Dulles, VA. September 4, 2003 – Encore Networks
Inc. today announced the BANDIT™, a secure
broadband access router, ideally suited
for branch offices, that combines Virtual
Private Network (VPN) security, remote
diagnostics, dial backup, and extended
network management tools in a single
compact device. The BANDIT™ offers the
best combination of price and performance
as an all-in-one solution for IP routing,
VPN, firewall security, legacy data protocols,
and diagnostics, combined with SNMP based
network management for carrier, enterprise,
and small business customers.
"The BANDIT™ brings together, for
the first time, a combination of legacy
data protocols, security functions, and
management tools into a broadband VPN
access device that both the enterprise
user wants and the service provider demands," said
Abir Hnidi, Senior Director, Technology
and Applications Development at Encore. "The
BANDIT™ was designed for a managed router
service."
"Extensive support for legacy data
protocols, such as X.25, SNA, and BiSync,
together with IP data and Voice over
IP, means that the BANDIT™ enables a
large combination of VPN applications
with its standard dual Ethernet connections
and the optional serial port. IPsec encryption,
firewall with stateful packet inspection,
and network address translation (NAT)
protect both critical enterprise traffic
and servers. Remote configuration and
monitoring tools, built into the BANDIT™,
dramatically speed deployment and reduce
operating expense," continued Hnidi.
For high availability, each BANDIT™
contains an integral V.90 modem that
provides automatic dial backup and restore
capability. To minimize toll charges,
the BANDIT™ can drop the dialed call
after the main network connection recovers
from a failure or a pre-determined idle
time. The operator also can configure
the unit to wait for a command to return
to normal operation.
The BANDIT™ is the first product introduced
by Encore Networks, a private subsidiary
of Wesley Clover Corporation, a Canadian
investment company controlled by Dr.
Terence Matthews. Dr. Matthews, an entrepreneur
known for starting highly successful
technology companies including Mitel
Corp. and Newbridge Networks, has provided
funding and management guidance to over
70 companies in North America and the
United Kingdom.
According to Infonetics Research, the
total size of the VPN market worldwide in
2001 was $1.3 billion. They project
that VPN hardware revenue will reach
$2.9 billion in 2002 and $3.6 billion
in 2003.
"With VPN services projected to
grow so significantly, we're very optimistic
about the success of the BANDIT™," said
Peter Madsen, president and CEO of Encore. "I
believe that with our low-cost and feature
rich VPN solution, Encore Networks is
perfectly positioned to take advantage
of this rapidly growing sector, particularly
for managed services."
PROTOCOL POWER
Flexibility in applications depends on
the ability to adapt. The BANDIT™ fits
into IP networks with support for the
suite of IP protocols required for
connectivity. All models of the BANDIT™
include the standard routing, transport,
and support protocols:
- RIP versions 1 and 2, as well as
static routing
- Support of dynamic and static
NAT and PAT
- Telnet access to the configuration
menus
- Extended SNMP capabilities for configuration,
maintenance, and reporting of alarms
- A design that allows it to integrate
with standardized enterprise network
management systems
- Optimization for remote
operation as part of carrier based
Managed Service Offerings
- DHCP client and server to obtain
an IP address from the ISP and distribute
IP addresses to hosts on the LAN
- IP QoS Enforcement
- Flexible traffic monitoring
and customizable logging options
- Extensive port capture features
- Guaranteed trigger trap delivery
- Bootp to configure diskless workstations
- PAP/CHAP for authentication of BANDIT™
and local hosts to other parts of the
network
- IPsec architecture (RFC 2401)
with DES and 3DES
- Key exchange via IKE (RFC 2409)
and ISAKMP (RFC 2408)
- Tunneling via ESP (RFC 2406)
and AH (RFC 2402)
- The ability to hold chosen security
certificates for mutual authentication
based on Public Key Infrastructure
(PKI)
The BANDIT™ provides two standard (RJ-45)
10 Base-T Ethernet ports for WAN and
LAN connections. WAN protocols available
by configuration on Ethernet are Point-to-Point
Protocol (PPP), PPP over Ethernet (PPPoE),
or MultiLink PPP (MLP).
The universal serial port, available
as a factory-configured option, is highly
flexible. The proper adapter cable presents
any of the common data interfaces: RS-232,
V.35, X.21, or RS-449. In synchronous
mode, the serial port operates at bit
rates up to 2 Mbps. Like the two Ethernet
ports, a serial connection can be configured
in software as "upstream" (to
the WAN, with format choices of IP over
Frame Relay, RFC 1490, and PPP) or "downstream" (typically
a legacy protocol).
The BANDIT™ benefits from an adaptation
of a software suite used for years in
Frame Relay access devices to enable
transport of a wide range of legacy protocols
in an IP environment. This software allows
the optional serial port to terminate
many different protocols, giving older
devices access to secure transport on
the Internet. Streams based on X.25 or
Frame Relay may contain IP, which is
routed appropriately, or other protocols
such as Airline Link Control (ALC), Synchronous
Data Link Control (SDLC), BiSync, async,
and polled async. These protocols may
be forwarded, encapsulated in IP, Frame
Relay or X.25, converted at a gateway
level, or spoofed.
"With features like plug-and-play,
legacy data protocol support, NAT, DHCP,
IP routing, and dynamic firewall, the
BANDIT™ meets the requirements of corporate
customers looking to migrate their legacy
networks to secure and cost-effective
connections via public IP services," said
Hnidi. "This product also works
for carriers who want to offer managed
services for branch offices because of
the complete remote management and easy
installation features."
