380 likes | 615 Vues
Discussion Topics. Cisco deficiencies? Why Nortel's Contivity is the market leaderCisco FUD? how to counter Cisco FUD with realityWhy Contivity products are ideal forThe EnterpriseThe Service ProviderWhere we stand?relative strengths and opportunities for ContivityAppendix. Legend. When referr
E N D
1. ContivityCompetitive Playbook The Cisco Menace
2. Discussion Topics Cisco deficiencies Why Nortels Contivity is the market leader
Cisco FUD how to counter Cisco FUD with reality
Why Contivity products are ideal for
The Enterprise
The Service Provider
Where we standrelative strengths and opportunities for Contivity
Appendix
3. Legend When referring to the terms Altiga, Compatible and VPN Routers, we typically mean:
Cisco Altiga = VPN 30XX
Cisco Compatible = VPN 50XX
Cisco VPN Routers = VPN 7120 & 7140
4. Cisco DeficienciesA Summary Why Nortels Contivity is the market leader
5. Deficiencies in Ciscos VPN solutions Lack of clear product positioning and purpose
Multiple model numbers
Confusing approach to customer needs
Absurd claim that 17 disparate products are VPN-optimized!!!
Cisco secure VPN IRE and Altiga clients do not support Windows 2000
Compatible does
Once again: disjointed strategy!
No low-end hardware available until early 2001 (to be called the 3002 another model to keep track of!)
6. Deficiencies in Ciscos VPN solutions No ICSA certification for Altiga
No proven pair-wise interoperability
Being last to the party means a lot of work
Can they even prove IOS to Altiga interoperability???
No FIPS certification
Limits government business
Related to Altigas dubious security environment???
Certificate story is a mess!
Implementation nightmare, Internet Explorer version xx only??? (is that a strategy?)
No auto-enrollment strategy!
No management features!
7. Deficiencies in Ciscos VPN solutions If Cisco plans on introducing a compression feature, then its existing $12,000 encryption card will not support compression!
Cisco would have the customer believe that developing a software based compression feature is a time-intensive effort; and hence is not being developed
Weak processor how is Altiga ever going to incorporate additional required features
DiffServ
Bandwidth Management
Multicast
8. Deficiencies in Ciscos VPN solutions Altiga is deficient in accounting capabilities
No internal accounting support
Requires purchase of separate servers and software to support RADIUS accounting
Lack of integrated firewall
Ciscos stand-alone firewall necessitates another piece of hardware!
Buy their router (VPN optimized), then buy their firewall, then
9. Deficiencies in Ciscos VPN solutions Insufficient database support for AAA in Altiga
Depends primarily upon external databases
Internal database limited to just 100 profiles
Imagine how limiting this is for 10,000 users!!
Lack common popular format such as LDAP
10. Cisco FUD How to counter Cisco FUD with reality
11. Client strategy Cisco says We have a complete and comprehensive client strategy
Reality: Cisco requires three different product platforms to provide the same client support that Contivity provides through just one platform! Theyll tell you that theyll merge without details! Easier said than done
12. UDP wrapper strategy Cisco says, We have implemented a UDP wrapper while Contivity hasnt
Reality: Contivity is correct!
Older versions of NAT are not IPsec aware
However, most new products support IPsec aware new NAT
The problem is much less severe than Cisco contends
Could be an issue for some hotel LANs or corporate LAN environments
Nortel working with Microsoft and others for INDUSTRY solution, not proprietary competitive cudgel
13. Firewall strategy Cisco says, Weve got a firewall
Reality:
Ciscos PIX firewall
Requires yet another box!
PIX has a weak VPN story
Contivity
Common stateful inspection across both NN Shasta and Contivity per NN IP VPN strategy
Consistent management
Java applet
Preside (H1, 2000)
14. Scalability strategy Cisco says Contivitys Intel based architecture doesnt allow scaling of Contivity from one model to the next
Reality: This is a non-issue and a half-truth!
