HUAWEI USG6000 Series NGFW (source: webinars.huawei.ru/usg-firewall/materials/usg_firewall.pdf)

HUAWEI USG6000 Series NGFW Александр Миляр [email protected]

Upload: nguyendien

Post on 08-Mar-2018


HUAWEI USG6000 Series NGFW

Александр Миляр [email protected]

Overview of the USG6000 V500R001C30 Go-to-Market Schedule

V500R001C30

USG6305, USG6305-W
USG6310S, USG6310S-W, USG6310S-WL-OVS
USG6320
USG6330/6350/6360
USG6370/6380/6390
USG6620/6630
USG6650/6660/6670/6680

• Models highlighted in red are new models.

Overview of New USG6000 Models

Desktop

Model | Fixed Port | Wi-Fi | 4G LTE | Firewall Throughput
USG6305 | 4 x GE electrical port | Not supported | Optional; 4G LTE data card supported by external USB | 800 Mbit/s
USG6305-W | 4 x GE electrical port | 5 GHz/2.4 GHz | | 800 Mbit/s
USG6310S | 8 x GE electrical port | Not supported | | 1.2 Gbit/s
USG6310S-W | 8 x GE electrical port | 5 GHz/2.4 GHz | | 1.2 Gbit/s
USG6310S-WL-OVS | 8 x GE electrical port | 5 GHz/2.4 GHz | Built-in LTE module; 4G LTE data card supported by external USB | 1.2 Gbit/s

-W models are equipped with fat APs, which allow access through Wi-Fi.

The USG 6510-WL-OVS has an external USB LTE module and a built-in 4G LTE module that provides a backup LTE uplink. These two modules implement dual LTE uplinks.

New 600 GB Hard Disks

Model | 300 GB Hard Disk | 600 GB Hard Disk | Remarks
USG6650 (AC/DC power supply) | Optional; two 300 GB hard disks (RAID1) supported | Optional; two 600 GB hard disks (RAID1) supported | Only 3 U models support 600 GB hard disks. 300 GB and 600 GB hard disks cannot be used together.
USG6660 (AC/DC power supply)
USG6670 (AC/DC power supply)
USG6680 (AC power supply)
USG6680 (DC power supply) Not supported

SAS-600GB

Huawei NGFW Portfolio

Desktop/1 U/3 U

500 Mbit/s to 40 Gbit/s application identification throughput; up to 15 Gbit/s IPS+AV capability

Interfaces: a minimum of 4 GE, expandable to 56 x GE + 8 x SFP + 14 x 10GE

USG6360, 3 Gbit/s, 1 U, 4 x GE + 2 x combo
USG6350, 2 Gbit/s, 1 U, 4 x GE + 2 x combo
USG6330, 1 Gbit/s, 1 U, 4 x GE + 2 x combo
USG6390, 8 Gbit/s, 1 U, 8 x GE + 4 x SFP
USG6380, 6 Gbit/s, 1 U, 8 x GE + 4 x SFP
USG6370, 4 Gbit/s, 1 U, 8 x GE + 4 x SFP
USG6620, 12 Gbit/s, 1 U, 8 x GE + 4 x SFP
USG6630, 16 Gbit/s, 1 U, 8 x GE + 4 x SFP
USG6650, 20 Gbit/s, 3 U, 2 x 10GE + 8 x GE + 8 x SFP
USG6660, 25 Gbit/s, 3 U, 2 x 10GE + 8 x GE + 8 x SFP
USG6670, 35 Gbit/s, 3 U, 4 x 10GE + 16 x GE + 8 x SFP
USG6680, 40 Gbit/s, 3 U, 4 x 10GE + 16 x GE + 8 x SFP
USG6310S/-W/-WL-OVS, 1 Gbit/s, Desktop, 8 x GE
USG6320, 2 Gbit/s, Desktop, 8 x GE
USG6305/-W, 500 Mbit/s, Desktop, 4 x GE

