HUAWEI TECHNOLOGIES CO., LTD. USG9500 Series. Cloud Data Center Security Gateway

Transcription

1 HUAWEI TECHNOLOGIES CO., LTD.

2 1 USG9520 USG9560 USG9580 Product Overview The full-ip network is expanding rapidly and is integrating more and more applications into the traditional broadband network. Network bandwidth is increasing exponentially, but so are the types of network threats and the intensity of attacks. As a result, enterprises and carriers must constantly adapt their network structures to change network environments. Data communication devices have stepped into the Terabit era. The USG9500, a highly scalable, reliable, and comprehensive security service platform, is such a Terabit device. It supports a wide range of security services, such as IPv6 security, virtual security systems, VPN, and IPS. It addresses the requirements of customers (including data centers, carriers, ISPs, and government agencies) for integrated security, rapid responses, fast processing, and continuous evolution.

3 2 Product Description The USG9500 series comprises the USG9520, USG9560, and USG9580, and provides industry-leading security capabilities and scalability. The firewall throughput of the series reaches 0.96 Tbps, the maximum number of concurrent connections exceeds 960 million, and the VPN performance is up to 500 Gbps. By using dedicated multi-core chips and the distributed hardware platform, the USG9500 provides industry-leading service processing and expansion capabilities. Moreover, all components are redundant, providing a high reliability that normally exists a core router to ensure continuous service on high-speed networks. The distributed technology uses line-rate intelligent traffic splitting for data forwarding. All data flows are equally distributed to service processing modules. Therefore, the service processing performance increases linearly with service modules. The USG9500 provides multiple types of I/O interface modules (Line Process Unit, LPU) for external connection and data transmission. The I/O interface modules and service processing modules use the same interface slot. You can mix and match the I/O interfaces modules and service processing modules as needed. The USG9500 provides GE and 10GE interfaces and supports cross-board port bundling to improve throughput and port density. The Service Process Unit (SPU) of the USG9500 processes all services. The SPU has a motherboard that can hold two expansion cards. The SPU uses the multi-core CPUs on the expansion cards and the software modules to process services. The heartbeat detection mechanism between the SPU and LPU and SPU redundancy ensure inservice switchover. If one SPU fails, all functions are quickly switched to other SPUs without service interruption.

4 3 Highlights Advanced network processor + multi-core CPU + distributed architecture allowing linear increase of performance The USG9500 uses a hardware platform that often exists in a core router to provide modularized components. Each interface module has two network processors (NPs) to provide line rate forwarding. The SPU uses multi-core CPUs and a multi-thread architecture, and each CPU has an application acceleration engine. These hardware advantages, combined with Huawei's optimized concurrent processing technology, increases CPU capacity to ensure the high speed parallel processing of multiple services, such as NAT and VPN. LPUs and SPUs function separately. The overall performance increases linearly with the addition of SPUs so that customers can easily scale up the performance at a low cost. High firewall performance ensuring mission-critical services With revolutionized system architecture, the USG9500 security gateway series has the industry's highest firewall throughput and the most concurrent connections. With dedicated traffic splitting technology, the overall performance of the USG9500 increases linearly with the addition of SPUs. The USG9500 delivers a maximum of 960 Gbps large-packet throughput, 960 million concurrent connections, and 4096 virtual firewalls. The industryleading performance can meet the performance demand of high-end customers, such as television and broadcast systems, government agencies, energy companies, and education organizations. Stable and reliable security gateway full redundancy ensuring service continuity Network security is a key point in enterprise operating. To ensure the service continuity on a high-speed network, the USG9500 supports active/standby and active/active redundancy, port aggregation, VPN redundancy, and SPU load balancing. Meanwhile, the USG9500 also supports dual-mpu active/standby switchover to provide high availability. The mean time between failures (MTBF) of the USG9500 is up to 200,000 hours, and the failover time is less than one second. These features ensure the service continuity. Excellent VPN performance meeting the needs for massive encryption More and more services, such as mobile access, short message notification, and push mail, require secure data transmission over the Internet. To meet these needs, a VPN gateway that supports hundreds of thousands of connections is required. The USG9500 supports VPN gateway redundancy, up to 500 Gbps encryption performance, and 960,000 concurrent VPN tunnels, which are industry's highest standards. The USG9500 supports 4over6 and 6over4 VPN technologies to deal with the evolution from IPv4 to IPv6. The USG9500 also supports

