Huawei Traffic Cleaning Solution




Huawei Traffic Cleaning Solution Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. Trademark Notice, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners. General Disclaimer The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

1.1 Introduction

The modern world is witnessing exponential growth of attacks. For example, in 2010 alone the rate of distributed denial-of-service (DDoS) traffic attacks on network bandwidth was 100 Gbit/s, a 1000% increase compared with that in 2005. These emerging attacks target specific application-layer protocols, such as HTTP, HTTPS, SIP, and DNS. Such malicious attacks render conventional flow-based devices ineffective. Consequently, customers are faced with the following problems:
- How to withstand massive flooding and application-layer attacks while securing the network
- How to maximize investments in DDoS defense while reducing maintenance costs

Based on long-accumulated security technologies and a deep understanding of customer requirements, Huawei has devised a traffic cleaning solution able to secure customers' networks while simplifying their management needs. The solution is specifically tailored for:
- Large and medium-sized enterprises
- Internet data centers (IDCs)
- Internet service providers (ISPs, including web portals, game service providers, and DNS service providers)

1.2 Solution

The Huawei traffic cleaning solution can be divided into three centers, as shown in the following figure.

[Figure: the three centers. Traffic flows from the Internet through the detecting and cleaning centers to the intranet; the management center controls both.]

- Detecting center: Acting like the "eyes" of the solution, the detecting center monitors traffic based on certain detection policies and reports abnormalities to the management center.
- Cleaning center: Acting like the "heart" of the solution, the cleaning center receives instructions from the management center and cleans abnormal traffic based on traffic diversion policies.
- Management center: Acting like the "brain" of the solution, the management center formulates detecting and cleaning policies, controls detecting and cleaning devices, and generates attack reports and cleaning logs.

1.3 Hardware

The following figure shows the detecting and cleaning devices involved in the solution.

[Figure: E8080E and E8160E chassis (160G) fitted with 20G, 10G, and 6G detecting boards and cleaning boards; E1000E-I (detecting device) and E1000E-D (cleaning device), 6G.]

Security protection for small- and medium-sized enterprises
The E1000E provides gigabit-level cleaning capacity to secure services for small- and medium-sized enterprises (SMEs). The following table lists the two models of the E1000E.

Model      Description
E1000E-I   Detecting device
E1000E-D   Cleaning device

Security protection for IDCs and large- and medium-sized enterprises
An E8000E service board, coupled with a distributed E8000E series chassis, provides a cleaning capacity of 160 Gbit/s. The following table lists the two models of the E8000E.

Model    Description
E8080E   8-slot chassis (specifications in section 1.6)
E8160E   16-slot chassis (specifications in section 1.6)

1.4 Features

1.4.1 Industry's Highest Performance to Secure the Network

High Performance
- Industry-leading capacity: With an industry-leading processing capacity of 160 Gbit/s per chassis, the solution can withstand large-scale attacks.
- Advanced architecture: Built on a network processor (NP), multicore CPUs, and a distributed architecture, the detecting and cleaning centers provide linear capacity expansion to overcome bottlenecks in processing performance.
- High capacity: The solution provides fine-grained protection for 2000 VIP customers and 10,000 IP addresses, and coarse-grained protection for 1 million IP addresses.

Highest Detection Rate
With DPI technology and a solid 7-layer defense structure, the solution efficiently prevents a wide range of attacks.
- Deep packet inspection (DPI): Unlike conventional NetFlow-based devices, Huawei's detecting devices use DPI technology to analyze every byte inside packets, and use the 7-layer defense structure to identify attack types effectively, including traffic, application-layer, scanning and snooping, and malformed packet attacks.

[Figure: 7-layer defense structure. Attack traffic and legitimate traffic enter at the top; each layer removes one class of attack and the remainder is forwarded.]
1. Static filtering (whitelist, blacklist): UDP Flood, ICMP Flood, DNS Flood
2. Malformed packet filtering: LAND attack, Fraggle attack, WinNuke, Ping of Death, Tear Drop, invalid TCP flag attack, super large ICMP attack
3. Transport-layer source validity authentication: SYN Flood, ACK Flood, SYN-ACK Flood, TCP Fragment Flood
4. Source validity authentication (dynamic analysis): HTTP Flood, HTTPS Flood, DNS Query Flood, DNS Reply Flood, SIP Flood
5. Session-based cleaning: connection exhaustion attack, CC attack, UDP Flood, DNS cache poisoning, DNS reflection attack
6. Behavior analysis: slow connection attack, retransmission attack, slow start attack
7. Traffic shaping: avoids congestion at the target
Forwarding

- IPv6 attack defense: The solution supports IPv6/IPv4 dual stack to defend against IPv4 and IPv6 attacks simultaneously, secure the IPv4-to-IPv6 transition, and reduce transition costs.

Quick Attack Response
The solution detects and cleans abnormal traffic within seconds to ensure service continuity.
- Fast detection: Conventional flow-based detecting devices analyze network-wide router logs, which takes a long time to detect attacks. Huawei's detecting devices use DPI technology to capture attack characteristics in real time and detect attacks within seconds.
- Quick response: The synchronization of sessions and detection results between the detecting and cleaning centers enables the solution to respond to attacks within seconds (less than 10 seconds).

High Reliability
- Reliable platform
  Hardware platform: 1+1 main processing engines; 3+1 switching boards; key component (power module and fan) redundancy; core router-class service stability.
  Versatile Routing Platform (VRP): independent modules with little impact on each other; 4 million devices on live networks.
- Reliable system: The solution ensures 500,000 hours of mean time between failures (MTBF) and 99.9999% reliability through inter-board load balancing, cross-board interface binding, and two-node cluster hot backup.

1.4.2 Industry's Easiest Solution to Simplify Management

Easy Management and Low OPEX
- Graphical management: The solution provides a flexible graphical user interface which simplifies configuration and maintenance and reduces operating expenses (OPEX).
- Flexible evidence collection methods: For security audit, the solution collects evidence in either of the following ways: packet capture based on access control lists (ACLs), or automatic packet capture based on the types of attack events.
- Centralized management: The solution manages distributed peripheral devices in a centralized and simplified mode, which reduces the number of management servers and significantly reduces maintenance costs.

Easy Expansion and Low Expansion Cost
- Software license upgrade: The E1000E supports software license upgrades to expand the cleaning capacity without adding hardware, which greatly reduces costs.
- Smooth upgrade: The E1000E supports smooth capacity expansion.
- Linear expansion: The E1000E supports a maximum of eight service boards per chassis. Users can add service boards to expand the capacity. This expansion mode improves investment efficiency and reduces capacity expansion costs.
- Cost-saving: Traffic detecting and cleaning devices share the same chassis, which effectively saves on customers' investment.

1.5 Application Scenarios

1.5.1 IDC Security
The service-rich IDC with its egress bandwidth is vulnerable to flooding attacks and application-layer attacks.
- Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds).
- Withstands over 30 types of DDoS attacks, including UDP Flood attacks, CC attacks, HTTP Flood attacks, HTTPS Flood attacks, DNS attacks, and slow attacks.

[Figure: IDC deployment. Carrier 1 and Carrier 2 links from the Internet pass through the DDoS cleaning center before reaching service areas 1, 2, and 3 (hosted servers).]

1.5.2 Web Portal or Game Server Security
Web portals or game servers with egress bandwidth are vulnerable to flooding attacks and application-layer attacks.
- Provides a processing capacity of 160 Gbit/s per chassis and quick response (within seconds).
- Withstands over 30 types of DDoS attacks, including UDP Flood attacks, CC attacks, HTTP Flood attacks, slow link attacks, and TCP retransmission attacks.
The following figure shows the anti-DDoS deployment of a web portal or game website.

[Figure: Carrier 1 and Carrier 2 links from the Internet pass through the DDoS cleaning center before reaching the game server zone and the web server zone.]

1.5.3 Enterprise Network Egress Security
Large and medium-sized enterprises build networks or rent links (about 10 GB) to enable office automation (OA) and internal communication, which is vulnerable to DDoS attacks.
- Withstands over 30 types of DDoS attacks, particularly those aimed at OA networks, including UDP Flood attacks, HTTP Flood attacks, and TCP Flood attacks.
The following figure shows the anti-DDoS deployment of an enterprise.

[Figure: enterprise egress. Carrier 1 and Carrier 2 links enter through a detecting firewall and a DDoS defense (cleaning) firewall; behind them sit the trust zone, DMZ, mail server zone, office area, and living area.]

1.5.4 Online Service Security
Online services are vulnerable to DDoS attacks. These attacks severely compromise a service provider's customer base, financial security, and reputation.
- Withstands over 30 types of DDoS attacks, particularly those aimed at online transaction systems, including HTTP Flood attacks, HTTPS Flood attacks, CC attacks, and slow link attacks.
The following figure shows the anti-DDoS deployment of online services.

[Figure: anti-DDoS deployment of online services.]

1.5.5 DNS Security
DNS servers, a vital part of the Internet infrastructure, are often subject to DDoS attacks, with serious consequences for their customers, who have a vested interest in securing their DNS services.
- Withstands over 30 types of DDoS attacks, particularly those aimed at DNS services, including DNS attacks (DNS Query and Reply Flood), DNS cache poisoning, and UDP Flood attacks.
- Provides the Top N DNS cache function to relieve the pressure on the DNS server while it copes with attacks.
The following figure shows the anti-DDoS deployment of a DNS server.

[Figure: Internet, DDoS cleaning, DNS server, management.]
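As an added illustration of how the three centers of section 1.2 and the layered cleaning of section 1.4 fit together (this is not code from Huawei or from this brochure), the following Python model runs constructed traffic through a rate-based detector, diverts only the reported destination to a cleaner that applies static filtering, malformed-packet filtering, a SYN-retransmission source validity check, and a per-source session budget, and keeps a few dropped packets per attack event as audit evidence (the automatic capture of section 1.4.2). Every address, threshold, field name and packet in it is an assumption made for the demo; the brochure does not describe the products' actual algorithms, so the checks here are generic textbook versions.

```python
# Added illustration of the detect / divert / clean pipeline; not Huawei code.
# Addresses, thresholds and traffic below are constructed for the demo.
from collections import Counter, defaultdict, namedtuple
from dataclasses import dataclass

# ts in seconds; proto is "tcp", "udp" or "icmp"; flags is a frozenset; length in bytes
Packet = namedtuple("Packet", "ts src dst proto flags length")

def pkt(ts, src, dst, proto, flags=(), length=60):
    return Packet(ts, src, dst, proto, frozenset(flags), length)

@dataclass
class CleaningPolicy:             # assumed shape of what the management center pushes
    whitelist: frozenset = frozenset({"10.0.0.1"})     # trusted monitoring host
    blacklist: frozenset = frozenset({"192.0.2.66"})   # known bad source
    max_icmp_len: int = 1500
    retrans_window: float = 3.0   # seconds a source has to retransmit its SYN
    max_pkts_per_src: int = 10    # per-source session budget for the demo
    capture_per_event: int = 3    # evidence packets kept per attack event type

# Detecting center ("eyes"): per-destination packet rate versus a baseline.
def detect(packets, window=1.0, baseline_pps=20):
    buckets = defaultdict(Counter)
    for p in packets:
        buckets[int(p.ts // window)][p.dst] += 1
    peak = Counter()
    for counts in buckets.values():
        for dst, n in counts.items():
            peak[dst] = max(peak[dst], n / window)
    return {dst: pps for dst, pps in peak.items() if pps > baseline_pps}

# Cleaning center ("heart"): diverted traffic passes through the layers in order.
class Cleaner:
    def __init__(self, policy):
        self.policy = policy
        self.stats = Counter()
        self.first_syn = {}                 # src -> ts of its first, dropped SYN
        self.verified = set()               # sources that retransmitted the SYN
        self.per_src = Counter()
        self.evidence = defaultdict(list)   # attack event -> captured packets

    def _drop(self, p, event):
        self.stats[event] += 1
        if len(self.evidence[event]) < self.policy.capture_per_event:
            self.evidence[event].append(p)  # automatic capture per event type
        return False

    def clean(self, p):
        """Return True if the packet is forwarded, False if it was dropped."""
        pol = self.policy
        # Layer 1: static filtering (whitelist / blacklist)
        if p.src in pol.whitelist:
            self.stats["forwarded"] += 1
            return True
        if p.src in pol.blacklist:
            return self._drop(p, "blacklist")
        # Layer 2: malformed packet filtering
        if p.src == p.dst:
            return self._drop(p, "land")
        if p.proto == "tcp" and {"SYN", "FIN"} <= p.flags:
            return self._drop(p, "invalid_tcp_flags")
        if p.proto == "icmp" and p.length > pol.max_icmp_len:
            return self._drop(p, "oversized_icmp")
        # Layer 3: transport-layer source validity. A real stack retransmits an unanswered
        # SYN; a spoofed flood source does not, so the first SYN is dropped, the retry trusted.
        if p.proto == "tcp" and p.flags == {"SYN"} and p.src not in self.verified:
            first = self.first_syn.get(p.src)
            if first is None or p.ts - first > pol.retrans_window:
                self.first_syn[p.src] = p.ts
                return self._drop(p, "syn_unverified")
            self.verified.add(p.src)
        # Layer 4: session-based cleaning, a per-source budget
        self.per_src[p.src] += 1
        if self.per_src[p.src] > pol.max_pkts_per_src:
            return self._drop(p, "rate_limit")
        self.stats["forwarded"] += 1
        return True

# Management center ("brain"): the detection report becomes a diversion decision.
def run_pipeline(packets, policy=None):
    report = detect(packets)
    diverted = set(report)                  # only attacked destinations are diverted
    cleaner = Cleaner(policy or CleaningPolicy())
    forwarded = [p for p in sorted(packets, key=lambda p: p.ts)
                 if p.dst not in diverted or cleaner.clean(p)]
    return report, cleaner, forwarded

def sample_traffic():
    """Constructed one-second capture: background traffic plus a mixed attack."""
    web, other = "203.0.113.10", "203.0.113.20"
    t = [pkt(0.1 * i, "10.0.0.9", other, "tcp", ["ACK"]) for i in range(1, 6)]
    t += [pkt(0.01 * i, f"198.51.100.{i}", web, "tcp", ["SYN"]) for i in range(1, 41)]  # spoofed SYN flood
    t += [pkt(0.05, "10.0.0.5", web, "tcp", ["SYN"]), pkt(0.25, "10.0.0.5", web, "tcp", ["SYN"])]  # real client retries
    t += [pkt(0.30 + 0.05 * i, "10.0.0.5", web, "tcp", ["ACK"]) for i in range(4)]
    t += [pkt(0.5, web, web, "tcp", ["SYN"]),                         # LAND
          pkt(0.5, "198.51.100.99", web, "tcp", ["SYN", "FIN"]),      # invalid flag combination
          pkt(0.5, "198.51.100.98", web, "icmp", length=70000)]       # super large ICMP
    t += [pkt(0.6 + 0.01 * i, "192.0.2.66", web, "udp") for i in range(2)]   # blacklisted source
    t += [pkt(0.7, "10.0.0.1", web, "icmp", length=64)]                      # whitelisted monitor
    t += [pkt(0.8 + 0.01 * i, "10.0.0.7", web, "udp") for i in range(12)]   # exceeds per-source budget
    return t
```

Calling run_pipeline(sample_traffic()) reports 203.0.113.10 at 64 packets per second, drops the 40 spoofed SYNs plus the legitimate client's first SYN, and forwards the client's retransmitted SYN and its data; the quiet destination 203.0.113.20 never enters the cleaner, which is the point of diversion: only the attacked target pays the cleaning cost, and the evidence list holds the first three dropped packets of each event type for the audit trail.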

1.6 Product Specifications

Model: E1000E-I/D
  Number of slots: for a 1 U device, 4 pairs of GE optical/electrical (mutually exclusive) interfaces; 2 USB 2.0 interfaces
  Detecting and cleaning capacity: 4G
  Protected destination IP addresses: protected targets: 400; IP addresses (fine-grained protection): 2048
  Preventable DDoS attacks (applicable to IPv4, IPv6, and IPv4-IPv6 networks):
    Traffic-type attacks: SYN Flood, ACK Flood, SYN-ACK Flood, FIN/RST Flood, IP Fragment Flood, UDP Flood, ICMP Flood, Smurf attack
    Application-layer attacks: Connection Flood, DNS Query Flood, DNS Reply Flood, DNS cache poisoning, HTTP Get/Post Flood, CC attack, SIP Flood, HTTPS Flood
    Scanning and snooping attacks: port scanning, address scanning, Tracert packet, IP source routing option attack, IP timestamp option attack, IP routing record option attack
    Malformed packet attacks: IP spoofing, LAND attack, Fraggle attack, WinNuke, Ping of Death, Tear Drop, IP option control, IP fragment control packet, invalid TCP flag attack, super large ICMP control packet, ICMP redirect packet, ICMP unreachable packet
  Reliability: dual power modules and fans
  Interface board type: 2 expansion slots that support 4*FE RJ45 connectors and 2*GE Combo connectors
  Dimensions (W x D x H): 436 x 560 x 44.2 mm
  Weight: 10 kg
  Power: 100 W
  Mean time between failures (MTBF): 37.54 years

Model: Eudemon8080E / Eudemon8160E
  Number of slots: Eudemon8080E: 8 slots, a maximum of 4 detecting/cleaning boards and 4 interface boards; Eudemon8160E: 16 slots, a maximum of 8 detecting/cleaning boards and 8 interface boards
  Detecting and cleaning capacity: Eudemon8080E: 80G; Eudemon8160E: 160G
  Protected IP addresses: protected targets: 2000; IP addresses (fine-grained protection): 10,000; IP addresses (coarse-grained protection): 1 million
  Preventable DDoS attacks (applicable to IPv4, IPv6, and IPv4-IPv6 networks):
    Traffic-type attacks: SYN Flood, ACK Flood, SYN-ACK Flood, FIN/RST Flood, IP Fragment Flood, UDP Flood, ICMP Flood, Smurf attack
    Application-layer attacks: Connection Flood, DNS Query Flood, DNS Reply Flood, HTTP Get/Post Flood, CC attack, SIP Flood, HTTPS Flood
    Scanning and snooping attacks: port scanning, address scanning, Tracert packet, IP source routing option attack, IP timestamp option attack, IP routing record option attack
    Malformed packet attacks: IP spoofing, LAND attack, Fraggle attack, WinNuke, Ping of Death, Tear Drop, IP option control, IP fragment control packet, invalid TCP flag attack, super large ICMP control packet, ICMP redirect packet, ICMP unreachable packet
  Reliability: module/component hot swap, two-node cluster hot backup, link aggregation, and 1+1 main processing engines
  Interface board type: Ethernet interface: 1 x 10GE card, 12 x 1G (optical/electrical) card; POS interface: 1 x 10G card
  Maximum interfaces: Ethernet interface: Eudemon8080E: 8 x 12 x 1GE, 8 x 10GE; Eudemon8160E: 16 x 12 x 1GE, 16 x 10GE. POS interface: Eudemon8080E: 8 x 10G; Eudemon8160E: 16 x 10G

Model: Eudemon8080E / Eudemon8160E (continued)
  Dimensions (W x D x H): Eudemon8080E: 442 x 669 x 886 mm; Eudemon8160E: 442 x 669 x 1600 mm
  Weight: Eudemon8080E: 100 kg; Eudemon8160E: 150 kg
  Power: Eudemon8080E: 700 W; Eudemon8160E: 900 W
  MTBF: 57 years (both models)

Model: Traffic cleaning service board
  Detecting capacity (max.): 20 Gbit/s
  Cleaning capacity (max.): 20 Gbit/s
  Response delay: 10 seconds
  DDoS attack defense: defense against attacks based on protection targets; SYN Flood defense; SYN-ACK Flood defense; ACK Flood defense; HTTP Flood defense; HTTPS Flood defense; DNS Request Flood defense; DNS Reply Flood defense; SIP Flood defense; RST Flood/FIN Flood defense; UDP Flood defense; IP Fragment Flood defense; non-TCP/UDP/ICMP protocol packet flood defense; CC attack defense; connection flood defense
  Traffic statistics and limit
  Packet capture: global packet capture; attack event packet capture; abnormal event packet capture
  Filtering: static fingerprint; global feature filtering
  Logs: attack logs; abnormal logs

1.7 Order Information

E1000E-I/D
  SU4Z1ADGD: E1000E anti-DDoS cleaning host, AC, 2G license
  SU4Z2ADGD: E1000E anti-DDoS cleaning host, DC, 2G license
  SU4Z1ADGI: E1000E anti-DDoS detecting host, AC
  SU4Z2ADGI: E1000E anti-DDoS detecting host, DC
  FWEM0004FE02: 4-port 100 M Ethernet electrical interface module (RJ45)
  FWBM12GE: 2-port 1000 M Ethernet electrical interface module (RJ45 and SFP)
  LSU4ADGD01: License used to expand the anti-DDoS cleaning capacity of the E1000E to 4G
  ATIC3-WINDOWS: Software suite, ATIC management system installation package, DVD

E8000E Anti-DDoS
  E8080E-BUNDLE-AC: Eudemon8080E AC: 1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards
  E8080E-BUNDLE-DC: Eudemon8080E DC: 1 chassis, 2 power modules, 2 SRUs, 2 switch boards, 4 1G memory modules, 4 CF cards

E8000E Anti-DDoS (continued)
  FWCD10GDDD01: Service processing unit, 10G detecting capacity
  FWCD10GDDC01: Service processing unit, 10G cleaning capacity
  FWCD20GDDD01: Service processing unit, 20G detecting capacity
  FWCD20GDDC01: Service processing unit, 20G cleaning capacity
  FWCD10GDDU01: Plug-in board used to expand the anti-DDoS detecting capacity from 10G to 20G
  FWCD10GDCU01: Plug-in board used to expand the anti-DDoS cleaning capacity from 10G to 20G
  FWC2LPUKD1: Flexible card line processing unit (LPUF-21, two sub-slots)
  FWC2L1XX01: 1-port 10GBase WAN/LAN-XFP flexible sub-card
  FWC2EBGF01: 12-port 100/1000Base-X-SFP flexible sub-card
  FWC2EBGE01: 12-port 10/100/1000Base-TX-RJ45 flexible sub-card
  FWC2P1XXBZ0: 1-port OC-192c/STM-64c POS-XFP flexible sub-card
  FWCS00NOFA00: DDoS management center, a collection of functions for non-carrier customers
  FWCS00DOFA00: DDoS management center, a collection of functions for carriers
  FWCS00LCOP00: Data collector
  FWCS00BMOD00: DDoS management center, basic modules
  FWCS00STAT00: DDoS management center, statistical report management
  FWCS00ALAM00: DDoS management center, alarm management
  FWCS00PCAM00: DDoS management center, packet capture analysis management
  FWCS00SLHQ00: DDoS management center, self-service query
  FWCS05DMCL00: DDoS management center license (to add 5 control devices)
  FWCS10DMCL00: DDoS management center license (to add 10 control devices)
  FWCS25DMCL00: DDoS management center license (to add 25 control devices)
  FWCS50DMCL00: DDoS management center license (to add 50 control devices)