for small office 50,000 simultaneous connections
PIX Firewall 515UR	Dedicated firewall device for mid-size company 100,000 simultaneous connections
PIX Firewall 520	Dedicated firewall device for large enterprise 128, 1024, or 250,000+ simultaneous connections

Key Features

Highest performance
Real-time embedded operating system
Resides between the corporate network and the Internet access router, and includes Ethernet, Fast Ethernet, Token Ring, or FDDI LAN connectivity options
Protection scheme is based on the adaptive security algorithm (ASA) to ensure the utmost in security
Cut-through proxy for authentication and authorization
Support for up to 250,000 simultaneous connections
URL filtering
HP OpenView integration
Graphical user interface for configuration and management
Alert and alarm notification via e-mail and pager
VPN support with Private Link encryption card
Trust Technology Assessment Program (TTAP) compliant; National Security Agency (NSA) certified

Specifications


Feature	PIX Firewall 515R	PIX Firewall 515UR	PIX Firewall 520
Simultaneous Sessions	50,000	100,000	128, 1024, or 250,000+
Interfaces	2-port Ethernet	4-6 port Ethernet (with s/w)	2-6 port Ethernet (with s/w) 3 port Token Ring 2 port FDDI Combo Ethernet and Token Ring
PCI Slots	2	2	4
10/100 Connections on Board	2	2	0
RAM	32 MB	64 MB	128 MB
Processor Speed	200 MHz	200 MHz	350 MHz
Dimensions (HxWxD)	1.72 x 16.82 x 11.8 in.	1.72 x 16.82 x 11.8 in.	5.21 x 16.82 x 17.5 in.
Service Category	12	12	12

Competitive Products

Checkpoint: Firewall-1
Network Associates: Gauntlet
Axent: Raptor

Distribution Part Numbers and Ordering Information


Cisco PIX Firewall Chassis Bundles¹
PIX-515-R-BUN	PIX Firewall 515 with Restricted software
PIX-515-UR-BUN	PIX Firewall 515 with Unrestricted software and 32MB RAM upgrade
PIX-515-FO-BUN	PIX Firewall 515 failover chassis and software bundle
PIX-520-128-CH	PIX Firewall 520, 128 sessions, Pentium II, two10/100 NICs (autosensing)
PIX-520-1K-CH	PIX Firewall 520, 1K sessions, Pentium II, two10/100 NICs (autosensing)
PIX-520-UR-CH	PIX Firewall 520, Unlimited sessions, 233 MHz, two10/100 NICs (autosensing)
PIX-520-FO-BUN	PIX Firewall 520 failover chassis and software bundle
Cisco PIX Upgrades
PIX-CONN-128-1K=	PIX License upgrade from 128 to 1024 connections
PIX-CONN-128-UR=	PIX License upgrade from 1024 to unlimited connections
PIX-CONN-1K-UR=	PIX License upgrade from 1024 to unlimited connections
PIX-MEM-UPG-128	Memory upgrade to 128 MB for PIX Firewalls prior to PIX 500 series
PIX-515-SW-UPG=	PIX Firewall 515 upgrade from Restricted to Unrestricted software (requires PIX-515-MEM-32)
PIX-CONN-VER=	PIX software version upgrade
SWPIX-SC=	Spare software to update inventory
PIX-515-MEM-32	32 MB RAM upgrade for the PIX 515 Firewall
PIX-MEM-5XX-128	Memory upgrade to 128 MB for PIX 510 and 520 firewalls (prior to the PIX 520-XM)
PIX-FO=	Failover cable/upgrade kit (software version 3.0 or later)
Cisco PIX Modules
PIX-1FE=	1-port 10/100 autosensing Module (RJ-45)
PIX-1TR=	1-port Token-Ring Module (4/16 Mbps)
PIX-PL2=	PIX Private Link 2 Module
Cisco PIX Documentation
DOC-PIX=	PIX complete documentation set
Cisco PIX Basic Maintenance
CON-SNT-PKG12	Cisco PIX Firewall SMARTnet Maintenance

¹For the latest part number and pricing information, see the Distribution Product Reference Guide Web site: http://www.cisco.com/dprg. (Only available in some countries at this time; worldwide rollout in place.)

For More Information

See the PIX Firewall Web site: http://www.cisco.com/warp/customer/cc/cisco/mkt/security/pix/

Cisco IOS Firewall Feature Set

The Cisco IOS Firewall feature set enriches Cisco IOS security capabilities, integrating robust firewall functionality and intrusion detection for every network perimeter. When combined with Cisco IOS IPsec software and other Cisco IOS software-based technologies such as L2TP tunneling and quality of service (QoS), the Cisco IOS Firewall feature set provides a complete, integrated virtual private network solution. The Cisco IOS Firewall is available on a wide range of Cisco router platforms, scaling to allow customers to choose a router platform based on bandwidth, LAN/WAN density, and multiservice requirements, while benefiting from advanced security.

