
HUAWEI USG6000 Series NGFW

Александр Миляр
milyar.alexander@huawei.com
Overview of the USG6000 V500R001C30 Go-to-Market Schedule

V500R001C30 models:
• Desktop: USG6305, USG6305-W, USG6320; USG6310S, USG6310S-W, USG6310S-WL-OVS
• 1 U: USG6330/6350/6360, USG6370/6380/6390; USG6620/6630
• 3 U: USG6650/6660/6670/6680
• Models highlighted in red on the original slide are new models (the new desktop models are detailed on the next slide).

1
Overview of New USG6000 Models (desktop firewalls)

-W models are equipped with fat APs, which allow access through Wi-Fi. The USG6310S-WL-OVS has an external USB LTE module and a built-in 4G LTE module that provides a backup LTE uplink; these two modules implement dual LTE uplinks.

Model | Fixed ports | Wi-Fi | 4G LTE | Throughput
USG6305 | 4 x GE electrical | Not supported | Optional; 4G LTE data card supported by external USB | 800 Mbit/s
USG6305-W | 4 x GE electrical | 5 GHz/2.4 GHz | Optional; 4G LTE data card supported by external USB | 800 Mbit/s
USG6310S | 8 x GE electrical | Not supported | Optional; 4G LTE data card supported by external USB | 1.2 Gbit/s
USG6310S-W | 8 x GE electrical | 5 GHz/2.4 GHz | Optional; 4G LTE data card supported by external USB | 1.2 Gbit/s
USG6310S-WL-OVS | 8 x GE electrical | 5 GHz/2.4 GHz | Built-in LTE module; 4G LTE data card supported by external USB | 1.2 Gbit/s

2
New 600 GB Hard Disks (SAS-600GB)

Model | 300 GB hard disk | 600 GB hard disk
USG6650 (AC/DC power supply) | Optional; two 300 GB hard disks (RAID1) supported | Optional; two 600 GB hard disks (RAID1) supported
USG6660 (AC/DC power supply) | Optional; two 300 GB hard disks (RAID1) supported | Optional; two 600 GB hard disks (RAID1) supported
USG6670 (AC/DC power supply) | Optional; two 300 GB hard disks (RAID1) supported | Optional; two 600 GB hard disks (RAID1) supported
USG6680 (AC power supply) | Optional; two 300 GB hard disks (RAID1) supported | Optional; two 600 GB hard disks (RAID1) supported
USG6680 (DC power supply) | - | Not supported

Remarks: Only 3 U models support 600 GB hard disks. 300 GB and 600 GB hard disks cannot be used together.
3
Huawei NGFW Portfolio

• Form factors: desktop, 1 U and 3 U
• 500 Mbit/s to 40 Gbit/s application identification throughput; up to 15 Gbit/s IPS+AV capability
• Interfaces: a minimum of 4 x GE, expandable to 56 x GE + 8 x SFP + 14 x 10GE

3 U:
• USG6680, 40 Gbit/s, 4 x 10GE + 16 x GE + 8 x SFP
• USG6670, 35 Gbit/s, 4 x 10GE + 16 x GE + 8 x SFP
• USG6660, 25 Gbit/s, 2 x 10GE + 8 x GE + 8 x SFP
• USG6650, 20 Gbit/s, 2 x 10GE + 8 x GE + 8 x SFP

1 U:
• USG6630, 16 Gbit/s, 8 x GE + 4 x SFP
• USG6620, 12 Gbit/s, 8 x GE + 4 x SFP
• USG6390, 8 Gbit/s, 8 x GE + 4 x SFP
• USG6380, 6 Gbit/s, 8 x GE + 4 x SFP
• USG6370, 4 Gbit/s, 8 x GE + 4 x SFP
• USG6360, 3 Gbit/s, 4 x GE + 2 x combo
• USG6350, 2 Gbit/s, 4 x GE + 2 x combo
• USG6330, 1 Gbit/s, 4 x GE + 2 x combo

Desktop:
• USG6320, 2 Gbit/s, 8 x GE
• USG6310S/-W/-WL-OVS, 1 Gbit/s, 8 x GE
• USG6305/-W, 500 Mbit/s, 4 x GE

Extension modules: WSIC-2 x SFP + 8 x GE, WSIC-8 x GE, WSIC-4 x GE-Bypass, WSIC-8 x SFP, SAS-300GB, SAS-600GB
4
Contents

1 USG6000 Application Background and Highlights

2 USG6000 Application Scenarios

3 Success Stories

5
Perfect — Fine-grained Control and Comprehensive Security
6
Integrated Policy: Integrated Security Protection

Security capabilities are deeply integrated with service awareness (SA). Six dimensions (6D) are managed and controlled:
• Application: 6000+ SA
• Content: 20+ file content identification; 60+ file type identification
• Time
• User: 8 user authentication methods
• Attack: 3000+ new threat identification
• Location: location library
Knowledge bases: 5M malicious code, 8.5M URLs

Comprehensive context awareness:
• Intrusion detection and antivirus based on SA
• Content filtering based on SA
• Different users, locations and times correspond to different authority
• Deeper security defense for high-risk applications

NGFW security policy: 5-tuple + application + content + attack + time + user + location -> action
7
Policy Integration: Simplify Management and Improve Efficiency

Access control policies (access control area) and content security policies such as IPS and AV (content security area) are configured in a single interface.
8
Applications Are Used for Access Control, Not Only for Online Behavior Management

Whitelist mode (for example, only ERP, CRM, Mail and Microblog are permitted):
Identifies as many applications as possible, implements minimal authorization, allows only necessary services, and blocks unidentifiable applications, so they cause no harm. This typical firewall management mode is more secure than the blacklist mode.

VS

Blacklist mode (for example, only Emule and Games are blocked):
Identifies a limited number of applications and allows unidentifiable applications, which may be harmful. An NGFW working in online behavior management mode is not secure.

9
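The decision logic behind this comparison, written out as an added example (it is not Huawei code and not the USG6000's own engine): a tiny application identifier with a constructed signature table, and the two policy modes evaluated over constructed sample flows, including an unknown protocol tunnelled over port 80 that a blacklist lets through.

```python
"""Added example, not Huawei code: a minimal application-control decision
engine showing why whitelist (default deny) mode is safer than blacklist
(default allow) mode when an application cannot be identified.
The signature table, application names and sample flows are constructed
for illustration only."""
from dataclasses import dataclass
from typing import Optional

# Constructed application signature table (assumption):
# (destination port, payload prefix) -> application name.
SIGNATURES = {
    (80, b"GET "): "HTTP",
    (443, b"\x16\x03"): "HTTPS",        # TLS record header
    (25, b"EHLO"): "Mail",
    (4662, b"\xe3"): "Emule",           # eDonkey protocol marker
}


@dataclass(frozen=True)
class Flow:
    dst_port: int
    payload: bytes


def identify(flow: Flow) -> Optional[str]:
    """Return the application name, or None when the flow is unidentifiable."""
    for (port, prefix), app in SIGNATURES.items():
        if flow.dst_port == port and flow.payload.startswith(prefix):
            return app
    return None


def whitelist_decide(flow: Flow, allowed: set) -> str:
    """Default deny: only explicitly allowed, positively identified apps pass.
    An unidentified flow (None) is never in `allowed`, so it is blocked."""
    return "allow" if identify(flow) in allowed else "block"


def blacklist_decide(flow: Flow, denied: set) -> str:
    """Default allow: only explicitly denied apps are blocked, so anything the
    engine cannot identify (tunnels, new P2P variants) is let through."""
    return "block" if identify(flow) in denied else "allow"


def evaluate(flows, allowed, denied):
    """Side-by-side verdicts: (identified app, whitelist verdict, blacklist verdict)."""
    return [(identify(f), whitelist_decide(f, allowed), blacklist_decide(f, denied))
            for f in flows]


# Constructed sample traffic: normal web, a known P2P client, and an unknown
# protocol tunnelled over port 80 to look like web traffic.
SAMPLE_FLOWS = [
    Flow(80, b"GET /index.html HTTP/1.1\r\n"),
    Flow(4662, b"\xe3\x01\x00\x00"),
    Flow(80, b"\x00\x01custom-tunnel"),
]
ALLOWED = {"HTTP", "HTTPS", "Mail"}        # whitelist: necessary services only
DENIED = {"Emule", "Games"}                # blacklist: known-bad only

if __name__ == "__main__":
    for app, wl, bl in evaluate(SAMPLE_FLOWS, ALLOWED, DENIED):
        print(f"{str(app):>8}: whitelist={wl:5}  blacklist={bl}")
```

The third flow is the point of the slide: it matches no signature, so the whitelist blocks it and the blacklist allows it. A real engine has thousands of signatures, but the asymmetry between the two defaults is the same.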
Application Awareness: See Business More Clearly, Control It More Finely

5 categories and 33 subcategories, for example:
• Business_Systems: Database (e.g. MySQL), ...
• Entertainment: Game (e.g. Warcraft), Social_Networking (e.g. Facebook), P2P (Thunder, eDonkey, BT), ...
• General_Internet: Web_Browsing, File_Sharing, ...
• Network: Encrypted_Tunnel (e.g. IPSec), ...
• General: General_TCP, ...

Data transmission model: client-server, browser-based, networking, peer-to-peer

Risk type and risk level per application: Exploitable, Malware-vehicle, Productivity-loss, Bandwidth-consuming, Evasive, Data-loss, Tunneling

✓ 6000+ applications
✓ Covers all the main applications
✓ Supports hot applications: encrypted P2P, Web 2.0, mobile apps
✓ Quick response to customized demand
10
11
User Awareness: I Know Who You Are

Facing changing user IP addresses: policies follow the user, not the address.

8 authentication modes (the slide names seven): Local, RADIUS, LDAP, AD domain, RSA SecurID, TSM, and HWTACACS authentication

Values:
• Follows the mobile working trend
• User-based security policies
• User-based bandwidth management policies
• User-based online behavior management
12
Location Awareness: Where Attacks Are

IP address -> location

Identification granularity:
• China: city
• U.S.: state
• Others: country
• Support for IP segment-based location definition

Application scenarios:
• Traffic map: location-based application statistical analysis report
• Attack map: location-based attack statistical analysis report
• Location policy: access permissions varying according to location

For example: some data can be accessed at headquarters, but not at branches.
13
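How the IP-segment-based location library and a location policy fit together, as an added example (not Huawei code): a longest-prefix lookup from a constructed CIDR-to-location library, a first-match location policy that implements "accessible at headquarters, not at branches", and the per-location aggregation that feeds an attack map. All networks, locations and rules are assumptions for illustration.

```python
"""Added example, not Huawei code: IP-to-location lookup with user-defined
IP segments (longest prefix wins), a location-based access policy, and the
aggregation behind a simple "attack map". The location library, policy
and sample events are constructed for illustration."""
import ipaddress
from collections import Counter

# Constructed location library (assumption): CIDR -> location. A more
# specific segment (/16 branch) overrides the broader /8 corporate entry.
LOCATION_LIB = {
    "10.0.0.0/8": "Corporate",
    "10.1.0.0/16": "Headquarters",
    "10.2.0.0/16": "Branch-Shenzhen",
    "203.0.113.0/24": "US:California",
}


def build_lib(entries):
    """Sort by prefix length, longest first, so the first match is the most specific."""
    nets = [(ipaddress.ip_network(cidr), loc) for cidr, loc in entries.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)


LIB = build_lib(LOCATION_LIB)


def locate(ip, lib=LIB):
    """Return the location of an address, or "Unknown" if no segment matches."""
    addr = ipaddress.ip_address(ip)
    for net, loc in lib:
        if addr in net:
            return loc
    return "Unknown"


# Constructed location policy (assumption): first match wins, "*" is a wildcard.
# Finance data is reachable from headquarters only.
POLICY = [
    ("Headquarters", "finance-db", "permit"),
    ("*", "finance-db", "deny"),
    ("*", "*", "permit"),
]


def decide(src_ip, resource, policy=POLICY, lib=LIB):
    """Return (source location, action). Fail closed if no rule matches."""
    loc = locate(src_ip, lib)
    for rule_loc, rule_res, action in policy:
        if rule_loc in ("*", loc) and rule_res in ("*", resource):
            return loc, action
    return loc, "deny"


def attack_map(events, lib=LIB):
    """Count attack events per source location (the 'attack map' report)."""
    return Counter(locate(src, lib) for src in events)


if __name__ == "__main__":
    print(decide("10.1.5.9", "finance-db"))      # HQ user: permit
    print(decide("10.2.3.4", "finance-db"))      # branch user: deny
    print(attack_map(["203.0.113.7", "203.0.113.8", "192.0.2.1"]))
```

Ordering the library by prefix length is what makes a user-defined segment override the broader geo entry it sits inside; without it a branch address would match the corporate /8 first and get the wrong policy.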
Direct Way to Security — Excellent Performance, Optimal Experience
14
Comprehensive Security

• Comprehensive context security: awareness of applications, content, time, users, attacks, and locations; 8 user authentication modes
• Application awareness: 6000+ application protocol identification
• Intrusion prevention and antivirus: 5500+ attack detection; 90+% false alarm rate (as printed on the slide; presumably a detection rate); 5 million+ virus detection
• Web security: 120 million+ URLs in the database; 130+ categories
• Email security: real-time anti-spam; content and keyword filtering; attachment virus detection and notification
• Data security: 30+ file reassembly and content filtering; 120+ file type filtering
• Network security: Anti-DDoS; VPN (IPSec/SSL/L2TP/MPLS/GRE ...)
• Routing: IPv4 static routing, RIP, OSPF, BGP, and IS-IS; IPv6 RIPng, OSPFv3, BGP4+, IPv6 IS-IS, IPv6 RD, and ACL6
15
Intrusion Prevention: 5500+ signatures

Detects and defends against over 5500 vulnerabilities; the vulnerability signatures are updated every week.

Only 2 vendors worldwide have passed ICSA IPS certification.
16
Anti-Virus: faster scanning and fresher signatures

• Flow-based antivirus scanning over a rich set of protocols
• Signature database updated daily
• Faster scanning than competitors' appliances
17
APT Defense (NGFW interworking with FireHunter over the WAN/Internet)

Encryption and authentication: HTTPS is used to transmit the interworking data, and CA certificates are used to authenticate the FireHunter.

Precise filtering: the NGFW restores the specified types of files uploaded or downloaded using specified protocols and sends the restored files to the FireHunter for detection; the FireHunter returns the detection results.

Attack detection and mitigation within 60 seconds: Huawei FireHunter detects attacks within 30 seconds and can interwork with the NGFW to mitigate the attacks within 60 seconds.
18
File Filtering and Content Filtering: Data Loss Prevention

Examples of sensitive content: "XXXXXX price XXXX...", "credit card number: XXXX", "XXXXXXXXX Bidding material XXXXXX".

Able to identify the actual file type and filter sensitive content, even when it is hidden in compressed files or the file extension has been modified.

19
File Blocking: Preventing Sensitive Data Leaks Through Files
Identification of 120+ real file types; identification through user-defined extension names

20
Data Filtering: Checking File Content
Data check for 30+ types of files; predefined keyword groups
21
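The three slides above describe one pipeline: identify the real file type regardless of extension, look inside archives, and scan text for keyword groups and card numbers. The following is an added example of that pipeline (not Huawei code and not the USG6000's implementation): a magic-byte type identifier with a small constructed table, ZIP recursion with depth and size bounds against archive bombs, Luhn validation of candidate card numbers, and a block/allow verdict. The sample archive, keyword group and magic table are constructed for illustration.

```python
"""Added example, not Huawei code: file blocking and data filtering that
identifies the real file type from magic bytes (ignoring the extension),
descends into ZIP archives, and scans text for a keyword group and
Luhn-valid card numbers. Magic table, keywords and the sample archive are
constructed for illustration."""
import io
import re
import zipfile

# Real-type identification by leading bytes (small constructed table).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
]
# What a given extension claims to be, for mismatch detection.
EXT_CLAIMS = {"pdf": "pdf", "zip": "zip", "png": "png", "jpg": "jpeg",
              "jpeg": "jpeg", "exe": "exe", "txt": "text"}
BLOCKED_TYPES = {"exe", "elf"}                   # file blocking policy
KEYWORDS = ("bidding material", "price list")    # predefined keyword group
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def real_type(data: bytes) -> str:
    """Type from content, never from the file name."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append("credit-card")
    lowered = text.lower()
    hits.extend(f"keyword:{k}" for k in KEYWORDS if k in lowered)
    return hits


def inspect_file(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> list:
    """Return [(path, real type, extension mismatch, hits)] for the file and,
    for archives, every member (bounded depth and size against zip bombs)."""
    kind = real_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    mismatch = ext in EXT_CLAIMS and EXT_CLAIMS[ext] != kind
    hits = find_sensitive(data.decode("utf-8")) if kind == "text" else []
    report = [(name, kind, mismatch, hits)]
    if kind == "zip" and depth < max_depth:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > 10_000_000:
                    continue                      # refuse oversized members
                report += inspect_file(f"{name}/{info.filename}", zf.read(info),
                                       depth + 1, max_depth)
    return report


def verdict(report: list) -> str:
    """Block if any file is a blocked type or carries sensitive content."""
    for _, kind, _, hits in report:
        if kind in BLOCKED_TYPES or hits:
            return "block"
    return "allow"


def make_sample_archive() -> bytes:
    """Constructed upload: a text document renamed to .jpg inside a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quote.jpg", "Bidding material for tender 2017-Q3. "
                                 "Card on file: 4111 1111 1111 1111.")
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    rep = inspect_file("upload.zip", make_sample_archive())
    for row in rep:
        print(row)
    print(verdict(rep))
```

The renamed member is reported as real type "text" with an extension mismatch and two hits, so the whole upload is blocked; an executable renamed to .txt is caught by the type check alone. The depth and member-size limits are the caveat a real filter needs: an inspector that recurses without bounds is itself a denial-of-service target.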
URL Category Database with Abundant URL Categories to Provide Powerful URL Filtering

120 million+ URLs in 130+ categories for URL filtering, including filtering of encrypted (HTTPS) traffic, and QoS optimization for access to the various URL categories.
22
SSL Encrypted Traffic Security

More and more websites use HTTPS, and SSL traffic is a blind spot for security. Content security is applied after SSL decryption:
• URL filtering
• Anti-virus
• Intrusion prevention
• Content filtering
• File filtering
• Activity control
23
Integrated VPN Client: SecoClient

Core VPN services: L2TP, IPSec, SSL. OS adaptation: Windows, Mac OS.
• Automatic optimal gateway and link selection
• Terminal security check and cache clearing
• Roaming and reconnection
• Customizable client logo and configuration
• Multiple languages and import of new languages
• Import and export of log, diagnosis, and configuration files

Unified presentation and in-depth coupling with the gateway simplify usage and enhance security.
24
Self-Learning Anti-DDoS Parameters

• Defends against over 10 types of DDoS attacks
• Automatically sets thresholds by learning the traffic
25
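What "automatically set threshold by learning traffic" involves, shown as an added example (not Huawei code and not the USG6000's algorithm): a learning window of constructed SYN-per-second samples, a naive mean-based threshold that is poisoned by a burst that happened during learning, a robust median/MAD threshold that is not, and a detector that only alarms when the rate stays above threshold for several consecutive seconds. The sample values, the scaling constant and the margin are assumptions for illustration.

```python
"""Added example, not Huawei code: self-learning of an anti-DDoS threshold
from observed traffic. Shows a naive mean-based threshold being poisoned by
a spike that occurred during the learning window, a robust median/MAD
threshold that is not, and a detector that requires the rate to stay above
threshold for several consecutive seconds. The SYN-per-second samples are
constructed for illustration."""
import statistics


def naive_threshold(samples, k=3.0):
    """mean + k*stddev: inflated by any attack traffic seen while learning."""
    return statistics.mean(samples) + k * statistics.pstdev(samples)


def learn_threshold(samples, k=3.0, margin=0.5, floor=100.0):
    """Robust baseline: median + max(k * scaled MAD, margin * median).
    The median ignores a short burst inside the learning window, and the
    margin keeps a minimum headroom when the baseline is very steady."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples)
    sigma = 1.4826 * mad            # MAD scaled to a stddev equivalent
    return max(floor, med + max(k * sigma, margin * med))


def detect_flood(series, threshold, hold=3):
    """Return the index at which an alarm fires: `hold` consecutive seconds
    above threshold. A single spike (a flash crowd) does not alarm."""
    streak = 0
    for i, rate in enumerate(series):
        streak = streak + 1 if rate > threshold else 0
        if streak >= hold:
            return i
    return None


# Constructed learning window: 30 s of normal SYN/s around 1000, then a
# 3 s burst that happened to fall inside the learning period.
LEARNING = [980, 1010, 1000, 995, 1020, 990, 1005, 1000, 1015, 985] * 3 \
           + [20000, 22000, 21000]

if __name__ == "__main__":
    print("naive  :", round(naive_threshold(LEARNING)))
    print("robust :", learn_threshold(LEARNING))
    t = learn_threshold(LEARNING)
    print("alarm at second", detect_flood([1000, 1100, 5000, 900, 5000, 5000, 5000], t))
```

On this window the naive threshold lands around 20000 SYN/s, which would let a flood twenty times the normal rate pass unnoticed; the robust one stays at 1500. That is the caveat with any self-learning parameter: learning must be resistant to, or excluded during, the very traffic it is meant to catch.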
Bandwidth Management

• Bandwidth guarantee for key services
• Bandwidth limit
• Connection limit
• QoS tag remarking
26
QoS Optimization: Intelligent Uplink Selection

Challenges in multi-ISP access (example links: Unicom, Telecom, Education network):
• Settlement costs are constantly high, and the quality of key services cannot be guaranteed.
• Some links are always congested, whereas others are always idle.
• The Telecom interface is selected when traffic is destined for the Unicom network, and the Telecom interface responds when the user initiating the access request resides on the Unicom network.

Uplink selection functions:
• Service- (application-) based selection
• Destination ISP-based selection
• DNS transparent proxy and smart DNS
• Link load balancing by link bandwidth, link weight and link quality; overload protection; active/standby backup by link priority

Sticky session for intelligent uplink selection: prevents user disconnection and guarantees service stability in scenarios of overload protection or with multiple destination server applications (such as e-banking and Alipay).
27
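The selection functions listed above, combined into one small selector as an added example (not Huawei code and not the USG6000's implementation): destination-ISP-based selection from a constructed ISP prefix library, bandwidth-weighted hashing for destinations outside it, failover to a live link, and sticky sessions so that an established session is not moved between links when a link returns. Link names, bandwidths and prefixes are assumptions.

```python
"""Added example, not Huawei code: intelligent uplink selection with
destination-ISP-based routing, bandwidth-weighted load balancing for other
destinations, failover to a live link, and sticky sessions so an existing
session is not moved between links. Links, ISP prefix lists and addresses
are constructed for illustration."""
import hashlib
import ipaddress

# Constructed uplinks: name -> bandwidth weight (Mbit/s) and state.
LINKS = {
    "telecom": {"bandwidth": 100, "up": True},
    "unicom": {"bandwidth": 50, "up": True},
}
# Constructed ISP address library: which ISP owns which prefixes.
ISP_PREFIXES = {
    "telecom": [ipaddress.ip_network("198.51.100.0/24")],
    "unicom": [ipaddress.ip_network("203.0.113.0/24")],
}


def isp_of(dst):
    """Return the ISP owning the destination, or None if not in the library."""
    addr = ipaddress.ip_address(dst)
    for isp, prefixes in ISP_PREFIXES.items():
        if any(addr in net for net in prefixes):
            return isp
    return None


def weighted_pick(key, links):
    """Hash the session key onto the bandwidth-weighted range of live links:
    deterministic per session, proportional to link bandwidth overall."""
    live = [(name, link["bandwidth"]) for name, link in links.items() if link["up"]]
    if not live:
        raise RuntimeError("no uplink available")
    slot = int(hashlib.sha256(key.encode()).hexdigest(), 16) % sum(w for _, w in live)
    for name, weight in live:
        if slot < weight:
            return name
        slot -= weight
    raise AssertionError("unreachable")


class UplinkSelector:
    def __init__(self, links):
        self.links = links
        self.sessions = {}          # session key -> chosen link (sticky)

    def select(self, src, dst, dport):
        key = f"{src}>{dst}:{dport}"
        chosen = self.sessions.get(key)
        if chosen and self.links[chosen]["up"]:
            return chosen           # sticky: keep the session on its link
        isp = isp_of(dst)
        if isp and self.links[isp]["up"]:
            chosen = isp            # destination-ISP-based: avoid cross-ISP settlement
        else:
            chosen = weighted_pick(key, self.links)
        self.sessions[key] = chosen
        return chosen


if __name__ == "__main__":
    sel = UplinkSelector(LINKS)
    print(sel.select("10.0.0.5", "203.0.113.9", 443))   # Unicom destination
    LINKS["unicom"]["up"] = False
    print(sel.select("10.0.0.5", "203.0.113.9", 443))   # fails over to telecom
```

Hashing the session key rather than picking randomly gives stickiness even before the session table is consulted, and the table is what keeps a session where it was after a failover, which is the "prevents user disconnection" property of the slide: moving a session back when the preferred link recovers would change its source address and break long-lived connections.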
IPSec Intelligent Uplink Selection: Use Scenario

• Branches connect to the HQ through VPN.
• The Internet backs up the dedicated network, and the VPN bears the office-network services.
• The Internet is not stable (for example in remote mountain areas).

Topology: the HQ (office network, DC, DMZ) and a regional DC / regional center network sit behind NGFWs and are reachable from the branch NGFW over both the dedicated network and the Internet (ISP1, ISP2).
28
Virtualized Security Protection: Border Security of Cloud Data Centers

Virtual system border defense:
✓ Border protection for up to 1000 virtual systems
✓ Application identification, IPS, antivirus, and URL filtering
✓ Virtualized security protection
✓ Resource virtualization
✓ Virtualized floating of security policies

Tenant-specific management (each virtual system A, B, C has its own session, bandwidth, security and policy-number quotas):
✓ Customized security management for tenants
✓ Customized QoS management for tenants
29
Optimal Protection Performance: Hardware and Software Integration for 10-Gigabit-Level Protection

Huawei approach: everything UNIFIED
• UNIFIED App/Threat Description Language (MTDL, UNIFIED DL): intrusion (IPS), Trojan horse (AV), exploit and URL signatures are described in one language.
• UNIFIED Security Scan (UNIFIED Scan): data identification, parsing, response and handling run once, in a single software pipeline.
• UNIFIED Pattern Match (UNIFIED PM): regular and non-regular pattern matching is performed in hardware, and the result is returned to software.

Industry approach: separate definitions, one-by-one detection, software only
• IPS, AV, exploit and URL detection are each defined separately, and data is identified, parsed and handled once per engine, in software.

Can the firewall maintain high performance when all security features are enabled?
• A single resolution engine (IAE) improves software performance, on a high-speed hardware platform and architecture.
➢ Highest application-layer processing performance (under the same firewall performance)
➢ Industry-leading IPS and full threat defense performance
30
Introduction to IAE

The Intelligent Awareness Engine (IAE) is the single engine behind application identification, intrusion prevention, antivirus, web security (URL category), file security and DLP. It is fed by the application signature database, IPS signature database, antivirus signature database, web attack database, URL category database and DLP database.
31
All under Control — Cloud-based Management and Simplified O&M
32
Are You Ready for NGFW Management?

Conventional firewall (Layer 4): IP, port, protocol. NGFW (Layer 7): application, user, location, content, threat, VPN, anti-spam, anti-DDoS, IPS, AV, URL, DLP.

• Management dimension increased by one: from Layer 4 quintuple management to Layer 7 application and threat management
• Management granularity refined three to five times: application identification, IPS, and URL

You need an extremely efficient security administrator, or an NGFW capable of smart and automatic management.
33
Smart Policy: Intelligent Policy Management

• Policy tuning
34
Refined Policy Management: Compatible with the Unified Security Policy Management Platform FireMon

FireMon: world-leading firewall security policy management solution provider. Functions: configuration and policy change management, topology display, policy analysis, security audit, policy planning.

NGFW + FireMon joint solution:
• Accurate policy management
• Compliance with the management requirements of sensitive industries and large enterprises
• Unified, visualized security management
• Simplified configuration to reduce O&M costs
35
Open API: Programmable NGFW Management

Programmable management through the API (MSSP/OSS -> API -> NGFW):
✓ Define security and authentication policies
✓ Dynamic user logon
✓ Define address objects and security zones
✓ Get NGFW system information
✓ ......

NGFW management no longer relies on network management software only. RESTful and NETCONF interfaces: open and extensible.
36
U Key (USB Key) Provisioning: Shorter Deployment Time, Less Manpower

Traditional deployment method: requires many professional engineers.
U key provisioning: insert a preset USB key to complete the deployment.

Especially valuable for large-scale deployment: the larger the scale, the more is saved.
37
Agile Cloud Management for Unified Operation of Massive Devices

Firewalls at branches and small and medium-sized enterprises register over the Internet with the cloud management platform (service hosted on the Huawei public cloud).

Plug-and-play; rapid rollout:
• Server hosting for small and medium-sized enterprises; interworking of massive branches for large enterprises
• Proactive registration of the firewall so that it can be managed by the cloud management platform
• Rapid device deployment requiring no manual intervention

Policy delivery; unified management:
• Remote service-level configuration management from the cloud NMS
• Remote device monitoring and fault management
• Cloud management of massive devices for simplified O&M

Note: This feature is already supported by the USG6300/6500 and is to be supported by the USG6600/9500.
38
2 USG6000 Application Scenarios
39
Network Security and Firewall (topology figure)

Enterprise network: office and data center, each with FW, IPS and endpoint security; DMZ with FW, WAF, SSL VPN and SOC. Remote/branch office with FW, IPS and endpoint security. Internet edge with Anti-DDoS. Cloud DC with FW, VFW, IPS and endpoint security.
40
Secure VPN Access to Branches

Topology: headquarters (USG6000 pair, intranet, RADIUS and CA, management system) connected over the Internet to branches and a remote site, each with a USG6000.

Security challenge:
➢ Unsecure access for branches and mobile working
➢ Unsecure data transmission on the Internet

VPN solution:
➢ Multiple VPN technologies, such as IPSec, L2TP, GRE, SSL, and MPLS
➢ Online expansion of the number of tunnels
➢ Carrier-class reliability

Solution values:
➢ Secure, flexible, and reliable VPN access
➢ Centralized service management
41
Policy Mobility: Group-based Service Flow and Application Security Policies

Agile Controller: centralized policy configuration and one-click policy delivery (to the security resource center switch / native AC, the campus egress NGFW and the DC egress NGFW).

Source group | Destination group | Application | Action | Application security | Devices to which policies are delivered
Guest | Internet | Not involved | Diverted to the security resource center | Not involved | Core switch
Employee | Internet | http | √ | AV+URL+SPAM | Campus egress NGFW
Employee | DC server | ALL | √ | AV | DC egress NGFW

Service flow policy:
Uses the service chain technology to divert traffic of a specific group on authentication point switches to the security resource center for processing. Specify the security devices through which the traffic passes and the traffic processing sequence. For example, divert the traffic of a guest to the Internet and set the traffic to pass through the firewall and AV device.

Application security policy:
Huawei's Next-Generation Firewall (NGFW) accurately identifies applications in the received service flow and applies the security policy defined for the user group and application. Security policy controls include traffic blocking, Intrusion Prevention System (IPS), Antivirus (AV), and content filtering. For example, traffic from an R&D employee using his or her own device is diverted to the security resource center, and application traffic unrelated to work (such as social application and gaming traffic) is filtered out.
42
3 Success Stories
43
Huawei Signing a Memorandum of Understanding with FireMon to Build a Joint Solution for NGFW Policy Management

Figures: signing venue at RSA 2016; Huawei NGFW on FireMon's policy management dashboard.

Jim Lewandowski, CEO of FireMon:


"FireMon is delighted to partner with Huawei in China as well as in the global marketplace. Huawei is a world-renowned ICT solution
provider. We believe that the integration of FireMon's leading firewall policy management solutions with Huawei's next-generation
firewall products will provide our customers with more robust and comprehensive next-generation firewall solutions."

44
The First in China to Earn the "Recommended" Rating from NSS Labs

Huawei is placed in the upper-right quadrant and earns the highest rating, "Recommended".

Key evaluation item | Huawei | Cisco
Security effectiveness (total) | 98.1% | 96.5%
Firewall: L4 policy | 100% supported | 100% supported
Firewall: application control | 100% supported | 100% supported
Firewall: identity control | 100% supported | 100% supported
IPS: intrusion blocking | 96.3% | 96.1%
IPS: network attack blocking | 99.95% | 96.94%
Anti-evasion | 100% supported | 100% supported
Stability | 100% supported | 100% supported

The NGFW's security capability reaches the world-class level.
45
The First in China to Earn the Best Threat Solution Award from SC Magazine 2016

Tony Morbin, Chief Editor of SC Magazine UK:


"Huawei solutions represent the most innovative and effective security technology on the
market. Attackers are continuously developing means to obtain sensitive data while
enterprises are continuously developing defense and handling measures. Huawei
USG/Eudemon series firewalls have won the award from SC Magazine due to their constant
improvement in the security industry."

46
Huawei NGFW: Securing Next-Generation Networks

Most in-depth security protection; simplest management configuration; highest performance experience; most sustainable security capability.

Александр Миляр
milyar.alexander@huawei.com
47
