HUAWEI USG6000 Next-Generation Firewall V100R001. Product Description. Issue 01. Date 2014-10-20. HUAWEI TECHNOLOGIES CO., LTD.


Copyright 2014. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen, People's Republic of China
Website:

About This Document

Product Version

The following table lists the product versions of this document.

Product Name: The USG6000 series has the following models:
- USG6300: USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390
- USG6500: USG6530, USG6550, USG6570
- USG6600: USG6620, USG6630, USG6650, USG6660, USG6670, USG6680
Product Version: V100R001C20SPC200

Intended Audience

This document describes the product positioning and highlights, typical networking and application scenarios, software and hardware architecture, functions and features, standards, and technical specifications of the USG6000. This document helps you quickly familiarize yourself with the product.

This document is intended for administrators who configure and manage the NGFW. The administrators must have good Ethernet knowledge and network management experience.

Symbol Conventions

The symbols that may be found in this document are defined as follows:
- Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
- Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
- NOTICE: Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.
- NOTE: Calls attention to important information, best practices, and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Update History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

Updates in Issue 01 (2014-10-20) of Product Version V100R001C20SPC200: Initial commercial release.

Contents

About This Document
1 Product Positioning and Features
  1.1 New Threats on Networks
  1.2 USG6000 Highlights
  1.3 USG6000 Features
2 Application Scenarios
  2.1 Border Protection for Medium- and Large-sized Enterprises
  2.2 Intranet Control and Security Isolation
  2.3 Data Center Border Protection
  2.4 VPN Remote Access and Mobile Working
  2.5 Cloud Computing
  2.6 Agile Network
3 Product Architecture
  3.1 Hardware Architecture
    USG6310
    USG6320
    USG6330/6350/6360
    USG6370/6380/
    USG
    USG6550/
    USG6620/
    USG6650/
    USG
    USG
  3.2 Software Architecture
Product Functions
  USG6000 Functions
  Advanced Content Security Defense
  Unified Detection Mechanism
  SSL Decryption
  Antivirus
  Intrusion Prevention System (IPS)
  Data Leakage Prevention
  Web Security Defense
  Application Behavior Control
  Anti-Spam
  Flexible User Management
  Complete Security Functions Inherited from Traditional Firewalls
  Granular Traffic Management
  Support for Various Routing and Switching Protocols
  Intelligent Route Selection Policy
  Support for IPv
  Diversified VPN Access Modes
  High Availability Mechanism
  Easy-to-Use Virtual System
  Visualized Device Management and Maintenance
  Diversified Logs and Reports
  Device Security Protection
Technical Specifications
  Hardware Specifications
    USG
    USG
    USG6330/6350/
    USG6370/6380/
    USG
    USG6550/
    USG6620/
    USG6650/
    USG
    USG
  Standards and Protocols

1 Product Positioning and Features

About This Chapter

This chapter describes the positioning and features of the NGFW.

1.1 New Threats on Networks: This section describes new threats and security risks on new network environments.
1.2 USG6000 Highlights: This section describes how the USG6000 deals with new network threats.
1.3 USG6000 Features: This section describes the functions and designs of the USG6000.

1.1 New Threats on Networks

This section describes new threats and security risks on new network environments. Diversified new applications bring about a convenient cyber life as well as more security risks.

The identity of a user at an IP address is unclear. On new networks, attackers easily manipulate zombie hosts to use legitimate IP addresses. Attackers can then launch network attacks or forge source IP addresses for spoofing and obtaining permissions. The source IP address of a packet does not represent the user identity. In addition, teleworking and mobile working have emerged. The IP address of a user may change at any time. Traffic control by IP address cannot accommodate new network requirements.

The port and protocol of an application are not fixed. Traditional network services run on fixed ports. For example, HTTP runs on port 80, and FTP runs on ports 20 and 21. On new networks, ephemeral ports that are not assigned by the Internet Assigned Numbers Authority (IANA) and random ports (for example, P2P ports) are frequently used by network applications. These applications are hard to control, exhaust bandwidth, and even cause network congestion. Meanwhile, an increasing number of unfixed services use well-known ports. With the development of web page technologies, more and more services with different risk levels run on ports 80 and 443 using HTTP and HTTPS, for example, WebMail, web gaming, video streaming, and web chats.

The packet content is uncertain. Single-packet detection analyzes only the security of individual packets. This mechanism cannot defend against viruses or Trojan horses during Internet access. Intranet hosts may accidentally introduce worms, Trojan horses, and viruses, which result in information leaks and losses. Therefore, network security management must identify and monitor traffic contents, in addition to traffic control based on the source and destination IP addresses.

1.2 USG6000 Highlights

This section describes how the USG6000 deals with new network threats.

The next-generation firewall addresses the new threats posed by new networks as follows:
- Uses signatures and features instead of ports and protocols to define applications and identify the actual attributes of packets and security risks.
- Integrates the Service Awareness (SA) function and employs dedicated hardware systems to inspect the actual applications and contents of packets.
- Integrates the Intrusion Prevention System (IPS) function to ensure high performance in threat identification and blocking.
- Provides comprehensive visualized management, audit, and report functions for a network administrator to learn the actual network status.

The USG6000 series of Huawei uses the next-generation firewall features to address new threats as follows:
- Security feature: The USG6000 inherits and improves traditional security functions to effectively identify applications and defend against application-layer threats and attacks.
- Performance: The Intelligent Awareness Engine (IAE) inspects packets once and extracts all information needed for subsequent policy matching processes for data security, increasing processing efficiency.
- Control dimension: The USG6000 controls services by user, application, content, and quintuple (source/destination IP address, source/destination port, and service).
- Detection granularity: The USG6000 provides flow-based detection and real-time monitoring. It also supports cache-free technologies to detect applications, intrusion behaviors, and virus-infected fragments and packets. This improves the security of network access.
- Cloud computing and data center: The USG6000 virtualizes route forwarding, configuration management, and security services to provide comprehensive defense capabilities for the cloud computing and data center.

The USG6000 can be deployed to bring about significant benefits:
- The USG6000 inherits the original employee management system of an enterprise to implement user-based traffic detection and control.

- An individual USG6000 is highly integrated and offers high performance to defend against network threats, which greatly reduces Total Cost of Ownership (TCO).
- The unified detection mechanism improves network security and does not significantly delay or affect the transmission of network traffic, ensuring good user experience.
- The USG6000 enables visualized management over applications and contents to improve management efficiency, help enterprises carry out services securely, and obtain more benefits.

1.3 USG6000 Features

This section describes the functions and designs of the USG6000.

New 10-Gigabit Multi-Core Hardware Platform

The USG6000 provides the following features:
- High performance using a new, 10-Gigabit, multi-core hardware platform
- High slot density and diversified interface cards to process massive services
- Key component redundancy, mature link switchover, and electrical built-in bypass cards to deliver a long Mean Time Between Failures (MTBF) and build a sustainable working environment for users

Professional Content Security Defense

The USG6000 provides the following to maintain professional content security defense:
- Unified detection mechanism to ensure highly efficient Service Awareness (SA). Based on the predefined signature database and the IAE, the USG6000 identifies more than 6000 common applications and multi-channel applications.
- SSL decryption. The NGFW can decrypt SSL traffic and perform content security checks on the decrypted traffic.
- Antivirus (AV). The USG6000 identifies more than 5,000,000 common viruses.
- Intrusion Prevention System (IPS). The USG6000 detects and defends against thousands of intrusion behaviors, worms, Trojan horses, and botnets.
- URL filtering. The USG6000 blocks connections to HTTP and HTTPS URLs as configured. URLs and URL categories can be deployed locally or on a remote real-time query server.
- Content filtering. The USG6000 filters the packets of common file transfer protocols and mail protocols based on keywords in files and mails.
- File blocking. The USG6000 filters the packets of common file transfer protocols and mail protocols based on file types.
- Application behavior control. The USG6000 supports connection control by application to disable unwanted applications. It controls common HTTP and FTP application behaviors, such as file upload and download through HTTP/FTP, HTTP POST, web page browsing, and HTTP proxy.
- Mail filtering. The USG6000 interworks with the Real-time Blacklist (RBL) server to block spam. It filters mails by receiver address, sender address, subject, body, attachment name, attachment content, or attachment size.
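The point made in 1.1 (ports no longer tell you the application) and the signature-based Service Awareness described above can be illustrated with a small classifier. The following Python block is an added example, not Huawei's code and not the IAE's signature database: it identifies a flow from the first bytes of its payload using a handful of simplified, constructed signatures, compares that with what the destination port alone would suggest, and reports the disagreements that a port-based policy would never see. The sample flows, the port table, and the signature rules are all assumptions made for this example.

```python
# Added example (not Huawei's code): identify an application from the first
# bytes of its payload rather than from the destination port, and flag flows
# where the two views disagree. Signatures are simplified, not the IAE's.
from dataclasses import dataclass

# The traditional, port-based view (constructed subset of IANA assignments;
# 443 is listed as "tls" because HTTPS is HTTP inside a TLS session).
PORT_TABLE = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def identify_by_signature(payload: bytes) -> str:
    """Return the application name suggested by the payload's leading bytes."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # 2-byte length, then handshake type 0x01 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith((b"EHLO ", b"HELO ", b"220 ")):
        return "smtp"
    # BitTorrent handshake: one length byte (19) followed by the protocol name.
    if payload[:20] == b"\x13BitTorrent protocol":
        return "bittorrent"
    return "unknown"


@dataclass
class Flow:
    dst_port: int
    payload: bytes          # first bytes of the client-to-server data


def classify(flow: Flow) -> dict:
    """Compare the port-based and signature-based identifications of a flow."""
    by_port = PORT_TABLE.get(flow.dst_port, "unknown")
    by_sig = identify_by_signature(flow.payload)
    # A mismatch is exactly what port-based control cannot see: plain HTTP or
    # SSH on 443 or 80, or a P2P handshake on a random high port.
    mismatch = by_sig != "unknown" and by_sig != by_port
    return {"by_port": by_port, "by_signature": by_sig, "mismatch": mismatch}


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),   # TLS ClientHello on 443
    Flow(443, b"GET /mail HTTP/1.1\r\nHost: example.test\r\n"),  # plain HTTP on 443
    Flow(6881, b"\x13BitTorrent protocol" + bytes(8)),           # P2P on a random port
    Flow(80, b"SSH-2.0-OpenSSH_7.4\r\n"),                        # SSH tunnelled over 80
    Flow(25, b"EHLO mail.example.test\r\n"),                     # SMTP where expected
]


def mismatched_flows(flows=SAMPLE_FLOWS) -> list:
    """Return (dst_port, by_signature) for every flow whose signature contradicts its port."""
    return [(f.dst_port, classify(f)["by_signature"]) for f in flows if classify(f)["mismatch"]]


if __name__ == "__main__":
    for port, app in mismatched_flows():
        print(f"port {port} carries {app}: port-based policy would misclassify it")
```

Running the block reports three of the five constructed flows as misclassified by port alone (HTTP on 443, BitTorrent on 6881, SSH on 80), which is the class of traffic the document's application-based control is meant to catch; a real engine uses far richer signatures and also inspects later packets of the flow, but the decision structure is the same.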

Integration of Security, Routing, and VPN Services

The USG6000 provides the following to integrate security, routing, and VPN services:
- Powerful content security capabilities. The USG6000 analyzes the contents transmitted by applications and detects intrusion behaviors, viruses, files, URLs, and confidential information. The administrator can formulate security policies for various services and perform global configurations based on flows, which greatly improves management efficiency.
- All-round traditional firewall security functions. The USG6000 inherits all network-layer security functions of traditional firewalls to easily cope with network-layer attacks or threats.
- Support for various routing and switching protocols. The USG6000 applies to various network environments and can replace existing routers or firewalls or be transparently connected to the existing network.
- Diversified VPN access modes. The USG6000 supports multiple VPN access modes such as IPSec, L2TP, GRE, SSL VPN, and DSVPN for secure connections between the headquarters, branches, partners, and mobile workers over the Internet to provide low-cost VLAN solutions.
- Highly integrated services that construct an E2E secure network environment for the enterprise

Refined Management by Application and User

The USG6000 provides the following to refine management by application and user:
- Managing users locally, maintaining the organizational structure, and implementing centralized management over VPN or PPPoE users
- Interworking with common user servers such as Active Directory (AD), Remote Authentication Dial-In User Service (RADIUS), Huawei Terminal Access Controller Access Control System (HWTACACS), Lightweight Directory Access Protocol (LDAP), SecurID, and TSM servers to import user information and implement proxy authentication
- Pushing web pages for user authentication or collaborating with the AD server to synchronize information about online users promptly
- Single Sign-On (SSO) that simplifies configurations and user logins without increasing security risks
- Applying security policies to authenticated users for managing traffic by user and application

Visualized Management and Diversified Logs and Reports

The USG6000 provides the following to implement visualized management:
- New web UI for the administrator to rapidly configure, manage, maintain, commission, and troubleshoot the device
- Multiple management modes such as Web UI, CLI (Console, Telnet, or SSH), and NMS (SNMP)
- Multiple log types such as the traffic log, threat log, URL log, content log, mail filtering log, operation log, system log, user activity log, and policy matching log for the administrator to learn about network events
- Multiple report formats such as the traffic report, threat report, application report, URL report, and user report for the administrator to gain visibility into the network traffic status and security defense effect

Carrier-Class Reliability

The USG6000 provides carrier-class reliability as follows: Huawei has used its considerable telecommunications experience to develop the USG6000. The USG6000 provides various carrier-class reliability technologies at the hardware, software, and link layers to ensure high availability. The USG6000 supports technologies such as dual-system hot backup, fault detection, power supply redundancy, and hardware bypass. Based on multiple reliability technologies, the traffic direction is changed in time upon a device fault to ensure normal transmission.

Flexible Scalability

The USG6000 provides flexible scalability with the following features:
- Multiple expansion interface card slots for enhancing hardware forwarding capabilities and device performance
- Key content security components such as the IAE, application signature database, antivirus signature database, threat signature database, RBL query server, and URL category database. These components can be updated or queried online to ensure that the USG6000 can cope with the latest security risks.
- Virtual system. A physical device is divided into multiple virtual devices. Each is independent and logically isolated to implement system-level expansion, and each meets the requirements of device leasing and cloud computing.

2 Application Scenarios

About This Chapter

This chapter describes typical networking and application scenarios of the NGFW.

2.1 Border Protection for Medium- and Large-sized Enterprises: This section describes how to use the USG6000 as the egress gateway of a medium- or large-sized enterprise to ensure network security.
2.2 Intranet Control and Security Isolation: This section describes how to deploy the USG6000 on the intranet to isolate networks and implement refined control over intranet traffic.
2.3 Data Center Border Protection: An Internet Data Center (IDC) is an infrastructure that involves maintenance services to collect, store, process, and send data on the Internet. The IDC is constructed by a network server provider to provide server hosting and virtual domain name services for small and medium-sized enterprises and individual customers.
2.4 VPN Remote Access and Mobile Working: Secure and low-cost remote access and mobile working can be implemented through VPN technologies.
2.5 Cloud Computing: The USG6000 can function as the cloud computing gateway on the cloud computing network.
2.6 Agile Network: The agile network is a new enterprise networking solution for legacy enterprise networks. It is easier, more flexible, and faster in configuration, maintenance, and service response compared with traditional enterprise networks.

2.1 Border Protection for Medium- and Large-sized Enterprises

This section describes how to use the USG6000 as the egress gateway of a medium- or large-sized enterprise to ensure network security.

A medium- or large-sized enterprise has the following service features:
- Large number of employees, complex services, and various flows
- Services available to external users, for example, the website and mail services
- Exposure to DDoS attacks and great losses after the attacks succeed
- High requirements on device reliability for service continuity when traffic is heavy or the device is faulty

The USG6000 works as the egress gateway of a medium- or large-sized enterprise to cope with the issues listed in this section. Figure 2-1 shows the typical application scenario.

Figure 2-1 Typical networking of border protection for large and medium-sized enterprises

You can set up border protection for large and medium-sized enterprises as follows:
- Divide the network where employees reside, the network where servers reside, and the Internet into different security zones to detect and protect flows among security zones.
- Enable the content security defense function according to the services to be provided for external users. For example, you can enable file and data filtering for the file server in Figure 2-1, mail filtering for the mail server, and antivirus and intrusion prevention for all servers.
- When intranet users access the Internet, enable the following to defend against Internet threats and prevent information leaks to ensure network security:
  - URL filtering, file blocking, and data filtering
  - Antivirus
  - Application behavior control
- Establish VPN tunnels between the USG6000, mobile workers, and branches to protect service data during transmission over the Internet.
- Enable the anti-DDoS function to defend against heavy-traffic attacks launched by Internet hosts to ensure the normal operation of services.
- Apply bandwidth policies to traffic between the intranet and the Internet to control the bandwidth and number of connections to avoid network congestion and defend against DDoS attacks.
- Deploy the eSight network management system (to be purchased independently) to log network operation. The logs help the administrator adjust configurations, audit traffic, and identify risks.
- Deploy the dual-system hot backup network to improve availability. When a single-point failure occurs, service traffic can be smoothly switched from the active device to the standby device to ensure continuity.

2.2 Intranet Control and Security Isolation

This section describes how to deploy the USG6000 on the intranet to isolate networks and implement refined control over intranet traffic.

Within a medium- or large-sized enterprise, security levels are assigned to the subnets of the intranet. For example, the USG6000 isolates the R&D network, production network, and marketing network and monitors traffic among the networks to:
- Apply different security policies to networks based on their features and risks.
- Control traffic among the networks to avoid information leaks.
- Isolate networks to prevent the spread of viruses.
- Divide networks to reduce the detection load and improve detection efficiency for network connectivity. Most traffic is generated within one network, and the traffic within one network does not require much intervention.

The USG6000 can meet these requirements. Figure 2-2 shows the typical application scenario.

Figure 2-2 Typical networking of intranet control and security isolation

You can set up intranet control and security isolation as follows:
- Deploy one or more USG6000s on the intranet to function as the border gateways of different networks to isolate the networks.
- Establish a user management system to control user rights for accessing intranet hosts.
- Add networks of the same security level into the same security zone and configure security functions. For example, R&D departments 1 and 2 belong to security zone Research, and the packet filtering, blacklist and whitelist, and antivirus functions can be applied between the two networks.
- Add networks of different security levels into different security zones and configure security functions according to actual service requirements. For example, only some R&D hosts can access the marketing department, and the antivirus, file blocking, and data filtering functions are applied between the Research zone and the Marketing, Production, and Server zones.
- Apply bandwidth policies to security zones to control the bandwidth and number of connections to avoid intranet congestion.
- Apply intrusion prevention, antivirus, file blocking, data filtering, application behavior control, and URL filtering functions between the intranet security zones and the Internet.

2.3 Data Center Border Protection

An Internet Data Center (IDC) is an infrastructure that involves maintenance services to collect, store, process, and send data on the Internet. The IDC is constructed by a network server provider to provide server hosting and virtual domain name services for small and medium-sized enterprises and individual customers.
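The zone design in 2.1 and 2.2 above (subnets grouped into security zones, rules between zone pairs, some rules restricted to particular users or applications, content-security functions attached to permitted traffic, everything else dropped) can be modelled in a few dozen lines. The following Python block is an added example, not Huawei's code and not the USG6000's policy engine: the zone names Research, Marketing and Server are taken from the scenario text, while the subnets, user names, application names, rule names and profile names are constructed assumptions. It shows first-match semantics with an implicit final deny, and how a user condition lets "only some R&D hosts" reach Marketing while every other Research-to-Marketing flow is refused.

```python
# Added example (not Huawei's code): a small model of zone-based security
# policy matching with user and application conditions, in the style of the
# intranet control scenario above. Zone names, subnets, users, rules and
# profile names are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Subnet-to-zone mapping (constructed). Anything unmatched is treated as Untrust.
ZONES = {
    "Research": [ip_network("10.1.0.0/16")],
    "Marketing": [ip_network("10.2.0.0/16")],
    "Server": [ip_network("10.10.0.0/24")],
}


def zone_of(ip: str) -> str:
    """Return the security zone an address belongs to, or Untrust if none matches."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "Untrust"


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                                 # "permit" or "deny"
    users: Optional[set] = None                 # None means any user
    apps: Optional[set] = None                  # None means any application
    profiles: set = field(default_factory=set)  # content-security profiles applied on permit


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    user: str    # identity learned from authentication, not from the IP address
    app: str     # identity learned from signatures, not from the port


# Ordered policy: the first matching rule wins; an implicit deny follows the list.
POLICY = [
    Rule("rd-to-servers", "Research", "Server", "permit", apps={"http", "ssh"},
         profiles={"antivirus", "ips"}),
    Rule("rd-leads-to-marketing", "Research", "Marketing", "permit", users={"alice"},
         profiles={"antivirus", "file-blocking", "data-filtering"}),
    Rule("block-p2p-out", "Research", "Untrust", "deny", apps={"bittorrent"}),
    Rule("rd-internet", "Research", "Untrust", "permit",
         profiles={"ips", "antivirus", "url-filtering"}),
]


def match(flow: Flow, policy=POLICY) -> tuple:
    """Return (rule_name, action, profiles) for the first matching rule, or the implicit deny."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for rule in policy:
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if rule.users is not None and flow.user not in rule.users:
            continue
        if rule.apps is not None and flow.app not in rule.apps:
            continue
        profiles = rule.profiles if rule.action == "permit" else set()
        return (rule.name, rule.action, profiles)
    return ("default", "deny", set())


if __name__ == "__main__":
    for f in (Flow("10.1.5.5", "10.10.0.7", "bob", "ssh"),
              Flow("10.1.5.5", "10.2.0.9", "bob", "smb"),
              Flow("10.1.5.5", "10.2.0.9", "alice", "smb"),
              Flow("10.1.5.5", "203.0.113.9", "bob", "bittorrent")):
        print(f.user, f.app, zone_of(f.src_ip), "->", zone_of(f.dst_ip), match(f))
```

Note that the deny rule for P2P sits before the general Internet permit; if the two were swapped, the broader permit would match first and the deny would never fire, which is the ordering mistake to check for whenever a policy list is edited.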

The network structure of the IDC has the following features:
- Provides network services for external users, which is the key function of the IDC. Normal access from the Internet to servers in the IDC must be guaranteed. Therefore, the border protection device must have high performance and reliability and ensure network access when attacks are launched on the IDC.
- Protects servers in the IDC and applies security functions according to the service type.
- May host servers of multiple enterprises, which are easy targets for hackers.
- The IDC traffic is complex. The administrator cannot effectively adjust configurations if the traffic is not clear.

The USG6000 works as the border gateway of an IDC to cope with the previous issues. Figure 2-3 shows the typical application scenario.

Figure 2-3 Typical networking of data center border protection

You can set up border protection for data centers as follows:
- Enable the traffic statistics function to collect statistics on traffic by IP address, user, and application to formulate security policies.
- Apply traffic limiting on the basis of the IP address and application to ensure the stable operation of servers and avoid network congestion.
- Enable the intrusion prevention and antivirus functions to protect servers from viruses, Trojan horses, and worms.
- Enable the anti-DDoS and other attack defense functions to defend against attacks from the Internet.
- Enable the mail filtering function to protect mail servers on the intranet from spam and prevent the servers from being blacklisted by anti-spam organizations due to unintentional spam forwarding.
- Enable file blocking and data filtering to prevent information leaks.
- Deploy the eSight network management system (to be purchased independently) to log network operation. The logs help the administrator adjust configurations, identify risks, and check traffic.
- Deploy the dual-system hot backup network to improve availability. When a single-point failure occurs, service traffic can be smoothly switched from the active device to the standby device to ensure continuity.

2.4 VPN Remote Access and Mobile Working

Secure and low-cost remote access and mobile working can be implemented through VPN technologies.

Remote access and mobile working have the following features:
- Branches need access to the headquarters.
- Partners must be flexibly authorized to limit the accessible network resources and transmittable data types according to the services.
- Employees on the move need to be connected anywhere, anytime, and at any IP address. In addition, employees on the move are not protected by information security measures. Enterprises must implement strict access authentication on these employees and accurately control their accessible resources and permissions.
- Enterprises must implement encryption protection on data transferred during remote access communications to prevent network eavesdropping, tampering, forgery, and replay as well as information leaks.

The USG6000 works as the VPN access gateway of an enterprise to cope with the issues listed in this section. Figure 2-4 shows the typical application scenario.

Figure 2-4 Typical networking of VPN remote access and mobile working

You can set up VPN remote access and mobile working as follows:
- Establish IPSec or L2TP over IPSec permanent tunnels for the branches and partners with fixed VPN gateways. If access account verification is required, the L2TP over IPSec tunnel is recommended.

- Apply SSL VPN technologies to employees on the move (with unfixed addresses). VPN client installation is not required. These employees can use only web browsers to establish tunnels with the headquarters, which is convenient. Meanwhile, resources accessible to the employees on the move are controlled in a refined manner.
- Use the IPSec or SSL encryption algorithm to protect network data in the previous tunnels.
- Apply access authentication on the access users of VPN tunnels to ensure user legitimacy and apply access authorization on the basis of user permissions.
- Enable the intrusion prevention, antivirus, file blocking, data filtering, and anti-DDoS functions to prevent remote access users from introducing network threats as well as information leaks.
- Enable the user behavior audit function to discover risks promptly for future tracking.

2.5 Cloud Computing

The USG6000 can function as the cloud computing gateway on the cloud computing network.

Cloud computing can be applied in multiple modes. Typically, an ISP provides hardware resources and computing capabilities for users. Each user can use only one terminal to access the cloud, similar to operating a PC. The core technology of cloud computing provides independent and complete services for a large number of users based on the server cluster, which involves multiple virtualization technologies. The USG6000 works as the cloud computing gateway, and Figure 2-5 shows the typical application scenario.

Figure 2-5 Typical networking of cloud computing

In this scenario, the USG6000 is the cloud computing gateway. With the system virtualization function, you can divide a physical device into multiple independent logical devices. Each logical device, called a virtual system, has its own interfaces, system resources, and configuration file and implements traffic forwarding and security defense independently. Virtual systems are logically isolated, and each cloud terminal has an exclusive firewall. These virtual systems share the same physical entity. Therefore, traffic forwarding between virtual systems is highly efficient. In the scenario shown in Figure 2-5, the USG6000 offers rapid data switching among virtual systems, protects traffic between the cloud terminal and the cloud server, and provides value-added security services for cloud computing.

2.6 Agile Network

The agile network is a new enterprise networking solution for legacy enterprise networks. It is easier, more flexible, and faster in configuration, maintenance, and service response compared with traditional enterprise networks. Based on customer requirements, agile networks fall into three scenarios: service mobility, service chain, and security collaboration. The NGFW plays different roles in different scenarios.

Service Mobility

Service mobility enables consistent enterprise resource access permissions and experience (the same priority and bandwidth for users to access enterprise resources) regardless of where the users access the enterprise network. As shown in the service mobility scenario in Figure 2-6, the firewalls are deployed at the borders of the headquarters, branch office, and data center to provide user identification and permission control functions. Apart from the user identification and permission control functions, the firewalls at the borders of the headquarters and branch office provide L2TP VPN, L2TP over IPSec VPN, and SSL VPN services for mobile employees and allocate bandwidth resources to access users to ensure that the traffic of VIP users is preferentially forwarded.

Figure 2-6 Service mobility application scenario

Service Chain

Service chain is a scenario in which all security check devices are centrally deployed in a security resource pool, with each device responsible for different security check tasks. Enterprises can schedule the traffic going through the core switch in a specific order for the core switch to send the traffic to these security devices for security checks. Figure 2-7 shows the service chain scenario. In this scenario, the firewall resides in the security resource pool to provide the content security check. The firewalls are deployed in off-line mode next to the core switch, and each firewall establishes a GRE tunnel with each core switch. When receiving the traffic to be checked, the core switch diverts the traffic over one GRE tunnel to the corresponding firewall. After security checks, the firewall injects the traffic over the other GRE tunnel back to the core switch.

Figure 2-7 Service chain scenario

Security Collaboration

Security collaboration is a solution for improving overall intranet security defense capabilities. This solution provides visibility into network health conditions, security event quantity and types, and security risk trends, and monitors and handles security events. As shown in Figure 2-8, the firewall sends syslogs about security events, such as viruses, intrusions, Trojans, and data leaks, to the controller. After receiving the security logs, the controller delivers security warnings and actions, such as isolate or block, to the aggregation switch, so that the aggregation switch can block these risks.

Figure 2-8 Security collaboration scenario
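The controller's side of the security collaboration scenario above (receive threat syslogs from the firewall, decide per host whether to warn, block or isolate, hand that to the switch) is the part a security operations team usually has to reason about, so here is a small worked model of it. This Python block is an added example, not Huawei's code and not the controller's: the syslog line format, the field names, the severity weights and the two thresholds are all assumptions made for the example, and the sample log lines are constructed rather than real USG6000 output. It parses only lines tagged as threat events, sums a severity weight per source host, and maps the total to an action, so a single critical data-leak event isolates a host while a low-severity scan only produces a warning.

```python
# Added example (not Huawei's or any controller's code): parse constructed
# firewall threat syslogs and derive a per-host action ("warn", "block" or
# "isolate") for a downstream switch, in the spirit of the security
# collaboration scenario above. The log format, field names, severity
# weights and thresholds are all assumptions made for this example.
import re
from collections import defaultdict

# Constructed sample syslog lines; this is not real USG6000 log output.
SAMPLE_LOGS = [
    "<190>Oct 20 10:01:02 fw1 THREAT: type=virus severity=high src=10.1.5.5 dst=203.0.113.10 name=virus-sample-a action=block",
    "<190>Oct 20 10:01:09 fw1 THREAT: type=intrusion severity=medium src=10.1.5.5 dst=10.10.0.7 name=ssh-brute-force action=alert",
    "<190>Oct 20 10:02:30 fw1 THREAT: type=intrusion severity=low src=10.2.0.9 dst=10.10.0.7 name=port-scan action=alert",
    "<190>Oct 20 10:03:11 fw1 THREAT: type=data-leak severity=critical src=10.1.7.7 dst=198.51.100.5 name=card-number-pattern action=block",
    "<190>Oct 20 10:03:12 fw1 TRAFFIC: src=10.1.7.7 dst=198.51.100.5 bytes=1234",  # not a threat event
]

THREAT_RE = re.compile(r"\bTHREAT: (?P<kv>.*)$")
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}


def parse_threat(line: str):
    """Return the key=value fields of a THREAT line as a dict, or None for other log types."""
    m = THREAT_RE.search(line)
    if m is None:
        return None
    # Values in this constructed format contain no spaces, so a plain split is enough.
    return dict(pair.split("=", 1) for pair in m.group("kv").split())


def decide_actions(lines, isolate_at: int = 10, block_at: int = 5) -> dict:
    """Sum severity weights per source host and map the total to a switch-side action."""
    score = defaultdict(int)
    for line in lines:
        event = parse_threat(line)
        if event is None or "src" not in event:
            continue
        score[event["src"]] += SEVERITY_WEIGHT.get(event.get("severity"), 1)
    actions = {}
    for host, total in score.items():
        if total >= isolate_at:
            actions[host] = "isolate"     # cut the host off at its access port
        elif total >= block_at:
            actions[host] = "block"       # drop the host's traffic at the aggregation switch
        else:
            actions[host] = "warn"        # raise a warning only
    return actions


if __name__ == "__main__":
    for host, action in sorted(decide_actions(SAMPLE_LOGS).items()):
        print(f"{host}: {action}")
```

Two points carry over to a real deployment: the non-threat TRAFFIC line is ignored rather than counted, and scoring is per source host over a window, so repeated medium events accumulate toward a block instead of each being judged alone. Whatever weights and thresholds are chosen, the automated "isolate" action is the one to test most carefully, because a false positive there takes a legitimate host off the network.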

23 3 Product Architecture 3 Product Architecture About This Chapter This chapter describes the software and hardware structures of the NGFW. 3.1 Hardware Architecture The USG6000 has a multi-core hardware architecture to ensure high performance and stable operating. 3.2 Software Architecture The USG6000 adopts the new multi-plane software architecture to ensure high-speed packet processing and stability. 3.1 Hardware Architecture USG6310 Appearance The USG6000 has a multi-core hardware architecture to ensure high performance and stable operating. The USG6310 is a 1-U desktop device with an integrated structure. The device provides fixed ports, a built-in fan module, and uses an external power adapter to supply power. The device does not support port expansion. Figure 3-1 illustrates the appearance of the USG

Figure 3-1 Appearance of USG6310

Ports

The USG6310 provides the following fixed ports:
- 1 console port (RJ45)
- 1 USB 2.0 port
- 8 10/100/1000M autosensing Ethernet electrical ports

USG6320 Appearance

The USG6320 is a 1-U desktop device with an integrated structure. The device provides fixed ports and a built-in fan module, and it uses an external power adapter for power supply. The device does not support port expansion. Figure 3-2 illustrates the appearance of the USG6320.

Figure 3-2 Appearance of USG6320

Ports

The USG6320 provides the following fixed ports:
- 1 console port (RJ45)
- 1 USB 2.0 port
- 8 10/100/1000M autosensing Ethernet electrical ports

USG6330/6350/6360 Appearance

The USG6330/6350/6360 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as hard disks, an additional power module, and expansion cards, to improve system reliability and add more ports. Figure 3-3 illustrates the appearance of the USG6330/6350/6360.

Figure 3-3 Appearance of USG6330/6350/6360

Table 3-1 describes the functions of the USG6330/6350/6360 components.

Table 3-1 Functions of the USG6330/6350/6360 components

Fixed interface board
  The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-2 lists the supported expansion cards.

Power module
  A built-in 150 W power module is provided by default; you can optionally add a 170 W power module for 1+1 power redundancy. If two power modules are used and the PWR6 power module fails, the other can support the entire system, so you can replace the faulty PWR6 power module without interrupting device operation.

Hard disk combination
  Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.

Ports

The fixed interface board provides the following ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 1 USB 2.0 port
- 2 GE Combo ports
- 4 10/100/1000M autosensing Ethernet electrical ports

Table 3-2 lists the supported types of expansion cards.

Table 3-2 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.
WSIC: Wide Service Interface Card

USG6370/6380/6390 Appearance

The USG6370/6380/6390 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as hard disks, an additional power module, and expansion cards, to improve system reliability and add more ports. Figure 3-4 illustrates the appearance of the USG6370/6380/6390.

Figure 3-4 Appearance of USG6370/6380/6390

Table 3-3 describes the functions of the USG6370/6380/6390 components.

Table 3-3 Functions of the USG6370/6380/6390 components

Fixed interface board
  The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-4 lists the supported expansion cards.

Power module
  An AC power module is provided by default. Two power modules are supported to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so you can replace the faulty power module without interrupting device operation.

Hard disk combination
  Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.

Ports

The fixed interface board provides the following ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 2 USB 2.0 ports
- 4 GE optical ports
- 8 10/100/1000M autosensing Ethernet electrical ports

Table 3-4 lists the supported types of expansion cards.

Table 3-4 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.
WSIC: Wide Service Interface Card

USG6530 Appearance

The USG6530 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as hard disks, an additional power module, and expansion cards, to improve system reliability and add more ports. Figure 3-5 illustrates the appearance of the USG6530.

Figure 3-5 Appearance of USG6530

Table 3-5 describes the functions of the USG6530 components.

Table 3-5 Functions of the USG6530 components

Fixed interface board
  The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-6 lists the supported expansion cards.

Power module
  A built-in 150 W power module is provided by default; you can optionally add a 170 W power module for 1+1 power redundancy. If two power modules are used and the PWR6 power module fails, the other can support the entire system, so you can replace the faulty PWR6 power module without interrupting device operation.

Hard disk combination
  Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.

Ports

The fixed interface board provides the following ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 1 USB 2.0 port
- 2 GE Combo ports
- 4 10/100/1000M autosensing Ethernet electrical ports

Table 3-6 lists the supported types of expansion cards.

Table 3-6 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.
WSIC: Wide Service Interface Card

USG6550/6570 Appearance

The USG6550/6570 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as hard disks, an additional power module, and expansion cards, to improve system reliability and add more ports. Figure 3-6 illustrates the appearance of the USG6550/6570.

Figure 3-6 USG6550/6570 appearance

Table 3-7 describes the functions of the USG6550/6570 components.

Table 3-7 Functions of USG6550/6570 components

Fixed interface board
  The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-8 lists the supported expansion cards.

Power module
  An AC power module is provided by default. Two power modules are supported to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so you can replace the faulty power module without interrupting device operation.

Hard disk combination
  Hard disks are used to store logs and reports. The device supports optional SM-HDD-SAS300G-B hard disks.

Ports

The fixed interface board provides the following ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 2 USB 2.0 ports
- 4 GE optical ports
- 8 10/100/1000M autosensing Ethernet electrical ports

Table 3-8 lists the supported types of expansion cards.

Table 3-8 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.
WSIC: Wide Service Interface Card

USG6620/6630 Appearance

The USG6620/6630 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as hard disks, an additional power module, and expansion cards, to improve system reliability and add more ports. Figure 3-7 illustrates the appearance of the USG6620/6630.

Figure 3-7 Appearance of USG6620/6630

Table 3-9 describes the functions of the USG6620/6630 components.

Table 3-9 Functions of the USG6620/6630 components

Fixed interface board
  The fixed interface board is the core component for system control and management and provides the management, forwarding, and control planes. The interface board also has an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-10 lists the supported expansion cards.

Power module
  An AC power module is provided by default. Two power modules are supported to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so you can replace the faulty power module without interrupting device operation.

Hard disk combination
  Hard disks are used to store logs and reports. The device supports the optional hard disk combination SM-HDD-SAS300G-B.

Ports

The fixed interface board provides the following ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 2 USB 2.0 ports
- 4 GE optical ports
- 8 10/100/1000M autosensing Ethernet electrical ports

Table 3-10 lists the supported types of expansion cards.

Table 3-10 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.
WSIC: Wide Service Interface Card

USG6650/6660 Appearance

The USG6650/6660 uses an integrated chassis that contains the SPUA (main processing unit), interface card, power module, and fan module. You can also add optional modules, such as a hard disk and expansion cards, to improve system reliability and add more ports. Figure 3-8 illustrates the appearance of the USG6650/6660.

Figure 3-8 Appearance of USG6650/6660

Table 3-11 describes the functions of the USG6650/6660 components.

Table 3-11 Functions of the USG6650/6660 components

SPUA (the main processing unit)
  The SPUA is the core component for system control and management and provides the management, forwarding, and control planes and an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Interface card (mandatory)
  The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-12 lists the supported expansion cards.

Power module
  By default, the USG6650 has two AC power modules and does not support DC. By default, the USG6660 has two DC or AC power modules for 1+1 power redundancy, so that a faulty power module can be hot-swapped.

Fan module
  The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.

Filler panel
  Ensures normal air flow and keeps out dust.

Ports

The SPUA provides the following fixed ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 1 console port (mini USB)
- 2 USB 2.0 ports

By default, the USG6650/6660 has one 2XG8GE interface card and one 8GEF interface card, which provide the following service ports:
- 8 GE optical ports
- 8 10/100/1000M autosensing Ethernet electrical ports
- 2 10GE optical ports

The six expansion slots on the USG6650/6660 support the expansion cards listed in the following table. The slots are of two types: one for Wide Service Interface Cards (WSIC) and the other for Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also hold a WSIC, but only in the lower part; in this case, no other card can be installed in the upper part.

Table 3-12 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.

USG6670 Appearance

The USG6670 uses an integrated chassis that contains the SPUA (main processing unit), interface card, power module, and fan module. You can also add optional modules, such as a hard disk and expansion cards, to improve system reliability and add more ports. Figure 3-9 illustrates the appearance of the USG6670.

Figure 3-9 Appearance of USG6670

Table 3-13 describes the functions of the USG6670 components.

Table 3-13 Functions of the USG6670 components

SPUA (the main processing unit)
  The SPUA is the core component for system control and management and provides the management, forwarding, and control planes and an intelligent awareness engine.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

Interface card (mandatory)
  The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-14 lists the supported expansion cards.

Power module
  Two DC or AC power modules are mandatory to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so you can replace the faulty power module without interrupting device operation.

Fan module
  The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.

Filler panel
  Ensures normal air flow and keeps out dust.

Ports

The SPUA provides the following fixed ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 1 console port (mini USB)
- 2 USB 2.0 ports

By default, the USG6670 has two 2XG8GE interface cards and one 8GEF interface card, which provide the following service ports:
- 8 GE optical ports
- 16 10/100/1000M autosensing Ethernet electrical ports
- 4 10GE optical ports

The five expansion slots on the USG6670 support the expansion cards listed in the following table. The slots are of two types: one for Wide Service Interface Cards (WSIC) and the other for Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also hold a WSIC, but only in the lower part; in this case, no other card can be installed in the upper part.

Table 3-14 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.

USG6680 Appearance

The USG6680 uses an integrated chassis that contains the SPUA (main processing unit), SPUB (service engine), interface card, power module, and fan module. You can also add optional modules, such as a hard disk and expansion cards, to improve system reliability and add more ports. Figure 3-10 illustrates the appearance of the USG6680.

Figure 3-10 Appearance of USG6680

Table 3-15 describes the functions of the USG6680 components.

Table 3-15 Functions of the USG6680 components

SPUA (the main processing unit)
  The SPUA is the core component for system control and management and provides the management, forwarding, and control planes. Both the SPUA and the SPUB have an intelligent awareness engine (IAE) and provide the intelligent awareness service.
  - Management plane: provides ports for configuration, test, and maintenance and implements functions such as running status monitoring, environment monitoring, log and alarm processing, system loading, and system upgrades. It can use the hard disk SM-HDD-SAS300G-A to record logs and reports in real time.
  - Forwarding plane: parses and processes packets and works with the other planes to forward, discard, or translate packets.
  - Control plane: obtains user authentication information and sends authentication results to the forwarding plane, so that the forwarding plane can process packets based on user information.
  - Intelligent awareness engine: identifies the service of each packet, parses the content to identify the application of the packet as well as the file, virus, URL, field, intrusion, and attack information in the packet or flow, and provides the forwarding plane with the detection result for further processing.

SPUB (the service engine)
  The SPUB has an IAE to provide content security. The CPU resources of the SPUB on the USG6680 are dedicated to the IAE, so the USG6680 has higher performance than the other USG products.

Interface card (mandatory)
  The interface card provides gigabit and 10-gigabit electrical and optical ports. The interface card is installed before shipment and can be moved to another slot. The interface card is not hot-swappable.

Expansion slot
  Expansion slots are reserved for expansion cards that provide more ports or functions. Table 3-16 lists the supported expansion cards.

Power module
  Two DC or AC power modules are mandatory to provide 1+1 power redundancy. If one power module fails, the other can support the entire system, so you can replace the faulty power module without interrupting device operation.

Fan module
  The fan module provides air flow for heat dissipation. The fan module supports hot-swapping and can be replaced without interrupting device operation. However, to prevent overheating, do not operate the device without a functioning fan module for more than one minute.

Ports

The SPUA provides the following fixed ports:
- 1 out-of-band management port (RJ45)
- 1 console port (RJ45)
- 1 console port (mini USB)
- 2 USB 2.0 ports

By default, the USG6680 has two 2XG8GE interface cards and one 8GEF interface card, which provide the following service ports:
- 8 GE optical ports
- 16 10/100/1000M autosensing Ethernet electrical ports
- 4 10GE optical ports

The five expansion slots on the USG6680 support the expansion cards listed in the following table. The slots are of two types: one for Wide Service Interface Cards (WSIC) and the other for Extended Service Interface Cards (XSIC). An XSIC is twice as high as a WSIC. An XSIC slot can also hold a WSIC, but only in the lower part; in this case, no other card can be installed in the upper part.

Table 3-16 Supported expansion cards
- 8GE WSIC Interface Card: Provides eight gigabit RJ45 Ethernet ports.
- 2XG8GE WSIC Interface Card: Provides eight gigabit RJ45 ports and two 10-gigabit SFP+ ports.
- 8GEF WSIC Interface Card: Provides eight gigabit SFP ports.
- 4GE-BYPASS WSIC Card: Provides two electrical bypass links.

3.2 Software Architecture

The USG6000 adopts a new multi-plane software architecture to ensure high-speed packet processing and stability.

Figure 3-11 Software architecture

The software architecture has the following components:

- Hardware and drivers: provide the hardware and driver support for packet forwarding.
- Management plane: The USG6000 provides the configuration, test, and maintenance interfaces for the administrator. The new Web UI provides diversified management functions. The administrator can gain visibility into configurations, logs, and reports to intelligently detect and diagnose faults.
- Intelligent awareness engine (IAE): The USG6000 implements service awareness and content parsing on packets to identify the carried application, virus, URL, file, mail field, intrusion, and attack. The results are transferred to the forwarding plane for further processing. With continuous updates of the signature database, the USG6000 can identify the latest applications, viruses, and intrusion behaviors to improve its security defense capabilities.
- Forwarding plane: The forwarding plane implements basic parsing and processing of packets. This plane works with the other planes to forward, discard, or translate packets, covering network-layer header parsing, transport-layer parsing, entry lookup, address translation, VPN tunnel establishment, and anti-DDoS at the network layer.

  If a packet matches a security policy and the corresponding configuration file exists, the forwarding plane forwards the packet to the IAE for service awareness. A single inspection yields all the data necessary for follow-up processing. The forwarding plane then processes the packet according to the inspection results and policies. Packets are forwarded at high speed and with extremely low delay, even if the forwarding plane is isolated from the IAE. The forwarding plane preferentially forwards packets to handle burst traffic.
- Control plane: The control plane interacts with a user, obtains the user's authentication information, and sends the information to the forwarding plane. The forwarding plane then processes packets based on the user. The independent control plane ensures rapid access for a large number of users and improves the response speed. The control plane also interacts with the remote URL category server to obtain the latest URL categories.

4 Product Functions

About This Chapter

This chapter describes the functions of the NGFW.

4.1 USG6000 Functions
This section describes the main functions supported by the USG6000.

4.2 Advanced Content Security Defense
The biggest advantage of the next-generation firewall is the sophisticated application security capability built on deep application and content inspection.

4.3 Flexible User Management
IP addresses no longer reflect user identities, which poses a security risk. User-specific management delivers an effective solution to this issue.

4.4 Complete Security Functions Inherited from Traditional Firewalls
The USG6000 inherits the network-layer security functions of traditional firewalls. Although simple, these security mechanisms are effective and sufficient to tackle threats at the network layer.

4.5 Granular Traffic Management
Network services are ever-increasing, but network bandwidth is not. Therefore, bandwidth usage must be controlled to reduce the bandwidth of low-priority services and ensure available bandwidth for high-priority services.

4.6 Support for Various Routing and Switching Protocols
The USG6000 supports a wide range of routing and switching protocols, ensuring adaptability to various network environments and deployment requirements.

4.7 Intelligent Route Selection Policy
The USG6000 has multiple egress links and can dynamically select outbound interfaces based on intelligent route selection policies. This ensures that traffic is forwarded based on preset policies, increases link usage, and improves users' Internet access experience.

4.8 Support for IPv6
The USG6000 supports Internet Protocol Version 6 (IPv6) and multiple IPv6 networking modes to effectively secure IPv6 networks.

4.9 Diversified VPN Access Modes
A virtual private network (VPN) is a low-cost solution for securing private networks and plays an important role on modern enterprise networks. The USG6000 supports multiple VPN technologies.

4.10 High Availability Mechanism
The proper working of the network directly affects the revenue of enterprises, especially those that rely on the network to provide online information, online gaming, and e-commerce services. Ensuring the stability and high availability of network devices is therefore critical for such enterprises.

4.11 Easy-to-Use Virtual System
A virtual system divides a physical device into multiple logically independent virtual devices. Each virtual device has its own administrator, routing table, and security policy.

4.12 Visualized Device Management and Maintenance
Huawei has improved and enhanced the Web UI of the USG6000. Administrators can easily deploy, configure, maintain, troubleshoot, monitor, and upgrade the device on the Web UI.

4.13 Diversified Logs and Reports
The USG6000 provides diversified logs and reports for administrators to trace and analyze the events that have occurred on the device.

4.14 Device Security Protection
This section describes the security of the data system and of the operation and maintenance of the NGFW.

4.1 USG6000 Functions

This section describes the main functions supported by the USG6000.

Table 4-1 USG6000 functions (category, function, description)

Content Security
  Application identification: Identifies more than 6000 common applications based on the predefined signature database. Supports constant updates of the predefined signature database and user-defined applications. Parses the packets of tens of protocols, identifies content exchanged during protocol negotiation, and supports common multi-channel protocols.
  SSL traffic decryption: Decrypts SSL traffic that matches a decryption policy and implements content security checks on the decrypted traffic.
  Antivirus: Identifies more than 5,000,000 common viruses. Updates the signature database constantly.
  Intrusion prevention: Detects and defends against thousands of common intrusion behaviors, worms, Trojan horses, and botnets. Updates the predefined signature database constantly and supports user-defined signatures.
  URL filtering: Blocks connections to HTTP and HTTPS URLs as required. Supports locally defined URLs and URL categories and queries the latest URLs and URL categories from the remote URL category server. Updates URL categories constantly.
  Data filtering: Supports common file transfer protocols, including HTTP, FTP, SMTP, POP3, NFS, SMB, IMAP, RTMPT, and FLASH. Filters the content of files transferred over these protocols, and the content of HTTP and FTP transfers, based on keywords.
  File blocking: Supports the same file transfer protocols as data filtering. Identifies common documents, code files, executable files, multimedia files, and the real type of compressed files transferred over these protocols, and blocks files based on their real type and file name extension.
  Application behavior control: Controls HTTP behaviors, including file upload and download, POST, web page browsing, and HTTP proxy. Controls FTP behaviors, including file upload and download.
  Mail filtering: Supports a local whitelist and blacklist of mail servers to block spam. Works with an RBL server to query in real time whether a received or sent mail is spam. Filters mails based on the sender address, receiver address, and the size and number of attachments.

User Management
  Local user management: Supports user creation and management and organization structure maintenance. Supports centralized management of VPN and PPPoE users.
  Interworking with user servers: Interworks with common user servers such as AD, RADIUS, HWTACACS, LDAP, SecurID, and TSM to import user information and implement proxy authentication.
  User authentication: Pushes web pages for user authentication, or works with the AD server to synchronize information about online users in real time.

Network-Layer Security Protection
  Packet filtering: Supports packet filtering based on policies.
  NAT: Translates the source IP addresses, destination IP addresses, and ports of packets. Maps private IP addresses and ports to public IP addresses and ports so that internal servers can provide services to external users. Automatically translates the IP addresses and ports negotiated in the packets of multi-channel protocols.
  DDoS attack defense: Defends against various DoS and DDoS attacks. Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP flood. Application-layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP flood.
  Single-packet attack defense: Implements packet validity checking to defend against various single-packet attacks, including IP spoofing, LAND, Smurf, Fraggle, WinNuke, Ping of Death, Teardrop, address scanning, port scanning, IP option control, IP fragment control, TCP flag validity, ICMP packet control, ICMP redirect, ICMP unreachable, and TRACERT packet attacks.
  Blacklist and whitelist: Rapidly filters packets based on a whitelist and blacklist of IP addresses.
  IP-MAC address binding: Binds IP addresses to MAC addresses to prevent IP spoofing.

Traffic Management
  IP address- and user-based bandwidth management: Limits the maximum bandwidth and guarantees bandwidth for an IP address or a user.
  IP address- and user-based connection quantity management: Limits the maximum number of connections for an IP address or a user.
  Interface-based bandwidth management: Limits the maximum bandwidth for an interface.
  Traffic quota management: Allocates a fixed online duration and traffic quota to specific users.

Intelligent Uplink Selection
  Smart DNS: Modifies DNS reply packets so that the address a user obtains is on the same ISP network as the user. This minimizes web access latency and optimizes the user experience.
  DNS transparent proxy: Changes the destination addresses of DNS requests and forwards them to different ISPs for load balancing.
  PBR: Forwards packets based on application, service, user, inbound interface, source security zone, source IP address, destination IP address, and time range. Supports PBR with a single outbound interface or multiple outbound interfaces; with multiple outbound interfaces, intelligent uplink selection can be based on link bandwidth, weight, quality, or priority.
  Global route selection policies: Supports intelligent uplink selection based on equal-cost default routes and route selection based on link bandwidth, weight, or priority.
  ISP address library link selection: Selects the outbound interface based on the carrier network of the destination address.
  Link health check: Detects link availability using multiple protocols.

Routing, Switching, and Packet Forwarding
  Switching protocols: Supports common data-link layer protocols, including ARP, VLAN, PPP, and PPPoE.
  Routing protocols: Supports static routing, routing policies, policy-based routing, RIP, IS-IS, OSPF, BGP, and multicast.
  IP forwarding: Supports basic IP protocols, including DNS, DHCP, ICMP, and URPF.

IPv6
  Basic IPv6 technologies: Supports the resolution and forwarding of IPv6 packets; IPv6 static routing, routing policies, and PBR; and the IPv6 dynamic routing protocols RIPng, OSPFv3, BGP4+, and IS-ISv6.
  IPv6 transition technologies: Supports transition technologies such as 4to6, 6to4, and NAT64, builds complete IPv6 networks, and functions as the border device between IPv4 and IPv6 networks.
  IPv6 network security protection: Supports security policies based on IPv6 addresses to protect IPv6 networks. Implements packet filtering and content security inspection based on IPv6 addresses, with functions and defense effect similar to those for IPv4.

VPN
  IPSec/IKE: Supports IKEv1 and IKEv2. Supports the encryption algorithms DES, 3DES, and AES and the integrity algorithms MD5 and SHA1 for packet encryption and verification. Supports L2TP over IPSec and GRE over IPSec.
  L2TP: Functions as the LAC or LNS.
  GRE: Supports running RIP, OSPF, and BGP across networks over GRE.
  DSVPN: Supports MGRE tunnel establishment between spokes in normal mode or shortcut mode.
  SSL VPN: Supports web proxy and network extension.
  MPLS: Supports MPLS L3VPN. Supports L2TP, IPSec, and GRE access to MPLS VPN. Supports IPSec VPN over MPLS.

High Availability
  Hardware reliability: Supports 1+1 power backup. Supports the hardware bypass card.
  Dual-system hot backup: Supports the dual-system hot backup protocols VRRP, VGMP, and HRP. Provides a complete hot backup mechanism so that services switch smoothly to the standby device when the active device fails.
  Link status check: Checks link connectivity in real time by sending ARP or ICMP packets and switches traffic when the link fails.

Virtual System
  Function virtualization: Virtualizes the major functions, except the hardware and network resources that must be managed centrally. Each virtual system has its own configuration, entries, and resources.
  Virtual administrator: Supports the creation of virtual administrators. Each administrator can be assigned permission to manage a specified virtual system and has an independent configuration page for maintaining it. Virtual systems are isolated, and their configurations do not conflict.

Visualized Management and Maintenance
  New Web UI: Provides a new Web UI that offers diversified, easy-to-use, and visualized management and maintenance functions. On the Web UI, you can easily view logs and reports, manage configurations, and diagnose faults. A configuration wizard lets you rapidly complete the common configuration of some functions.
  Remote management modes: Supports multiple management modes, including the Web UI, the CLI (console, Telnet, or SSH), and an NMS (SNMP).
  Update center: On the Web UI, you can update the system software, application signature database, threat signature database, antivirus signature database, and URL category database in various modes to enhance defense capabilities.
  Remote management: You can log in to the device through the console, Telnet, SSH, or the Web UI for management. Telnet carries credentials in cleartext, so prefer SSH for remote CLI access. Supports SNMP, so standard NMS software can be used for management. Supports syslog, so a log server can collect and manage logs. Supports NQA and NetStream.

Log and Report
  Log: Supports multiple types of logs, including traffic, threat, URL, content, mail filtering, operation, system, user activity, and policy matching logs, for the administrator to learn about network events.
  Report: Supports multiple types of reports, including traffic, threat, URL, and policy matching reports, for the administrator to gain visibility into network traffic and the effect of security defenses.

4.2 Advanced Content Security Defense

The biggest advantage of the next-generation firewall is the sophisticated application security capability built on deep application and content inspection.

Unified Detection Mechanism

The unified detection mechanism of the USG6000 provides effective content security functions and high performance even when all of these functions are enabled.

The unified detection mechanism refers to retrieving the data needed by all content security functions in a single detection cycle, rather than once per function, which greatly enhances the performance of the device, as shown in Figure 4-1.

Figure 4-1 Unified detection mechanism

SSL Decryption

SSL traffic is encrypted for transmission, so the NGFW cannot directly implement content security checks on it. If you configure SSL decryption policies, the NGFW decrypts the SSL traffic that matches the policies and then implements content security checks on the decrypted traffic.

As shown in Figure 4-2, when the client's HTTPS request matches an SSL decryption policy, the NGFW functions as an SSL proxy. Toward the client, the NGFW acts as the server: it completes the SSL handshake and establishes an SSL connection with the client. Toward the server, the NGFW acts as the client: it completes a separate SSL handshake and establishes an SSL connection with the server. For the application data that follows, the NGFW decrypts the HTTPS traffic from the client (or server), implements content security checks, re-encrypts the traffic, and sends it to the server (or client).

The NGFW implements content security checks only on SSL traffic whose application protocol is HTTP.

Two consequences of this proxy model matter in deployment. The client sees a certificate issued by the NGFW rather than the origin server's certificate, so the CA certificate that the NGFW signs with must be trusted by the clients, or every proxied site produces a certificate warning. Applications that pin the origin server's certificate will refuse the proxied connection and need an exception in the decryption policy.

Figure 4-2 Schematic diagram of SSL decryption

Antivirus

The antivirus function scans files transmitted over the network and records or removes the viruses it identifies in them.

A virus is a set of self-replicating instructions or program code, compiled independently or embedded in a computer program, that adversely affects the computer by damaging functions or data. Viruses are commonly embedded in files and spread through e-mails, web pages, and file transfer protocols. If hosts on the intranet are infected, the entire system may crash, services may be interrupted, and important data may be leaked, causing tremendous loss to enterprises.

The antivirus function of the USG6000 scans the file transfer and file sharing protocols that are commonly used to transfer viruses, and blocks several detection-evasion mechanisms used by viruses, enhancing the antivirus capability of the network. The antivirus capabilities of the USG6000 are as follows:

Support for many application-layer protocols and applications
The USG6000 supports virus scanning for files transmitted through HTTP, FTP, SMTP, POP3, IMAP, NFS, and SMB. In addition, it supports configuring exceptions for certain HTTP-based applications.

Virus scanning for compressed files
The USG6000 decompresses ZIP and GZIP files, up to a maximum of three nested layers, before scanning them for viruses.

Signature database with massive signatures
The predefined signature database of the USG6000 detects over 15,000 mainstream virus families, covering over 5,000,000 common viruses.

The signature database with massive signatures ensures the advanced virus detection capability of the USG6000.  Huawei's professional virus analysis team traces and analyzes the latest viruses and updates the virus signature database for network administrators, so that the USG6000 obtains the latest signature database and can identify the maximum number of viruses.

Different defense measures for different traffic flows, and antivirus policies with application and virus exceptions
Through security policy configuration, you can create and apply granular defense policies for different traffic flows to provide targeted network protection. In addition, the administrator can adjust the antivirus policy to keep service packets flowing by configuring extra actions for certain HTTP-based applications or by adding certain false-positive virus matches to the virus exception list.

Intrusion Prevention System (IPS)

The IPS function prevents application-layer attacks and intrusions such as buffer overflow attacks, Trojan horses, backdoor attacks, and worms. Through the IPS function, the USG6000 monitors and analyzes system events, detects application-layer attacks and intrusions, and takes action in real time to terminate the attacks.

The intrusion prevention capabilities of the USG6000 are as follows:

Different deployment modes, with unique defensive measures configurable for different traffic flows
The USG6000 can work in in-line or off-line mode. In in-line mode, the USG6000 acts as an IPS device: it detects threats in real time and blocks the relevant traffic flows to protect the intranet. In off-line mode, the USG6000 acts as an IDS device: it records suspicious events and informs the administrator of them but does not block the suspicious traffic.
Through the configuration of security policies, the administrator can make granular defense policies for different traffic flows.

In-depth packet resolution at the application layer
The USG6000 has a constantly updated application signature database. It performs in-depth packet resolution on the traffic flows of thousands of common applications to find attacks and intrusions, and takes the actions configured in application-specific security policies for each application's traffic. This lets the administrator deploy the IPS function flexibly.

The device supports threat detection after IP fragment reassembly and TCP stream reassembly. Certain attacks split the malicious content across IP fragments or TCP segments so that no single packet contains the full attack pattern and detection is evaded. To tackle this problem, the USG6000 reassembles IP fragments into the original packets and TCP segments into the original stream before performing threat detection.

Signature database containing thousands of signatures, including user-defined ones
The IPS device uses signatures to detect attack traffic, so the capacity of the signature database represents its threat identification capability. To cope with endlessly emerging attacks and threats, Huawei has a professional security team that closely follows the security bulletins of renowned security organizations and software vendors, analyzes and verifies the threats, and generates signatures to protect the affected software systems, including operating systems, application programs, and databases. In addition, Huawei captures the latest attacks, worms, viruses, and Trojan horses, extracts signatures from them, and determines threat trends with the help of a globally distributed honeynet. (A honeynet is a network of decoy systems that lures attackers and collects data for producing signatures.) Based on the preceding features, Huawei can release a signature for a newly identified vulnerability and update the signature database in the shortest time. A signature written against the vulnerability rather than against one specific exploit can block both known and previously unseen attacks that take advantage of that vulnerability, which is what delivers zero-day protection.

The predefined signature database helps the USG6000 identify thousands of attacks at the application layer, and constant updates of the signature database ensure that the USG6000 identifies and defends against the latest attacks and threats. In addition, the administrator can define signatures as required to enhance the intrusion prevention function of the USG6000.

Low false positive rate
The false positive rate is an important metric of the accuracy of signatures and the quality of the signature database. False positives disrupt legitimate services and bury valuable information in noise, making it harder to isolate real attacks. False positives are usually caused by inaccurate signatures or detection mechanisms. Huawei has a host of security professionals and data sources to analyze samples, create signatures, and test for false positives, achieving a near-zero false positive rate. Because the false positive rate is extremely low, a large percentage of the signatures are enabled by default on the USG6000 to maximize protection without compromising legitimate services. Administrators do not need to comb through logs for false positives or to decide which signatures should be disabled.

Data Leakage Prevention

Data Leakage Prevention (DLP) prevents the leak of specified data or information assets. Leaks are a violation of the security regulations and policies imposed by enterprises on their networks.
The main purpose of DLP is to protect the key data of enterprises and individuals. DLP is implemented through a set of technologies that defend against data leaks of various kinds. The DLP function of the USG6000 prevents data leaks such as the following:

- Secret data is transmitted from the intranet to the extranet through network communication tools. Most data leaks of this kind are caused, intentionally or accidentally, by employees of the enterprise.
- Hackers from the extranet invade hosts on the intranet, obtain the permissions to control them, and may monitor their running status for a significant time.
- Hosts on the intranet are infected with viruses, Trojan horses, or other spyware, and the secret data stored on them is automatically searched for and spread by these malicious programs.
- Hackers listen to or intercept the communication between hosts on the intranet and those on the extranet.

To prevent data leaks, the USG6000 addresses the possible causes as follows:

Table 4-2 Data leakage prevention technology

Data leak channel: Through file transfer protocols such as HTTP and FTP, or network communication tools such as IM software
Technology: Application identification, file blocking, and data filtering
The USG6000 uses application identification to perform in-depth packet inspection on network communication applications and file transfer protocols and to identify the files and information carried inside the packets. Data filtering filters out files according to the keywords they contain, whereas file blocking filters out files according to file properties such as file type.

Data leak channel: Through e-mail texts or attachments
Technology: Mail filtering, file blocking, and data filtering
Mail filtering filters out mails according to the sender and receiver addresses and the size and number of attachments. File blocking filters out mails according to the types of attached files. Data filtering filters out mails according to keywords in the addresses, subjects, bodies, and names of attached files.

Data leak channel: Through hacker invasion
Technology: Intrusion prevention
The device monitors application-layer attacks and intrusions on the network, blocks intrusions from the extranet, and prevents data leaks from within. For details, see Intrusion Prevention System (IPS).

Data leak channel: Through hosts infected with viruses
Technology: Antivirus
The device scans for and identifies Trojan horses and other spyware to prevent the infection and spread of viruses with similar intentions. For details, see Antivirus.

Data leak channel: Through eavesdropping during normal data transmission between the intranet and extranet
Technology: VPN
The device uses VPN encryption to prevent network eavesdropping, tampering, forgery, and replay. For details, see 4.9 Diversified VPN Access Modes.

In addition to these proactive defense measures, the USG6000 monitors, manages, traces, and collects evidence of data leaks through application behavior audits.

The preceding technologies of the USG6000, together with the management of storage devices, file encryption, user authentication, and user authorization, provide end-to-end data protection and form a complete DLP solution.
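The following is an added example, not Huawei code, of how the three file-oriented techniques in Table 4-2 (file blocking by real type, data filtering by keyword, and antivirus signature matching) combine with the nested-archive handling described under Antivirus in 4.2, where ZIP and GZIP files are opened to at most three layers. The signature set (the EICAR test string only), the keyword list, the magic-byte table and the sample files are all constructed here; nothing is read from disk or the network, and the depth and size limits are assumptions for the example rather than the product's configuration.

```python
"""
Added example, not Huawei code: one content-inspection pass that combines the
three file-oriented DLP techniques from Table 4-2 (file blocking by real type,
data filtering by keyword, antivirus signature match) with the nested-archive
handling described under 4.2 Antivirus (ZIP/GZIP opened to at most 3 layers).
Signatures, keywords and sample files are constructed here.
"""
import gzip
import io
import zipfile

# Industry-standard harmless antivirus test string, assumed as the only "virus".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
VIRUS_SIGNATURES = {"EICAR-Test-File": EICAR}
DLP_KEYWORDS = [b"CONFIDENTIAL", b"INTERNAL ONLY"]     # constructed keyword list
MAX_DEPTH = 3                  # decompressable layers, as stated in 4.2 Antivirus
MAX_MEMBER = 16 * 1024 * 1024  # assumed cap: refuse to inflate members above 16 MiB (zip bombs)

# Magic bytes -> real type. Deliberately short; a product table is far larger.
MAGIC = [(b"PK\x03\x04", "zip"), (b"\x1f\x8b", "gzip"), (b"%PDF-", "pdf"), (b"MZ", "exe")]
EXPECTED_EXT = {"zip": {"zip", "docx", "xlsx"}, "gzip": {"gz", "tgz"},
                "pdf": {"pdf"}, "exe": {"exe", "dll"}}


def real_type(data):
    """Identify a file by its leading bytes, ignoring the name it was given."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def unpack(kind, name, data):
    """Yield (member name, member bytes or None when over the size cap) for one archive layer."""
    if kind == "gzip":
        inner = gzip.decompress(data)
        inner_name = name[:-3] if name.endswith(".gz") else name + ".unpacked"
        yield inner_name, (inner if len(inner) <= MAX_MEMBER else None)
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield name + "/" + info.filename, (zf.read(info) if info.file_size <= MAX_MEMBER else None)


def scan(name, data, depth=0):
    """Return [(finding, file name), ...] for a file and everything nested inside it."""
    findings = []
    kind = real_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if kind != "unknown" and ext not in EXPECTED_EXT[kind]:
        findings.append(("extension-mismatch:" + kind, name))   # file blocking by real type
    for sig_name, sig in VIRUS_SIGNATURES.items():
        if sig in data:
            findings.append(("virus:" + sig_name, name))         # antivirus
    for kw in DLP_KEYWORDS:
        if kw in data:
            findings.append(("keyword:" + kw.decode(), name))    # data filtering
    if kind in ("zip", "gzip"):
        if depth >= MAX_DEPTH:
            # Content past the depth limit is never inspected; report it so the
            # policy can block archives that cannot be fully scanned.
            findings.append(("depth-limit-not-scanned", name))
        else:
            for inner_name, inner in unpack(kind, name, data):
                if inner is None:
                    findings.append(("oversize-not-scanned", inner_name))
                else:
                    findings.extend(scan(inner_name, inner, depth + 1))
    return findings


def make_zip(members):
    """Build a deflated ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


def sample_findings():
    """Constructed samples: a 'docx' that is a ZIP holding a gzipped memo and an EXE named .pdf, and a 4-layer nest hiding EICAR."""
    memo_gz = gzip.compress(b"Q3 forecast - CONFIDENTIAL - do not forward")
    fake_pdf = b"MZ\x90\x00" + b"\x00" * 60
    inner = make_zip({"memo.txt.gz": memo_gz, "report.pdf": fake_pdf})
    outer = make_zip({"attachment.zip": inner})
    deep = make_zip({"a.zip": make_zip({"b.zip": make_zip({"c.zip": make_zip({"eicar.com": EICAR})})})})
    return {"outer": scan("attachment.docx", outer), "deep": scan("deep.zip", deep)}


if __name__ == "__main__":
    for label, result in sample_findings().items():
        print(label, result)
```

The second sample shows the edge the depth limit creates: the test string sits four archives deep, so the scanner never sees it and can only report that the innermost archive was not inspected. A policy that permits archives on the strength of a clean scan should treat that finding as a block, not as a pass.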

Web Security Defense

The development of cloud technology is driving the migration of more and more applications from the desktop to the Web. The Web has turned from a pure browsing service into a comprehensive platform that integrates services related to finance, social networking, music, video, and online games. This enrichment of web services brings various security threats. To avoid possible harm, a combination of technologies is needed to protect websites and control access to them.

Illegal and malicious websites are the most significant web-related problems. An illegal website is one that contains information, such as violence or pornography, that is considered illegal by local laws and regulations or by the management rules of the enterprise. Websites of this kind adversely affect social stability, lower work efficiency, and consume the bandwidth and resources of the intranet. A malicious website is one that hosts Trojan horses or phishing pages, implants Trojan horses into the hosts that visit it, initiates SQL injection and cross-site scripting attacks, exploits vulnerabilities in browsers or operating systems, or scams money from victims. Websites of this kind may cause significant loss to users or enterprises, and a prominent feature of them is that they cause this loss without the user's knowledge.

The USG6000 provides the following technologies to tackle web-related problems.

Table 4-3 Web security defense technology

Possible risk: Illegal website
Technology: URL filtering
URL filtering controls access to certain URLs. The administrator can define URL categories of their own and the corresponding actions, in addition to the URLs in the predefined URL category database of the USG6000.

Possible risk: Malicious website
Technology: Intrusion prevention, antivirus, and URL filtering
The intrusion prevention and antivirus functions monitor web access initiated by users in real time. Upon detecting a virus download or an intrusion, the device sends an alarm or blocks the access, protecting hosts on the intranet. In addition, the URL categories provided by the USG6000 contain a large number of known Trojan horse and phishing URLs. The device automatically looks up the URLs accessed by users in the URL category database and takes the configured action on the access.

To cope with dynamically changing URLs and their constant growth, Huawei tracks changes on the Internet and updates the URL category database continuously to enhance the URL filtering function. In addition, the administrator can deploy a local URL category query server that learns the complete URL categories from Huawei's query server; local USG6000s then perform URL queries against the local server. This deployment reduces bandwidth consumption, improves query speed, and keeps the query service available even when the USG6000 is disconnected from the Internet.

Application Behavior Control

Application behavior control over specific network behaviors on enterprise networks helps avoid security risks and improves management efficiency. The network is an indispensable platform and instrument for modern enterprises, but network abuse causes problems such as the following:

- Browsing and downloading non-work-related web content during working hours lowers work efficiency and wastes the enterprise's network resources.
- Outgoing transfer of text and files by employees may leak secret information from the enterprise.
- Posting inappropriate opinions that violate local laws and regulations or the enterprise's management policies causes significant loss to the corporate image or interests.

Application behavior control on the USG6000 monitors and controls network access behaviors, reduces the loss caused to corporate interests, and improves the work efficiency of enterprises. The controls are as follows:

HTTP behavior control
- Blocks operations such as message posting, form submission, and user login through HTTP POST.
- Blocks requests to browse certain web pages.
- Blocks network access through HTTP proxies.
- Alerts on or blocks file upload and download through HTTP according to the size of the uploaded or downloaded file.

FTP behavior control
- Alerts on or blocks file upload and download through FTP according to the size of the uploaded or downloaded file.
- Blocks file deletion through FTP.

Anti-Spam

The anti-spam function blocks junk mail according to the IP address of the sending mail server and the mail content. Any unsolicited mail sent to a user's inbox can be regarded as junk mail. The massive volume of junk mail today has the following adverse effects:

- Congests the mail server and lowers the performance of the entire network.
- Infringes on privacy, consumes inbox storage space, and wastes the time, effort, and money of receivers.
- Uses other people's addresses as the sender address, damaging the reputation of the actual owners of those addresses.
- Carries Trojan horses and viruses, and turns into a network attack when manipulated by hackers.
- Severely affects the credibility of an ISP. Hosts that frequently send junk mail are listed in international junk mail databases by their upstream ISP, after which they can no longer reach certain resources on the network. If an ISP does not build a comprehensive anti-spam mechanism, users who receive junk mail may turn to other ISPs.
- Spreads false, anti-social, and pornographic content, causing damage to society.

The USG6000 provides the following mail filtering mechanisms:

- Controls which mail servers are permitted through a locally defined blacklist and whitelist.
- Checks whether a mail server is one that usually forwards junk mail by querying a remote RBL server on the Internet. The RBL server provides a comprehensive and constantly updated list of mail servers that forward junk mail.
- Filters e-mails based on the sender, the subject, and keywords in the mail body.

4.3 Flexible User Management

IP addresses no longer reflect user identities, which poses a security risk. User-specific management delivers an effective solution to this issue.

In the initial phase of network development, an IP address was the unique identifier of a specific host on the network, and firewalls controlled traffic based on IP addresses. However, the spread of telecommuting, mobile offices, and wireless offices makes integrated management of IP addresses a demanding task. Furthermore, IP addresses are carried in packets in plain text and can easily be tampered with, so an increasing number of network frauds are carried out through IP spoofing.

The user-specific security measures implemented by the USG6000 resolve these issues. Users are required to enter a user name and password and pass authentication before they can access the network. The combination of user name and password represents the identity of a real user, and the policies configured on the device are user-specific, so resource authorization, security defense, and traffic management become more accurate.

Figure 4-3 User-specific policy deployment

The USG6000 integrates the storage and management of user information, user authentication, permission management, and traffic management as follows:

1. Storage and management of user information, such as user names and passwords
- You can create users and user groups on the USG6000. A maximum of three levels of organization are supported.
- You can manage users and user groups on a third-party authentication server and synchronize or import the data from the server to the USG6000. The supported authentication servers are AD, RADIUS, LDAP, HWTACACS, SecurID, and TSM.

2. User authentication
- Local authentication: You create and manage users on the device, and the USG6000 pushes the authentication page to browsers to authenticate users.
- Proxy authentication: You create and manage users on a third-party authentication server. The USG6000 acts as an agent that forwards authentication requests to the server and obtains the authentication results from it. You can configure policies for these users only after importing them from the authentication server to the USG6000.
- Real-time synchronization from the AD server: The USG6000 obtains the authentication result from the AD server after the server authenticates the user. No further authentication is required.
- Re-authentication of users who access the network through VPN tunnels, according to their access mode.

3. Permission control and traffic management
You can create or import the following policies:
- Security policy: controls network access permissions and provides content security.
- Bandwidth policy: controls the bandwidth used and the number of connections, and adjusts the forwarding priority of specific users' traffic.
- Policy-based routing: specifies the outgoing interface for user traffic.
- Audit policy: audits user online behavior.
4.4 Complete Security Functions Inherited from Traditional Firewalls

The USG6000 inherits the network-layer security functions of traditional firewalls. Although simple, these mechanisms are effective and sufficient to tackle threats at the network layer.

Packet Filtering

Packet filtering is one of the basic security functions of a firewall: it permits or denies packets based on configured conditions. On the USG6000 you can add the user and application fields to the packet filtering condition, so the administrator can filter rapidly based on who sent the traffic and which application it belongs to, rather than on addresses alone.

The USG6000 integrates packet filtering and content security into a single security policy configuration. Policies are configured and managed in one place, reducing administrative effort and improving network management efficiency.
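The following is an added example, not Huawei code, of first-match evaluation of security policies whose conditions carry the user and application fields described above, together with the check a policy reviewer wants: finding rules that are shadowed, that is, rules that can never match because an earlier rule already covers every flow they would. It assumes the flow has already been classified (application identified, source mapped to an authenticated user or group name); the zone, user and application names and the rule set are made up for the example.

```python
"""
Added example, not Huawei code: first-match security policy evaluation with
user and application fields, plus shadowed-rule detection. Assumes flows are
already classified; all names below are constructed.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    src_zone: str = ANY
    dst_zone: str = ANY
    users: frozenset = frozenset()    # empty set means any user
    apps: frozenset = frozenset()     # empty set means any application
    dst_ports: frozenset = frozenset()


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user: str        # identity returned by the authentication step (user or group)
    app: str         # result of application identification
    dst_port: int


def _zone_match(rule_zone, zone):
    return rule_zone == ANY or rule_zone == zone


def _set_match(rule_set, value):
    return not rule_set or value in rule_set


def match(rule, flow):
    return (_zone_match(rule.src_zone, flow.src_zone) and _zone_match(rule.dst_zone, flow.dst_zone)
            and _set_match(rule.users, flow.user) and _set_match(rule.apps, flow.app)
            and _set_match(rule.dst_ports, flow.dst_port))


def evaluate(policy, flow):
    """Return (action, rule name) of the first matching rule; unmatched flows are denied by default."""
    for rule in policy:
        if match(rule, flow):
            return rule.action, rule.name
    return "deny", "default"


def _covers(earlier, later):
    """True when every flow matched by `later` is also matched by `earlier`."""
    def zone_ok(a, b):
        return a == ANY or a == b

    def set_ok(a, b):
        return not a or (bool(b) and b <= a)
    return (zone_ok(earlier.src_zone, later.src_zone) and zone_ok(earlier.dst_zone, later.dst_zone)
            and set_ok(earlier.users, later.users) and set_ok(earlier.apps, later.apps)
            and set_ok(earlier.dst_ports, later.dst_ports))


def shadowed(policy):
    """Names of rules fully covered by a single earlier rule (shadowing by a combination of rules is not detected)."""
    return [later.name for i, later in enumerate(policy)
            if any(_covers(earlier, later) for earlier in policy[:i])]


# Constructed policy. "finance" and "ceo" stand for whatever the authentication step returns.
POLICY = [
    Rule("finance-erp", "permit", "trust", "dmz", users=frozenset({"finance"}), apps=frozenset({"erp"})),
    Rule("block-p2p", "deny", "trust", "untrust", apps=frozenset({"bittorrent"})),
    Rule("staff-web", "permit", "trust", "untrust", apps=frozenset({"http", "https"})),
    Rule("ceo-web", "permit", "trust", "untrust", users=frozenset({"ceo"}), apps=frozenset({"http"})),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Flow("trust", "untrust", "ceo", "http", 80)))   # matched by staff-web, never ceo-web
    print(shadowed(POLICY))
```

The last rule in the constructed policy is the case to notice: because staff-web already permits HTTP for every user, ceo-web can never be hit, and any logging or bandwidth treatment attached to it silently never applies. Running the shadow check whenever a policy is edited catches this before it reaches production.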

NAT

NAT changes the IP addresses of packets. In doing so it hides the intranet topology and conserves public IPv4 addresses. The NAT functions available on the USG6000 are as follows:

Source NAT
Address translation enables mutual access between the intranet (private IP addresses) and the extranet (public IP addresses). Through NAT, the device translates private IP addresses into public IP addresses, slowing down the exhaustion of public IPv4 addresses. The USG6000 can implement the translation in any of the following ways:
- One-to-one translation: assigns a public IP address to each host on the intranet.
- Many-to-one translation: multiple hosts share the same public IP address and are distinguished by port. This is also called Port Address Translation (PAT).
- Easy IP translation: multiple hosts share the public IP address of the network egress interface, again distinguished by port.

Server mapping
Although NAT hides the intranet topology and shields intranet hosts, certain hosts may need to act as web or FTP servers and provide services to extranet users. Through NAT, you can flexibly publish such intranet servers. When extranet users access an intranet server, the device operates as follows:
- It translates the destination IP address of the request packet to the private IP address of the intranet server.
- It translates the source IP address of the response packet back to the assigned public IP address.

NAT ALG
Certain multi-channel protocols use the control channel between the client and server to negotiate the IP addresses and ports of additional data channels while the session is in progress. Because these addresses and ports are assigned dynamically, no NAT policy can be configured for them in advance. The USG6000 must therefore inspect the control channel, recognize the negotiated addresses and ports, and open the corresponding translations and policies for them. This function is called NAT Application Level Gateway (NAT ALG).
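The following added example (not Huawei's code; all addresses and the port pool are hypothetical documentation values) models the three mechanisms just described in one table: many-to-one source NAT (PAT) that allocates a public port per session, a static server mapping that publishes an intranet web server, and an FTP ALG that rewrites the private address in an active-mode PORT command and pre-creates the session the server's data connection will need. The bounce check in the ALG (refusing a PORT command that names a host other than the control-channel peer) is an added hardening, not something the document claims.

```python
import re
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")   # one TCP/UDP endpoint pair


class Nat:
    """Many-to-one source NAT (PAT), static server mapping, and an FTP ALG
    that opens pinholes for negotiated data channels."""

    def __init__(self, public_ip, server_map, first_port=10240, last_port=65535):
        self.public_ip = public_ip
        self.server_map = dict(server_map)                # (pub_ip, pub_port) -> (priv_ip, priv_port)
        self.server_map_rev = {v: k for k, v in self.server_map.items()}
        self.out_sessions = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.in_sessions = {}    # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.next_port, self.last_port = first_port, last_port

    def _allocate_port(self):
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        self.next_port += 1
        return self.next_port - 1

    def outbound(self, pkt):
        """Intranet -> extranet: rewrite the source endpoint."""
        if (pkt.src, pkt.sport) in self.server_map_rev:   # reply from a published server
            pub_ip, pub_port = self.server_map_rev[(pkt.src, pkt.sport)]
            return Pkt(pub_ip, pub_port, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_sessions:
            port = self._allocate_port()
            self.out_sessions[key] = port
            self.in_sessions[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Pkt(self.public_ip, self.out_sessions[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Extranet -> intranet: rewrite the destination, or None to drop."""
        if pkt.dst != self.public_ip:
            return None
        if (pkt.dst, pkt.dport) in self.server_map:          # server mapping
            priv_ip, priv_port = self.server_map[(pkt.dst, pkt.dport)]
            return Pkt(pkt.src, pkt.sport, priv_ip, priv_port)
        session = self.in_sessions.get((pkt.dport, pkt.src, pkt.sport))
        if session is None:
            return None                                      # unsolicited: no session, no mapping
        return Pkt(pkt.src, pkt.sport, *session)

    # FTP ALG: "PORT h1,h2,h3,h4,p1,p2" carries a private address inside the payload.
    _PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

    def ftp_alg(self, line, client_ip, server_ip):
        """Rewrite an intranet client's PORT command and pre-create the session
        that the server's data connection (from TCP port 20) will use.
        Returns the rewritten line, or None to reject the command."""
        m = self._PORT_CMD.match(line)
        if not m:
            return line                                      # not a data-channel command
        h = [int(g) for g in m.groups()]
        priv_ip, priv_port = ".".join(map(str, h[:4])), h[4] * 256 + h[5]
        if priv_ip != client_ip or priv_port < 1024:
            return None          # FTP bounce attempt: address is not the control-channel peer
        pub_port = self._allocate_port()
        self.in_sessions[(pub_port, server_ip, 20)] = (priv_ip, priv_port)   # the pinhole
        return "PORT %s,%d,%d\r\n" % (self.public_ip.replace(".", ","),
                                      pub_port // 256, pub_port % 256)
```

The inbound table is keyed on the remote endpoint as well as the public port, so a packet from a different host to a port that happens to be in use is dropped rather than forwarded; the same rule makes the ALG pinhole usable only by the FTP server the command was sent to.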
The USG6000's advanced application identification, integrated with NAT ALG, lets it recognize the packets of common multi-channel protocols such as FTP, H.323, and PPTP.

Attack Defense

Defense against DDoS attacks
The USG6000 can detect DDoS attacks, prevent them by discarding the attack packets or taking other actions, and log the attack events. Currently, the USG6000 can prevent the following DDoS attacks:
- Non-application-layer DDoS attacks: SYN flood, UDP flood, ICMP flood, and ARP flood
- Application-layer DDoS attacks: HTTP flood, HTTPS flood, DNS flood, and SIP flood
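The following added example (not Huawei's code) implements the packet-discarding flood defense just described together with the scan detection and the automatic blacklisting rules described in the next two subsections: a per-destination SYN rate limit that drops SYNs above a threshold, a detector that blacklists a source touching too many distinct destination ports in a window, and a login monitor that blacklists a source after three consecutive failed logins (the page's rule; a success resets the count). The thresholds, window lengths and traffic are constructed for illustration.

```python
from collections import defaultdict, deque


class Blacklist:
    """Fast-path block list; entries record why they were added."""

    def __init__(self):
        self.entries = {}            # ip -> reason

    def add(self, ip, reason="manual"):
        self.entries.setdefault(ip, reason)

    def blocked(self, ip):
        return ip in self.entries


class LoginMonitor:
    """Blacklists a source after `limit` consecutive failed logins; success resets."""

    def __init__(self, blacklist, limit=3):
        self.blacklist, self.limit = blacklist, limit
        self.failures = defaultdict(int)

    def record(self, ip, success):
        if success:
            self.failures[ip] = 0
            return
        self.failures[ip] += 1
        if self.failures[ip] >= self.limit:
            self.blacklist.add(ip, "login-failures")


class ScanDetector:
    """Blacklists a source that touches more than `threshold` distinct
    destination (ip, port) pairs within `window` seconds."""

    def __init__(self, blacklist, threshold=20, window=10.0):
        self.blacklist, self.threshold, self.window = blacklist, threshold, window
        self.seen = defaultdict(deque)       # src -> deque of (ts, (dst, dport))

    def observe(self, ts, src, dst, dport):
        q = self.seen[src]
        while q and ts - q[0][0] > self.window:
            q.popleft()
        target = (dst, dport)
        if all(t != target for _, t in q):   # only distinct targets count
            q.append((ts, target))
        if len(q) > self.threshold:
            self.blacklist.add(src, "port-scan")


class SynFloodLimiter:
    """Per-destination SYN rate limit: SYNs above `threshold` per `window`
    seconds are dropped (the 'discard the attack packets' action)."""

    def __init__(self, threshold=100, window=1.0):
        self.threshold, self.window = threshold, window
        self.syns = defaultdict(deque)       # dst -> deque of timestamps

    def syn(self, ts, dst):
        q = self.syns[dst]
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            return "drop"
        q.append(ts)
        return "permit"


def run_scenario():
    """Constructed traffic exercising each path; returns the resulting verdicts."""
    bl = Blacklist()
    logins = LoginMonitor(bl)
    scans = ScanDetector(bl, threshold=20, window=10.0)
    syns = SynFloodLimiter(threshold=100, window=1.0)
    for ok in (False, False, True, False, False, False):   # 2 failures, reset, then 3
        logins.record("192.0.2.7", ok)
    for port in range(1, 26):                               # 25 distinct ports in 1 s
        scans.observe(0.04 * port, "198.51.100.9", "10.0.0.1", port)
    for _ in range(30):                                     # 30 hits on one port: not a scan
        scans.observe(1.0, "198.51.100.10", "10.0.0.1", 443)
    verdicts = [syns.syn(0.001 * i, "10.0.0.80") for i in range(150)]
    later = syns.syn(3.0, "10.0.0.80")                      # window has expired
    return {
        "login_blocked": bl.blocked("192.0.2.7"),
        "scanner_blocked": bl.blocked("198.51.100.9"),
        "repeat_blocked": bl.blocked("198.51.100.10"),
        "syn_permitted": verdicts.count("permit"),
        "syn_dropped": verdicts.count("drop"),
        "after_window": later,
        "reasons": dict(bl.entries),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The blacklist check is a dictionary lookup with no further condition, which is what makes it a cheap first stage in front of the full policy; the detectors feed it, and the reason string is what you would want to see in the log entry for the event.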

Scan attack defense
By scanning and sniffing, an attacker can learn roughly which services a target system provides and which vulnerabilities may be exploitable for further intrusion. The USG6000 detects such scanning and sniffing packets through comparison and analysis and blocks the source to prevent the attacks that would follow.

Malformed packet attack defense
The USG6000 checks packet validity to defend against attacks through malformed packets. Attacks of this type exploit defects in how software systems handle packets, using abnormal packets (runt and giant packets, special packets, and packets in abnormal formats) to crash intranet hosts or degrade their performance. Common malformed packet attacks include IP spoofing, IP fragment attacks, teardrop, smurf, ping of death, fraggle, WinNuke, Land, packets with illegal flag bits, and ARP spoofing.

Special packet attack defense
The USG6000 can defend against attacks that use giant ICMP packets, ICMP unreachable and ICMP redirect messages, network reconnaissance through tracert, and IP packets carrying the source route, record route, or timestamp options.

Blacklist and whitelist

Blacklist
Once a user, IP address, or port is blacklisted, packets to or from it are discarded. The USG6000 uses the blacklist to perform rapid packet filtering: the matching conditions are simple, so filtering is highly efficient, which makes the blacklist suitable against massive attacks from malicious users. Users or IP addresses are added to the blacklist as follows:
- Manually by administrators.
- Automatically after three consecutive failed login attempts.
- Automatically when a user or IP address keeps accessing different IP addresses or ports, which is treated as IP address or port scanning.
- Automatically when intrusion activity is detected.
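The following added example (not Huawei's code) implements validity checks for the malformed and special packets listed above and for the IP-MAC address binding described under the next heading: Land, smurf, fraggle, WinNuke, illegal TCP flag combinations, source-route, record-route and timestamp options, ping of death (reassembled size over 65535 bytes) and teardrop (overlapping fragments), plus spoofed sources that do not match their bound MAC address. The packet representation, the local networks and the bindings are constructed for illustration; a real implementation would parse these fields from the wire.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                        # "tcp" | "udp" | "icmp"
    src_mac: Optional[str] = None
    sport: int = 0
    dport: int = 0
    tcp_flags: Tuple[str, ...] = ()   # e.g. ("SYN",), ("SYN", "FIN")
    icmp_type: Optional[int] = None   # 8 = echo request
    ip_id: int = 0
    frag_offset: int = 0              # in 8-byte units, as on the wire
    more_frags: bool = False
    payload_len: int = 0              # bytes after the IP header
    ip_options: Tuple[str, ...] = ()  # e.g. ("LSRR",), ("SSRR",), ("RR",), ("TS",)


class PacketValidator:
    """Returns the first reason to drop a packet, or None if it passes."""

    def __init__(self, local_nets, ip_mac_bindings):
        self.local_nets = [ipaddress.ip_network(n) for n in local_nets]
        self.bindings = dict(ip_mac_bindings)       # ip -> expected source MAC
        self.fragments = {}                         # (src, dst, id) -> [(start, end), ...]

    def _is_broadcast(self, ip):
        a = ipaddress.ip_address(ip)
        return a == ipaddress.ip_address("255.255.255.255") or any(
            a == n.broadcast_address for n in self.local_nets)

    def check(self, p: Pkt):
        if p.src in self.bindings and p.src_mac != self.bindings[p.src]:
            return "ip-mac-binding mismatch (IP spoofing)"
        if p.src == p.dst and (p.proto != "tcp" or p.sport == p.dport):
            return "land"
        if any(o in ("LSRR", "SSRR") for o in p.ip_options):
            return "source-route option"
        if "RR" in p.ip_options or "TS" in p.ip_options:
            return "record-route/timestamp option"
        if p.proto == "tcp":
            f = set(p.tcp_flags)
            if {"SYN", "FIN"} <= f or not f or {"FIN", "PSH", "URG"} <= f:
                return "illegal tcp flags"
            if "URG" in f and p.dport == 139:
                return "winnuke"
        if p.proto == "icmp" and p.icmp_type == 8 and self._is_broadcast(p.dst):
            return "smurf"
        if p.proto == "udp" and self._is_broadcast(p.dst) and p.dport in (7, 19):
            return "fraggle"
        return self._check_fragment(p)

    def _check_fragment(self, p):
        if not p.more_frags and p.frag_offset == 0:
            return None                               # not fragmented
        start = p.frag_offset * 8
        end = start + p.payload_len
        if end > 65535:
            return "ping-of-death (reassembled size > 65535)"
        key = (p.src, p.dst, p.ip_id)
        for s, e in self.fragments.get(key, []):
            if start < e and s < end:                 # ranges overlap
                return "teardrop (overlapping fragment)"
        self.fragments.setdefault(key, []).append((start, end))
        return None
```

The fragment tracker is the stateful part: ping of death can be rejected from a single fragment's offset and length, but teardrop only shows up when a later fragment overlaps one already seen for the same (source, destination, IP ID), so the validator has to remember earlier fragments of the datagram.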
Whitelist
The whitelist is a list of trusted IP addresses. Addresses on the list are exempted from inspection.

IP-MAC Address Binding
Source IP addresses are easily forged because they are carried in IP packets in plain text. To prevent IP spoofing, the IP addresses of intranet hosts can be bound to their MAC addresses. The device then discards packets whose source IP address and source MAC address do not match a binding, and forwards only packets whose source IP address matches the bound MAC address.

4.5 Granular Traffic Management

Network services keep growing, but network bandwidth does not. Bandwidth usage must therefore be controlled so that low-priority services are held back and high-priority services get the bandwidth they need.

Common problems that administrators currently encounter are as follows:
- P2P applications consume most of the bandwidth.
- DDoS attacks make services unavailable to legitimate users.
- A stable bandwidth or number of connections cannot be guaranteed for certain special services.
- Overload traffic degrades device performance and user experience.
- A few users occupy most of the bandwidth, wasting resources and lowering work efficiency.

The following USG6000 traffic management technologies address these problems:
- Reduce P2P traffic by allocating bandwidth and connection counts based on IP address, user, application, and time.
- Limit the bandwidth of security zones or interfaces so that excessive traffic cannot degrade or paralyze servers and network devices.
- Set guaranteed and maximum bandwidths for applications to allocate bandwidth properly and keep special services available. The USG6000's advanced application identification makes this granular bandwidth management possible.
- Allocate a fixed online duration and traffic quota to specific users for reasonable bandwidth allocation and usage.

The USG6000 allocates bandwidth flexibly through bandwidth policies. Each bandwidth channel represents a bandwidth range or a connection-count range, and each bandwidth policy assigns a bandwidth channel to traffic of a specific type. If multiple bandwidth policies share one bandwidth channel, the traffic flows they define obtain bandwidth and connections by preemption, so that network resources are fully used. In addition, the maximum bandwidth per IP address or per user can be limited to keep global traffic flowing smoothly while preserving each user's network access experience.
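The following added example (not Huawei's code) models the bandwidth channel mechanism just described: every channel first receives up to its guaranteed bandwidth, the remaining link capacity is then preempted by channels with unmet demand up to each channel's maximum, flows inside a channel share its grant, each IP address is capped at a per-IP maximum, and a channel also limits the number of connections. The document does not say which sharing algorithm the USG6000 uses; max-min fairness is the choice made here, and the channel values and demands are hypothetical.

```python
def max_min_share(demands, capacity):
    """Max-min fair split of `capacity` among `demands` (name -> wanted amount):
    everyone gets an equal share until satisfied, leftover is redistributed."""
    alloc = {k: 0.0 for k in demands}
    remaining = dict(demands)
    capacity = float(capacity)
    while capacity > 1e-9 and remaining:
        share = capacity / len(remaining)
        for name in list(remaining):
            give = min(share, remaining[name])
            alloc[name] += give
            capacity -= give
            remaining[name] -= give
            if remaining[name] <= 1e-9:
                del remaining[name]
    return alloc


class BandwidthChannel:
    def __init__(self, guaranteed, maximum, max_conn, per_ip_max=None):
        self.guaranteed, self.maximum = guaranteed, maximum
        self.max_conn, self.per_ip_max = max_conn, per_ip_max
        self.conns = {}                      # ip -> current connection count

    def admit(self, ip, per_ip_conn=None):
        """Connection-count control: refuse a new connection when the channel
        total or the per-IP count would exceed its limit."""
        if sum(self.conns.values()) >= self.max_conn:
            return False
        if per_ip_conn is not None and self.conns.get(ip, 0) >= per_ip_conn:
            return False
        self.conns[ip] = self.conns.get(ip, 0) + 1
        return True


def allocate(link_capacity, channels, demands):
    """channels: name -> BandwidthChannel; demands: name -> {ip: wanted}.
    Returns name -> {ip: granted}, all in one unit (e.g. Mbit/s)."""
    if sum(c.guaranteed for c in channels.values()) > link_capacity:
        raise ValueError("guaranteed bandwidth oversubscribes the link")
    # 1. cap each flow at the per-IP maximum, then sum to the channel demand
    capped = {}
    for name, flows in demands.items():
        cap = channels[name].per_ip_max
        capped[name] = {ip: (min(w, cap) if cap is not None else w) for ip, w in flows.items()}
    want = {name: sum(f.values()) for name, f in capped.items()}
    # 2. every channel first receives up to its guaranteed bandwidth
    granted = {name: min(want[name], channels[name].guaranteed) for name in want}
    spare = link_capacity - sum(granted.values())
    # 3. the rest is preempted max-min fairly, each channel bounded by its maximum
    extra_want = {}
    for name in want:
        bounded = min(want[name], channels[name].maximum)
        if bounded > granted[name]:
            extra_want[name] = bounded - granted[name]
    for name, extra in max_min_share(extra_want, spare).items():
        granted[name] += extra
    # 4. inside each channel, flows share the channel's grant max-min fairly
    return {name: max_min_share(capped[name], granted[name]) for name in want}


if __name__ == "__main__":
    channels = {"voip": BandwidthChannel(20, 30, 100),
                "web": BandwidthChannel(30, 100, 1000, per_ip_max=50),
                "p2p": BandwidthChannel(0, 20, 200, per_ip_max=50)}
    print(allocate(100, channels, {"voip": {"10.0.0.9": 10},
                                   "web": {"10.0.0.1": 80, "10.0.0.2": 80},
                                   "p2p": {"10.0.0.3": 60}}))
```

In the constructed run the P2P channel has no guarantee and a 20 Mbit/s ceiling, so however much it demands it never takes more than 20, while the web channel picks up whatever voice traffic leaves unused; that is the "reduce P2P, keep special services available" behaviour from the list above expressed as numbers.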
If a bandwidth policy takes over a bandwidth channel exclusively, the traffic of the special services or hosts defined in that policy is not affected by other traffic flows. Such an exclusive channel ensures the availability of high-priority services.

4.6 Support for Various Routing and Switching Protocols

Switching Protocols

The USG6000 supports a wide range of routing and switching protocols, so that it can adapt to various network environments and deployment requirements. The USG6000 supports the following protocols.

Table 4-4 Switching protocols

Protocol: ARP
Address Resolution Protocol (ARP) maps an IP address to the corresponding MAC address. Each host or router on the intranet has a 32-bit IP address for communicating with other devices. The IP address is independent from the MAC address of the host. On Ethernet, a host or router sends and receives Ethernet frames using a 48-bit MAC address, also called a physical or hardware address, which is burned into the NIC during manufacturing. A mechanism for address resolution is therefore required to map between the two types of addresses.

Protocol: VLAN
Users can divide VLANs on the USG6000 as required to implement the following functions:
- Controlling the range of the broadcast domain: restricting the broadcast packets of the Local Area Network (LAN) to one VLAN reduces bandwidth consumption and improves network processing capability.
- Enhancing intranet security: because packets are isolated by broadcast domain at the data link layer, hosts in different VLANs cannot communicate directly with each other.
- Flexibly creating virtual workgroups: you can use VLANs to create virtual workgroups across physical networks.
Communication within a VLAN is not controlled by the access control policy; communication across VLANs is.

Protocol: PPP/PPPoE
Point-to-Point Protocol (PPP) is a link-layer protocol that carries network-layer packets over a point-to-point link. It supports user authentication and both synchronous and asynchronous transmission. PPP defines a set of protocols:
- Link Control Protocol (LCP): establishes, tears down, and monitors data links.
- Network Control Protocols (NCPs): negotiate the format and type of the network-layer packets carried on the link.
- Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP): authenticate the peer. PAP sends the user name and password in plain text, whereas CHAP sends a hashed response to a challenge, so the secret itself never crosses the link.
Point-to-Point Protocol over Ethernet (PPPoE) uses Ethernet to connect a large number of hosts and attaches that network to the Internet through a remote access device.
After PPPoE is configured, a PPP session with the remote device can be created to implement access control and accounting. The USG6000 can serve as a PPPoE server to which PPPoE clients connect over Ethernet, or as a PPPoE client that performs the dial-up itself.
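The following added example (not Huawei's code) contrasts the two PPP authentication protocols listed in Table 4-4 from the authenticator's side, as a PPPoE server would run them: PAP puts the password itself on the wire, while CHAP (RFC 1994, MD5 variant) sends a fresh random challenge and checks MD5(identifier || secret || challenge), with the challenge consumed after one use so a captured response cannot be replayed. The user table is a hypothetical local one; a deployment would normally consult RADIUS or HWTACACS instead.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (e.g. PPPoE server) side of CHAP over a hypothetical local user table."""

    def __init__(self, user_secrets):
        self.user_secrets = dict(user_secrets)
        self.pending = {}             # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)   # fresh, unpredictable challenge per attempt
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # single use: a replay finds no challenge
        secret = self.user_secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def pap_on_the_wire(name: str, password: bytes) -> bytes:
    """What a PAP Authenticate-Request carries: the password itself, unprotected."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password


def chap_exchange(auth: ChapAuthenticator, name: str, secret: bytes):
    """Run one CHAP exchange; returns (accepted, replay_of_same_response_accepted)."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)        # computed by the peer
    accepted = auth.verify(ident, name, resp)
    replayed = auth.verify(ident, name, resp)        # same response sent again
    return accepted, replayed


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": b"s3cret"})
    print("PAP bytes:", pap_on_the_wire("alice", b"s3cret"))
    print("CHAP alice:", chap_exchange(auth, "alice", b"s3cret"))
    print("CHAP wrong secret:", chap_exchange(auth, "alice", b"wrong"))
```

CHAP keeps the secret off the wire, but the authenticator still needs the clear-text secret to compute the expected response, and MD5 offers no protection against an attacker who captures a challenge/response pair and tries candidate passwords offline; CHAP is a replay defence, not a substitute for strong secrets.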

Static Route
The USG6000 supports static routes. Static routes are sufficient for simple, small networks, and their proper configuration improves network performance and reserves bandwidth for important applications. However, when a fault occurs or the topology changes, a static route cannot adapt automatically; the administrator must change it manually.

Dynamic Route

Protocol: RIP
The USG6000 supports the Routing Information Protocol (RIP) to guide packet forwarding. RIP is a simple interior gateway protocol based on the distance-vector algorithm and uses UDP port 520. RIP measures the distance to a destination in hop count: the hop count to a directly connected network is 0, the hop count to a network reachable through one other router is 1, and each additional router adds one. To bound convergence time, RIP limits the distance to the range 0 to 15; a hop count of 16 or more is defined as infinity, meaning the destination network or host is unreachable. Because of this limit, RIP cannot be used on large-scale networks. RIP allows the update interval and the maximum number of packets to be configured to improve performance, and supports split horizon and poison reverse to avoid routing loops.

Protocol: OSPF
Open Shortest Path First (OSPF) is a link-state interior gateway protocol developed by the Internet Engineering Task Force (IETF). Its features are as follows:
- Wide application scope: supports networks of various scales, up to hundreds of routers.
- Fast convergence: sends update packets immediately after the topology changes and synchronizes the new topology throughout the autonomous system.
- Loop free: computes routes from a shortest-path tree built from the collected link states, which avoids routing loops.
- Area division: allows the autonomous system to be divided into areas. Routing information exchanged between areas is abstracted, which reduces bandwidth usage.
- Equal-Cost Multipath (ECMP): supports multiple equal-cost routes to the same destination.
- Routing hierarchy: routes are classified as intra-area, inter-area, type 1 external, and type 2 external routes.

- Authentication: supports packet authentication on interfaces, which protects the integrity of protocol packet exchange.
- Multicast sending: sends protocol packets to multicast addresses on certain link types, reducing bandwidth waste.
OSPF applies to medium and large networks.

Protocol: BGP
Border Gateway Protocol (BGP) is a dynamic routing protocol used between autonomous systems. It exchanges loop-free routing information (reachability information carrying the AS path attribute) between autonomous systems to build an AS-level topology, eliminate routing loops, and implement user-defined routing policies. Unlike an Interior Gateway Protocol (IGP) such as OSPF or RIP, which operates within one autonomous system, BGP is an Exterior Gateway Protocol (EGP) and can be used between ISPs. BGP focuses on controlling route distribution and selecting optimal routes rather than on discovering and computing routes.

Protocol: IS-IS
Intermediate System to Intermediate System (IS-IS) is a dynamic routing protocol defined by the International Organization for Standardization (ISO) for its Connectionless Network Protocol (CLNP). To support IP routing, the IETF extended and modified IS-IS in RFC 1195 so that it can be used in both TCP/IP and OSI environments; the extended protocol is called Integrated IS-IS or Dual IS-IS. IS-IS is an IGP, usually run within one autonomous system. It is a link-state protocol that computes routes with the Shortest Path First (SPF) algorithm and is the protocol most similar to OSPF.

Routing Policy
A routing policy modifies routing information to change the path that traffic takes, including routing attributes such as reachability. When advertising or receiving routing information, the USG6000 applies policies to filter it; for example, it receives or advertises only routes that meet specified conditions.
In addition, a routing protocol may need to import routes discovered by other routing protocols. Imported routes must meet certain conditions, and certain attributes of the imported routes must be set so that they meet the requirements of the importing protocol. The USG6000 provides the following seven filters for routing protocols to reference:
- Access control list (ACL)
- Address prefix list
- AS path filter
- Community filter
- Extended community list
- RD attribute list
- Route-policy

Multicast
Multicast offers point-to-multipoint delivery with minimal bandwidth consumption. IP multicast suits real-time services such as live online broadcast, network TV, remote education, remote medical care, network TV stations, and real-time video and audio conferencing.

4.7 Intelligent Route Selection Policy

The USG6000 has multiple egress links and can dynamically select the outbound interface based on intelligent route selection policies. This ensures that traffic is forwarded according to preset policies, increases link utilization, and improves users' Internet access experience.

As shown in Figure 4-4, the USG6000 is deployed as the gateway at the egress of an enterprise network. Users in the enterprise access Internet resources through the ISP1 and ISP2 links, and Internet users access enterprise resources over the ISP1 and ISP2 networks.

Figure 4-4 Intelligent uplink selection networking

Conventionally, routes direct traffic based on destination addresses alone. As network services become more complex and traffic patterns change constantly, destination-based forwarding can no longer meet requirements. The USG6000 provides multiple route selection policies for different application scenarios: it analyzes traffic attributes and real-time link status to select the optimal outbound interface.

Smart DNS
When the enterprise network hosts its own DNS servers, the USG6000 answers DNS requests arriving from different ISPs intelligently, so that the address a user obtains belongs to the same ISP network as the user. The user then accesses, with that address as the destination, the web server that the enterprise provides for that ISP. Because the access does not traverse another ISP's network, latency is minimal and the service experience is optimal. As shown by the red curve in Figure 4-4, before ISP1 users access the enterprise website, the DNS server on the enterprise network must resolve the IP address. With smart DNS, the USG6000 returns the address in the ISP1 network to ISP1 users and, similarly, the address in the ISP2 network to ISP2 users.

DNS Transparent Proxy
The USG6000 can change the destination address of DNS requests from certain intranet users to the address of a DNS server in a different ISP network. Because the DNS requests are forwarded to different ISPs, the resolved web server addresses belong to different ISPs, so Internet access traffic is spread across the ISP links, preventing congestion and improving link utilization. As shown by the blue curve in Figure 4-4, when an intranet user accesses an Internet website, the user needs the address resolved by the Internet DNS server. For example, the client is configured with the IP address of the ISP2 DNS server. With DNS transparent proxy, the USG6000 analyzes the real-time link status and changes the destination address of the DNS request to the ISP1 DNS server, so the user then accesses web server 1 in the ISP1 network instead of web server 2 in the ISP2 network.

Policy-Based Routing
With PBR, routes are selected based on user-defined policies rather than the routing table. PBR makes forwarding decisions on more attributes, such as application, service, user, inbound interface, source security zone, source and destination IP address, and time range. As shown by the green and orange curves in Figure 4-4, PBR selects routes by application and service, so that P2P traffic is forwarded over the ISP1 link while /database service traffic is forwarded over the ISP2 link. The USG6000 supports PBR with a single outbound interface or with multiple outbound interfaces. With multiple outbound interfaces, intelligent uplink selection can be based on link bandwidth, weight, quality, or priority:
- Load balancing by link bandwidth: the NGFW distributes traffic across links in proportion to their bandwidth. This mode maximizes link bandwidth efficiency.
- Load balancing by link weight: the NGFW distributes traffic across links in proportion to their configured weights. This mode controls the share of traffic each link carries and can steer more traffic to particular links, making the best use of all link resources and the enterprise's interests while improving user experience.
- Active/standby backup by link priority: the NGFW preferentially uses the link with the highest priority and keeps the other links as backup or load-balancing links. This mode improves forwarding availability and user experience.
- Load balancing by link quality: the NGFW tunes traffic distribution dynamically based on the measured transmission quality of each link. Packet loss ratio, delay, and/or jitter can be used to evaluate link quality and select the best link for forwarding.

Global Route Selection Policy
The global route selection policy is based on equal-cost default routes. If the USG6000 has multiple links to a destination, it selects one intelligently based on link bandwidth, weight, or priority. The mechanism is the same as for intelligent uplink selection based on PBR.
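The following added example (not Huawei's code) ties together the pieces of Section 4.7: an ISP address library with longest-prefix lookup, a smart DNS answer that returns the server address in the client's own ISP, the four multi-link selection modes (bandwidth, weight, priority, quality), a DNS transparent proxy that sends the request to the resolver of the chosen link, and a link health check that removes a link after consecutive failed probes. The prefixes, link parameters and resolver addresses are hypothetical, and the flow hash passed in would normally be derived from the packet 5-tuple so that one flow always takes the same link.

```python
import ipaddress
from dataclasses import dataclass


class IspAddressLibrary:
    """Maps an IP address to the ISP that owns it (longest-prefix match)."""

    def __init__(self, entries):
        self.nets = sorted(((ipaddress.ip_network(n), isp) for n, isp in entries),
                           key=lambda e: e[0].prefixlen, reverse=True)

    def isp_of(self, ip):
        a = ipaddress.ip_address(ip)
        for net, isp in self.nets:
            if a in net:
                return isp
        return None


def smart_dns_answer(library, client_ip, records, default_isp):
    """Smart DNS: answer with the server address in the client's own ISP,
    falling back to the default ISP's address for clients of unknown origin."""
    isp = library.isp_of(client_ip)
    return records.get(isp, records[default_isp])


@dataclass
class Link:
    name: str
    bandwidth: int          # Mbit/s
    weight: int
    priority: int           # larger = preferred in active/standby mode
    loss_pct: float
    delay_ms: float
    jitter_ms: float
    dns_server: str         # this ISP's resolver, used by DNS transparent proxy
    healthy: bool = True
    failed_probes: int = 0


def update_health(link, probe_ok, fail_threshold=3):
    """Link health check: N consecutive failed probes take the link out of
    service; one successful probe brings it back."""
    link.failed_probes = 0 if probe_ok else link.failed_probes + 1
    link.healthy = link.failed_probes < fail_threshold
    return link.healthy


def _weighted_pick(links, weight_of, flow_hash):
    """Bucket the flow hash over cumulative weights: deterministic per flow,
    proportional across flows."""
    total = sum(weight_of(l) for l in links)
    point = flow_hash % total
    for l in links:
        point -= weight_of(l)
        if point < 0:
            return l
    return links[-1]


def select_link(mode, links, flow_hash=0):
    """Intelligent uplink selection over the healthy links only."""
    up = [l for l in links if l.healthy]
    if not up:
        return None
    if mode == "bandwidth":
        return _weighted_pick(up, lambda l: l.bandwidth, flow_hash)
    if mode == "weight":
        return _weighted_pick(up, lambda l: l.weight, flow_hash)
    if mode == "priority":
        return max(up, key=lambda l: l.priority)
    if mode == "quality":      # lower is better; weighting of the three metrics is arbitrary
        return min(up, key=lambda l: l.loss_pct * 10 + l.delay_ms + l.jitter_ms)
    raise ValueError("unknown mode %r" % mode)


def dns_transparent_proxy(mode, links, flow_hash=0):
    """Rewrite the DNS request destination to the resolver of the link the
    policy chooses, so the answer belongs to the ISP that will carry the traffic."""
    link = select_link(mode, links, flow_hash)
    return None if link is None else link.dns_server
```

The health check deliberately feeds into every mode through the `healthy` filter rather than into each mode separately, which is what lets it "work with" PBR uplink selection, the global policy and ISP-library selection alike; note that a single lost probe does not flap the link, only the configured run of consecutive failures does.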

ISP Address Library Link Selection
The USG6000 forwards traffic through the outbound interface that corresponds to the ISP of the destination address, so that traffic stays within one ISP network and web access latency is reduced.

Link Health Check
Link health check probes link availability and adjusts traffic distribution according to the probe results to guarantee service quality. It can work with PBR intelligent uplink selection, the global route selection policy, or ISP address library link selection. With link health check enabled, the USG6000 monitors the health of each link and adjusts forwarding so that only healthy links carry traffic, which ensures access stability and reliability.

4.8 Support for IPv6

The USG6000 supports Internet Protocol version 6 (IPv6) and multiple IPv6 networking modes to secure IPv6 networks effectively. IPv6, the new version of the network-layer protocol, is a suite of standards defined by the Internet Engineering Task Force (IETF). An IPv6 address has 128 bits, which resolves the shortage of IP addresses. In addition, IPv6 reduces the number of routing entries on routing devices, improving packet forwarding rates.

Two types of IPv6 technology are involved in building IPv6 networks:
- Technology for communication between IPv6 hosts, called IPv6 basic technology
- Technology for communication between IPv6 hosts and IPv4 hosts during the transition from IPv4 to IPv6, called IPv6 transition technology

Table 4-5 and Table 4-6 respectively show the IPv6 basic technologies and IPv6 transition technologies supported by the USG6000.

Table 4-5 IPv6 basic technologies

Technology: IPv6 address
Supports both the IPv4 and IPv6 protocol stacks, parses IPv6 packet headers, and forwards packets based on IPv6 addresses. Supports both manual and automatic configuration of IPv6 addresses, and IPv6 neighbor discovery.
Supports related technologies such as ICMPv6, DNSv6, DHCPv6, and PPPoEv6.

Technology: IPv6 routing
Supports IPv6 static routing, policy-based routing (PBR), and routing policies for adjusting routing tables flexibly.

Supports RIP next generation (RIPng). RIPng is RIP-2 for IPv4 extended and modified for use on IPv6 networks.

Most RIP concepts also apply to RIPng. RIPng uses UDP port 521 to exchange routing information and uses the hop count to measure the distance (metric or cost) to a destination.

Supports OSPFv3. OSPFv3 (OSPF version 3) supports IPv6 and complies with RFC 2740 (OSPF for IPv6). Most OSPF concepts also apply to OSPFv3. OSPFv3 and OSPFv2 are alike in the following aspects:
- 32-bit Router ID, Area ID, and LSA Link State ID
- Same packet types: Hello, DD, LSR, LSU, and LSAck packets
- Same neighbor discovery and adjacency formation mechanisms
- Same LSA flooding and aging mechanisms
- Essentially the same LSA types
OSPFv3 differs from OSPFv2 in the following respects:
- OSPFv3 runs per link, whereas OSPFv2 runs per network (subnet).
- OSPFv3 can run multiple instances on one link.
- The OSPFv3 topology is independent of IPv6 address prefixes.
- OSPFv3 uses IPv6 link-local addresses to identify adjacent neighbors.
- OSPFv3 adds three LSA flooding scopes (link-local, area, and AS).

Supports BGP4+. BGP4+, developed from BGP, is a dynamic routing protocol used between Autonomous Systems (ASs). Traditional BGP-4 manages only IPv4 routing information, so other network-layer protocols (such as IPv6) were limited in how their routes could be spread across ASs. To support multiple network-layer protocols, the IETF extended BGP-4 into BGP4+. The current standard for BGP4+ is RFC 2858 (Multiprotocol Extensions for BGP-4). In BGP4+, the Next-Hop attribute is an IPv6 address, which can be a global unicast address or a link-local address of the next hop. BGP4+ inherits the message and routing mechanisms of BGP.

Supports IS-IS for IPv6.
The IETF draft draft-ietf-isis-ipv6-05.txt defines IS-IS support for IPv6: two Type-Length-Values (TLVs) carrying IPv6 routing information and one Network Layer Protocol Identifier (NLPID).

Table 4-6 IPv6 transition technologies

Technology: IPv6 over IPv4 tunnel
Enables two IPv6 islands separated by an IPv4 network to communicate. In the early phase of IPv6 deployment, IPv6 networks are isolated by IPv4 networks and must communicate across them. IPv6 over IPv4 tunnels are therefore established between border devices of the IPv4 and IPv6 networks to carry IPv6 packets over the IPv4 network.

Technology: IPv4 over IPv6 tunnel
Enables two IPv4 islands separated by an IPv6 network to communicate. In the later phase of IPv6 deployment, IPv6 networks dominate and IPv4 networks are isolated by them. IPv4 over IPv6 tunnels are therefore established between border devices of the IPv4 and IPv6 networks to carry IPv4 packets over the IPv6 network.

Technology: NAT64
Translates between IPv4 and IPv6 addresses so that IPv4 and IPv6 hosts can communicate on coexisting IPv4 and IPv6 networks. For example, the source and destination addresses of a packet from an IPv6 host to an IPv4 host are translated to specified IPv4 addresses so that the packet can be transmitted on the IPv4 network; the source and destination addresses of the reply from the IPv4 host are translated back to the corresponding IPv6 addresses so that the IPv6 host can receive it.

In addition to technologies for building IPv6 networks, the USG6000 provides functions for securing them. It supports security policies based on IPv6 addresses and performs packet filtering and content security checks on IPv6 traffic. The functions and protection are the same as for IPv4 networks.

4.9 Diversified VPN Access Modes

A virtual private network (VPN) is a low-cost way to secure private communication across public networks and plays an important role in modern enterprise networks. The USG6000 supports multiple VPN technologies.

L2TP
The USG6000 establishes a virtual private dial network (VPDN) using the Layer 2 Tunneling Protocol (L2TP). It implements the virtual private network over the dial-up facilities of public networks, such as the Integrated Services Digital Network (ISDN) and the public switched telephone network (PSTN), to provide access services for enterprises, small Internet service providers (ISPs), and mobile workers. L2TP itself provides tunneling and user authentication but no encryption; where confidentiality is required it is combined with IPSec (L2TP over IPSec, see below).

NAS-Initialized
A remote dial-up user initiates communication with the headquarters. The user dials in to the L2TP access concentrator (LAC) over PSTN or ISDN, and the LAC then initiates a tunnel to the L2TP network server (LNS) over the Internet. The LNS assigns an IP address to the dial-up user. Authentication and accounting can be performed by a proxy on the LAC or by the LNS. Figure 4-5 shows the typical deployment.

Figure 4-5 NAS-initialized L2TP

Client-Initialized
An LAC client (a PC that supports L2TP) initiates communication with the headquarters. The LAC client initiates the tunnel to the LNS directly, without a separate LAC. The LNS assigns an IP address to the LAC client. Figure 4-6 shows the typical deployment.

Figure 4-6 Client-initialized L2TP

LAC-Initiated
The administrator can run a command to establish a permanent L2TP connection between the LAC and the LNS. The LAC establishes a permanent L2TP tunnel to the LNS through a virtual template interface using a local user name. In this case the L2TP tunnel resembles a physical connection, with the virtual template interface as the outbound interface. The connection between the user and the LAC can be any IP connection, so the LAC can forward the user's IP packets to the LNS. Figure 4-7 shows the typical deployment.

Figure 4-7 LAC-initiated L2TP

IPSec
The IP Security (IPSec) protocol suite, defined by the Internet Engineering Task Force (IETF), provides high-quality, interoperable, cryptography-based protection for IP packets. Encryption and source authentication ensure the confidentiality, integrity, and authenticity of packets transmitted over the network and prevent replay attacks.

Through the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols, the USG6000 protects IP packets or upper-layer protocols in both transport mode and tunnel mode. Note that AH provides integrity and origin authentication only; for confidentiality, ESP must be used.

The USG6000 also supports IPSec tunnel negotiation using IKEv2. IKEv2 retains the basic functions of IKEv1 and resolves problems found in IKE over time; it is a trade-off between conciseness, efficiency, security, and robustness. The RFC documents about IKE are consolidated into a single RFC. By minimizing the core functions and the set of default cryptographic algorithms, IKEv2 greatly improves interoperability among different IPSec VPN systems.

Using IPSec, the USG6000 provides highly reliable secure transmission tunnels, and can combine IPSec with L2TP and GRE to build L2TP over IPSec and GRE over IPSec VPNs.

GRE
The USG6000 can encapsulate the packets of certain network-layer protocols using Generic Routing Encapsulation (GRE), so that the encapsulated packets are carried by another network-layer protocol. GRE is a Layer 3 tunneling protocol. A tunnel is a virtual point-to-point connection: the tunnel interface can be regarded as a virtual interface that supports only point-to-point connections and provides the path through which encapsulated packets travel. GRE encapsulates packets at one end of the tunnel and decapsulates them at the other. GRE itself provides neither encryption nor authentication, which is why it is typically combined with IPSec (GRE over IPSec).

DSVPN
Dynamic Smart Virtual Private Network (DSVPN) addresses the problem of branches whose public IP addresses change dynamically: it enables such branches to establish VPN tunnels for communication in a hub-spoke network. Figure 4-8 shows a DSVPN network.
On this network, when a source spoke (tunnel initiator) needs to send traffic to a destination spoke (tunnel responder), the source spoke uses NHRP to obtain the public IP address of the destination spoke and then establishes a dynamic MGRE tunnel with it. Once the tunnel is up, the spokes forward traffic to each other directly over the new MGRE tunnel. Because MGRE tunnels are established between network nodes on demand, you only need to configure one point-to-multipoint MGRE tunnel interface on each VPN gateway to establish tunnels between all the VPN gateways.
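The following added example (not Huawei's code) shows the part of the IPSec ESP protection described above that is easiest to get wrong in an implementation: the anti-replay sliding window (RFC 4303, section 3.4.3) combined with the integrity check value (ICV). The receiver runs the cheap window check first, verifies the ICV second, and only then advances the window, so a forged packet with a fresh sequence number cannot move the window and a captured packet cannot be replayed. The ICV is HMAC-SHA-256 truncated to 128 bits, as the AUTH_HMAC_SHA2_256_128 transform does; encryption of the payload is omitted to keep the replay logic in focus, and the SPI, key and payloads are constructed.

```python
import hashlib
import hmac
import struct


class ReplayWindow:
    """ESP anti-replay sliding window: a bitmap of the last `size` sequence
    numbers relative to the highest one accepted so far."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set  <=>  sequence (top - i) already seen

    def check(self, seq):
        """Return None if seq is acceptable, else the reason to drop it."""
        if seq == 0:
            return "invalid"              # ESP sequence numbers start at 1
        if seq > self.top:
            return None                   # right of the window: new
        if self.top - seq >= self.size:
            return "stale"                # fell off the left edge of the window
        if (self.bitmap >> (self.top - seq)) & 1:
            return "replay"
        return None

    def update(self, seq):
        """Advance the window. Call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def compute_icv(key, spi, seq, payload):
    """HMAC-SHA-256 over SPI || sequence || payload, truncated to 128 bits."""
    return hmac.new(key, struct.pack("!II", spi, seq) + payload, hashlib.sha256).digest()[:16]


class EspSender:
    def __init__(self, spi, key):
        self.spi, self.key, self.seq = spi, key, 0

    def send(self, payload):
        self.seq += 1
        return (self.spi, self.seq, payload, compute_icv(self.key, self.spi, self.seq, payload))


class EspReceiver:
    def __init__(self, spi, key, window=64):
        self.spi, self.key, self.window = spi, key, ReplayWindow(window)

    def receive(self, packet):
        spi, seq, payload, icv = packet
        if spi != self.spi:
            return "unknown-spi"
        reason = self.window.check(seq)          # cheap check before any crypto
        if reason:
            return reason
        if not hmac.compare_digest(icv, compute_icv(self.key, spi, seq, payload)):
            return "bad-icv"                     # forged or tampered: window untouched
        self.window.update(seq)
        return "accept"


if __name__ == "__main__":
    key = b"k" * 32
    tx, rx = EspSender(0x1001, key), EspReceiver(0x1001, key)
    p1, p2 = tx.send(b"first"), tx.send(b"second")
    print(rx.receive(p1), rx.receive(p2), rx.receive(p2))   # accept accept replay
```

The window tolerates reordering (a packet slightly behind the highest accepted sequence is still accepted once) while rejecting duplicates and anything older than the window; if the ICV check came before the window check, an attacker could make the receiver do an HMAC per replayed packet, which is exactly the cost the window is there to avoid.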

Figure 4-8 Hub-spoke DSVPN network

SSL VPN

Virtual gateway
On the USG6000, the access channel established by SSL VPN is a virtual gateway, through which the USG6000 provides SSL VPN services. Using virtual gateway technology, one physical USG6000 functions as multiple logically independent gateways to serve multiple enterprises or multiple departments of one enterprise. For example, a large enterprise has several departments, each with its own employees; the resources and services accessible to each department differ, and each department has its own access control rules. The administrator can assign one virtual gateway to each department. Each virtual gateway is then managed individually and has its own users, resources, and policies, functioning as a standalone access system that is as efficient and secure for that department as a standalone physical gateway.

Virtual gateways are classified by IP address and domain name into exclusive and shared gateways. An exclusive virtual gateway occupies one or more IP addresses and domain names. A shared virtual gateway shares one IP address with other virtual gateways; these shared gateways have the same parent domain name and are distinguished by their sub-domain names.

Web proxy
A web proxy relays communication between clients on the Internet and a web server on the intranet, shielding the server from direct attack. The web proxy function of the USG6000 lets users securely access intranet web resources, including webmail and web servers. The web proxy forwards the access request (carried over HTTPS) from the remote browser to the intranet web server and relays the server's replies back to the user. Users can access web resources after installing the related control from the web page of the USG6000 virtual gateway.

Network extension

The network extension function enables access to all IP-based services on the intranet by setting up Secure Sockets Layer (SSL) tunnels. Users can access intranet resources remotely just as if they were on the LAN. The network extension function applies to a wide range of complex services. To use it, users must log in to the client of the USG6000 and install the ActiveX control or download and install the network extension client software. The network extension function supports three access modes:

Full tunnel: Users connect only to the USG6000 and can access only the intranet.
Split tunnel: Users can remotely access the intranet through the USG6000 and also access the local subnets.
Manual tunnel: Users can access specific resources on the intranet, the local subnet, and resources on the Internet.

BGP/MPLS IP VPN

The BGP/MPLS IP VPN is a PE-based L3VPN technology of the Provider Provisioned VPN (PPVPN) family. It employs BGP to advertise VPN routes and MPLS to forward VPN packets on the backbone networks of service providers. BGP/MPLS IP VPN provides flexible, scalable networking and supports MPLS QoS, so it is increasingly employed by applications.

High Availability Mechanism

The proper working of networks directly affects the revenue of enterprises, especially those that rely on the network to provide online information, online gaming, and e-commerce services. Ensuring the stability and high availability of network devices is therefore critical for such enterprises. Drawing on its long-term design and production experience with carrier-class products, Huawei has developed a carrier-class high availability mechanism for the USG6000 that ensures stable operation of the device in the hardware, software, and link dimensions, as shown in Figure 4-9.

Figure 4-9 High availability mechanism

Hardware Availability

Hardware availability means that the hardware is designed to ensure the stable running of devices and to avoid adverse effects of hardware anomalies on the devices.

Table 4-7 Hardware availability technologies

Dual-power backup: The USG6000 provides two power modules which supply power at the same time. If one power module fails, the other one takes over to ensure service continuity.
Hardware bypass: When the device is faulty or powered off, the interfaces are directly connected to each other using a dedicated bypass interface card to ensure service continuity.
Fan: The fan avoids overheating problems caused by ventilation issues and dust buildup. Clean the fan periodically to ensure proper operation of the USG6000. You do not need to power off the USG6000 to clean the fan.

Software Availability

Software availability means that good software design, timely fault detection, and automatic adjustment measures are implemented to avoid adverse effects on devices because of network anomalies and to ensure service continuity upon hardware failures.

Table 4-8 Software availability technologies

Dual-system hot backup: Two USG6000s are deployed in dual-system hot backup networking to ensure a smooth service switchover to the other device when a fault occurs on one device. Apart from hardware backup, dual-system hot backup employs a series of software availability protocols, such as VRRP, VGMP, and HRP. The two physical USG6000s form one logical device on the dual-system hot backup network. The logical device then detects faults, switches services, and backs up configurations automatically without affecting the configurations of upstream and downstream devices. The active and standby USG6000s switch services upon faults to ensure service continuity.
Load balancing: When one server cannot process the access requests of users, multiple servers can share the network traffic. In this case, deploy the USG6000 at the egress of the network where the servers reside. Users access only one IP address; the USG6000 distributes the access traffic to the multiple servers according to the configured algorithm. In addition, the USG6000 checks the health of the servers and enables them to share the load to improve availability.

Link Availability

Link availability means that a device can detect faults on one link and adjust routing and forwarding accordingly to switch traffic to alternative links.

Table 4-9 Link availability technologies

IP-Link: The device tests IP connectivity to any IP address on the network in real time. If an IP address becomes unreachable, the device considers the link faulty and adjusts the routes or switches the active/standby device to move service traffic to the healthy backup link.
BFD: Bidirectional Forwarding Detection (BFD) is a low-overhead, rapid fault detection mechanism that implements millisecond-level link fault detection. Bidirectional detection and small detection packets enable BFD to detect faults rapidly without consuming many network resources.
Link-group: A link-group binds several physical interfaces into one logical group. If one interface in the logical group is faulty, the system changes the status of the other interfaces to Down. The system changes the status of all the interfaces back to Up only after all the interfaces in the link group recover. In this way, the system switches the status of multiple links in a unified manner to ensure that service traffic is forwarded to the healthy link in a timely manner.
Interface backup: Two physical interfaces back up each other. The backup interface automatically forwards traffic based on the connection status of the active interface and bandwidth usage, achieving interface backup or load balancing.
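The link-group rule in Table 4-9 (any member failure takes the whole group Down; the group returns to Up only once every member has recovered) is easy to get wrong when implemented per interface, so here it is as an added model (not code from the page or from Huawei) with a primary and a backup group and a forwarder that picks the active one. Class names, interface names and the primary/backup arrangement are assumptions constructed for the demo; physical state changes stand in for what IP-Link or BFD detection would report.

```python
"""Link-group switching as described in Table 4-9. Added illustration, not
Huawei code: class names, interface names and the primary/backup pairing are
assumptions constructed for the demo."""
from typing import Dict, List, Tuple


class LinkGroup:
    """Several physical interfaces bound into one logical group."""

    def __init__(self, name: str, members: List[str]) -> None:
        self.name = name
        self.physical: Dict[str, bool] = {m: True for m in members}

    def report(self, iface: str, up: bool) -> None:
        # Physical state as reported by a detection mechanism (IP-Link, BFD, ...).
        if iface not in self.physical:
            raise KeyError(f"{iface} is not a member of {self.name}")
        self.physical[iface] = up

    def is_up(self) -> bool:
        # Logical state: Up only when every member is physically Up.
        return all(self.physical.values())

    def logical_status(self) -> Dict[str, str]:
        # Every member shows the same logical status, so healthy members are
        # forced Down together with the failed one and come back together.
        state = "Up" if self.is_up() else "Down"
        return {m: state for m in self.physical}


class Forwarder:
    """Chooses the link group that carries service traffic and logs transitions."""

    def __init__(self, primary: LinkGroup, backup: LinkGroup) -> None:
        self.primary, self.backup = primary, backup
        self.transitions: List[Tuple[str, str]] = []   # (event, active group)

    def active_group(self) -> str:
        if self.primary.is_up():
            return self.primary.name
        if self.backup.is_up():
            return self.backup.name
        return "none"

    def event(self, group: LinkGroup, iface: str, up: bool) -> str:
        before = self.active_group()
        group.report(iface, up)
        after = self.active_group()
        if after != before:
            self.transitions.append((f"{iface} {'up' if up else 'down'}", after))
        return after


def link_group_demo() -> List[str]:
    """Constructed scenario: the active group after each detection event."""
    primary = LinkGroup("lg-primary", ["GE1/0/1", "GE1/0/2"])
    backup = LinkGroup("lg-backup", ["GE1/0/3", "GE1/0/4"])
    fwd = Forwarder(primary, backup)
    events = [
        (primary, "GE1/0/1", False),  # one primary link fails: whole group Down
        (primary, "GE1/0/2", False),  # the second primary link fails as well
        (primary, "GE1/0/1", True),   # partial recovery: group stays Down
        (primary, "GE1/0/2", True),   # full recovery: traffic returns to primary
        (backup, "GE1/0/3", False),   # backup failure while primary is Up: no change
    ]
    return [fwd.event(g, i, up) for g, i, up in events]
```

The third event is the one to watch: with only one of two primary links back, a per-interface implementation would already start sending traffic over the half-recovered group, whereas the link-group semantics keep everything on the backup until the whole group is healthy again.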

4.11 Easy-to-Use Virtual System

A virtual system divides a physical device into multiple logically independent virtual devices. Each virtual device has its own administrator, routing table, and security policy. The virtual system applies to the following scenarios:

Device leasing

Some small enterprises cannot afford a network security device, the related license, and after-sales services, but require network protection to develop their services. In such cases, network service providers or dedicated device leasing vendors can purchase a network security device, divide it into multiple logically independent virtual devices using the virtual system technology, and provide security functions for different enterprises. The enterprises share the hardware resources, but their traffic is completely isolated, which saves the cost of purchasing and maintaining devices while securing the enterprise networks. For network service providers or device leasing vendors, this service yields profits.

Network isolation of large and medium-sized enterprises

A large number of network devices are deployed on the networks of large and medium-sized enterprises, subnets are strictly divided, and rights are differentiated to protect the core assets of the enterprises. Traditional firewalls can isolate networks by dividing security zones. However, interface-based security zones cannot cope with increasingly complex networking and requirements, and errors easily occur during complex policy configuration. In addition, the administrators of multiple networks have the same permissions and operate the same device, which easily causes configuration conflicts. The virtual system technology, by contrast, isolates networks to implement clear and easy service management.

For example, a large enterprise has an R&D area, a production area, and a marketing area. For security reasons, network traffic is forwarded between devices within each area, and devices in different areas seldom communicate. An area may have multiple subnets, and multiple users or networks may share the same interface for VPN access. In this case, adding interfaces to security zones cannot control the traffic separately, and doing so is complex. Instead, you can assign the networks of the different areas to different virtual systems, so that each area has a logically independent firewall. You can create administrators for each virtual system to configure functions in their own areas. This approach simplifies device configuration and improves management efficiency without affecting services.

Cloud computing

Cloud computing stores network resources and computing capability in a network cloud. Network users access the public network from a terminal and can then use the network resources and services. During this process, traffic isolation, security, and resource allocation among users are important. The virtual system technology enables the USG6000, deployed at the egresses of the cloud computing center and data center, to isolate user traffic and provide security.

Figure 4-10 Networking diagram of virtual systems

To enable correct forwarding, independent management, and isolation of services, the USG6000 virtualizes routes, security functions, and configurations:

Route virtualization: Each virtual system maintains separate routing tables and session tables, independent of and isolated from the others.
Security function virtualization: Each virtual system has independent security policies and other security functions, which apply only to packets of that virtual system.
Configuration virtualization: Each virtual system has independent virtual system administrators and configuration pages. Administrators can manage only the virtual systems to which they belong.

The virtualization technology makes the virtual systems of the USG6000 easy to manage. After virtual systems are created, the administrators and users of each virtual system can use it much like an independent firewall.

Visualized Device Management and Maintenance

Huawei has improved and enhanced the Web UI of the USG6000. Administrators can easily deploy, configure, maintain, troubleshoot, monitor the status of, and upgrade the device on the Web UI. The Web UI has five plates.

Table 4-10 Plates on the Web UI

Dashboard: Enables administrators to view the device operating status, including the system information, connection status, traffic load, traffic statistics, and the latest logs and threat events. In addition, administrators can click the shortcut links to modify common configurations.
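The three virtualization properties listed in the Virtual System section (separate routing tables, per-vsys security policies, administrators scoped to their own vsys) can be checked against a small model. The following is an added illustration, not code from the page or from Huawei: a physical firewall owning several virtual systems, each with its own routing table and policy list, where a packet is handled only by the virtual system that owns its ingress interface. Class names, interface names, zone names, the default-deny behaviour when no policy matches, and all addresses are assumptions constructed for the demo.

```python
"""Virtual system isolation modelled on the route, security-function and
configuration virtualization described in the text. Added illustration, not
Huawei code: names, zones, default-deny and addresses are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    dst_net: str      # destination prefix the rule applies to
    action: str       # "permit" or "deny"


@dataclass
class VirtualSystem:
    name: str
    admins: Set[str]                 # configuration virtualization: who may change it
    iface_zone: Dict[str, str]       # interface -> security zone, owned by this vsys
    routes: Dict[str, str] = field(default_factory=dict)    # prefix -> egress interface
    policies: List[Policy] = field(default_factory=list)    # this vsys's policies only

    def _authorize(self, admin: str) -> None:
        # An administrator may change only the virtual system it belongs to.
        if admin not in self.admins:
            raise PermissionError(f"{admin} is not an administrator of {self.name}")

    def add_route(self, admin: str, prefix: str, out_iface: str) -> None:
        self._authorize(admin)
        self.routes[prefix] = out_iface

    def add_policy(self, admin: str, policy: Policy) -> None:
        self._authorize(admin)
        self.policies.append(policy)

    def lookup_route(self, dst: str) -> Optional[str]:
        # Longest-prefix match over this virtual system's own routing table only.
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, iface in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, in_iface: str, dst: str) -> str:
        out_iface = self.lookup_route(dst)
        if out_iface is None:
            return "drop (no route)"
        src_zone, dst_zone = self.iface_zone[in_iface], self.iface_zone[out_iface]
        for p in self.policies:   # first matching policy decides
            if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and \
                    ipaddress.ip_address(dst) in ipaddress.ip_network(p.dst_net):
                return f"{p.action} via {out_iface}"
        return "deny (default policy)"   # assumption: deny when nothing matches


class Firewall:
    """Physical device: every interface belongs to exactly one virtual system."""

    def __init__(self) -> None:
        self.vsys: Dict[str, VirtualSystem] = {}
        self.iface_owner: Dict[str, str] = {}

    def add_vsys(self, vs: VirtualSystem) -> None:
        self.vsys[vs.name] = vs
        for iface in vs.iface_zone:
            self.iface_owner[iface] = vs.name

    def handle(self, in_iface: str, dst: str) -> str:
        # Route virtualization: only the owning vsys's tables are consulted.
        vs = self.vsys[self.iface_owner[in_iface]]
        return f"{vs.name}: {vs.forward(in_iface, dst)}"


def build_demo() -> Firewall:
    """Two virtual systems that route the same prefix differently (constructed)."""
    fw = Firewall()
    rd = VirtualSystem("vsys_rd", {"admin_rd"}, {"GE1/0/1": "trust", "GE1/0/2": "untrust"})
    mkt = VirtualSystem("vsys_mkt", {"admin_mkt"}, {"GE1/0/3": "trust", "GE1/0/4": "untrust"})
    rd.add_route("admin_rd", "10.1.0.0/16", "GE1/0/2")
    rd.add_policy("admin_rd", Policy("trust", "untrust", "10.1.0.0/16", "permit"))
    mkt.add_route("admin_mkt", "10.1.0.0/16", "GE1/0/4")
    mkt.add_policy("admin_mkt", Policy("trust", "untrust", "10.1.5.0/24", "deny"))
    fw.add_vsys(rd)
    fw.add_vsys(mkt)
    return fw


def cross_vsys_change_rejected(fw: Firewall) -> bool:
    """True if an administrator of one vsys cannot change another vsys's policy."""
    try:
        fw.vsys["vsys_mkt"].add_policy("admin_rd", Policy("trust", "untrust", "0.0.0.0/0", "permit"))
    except PermissionError:
        return True
    return False
```

The same destination, 10.1.5.7, is permitted when it enters through the R&D virtual system and denied when it enters through the marketing one, and neither decision consults the other system's tables; that per-packet scoping by ingress interface is what makes a configuration mistake in one virtual system stay inside it.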


More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201

FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201 FortiGate Multi-Threat Security Systems I Administration, Content Inspection and SSL VPN Course #201 Course Overview Through this 2-day instructor-led classroom or online virtual training, participants

More information

Remote Access Platform. Architecture and Security Overview

Remote Access Platform. Architecture and Security Overview Remote Access Platform Architecture and Security Overview NOTICE This document contains information about one or more ABB products and may include a description of or a reference to one or more standards

More information

Introduction of Quidway SecPath 1000 Security Gateway

Introduction of Quidway SecPath 1000 Security Gateway Introduction of Quidway SecPath 1000 Security Gateway Quidway SecPath 1000 security gateway is new generation security equipment developed specially for enterprise customer by Huawei-3Com. It can help

More information

Secured Voice over VPN Tunnel and QoS. Feature Paper

Secured Voice over VPN Tunnel and QoS. Feature Paper Secured Voice over VPN Tunnel and QoS Feature Paper Table of Contents Introduction...3 Preface...3 Chapter 1: The Introduction of Virtual Private Network (VPN) 3 1.1 The Functions and Types of VPN...3

More information

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9 NETASQ & PCI DSS Is NETASQ compatible with PCI DSS? We have often been asked this question. Unfortunately, even the best firewall is but an element in the process of PCI DSS certification. This document

More information

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000 Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business

More information

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions CNS-207 Implementing Citrix NetScaler 10.5 for App and Desktop Solutions The objective of Implementing Citrix NetScaler 10.5 for App and Desktop Solutions is to provide the foundational concepts and skills

More information

Seamless ICT Infrastructure Security.

Seamless ICT Infrastructure Security. Seamless ICT Infrastructure Security. Integrated solutions from a single source. Effective protection requires comprehensive measures. Global networking has practically removed all borders in the exchange

More information

Efficient use of limited bandwidth and assuring response for mission-critical applications

Efficient use of limited bandwidth and assuring response for mission-critical applications Bandwidth Control Bandwidth Control Function Efficient use of limited bandwidth and assuring response for mission-critical applications Allocate bandwidth by judging address, port #, applications or URLs

More information

Astaro Gateway Software Applications

Astaro Gateway Software Applications Astaro Overview Astaro Products - Astaro Security Gateway - Astaro Web Gateway - Astaro Mail Gateway - Astaro Command Center - Astaro Report Manager Astaro Gateway Software Applications - Network Security

More information

HUAWEI Tecal E6000 Blade Server

HUAWEI Tecal E6000 Blade Server HUAWEI Tecal E6000 Blade Server Professional Trusted Future-oriented HUAWEI TECHNOLOGIES CO., LTD. The HUAWEI Tecal E6000 is a new-generation server platform that guarantees comprehensive and powerful

More information

Virtual Machine in Data Center Switches Huawei Virtual System

Virtual Machine in Data Center Switches Huawei Virtual System Virtual Machine in Data Center Switches Huawei Virtual System Contents 1 Introduction... 3 2 VS: From the Aspect of Virtualization Technology... 3 3 VS: From the Aspect of Market Driving... 4 4 VS: From

More information

INTRODUCING KERIO WINROUTE FIREWALL

INTRODUCING KERIO WINROUTE FIREWALL KERIO TECHNOLOGIES, INC. KERIO WINROUTE FIREWALL 6.1 REVIEWER S GUIDE JUNE 2005 WHAT IS KERIO? Kerio Technologies, Inc. provides Internet messaging and firewall software solutions for small to medium sized

More information

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions

Permeo Technologies WHITE PAPER. HIPAA Compliancy and Secure Remote Access: Challenges and Solutions Permeo Technologies WHITE PAPER HIPAA Compliancy and Secure Remote Access: Challenges and Solutions 1 Introduction The Healthcare Insurance Portability and Accountability Act (HIPAA) of 1996 has had an

More information

Simple security is better security Or: How complexity became the biggest security threat

Simple security is better security Or: How complexity became the biggest security threat Simple security is better security Or: How complexity became the biggest security threat Christoph Litzbach, Pre-Sales Engineer NSG 1 What do they have in common? DATA BREACH 2 Security is HARD! Components

More information

High Availability Configuration Guide Version 9

High Availability Configuration Guide Version 9 High Availability Configuration Guide Version 9 Document version 9402-1.0-08/11/2006 2 HA Configuration Guide IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable

More information

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business IREBOX X IREBOX X Firebox X Family of Security Products Comprehensive Unified Threat Management Solutions That Scale With Your Business Family of Security Products Comprehensive unified threat management

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

VLAN and QinQ Technology White Paper

VLAN and QinQ Technology White Paper VLAN and QinQ Technology White Paper Issue 1.01 Date 2012-10-30 HUAWEI TECHNOLOGIES CO., LTD. 2012. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

Eudemon8000E Series 10-Gigabits IPS security gateway

Eudemon8000E Series 10-Gigabits IPS security gateway Product Overview Product Portfolio Nowadays, network bandwidths increase rapidly, and security threats and attacks also flood on networks. Therefore, enterprise and carriers must ensure the service security

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

we secure YOUR network we secure network security English network security

we secure YOUR network we secure network security English network security we secure YOUR network English network security network security CryptoGuard VPN family The CryptoGuard VPN 5000 family is a flexible (cost-)effective security system, completely developed by Compumatica.

More information

Optimal Network Connectivity Reliable Network Access Flexible Network Management

Optimal Network Connectivity Reliable Network Access Flexible Network Management Aggregating Links For Maximum Performance Optimal Network Connectivity Reliable Network Access Flexible Network Management Enterprises are increasingly relying on the internet for delivery of critical

More information

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser)

How To Control Your Network With A Firewall On A Network With An Internet Security Policy On A Pc Or Ipad (For A Web Browser) 1110 Cool Things Your Firewall Should Do Extend beyond blocking network threats to protect, manage and control application traffic Table of Contents The Firewall Grows Up 1 What does SonicWALL Application

More information

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data

PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and

More information

How To Secure A Massive Storage System On A Huawei Server (Uds)

How To Secure A Massive Storage System On A Huawei Server (Uds) HUAWEI OceanStor UDS Massive Storage System V100R002C01 Issue 01 Date 2014-06 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2014. All rights reserved. No part of this document may

More information

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Cisco Application Networking Manager Version 2.0

Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager Version 2.0 Cisco Application Networking Manager (ANM) software enables centralized configuration, operations, and monitoring of Cisco data center networking equipment

More information

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course The McAfee Firewall Enterprise System Administration course from McAfee University is a fast-paced,

More information