When to Sell


Sell This Product	When a Customer Needs These Features
Cisco IOS Firewall Feature Set	For secure extranet and intranet perimeters and Internet connectivity for branch and remote offices Secure remote access or data transfer via a Cisco IOS-based VPN solution A real-time integrated intrusion detection system to complement the firewall or an existing intrusion detection system (NetRanger) Security and access to the network on a per-user basis

Key Features

Context-based access control (CBAC) provides secure, stateful, application-based filtering, supporting the latest protocols and advanced applications
Intrusion detection for real-time monitoring, interception, and response to network misuse
Dynamic, per-user authentication and authorization for LAN and WAN-based users and VPN clients
Graphical configuration and management through the use of ConfigMaker Security Wizard
Provides strong perimeter security as an essential component of a complete Cisco IOS-based VPN solution, including IPSec, QoS, and tunnelling for a wide range of Cisco router platforms

Specifications


Feature	Cisco IOS Firewall Feature Set
Supported Network Interfaces	All network interfaces on supported platforms
Supported Platforms	Cisco 1720, 2600, 3600, 7100, and 7200 series router platforms (supports full feature set) Cisco 800, UBR900, 1600, and 2500 series router platforms include all firewall features with exception of intrusion detection and authentication proxy
Memory	Varies by platform and image
Simultaneous Sessions	No maximum; dependent on platform, network connection, and traffic

Competitive Products

Ascend: SecureAccess Firewall
Nortel: BaySecure Firewall-1
Nokia: IP400 Series

Distribution Part Numbers and Ordering Information


Cisco IOS Firewall Feature Set for 1600 Series Routers¹
CD16-CH-12.0=	IP/Firewall Feature Pack
CD16-BHP-12.0=	IP/IPX/Firewall Plus Feature Pack
CD16-QHY-12.0=	IP/IPX/AT/IBM/Firewall Plus 56 Feature Pack
CD16-QHL-12.0=	IP/IPX/AT/IBM/Firewall Plus IPSec 56 Feature Pack
Cisco IOS Firewall Feature Set for 2500 Series Routers
CD25-CH-11.3=	IP/Firewall Feature Pack
CD25-BHP-11.3=	IP/IPX/AT/DEC/Firewall Plus
CD25-AHY-11.3=	Enterprise/Firewall Plus 56 Feature Pack
CD25-AHL-11.3=	Enterprise/Firewall Plus IPSec 56 Feature Pack
Cisco IOS Firewall Feature Set for 2600 Series Routers
CD26-CH-12.0=	Cisco 2600 Series IOS IP/Firewall Feature Pack
CD26-CHL-12.0=	Cisco 2600 Series IOS IP/Firewall Plus IPSec 56 Feature Pack
CD26-CHK2-12.0=	IP/Firewall Plus IPSec 3DES
CD26-BHP-12.0=	Cisco 2600 Series IOS IP/IPX/AT/DEC/Firewall Plus Feature Pack
CD26-AHL-12.0=	Cisco 2600 Series IOS Enterprise/Firewall Plus IPSec 56 Feature Pack
CD26-AHK2-12.0=	Enterprise/Firewall Plus IPSec 3DES

For More Information

See the Cisco IOS Firewall Feature Set site: http://www.cisco.com/warp/customer/cc/cisco/mkt/security/iosfw/

Cisco NetSonar

Proactive, Preventative Security. The NetSonar security scanner is an enterprise-class software tool offering superior network system identification, innovative data management, flexible user-defined vulnerability rules, comprehensive security reporting capabilities, and Cisco 24x7 worldwide support. The NetSonar scanner is a key component in Cisco's end-to-end network security solutions. NetSonar allows users to measure security, manage risk, and eliminate security vulnerabilities, thereby enabling more secure network environments.