Contivity price/performance ratio continues going down e.g., the current 2600s evolution
Contivity 2000 180 MHz Pentium; 200 tunnels
Contivity 2500 333 MHz Pentium; 400 tunnels
Contivity 2600 733 MHz Pentium; 1000 tunnels
Provides easier and tighter integration of 3rd party code for value-added features
Intel architecture is well established & open!
15. Scalability strategy Reality: This is a non-issue and a half-truth!
Only Altiga allows limited scaling
3030 -> 3060, 3060 -> 3080, 3030 -> 3080
Does not apply to 3015 -> 30xx
Does not apply to other Cisco VPN products
Benefits of scaling are dubious
Performance degrades dramatically
When going from 3060 -> 3080:
# of Altiga SEPs (encryption cards) remains the same
Hardware processing power remains the same
16. Enterprise positioning Cisco says We have the true enterprise security solution the customer already has our routers, so the customer doesnt need a whole new VPN device
Reality: VPN devices are optimized to provide security
Theyre not (primarily) routers
Theyre not (primarily) firewalls
They are primarily VPN security devices
Small enterprises/ businesses can use Contivitys routing capability instead of buying a whole router
The integrated firewall provides stateful inspection and minimizes interoperability issues
17. Enterprise positioning Bottom line:
Ciscos IOS (in general) is not enough for VPNs
Thats why it acquired Altiga
Altiga was a start-up being financed at the 3rd round in danger of folding because
there wasnt much in Altigas VPN story
Altiga is still Altiga!
No installed base
No large carrier
No large enterprise/ Fortune 500
Lacks basic VPN functionality
18. Why Contivity products are ideal
19. Contivity as the ideal VPN solution for the Enterprise Offers scalable solutions various models based upon customer needs
# of tunnels
Memory (base and expansion)
WAN connectivity
Enables e-business with ease
Set up tunnels
Branch-to-Branch
Small branch-to-head end
Vendor-to-head end
Redundancy and fail-over capability
20. Contivity as the ideal VPN solution for the Enterprise Permits tremendous savings in remote access
Performance keeps improving (lower cost per tunnel)
Superior, secure remote-access with convenient client interface: easy-to-use, easy to administer, flexible client options (Windows including Win2K, Linux, Mac, OS/2)
Partnership with vendors to offer additional features, e.g., Network ICE offers intrusion protection
Models exist without remote access
The Contivity contains multiple functions which are useful to enterprises of various sizes
Router/ internet access
Integrated firewall
VPN security
21. Contivity as the ideal VPN solution for the Service Provider Provides flexible, easy to manage solution
Management interface
Joint development (management & provisioning) with carrier community
Easy-to-use, web GUI based
Remote management control tunnels
Powerful management systems (Optivity and Preside) to manage cross-platform and/or cross-divisional, cross-enterprise VPNs
Easily provisioned VPN
Bulk loading
CLI available
Industry leading remote-access solution
Robust client (works with all kinds of laptops, desktops, clones, etc.)
50 million installed base
High availability/ low down-time
Use different models based upon different end-user needs
22. Where we stand Relative strengths & opportunities for Contivity
23. Client capabilities Over-abundance of clients for its VPN solution
VPN 1.1 IOS/PIX Client (IRE)
VPN 3000 Client (Altiga)
VPN 5000 Client (Compatible)
Artificial options Cisco still wants the customer to use IOS Compare Ciscos over-abundance with Contivitys tight focus on its industry leading Extranet Client supported on multiple operating system platforms
Supports IRE as well
24. Comprehensive product offering Nortels Contivity provides a tightly integrated set of products
4 models
Provide coverage of entire spectrum of applications
Remote Access
Branch-to-Branch
Small branch-to-head end
Integrated firewall capability
Contivity view: VPNs are LANs extending outward (not WANs extending inward Cisco)
25. Comprehensive product offering Ciscos offering is comprehensive alright!
17!!! Products claiming to provide VPN functionality
Optimized VPN functionality if it smells like a router, walks like a router, then it must be a router!