Extension module

WSIC-8 x SFP
WSIC-4 x GE-Bypass
WSIC-8 x GE
WSIC-2 x SFP + 8 x GE
SAS-300GB
SAS-600GB

Contents

1 USG6000 Application Background and Highlights
2 USG6000 Application Scenarios
3 Success Stories

Perfect: Fine-grained Control and Comprehensive Security

Integrated policy: integrated security protection

Security capability deeply integrated with service awareness

6D management and control:
• Intrusion detection and antivirus based on SA
• Content filtering based on SA
• Different users, locations, and times correspond to different permissions
• Deeper security defense for high-risk applications

Dimensions: Application, Location, Time, Attack, Content, User

• 3000+ new threat identification
• 5M malicious code
• 8.5M URL
• 20+ file content identification
• 60+ file type identification
• Comprehensive context awareness
• Location library
• 8 user authentication methods
• 6000+ SA

NGFW security policy: 5-tuple, App., content, time, user, attack, location, action

Policy Integration: simplify management and improve efficiency

Access control policy and content security policies, such as IPS and AV, are configured in a single interface.

Content Security Area
Access Control Area

Applications Are Used for Access Control But Not Online Behavior Management

Whitelist mode
Identifies as many applications as possible, implements minimal authorization, allows only necessary services, and blocks unidentifiable applications, bringing no harm. This typical firewall management mode is more secure than the blacklist mode.

VS

Blacklist mode
Identifies a limited number of applications and allows unidentifiable applications, which may be harmful. The NGFW working in online behavior management mode is not secure.

Figure labels: 80; ERP, CRM, Mail, Microblog; Emule, Games

Application Awareness: Clearer Business Visibility, Finer Control

5 categories and 33 subcategories

Business_Systems:
• Database, e.g. MySQL
• …

Entertainment:
• Game, e.g. Warcraft
• Social_Networking, e.g. Facebook
• P2P: Thunder, eDonkey, BT…

General_Internet:
• Web_Browsing
• File_Sharing
• …

Network:
• Encrypted_Tunnel, e.g. IPSec
• …

General:
• General_TCP
• …

Data transmission model: client-server, browser-based, networking, peer-to-peer

Risk type: Exploitable, Productivity-loss, Evasive, Data-loss, Malware-vehicle, Bandwidth-consuming, Tunneling

Risk level

✓ 6000+ applications
✓ Covers all the main applications
✓ Supports popular encrypted P2P, Web2.0, and mobile apps
✓ Quick response to customized demands

User Awareness: I Know Who You Are

Facing Changing User IP Addresses

8 authentication modes:
• Local, RADIUS, LDAP, AD domain, SecureID, TSM, and HWTACACS authentication

Values:
• Following the mobile working trend
• User-based security policies
• User-based bandwidth management policies
• User-based online behavior management

Location Awareness: Where Attacks Are

IP Location

Identification granularity:
• China: city
• U.S.: state
• Others: country
• Support for IP segment-based location definition

Application scenarios:
• Traffic map: location-based application statistical analysis report
• Attack map: location-based attack statistical analysis report
• Location policy: access permissions varying according to locations

For example:
• Some data can be accessed at headquarters, not at branches.

Direct Way to Security: Excellent Performance, Optimal Experience

Comprehensive Security

Data security
• 30+ file reassembly and content filtering
• 120+ file type filtering

Web security
• 120 million+ URLs in the database
• 130+ categories

Intrusion prevention
• 5500+ attack detection
• 90+% false alarm detection rate

Application security
• 6000+ application protocol identification
• 5 million + virus detection

Comprehensive context awareness
• Awareness of applications, content, time, users, attacks, and locations
• 8 user authentication modes

Network security
• Anti-DDoS
• VPN (IPSec/SSL/L2TP/MPLS/GRE…)

Routing
• IPv4: static routing, RIP, OSPF, BGP, and IS-IS
• IPv6: RIPng, OSPFv3, BGP4+, IPv6 IS-IS, IPv6 RD, and ACL6

Email security
• Real-time anti-spam
• Content and keyword filtering
• Attachment virus detection and notification

Intrusion Prevention: 5500+ signatures

Detect and defend against over 5500 vulnerabilities

Only 2 vendors worldwide have passed ICSA IPS certification.

