Usg Firewall
Александр Миляр
milyar.alexander@huawei.com
Overview of the USG6000 V500R001C30 Go-to-Market Schedule
V500R001C30 models:
• USG6330/6350/6360, USG6620/6630
• USG6370/6380/6390
• USG6650/6660/6670/6680
• Models highlighted in red are new models.
Overview of New USG6000 Models
• -W models are equipped with fat APs.
• Desktop form factor: USG6310S-W: 8 x GE electrical ports; 5 GHz/2.4 GHz; 1.2 Gbit/s
• Desktop form factor: USG6310S-WL-OVS: 8 x GE electrical ports; 5 GHz/2.4 GHz; 1.2 Gbit/s; built-in LTE module; 4G LTE data card supported by external USB
• New models pictured: USG6305, USG6305-W, USG6310S, USG6310S-W, USG6310S-WL-OVS
New 600 GB Hard Disks: SAS-600GB
Huawei NGFW Portfolio
• Form factors: desktop/1 U/3 U
• 500 Mbit/s to 40 Gbit/s application identification throughput; up to 15 Gbit/s IPS+AV capability
• Interfaces: at the minimum 4 x GE, expandable to 56 x GE + 8 x SFP + 14 x 10GE
High-end models (3 U):
• USG6680: 40 Gbit/s, 4 x 10GE + 16 x GE + 8 x SFP
• USG6670: 35 Gbit/s, 4 x 10GE + 16 x GE + 8 x SFP
• USG6660: 25 Gbit/s, 2 x 10GE + 8 x GE + 8 x SFP
• USG6650: 20 Gbit/s, 2 x 10GE + 8 x GE + 8 x SFP
Contents
• 3 Success Stories
Integrated Policy: Integrated Security Protection
Security capabilities deeply integrated with service (application) awareness.
Policy Integration: Simplify Management and Improve Efficiency
Applications Are Used for Access Control But Not Online Behavior Management
Example applications in the diagram: ERP, CRM, Mail, Microblog, Emule, Games (all carried over port 80, so a port-based rule cannot tell them apart).
• Whitelist mode: identifies as many applications as possible, implements minimal authorization, allows only necessary services, and blocks unidentifiable applications, bringing no harm. This typical firewall management mode is more secure than the blacklist mode.
vs.
• Blacklist mode: identifies a limited number of applications and allows unidentifiable applications, which may be harmful. An NGFW working in online behavior management mode is not secure.
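To make the whitelist/blacklist comparison concrete, here is a small policy model added as an example (not Huawei code and not from the deck): three rule modes are evaluated over constructed flows that all use port 80, including one flow whose application the engine could not identify. The client addresses and the application sets are assumptions.

```python
from typing import Callable, Optional

# Constructed sample flows: (client IP, destination port, application identified by the
# NGFW's signatures, or None when the traffic could not be identified). Every flow uses
# port 80, so a Layer 4 (port-based) rule sees them all as "HTTP".
SAMPLE_FLOWS = [
    ("10.1.1.10", 80, "ERP"),
    ("10.1.1.11", 80, "CRM"),
    ("10.1.1.12", 80, "Mail"),
    ("10.1.1.13", 80, "Microblog"),
    ("10.1.1.14", 80, "Emule"),
    ("10.1.1.15", 80, "Games"),
    ("10.1.1.16", 80, None),  # unidentified: a new tunnelling tool, evasive malware, etc.
]

WHITELIST = {"ERP", "CRM", "Mail"}           # only the services the business needs
BLACKLIST = {"Microblog", "Emule", "Games"}  # only the applications someone thought of

Decision = Callable[[int, Optional[str]], str]


def port_only_decision(port: int, app: Optional[str]) -> str:
    """Conventional firewall rule 'permit tcp/80': application is never consulted."""
    return "allow" if port == 80 else "block"


def whitelist_decision(port: int, app: Optional[str]) -> str:
    """Firewall mode: allow only identified, authorised applications; block everything else."""
    return "allow" if app in WHITELIST else "block"


def blacklist_decision(port: int, app: Optional[str]) -> str:
    """Online behaviour management mode: block known bad applications, allow the rest,
    which includes traffic the engine could not identify."""
    return "block" if app in BLACKLIST else "allow"


def evaluate(flows, decide: Decision) -> dict:
    """Map each flow's application (or '<unidentified>') to the mode's decision."""
    return {(app or "<unidentified>"): decide(port, app) for _, port, app in flows}


def allowed_unidentified(flows, decide: Decision) -> int:
    """Count flows let through without knowing what they are: the mode's residual risk."""
    return sum(1 for _, port, app in flows if app is None and decide(port, app) == "allow")


if __name__ == "__main__":
    for name, decide in (("port-only", port_only_decision),
                         ("whitelist", whitelist_decision),
                         ("blacklist", blacklist_decision)):
        print(f"{name:9s}", evaluate(SAMPLE_FLOWS, decide),
              "unidentified allowed:", allowed_unidentified(SAMPLE_FLOWS, decide))
```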
Application Awareness: Clearer Business Visibility, Finer Control
User Awareness: I Know Who You Are
8 authentication modes:
• Local, RADIUS, LDAP, AD domain, SecureID, TSM, and HWTACACS authentication
Values:
• Following the mobile working trend
• User-based security policies
• User-based bandwidth management policies
• User-based online behavior management
Location Awareness: Where Attacks Are
IP location identification granularity:
• China: city
• U.S.: state
• Others: country
• Support for IP segment-based location definition
Application scenarios:
• Traffic map: location-based application statistical analysis report
• Attack map: location-based attack statistical analysis report
• Location policy: access permissions varying according to location
For example:
• Some data can be accessed at headquarters, not at branches.
Direct Way to Security: Excellent Performance, Optimal Experience
Comprehensive Security
Intrusion Prevention: 5500+ signatures
Detects and defends against over 5500 vulnerabilities.
APT Defense
Able to identify actual file types and filter sensitive content, even when it is hidden in compressed files or the file extension has been modified.
File Blocking: Preventing Sensitive Data Leaks Through Files
Identification of 120+ real file types; identification through user-defined extension names.
Data Filtering: Checking File Content
Data check for 30+ types of files; predefined keyword groups.
URL Category Database with Abundant URL Categories to Provide Powerful URL Filtering
120 million+ URLs in 130+ categories; URL filtering for encrypted HTTP traffic and QoS optimization for access to the various URL categories.
SSL Encrypted Traffic Security
More and more websites use HTTPS. Content security over SSL decryption:
• URL filtering
• Anti-virus
• Intrusion prevention
• File filtering
• Activity control
Integrated VPN Client: SecoClient
Self-Learning Anti-DDoS Parameters
• Defends against over 10 types of DDoS attacks.
• Automatically sets thresholds by learning traffic.
Bandwidth Management
QoS Optimization: Intelligent Uplink Selection
Challenges in multi-ISP environments (diagram shows an ISP link such as Unicom): settlement costs are constantly high, and the quality of key services cannot be guaranteed.
Sticky session for intelligent uplink selection: prevents user disconnection and guarantees service stability in overload protection scenarios or with multiple-destination-server applications (such as e-banking and Alipay).
IPSec Intelligent Uplink Selection: Use Scenario
• Branches connect to HQ through VPN.
• The Internet backs up the dedicated network; the VPN bears office network and DC services.
• The Internet is not stable (remote mountain areas).
Diagram: HQ (NGFW, DMZ), regional DC (NGFW) and branch (NGFW) connected over the dedicated network and over the Internet through ISP1 and ISP2.
Optimal Protection Performance: Hardware and Software Integration for 10-Gigabit-Level Protection
Huawei approach: a unified app/threat description language (MTDL, UNIFIED DL), a unified security scan (UNIFIED Scan) and unified pattern matching (UNIFIED PM); parsing, identification, response and handling are split between software and hardware, and one unified scan covers AV, IPS, Trojan horse, exploit, URL and data identification in a single pass.
Industry approach, by comparison: separate definitions, one-by-one detection, software-only.
Introduction to IAE
Intelligent Awareness Engine (IAE): application identification, antivirus and URL categorization in one engine.
All under Control: Cloud-based Management
Are You Ready for NGFW Management?
Conventional firewall (Layer 4) versus NGFW (Layer 7). Management dimensions shown in the diagram: IP, port, VPN, user, location, application, content, IPS, URL, DLP, anti-DDoS, anti-spam.
➢ Management dimension increased by one: from Layer 4 quintuple management to Layer 7 application threat management.
➢ Management granularity refined three to five times.
➢ Application identification, IPS, and URL ... administrator, or the NGFW is capable of smart and automatic management.
Smart Policy: Intelligent Policy Management
Policy tuning
Refined Policy Management: Compatible with the Unified Security Policy Management Platform FireMon
Open API Interface: NGFW Programmable Management
USB Key Opening: Shorten Deployment Time, Reduce Manpower
Diagram: devices brought into service from USB keys.
Agile Cloud Management for Unified Operation of Massive Devices
• Plug-and-play; rapid rollout
• Server hosting for small- and medium-sized enterprises; interworking of massive branches for large enterprises
• Proactive registration: the firewall registers itself so that it can be managed by the cloud management platform
• Rapid device deployment requiring no manual intervention
Diagram: Huawei public cloud, service management, firewalls reached over the Internet.
Network Security and Firewall
Diagram: enterprise network, remote/branch office, cloud DC and Internet, with FW, IPS, WAF, SSL VPN, SOC, Anti-DDoS, endpoint security and VFW placed at each site.
Secure VPN Access to Branches
Diagram: headquarters (RADIUS & CA, intranet, management system, USG6000) connected over the Internet to branches and a remote site, each with a USG6000.
Security Challenge:
➢ Unsecure access for branches and mobile working
➢ Unsecure data transmission on the Internet
VPN Solution:
➢ Multiple VPN technologies, such as IPSec, L2TP, GRE, SSL, and MPLS
➢ Online expansion of the number of tunnels
➢ Carrier-class reliability
Solution Values:
➢ Secure, flexible, and reliable VPN access
➢ Centralized service management
Policy Mobility: Group-based Service Flow and Application Security Policies
Agile Controller: centralized policy configuration and one-click policy delivery.
Diagram: Agile Controller, security resource center, switch/native AC, WAN/Internet, data center; Guest and Employee groups.

Source Group | Destination Group | Application | Action | Application Security Policies | Devices to Which Policies Are Delivered
Guest | Internet | Not involved | Diverted to the security resource center | Not involved | Core switch
Employee | Internet | http | √ | AV+URL+SP+AM | Campus egress NGFW
Employee | DC server | ALL | √ | AV | DC egress NGFW

Service Flow Policy:
Uses the service chain technology to divert traffic of a specific group on authentication point switches to the security resource center for processing. Specify the security devices through which the traffic passes and the traffic processing sequence.
For example, divert the traffic of a guest to the Internet and set the traffic to pass through the firewall and AV device.
Application Security Policy:
Huawei's Next-Generation Firewall (NGFW) accurately identifies applications based on the received service flow and the security policy implemented according to user group and application. Security policy controls include: traffic blocking, Intrusion Prevention System (IPS), Antivirus (AV), and content filtering.
For example, traffic from an R&D employee using his or her own device is diverted to the security resource center. His or her application traffic unrelated to work (such as social application and gaming traffic) is filtered out.
3 Success Stories
Huawei Signing a Memorandum of Understanding with FireMon to Build a Joint Solution for NGFW Policy Management
Photos: signing venue at RSA 2016; Huawei NGFW on FireMon's policy management dashboard.
The First in China to Earn the "Recommendation Level" from NSS Labs
Huawei is placed in the upper-right quadrant and earns the highest "recommendation level".

Key evaluation items | Huawei | Cisco
Firewall application control | 100% supported | 100% supported
Intrusion blocking | 96.3% | 96.1%
Securing Next-Generation Networks: Huawei NGFW