When to Sell


Sell This Product	When a Customer Needs These Features
Cisco NetSonar	The ability to measure and reduce their security exposure A method to improve network security A process to define and validate security policies

Key Features

Flexible licensing designed to serve the changing needs of customers and to provide unprecedented scanning flexibility
Easy-to-use, intuitive user interface allows users to quickly configure a network scan without pre-existing knowledge of the network or security vulnerabilities
Comprehensive scanning engine that can analyze and identify specific networked systems---including Web servers, firewalls, routers, switches, and workstations
Flexible data analysis and reporting capabilities, including graphics-generating features and report wizard
User-defined implementation options, including scheduling, specialized profiles, and customized scanning rules for legacy or proprietary systems
Unique matrix browser and display technology that allows users to easily navigate through the data
Regular vulnerability updates of signature and rules files on a bi-monthly schedule to stay current in a rapidly changing security environment
Extensive network security database with descriptions of security problems and options to improve or fix them

Specifications


Component	Minimum System Requirements for Windows NT	Minimum System Requirements for Solaris
Hardware	266 MHz Pentium CD-ROM drive TCP/IP network interface Screen resolution of 800 x 600 or greater	Sun SPARC 5 266 MHz Pentium PC CD-ROM drive TCP/IP network interface Screen resolution of 800 x 600 or greater
Operating System	Windows NT 4.0 Service Pack 3	Solaris 2.5x or 2.6 (for SPARC) Solaris x86 2.5x or 2.6 (for Pentium)
Software	Netscape Navigator 2.0 or later Microsoft Internet Explorer 3.0 or later	Netscape Navigator 2.0 or later
Disk Space	2 GB hard drive	2 GB hard drive
Memory	64 MB (96 MB recommended)	64 MB (96 MB recommended)
User Privileges	Local or domain administrator	Root

Competitive Products

ISS: Internet Scanner
Axent: NetRecon
NAI: CyberCop Scanner

Distribution Part Numbers and Ordering Information


Cisco NetSonar¹
NS-20-NT-2500	NetSonar for NT (Up to 2500 Addresses)
NS-101-S-2500	NetSonar for Solaris (Up to 2500 Addresses)
Cisco NetSonar Software Application Support (SAS) Maintenance
CON-SAS-NS-NT	NetSonar for NT (Up to 2500 Addresses SAS Maintenance)
CON-SAS-NS-SOL	NetSonar for Solaris (Up to 2500 Addresses SAS Maintenance)
Cisco NetSonar Software Application Support plus Upgrades (SAU) Maintenance
CON-SAU-NS-NT	NetSonar for NT (Up to 2500 Addresses SAU Maintenance)
CON-SAU-NS-SOL	NetSonar for Solaris (Up to 2500 Addresses SAU Maintenance)

For More Information

See the NetSonar Web site: http://www.cisco.com/warp/customer/cc/cisco/mkt/security/nsonar/

Cisco NetRanger

NetRanger is an enterprise-scale, real-time, intrusion detection system designed to detect, report, and terminate unauthorized activity throughout a network.

NetRanger can operate in both Internet and intranet environments to protect an organization's entire network. NetRanger consists of two components: NetRanger Sensor and NetRanger Director. Transparent to network performance, NetRanger Sensors analyze the content and context of individual packets to determine if the traffic is unauthorized. If a network's data stream experiences unauthorized activity, such as a SATAN attack, a ping sweep, or a secret research project code word, NetRanger Sensors detect the policy violation in real time, forward alarms to a NetRanger Director management console, and remove the offender from the network.

When to Sell


Sell This Product	When a Customer Needs These Features
Cisco NetRanger	A network-based, real-time intrusion detection system capable of monitoring an entire enterprise network A robust, 24 hour x 7 day-a-week monitoring and response system with the latest attack detection capabilities A distributed intrusion detection system capable of directing and forwarding alarms between local, regional, and headquarters-based monitoring consoles A scalable architecture to allow the deployment of large numbers of Sensors and Directors in order to provide comprehensive security coverage in large network environments. An intrusion detection system designed to integrate smoothly with existing network management tools and practices

Key Features

Real-time intrusion detection transparent to legitimate traffic/network usage
Real-time response to unauthorized activity blocks offenders from accessing the network or terminates offending sessions
Comprehensive attack signature list detects a wide range of attacks and can detect content and context-based attacks
Support for a range of speeds and interface types, including 10/100-Mbps Ethernet, Token Ring, and FDDI
Alarms include attacker and destination IP addresses, destination port, attack description, and 256 characters of keystroke session capture before attack
Scalability for even extremely large, distributed networks

Specifications


Feature	Cisco NetRanger
Monitoring Network Interface Cards	Ethernet Token Ring Fast Ethernet Single Attached FDDI Dual Attached FDDI
Control Network Interface Card	10/100BaseT Ethernet
Processor Speed (type)	Single or Dual 400 MHz (Intel Pentium)
Memory	64 MB for single-processor units; 128 MB for dual-processor units
Hard Drive	4.55 GB Ultra Wide SCSI
Floppy Drive	1.44 MB
CD-ROM Drive	12X SCSI CD ROM