Cisco will continue to push IOS
26. File storage No hard drive no features! Uses a hard disk drive
Provides more memory/ larger storage space
Allows easy portability of files
Minimizes problems with copying configurations from one device to another
Scalable: hot swap-able
Backup for multiple configs to images
Minimum 60 day logging
27. Carrier positioning True carrier positioning unclear
Could be 7100
Could be Compatible
Likely scenario to include klugey solution at Enterprise end:
Where does PIX fit?
Where does 7100 fit?
Where does Altiga fit?
No centralized management system Carrier class product
Scales easily for multiple sites
Centrally managed environment
Ease-of-use makes it ideal for enterprises scales easily for # of users
Secure management via control tunnels
28. Remote access strategy Internal database limited to only 100 profiles
Depends primarily upon external databases for Authentication, Authorization and Accounting (AAA)
Lack of common format such as LDAP limits ability to import/export user and group profiles from/to external databases Supports two common formats internally
LDAP for user and group profiles scalable, i.e., one group/policy if required
RADIUS for accounting (internal or external)
Standards based directory structure allows Contivity to support tens of thousands of LDAP user and group profiles
Product line scalable to tens of thousands of users
29. 3rd party certification Not ICSA certified
No certification of cryptographic integrity
No certification of interoperability
Not FIPS certified ICSA certified for over the last year
Passed pair-wise interoperability testing
FIPS 140-1 Level 2 certified
30. Performance issues Offers no compression
Tunnel protocols cause packet inflation
Compression is a must especially for modem connect remote access users
Minimize packet fragmentation
Hardware acceleration a must for even normal operation!
What about AES?
Locking into SEP hardware doesnt help in adopting newer encryption standards! Offers superior hardware & software encryption & compression through HiFN 7751
Compression enables tremendous relief on network resources with large # of sessions enhances remote access throughput capability
Contivity provides carrier-class performance even without hardware accelerator
PCI accelerator design allows faster time to market for new crypto silicon
7751 -> 7811 -> 7851
31. Security features backdoors? Backdoors galore!if the password is lost or to gain unauthorized access
Reboot the 1720 router
Press ESC
Run the ROM program
Enter a new password
Re-write the security configuration
OR
Simply remove the battery! passwords get reset to factory settings Unauthorized users cant use backdoors
If a password is forgotten, the Contivity must be sent back to the factory
No back door
The Contivity is a SECURITY device
32. Security features - PKI Altiga support limited to IE browser based APIs for certificate management
Merely import digital certificates to web-browser
Only IE 4.0 and 5.0 supported
No Netscape support
No Features Integration of PKI function using vendor DLL
Entrust
Verisign
Auto-enrollment
Auto-renewal
CRL processing
33. Security features split tunneling Unsecured split tunneling
No client side policies
Susceptible to attacks Provides client side policy software
Secured split tunneling possible
Integrated personal firewall, intrusion protection system, etc. provide additional PC security
34. Security features firewall Standalone PIX firewall not integrated with VPN capability Integrated software firewall ensures tight functioning with VPN switch
Packet filtering
Stateful inspection
35. VPN management capability Java based GUI only
Pseudo CLI
Menu driven telnet session
No real command-line functionality
No provision for service-provider bulk configuration
(Lack of) Management options
Cisco IOS/CLI
Altiga Java/web
Compatible - ??? Elegant GUI built into the Contivity server
Entire enterprise control from any workstation
Configure
Manage
Monitor
Management options:
Preside
Bulk config
CLI
Optivity
Carrier and Enterprise options
36. Internal accounting Altiga does not support internal accounting
Separate servers and software must be purchased to support RADIUS accounting Contivity supports internal (along with external) RADIUS accounting
37. Appendix
38. Summary - Comparison of features