Detection of and defense against 5500+ vulnerability signatures, which are updated every week.

Anti-Virus: faster scanning and fresher signatures

• Flow-based antivirus scanning across a rich set of protocols.
• Signature database is updated daily.
• Faster scanning than competitors' appliances.

APT Defense

Encryption and authentication
HTTPS is used to transmit interworking data, and CA certificates are used to authenticate the FireHunter.

Precise filtering
The NGFW restores the specified types of files uploaded or downloaded using specified protocols and sends the restored files to the FireHunter for detection.

Attack detection and mitigation within 60 seconds
Huawei FireHunter detects attacks within 30 seconds and can interwork with the NGFW to mitigate the attacks within 60 seconds.

Figure labels: WAN/Internet, NGFW, FireHunter, Detection results

File filtering & Content filtering: Data Loss Prevention

Able to identify actual file types and filter sensitive content, even when it is hidden in compressed files or its extension has been modified.

XXXXXX price XXXX…credit card number: XXXXXXXXXXXXX Bidding material XXXXXX

File Blocking: Preventing Sensitive Data Leaks Through Files

Identification of 120+ real file types; identification through user-defined extension names

Data Filtering: Checking File Content

Data check for 30+ types of files; predefined keyword group

URL Category Database with Abundant URL Categories to Provide Powerful URL Filtering

120 million+ URLs in 130+ categories; URL filtering for encrypted HTTP traffic; QoS optimization for access to various URL categories.

SSL encryption traffic security

More and more websites use HTTPS

SSL traffic: blind spot of security

Content security over SSL decryption:
• URL filtering
• Anti-virus
• Intrusion prevention
• Content filtering
• File filtering
• Activity control

Integrated VPN Client: SecoClient

Core VPN services: L2TP, IPSec, SSL

OS adaptation: Windows, Mac OS

• Automatic optimal gateway and link selection
• Terminal security check and cache clearing
• Roaming and reconnection
• Customizable client logo and configuration
• Multiple languages and import of new languages
• Import and export of log, diagnosis, and configuration files

Unified presentation and in-depth coupling to simplify usage and enhance security

Self-Learning Anti-DDoS Parameters

• Defends against over 10 types of DDoS
• Automatically sets thresholds by learning traffic.


Bandwidth Management

Bandwidth guarantee for key services

Bandwidth limit

Connection limit

QoS tag remark

QoS Optimization: Intelligent Uplink Selection

Challenges in multi-ISP
• Some links are always congested, whereas some are always idle.
• Settlement costs are constantly high, and the quality of key services cannot be guaranteed.
• The Telecom interface is selected when traffic is destined for the Unicom network.
• The Telecom interface responds when the user who initiates the access request resides on the Unicom network.

Figure labels: Unicom, Telecom, Education network; Link bandwidth; Link weight; Active/Standby backup by link priority; Link quality; Overload protection; Link load balancing; Service- (Application-) based; Destination ISP-based; DNS transparent proxy; Smart DNS

Sticky session for intelligent uplink selection: prevents user disconnection and guarantees service stability in scenarios of overload protection or with multiple destination server applications (such as e-banking and Alipay).

IPSec intelligent uplink selection: usage scenarios

• Branches connect to HQ through VPN
• Internet backup for dedicated network, VPN bearer service
• Unstable Internet (remote mountain areas)

Figure labels: Internet, HQ, Branch, NGFW, DC, Office net, DMZ, Regional DC, Regional center network, Dedicated network, ISP1, ISP2

Border Security of Cloud Data Centers

Virtualized Security Protection

A: Session: XX; Bandwidth: XX; Security: A; Policy Num: X
B: Session: XX; Bandwidth: XX; Security: B; Policy Num: X
C: Session: XX; Bandwidth: XX; Security: C; Policy Num: X

Virtual system border defense:
✓ Border protection for up to 1000 virtual systems
✓ Application identification, IPS, antivirus, and URL filtering
✓ Virtualized security protection
✓ Resource virtualization
✓ Virtualized floating for security policies

Tenant-specific management:
✓ Customized security management for tenants
✓ Customized QoS management for tenants

Optimal Protection Performance: Hardware and Software Integration for 10-Gigabit-Level Protection

Can the firewall maintain a high performance when all security features are enabled?