5 4 IKEv2, provides improved user authentication, packet authentication, and NAT traversal functions, and prevents attacks, such as man-in-the-middle attacks and denial of service (DoS) attacks. The USG9500 also supports Extensible Authentication Protocol for GSM Subscriber Identity Module (EAP-SIM) and Extensible Authentication Protocol Authentication and Key Agreement (EAP-AKA) authentication to protect wireless networks. Practical IPS feature defending against external threats and promoting network security The performance of an Intrusion Prevention System (IPS) relies on detection engine performance, signature identification ratio, and processing capacity. With the advanced IPS detection engine and mature signature database, the USG9500 defends against various threats, including unauthorized automatic downloads, spoofing software, spyware/adware, abnormal protocols, P2P anomalies, and exploits that target system vulnerabilities. A single vulnerability-based signature covers thousands of attacks that target at the vulnerability. Supplemented with the globally deployed honeypot system, the USG9500 can capture the latest attacks, worms, and Trojan horses, thereby providing zero-day attack defense capability. Moreover, to improve real-world IPS performance, the USG9500 uses an internal off-line design and "one board one feature" technology to direct the traffic to be inspected by the IPS to a dedicated module. This method improves IPS performance without compromising basic firewall performance. Comprehensive CGN Features addressing the transition from IPv4 to IPv6 The IPv4 addresses are already exhausted and the Internet is smoothly evolving from IPv4 to IPv6. To meet the needs during the transition from IPv4 to IPv6, the USG9500 supports NAT44 (4), DS-Lite, 6RD, and NAT64, thereby providing an effective, flexible, reliable, and cost-effective transition solution for carriers. NAT44 (4) enables the high utilization of IPv4 addresses to prevent the exhaustion of IPv4 addresses; DS-Lite allows the IPv4 application to be used on the newly established IPv6 networks; 6RD provides efficient IPv6 access; and NAT64 enables an IPv6 network to communicate with an IPv4 network. The NAT44 and DS-Lite functions support NAT tracing. Enriched virtualization adapting to cloud networks Cloud computing, which relies on virtualization and high-speed network connection, faces security challenges. The USG9500 delivers high throughput and enriched virtual system functions, including resource, configuration, and management virtualization to meet the requirements of different customers. Resource virtualization manages virtual host resources based on quota, management virtualization supports user-defined policies, log management, and auditing for each virtual firewall, and forwarding virtualization enables customized service processing.

6 5 Specifications Model USG9520 USG9560 USG9580 Performance and Capacity Firewall throughput (maximum) 80 Gbps 480 Gbps 960 Gbps Firewall throughput (composite traffic) 80 Gbps 480 Gbps 960 Gbps Maximum number of concurrent sessions 80 million 480 million 960 million IPSec VPN performance (3DES) 48 Gbps 240 Gbps 500 Gbps IPSec VPN performance (AES) 48 Gbps 240 Gbps 500 Gbps Maximum number of concurrent IPSec VPN tunnels 128, ,000 1,000,000 Expansion and I/O Expansion slots 3 SPU and LPU slots 8 SPU and LPU slots 16 SPU and LPU slots