SECURITY IS THE ESSENCE OF A VPN
There are two fundamental forms of security
on wide area networks (WANs):
- Isolation: prevent customers from seeing each
other
- Encryption: prevent customers from
reading each other's traffic, even
if seen.
The BANDIT™ supports both forms of security.
To isolate a user's traffic as it travels
the core network, the information is
confined to a circuit that limits the
connection to its assigned end points.
Only the service provider can set up
a circuit. No other customer of the network
is able to share that circuit, thus providing
a secure, private connection. Originally,
circuits were "real." That is,
they consisted of dedicated network capacity,
such as a leased line or a TDM circuit.
On packet networks (such as Frame Relay,
ATM, or MPLS), virtual circuits (VCs)
behave the same as far as isolating users
from each other. The BANDIT™ supports
a VPN built on Frame Relay VCs, with
IP and other protocols encapsulated in
Frame Relay.
The BANDIT™ also supports encrypted
tunnels. On the Internet (and on most
service providers' IP networks), encrypted
tunnels form the basis of VPNs. But
encryption requires processing power, so
much so, in fact, that it can slow the
throughput of a router that both encrypts
in software and routes packets on the
same microprocessor. The BANDIT™ contains
a separate, dedicated security processor
that relieves the routing processor of
that extra burden. Dual processors ensure
secure, multi-protocol networking without
compromising overall performance.
"The BANDIT's hardware-based encryptor
ensures full throughput, whether the
connection is over a Digital Subscriber
Line (DSL) service, cable modem, or other
broadband access facility," pointed
out Hnidi. "We designed the product
so that turning on one essential feature,
encryption, wouldn't slow any other essential
feature, such as routing. Throughput
stays high with either DES or the more
secure triple DES (3DES) encryption method."
The BANDIT™ uses IPsec standards, letting
it interoperate with other standards-based
IPsec equipment and off-the-shelf IPsec
software clients. The BANDIT™ can provide
security for hosts on a corporate LAN,
while allowing mobile or home-based personnel
to reach the enterprise intranet over
a tunnel from any ISP. The result is
a secure network, but one that allows
authorized users to gain full access
to resources they need.
With the BANDIT's main processor freed
from encryption responsibilities, it
can easily take on three additional functions
that add to the security of transmitted
traffic and of the hosts on the LAN side:
- Packet filtering by IP address, to block specific
hosts or ranges of IP addresses from
sending packets through the BANDIT™
- Firewall, with stateful inspection of
TCP, UDP, and ICMP sessions to detect
attempts to capture an open port
- User-defined responses to denial of
service (DoS) attacks (for example, the
SYN attack)
The BANDIT™ supports up to 30 tunnels
at one time, enough to allow one or more
units to act as the central site VPN
tunnel termination for small to medium
networks. At remote or branch sites,
the ability to set up many tunnels can
improve the usage efficiency of local
loops by reducing the need to relay traffic "in
and out" at intermediate sites.
There are no additional software license
fees to use all tunnels or triple DES
encryption.
MANAGEMENT DESIGNED FOR MANAGERS
"With comprehensive, built-in diagnostics
and troubleshooting capabilities, in-band
and out-of-band access to maintenance
functions, and plug-and-play features,
carriers and enterprise users can significantly
reduce the cost of deploying VPN services
and managing their networks," Hnidi
said.
There is no need to learn complex configuration
commands: the craft interface is menu
driven, and it's the same whether the
operator attaches locally to the dedicated
serial port, reaches the BANDIT™ via
Telnet, or dials into the modem port.
This design aims to meet the needs of
large enterprises and of service providers
who want to offer remotely controlled
equipment as part of a managed service.
Extensions to MIB-II for Simple Network
Management Protocol (SNMP) give network
managers complete, centralized control
of each device. Because there are no
functions that require a command line
interface (CLI), the BANDIT™ has no CLI.
The operator selects the desired value
from a menu display or enters variables
such as IP addresses and encryption certificates.
DIAL BACKUP, TOO
The calculated Mean Time Between Failures
(MTBF) for BANDIT™ is greater than
10 years. To live up to that high availability,
it needs to compensate for the lower
reliability of access lines. For this
purpose, every BANDIT™ contains an
integral V.90 modem for a dial backup
circuit. Upon loss of the main WAN
link, either Ethernet or serial, this
modem automatically sets up a replacement
connection, typically dialing into
a Remote Access Server (RAS) maintained
by an ISP. If the RAS supports compression,
the BANDIT™ negotiates to turn it on,
to optimize throughput. To avoid unnecessarily
large phone bills, the BANDIT™ hangs
up the backup connection when the main
link is restored (or will wait for
a command, if so configured).
Because of the symmetrical design of
the BANDIT's hardware, all ports appear
as equals to the internal routing function.
That is, any physical port may be input
or output. As a result, the modem and
serial ports serve in several capacities,
depending on the application.
- Serial port: provides either network
uplink or access to legacy terminals
and protocols; carries any serial protocol
- Modem port: acts as main network
uplink (dial on demand or dial on traffic),
dial backup upon loss of main uplink,
1-port RAS for remote user, or dial-in
management (craft interface)
With the multi-link PPP capability invoked,
two of these ports act as a single link.
The serial port and the Ethernet, for
example, will load-share as a virtual
uplink to the network. If one physical
link fails, all traffic moves to the
remaining active link, without interrupting
transmission.
MODELS AND AVAILABILITY
Two versions of the BANDIT™ will join
the Encore Networks product line in
October 2002. Both include the full
suite of IP and legacy protocols, all
security features, and an integral
modem. The basic model, without the
optional serial port, is list priced
at $1,495. The expanded BANDIT™, with
the serial port, is $1,645. Reseller
inquiries are invited; contact sales@encorenetworks.com.