
Cisco PIX 500 Series Security Appliances

Cisco PIX Firewall VPN Accelerator Card

 

Data Sheet


Cisco Secure PIX Firewall VPN Accelerator Card


Overview

The VPN Accelerator Card (VAC) for the Cisco Secure PIX Firewall series provides high-performance tunneling and encryption services suitable for site-to-site and remote access applications. This hardware-based VPN accelerator is optimized to handle the repetitive but voluminous mathematical functions required for IPsec. Offloading encryption functions to the card not only improves IPsec encryption processing, but also maintains high-end firewall performance. As an integral component of the Cisco virtual private network (VPN) solution, the VPN Accelerator Card provides platform scalability and security while working seamlessly with services necessary for successful VPN deployments—encryption, tunneling, and firewall.


High Performance

The VPN Accelerator Card, which fits in a PCI slot inside the PIX chassis, encrypts data using the 56-bit Data Encryption Standard (DES) or 168-bit 3DES algorithms at speeds up to 100 Mbps. A PIX equipped with a VAC supports as many as 2,000 encrypted tunnels for concurrent sessions with mobile users or other sites. In addition to encryption, the card handles a variety of other IPsec-related tasks—hashing, key exchange, and storage of security associations—which free the PIX main processor and memory to perform other perimeter security functions.

  • Encryption—DES and 3DES encryption are very CPU intensive, potentially impacting firewall performance in high-throughput configurations. The VAC makes it possible to send DES or 3DES encrypted data at high speed while still providing the full range of perimeter security services available from the Cisco Secure PIX Firewall.
  • Authentication—RSA and Diffie-Hellman are CPU-intensive protocols that are used when a new IPsec tunnel is established. RSA authenticates the remote device while Diffie-Hellman exchanges keys that will be used for DES or 3DES encryption. The VPN Accelerator Card implements these protocols in specialized hardware, ensuring fast tunnel setup and high overall encryption throughput.
  • Tunneling—The PIX and VAC support the IPsec tunneling protocol, enabling high-performance, flexible network designs for both remote access and site-to-site VPNs. Site-to-site solutions can be designed with PIX or combinations of PIX with Cisco VPN appliances or VPN-enabled multi-service routers. Remote access solutions can utilize Cisco's VPN client or other third-party clients supporting the IPsec tunneling protocol.

Increased Security

The PIX VAC provides an extra level of security by segregating sensitive VPN information from standard system processing. Encryption, authentication, and key generation mechanisms are handled by onboard memory and processors. In addition, a hardware random number generator provides high-quality input to crypto functions, resulting in strong security while ensuring high throughput during process-intensive re-keying operations.

Easy Implementation

PIX Firewall automatically detects the presence of the VPN Accelerator Card and transfers encryption activities to the VAC without configuration changes. Throughput is enhanced through the use of specialized hardware to perform the complex mathematical transformations necessary to generate keys, authenticate devices, authenticate packets, and encrypt and decrypt data. The VPN Accelerator Card is fully compatible with network-layer IPsec and the Layer 3 encryption software services of the Cisco Secure PIX Firewall Software.

Performance Summary

168-bit 3DES IPsec VPN throughput: 100 Mbps

Simultaneous VPN tunnels: 2,000

System Requirements

Operating System: PIX OS v5.3(1) or later (with DES or 3DES license)

Platforms: PIX 515/515E, 520, 525, 535 (limit one per chassis)

Standards Support

Protocols: IPsec, IKE, PKCS #11

Symmetric Algorithms: 56-bit DES, 168-bit 3DES

Hashing Algorithms: MD5, SHA-1

Asymmetric Algorithms: RSA, Diffie-Hellman, DSA

Technical Specifications

Processor: IRE 2141

Random Access Memory: 2 MB of SDRAM

PCI Interface: 32-bit, 33-MHz PCI v2.1 (short form)

Environmental

Operating

Temperature: 32° to 122° F (0° to 50° C)

Relative Humidity: 10% to 90% noncondensing

Nonoperating

Temperature: 32° to 158° F (0° to 70° C)

Power

Input

Range Line Voltage: 5V +/-10%, 3.3V +/-10%

Nominal Line Voltage: 5V +/-10%, 3.3V +/-10%

Power: 1.5W

Dimensions and Weight

Height: 4.2 inches (10.7 cm)

Depth: 6.875 inches (17.5 cm)

Weight: ~0.5 pounds (0.2 kg)

Certifications

Safety: UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS3260, TS001, IEC60825, EN 60825, 21CFR104

EMI: CFR 47 Part 15 Class A (FCC), ICES 003 Class A with UTP, EN55022 Class A with UTP, CISPR 22 Class A with UTP, AS/NZ 3548 Class A with UTP, VCCI Class A with UTP, EN55024, EN50082-1 (1997), CE marking, EN55022 Class B with FTP, CISPR 22 Class B with FTP, AS/NZ 3548 Class B with FTP, VCCI Class B with FTP

Ordering Information

PIX-VPN-ACCEL: IPsec Hardware VPN Accelerator Card (VAC)

PIX-VPN-3DES: 168-bit 3DES IPsec VPN software license

PIX-VPN-DES: 56-bit DES IPsec VPN software license

Additional Information

For more information about PIX Firewall, go to http://www.cisco.com/go/pix

Export Considerations

The PIX VPN Accelerator Card and associated software may be export controlled. Refer to the export compliance Web site at http://www.cisco.com/wwl/export/crypto/ for guidance. For specific export questions, contact export@cisco.com.