7 6 Number of MPU slots 2 Interface Interface board LPUF-21 LPU-40 LPUF x GE SFP 1x40GE CSFP 20xGE SFP 12 x GE RJ45 5x10GE XFP Ethernet interfaces 2x10GE XFP 1 x 10GE XFP 4x10GE SFP+ 4x10GE XFP 4 x 10GE XFP 24x1GE SFP POS 12 x GE RJ45 Not support Not support SPU SPUC SPUD Dimensions, Power Supply, and Operating Environment Dimensions (H x W x D:mm) Weight 175 x 442x 650 (4U DC model) 220 x 442 x 650 (5U DC model) Empty chassis: 15 kg, DC Full configuration: 32 kg, DC Empty chassis: 25 kg, AC Full configuration: 42 kg, AC 620 x 442 x x 442 x 650 Empty chassis: 43.2 kg Empty chassis: 94.4 kg Full configuration: 113 Full configuration: 229 kg kg AC power supply 90 V AC to 275 V AC; 175 V AC to 275 V AC (recommended) DC power supply -38 V to -72 V; Rated -48 V Power consumption 1270 W 3960 W 7540 W Operating temperature Ambient humidity Long term: 0 C to 45 C Storage: -40 C to +70 C Long term: 5% RH to 85% RH, non-condensing Short term: 5% RH to 95% RH, non-condensing Storage: 0% RH to 95% RH, non-condensing

8 7 Security Functions BASIC FIREWALL Routing/Transparent/Composite mode State validation detection Blacklist and whitelist Access control ASPF(Application Specific Packet Filter) Security zone division SERVICE AWARENESS Identify and Control Over 1,200 Applications: P2P, IM, game, stock, VoIP, video, media stream, mail, mobile, Web browsing, remote access, network management, and news etc. VIRTUAL PRIVATE NETWORK (VPN) DES, 3DES, and AES encryption MD5 and SHA-1 authentication Manually configured key, PKI (X 509), and IKEv2 Perfect forward secrecy (DH group) Anti-replay attack Remote VPN access IPSec NAT Traversal Dead Peer Detection EAP authentication VPN gateway redundancy IPSec V6,IPSec 4 over 6, IPSec 6 over 4 L2TP Tunnel GRE Tunnel NAT/CGN Destination NAT/PAT NAT NO-PAT Source NAT-IP address persistency Source IP address pool grouping NAT Server Bidirectional NAT NAT-ALG(Application Layer Gateway) Unlimited IP address expansion Policy-based destination NAT Port Range pre-allocated Hair pinning mode SMART NAT NAT64 DS-Lite 6RD(IPv6 Rapid Deployment) PKI PKI certificate requests (PKCS 10) Certificate authority (CA) PKI Authentication: EAP-SIM, EAP-AKA PKI Protocol: SCEP, OCSP, CMPv2 Self-signed certificate INTRUSION PREVENTION SYSTEM Protocol Anomaly Support Custom Signature Support Automatic Attack Database Update Defends against worms, zero-day attacks, Trojans horses, and malware.

9 8 ANTI-DDOS SYN-flood, ICMP-flood, TCP-flood, UDP-flood, DNS-flood etc. Port-scan, Smurf, Tear-drop, IP-Sweep etc. IPv6-extension-header defend TTL detection TCP-mss detection Attack log output HIGH AVALABILITY Active-Active, Active-Standby Stateful Failover (Huawei Redundancy Protocol) Configuration synchronization Firewall and IPSec VPN session synchronization Device fault detection Link fault detection Dual main board switchover Management Web UI (HTTP and HTTPS) CLI (console/telnet/ssh) U2000/VSM network management Hierarchical administrators Software upgrade Configuration rollback NETWORKING/ROUTING POS/GE/10GE link support DHCP relay/server Policy-based routing Dynamic Routing for IPv4/IPv6 (RIP/OSPF/ISIS/BGP) Multi-zone support Route between zones/vlans Multi-link Aggregation (Eth-trunk, LACP) VIRTUAL FIREWALLS 4096 virtual firewall(vfw) definition VLAN virtualization Security zones virtualization User defined virtual resources Route between VFW VFW based traffic CAR Logging/Monitoring Structured syslog SNMP (v2) Binary log Traceroute Log server (elog) Certification Safety certification, EMC, CB, Rohs, FCC, MET, C-tick, VCCI Note: The list above is comprehensive and may contain features which are not available on all USG9500 appliances. Consult USG9500 system documentation to determine feature availability.

