HUAWEI USG6000 Next-Generation Firewall Technical Presentation
Changing Landscape

(Figure) ICT is moving to Mobile, Cloud, Social and Big Data, and network threats are growing both in number and in sophistication: APT, worms, Trojans, web threats, botnets and mobile threats. The slide puts a 6X growth figure next to web threats and labels network threats as "out of control".
Evolution of Firewall

(Figure: timeline)
• 1989: packet filtering (access control), PC era
• 1994: stateful firewall (session based), Intranet era
• 1998: ASIC-based firewall (hardware-based), Internet era
• 2004: UTM, the category defined by IDC (multiple features in one box)
• 2008: multi-core platforms (higher performance), Web 2.0 era
• 2009: Gartner defines the NGFW (application + user + content awareness), Mobile Internet era
• NOW: ?
NGFW Needs Optimization…

(Figure) Firewalls have moved from basic FW/VPN, to integrated IPS, to application-aware devices. For large enterprises the NGFW definition now needs an upgrade on four axes, which are the four parts of this deck: finer traffic control, management optimization, wider security scope, and performance.
1. Fine-granular Access Control
Application Identification: No.1 in the Industry
Comprehensive Coverage, Fine-grained Control

(Figure: vendor comparison chart) Number of identified applications: Huawei 6000 (all categories) and Fortinet 3133, with the other three vendors on the chart (Cisco, Check Point, PAN) at 1181, 1600 and 5000. Per-category counts for P2P and GAME are also printed (P2P: 450, 422, 75, 62, 148; GAME: 321, 183, 120, 56, 214) but the extraction does not preserve which count belongs to which vendor.

(Figure: function-level control table) For the sample applications WeChat, Great Wisdom (a stock app), LINE, RapidShare, Freenet and games such as Half-Life, Huawei controls individual functions inside the application (voice vs. text for WeChat and LINE, upload vs. download for RapidShare and Freenet, browsing vs. exchange for Great Wisdom), whereas the competitors are shown as either identifying the application only ("App Only") or not identifying it at all (✘).
Application Awareness: Better Service Visibility & More Refined Control

Applications are described in three dimensions:

1. Category: 5 categories and 33 sub-categories, for example
   Business Systems:
   • Finance: e-banking and stock-trading software
   • Database: database protocols, such as MySQL
   • …
   Entertainment:
   • Game: game software, such as Warcraft
   • Social Networking: social software, such as …
   • …
   General Internet:
   • Web Browsing: web browsing
   • Search Engines: search engines, such as Google
   • File Sharing: file sharing software
   • …
   …

2. Data transmission mode:
   • client-server: applications such as client-side games
   • browser-based: applications such as browser games
   • networking: network applications, such as HTTP
   • peer-to-peer: P2P applications, such as Thunder and BT
   • …

3. Risk types and risk levels:
   • Exploitable: applications that have known vulnerabilities
   • Evasive: applications, such as proxies, that attempt to evade firewall inspection
   • Data leak: applications that can transmit files or upload text
   • Infected by malicious software: applications known to be infected by malware
   • Tunneling protocol: applications that can carry other applications over a tunneling protocol
   • …

The engine identifies 6000+ network applications, covering the main application protocols, popular encrypted P2P protocols, Web 2.0 applications, mobile apps and micro-apps. Custom application definitions can be added to meet individual needs.
Value of Application Awareness

• Access control
• Service acceleration
• Working in conjunction with other defenses
User Awareness: I Know Who You Are

Because user IP addresses keep changing, policies are bound to users rather than to addresses.

8 authentication modes (the slide names seven):
• Local, RADIUS, LDAP, AD domain, SecurID, TSM and HWTACACS authentication

Values:
• Follows the mobile working trend
• User-based security policies
• User-based bandwidth management policies
• User-based online behavior management
Location Awareness: Where Attacks Are

IP location identification granularity:
• China: city
• U.S.: state
• Others: country
• Support for IP segment-based location definitions

Application scenarios:
• Traffic map: location-based application statistics report
• Attack map: location-based attack statistics report
• Location policy: access permissions that vary by location

For example: some data can be accessed at headquarters but not at branches.
Policy Integration: Simplify Management and Improve Efficiency

Access control policy and content security policies (IPS, AV, …) are configured in a single interface (figure: an access control area and a content security area side by side in one policy rule).
2. Easy Security Management
Traditional Security Management

(Figure: the administrator manages policy and security features through the NMS, the CLI and the web UI)
• New deployments are difficult.
• Applied policies never change regardless of traffic changes.
• Policies become more redundant and difficult to streamline.
Smart Policy Management Optimization
Quick Deployment

• Built-in policy templates
• Built-in application categories
Policy Tuning

(Figure: workflow) Original policies → traffic analysis and security evaluation → optimization based on applications, on security and on bandwidth → validation check → new policies. Each optimization step can be applied manually or automatically.
Policy Simplification

• Finding long-term unused policies: rules that have not matched any traffic for a long period.
• Finding redundant policies: rules that are fully covered by an earlier rule and therefore can never match.
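The two checks above are simple to state but easy to get wrong on a first-match rule base. The following is an added example, not Huawei's implementation (the deck does not show one): it models an ordered policy as CIDR/protocol/port tuples with a last-hit timestamp, reports rules covered by an earlier rule, and separates the safe case (same action, truly redundant) from the dangerous one (different action, a shadowed rule that should be investigated rather than deleted). The rule format, the addresses, the names and the timestamps are all constructed here.

```python
# Added example: first-match policy analysis for the two checks the slide names.
# Illustrative code, not Huawei's implementation; the rule format, the hit
# timestamps and the sample rule set are all constructed here.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # CIDR, "0.0.0.0/0" for any
    dst: str
    proto: str                    # "tcp", "udp" or "any"
    dports: Tuple[int, int]       # inclusive destination port range
    action: str                   # "permit" or "deny"
    last_hit: Optional[datetime]  # None = never matched traffic


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.dports[0] <= inner.dports[0] and inner.dports[1] <= outer.dports[1]


def analyze(rules: List[Rule]):
    """Walk the ordered rule list with first-match semantics.

    A rule fully covered by an earlier rule can never match. If the actions
    agree it is redundant (safe to delete); if they differ it is shadowed,
    which is a policy error to investigate, not something to delete blindly.
    """
    redundant, shadowed = [], []
    for i, inner in enumerate(rules):
        for outer in rules[:i]:
            if covers(outer, inner):
                target = redundant if outer.action == inner.action else shadowed
                target.append((inner.name, outer.name))
                break  # the first covering rule is the one that wins
    return redundant, shadowed


def find_unused(rules: List[Rule], now: datetime, max_age_days: int = 90) -> List[str]:
    """Rules that never matched, or last matched longer ago than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    return [r.name for r in rules if r.last_hit is None or r.last_hit < cutoff]


# Constructed sample policy (hypothetical addresses and names).
NOW = datetime(2015, 6, 1)
RULES = [
    Rule("allow-web", "10.0.0.0/8", "192.0.2.10/32", "tcp", (80, 443), "permit", NOW - timedelta(days=1)),
    Rule("allow-http-only", "10.1.0.0/16", "192.0.2.10/32", "tcp", (80, 80), "permit", None),
    Rule("deny-ssh", "10.0.0.0/8", "192.0.2.0/24", "tcp", (22, 22), "deny", NOW - timedelta(days=200)),
    Rule("allow-ssh-admin", "10.0.5.0/24", "192.0.2.20/32", "tcp", (22, 22), "permit", NOW - timedelta(days=2)),
    Rule("allow-dns", "10.0.0.0/8", "0.0.0.0/0", "udp", (53, 53), "permit", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    redundant, shadowed = analyze(RULES)
    print("redundant:", redundant)                  # [('allow-http-only', 'allow-web')]
    print("shadowed: ", shadowed)                   # [('allow-ssh-admin', 'deny-ssh')]
    print("unused:   ", find_unused(RULES, NOW))    # ['allow-http-only', 'deny-ssh']
```

Note the difference between the two lists: `allow-http-only` can be removed without changing behaviour, while `allow-ssh-admin` is dead because the earlier `deny-ssh` wins, so the fix is to reorder or narrow `deny-ssh`, not to delete the admin rule. A rule with no hit counter at all is also reported as unused; on a real device the hit counter and the window you choose should be checked before anything is deleted.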
Traffic Report and Threat Report: Multiple Perspectives

(Figures: traffic and threat reports broken down by application, user, location and time)
Open API: NGFW Programmable Management

RESTful architecture style, open and extensible. An MSSP or OSS can manage the NGFW programmatically through the API:
• Define security and authentication policies
• Dynamic user log-on
• Define address objects and security zones
• Get NGFW system information
• …

NGFW management no longer relies on network management software alone.
U Key Opening: Shorter Deployment Time, Less Manpower

Traditional deployment method: requires many professional engineers on site.
Innovative U key opening: insert a preset USB key to complete the deployment.

Especially valuable for large-scale deployments: the larger the scale, the larger the saving. (A preset key carries the device's configuration and whatever credentials that configuration contains, so it needs the same handling as any other provisioning secret.)
3. Comprehensive Prevention of Threats
Comprehensive Security

Application security:
• 6000+ application protocols identified
• 5,000,000+ virus signatures
Intrusion prevention:
• 3500+ attack detection signatures
• 90%+ false-alarm detection rate
Web security:
• 85,000,000+ URLs in the database
• 80+ categories
Data security:
• Content filtering with file reassembly for 30+ file formats
• 120+ file types filtered
Email security:
• Real-time anti-spam
• Content and keyword filtering
• Attachment virus detection and notification
Network security:
• Anti-DDoS
• VPN (IPSec/SSL/L2TP/MPLS/GRE …)
Routing:
• IPv4: static routing, RIP, OSPF, BGP and IS-IS
• IPv6: RIPng, OSPFv3, BGP4+, IPv6 IS-IS, IPv6 RD and ACL6
Comprehensive context awareness:
• Awareness of applications, content, time, users, attacks and locations
• 8 user authentication modes
Intrusion Prevention: 5500+ Signatures

Detects and defends against over 5500 vulnerabilities. (The Comprehensive Security overview gives 3500+ for the same database; the deck is inconsistent on this figure.)
Anti-Virus: Faster Scanning and Fresher Signatures

• Flow-based antivirus scanning across a rich set of protocols.
• Signature database updated daily.
• Faster scanning than competitors' appliances.
File Filtering & Content Filtering: Data Loss Prevention

Identifies the actual file type and filters sensitive content even when the file is hidden inside a compressed archive or its extension has been changed.

(Figure: sample of flagged content) XXXXXX price XXXX … credit card number: XXXXXXXXXXXXX … bidding material XXXXXX
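The slide's two claims, typing a file by its content rather than its name and looking inside archives, are shown concretely in the added example below. It is illustrative code and not Huawei's engine: the magic-byte table is a small constructed subset, the sensitive keywords and the archive it scans are constructed for the demo, and the credit-card check uses a regular expression plus a Luhn checksum so that random digit strings are not reported.

```python
# Added example: content-based file typing and DLP scan, covering files renamed to
# a misleading extension and files hidden inside a ZIP archive. Illustrative code,
# not Huawei's engine; signatures, keywords and the sample archive are constructed.
import io
import re
import zipfile
from typing import List, Tuple

# (magic bytes, type): a small, constructed subset of common signatures
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"MZ", "exe"),
]
# what a given extension claims the content to be
EXT_TYPE = {"pdf": "pdf", "zip": "zip", "png": "png", "jpg": "jpeg",
            "jpeg": "jpeg", "exe": "exe", "txt": "text"}
KEYWORDS = ["bidding material", "price"]             # hypothetical sensitive terms
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){15}(?!\d)")  # 16 digits, optional separators
MAX_MEMBER = 10 * 1024 * 1024                        # skip archive members larger than this
MAX_DEPTH = 3                                        # bound nested-archive recursion


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def sniff_type(data: bytes) -> str:
    """Classify by leading bytes, never by file name."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    try:
        head = data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if "\x00" not in head else "binary"


def scan(name: str, data: bytes, depth: int = 0) -> List[Tuple[str, str, str]]:
    """Return (path, finding, detail) tuples for one file, descending into ZIPs."""
    findings = []
    kind = sniff_type(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXT_TYPE and EXT_TYPE[ext] != kind:
        findings.append((name, "extension-mismatch", f"declared {ext}, actual {kind}"))
    if kind == "zip" and depth < MAX_DEPTH:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:  # refuse to inflate huge members (zip bomb guard)
                    findings.append((f"{name}/{info.filename}", "skipped", "member too large"))
                    continue
                findings += scan(f"{name}/{info.filename}", zf.read(info), depth + 1)
    elif kind == "text":
        text = data.decode("utf-8", errors="ignore")
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append((name, "credit-card", digits[:6] + "******" + digits[-4:]))
        for kw in KEYWORDS:
            if kw in text.lower():
                findings.append((name, "keyword", kw))
    return findings


def build_sample_archive() -> bytes:
    """Constructed ZIP: a text file renamed to .jpg that carries a well-known test card number."""
    body = "Bidding material, unit price 42 USD\ncredit card number: 4111 1111 1111 1111\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.jpg", body)
    return buf.getvalue()


def demo() -> List[Tuple[str, str, str]]:
    """Scan the archive (named to look like harmless data) and a PDF renamed to .txt."""
    results = scan("attachment.dat", build_sample_archive())
    results += scan("quote.txt", b"%PDF-1.4\n%constructed stub, not a real document\n")
    return results


if __name__ == "__main__":
    for path, finding, detail in demo():
        print(f"{path}: {finding} ({detail})")
```

The archive is named `attachment.dat`, so nothing about its name says "zip"; the scanner still opens it because the content starts with the ZIP local-file-header signature, and inside it the `.jpg` member is reported as text carrying a card number and two keywords. The member-size and depth limits are the two guards a real inline scanner needs before it inflates attacker-supplied archives.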
URL Filtering: Control Web Browsing Activity

• 80+ URL categories
• 85,000,000 URLs in the database
• 20 languages
• 500,000 malicious URLs

Illegal/malicious websites → URL blacklist; legitimate websites → URL whitelist.
SSL Encrypted Traffic Security

More and more websites use HTTPS, and SSL traffic is a blind spot for security inspection. With SSL decryption, content security is applied to the decrypted stream:
• URL filtering
• Anti-virus
• Intrusion prevention
• Content filtering
• File filtering
• Activity control

(Inline decryption means the firewall re-signs server certificates with its own CA, which clients must trust; applications that pin certificates will fail and have to be excluded from decryption.)
Bandwidth Management

• Bandwidth guarantee for key services
• Bandwidth limit
• Connection limit
• QoS tag remarking
Anti-DDoS

• Defends against over 10 types of DDoS attack.
• Thresholds are set automatically by learning normal traffic.
Dynamic Smart Virtual Private Network (DSVPN)

Advantages of DSVPN:
• Efficient IPSec communication directly between spokes.
• Simplified configuration and maintenance.
Border Security of Cloud Data Centers: Virtualized Security Protection

(Figure: virtual systems A, B and C, each with its own session count, bandwidth, security profile and policy count)

Virtual system border defense:
• Border protection for up to 1000 virtual systems
• Application identification, IPS, antivirus and URL filtering per virtual system

Virtualized security protection:
• Resource virtualization
• Virtualized floating of security policies (policies follow the tenant)

Tenant-specific management:
• Customized security management for tenants
• Customized QoS management for tenants
IPSec Intelligent Uplink Selection: Use Scenario

(Figure: HQ data center and regional data center, each behind an NGFW, with office network and DMZ; a branch NGFW reaches them over a dedicated network and over the Internet via ISP1 and ISP2)
• Branches connect to HQ through VPN.
• The Internet backs up the dedicated network and carries VPN services.
• The Internet link is not stable (e.g. remote mountain areas).
(Figure: traditional solution vs. IPSec intelligent uplink selection)

Traditional solution:
1. Find VPN abnormal conditions manually: long fault-localization cycle (hours).
2. Set up a new VPN tunnel manually: difficult to select the best tunnel (weeks).
3. Switch services manually: complex operation, long cycle (minutes).

IPSec intelligent uplink selection:
1. Find VPN QoS problems in real time (milliseconds).
2. Select the best link and set up the tunnel automatically (seconds).
3. Switch services to the new tunnel automatically (milliseconds).

Greatly reduces service interruption time and keeps service quality high and stable; reduces the cost of dedicated-network rental. VPN quality is monitored in real time.
Proxy of Service Health Check

(Figure) Traditional server health-check model: every checking system sends ICMP "How are you?" probes to every server, and each server answers every probe ("fine" / "not good"). Replying to massive numbers of state-check requests degrades real server performance.

Proxy through the NGFW: the NGFW answers the health checks on behalf of the servers, probing each server itself with ICMP and relaying the state, lightening the burden on the servers.
4. Excellent Performance
Firewall Security Architecture

(Figure: layered architecture)
• Software & hardware platform: NE router VRP base, with unified management and knowledge-library updates
• Security engine: IAE (Intelligence Awareness Engine)
• Security functions: firewall, IPS, IPSec, SSL, anti-virus, sandbox, HA, URL filtering, service awareness, anti-DDoS, LB, traffic control
• Real-time defense
Everything UNIFIED for High Performance

Three unified layers: UNIFIED description language (DL), UNIFIED scan and UNIFIED pattern match (PM).

Industry approach (figure, left): separate definitions per engine (IPS, AV, URL), one-by-one detection, and a software-only pattern-match approach.

Huawei approach (figure, right):
• UNIFIED App/Threat Description Language (MTDL): one language describes intrusions, Trojan horses and exploits.
• UNIFIED Security Scan: one pass of identification, parsing, response and handling serves IPS, AV and URL filtering.
• UNIFIED Pattern Match: regular and non-regular patterns are matched in software and in hardware.

Throughput comparison (figure, Huawei vs. industry) for FW, application identification, IPS, full protection and VPN; the figures printed on the slide are 20G/20G/15G/20G, 20G/20G/12G, 15G/8G/5G, 10G/10G/6G and 12G/4G/2.5G/3G (which row belongs to which vendor is not recoverable from the extraction). Caption: "Highest Performance Experience".
Everything UNIFIED (figure: IAE data path)

NIC → routing & switching → basic firewall features → IAE. Inside the IAE, application identification and a UNIFIED protocol dissector feed a UNIFIED decomposition stage; general contents, URLs and file streams (via the file typer) are then examined in one UNIFIED security scan (intrusion detection, DLP scan, virus scan, web security/URL scan) driven by the UNIFIED threat/application description language and a UNIFIED pattern-match and hash algorithm, ending in a UNIFIED response.
Hardware Acceleration

(Figure) The protocol dissector, application identification, the security scans (intrusion detection, DLP scan) and the response stage all utilize the UNIFIED pattern match, which has two back ends:
• Software-based pattern match: small/singleton requests, synchronous result.
• Hardware-based pattern match: bulk/stream requests, asynchronous result.
USG6300/USG6600 Series: 13 Models (14 appear on the slide)

• 1G to 40G performance with application identification enabled.
• A minimum of 8 GE ports, scalable to a maximum of 64×GE + 14×10GE ports.

NGFW appliances:
Model    | Throughput | Form factor | Fixed ports
USG6310  | 1 Gbps     | Desktop     | 8GE
USG6320  | 2 Gbps     | Desktop     | 8GE
USG6330  | 1 Gbps     | 1U          | 4GE + 4 Combo
USG6350  | 2 Gbps     | 1U          | 4GE + 4 Combo
USG6360  | 3 Gbps     | 1U          | 4GE + 2 Combo
USG6370  | 4 Gbps     | 1U          | 8GE + 4SFP
USG6380  | 6 Gbps     | 1U          | 8GE + 4SFP
USG6390  | 8 Gbps     | 1U          | 8GE + 4SFP
USG6620  | 12 Gbps    | 1U          | 8GE + 4SFP
USG6630  | 16 Gbps    | 1U          | 8GE + 4SFP
USG6650  | 20 Gbps    | 3U          | 2×10GE + 8GE + 8SFP
USG6660  | 25 Gbps    | 3U          | 2×10GE + 8GE + 8SFP
USG6670  | 35 Gbps    | 3U          | 4×10GE + 16GE + 8SFP
USG6680  | 40 Gbps    | 3U          | 4×10GE + 16GE + 8SFP

Expansion modules: WSIC-8SFP, WSIC-4GE-BYPASS, WSIC-8GE, WSIC-2SFP+&8GE, SAS-300GB (hard disk).
NGFW Product Roadmap

• USG9500 (2014, higher performance): 500G full-protection performance; now in large-scale application.
• USG6000 (now): 1G–40G FW+APP performance, 20G full-protection performance.
• NGFW security blade (now, full integration) for the S7700/S9700/S12700 switches.
5. Application Scenarios
Network Security and Firewall

(Figure: enterprise-wide placement) Internet edge: FW and anti-DDoS; enterprise network: FW, IPS, SOC and endpoint security; data center and cloud DC: FW, VFW, IPS and WAF; office and DMZ: FW, IPS and endpoint security; remote/branch office: FW, SSL VPN and endpoint security.
Security Protection of Private Government Networks

(Figure: provincial government private network; municipal governments (City 1 … City N) and district/county governments (District/County 1 … N), each behind a USG6000)

Security challenges:
• Private government networks are not isolated.
• Communication between the government intranet and the Internet is not protected.
• Multiple internal service systems have vulnerabilities.

Solution:
• Add antivirus (AV) isolation at the borders.
• Manage network security in a unified way.

Solution values:
• Private government networks are isolated securely.
• Viruses are prevented professionally and effectively.
• The scope of security events is contained effectively.
• Vulnerabilities and patches are handled through unified management.
Security Isolation of the Data Center

(Figure: main data center with application and database servers on IP SAN, FC SAN and NAS storage (S2600T/S5500T/VIS6600T backup, N8500 unified storage, VIS6000 network redundancy and virtualization); a USG6000 between the core switch and the data center switch; a geographic redundancy center with an S5500 array over the WAN)

Security challenges:
• Heavy traffic is not isolated securely.
• Service continuity is not guaranteed.
• No anti-DDoS defense.
• No visualized application management.

Solution:
• 10 GE device for security isolation of the data center.
• Hot standby deployment.

Solution values:
• Security isolation of 32 Gbit/s of traffic on one host.
• Professional 10 Gbit/s anti-DDoS capability.
• Microsecond-level delay and hot standby.
• Zero packet loss to ensure service continuity.
• Visualized service management.
Network Admission Protection

(Figure: USG6000 terminal access control gateways at the access layer, a terminal security management system, USG6000s in front of the server area, and an NIP1000 IDS at the WAN router)

Security challenges:
• Terminals have vulnerabilities.
• Authorized users access unauthorized resources.
• Unauthorized access is not controlled.
• Numerous terminals are hard to manage.

Solution:
• A professional gateway solution with excellent adaptability.
• Central device management with quick deployment.
• Support for a comprehensive range of terminals.
• HA and flexible control.

Solution values:
• Enforces terminal compliance to protect service systems.
• Improves network security and usability.
• Improves efficiency and saves costs.
Secure VPN Access to Branches

(Figure: headquarters with RADIUS & CA and a VSM management system; branches and a remote site connect over the Internet, each site behind a USG6000)

Security challenges:
• Unsecure access for branches and mobile working.
• Unsecure data transmission over the Internet.

VPN solution:
• Multiple VPN technologies: IPSec, L2TP, GRE, SSL and MPLS.
• Online expansion of the number of tunnels.
• Carrier-class reliability.

Solution values:
• Secure, flexible and reliable VPN access.
• Centralized service management.
6. Success Stories
Third-Party Recognition

Gartner: Magic Quadrant for Enterprise Network Firewalls 2015 and Magic Quadrant for Unified Threat Management 2014 (source: Gartner).
ICSA Labs: Firewall + IPS certification.
Wide Commercial Use

Alibaba Cloud Computing; National Supercomputing Center.
(Figure: shipment counts of 6,052 units and 112,858 units.) Note: shipment figures collected up to December 2013.
Dortmund Signal Iduna Park Stadium

Security solution: Signal Iduna Park in Dortmund is Germany's largest and the world's ninth-largest football stadium, seating more than 80,000 spectators. As the security solution for the stadium Wi-Fi system, Huawei NGFW provides URL-based intelligent identification and management. Within the whole ICT solution, Huawei NGFW provides fine-grained control, high-performance all-threat prevention, integrated IPS and URL filtering, ensuring the best network experience for the customer (Huawei end-to-end stadium solution).
ICITA Public Cloud Network in Australia

Public cloud service provider, Sydney, Australia
• Serving more than 100 large enterprises
• 6-dimensional fine-grained control
• Full threat protection at 10+ Gbps

"USG6000 takes all the box to get ability to build on infrastructure network to provide multi-tenancy for our partners. It could complete separation, so each partner can build their own virtual data center. In fact it has module, so we can expand as our requirements. The cost is also very effective. We don't have specific security engineer in the infrastructure, but we can provide security support as a service for our customers."
Damien Stephens, CEO of ICITA
The City of Opole, Poland (Opole OSTO)

Security solution: the project includes delivery of 3 core routers, 3 edge routers, 5 firewalls and 69 access switches. HUAWEI USG6000s are deployed at the edge of the optical telecommunication network behind HUAWEI NE40E routers to secure the internal network and enhance data transmission security. The USG6000s cooperate with Policy Center to provide secure access.

Customer values: the Huawei USG6600 series demonstrated good layer-7 firewall performance. The success is a good reference for government network security expansion.
Guangdong Smart Grid Network (China Southern Power Grid)

Huawei's security solution: Huawei deploys its USG6650 at the Internet egress and at the border of the comprehensive information network. The USG6650 provides 10 Gbps all-threat defense performance and a powerful NAT function for the Internet egress. In addition, the solution manages devices across the entire network through a unified management center for power-dispatching management and report display, helping China Southern Power Grid build a simplified, highly efficient security protection system.

Customer benefits:
• Signature- and sandbox-based all-threat defense, guaranteeing smooth office services for China Southern Power Grid.
• With all-threat defense enabled, the performance decrease is less than 50%; high-performance protection and a high-quality user experience support large volumes of service traffic.
• Automatic policy management based on traffic learning reduces the total cost of ownership (TCO) by over 30%.
Beijing University of Posts and Telecommunications

Security solution:
• Deploy a USG6600 at the network egress, accessing the WAN via multiple ISP links.
• Implement application identification, traffic management and comprehensive inspection.

Customer feedback:
"Huawei NGFW can automatically learn the traffic patterns and provide detailed suggestions for policy fine tuning. These functions provide good visibility into applications on our network so that we can determine which applications need to be protected and which need to be controlled. We can easily fine tune the policies based on the suggestions."
Jie An, Deputy Director of the Information Network Center
Ministry of Education in Portugal

Construction of a public government-affairs platform for the Portuguese Ministry of Education, meeting requirements for high performance, high availability and comprehensive security. The platform supports real-time online visits and public-affairs queries from users across the entire country.

Customer challenges:
• 20G performance to carry real-time services and ensure service continuity and availability.
• No effective defense against frequent attacks in various forms.

Solution:
• Deploy a USG6680 at the service border to provide 20G bidirectional service protection, ensuring service continuity.
• Enable protection against DDoS and application-layer attacks and deploy the Huawei cloud sandbox to defend against unknown threats.
2013 Huawei Firewall Global References

(Figure: world map; red = enterprise, black = carrier)
• Spain: biggest supermarket chain, secure interconnection of >300 branches, USG2000/5000
• IDC service provider: anti-DDoS protection at HQ and Hong Kong DC egress, USG9500
• Public information service agency: secure interconnection of >500 branches, USG2000/5000
• Italy: top-5 bank, secure interconnection of >2000 branches, USG2000/5000
• Germany: Europe's largest carrier, LTE VPN gateway, Eudemon8000E; Dortmund stadium, USG6000
• China: China's largest ISP, DC security protection for >20 DC egresses, AntiDDoS8000
• Netherlands: Amsterdam Metro, USG6000
• IDC service provider: AntiDDoS8000
• European carrier: CGN gateway, Eudemon8000E
(The map also marks the USA and Italy; the extraction does not preserve which of the unlabelled references belong to them.)
Huawei NGFW: Most Accurate, Easier Management, Best Threat Coverage, Highest Performance

Your Next Generation Network Security