Single resolution engine (IAE) that improves software performance; high-speed hardware platform and architecture

➢ Highest application-layer processing performance (under the same firewall performance)
➢ Industry-leading IPS and full threat defense performance

Everything UNIFIED

[Figure: Huawei vs. industry. Huawei: UNIFIED App/Threat Description Language (UNIFIED DL, MTDL), UNIFIED Security Scan (UNIFIED Scan), UNIFIED Pattern Match (UNIFIED PM). Industry: Separate Definitions, One By One Detection, Software Only Approach. Other labels: IPS, AV, URL; Intrusion, Trojan horse, Exploit; Identification, Parsing, Response Handling; Regular, Non-regular; Data, Result; Software, Hardware.]

Introduction to IAE

Intelligent Awareness Engine

Functions: Application identification, Intrusion prevention, Web security, URL category, DLP, File security, Antivirus

Databases: Application signature database, Antivirus database, IPS signature database, Web attack database, DLP database, URL category database

All under Control: Cloud-based Management and Simplified O&M

Are You Ready for NGFW Management?

Conventional firewall (Layer 4); NGFW (Layer 7)

Figure labels: Content, User, Threat, Application, Location; IP, Port, Protocol; VPN, IPS, AV, Anti-DDoS, DLP, Anti-spam, URL

Management dimension increased by one
➢ Layer 4 quintuple management to Layer 7 application threat management

Management granularity refined three to five times
➢ Application identification, IPS, and URL

You need an extremely efficient security administrator, or the NGFW is capable of smart and automatic management.

Smart Policy: Intelligent Policy Management

Policy tuning

Refined Policy Management: Compatible with Unified Security Policy Management Platform FireMon

FireMon: world-leading firewall security policy management solution provider

Figure labels: Topology display; Configuration policy change management; Policy analysis; Security audit; Policy planning

NGFW+FireMon joint solution:
• Accurate policy management
• Compliance with management requirements of sensitive industries and large enterprises
• Unified visualized security management
• Simplified configuration to reduce O&M costs

Open API Interface: NGFW Programmable Management

RESTful, NetConf, open & extensible

Figure labels: API, MSSP/OSS

Programmable management through API
✓ Define security & authentication policy
✓ User dynamic logon
✓ Define address object & security zone
✓ Get NGFW system information
✓ … …

NGFW management no longer relies on network management software only

U key opening: shorten deployment time, reduce manpower

Traditional deployment method: requires many professional engineers

Innovative U key opening: insert a preset U key to complete deployment

Figure label: USB

Especially valuable for large-scale deployment: the larger the scale, the greater the savings.

Agile Cloud Management for Unified Operation of Massive Devices

Plug-and-play; rapid rollout
• Server hosting for small- and medium-sized enterprises; interworking of massive branches for large enterprises
• Proactive registration of the firewall so that it can be managed by the cloud management platform
• Rapid device deployment requiring no manual intervention

Policy delivery; unified management
• Remote service-level configuration management of the cloud NMS
• Remote device monitoring and fault management
• Cloud management of massive devices for simplified O&M

Note: This feature is already supported by the USG6300/6500 and to be supported by the USG6600/9500.