10 9 Application Scenario Security Defense in Large IDCs Communicates through VPN 10-Gigabit link USG9500 IPSec Tunnel USG9000_B Branch1 Headquarters Large-scale IDC PC USG9000_A IPSec Tunnel USG9000_C Branch2 Basic services area Value-added services area Management and maintenance area Other area The USG9500 ensures security and stability of IDC services, with the configuration of the following services: Configuration of security policies such as blacklist to filter suspicious IP address. Configuration of intrusion prevention function to perform in-depth traffic detection, and blocks attack traffic once attacked. This function effectively defends against application-layer attacks. Configure virtual firewall to realize the virtual system separation function from level 2 to level 7 as you need. Configure resource pre-allocation to control virtual firewall traffic of inbound and outbound and the number of session connections; configure public IP address-based traffic restriction to prevent one IP address occupying too much bandwidth. The enterprise headquarters communicates with branches of the enterprise through the Internet. VPN tunnels (such as IPSec VPN, L2TP over IPSec VPN, GRE over IPSec VPN) can be established between the egress gateway of the headquarters and the egress gateways of the branches and between the egress gateway of the headquarters and the egress gateway of the regional offices. The employees on business trips can also access the headquarters egress gateway through the PC. The data flows produced when all users of the enterprise remotely access each other are carried by the secure VPN tunnel. Although the data flow is transmitted in the public network, it is protected through encryption and authentication, which ensures the security of the data transmission. In this networking, the IP addresses of branches can be fixed public IP addresses, or dynamically obtained through 3G, ADSL, PPPoE dial-up, or DHCP. Configure IPSec, L2TP over IPSec, or GRE over IPSec based on actual requirements.

11 10 Order Information E8KE-X3-BASE-DC E8KE-X3-BASE-AC E8KE-X8-BASE-DC-200 E8KE-X8-BASE-AC-200 E8KE-X16-BASE-DC-200 E8KE-X16-BASE-AC-200 SPU-X3-20-O-E8KE SPU-X8X16-20-O-E8KE FWCD0LPUKD01 FWCD00L1XX01 E8000E X3 DC Standard Configuration(include X3 DC Chassis,2*MPU),with HS General Security Platform Software E8000E X3 AC Standard Configuration(include X3 AC Chassis,2*MPU),with HS General Security Platform Software E8000E X8 DC Standard Configuration(include X8 DC Chassis,2*SRU,1*200G SFU),with HS General Security Platform Software E8000E X8 AC Standard Configuration(include X8 DC Chassis,2*SRU,1*200G SFU,4*AC Power Module),with HS General Security Platform Software E8000E X16 DC Standard Configuration(include X16 DC Chassis,2*MPU,4*200G SFU),with HS General Security Platform Software E8000E X16 AC Standard Configuration(include X16 DC Chassis,2*MPU,4*200G SFU,8*AC Power Module),with HS General Security Platform Software 20G X3 Firewall Processing Card(oversea),with HS General Security Platform Software 20G X8&X16 Firewall Processing Card(oversea),with HS General Security Platform Software Flexible Card Line Processing Unit(LPUF-21,2 Sub-Slots) B,With HS General Security Platform Software 1-Port 10GBase WAN/LAN XFP Flexible Interface Daughter Card FWCD00EBGF01 12-Port 100/1000Base-X SFP Flexible Interface Daughter Card FWCD00EBGE01 FWCD0LPUND01 FWCD00L2XX01 12-Port 10/100/1000Base-TX RJ45 Flexible Interface Daughter Card Flexible Card Line Processing Unit(LPUF-40,2 sub-slots) A,with HS General Security Platform Software 2-Port 10GBase LAN/WAN-XFP Flexible Card(P40) FWCD00EFGF01 20-Port 100/1000Base-X-SFP Flexible Card(P40) Note: The order information only lists the main components of USG9500 series, please contact Huawei engineer for detailed information.

12 Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Other trademarks, product, service and company names mentioned are the property of their respective owners. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice. HUAWEI TECHNOLOGIES CO., LTD. Huawei Industrial Base Bantian Longgang Shenzhen , P.R. China Tel: Version No.: M C-1.0