HUAWEI USG2000&5000 Series Unified Security Gateway Traffic Control White Paper




HUAWEI USG2000&5000 Series Unified Security Gateway Traffic Control White Paper
Issue 1.0
Date 2014-08-21
HUAWEI TECHNOLOGIES CO., LTD.

Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions
Huawei and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the commercial contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchased scope or the usage scope. Unless otherwise agreed by the contract, all statements, information, and recommendations in this document are provided AS IS without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

Copyright 2012 Huawei Technologies Co., Ltd. All rights reserved. Page 1 of total 9

Contents
1 Background
2 Traffic Control Technologies
2.1 IP Address (Segment)-specific Traffic Control
2.2 Application-specific Traffic Control (DPI-based)
2.3 User (Group)-specific Traffic Control
2.4 Local and Global Traffic Control
2.5 Bandwidth Guarantee
2.6 Limiting on the Number of Connections
2.7 Traffic-based Routing
3 Networking
Appendix: Acronyms and Abbreviations

Abstract: As the Internet becomes increasingly popular and developed, its users multiply and cause massive traffic growth. Meanwhile, emerging network applications such as video, voice, online games, and P2P raise the demand for bandwidth exponentially. Against this background, bandwidth control technologies receive increasing attention.

Keywords: firewall, traffic control, traffic limiting, limiting on the number of connections, application-specific (DPI-based) traffic limiting, user-specific traffic limiting, bandwidth guarantee

1 Background

As the Internet becomes more widely used, its user base multiplies and traffic grows massively. Emerging applications such as video, voice, online games, and P2P file sharing raise the bandwidth demand on backbone networks exponentially. For a given network the egress bandwidth is fixed, and a few users can exhaust it if no limit is placed on the bandwidth each user may consume. If certain applications or users are allowed unlimited bandwidth, nothing is left for the basic services of everyone else, and the network experience degrades across the board.

This white paper describes technologies that manage network traffic flexibly and efficiently. Together they provide an easy-to-deploy, multi-functional, and high-performance traffic control solution.

2 Traffic Control Technologies

Sections 2.1 to 2.3 describe the three ways in which traffic is identified: by IP address or segment, by application (DPI), and by user or user group. Sections 2.4 to 2.7 describe the control policies that can be applied to traffic identified by one of these methods or by a combination of them.

2.1 IP Address (Segment)-specific Traffic Control

IP address (segment)-specific traffic control is a traffic policy based on the 5-tuple of a packet: source IP address, source port, destination IP address, destination port, and protocol. When traffic passing through the firewall matches a traffic limiting policy, the firewall applies the control action of that policy. A policy can reference a single IP address or protocol, or a set of them. Control can be applied at two levels (local and global):

Per-IP traffic limiting: limits the traffic of each individual IP address.
Global traffic limiting: limits the total traffic that matches the policy.

For example, for the users 172.16.1.1 to 172.16.1.200, the bandwidth of each user can be limited to 1 Mbit/s and the total bandwidth of the segment to 150 Mbit/s.

2.2 Application-specific Traffic Control (DPI-based)

Deep Packet Inspection (DPI) can identify more than 1000 protocols and applications in more than 20 categories, including P2P; instant messaging (IM); VoIP such as Skype, H.323, SIP, RTP, Net2Phone, and Vonage; games such as Diablo and Tantra; web video services such as PPLive, QQLive, and SopCast; stock trading software; and attacks. The DPI signature database on the firewall can be updated online so that the latest applications and protocols are covered.

Different traffic limiting policies can be applied to the applications DPI identifies. For example, Thunder (Xunlei download client) traffic can be limited to 1 Mbit/s per user and 10 Mbit/s for all users while HTTP traffic is left unlimited. The control action of a DPI-based traffic policy can be:

Permit: allows traffic of the application.
Deny: discards traffic of the application. When the firewall blocks a flow, it keeps the session entry for a period of time, and every packet matching the session during that period is discarded without being inspected again. If the entry were not kept, the firewall would have to identify the traffic again once the session entry aged out, and a flow that is not recognised on the second pass would be permitted.
Bandwidth limiting: limits the rate of the traffic of a given type of application.
Limiting on the number of connections: limits the number of connections allowed for specific applications.

For example, the Thunder service occupies most of the total bandwidth of a residential community and interferes with the normal use of other services; during peak hours (6:00 to 22:00) even web pages load slowly. To resolve this, set the per-IP maximum Thunder bandwidth to 500 kbit/s and the total maximum Thunder bandwidth of the community to 200 Mbit/s.

2.3 User (Group)-specific Traffic Control

As networks grow, users become more scattered and are increasingly likely to use dynamic IP addresses, so traditional traffic limiting based on IP address segments becomes ineffective. User-specific and user group-specific traffic limiting address this: because traffic is identified by user identity, the policy is written against the user instead of against changing and complicated IP address information, and different policies can be created for different users or user groups. This streamlines policy configuration, accommodates changing and complicated subnets, and saves administrative effort.

For example, an enterprise has department A and department B and a total egress bandwidth of 10 Mbit/s. To control the Internet access of employees in the two departments, set the maximum Thunder bandwidth to 100 kbit/s for each employee in department A and to 200 kbit/s for each employee in department B. For privileged users such as the general manager, set the maximum bandwidth to 2 Mbit/s.
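The following is an added illustration of the mechanisms in sections 2.1 and 2.2 (and of the local/global split described in section 2.4); it is not code from the white paper or from the USG product. It models, in Python, a policy matched on source range and application, a per-IP token bucket beside a global one, and a session table that caches the verdict of a flow, a Deny verdict included, so that later packets are not classified again. The class names, the keyword classifier that stands in for the DPI engine, the 30 s idle timeout, the addresses and the traffic mix are all assumptions made for the example.

```python
# Toy model of sections 2.1/2.2: 5-tuple and application policy match, per-IP and
# global token buckets, and a session table that caches the verdict.  Added
# illustration, not Huawei code: every name, the keyword classifier that stands in
# for DPI, the 30 s idle timeout and all traffic below are assumptions.
from collections import namedtuple
from ipaddress import IPv4Address

# src, dst, proto, sport, dport form the 5-tuple that keys the session table
Packet = namedtuple("Packet", "src dst proto sport dport bits t payload", defaults=(b"",))


class TokenBucket:
    def __init__(self, rate_bps):
        self.rate, self.tokens, self.last = rate_bps, rate_bps, 0.0  # burst = 1 s of rate

    def has(self, now, bits):
        """Refill for the elapsed time and report whether `bits` fit."""
        self.tokens = min(self.rate, self.tokens + (now - self.last) * self.rate)
        self.last = now
        return bits <= self.tokens


def classify(p):
    """Stand-in for DPI: a marker identifies the app, and only some packets carry it."""
    return "thunder" if b"XUNLEI" in p.payload else "unknown"


class Policy:
    def __init__(self, src_lo, src_hi, app=None, action="limit", per_ip_bps=None, global_bps=None):
        self.lo, self.hi = int(IPv4Address(src_lo)), int(IPv4Address(src_hi))
        self.app, self.action, self.per_ip_bps = app, action, per_ip_bps  # app None = any
        self.glob = TokenBucket(global_bps) if global_bps else None  # global: one bucket per policy
        self.per_ip = {}                                             # local: one bucket per source IP

    def matches(self, p, app):
        return self.lo <= int(IPv4Address(p.src)) <= self.hi and self.app in (None, app)

    def admit(self, p):
        if self.action != "limit":  # "permit" or "deny"
            return self.action == "permit"
        buckets = [self.glob] if self.glob else []
        if self.per_ip_bps:
            buckets.insert(0, self.per_ip.setdefault(p.src, TokenBucket(self.per_ip_bps)))
        # Check every bucket before charging any, so a global drop does not
        # also burn the host's own per-IP allowance.
        if not all(b.has(p.t, p.bits) for b in buckets):
            return False
        for b in buckets:
            b.tokens -= p.bits
        return True


class Firewall:
    IDLE_TIMEOUT = 30.0  # seconds a session entry survives without packets

    def __init__(self, policies):
        self.policies = policies
        self.sessions = {}  # 5-tuple -> (matched policy or None, last seen)
        self.stats = {"forwarded": 0, "dropped": 0, "per_ip": {}}

    def process(self, p):
        key, hit = p[:5], self.sessions.get(p[:5])
        if hit and p.t - hit[1] < self.IDLE_TIMEOUT:
            pol = hit[0]  # session hit: no re-identification
        else:             # first packet, or the entry has aged out
            pol = next((x for x in self.policies if x.matches(p, classify(p))), None)
        # Keep the entry for denied flows too: without it the flow would be
        # re-identified and could pass as "unknown" once the marker is gone.
        self.sessions[key] = (pol, p.t)
        ok = pol.admit(p) if pol else True  # no matching policy: forwarded unlimited
        self.stats["forwarded" if ok else "dropped"] += p.bits
        if ok:
            self.stats["per_ip"][p.src] = self.stats["per_ip"].get(p.src, 0) + p.bits
        return ok


def run_segment_limit(seconds=10):
    """Section 2.1 example: 172.16.1.1-200 at 1 Mbit/s per IP, 150 Mbit/s in total.
    Constructed load: each host offers 1.2 Mbit/s (100 x 1500-byte packets/s)."""
    hosts = [f"172.16.1.{i}" for i in range(1, 201)]
    fw = Firewall([Policy("172.16.1.1", "172.16.1.200", per_ip_bps=1_000_000, global_bps=150_000_000)])
    for i in range(seconds * 100):
        for h, src in enumerate(hosts):
            fw.process(Packet(src, "203.0.113.10", "tcp", 40000 + h, 80, 12_000, i / 100 + h * 1e-6))
    fw.process(Packet("172.16.2.5", "203.0.113.10", "tcp", 40000, 80, 12_000, float(seconds)))  # outside the segment: unlimited
    return fw.stats


def run_dpi_deny():
    """Section 2.2 Deny: only the first packet carries the marker; the cached verdict
    drops the rest until the entry ages out, then the flow is re-identified as
    "unknown" and passes under the plain limit policy."""
    fw = Firewall([
        Policy("172.16.1.1", "172.16.1.200", app="thunder", action="deny"),
        Policy("172.16.1.1", "172.16.1.200", per_ip_bps=1_000_000, global_bps=150_000_000),
    ])
    flow = dict(src="172.16.1.50", dst="198.51.100.7", proto="tcp", sport=40001, dport=15000, bits=8_000)
    verdicts = [fw.process(Packet(**flow, t=0.0, payload=b"..XUNLEI.."))]
    verdicts += [fw.process(Packet(**flow, t=0.5 * i)) for i in range(1, 6)]
    verdicts.append(fw.process(Packet(**flow, t=100.0)))  # 97.5 s idle: entry aged out
    return verdicts
```

Two things the model makes visible. With 200 hosts each offering more than their 1 Mbit/s, the per-IP buckets cap every host at roughly 11 Mbit over the 10 s run (one second of burst plus ten seconds of rate), and the single global bucket then admits about 150 Mbit/s in first-come order, so the hosts that tend to arrive first in each interval keep their full allowance while later ones are dropped; a global limit alone does not share fairly, which is what the guaranteed bandwidth of section 2.5 is for. In run_dpi_deny the marker appears only in the first packet: the cached verdict drops the next five, but once the entry has idled past the timeout the flow is classified again, comes back as "unknown" and is forwarded under the ordinary limit policy, which is exactly the failure the white paper's note about keeping the session entry guards against.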

2.4 Local and Global Traffic Control

The two methods, local and global traffic control, can be used at the same time.

Per-IP/user traffic limiting: applied between two security zones in the inbound or outbound direction, limiting traffic per IP address or per user.
Global traffic limiting: applied between two security zones in the inbound or outbound direction, limiting all traffic that matches a traffic limiting policy.

For example, an enterprise has department A and department B and a total egress bandwidth of 10 Mbit/s. To control the Internet access of employees in the two departments, set the maximum Thunder bandwidth to 100 kbit/s for each employee in department A and to 200 kbit/s for each employee in department B, and at the same time set the total egress bandwidth of department A to 2 Mbit/s and that of department B to 6 Mbit/s. For privileged users such as the chief manager, set the maximum bandwidth to 2 Mbit/s.

2.5 Bandwidth Guarantee

Guaranteed bandwidth: the bandwidth that is always available to an IP address. As long as the total maximum bandwidth assigned to the network segment is not used up, an IP address may use more than its guaranteed bandwidth, up to its maximum bandwidth. Traffic of an IP address above its guaranteed bandwidth is forwarded while the total outbound traffic stays within the upper limit and discarded once the total exceeds it.
Maximum bandwidth: the most traffic an IP address is allowed; the firewall discards traffic above it.
Total bandwidth: the total egress bandwidth of the network. It is usually set to the guaranteed bandwidth multiplied by the number of users, so that every user's guarantee can be honoured at the same time.

For example, an Internet cafe has 100 users and a total bandwidth of 100 Mbit/s. Set the guaranteed bandwidth of each user to 1 Mbit/s and the maximum bandwidth to a larger value, say 5 Mbit/s. With 10 users online, each user is guaranteed 1 Mbit/s and may use up to 5 Mbit/s. With all 100 users online, each user is guaranteed 1 Mbit/s.

2.6 Limiting on the Number of Connections

Limiting on the number of connections sets the maximum number of concurrent connections allowed for a user or a network. It is an effective way to contain applications that open many concurrent connections, such as P2P clients.

Per-IP concurrent connection limiting: limits the number of concurrent connections allowed for each IP address; the firewall blocks all further connections.
Global concurrent connection limiting: limits the number of concurrent connections that match a policy; the firewall blocks all further connections.

For example, on an enterprise LAN, to stop individual employees from opening too many connections and generating excessive download traffic, set the maximum number of concurrent connections to 100 per user and to 10,000 for the whole LAN.

2.7 Traffic-based Routing

On a network with multiple egresses, the path taken by each type of traffic must be set. For example, the firewall can forward P2P traffic through interface A and VoIP traffic through interface B. Alternatively, the firewall forwards all traffic through the primary interface, interface A, and when the traffic leaving the primary interface exceeds a preconfigured threshold, it sends the excess traffic to interface B.

3 Networking

As shown in the preceding figure, intranet users in the Trust zone are on network 192.168.1.0/24. They can access the Internet, and extranet users can access the FTP server in the demilitarized zone (DMZ).

Set the Internet upload and download bandwidth of each user in the Trust zone to 512 kbit/s and 1 Mbit/s respectively, and the total upload and download bandwidth of all users in the Trust zone to 10 Mbit/s and 20 Mbit/s. At most 20 connections from the Untrust zone to the FTP server in the DMZ are allowed, so that file downloads by extranet users neither congest the server nor exhaust ports on the firewall.

To verify the effect of the limits, view the packet discard and forwarding statistics on the command line interface (CLI) of the firewall. The same statistics show which IP address or application consumes the most bandwidth.

Appendix: Acronyms and Abbreviations

Abbreviation   Full Spelling
DPI            Deep Packet Inspection
VoIP           Voice over IP
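An added example, not from the white paper or the product, of the two remaining controls: the guaranteed/maximum/total bandwidth rule of section 2.5, applied to the Internet cafe figures, and the concurrent-connection limit of section 2.6, applied to the 20-connection FTP rule of section 3. The water-filling allocation, the ConnectionLimiter bookkeeping, the server address 10.1.1.20 and the client addresses are assumptions made for this example.

```python
"""Bandwidth guarantee (section 2.5) and concurrent-connection limiting (section 2.6)
applied to the Internet cafe and DMZ FTP scenarios.  Added illustration, not Huawei
code: the water-filling rule, the session bookkeeping and all addresses are assumed."""
from collections import defaultdict


def allocate(demands, guaranteed, maximum, total):
    """Share `total` among the active users in `demands` (user -> offered rate).
    Every user first gets min(demand, guaranteed); the remaining capacity is then
    levelled across users that still want more, never beyond `maximum`."""
    if guaranteed * len(demands) > total:
        raise ValueError("guarantees cannot be honoured: sum(guaranteed) > total")
    alloc = {u: min(d, guaranteed) for u, d in demands.items()}
    spare = total - sum(alloc.values())
    wanting = {u for u, d in demands.items() if min(d, maximum) > alloc[u]}
    while spare > 1e-9 and wanting:
        share = spare / len(wanting)
        for u in list(wanting):
            room = min(demands[u], maximum) - alloc[u]
            give = min(room, share)
            alloc[u] += give
            spare -= give
            if give >= room - 1e-9:  # satisfied or capped at maximum: drop out
                wanting.discard(u)
    return alloc


class ConnectionLimiter:
    """Counts live sessions per key (here: zone pair plus server) and refuses new
    ones once `limit` is reached; packets of an existing session are not new."""

    def __init__(self, limit):
        self.limit = limit
        self.live = defaultdict(set)  # key -> set of client (address, port) pairs

    def open(self, key, conn):
        if conn in self.live[key]:
            return True
        if len(self.live[key]) >= self.limit:
            return False  # excess connection: blocked
        self.live[key].add(conn)
        return True

    def close(self, key, conn):
        self.live[key].discard(conn)  # session end or aging frees the slot


def net_cafe(online, demand=8.0):
    """Section 2.5 example: 100 seats, 100 Mbit/s total, 1 Mbit/s guaranteed,
    5 Mbit/s maximum; `online` users each ask for `demand` Mbit/s."""
    return allocate({f"seat{i}": demand for i in range(online)}, 1.0, 5.0, 100.0)


def run_ftp_scenario(limit=20, clients=25):
    """Section 3: at most 20 Untrust->DMZ connections to the FTP server.
    Constructed input: 25 extranet clients connect, 3 of the accepted ones
    disconnect, then 3 new clients try."""
    lim = ConnectionLimiter(limit)
    key = ("untrust", "dmz", "10.1.1.20", 21)  # assumed FTP server address
    conns = [(f"198.51.100.{i}", 50000 + i) for i in range(1, clients + 1)]
    accepted = [c for c in conns if lim.open(key, c)]
    for c in accepted[:3]:
        lim.close(key, c)
    retried = [lim.open(key, (f"203.0.113.{i}", 50000 + i)) for i in range(1, 4)]
    return {"accepted": len(accepted), "refused": clients - len(accepted),
            "accepted_after_close": sum(retried), "live": len(lim.live[key])}


if __name__ == "__main__":
    for n in (10, 30, 100):
        a = net_cafe(n)
        print(f"{n:3d} users online: each gets {min(a.values()):.2f}-{max(a.values()):.2f} Mbit/s")
    print(run_ftp_scenario())
```

allocate() is a per-interval model of what the firewall's drop decisions achieve over time rather than the enforcement path itself. With 10 users online each reaches the 5 Mbit/s maximum, with 100 online each gets its 1 Mbit/s guarantee, and with 30 users asking for 5 Mbit/s each gets 1 Mbit/s plus an equal share of the remaining 70, that is 3.33 Mbit/s. The guard at the top refuses a configuration whose guarantees add up to more than the total, which is the reason the paper sizes the total as guaranteed bandwidth times user count; note also that the unused part of a light user's guarantee is handed to others, not held back. In the connection limiter a slot is returned only when the session closes or ages out, so the session idle timeout decides how quickly the 20 FTP slots recycle and is as much part of the control as the number itself.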