Figure labels: Huawei public cloud, Internet, Branch, Small and medium-sized enterprises, Firewall, Proactive registration, Service management

Contents

1 USG6000 Application Background and Highlights
2 USG6000 Application Scenarios
3 Success Stories

Network Security and Firewall

[Figure labels: Internet, Enterprise Network, Data Center, Office, DMZ, Remote/Branch Office, Cloud DC, SOC; FW, VFW, IPS, WAF, Anti-DDoS, SSL VPN, Endpoint Security]

Secure VPN Access to Branches

Security Challenge:
➢ Unsecure access for branches and mobile working
➢ Unsecure data transmission on the Internet

VPN Solution
➢ Multiple VPN technologies, such as IPSec, L2TP, GRE, SSL, and MPLS
➢ Online expansion of the number of tunnels
➢ Carrier-class reliability

Solution Values
➢ Secure, flexible, and reliable VPN access
➢ Centralized service management

Figure labels: Headquarters, RADIUS & CA, Intranet, Branch, Management system, Remote site, Internet, USG6000

Policy Mobility: Group-based Service Flow and Application Security Policies

Agile Controller: centralized policy configuration and one-click policy delivery

Service Flow Policy:
Huawei’s Next-Generation Firewall (NGFW) accurately identifies applications based on the received service flow, and the security policy is implemented according to user group and application. Security policy controls include: traffic blocking, Intrusion Prevention System (IPS), Antivirus (AV), and content filtering.
For example, traffic from an R&D employee using his own device is diverted to the security resource center. His or her application traffic unrelated to work (such as social application and gaming traffic) is filtered out.

Application Security Policy:
Uses the service chain technology to divert traffic of a specific group on authentication point switches to the security resource center for processing. Specify security devices through which the traffic passes and the traffic processing sequence.
For example, divert the traffic of a guest to the Internet and set the traffic to pass through the firewall and AV device.

Source Group | Destination Group | Application | Action | Application Security | Devices to Which Policies Are Delivered
Guest | Internet | Not involved | Diverted to the security resource center | Not involved | Core switch
Employee | Internet | http | √ | AV+URL+SPAM | Campus egress NGFW
Employee | DC server | ALL | √ | AV | DC egress NGFW

Figure labels: WAN/Internet, Guest, Employee, Data Center, Agile Switch/Native AC, Agile Controller, Security Resource Center, Service Flow Policy, Application Security Policy

Contents

1 USG6000 Application Background and Highlights
2 USG6000 Application Scenarios
3 Success Stories

Huawei Signing a Memorandum of Understanding with FireMon to Build a Joint Solution for NGFW Policy Management

Figure captions: Signing venue at the RSA2016; Huawei NGFW on FireMon's policy management dashboard

Jim Lewandowski, CEO of FireMon:

"FireMon is delighted to partner with Huawei in China as well as in the global marketplace. Huawei is a world-renowned ICT solution provider. We believe that the integration of FireMon's leading firewall policy management solutions with Huawei's next-generation firewall products will provide our customers with more robust and comprehensive next-generation firewall solutions."

The First in China to Earn the "Recommendation Level" from NSS LABS

Huawei is put in the upper-right quadrant and earns the highest "recommendation level"

The NGFW's security capability reaches the world-class level.

Key evaluation items | Huawei | Cisco
Security effectiveness (total) | 98.1% | 96.5%
Firewall
L4 policy | 100% supported | 100% supported
Application control | 100% supported | 100% supported
Identity control | 100% supported | 100% supported
IPS
Intrusion blocking | 96.3% | 96.1%
Network attack blocking | 99.95% | 96.94%
Anti-evasion | 100% supported | 100% supported
Stability | 100% supported | 100% supported

The First in China to Earn the Best Threat Solution Award from 2016 SC Magazine

Tony Morbin, Chief Editor of SC Magazine UK:

"Huawei solutions represent the most innovative and effective security technology on the market. Attackers are continuously developing means to obtain sensitive data while enterprises are continuously developing defense and handling measures. Huawei USG/Eudemon series firewalls have won the award from SC Magazine due to their constant improvement in the security industry."

Huawei NGFW

Securing Next-Generation Networks

• Most simple management configuration
• Most in-depth security protection
• Highest performance experience
• Most sustainable security capability

Александр Миляр [email protected]