Cisco PIX 500 Series Security Appliances

Cisco PIX VPN Accelerator Card+

DATA SHEET

The Cisco® PIX® VPN Accelerator Card+ (VAC+) delivers high-performance, hardware-accelerated IP Security (IPSec) VPN, support for state-of-the-art international cryptographic standards, and highly scalable VPN tunnel aggregation in a solution that comes integrated with, or as an upgrade for, most models of the market-leading Cisco PIX Security Appliance Series. Ranging from solutions for small to midsize businesses (SMBs) to large enterprises and service providers, the Cisco PIX Security Appliance Series offers extensible platforms that provide robust, enterprise-class integrated network security services and solid investment protection. The Cisco PIX VAC+ takes full advantage of this extensibility and maximizes platform investment protection by offloading computationally intensive VPN cryptographic functions. This enables Cisco PIX Security Appliances to deliver higher-performance stateful inspection firewall services, advanced application and protocol inspection, inline intrusion protection, and robust multimedia and voice security services (Figure 1).

Figure 1  Cisco PIX VPN Accelerator Card+

Market-Leading VPN Performance Reduces Business Operational Costs

By combining the rich VPN services provided by Cisco PIX Security Appliances with the high-performance VPN capabilities of the Cisco PIX VAC+, businesses can securely extend their networks across low-cost Internet connections to mobile users, business partners, and remote sites worldwide, while significantly cutting the operational costs associated with leased lines and alternative remote-access solutions. Delivering up to 495 Mbps of encrypted VPN throughput—performance well beyond full-duplex OC-3 line rates—the Cisco PIX VAC+ provides excellent price/performance and the scalability needed for large-scale aggregation of many site-to-site and remote-access VPN services in a single solution.

The Cisco PIX VAC+ belongs to the family of high-performance, 64-bit/66-MHz PCI-enabled cards for the Cisco PIX Security Appliance Series; the family includes the Cisco PIX 4-Port Fast Ethernet Interface Card and the Cisco PIX Gigabit Ethernet Interface Card. The Cisco PIX VAC+ allows enterprises to take full advantage of the high-performance architecture of Cisco PIX 535 Security Appliances, and delivers highly scalable security services for the most demanding enterprise environments. The potent combination of market-leading VPN features and a high level of platform extensibility makes Cisco PIX Security Appliances some of the most scalable, upgradeable, and cost-effective central-site VPN and security solutions on the market. This high level of extensibility provides significant investment protection, where individual components of the overall solution can be upgraded as requirements grow, avoiding costly "forklift" upgrades of the entire chassis to enable new features or higher performance levels.

State-of-the-Art Cryptography Provides Enhanced Network Security

The Cisco PIX VAC+ provides high-performance hardware acceleration for a broad range of cryptographic standards, including 56-bit Data Encryption Standard (DES), 168-bit Triple DES (3DES), and all three key sizes (128-, 192-, and 256-bit) of Advanced Encryption Standard (AES), the state-of-the-art international cryptographic standard. In October 2000, the U.S. National Institute of Standards and Technology (NIST) and cryptographers from around the world selected AES as the new cryptographic standard for protecting digital information. AES, which is rapidly being adopted worldwide, provides a better combination of performance and enhanced network security than DES or 3DES by being computationally more efficient than these earlier standards. Furthermore, by supporting large key sizes of 128, 192, and 256 bits, AES offers higher security against brute-force attacks. Combining the numerous benefits of AES with support for other leading cryptographic standards, the Cisco PIX VAC+ provides businesses with an ideal VPN acceleration solution that bridges the gap between older and next-generation security standards.

Large-Scale VPN Tunnel Aggregation Enables Highly Scalable, Easy-to-Manage VPN Deployments

The Cisco PIX VAC+, in conjunction with the innovative Cisco Easy VPN technology found within Cisco PIX Security Appliances, delivers a uniquely scalable, cost-effective, and easy-to-manage remote-access VPN solution. Built upon the foundation of dynamic policy distribution and effortless provisioning, Cisco Easy VPN eliminates the operational costs associated with maintaining remote device configurations typically required by traditional VPN solutions. It enables businesses to enjoy the numerous benefits that VPNs provide, including increased employee productivity by taking advantage of high-speed broadband connectivity, and significantly reduced operational costs by eliminating expenses associated with legacy dialup architectures—without the problems commonly found with other remote-access VPN solutions. By supporting up to 2000 encrypted tunnels for mixed VPN environments, the Cisco PIX VAC+ enables businesses to securely and cost-effectively extend their networks to teleworkers, remote offices, and business partners for anytime, anywhere access to vital corporate resources.

Performance Summary

Table 1 shows maximum Cisco PIX VAC+ performance, as measured on a Cisco PIX 535 Security Appliance with Secure Hash Algorithm 1 (SHA-1) and various symmetric encryption algorithms. Note: performance varies based on several factors, including traffic mix, encryption algorithm, and Cisco PIX Security Appliance model.

Table 1  Cisco PIX VAC+ Performance

| Cryptographic Algorithm (Key Size) | Performance with 300-Byte Packets (Typical Internet Traffic) | Performance with 1400-Byte Packets (Large Packets) |
|---|---|---|
| 3DES (168-bit) | 265 Mbps | 425 Mbps |
| AES (128-bit) | 315 Mbps | 495 Mbps |
| AES (256-bit) | 290 Mbps | 425 Mbps |

Businesses using Cisco PIX Security Appliances with the Cisco PIX VAC, the previous generation of the Cisco PIX VAC+, can double or quadruple the VPN performance of their systems through simple upgrades to the Cisco PIX VAC+. Tables 2 and 3 show the relative gain in performance when transitioning from the Cisco PIX VAC to the Cisco PIX VAC+.

Table 2  300-Byte Packet Performance Comparison Between the Cisco PIX VAC and the Cisco PIX VAC+, as measured on Cisco PIX 515E, 525 and 535 Security Appliances.

 
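| Platform | Cryptographic Algorithm (Key Size) | Cisco PIX VAC | Cisco PIX VAC+ | VAC+ Performance Improvement |
|---|---|---|---|---|
| Cisco PIX 515E | 3DES (168-bit) | 46 Mbps | 95 Mbps | 2X VAC throughput |
| Cisco PIX 515E | AES (128-bit) | Not supported | 95 Mbps | N/A |
| Cisco PIX 515E | AES (256-bit) | Not supported | 95 Mbps | N/A |
| Cisco PIX 525 | 3DES (168-bit) | 53 Mbps | 125 Mbps | 2X VAC throughput |
| Cisco PIX 525 | AES (128-bit) | Not supported | 110 Mbps | N/A |
| Cisco PIX 525 | AES (256-bit) | Not supported | 110 Mbps | N/A |
| Cisco PIX 535 | 3DES (168-bit) | 61 Mbps | 265 Mbps | 4X VAC throughput |
| Cisco PIX 535 | AES (128-bit) | Not supported | 315 Mbps | N/A |
| Cisco PIX 535 | AES (256-bit) | Not supported | 290 Mbps | N/A |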


Table 3  1400-Byte Packet Performance Comparison Between the Cisco PIX VAC and the Cisco PIX VAC+, as measured on Cisco PIX 515E, 525 and 535 Security Appliances.

 
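| Platform | Cryptographic Algorithm (Key Size) | Cisco PIX VAC | Cisco PIX VAC+ | VAC+ Performance Improvement |
|---|---|---|---|---|
| Cisco PIX 515E | 3DES (168-bit) | 62 Mbps | 135 Mbps | 2X VAC throughput |
| Cisco PIX 515E | AES (128-bit) | Not supported | 130 Mbps | N/A |
| Cisco PIX 515E | AES (256-bit) | Not supported | 130 Mbps | N/A |
| Cisco PIX 525 | 3DES (168-bit) | 72 Mbps | 145 Mbps | 2X VAC throughput |
| Cisco PIX 525 | AES (128-bit) | Not supported | 135 Mbps | N/A |
| Cisco PIX 525 | AES (256-bit) | Not supported | 135 Mbps | N/A |
| Cisco PIX 535 | 3DES (168-bit) | 100 Mbps | 425 Mbps | 4X VAC throughput |
| Cisco PIX 535 | AES (128-bit) | Not supported | 495 Mbps | N/A |
| Cisco PIX 535 | AES (256-bit) | Not supported | 425 Mbps | N/A |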


Technical Specifications

System Requirements

Operating system: Cisco PIX Security Appliance Software Version 6.3(1) or later (with DES or 3DES/AES encryption license)

Platforms: Cisco PIX 515/515E, 520, 525, and 535 Security Appliances

Standards Support

Protocols: IPSec, Internet Key Exchange (IKE)

Symmetric encryption algorithms: 56-bit DES; 168-bit 3DES; 128, 192, and 256-bit AES

Asymmetric encryption algorithms: RSA, Diffie-Hellman, DSA

Hashing algorithms: MD-5, SHA-1

Bus Interface

PCI interface: 64-bit, 66-MHz PCI Version 2.1 (short form), compatible with 32-bit, 33-MHz PCI bus

Environmental Operating Ranges

Operating

Temperature: 32 to 122ºF (0 to 50ºC)

Relative humidity: 10 to 90 percent, noncondensing

Nonoperating

Temperature: 32 to 158ºF (0 to 70ºC)

Power

Power Consumption: 5W

Dimensions and Weight

Height: 5 in. (10.7 cm)

Depth: 6.5 in. (17.5 cm)

Weight: .5 lb. (.2 kg)

Regulatory and Standards Compliance

Safety

UL 1950, CSA C22.2 No. 950, EN 60950, IEC 60950, AS/NZS3260, TS001, IEC60825, EN 60825, 21CFR1040

Electromagnetic Compatibility (EMC)

CFR 47 Part 15 Class A (FCC), ICES 003 Class A with UTP, EN55022 Class A with UTP, CISPR 22 Class A with UTP, AS/NZ 3548 Class A with UTP, VCCI Class A with UTP, EN55024, EN50082-1 (1997), CE marking, EN55022 Class B with FTP, CISPR 22 Class B with FTP, AS/NZ 3548 Class B with FTP, VCCI Class B with FTP

Ordering Information

Table 4 lists part numbers for the Cisco PIX VAC+ and associated encryption licenses.

Table 4  Cisco Part Numbers for Cisco PIX VAC+ and Associated Encryption Licenses

| Part Number | Description |
|---|---|
| PIX-VAC-PLUS | Cisco VPN Acceleration Card+ for Cisco PIX Security Appliances |
| PIX-VPN-DES | Cisco PIX DES VPN/SSH/SSL Encryption License |
| PIX-VPN-515-3DES | Cisco PIX 515E 3DES/AES VPN/SSH/SSL Encryption License |
| PIX-VPN-3DES | Cisco PIX 525/535 3DES/AES VPN/SSH/SSL Encryption License |

Additional Information

For more information, please visit the following links.

Cisco PIX Security Appliance Series:

http://www.cisco.com/go/pix

Cisco PIX Device Manager:

http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pixd3_ds.pdf

Current list of Cisco product security certifications:

http://www.cisco.com/go/securitycert

CiscoWorks VPN Security Management Solution (VMS), Management Center for Firewalls, Auto Update Server Software, and Security Monitor:

http://www.cisco.com/go/vms

SAFE Blueprint from Cisco:

http://www.cisco.com/go/safe

Export Considerations

The Cisco PIX VAC+ and associated license keys may be export controlled.

For more information, visit:

http://www.cisco.com/wwl/export/crypto/

For specific export questions, contact export@cisco.com.