Competitive Products

Axent: NetProwler
Internet Security Systems (ISS): Real Secure
Network Flight Recorder, Inc.: NFR

Distribution Part Numbers and Ordering Information


NetRanger¹
NRD-DIR	NetRanger Director Software
NRD-DIR-U	NetRanger Director S/w upgrade w/o S/w App Sprt
NRS-2E	NetRanger Sensor, 2-port 10bT
NRS-2E-DM	NetRanger Sensor, 2-port 10bT, Device Mgmt
NRS-2FE	NetRanger Sensor, 2-port 10/100bT
NRS-2FE-DM	NetRanger Sensor, 2-port 10/100bT, Device Mgmt
NRS-BASIC-U	NetRanger Sensor S/w upgrade w/o S/w App Sprt
NRS-DFDDI	NetRanger Sensor, 1-port 10/100bt & 1-port FDDI (DAS)
NRS-DFDDI-DM	NetRanger Sensor, 1-port 10/100bT & 1-port FDDI, Device Mgmt
NRS-DM	NetRanger Sensor Device Mgmt Software
NRS-DM-U	NetRanger Device Mgmt S/w upgrade w/o S/w App Sprt
NRS-SFDDI	NetRanger Sensor, 1-port 10/100bT & 1-port FDDI (SAS)
NRS-SFDDI-DM	NetRanger Sensor, 1-port 10/100bT & 1-port FDDI, Device Mgmt
NRS-TR	NetRanger Sensor, 1-port 10bT & 1-port Token Ring
NRS-TR-DM	NetRanger Sensor, 1-port 10bT & 1-port TR, Device Mgmt

For More Information

See the NetRanger Web site: http://www.cisco.com/warp/customer/cc/cisco/mkt/security/nranger/

Cisco Security Manager v1.0

Cisco Security Manager is a scalable, powerful security policy management system for Cisco PIX Firewalls. With Security Manager, Cisco customers can define, distribute, enforce, and audit security policies for multiple distributed firewalls from a central location. As the management cornerstone of the Cisco end-to-end security product line and a fundamental element of CiscoAssure Policy Networking, Security Manager can dramatically simplify management of the PIX Firewall---the highest-performance, enterprise-class firewall available.

Cisco Security Manager also introduces the policy-based management foundation that will be extended in the future to support additional Cisco security solutions such as IPSec encryption, user identity and authentication, and intrusion detection technologies.

When to Sell


Sell This Product	When a Customer Needs These Features
Cisco Security Manager	Security administration for multiple PIX firewalls within their corporate network An easy way to define network security policies based on their business objectives A simple way to enforce and monitor their established network security policies

Key Features

Provides a powerful security management system for networks containing multiple, distributed Cisco PIX firewalls
Offers scalability by providing management support for up to 100 Cisco PIX firewalls
Offers a distributed architecture to support PIX firewalls in Internet, intranet, and extranet environments
Provides configuration of remote PIX firewalls
Provides an easy mechanism to define and manage Network Address Translation (NAT) policies for Cisco PIX firewalls
Offers high-level security policy management that allows an administrator to easily define security policies based on business objectives
Includes an auditing and reporting system to validate and monitor that status of network security policies

Specifications


Feature	Recommended Requirements for Cisco Security Manager
Operating System Support	Policy Manager client: Windows 98 or Windows NT 4.0 with Service Pack 4 Policy server: Windows NT 4.0 with Service Pack 4
Web Browser Support	Microsoft Internet Explorer v4.01¹
Processor Speed (type)	400 MHz or faster (Pentium II)
Memory	128 MB RAM or greater
Hard Drive	4 GB free space available (for the application and database)
Video Display	1024 x 768 video adapter card capable of at least 64,000 colors
Devices Supported	PIX firewalls with software v4.2.4

¹Microsoft Internet Explorer is used for the embedded on-line HTML help system and is required for product installation.

Competitive Products

Checkpoint: Firewall-1
Axent: Raptor Firewall and Raptor Firewall Management Console
Network Associates, Inc.: Gauntlet firewall

Distribution Part Numbers and Ordering Information


Cisco Security Manager¹
SECMGR-1²	Security Manager supporting 1 PIX firewall
SECMGR-10	Security Manager supporting up to 10 PIX firewalls
SECMGR-100	Security Manager supporting up to 100 PIX firewalls
SECMGR-UPG-10-100	Upgrade of Security Manager support from 10 to 100 firewalls

For More Information

See the Security Manager Web site: http://www.cisco.com/warp/customer/cc/cisco/mkt/security/csm/

Table of Contents